NetScreen Message Log Reference Guide
Rev B

Copyright Notice

Copyright © 1998-2001 NetScreen Technologies, Inc.

NetScreen Technologies, Inc., the NetScreen logo, NetScreen-5, NetScreen-5XP, NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-500, NetScreen-1000, NetScreen-Global Manager, NetScreen-Global PRO, NetScreen-Remote, GigaScreen ASIC, and NetScreen ScreenOS are trademarks and NetScreen is a registered trademark of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 95051
U.S.A.
www.netscreen.com

Licenses, Copyrights, and Trademarks

THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM NETSCREEN TECHNOLOGIES INC.

FCC Statement

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a light commercial installation. This equipment generates, uses and can radiate radio frequency energy, and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Product License Agreement

PLEASE READ THIS LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND OPERATING, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS LEGAL AND BINDING AGREEMENT AND ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS.

1. License Grant. This is a license, not a sales agreement, between you, the end user, and NetScreen Technologies, Inc. (“NetScreen”). The term “Firmware” includes all NetScreen and third party Firmware and software provided to you with the NetScreen product, and includes any accompanying documentation, any updates and enhancements of the Firmware and software provided to you by NetScreen, at its option. NetScreen grants to you a non-transferable (except as provided in section 3 (“Transfer”) below), non-exclusive license to use the Firmware and software in accordance with the terms set forth in this License Agreement. The Firmware and software are “in use” on the product when they are loaded into temporary memory (i.e. RAM).

2. Limitation on Use.
You may not attempt, and if you are a corporation, you will use best efforts to prevent your employees and contractors from attempting, to (a) modify, translate, reverse engineer, decompile, disassemble, create derivative works based on, sublicense, or distribute the Firmware or the accompanying documentation; (b) rent or lease any rights in the Firmware or software or accompanying documentation in any form to any person; or (c) remove any proprietary notice, labels, or marks on the Firmware, software, documentation, and containers.

3. Transfer. You may transfer (not rent or lease) the Firmware or software to the end user on a permanent basis, provided that: (i) the end user receives a copy of this Agreement and agrees in writing to be bound by its terms and conditions, and (ii) you at all times comply with all applicable United States export control laws and regulations.

4. Proprietary Rights. All rights, title, interest, and all copyrights to the Firmware, software, documentation, and any copy made by you remain with NetScreen. You acknowledge that no title to the intellectual property in the Firmware and software is transferred to you and you will not acquire any rights to the Firmware except for the license as expressly set forth herein.

5. Term and Termination. The term of the license is for the duration of NetScreen’s copyright in the Firmware and software. NetScreen may terminate this Agreement immediately without notice if you breach or fail to comply with any of the terms and conditions of this Agreement. You agree that, upon such termination, you will either destroy all copies of the documentation or return all materials to NetScreen. The provisions of this Agreement, other than the license granted in Section 1 (“License Grant”), shall survive termination.

6. Limited Warranty.
For a period of one (1) year after delivery to Customer, NetScreen will repair or replace any defective product shipped to Customer, provided it is returned to NetScreen at Customer’s expense within that period. For a period of ninety (90) days after the initial delivery of a particular product, NetScreen warrants to Customer that such product will substantially conform with NetScreen’s published specifications for that product if properly used in accordance with the procedures described in documentation supplied by NetScreen. NetScreen’s exclusive obligation with respect to non-conforming product shall be, at NetScreen’s option, to replace the product or use diligent efforts to provide Customer with a correction of the defect, or to refund to Customer the purchase price paid for the unit. Defects in the product will be reported to NetScreen in a form and with supporting information reasonably requested by NetScreen to enable it to verify, diagnose, and correct the defect. For returned product, the Customer shall notify NetScreen of any nonconforming product during the warranty period, obtain a return authorization for the nonconforming product from NetScreen, and return the nonconforming product to NetScreen’s factory of origin with a statement describing the nonconformance.

NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, THE FOREGOING IS CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR BREACH OF WARRANTY BY NETSCREEN WITH RESPECT TO THE PRODUCT.

The warranties set forth above shall not apply to any Product or Hardware which has been modified, repaired or altered, except by NetScreen, or which has not been maintained in accordance with any handling or operating instructions supplied by NetScreen, or which has been subjected to unusual physical or electrical stress, misuse, abuse, negligence or accidents.
THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES EXPRESS OR IMPLIED GIVEN BY NETSCREEN IN CONNECTION WITH THE PRODUCT AND HARDWARE, AND NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. NETSCREEN DOES NOT PROMISE THAT THE PRODUCT IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION.

7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS LICENSORS BE LIABLE UNDER ANY THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL OR SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION LOSS OF USE, PROFITS, GOODWILL, SAVINGS, LOSS OF DATA, DATA FILES OR PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF THE FIRMWARE. IN NO EVENT WILL NETSCREEN'S OR ITS LICENSORS' AGGREGATE LIABILITY CLAIM BY YOU, OR ANYONE CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR FIRMWARE. Some jurisdictions do not allow the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you.

8. Export Law Assurance. You understand that the Firmware is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE FIRMWARE OR ANY UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITED STATES AND OTHER APPLICABLE LAWS AND REGULATIONS.

9. U.S. Government Restricted Rights. If this Product is being acquired by the U.S.
Government, the Product and related documentation is commercial computer Product and documentation developed exclusively at private expense, and (a) if acquired by or on behalf of a civilian agency, shall be subject to the terms of this computer Firmware, and (b) if acquired by or on behalf of units of the Department of Defense (“DoD”) shall be subject to terms of this commercial computer Firmware license Supplement and its successors.

10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction.

11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and effect. The laws of the State of California, excluding the application of its conflicts of law rules, shall govern this License Agreement. This Agreement will not be governed by the United Nations Convention on the Contracts for the International Sale of Goods. This Agreement is the entire agreement between the parties as to the subject matter hereof and supersedes any other Technologies, advertisements, or understandings with respect to the Firmware and documentation. This Agreement may not be modified or altered, except by written amendment, which expressly refers to this Agreement and which is duly executed by both parties. You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and conditions. Hardware, including technical data, is subject to U.S. export laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import hardware

Preface

This reference guide documents the log messages that appear in ScreenOS 3.0.0.
It serves a dual purpose:

Managing Message Log Databases

It provides a tool for categorizing and filtering messages for administrators using such network management tools as NetScreen-Global Manager, NetScreen-Global PRO, SNMP, syslog, or WebTrends. Because the book is organized by subject, you can quickly find all the messages related to particular areas and filter those into meaningful sections in the database. For example, you can find all the messages related to firewall status in the Firewall section on page 28. All the messages related to VPNs are in the VLANs section on page 138.

Understanding Messages

It provides the NetScreen administrator with a comprehensive list of all the messages that the NetScreen system generates, with explanations of what the messages mean and what possible actions you might take upon receiving them. You can find appendices at the end of the book organized by severity level. In each appendix, the messages are listed by their message type ID numbers. For example, if you see a message with the severity level “Notification” and the ID “00001,” you can look it up in the Notification Messages appendix and see that message 00001 is explained on page 2.

Organization

The book is organized into the following sections:

• Preface – The Preface explains the purpose of this book, its organization, and the terminology conventions used in all NetScreen documentation.
• Introduction – The Introduction examines the discrete components of a message and the options that affect how a message is displayed.
• Messages – This section contains all the messages organized by subject, then severity level, then message type ID number. For example, Address >> Notification Level >> 00001 (subject >> severity level >> message type ID). Each entry contains the following elements:
  – Message – The text of the message that appears in the log.
  – Meaning – An explanation of what the message means.
  – Action – One or more recommended actions for the administrator to take, when such action is required.

For example, one of the messages found at Address >> Notification Level >> 00001 is the following:

Message: Address group <grp_name> has been { added | modified | deleted }.
Meaning: An administrator has added, modified, or deleted the specified address group.
Action: No recommended action

• Emergency Messages – This appendix lists all the emergency messages by message type ID numbers, allowing you to find any emergency message quickly via its message type ID.
• Alert Messages – This appendix lists all the alert messages by message type ID numbers.
• Critical Messages – This appendix lists all the critical messages by message type ID numbers.
• Error Messages – This appendix lists all the error messages by message type ID numbers.
• Warning Messages – This appendix lists all the warning messages by message type ID numbers.
• Information Messages – This appendix lists all the information messages by message type ID numbers.
• Notification Messages – This appendix lists all the notification messages by message type ID numbers.

Feedback

This version of the NetScreen Message Log Reference Guide marks the first attempt to document all of the ScreenOS messages. As it stands, this effort continues to be an ongoing project. If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]

Conventions

NetScreen publications use the following conventions to indicate optional and required elements, variables, and options:

• A parameter inside [ ] (square brackets) is optional. This element might appear in the message.
• A parameter inside { } (braces) is required. This element must appear in the message.
• Anything inside < > (angle brackets) is a variable and denotes the type, rather than the exact wording, of the element that appears in the message.
• If there is more than one option for an element inside [ ] and { }, they are separated by a pipe ( | ).

For example, the following three messages can appear in the log:

• Address group sales has been added.
• Address group sales has been modified.
• Address group sales has been deleted.

In this book, these three messages are combined into one and written as follows:

• Address group <grp_name> has been { added | modified | deleted }.

Note that the variable <grp_name> denotes the specific name of the address group (sales in this example). The braces and pipes indicate that one of the elements—added, modified, deleted—must appear in the message.

Admin Information

When a message results from an administrator’s action, the administrator’s name precedes the message and the location from which the administrator acted is included at the end of the message. All such log entries include the following information:

<admin_name>: <message text> from { the console | scs <ip_addr> | telnet <ip_addr> | web <ip_addr> | the master | the backup | the LCD display }.

Note: The terms “master” and “backup” denote the status of NetScreen devices configured for high availability (HA) in a redundant cluster. The LCD display is available only on the NetScreen-500.

For example, messages such as the following can appear in the log:

• netscreen: Address group sales has been added from the console.
• joe: Address group sales has been modified from web 10.10.2.171.
• xo: Address group sales has been deleted from the master.

In the messages that follow in this book, the administrator’s name and location have been omitted to avoid unnecessary repetition.

Note: Not all messages report the results of an admin’s action. For example, a message such as CPU utilization has reached 90% of capacity does not include such information because no admin is involved in the event.
Introduction

The messages explained in this book report events useful for system administrators when recording, monitoring, and tracing the operation of a NetScreen device. The messages provide information regarding the following events:

• Firewall attacks
• Configuration changes
• Successful and unsuccessful system operations

The following sections in the Introduction explain the separate components of each message and the available display options:

• “Anatomy of a Message” on page xvi
• “Display options” on page xviii

Anatomy of a Message

All messages consist of the following elements:

• Date
• Time
• Module name
• Severity level
• Message type ID
• Message text

These elements appear in that order, as in the following example (date, time, module name-severity level-message type ID, then the message text):

2001-9-25 12:02:57 system-emergency-00001: Address group jamaica has been added from the console.

The date shows the year-month-day when the event occurred.

The time shows the hour:minute:second when the event occurred.

The module name is the section of the system where the event occurred. In ScreenOS 3.0.0, the only module noted is system.

The severity level places the event in one of eight levels of severity, using the hierarchical structure established by syslog, as shown in the following table.

Level  Name          Explanation
0      Emergency     The system has become unusable.
1      Alert         Immediate action is required.
2      Critical      Functionality is affected.
3      Error         An erroneous condition exists and functionality is probably affected.
4      Warning       Functionality might be affected.
5      Notification  Notification of normal events.
6      Information   General information about system operations.
7      Debugging     Detailed information useful for debugging purposes (currently not used).

The message type ID provides a number for classifying the category for each type of message.
For example, a notification message with ID 00001 indicates that it belongs in the address category. A critical message with ID 00027 indicates that it belongs in the admin category. You can find a list of message type ID numbers organized by severity level in the indexes at the back of this book:

• “Emergency Messages” on page A-1
• “Alert Messages” on page B-1
• “Critical Messages” on page C-1
• “Error Messages” on page D-1
• “Warning Messages” on page E-1
• “Information Messages” on page F-1
• “Notification Messages” on page G-1

The message text describes the event being reported and often contains detailed information such as IP addresses, port numbers, and specific configuration settings.

Display Options

By default, messages appear as described in the previous section, “Anatomy of a Message” on page xvi. Optionally, you can change the message display to include return-address information. This information is useful for debugging purposes. To change the message display to include the return address, use the following CLI command:

set logging header-format return-address

The message format changes to include the return address (the (ra=...) part after the message type ID below) for each message, as the following examples illustrate:

2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.
2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.
2001-9-25 11:28:38 system-information-00527(ra=0x8013b7d8): A DHCP-assigned IP address has been manually released from web 10.2.150.22.

To change the format back to the default style, use the following CLI command:

set logging header-format detail

The messages no longer display the return-address information, as shown below:

2001-9-25 10:56:03 system-critical-00027: Multiple login failures for user jSm1th from 10.100.2.171:80.
2001-9-25 11:00:00 system-notification-00008: The system clock has been updated through NTP.
2001-9-25 11:28:38 system-information-00527: A DHCP-assigned IP address has been manually released from web 10.2.150.22.

Messages

This section contains a compendium of all the NetScreen messages. Each message is presented, its meaning explained, and—where appropriate—an administrative action recommended. The messages are grouped by message type, and then within that type by severity level, from the most severe to the least.

• “Address” on page 2
• “Admin” on page 4
• “Auth” on page 11
• “Clock” on page 17
• “Device” on page 18
• “DHCP” on page 20
• “DIP” on page 25
• “DNS” on page 26
• “Firewall” on page 28
• “Global” on page 43
• “High Availability” on page 52
• “IKE” on page 61
• “Interface” on page 83
• “Link Status” on page 88
• “Logs” on page 89
• “MIP” on page 90
• “PKI” on page 91
• “Policies” on page 102
• “Routes” on page 104
• “Schedule” on page 105
• “SCS” on page 106
• “SNMP” on page 118
• “Software Key” on page 126
• “Syslog and WebTrends” on page 127
• “System” on page 131
• “Users” on page 132
• “VIP” on page 134
• “Virtual Systems” on page 136
• “VLANs” on page 138
• “VPNs” on page 139

All messages reporting an administrative action include the location from which that action has been made: either from the console, from an administrator’s host IP address via SCS, Telnet, or the Web, or from the LCD display (NetScreen-500). When devices are used in a redundant cluster for high availability, the message also states whether the action occurred on a master or backup unit. Note that because the part of a message stating the source of an action is the same in all such messages, it is not included in the messages listed here. For more information, see “Admin Information” on page xiii.

Address

These messages relate to the creation, modification, and removal of addresses.
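The following Python is an added example, not code from the guide or from NetScreen: it parses log lines in the format described under “Anatomy of a Message” and “Display options” (with or without the (ra=...) return address), splits off the administrator name and location described under “Admin Information”, and matches the remaining text against the { required | alternatives }, [ optional ] and <variable> notation from “Conventions”. Function and constant names (parse_line, match_template, events_at_or_above, SAMPLE_LINES, MSG_00027) are this example's own; the sample lines are the guide's example lines plus one constructed line for an admin named joe.

```python
"""Parse ScreenOS 3.0.0 event-log lines and match message text against the
guide's template notation. Added example, not code from NetScreen or the guide."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity table from "Anatomy of a Message" (syslog levels; 7 Debugging is unused).
SEVERITY_LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debugging": 7,
}
# Header: <date> <time> <module>-<severity>-<id>[(ra=0x....)]: <text>
# "(ra=...)" is present only after "set logging header-format return-address".
HEADER_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"(?P<module>[a-z]+)-(?P<severity>[a-z]+)-(?P<msg_id>\d{5})"
    r"(?:\(ra=(?P<ra>0x[0-9a-fA-F]+)\))?: (?P<text>.+)$"
)

# "Admin Information" convention: optional "<admin_name>: " prefix and a
# "from { the console | scs <ip> | ... | the LCD display }" suffix before the period.
ADMIN_RE = re.compile(
    r"^(?:(?P<admin>[^\s:]+): )?(?P<body>.*?)"
    r"(?: from (?P<location>the console|scs \S+|telnet \S+|web \S+"
    r"|the master|the backup|the LCD display))?\.$"
)

# "Conventions" notation: <variable>, { required | alternatives }, [ optional ].
TOKEN_RE = re.compile(r"<([A-Za-z0-9_]+)>|\{([^{}]*)\}|\[([^\[\]]*)\]")


@dataclass
class LogEvent:
    date: str
    time: str
    module: str
    severity: str
    level: int
    msg_id: str
    return_address: Optional[str]
    message: str  # as listed in the guide: admin name and location stripped
    admin: Optional[str]
    location: Optional[str]


def parse_line(line: str) -> Optional[LogEvent]:
    """Split one log line into its elements; None if it is not an event line."""
    m = HEADER_RE.match(line.strip())
    if m is None or m.group("severity") not in SEVERITY_LEVELS:
        return None
    text, admin, location = m.group("text"), None, None
    a = ADMIN_RE.match(text)
    if a is not None:  # rebuild the message as the guide lists it
        text, admin, location = a.group("body") + ".", a.group("admin"), a.group("location")
    return LogEvent(m.group("date"), m.group("time"), m.group("module"),
                    m.group("severity"), SEVERITY_LEVELS[m.group("severity")],
                    m.group("msg_id"), m.group("ra"), text, admin, location)


def _convert(fragment: str, seen: Dict[str, int]) -> str:
    """Recursively turn a template fragment into regex source."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(fragment):
        out.append(re.escape(fragment[pos:m.start()]))
        pos = m.end()
        var, required, optional = m.groups()
        if var is not None:
            # A variable used twice in one template (two <ip_addr>) gets a numbered group.
            n = seen[var] = seen.get(var, 0) + 1
            out.append("(?P<%s>.+?)" % (var if n == 1 else "%s_%d" % (var, n - 1)))
            continue
        body = required if required is not None else optional
        alts = "|".join(_convert(alt.strip(), seen) for alt in body.split("|"))
        if required is not None:
            out.append("(?:%s)" % alts)
        else:  # an optional element also swallows the single space after it
            out.append("(?:(?:%s) )?" % alts)
            if fragment.startswith(" ", pos):
                pos += 1
    out.append(re.escape(fragment[pos:]))
    return "".join(out)


def match_template(template: str, message: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the <variable> values if message is an instance of template, else None."""
    m = re.compile("^" + _convert(template, {}) + "$").match(message)
    return m.groupdict() if m else None


def events_at_or_above(lines: List[str], severity: str = "critical") -> List[LogEvent]:
    """Events at least as severe as `severity` (lower syslog number = more severe)."""
    limit = SEVERITY_LEVELS[severity]
    return [ev for ev in map(parse_line, lines) if ev is not None and ev.level <= limit]


# Sample input: the guide's own example lines plus one constructed line (admin "joe").
SAMPLE_LINES = [
    "2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.",
    "2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.",
    "2001-9-25 11:28:38 system-information-00527: A DHCP-assigned IP address has been manually released from web 10.2.150.22.",
    "2001-9-25 12:02:57 system-emergency-00001: Address group jamaica has been added from the console.",
    "2001-9-25 12:03:10 system-notification-00001: joe: Address group sales has been modified from web 10.10.2.171.",
]
# Template for critical message 00027, copied from the Admin section of the guide.
MSG_00027 = "Multiple login failures for user <name> from { <ip_addr>:<port_num> | console }."
```

events_at_or_above(SAMPLE_LINES) returns the critical-or-worse events (message 00027 and the emergency example), and match_template(MSG_00027, event.message) pulls the user name, IP address and port out of the multiple-login-failure text.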
Notification Level

Message: Address group <grp_name>: { Added | Deleted } member <addr_name>.
Meaning: An administrator has added the named address to or deleted it from the named address group.
Action: No recommended action

Message: <security_zone> address <addr_name> with { ip address <ip_addr> | domain name <dmn_name> } has been { added | deleted | modified }.
Meaning: An administrator has added an address with the specified IP address or domain name in the specified security zone to the address book, deleted it from the address book, or modified it in the address book.
Action: No recommended action

Message: Address group <grp_name> has been { added | modified | deleted }.
Meaning: An administrator has added, modified, or deleted the specified address group.
Action: No recommended action

Message: Address group <grp_name> comments have been modified.
Meaning: An administrator has modified the comment for the specified group.
Action: No recommended action

Message: Address group <grp_name1> group name has been changed to <grp_name2>.
Meaning: An administrator has changed the name of the address group.
Action: No recommended action

Admin

These messages relate to the administration of the NetScreen device.

Critical

Message: ScreenOS <version> serial # <number>: Asset recovery has been performed.
Meaning: From the console, an administrator has used the asset recovery option to return the specified ScreenOS version on a NetScreen device with the specified serial number to its factory default settings.
Action: After successfully performing the asset recovery operation, an administrator must reconfigure the NetScreen device.

Message: Multiple login failures for user <name> from { <ip_addr>:<port_num> | console }.
Meaning: The named user has failed to log in after three attempts from either a network address or via a console connection. After three failed login attempts, the NetScreen device automatically terminates the connection.
Action: No recommended action

Warning

Message: [ Vsys ] Admin <admin_name> has logged { on | out } via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> }.
Meaning: The named administrator has logged on or out via a console connection or via a Telnet session from the specified IP address and port number.
Action: No recommended action

Message: [ Vsys ] Admin <admin_name> has logged on via the WebUI ( { HTTP | HTTPS } ) to port <port_num> from <ip_addr>:<port_num>.
Meaning: The named administrator has logged on to the WebUI at the specified port number using HTTP or HTTPS from the specified IP address and port number.
Action: No recommended action

Message: Management session via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> } for [ vsys ] admin <admin_name> has timed out.
Meaning: The management session via the console, Telnet, or SCS for the named administrator has expired.
Action: No recommended action

Message: Login attempt to system by admin <admin_name> via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> } has failed.
Meaning: An attempt to log in to the NetScreen system by the named administrator via the console, Telnet, or SCS has failed.
Action: No recommended action

Message: ScreenOS <version> serial # <number>: Asset recovery has been aborted.
Meaning: From the console, an administrator has aborted the asset recovery operation for the specified ScreenOS version on a NetScreen device with the specified serial number.
Action: No recommended action

Notification

Message: System configuration has been erased.
Meaning: An administrator has erased the system configuration as the result of successfully performing asset recovery via a console connection or by issuing an unset all command.
Action: The system configuration must be reconfigured.
Message: Management restriction for <ip_addr> <mask> has been { added | removed }.
Meaning: An administrator has either restricted network access to the NetScreen device only to administrators logging in from the specified IP address or removed that restriction. If the restriction is removed, administrators can manage the NetScreen device from any IP address (the default setting).
Action: No recommended action

Message: System IP has been changed from <ip_addr1> to <ip_addr2>.
Meaning: An administrator has changed the system IP address.
Action: No recommended action

Message: { HTTP | SCS | SSL | Telnet } port has been changed from <port_num1> to <port_num2>.
Meaning: An administrator has changed the port number used for managing the device via HTTP, SCS, SSL, or Telnet.
Action: No recommended action

Message: { Root admin | Read/write admin | Vsys admin } { password | name } has been changed.
Meaning: Because there are different administrative levels with different privileges, the level of the admin taking action affects the possible meanings of this message, which can be any of the following:
• The root admin has changed its own password or user name, or the password or user name of any other admin.
• A read/write admin has changed its own password or the password or user name of a vsys admin.
• A vsys read/write admin has changed its own password.
Action: No recommended action

Message: Admin user <name> has been { added | modified | deleted }.
Meaning: The root admin has added the named admin user, modified the user’s administrative privileges, or deleted the user.
Action: No recommended action

Message: The management idle timeout value has been changed from <minutes> to <minutes>.
Meaning: An admin has changed the management idle timeout value that terminates an administrative session via the Web when the specified amount of idle time has been reached.
Action: No recommended action

Message: E-mail notification has been { enabled | disabled }.
Meaning: An admin has enabled or disabled e-mail notification of event alarms.
Action: No recommended action

Message: Mail server { IP address | domain name } has been changed.
Meaning: An admin has changed the IP address or domain name of the SMTP server used for sending e-mail notification of event alarms.
Action: No recommended action

Message: E-mail address { 1 | 2 } has been changed.
Meaning: An admin has changed the first or second e-mail address to which e-mail notification of event alarms is sent.
Action: No recommended action

Message: Inclusion of traffic logs with e-mail notification of event alarms has been { enabled | disabled }.
Meaning: An admin has enabled or disabled the inclusion of traffic logs with the e-mail notification of event alarms.
Action: No recommended action

Message: LCD control keys have been locked.
Meaning: An admin has locked the LCD control keys on the NetScreen-500 device.
Action: No recommended action

Message: LCD display has been turned off and the LCD control keys have been locked.
Meaning: An admin has locked the LCD control keys and turned off the LCD display on the NetScreen-500 device.
Action: No recommended action

Message: LCD display has been turned on.
Meaning: An admin has turned on the LCD display on the NetScreen-500 device.
Action: No recommended action

Message: LCD display has been turned on and the LCD control keys have been unlocked.
Meaning: An admin has turned on the LCD display and unlocked the LCD control keys on the NetScreen-500 device.
Action: No recommended action

Auth

The following messages relate to user authentication.

Alert

Message: Multiple authentication failures have been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol TCP, on interface <interface_name>.
Meaning: The NetScreen device has detected multiple failed authentication attempts from the specified source IP address and port, destined for the specified IP address and port, using the TCP protocol at the specified interface.
Action: An unauthorized party might be trying to access the NetScreen device. Research the owner of the source IP address and the name used for the attempted login to determine the cause of the multiple authentication failures. If they appear suspicious, notify your network security officer (NSO).

Warning

Message: User <name> at <ip_addr> must enter “Next Code” for SecurID <ip_addr>.
Meaning: The user at the specified IP address must enter the next token code from his or her SecurID card to authenticate with the SecurID server at the specified IP address.
Action: No recommended action

Message: Local authentication for user <name> was { denied | successful }.
Meaning: The local database either denied access to the specified user or authenticated the user.
Action: No recommended action

Message: User <name> at <ip_addr> has been { accepted | rejected } via the { RADIUS | SecurID | LDAP } server at <ip_addr>.
Meaning: The user at the specified IP address has been accepted or rejected by the specified authentication server.
Action: No recommended action

Message: Admin user <name> has been { accepted | rejected } via the RADIUS server at <ip_addr>.
Meaning: The named admin user has been accepted or rejected by the specified RADIUS server.
Action: No recommended action

Message: { RADIUS | SecurID | LDAP } user authentication attempt has timed out.
Meaning: The NetScreen device could not make a network connection to the RADIUS, SecurID, or LDAP server to authenticate a user, and the attempt has timed out.
Action: Check the network cable connection, the IP address of the authentication server entered on the NetScreen device, and the authentication settings on both the NetScreen device and the authentication server.

Information

Message: User <name> at <ip_addr> must enter the “new PIN” for SecurID <ip_addr>.
Meaning: The user at the specified IP address must enter the new PIN to authenticate with the SecurID server at the specified IP address.
Action: No recommended action

Message: User <name> at <ip_addr> must make a “New PIN” choice for SecurID <ip_addr>.
Meaning: The user at the specified IP address must choose between creating a new user-generated PIN, using a new system-generated PIN, or quitting the session to authenticate with the SecurID server at the specified IP address.
Action: No recommended action

Message: User <name> at <ip_addr> has selected a system-generated PIN for authentication with SecurID <ip_addr>.
Meaning: The specified user has chosen to have the SecurID server at the specified IP address generate a new PIN for the user.
Action: No recommended action

Message: The new PIN for user <name> at <ip_addr> has been { accepted | rejected } by SecurID <ip_addr>.
Meaning: The SecurID server at the specified IP address has accepted or rejected the specified user’s new PIN.
Action: No recommended action

Message: Cannot contact the SecurID server.
Meaning: The NetScreen device cannot make a network connection to the SecurID server.
Action: Check that the network and authentication settings on both the NetScreen device and the SecurID server are correctly configured and that the SecurID server has an active physical network connection.

Notification

Message: LDAP { server name | port number | distinguished name | common name } has been changed.
Meaning: An administrator has changed the server IP address, TCP port number, distinguished name, or common name for the LDAP server.
Action: No recommended action

Message: Authentication type has been changed to { internal database | RADIUS | SecurID | LDAP }.
Meaning: An administrator has changed the authentication type to the specified method.
Action: No recommended action

Message: RADIUS server { IP | port | secret } has been changed.
Meaning: An administrator has changed the IP address or port number of the RADIUS server, or the secret shared between the NetScreen device and the RADIUS server.
Action: No recommended action

Message: { Master | Backup } SecurID server IP address has been changed.
Meaning: An administrator has changed the IP address of either the master or backup SecurID server.
Action: No recommended action

Message: SecurID { authentication port | duress mode | timeout value | number of retries value } has been changed.
Meaning: An administrator has changed one of the following SecurID parameters:
- The SecurID port number on which the NetScreen device communicates with the SecurID server
- Duress mode, which allows a user to log in with a different PIN only once if he or she is doing so under duress
- Timeout value in seconds that the NetScreen device waits between authentication retry attempts
- Number of authentication attempts, or retries, that the NetScreen device makes to establish a connection with the SecurID server
Action: No recommended action

CLOCK

The following messages relate to the system clock.

Notification

Message: The system clock has been updated through NTP.
Meaning: The NetScreen system clock has used the Network Time Protocol (NTP) to update itself automatically.
Action: No recommended action

Message: NTP settings have been changed.
Meaning: An admin has changed at least one of the Network Time Protocol (NTP) settings.
Action: No recommended action

DEVICE

The following messages relate to the physical hardware components of the NetScreen device.
Critical

Message: At least one power supply is not functioning properly.
Meaning: At least one power supply is incorrectly seated, unplugged, or malfunctioning.
Action: First check that the power supplies are fully seated, that the power cords are plugged in to both power supplies and plugged in to active power sources, and that the power cords are undamaged. If the problem persists, replace the faulty power supply.

Message: The { primary | secondary } power supply is not functioning properly.
Meaning: Either the primary or secondary power supply is incorrectly seated, unplugged, or malfunctioning.
Action: First check that the specified power supply is fully seated, that the power cord is plugged in to both the power supply and an active power source, and that the power cord is undamaged. If the problem persists, replace the power supply.

Message: At least one fan is not functioning properly.
Meaning: The fan assembly is incorrectly seated, or at least one fan is malfunctioning.
Action: First check that the fan assembly is properly in place and that nothing is restricting air flow to the fans. If the problem persists, replace the fan assembly.

Message: The system temperature (<number>° C, <number>° F) is too high.
Meaning: The system temperature has exceeded the alarm threshold.
Action: First check that the fan assembly is functioning properly. If it is functioning properly, check that nothing is restricting air flow to the fans. If it is not functioning properly, check that the fan assembly is correctly seated. If the problem persists, replace the fan assembly.

Message: The { primary | secondary } power supply is now functioning properly.
Meaning: The specified power supply, which had malfunctioned, has returned to normal operation.
Action: No recommended action

Message: All { power supplies | fans } are now functioning properly.
Meaning: At least one power supply or fan that had malfunctioned has returned to normal operation.
Action: No recommended action

DHCP

The following messages relate to Dynamic Host Configuration Protocol (DHCP). Some NetScreen devices can act as a DHCP server or relay agent. Some NetScreen devices can also act as a DHCP client. The following messages are divided into two sections: the first is for DHCP server and relay agent messages; the second is for DHCP client messages.

DHCP Server and Relay Agent

Information

Message: A DHCP-assigned IP address has been manually released.
Meaning: An admin has manually released an IP address that the NetScreen device had assigned to a DHCP client. (The client then automatically requests another IP address.)
Action: No recommended action

Message: A DHCP-assigned IP address <ip_addr> has been { assigned to <mac_addr> | freed from <mac_addr> }.
Meaning: The NetScreen device, acting as a DHCP server, has either assigned or freed an IP address for a DHCP client with the specified MAC address.
Action: No recommended action

Message: MAC address <mac_addr> has detected an IP conflict and has declined address <ip_addr>.
Meaning: The DHCP client has detected an IP address conflict and has declined the specified address. (After a DHCP client has been offered an IP address and before it accepts it, the client checks if there is any other host using the same address. If the client does not find a conflict, it accepts the address. If it does find a conflict, it rejects it.)
Action: No recommended action

Message: DHCP server has { assigned | released } an IP address.
Meaning: The NetScreen device, acting as a DHCP server, has either assigned or released an IP address.
Action: No recommended action

Notification

Message: The DHCP server options have been changed.
Meaning: An admin has changed one or more of the DHCP server options on the NetScreen device.
Action: No recommended action

Message: The DHCP server IP address pool has changed.
Meaning: The NetScreen device, acting as a DHCP server, has offered, committed, or freed at least one IP address in its DHCP address pool.
Action: No recommended action

DHCP Client

Information

Message: DHCP client lease for <ip_addr> has expired.
Meaning: The specified DHCP client IP address is no longer valid. (The NetScreen device automatically requests another IP address from the DHCP server.)
Action: No recommended action

Message: DHCP server <ip_addr> has assigned the <interface_name> interface <ip_addr> with lease <lease>.
Meaning: The specified DHCP server has assigned an IP address to the named security zone for the specified length of time.
Action: No recommended action

Message: An IP conflict has been detected and the DHCP client has declined address <ip_addr>.
Meaning: The DHCP client has detected an IP address conflict and has declined the specified address. (After a DHCP client has been offered an IP address and before it accepts it, the client checks if there is any other host using the same address. If the client does not find a conflict, it accepts the address. If it does find a conflict, it rejects it.)
Action: No recommended action

Message: DHCP client IP <ip_addr> for the interface <interface_name> has been manually released.
Meaning: An admin has manually released the specified IP address assigned to the named interface acting as a DHCP client.
Action: No recommended action

Message: DHCP client is unable to get an IP address for the <interface_name> interface.
Meaning: The NetScreen device, acting as a DHCP client, requested an IP address (perhaps repeatedly) for the specified interface but did not receive one from the DHCP server.
Action: If none of the requests for an IP address from the DHCP server are successful, check the DHCP client settings on the NetScreen device and the settings on the DHCP server.
Message: System auto-config of file <file_name> from TFTP server <ip_addr> has { been loaded successfully | failed }.
Meaning: The NetScreen device, acting as a DHCP client, has either automatically loaded or failed to load the specified system configuration file from the specified TFTP server.
Action: No recommended action

DIP

The following messages relate to dynamic IP (DIP) addresses.

Notification

Message: DIP <ip_addr1>-<ip_addr2> has been { added | modified | deleted }.
Meaning: An administrator has added, modified, or deleted the DIP pool consisting of the specified range of IP addresses.
Action: No recommended action

DNS

The following messages concern Domain Name System (DNS) settings.

Information

Message: DNS entries have been { manually | automatically } refreshed.
Meaning: An admin has refreshed the entries in the DNS table, or the NetScreen device has refreshed the entries through a scheduled operation.
Action: No recommended action

Notification

Message: Daily DNS lookup time has been changed.
Meaning: An administrator has changed the time when the NetScreen device performs the daily DNS lookup, resolving domain names with IP addresses in its DNS table.
Action: No recommended action

Message: Daily DNS lookup has been disabled.
Meaning: An administrator has disabled the automatic daily lookup of entries in the DNS table.
Action: To refresh the DNS table, an admin must manually invoke the DNS lookup operation.

Message: { Primary | Secondary } DNS server IP has been changed.
Meaning: An administrator has changed the IP address of the primary or secondary DNS server.
Action: No recommended action

Message: DNS cache table has been cleared.
Meaning: An administrator has cleared the DNS entries stored in the cache.
Action: No recommended action

Message: DNS has been refreshed.
Meaning: The NetScreen device has just performed a DNS lookup and refreshed its DNS table of domain name to IP address mappings.
Action: No recommended action

FIREWALL

The following messages concern firewall settings and reports of attacks.

Emergency

Message: SYN flood has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol TCP, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of SYN packets arriving at the specified interface from the specified source IP address and port, destined for the specified IP address and port, and using Transmission Control Protocol (TCP). The number indicates how many consecutive times per second the internal timer detected SYN packets in excess of the SYN attack alarm threshold.
Action: First determine if a valid SYN flood attack triggered the alarm. If the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm. In that case, you might want to adjust the SYN flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message: Teardrop attack has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected a Teardrop attack at the specified interface, from the specified source IP address and port, destined for the specified IP address and port, and using the specified protocol.
(Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number of times the attack occurred indicates how many consecutive fragmented packets per second the NetScreen device received and was unable to reassemble because of discrepant fragment sizes and offset values. A Teardrop attack exploits the reassembly of fragmented packets, altering the offset values used when recombining fragments so that the target device cannot successfully complete the reassembly procedure. A flood of such packets can force the target device to expend all its resources on reassembling fragmented packets, causing a denial-of-service (DoS) for legitimate traffic.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message: Ping of Death has been detected! From <ip_addr> to <ip_addr>, using protocol 1, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an attempted Ping of Death attack at the specified interface, from the specified source IP address, destined for the specified IP address, and using the specified protocol (1). The number of times the attack occurred indicates how many consecutive oversized ICMP echo requests (or PINGs) per second the NetScreen device received. When encountering a Ping of Death attack, the NetScreen device detects grossly oversized ICMP packets and rejects them.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).
Alert

Message: Winnuke attack has been detected! From <ip_addr> to <ip_addr>, using protocol 139, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and corrected the overlapping offset value of a NetBIOS Session Service (port 139) packet from the specified source IP address, destined for the specified address, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected incidents of spoofed IP packets.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message: IP spoofing has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and rejected a packet having a source IP address and arriving at an interface that conflicts with the NetScreen route table. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected incidents of spoofed IP packets.
Action: If the IP spoofing continues long enough and you consider it worth the effort, contact your upstream service provider to initiate a backtracking operation, basically tracking packets with the spoofed address from router to router back to their actual source. When the source is located, investigate it to determine if it is the instigator or merely an innocent and unwitting pawn hosting a “zombie agent” controlled by another device.
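As an added example that is not part of this guide, the Python below turns the attack alarms of this chapter (including the later port scan and address sweep variants, whose messages omit the destination or the port numbers) into structured events with their severity, and applies the false-alarm versus attack rule from the flood Action text. The log lines, interface name and the FEW_SOURCES cut-off are constructed assumptions.

```python
"""Structured parsing and first-pass triage of NetScreen attack alarms.

Added example, not NetScreen code. Message shapes follow this chapter; the
log lines below are constructed, and FEW_SOURCES is an assumed cut-off.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity of each alarm, taken from the level headings in this chapter.
SEVERITY = {
    "SYN flood": "Emergency", "Teardrop attack": "Emergency", "Ping of Death": "Emergency",
    "Winnuke attack": "Alert", "IP spoofing": "Alert", "IP source routing": "Alert",
    "Land attack": "Alert", "ICMP flood": "Alert", "UDP flood": "Alert",
    "Port scan": "Alert", "Address sweep": "Alert",
}
# Alarms whose Action text gives the "few fixed sources vs. many noncontiguous
# sources" rule; every other alarm simply gets "investigate the source".
FLOOD_ALARMS = {"SYN flood", "ICMP flood", "UDP flood"}
FEW_SOURCES = 3  # assumption: this many distinct sources still counts as "a small number"

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<attack> has been detected! From A[:p] [to B[:p]], using protocol X,
# on interface Y. [ The attack occurred N times. ]"  Ports are absent for
# non-TCP/UDP protocols, the destination is absent for address sweeps and
# the count suffix is optional, so all three are optional groups.
_ALARM_RE = re.compile(
    r"(?P<attack>" + "|".join(re.escape(a) for a in SEVERITY) + r") has been detected! "
    r"From (?P<src>" + _IP + r")(?::(?P<sport>\d+))?"
    r"(?: to (?P<dst>" + _IP + r")(?::(?P<dport>\d+))?)?"
    r", using protocol (?P<proto>TCP|UDP|\d+), on interface (?P<iface>[^.,]+)\."
    r"(?: The attack occurred (?P<count>\d+) times\.)?"
)


@dataclass(frozen=True)
class AlarmEvent:
    attack: str
    severity: str
    src: str
    sport: Optional[int]   # None when the protocol is not TCP or UDP
    dst: Optional[str]     # None for address sweeps
    dport: Optional[int]
    proto: str             # "TCP", "UDP" or the protocol number as text
    iface: str
    count: Optional[int]   # None when "[ The attack occurred N times. ]" is absent


def _opt_int(text: Optional[str]) -> Optional[int]:
    return int(text) if text is not None else None


def parse_alarm(line: str) -> Optional[AlarmEvent]:
    """Return the structured alarm in one log line, or None for any other message."""
    m = _ALARM_RE.search(line)
    if m is None:
        return None
    return AlarmEvent(m["attack"], SEVERITY[m["attack"]], m["src"], _opt_int(m["sport"]),
                      m["dst"], _opt_int(m["dport"]), m["proto"], m["iface"].strip(),
                      _opt_int(m["count"]))


def parse_log(text: str) -> List[AlarmEvent]:
    """Parse every line of a log excerpt, skipping lines that are not attack alarms."""
    return [ev for ev in map(parse_alarm, text.splitlines()) if ev is not None]


def triage(events: List[AlarmEvent]) -> Dict[str, str]:
    """Per-alarm first-pass verdict following the chapter's Action text: for floods,
    few sources inside one /24 (an assumed stand-in for "consistently fixed") suggests
    a false alarm and a threshold review; many noncontiguous sources, a real attack."""
    by_attack: Dict[str, List[AlarmEvent]] = defaultdict(list)
    for ev in events:
        by_attack[ev.attack].append(ev)
    verdicts = {}
    for attack, evs in by_attack.items():
        if attack not in FLOOD_ALARMS:
            verdicts[attack] = "investigate-source"
            continue
        sources = {ev.src for ev in evs}
        prefixes = {ev.src.rsplit(".", 1)[0] for ev in evs}  # /24 prefixes
        if len(sources) <= FEW_SOURCES and len(prefixes) == 1:
            verdicts[attack] = "possible-false-alarm-review-threshold"
        else:
            verdicts[attack] = "probable-attack-escalate"
    return verdicts


# Constructed log excerpt (documentation address ranges, invented interface name).
SAMPLE_LOG = """\
SYN flood has been detected! From 203.0.113.7:4123 to 192.0.2.10:80, using protocol TCP, on interface ethernet3. The attack occurred 12 times.
SYN flood has been detected! From 203.0.113.7:4124 to 192.0.2.10:80, using protocol TCP, on interface ethernet3.
Ping of Death has been detected! From 198.51.100.9 to 192.0.2.10, using protocol 1, on interface ethernet3. The attack occurred 3 times.
Port scan has been detected! From 198.51.100.22:40000 to 192.0.2.10, using protocol TCP, on interface ethernet3.
Address sweep has been detected! From 198.51.100.22:40000, using protocol UDP, on interface ethernet3. The attack occurred 2 times.
Teardrop attack has been detected! From 203.0.113.8 to 192.0.2.10, using protocol 47, on interface ethernet3.
ICMP flood has been detected! From 10.1.0.5:0 to 192.0.2.10:0, using protocol 1, on interface ethernet3. The attack occurred 40 times.
ICMP flood has been detected! From 172.16.40.9:0 to 192.0.2.10:0, using protocol 1, on interface ethernet3. The attack occurred 41 times.
Local authentication for user admin was denied.
"""

if __name__ == "__main__":
    for attack, verdict in triage(parse_log(SAMPLE_LOG)).items():
        print(attack, verdict)
```

Feed it the message text after whatever syslog prefix your collector adds; lines that are not attack alarms, such as the authentication message at the end of the sample, are skipped.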
Message: IP source routing has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and blocked a packet having the source route option enabled in its header. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected packets with the source route option enabled in their headers. In IP, the source route option can contain routing information that specifies a different source IP address than that in the packet header. The NetScreen device rejects any packets with this option enabled.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message: Land attack has been detected! From <ip_addr1>:<port_number1> to <ip_addr1>:<port_number1>, using protocol TCP, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and blocked SYN packets whose source IP addresses have been spoofed to be the same as the destination addresses. The packets used TCP and arrived at the specified interface. The number indicates how many consecutive times per second the internal timer detected incidents of spoofed IP packets with identical source and destination IP addresses.
By combining elements of the SYN flood defense and IP spoofing detection, the NetScreen device blocks any attempted attacks of this nature.
Action: If the attack continues long enough and you consider it worth the effort, contact your upstream service provider to initiate a backtracking operation, basically tracking packets with the spoofed address from router to router back to their actual source. When the source is uncovered, investigate it to determine if it is the instigator or merely an innocent and unwitting pawn hosting a “zombie agent” controlled by another device.

Message: ICMP flood has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol 1, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of ICMP echo requests arriving at the specified interface from the specified source IP address and port, and destined for the specified IP address and port. The number indicates how many consecutive times the internal timer detected ICMP echo requests in excess of the ICMP attack alarm threshold.
Action: First determine if a valid ICMP flood attack triggered the alarm. If the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm. In that case, you might want to adjust the ICMP flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message: UDP flood has been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol UDP, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of UDP packets arriving at the specified interface from the specified source IP address and port, destined for the specified IP address and port, and using User Datagram Protocol (UDP). The number indicates how many consecutive times the internal timer detected UDP packets in excess of the UDP attack alarm threshold.
Action: First, determine if this was indeed a UDP flood attack by checking whether the NetScreen device is processing Voice-over-IP (VoIP) or Video over IP (H.323) traffic, which can appear to the device as a flood of UDP traffic. Second, determine if this was an attack by checking if the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server. If so, it might be a false alarm, and you might want to adjust the ICMP flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message: Port scan has been detected! From <ip_addr>:<port_number> to <ip_addr>, using protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of port scans arriving at the specified interface from the specified source IP address and port, destined for the specified IP address, and using the specified protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected ports being scanned in excess of the port scan alarm threshold.
Action: Investigate the source IP address.
If the address belongs to a server, verify that it is not infected with a port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and resolve the issue with the owner of the address.
Note: If you enable logging on your basic inbound “deny any” policy, all inbound denied packets are logged in the logging table associated with that policy. This allows you to check for patterns of activity and more easily discern suspicious activity from innocent activity.

Message: Address sweep has been detected! From <ip_addr>:<port_number>, using protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of IP address scans arriving at the specified interface from the specified source IP address and port, and using the specified protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected IP addresses being scanned in excess of the address sweep alarm threshold.
Action: Investigate the source IP address. If the address belongs to a server, verify that it is not infected with a port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and resolve the issue with the owner of the address.
Note: If you enable logging on your basic inbound “deny any” policy, all inbound denied packets are logged in the logging table associated with that policy. This allows you to check for patterns of activity and more easily discern suspicious activity from innocent activity.

Critical

Message: HTTP packet containing a malicious URL has been detected and blocked! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol { TCP | UDP | <protocol_number> }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and rejected a HyperText Transport Protocol (HTTP) packet with a URL containing a malicious string used to attack Web servers. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected packets with such malicious URL strings.
Action: No recommended action

Message: Session threshold has been exceeded! From <ip_addr>:<port_number>, to <ip_addr>:<port_number>, using protocol { TCP | UDP | <protocol_number> }, and arriving at interface <interface_name>. [ The threshold was exceeded <number> times. ]
Meaning: The NetScreen device has detected an excessive number of packets from the same source IP address, destined for the specified IP address, using the specified protocol, and arriving at the specified interface. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected packets in excess of the session threshold.
Action: Investigate the source IP address and check the session threshold setting. If the address belongs to a server with a high number of sessions, valid traffic from the address might exceed the threshold. In that case, you might want to adjust the threshold. If the source address raises suspicion, check if it is infected with a port-scanning worm, which can quickly generate thousands of sessions, and notify your network security officer (NSO).

Notification

Message: <Firewall_protection_type> has been { enabled | disabled }.
Meaning: An administrator has either enabled or disabled one of the following firewall protection or packet handling options:
• IP spoofing protection
• WinNuke attack protection
• Teardrop attack protection
• Port scan protection
• Ping of death protection
• IP sweep protection
• IP source route filtering protection
• Java/ActiveX/ZIP/EXE blocking
• SYN flood protection
• Default packet-deny policy
• Land attack protection
• Bypass-others-IPSec option
• ICMP flood protection
• Bypass non-IP traffic option
• UDP flood protection
• Deny policy alarm option
Action: No recommended action

Message: SYN flood { alarm threshold | alarm queue size | timeout value | attack threshold | attack threshold from the same source } has been changed to <number>/second.
Meaning: An admin has changed the SYN flood alarm threshold, alarm queue size, timeout value, attack threshold, or attack threshold from the same source IP address to the specified setting.
Action: No recommended action

Message: { ICMP | UDP } flood alarm threshold from the same source has been changed to <number>/second.
Meaning: An admin has changed the ICMP or UDP flood alarm threshold from the same source IP address to the specified setting.
Action: No recommended action

Message: Logging of { dropped | IKE | SNMP } traffic to self has been { enabled | disabled }.
Meaning: An admin has enabled or disabled the logging of dropped traffic, IKE traffic, or SNMP traffic destined for the NetScreen device.
Action: No recommended action

GLOBAL

The following messages relate to configuration changes to NetScreen-Global Manager and NetScreen-Global PRO central management software.
• “Global PRO” on page 43
• “Global Manager” on page 49

Global PRO

These messages pertain to NetScreen-Global PRO status reports and configuration changes.

Critical

Message: Intruder has attempted to connect to the NetScreen-Global PRO port! From <ip_addr>:<port_number> to <ip_addr>:15400, using protocol { TCP | UDP | <protocol_number> }, at interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an unauthorized attempt to connect to the device via the NetScreen-Global PRO port. The connection attempt was from the specified source IP address and port number, to the specified address and port number (15400 for NetScreen-Global PRO), using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected unauthorized connection attempts to the NetScreen-Global PRO port.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Information

Message: Cannot connect to Global PRO data collector at <ip_addr>.
Meaning: The NetScreen device cannot make a network connection to the NetScreen-Global PRO data collector (DC) at the specified IP address.
Action: Check that the DC IP address settings are correct and that the DC is connected to the network and functioning properly.

Message: Device is not known to Global PRO data collector at <ip_addr>.
Meaning: The NetScreen device is not registered with the NetScreen-Global PRO data collector (DC) at the specified IP address.
Action: Using the NetScreen-Global PRO program, register the NetScreen device with the DC.

Message: Lost connection to Global PRO data collector at <ip_addr>.
Meaning: The TCP connection between the NetScreen device and the NetScreen-Global PRO data collector (DC) at the specified IP address has been lost.
Action: Check that the DC has an active network link, is currently running, is accepting new connections at the specified IP address, and is accessible from the NetScreen device.
Message: Connection to Global PRO data collector at <ip_addr> has timed out.
Meaning: The NetScreen-Global PRO data collector (DC) at the specified IP address has stopped responding to the keep-alive messages sent by the NetScreen device.
Action: Check that the DC has an active network link, is currently running, is accepting new connections at the specified IP address, and is accessible from the NetScreen device.

Message: Lost socket connection to Global PRO data collector at <ip_addr>.
Meaning: Due to network failure, the TCP connection between the NetScreen device and the NetScreen-Global PRO data collector (DC) at the specified IP address has been lost.
Action: Check the network, and make sure that the DC is accessible from the NetScreen device.

Message: Device has connected to the Global PRO { primary | secondary } data collector at <ip_addr>.
Meaning: The NetScreen device has established a TCP connection to either the primary or secondary NetScreen-Global PRO data collector (DC) at the specified IP address.
Action: No recommended action

Message: Connection to Global PRO data collector at <ip_addr> has been closed.
Meaning: An admin has closed the TCP connection between the NetScreen device and the NetScreen-Global PRO data collector at the specified IP address.
Action: No recommended action

Notification

Message: Global PRO { primary | secondary } host has been set to { domain_name | IP_addr }.
Meaning: An administrator has changed the IP address or domain name of the Global PRO primary or secondary host.
Action: No recommended action

Message: Global PRO has been { enabled | disabled }.
Meaning: An administrator has enabled or disabled Global-PRO manageability.
Action: No recommended action

Message: Global PRO { primary | secondary } host has been disabled.
Meaning: An administrator has disabled the Global-PRO primary or secondary host.
Action: No recommended action

Message: User-defined service <service_name> has been { added | removed } from Global PRO distribution.
Meaning: An administrator has either added or removed the specified user-defined service from the Global-PRO protocol distribution table.
Action: No recommended action

Message: Global PRO timeout value has been returned to the default: 30 seconds.
Meaning: An admin has returned the NetScreen-Global PRO timeout value to its default setting of 30 seconds.
Action: No recommended action

Message: Global PRO timeout value has been changed to <number> seconds.
Meaning: An admin has changed the NetScreen-Global PRO timeout value to the specified number of seconds.
Action: No recommended action

Message: Reporting of { the <table_type> table | <alarm_type> alarms | <log_type> logs } to Global PRO has been { enabled | disabled }.
Meaning: An administrator has either enabled or disabled the inclusion of one of the following Global PRO tables, alarms, or logs in reports to NetScreen-Global PRO:
• Protocol distribution table
• Ethernet statistics table
• Attack statistics table
• Flow statistics table
• Policy table
• Attack alarms
• Miscellaneous alarms
• Traffic alarms
• Configuration logs
• Information logs
• Self-Management logs
• Traffic logs
When one of the above tables is enabled, the NetScreen device reports that type of information to the Global PRO data collector (DC). When one of the above tables is disabled, the device does not report that information to the DC.
Action: No recommended action

Global Manager

These messages pertain to NetScreen-Global Manager errors and configuration changes.

Critical

Message: Intruder has attempted to connect to the NetScreen-Global Manager port! From <ip_addr>:<port_number> to <ip_addr>:15397, using protocol { TCP | UDP | <protocol_number> }, at interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an attempt to connect to the device via the NetScreen-Global Manager port. The connection attempt was from the specified source IP address and port number, to the specified address and port number (15397 for NetScreen-Global Manager), using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected unauthorized connection attempts to the NetScreen-Global Manager port.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message: Global Manager error in decoding bytes has been detected.
Meaning: The NetScreen device has detected an error while decoding a message sent from NetScreen-Global Manager.
Action: Check that NetScreen-Global Manager is encoding its messages.

Notification

Message: Reporting of the { network activities | device resources | event logs | summary logs } to Global Manager has been { enabled | disabled }.
Meaning: An administrator has either enabled or disabled the reporting of network activities, device resources, event logs, or summary logs from the NetScreen device to NetScreen-Global Manager.
Action: No recommended action

Message: Global Manager { report port | listen port } has been set to <port_number>.
Meaning: An administrator has set the NetScreen-Global Manager report port or listen port to the specified port number.
Action: No recommended action

Message: The Global Manager keep-alive value has been changed to <number> seconds.
Meaning: An administrator has changed the NetScreen-Global Manager keep-alive value to the specified number of seconds.
The keep-alive value is the interval at which the NetScreen device pings the NetScreen-Global Manager host to ensure continued network connectivity.
Action: No recommended action

Message: Global Manager has been { enabled | disabled }.
Meaning: An administrator has enabled or disabled NetScreen-Global Manager manageability.
Action: No recommended action

Message: Global Manager domain name has been defined as <domain_name>.
Meaning: An administrator has defined the NetScreen-Global Manager domain name as specified.
Action: No recommended action

Message: Global Manager VPN management tunnel has been { enabled | disabled }.
Meaning: An administrator has enabled or disabled management of the NetScreen device through a VPN tunnel to NetScreen-Global Manager.
Action: No recommended action

HIGH AVAILABILITY

The following messages concern high availability (HA) functions and HA-related features.

HA

Critical

Message: Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link.
Meaning: The primary HA link has gone down (perhaps the cable has become disconnected or needs to be replaced) and HA communications have been transferred to the secondary HA link.
Action: Restore the primary HA link as soon as possible.

Information

Message: HA link state has { gone down | come up }.
Meaning: The state of the HA link has changed either from up to down or from down to up.
Action: If the HA link has gone down, restore it as soon as possible.

Notification

Message: HA state of the local NetScreen device has changed from { master | backup | init } to { master | backup | init }.
Meaning: The state of the local NetScreen device, which is a member of a redundant cluster of devices in HA mode, has changed. The three states that a device can be in are as follows:
• Master – The device is actively processing network and VPN traffic.
• Backup – The device is actively backing up the configuration and sessions processed by the master so that it can assume mastership without service interruption if the current master steps down or a failover occurs.
• Init – The device passes through a transitory initial state when it initially joins a cluster, when it rejoins a cluster after rebooting, and when it exceeds the IP tracking failure threshold. While in this state, the devices in the cluster negotiate whether it becomes master or backup.
Action: No recommended action

Message: HA state of the local device has changed to init because IP tracking has failed.
Meaning: The state of the local NetScreen device in a redundant cluster has changed from master or backup to init because it exceeded the IP tracking failure threshold. While in the init state, the device continues to perform IP tracking until it no longer exceeds the failure threshold. At that point, it is promoted to either backup or master, as various factors such as priority settings and MAC values determine.
Action: No recommended action

Message: HA state of the local device has changed to backup because a device with a { higher priority has been detected | lower MAC value has been detected }.
Meaning: The state of the local NetScreen device in a redundant cluster has changed for one of the following two reasons:
• Another device with a higher priority value than that of the local device (which had been acting as master) has been added to the cluster, causing the state of the local device to change from master to backup.
• As two devices with the same device priority settings pass through the initial state, another device with a lower MAC address than that of the local device becomes master, causing the state of the local device to change from init to backup.
Action: No recommended action

Message: HA: Local device has been elected master because no other master exists.
Meaning: The local NetScreen device has become master due to one of the following conditions:
• The previous master has been demoted (possibly due to a failover or IP tracking failure).
• An admin has removed the previous master from the cluster.
• The local device is the first and so far only member of the cluster.
Action: No recommended action

Message: HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster.
Meaning: The local NetScreen device has detected that its MAC address is higher than those of others in its cluster and has been elected backup. In a redundant cluster in which device priority settings are the same and so do not control HA states, devices rely on MAC addresses to determine master and backup roles. The device with the lowest MAC address is elected master. The others become backups.
Action: No recommended action

Message: HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster.
Meaning: The local NetScreen device has detected that its priority value is higher than those of others in its cluster and has been elected backup. In a redundant cluster in which device priority settings control HA states, the device with the priority value closest to 1 is elected master. By default, all devices in HA mode have a priority value of 100.
Action: No recommended action

Message: HA: Local NetScreen device has been elected backup because a master already exists.
Meaning: The local NetScreen device has detected another device in the cluster acting as master, and because the comparison of the priority settings and MAC addresses of the cluster members has not effected a state change, the local device has been elected backup.
Action: No recommended action

Message: HA: Previous master has promoted the local NetScreen device to master.
Meaning: The device acting as master of the redundant cluster issued a command promoting the local NetScreen device to master.
Action: No recommended action

Message: HA cluster ID has been changed to <number>.
Meaning: An admin has changed the ID number of the redundant cluster to which the local NetScreen device belongs to a number between 1 and 255.
Action: No recommended action

Message: Primary HA interface has been changed to { 0 | 1 | 2 }.
Meaning: An admin has changed the primary interface to the trusted (0), untrusted (1), or DMZ (2) interface.
Action: No recommended action

Message: HA: Local device priority has been changed to <number>.
Meaning: An admin has changed the priority setting of the local NetScreen device to a number between 1 and 255.
Action: No recommended action

Message: HA { encryption | authentication } { password | key } has been changed.
Meaning: An admin has changed either the encryption password or key or the authentication password or key used to secure HA communications among members of the same redundant cluster.
Action: No recommended action

Message: Reporting of HA configuration and status changes to NetScreen-Global Manager has been enabled.
Meaning: An admin has enabled the reporting of changes to HA configuration and status to NetScreen-Global Manager.
Action: No recommended action

Path Monitoring

Critical

Message: IP tracking to <ip_addr> has failed.
Meaning: The number of consecutive unanswered ICMP echo requests or ARP requests to the specified IP address has exceeded the tracked IP failure threshold.
Action: Check that the physical network link on the NetScreen device is up and that it is securely connected to adjacent network devices, whose physical links are also up.

Notification

Message: IP tracking to <ip_addr> with interval <seconds>, threshold <number>, weight <number>, interface <Interface_name>, method { ping | ARP } has been added.
Meaning: An admin has added the specified IP address with the following attributes to the list of targeted addresses for IP tracking:
• Interval – the frequency for sending ping or ARP requests to the tracked IP address
• Interface – the interface from which the ping or ARP requests are sent
• Threshold – the number of unanswered ping or ARP requests that indicate a failed attempt to contact the tracked IP address
• Method – the method by which IP tracking to the specified address is performed—either ping or ARP.
• Weight – a value indicating the importance of connectivity to this address in relation to that of others being tracked
Action: No recommended action

Message: Tracked IP <ip_addr> has been deleted.
Meaning: An admin has deleted the specified IP address from the list of addresses targeted for IP tracking.
Action: No recommended action

Message: Tracked IP <ip_addr> options have been changed from int <seconds> thr <number> wgt <number> inf <interface_name> { ping | ARP } to <seconds> <number> <number> <Interface_name> { ping | ARP }.
Meaning: An admin has changed the specified path monitoring options for the specified tracked IP address.
Action: No recommended action

Message: IP tracking has been { enabled | disabled }.
Meaning: An admin has enabled or disabled the IP tracking feature.
Action: No recommended action

Message: IP tracking device failover threshold has been disabled.
Meaning: An admin has disabled the IP tracking device failover threshold. The device failover is now based solely on which device has the greater total of failed attempts to elicit responses from ping or ARP requests to targeted IP addresses.
Action: No recommended action

Message: IP tracking device failover threshold has been set to <number>.
Meaning: An admin has set the IP tracking device failover threshold to the specified number.
A device failover occurs when the master fails to elicit the specified number of consecutive responses from ping or ARP requests to the targeted IP addresses.
Action: No recommended action

IKE

The following messages relate to the Internet Key Exchange (IKE) protocol, one of the three main components of IPSec—the other two are the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols. IKE provides a secure means for the distribution and maintenance of cryptographic keys and the negotiation of the parameters constituting a secure communications channel.

Alert

Message: IKE <ip_addr>: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed.
Meaning: The number of IKE heartbeats that the local NetScreen device has sent to the specified peer through the IPSec tunnel without receiving a response has exceeded the failure threshold. The security associations (SAs) for both Phase 1 and Phase 2 have been removed.
Action: Verify network connectivity to the peer gateway. Check if the peer has changed or deleted the tunnel configuration or rebooted the remote gateway device.

Information

Message: IKE <ip_addr> Phase 1: Certificate received has a different { IP address | FQDN | UFQDN } SubAltName than expected.
Meaning: The local NetScreen device received a certificate from the specified IKE peer that contained a different subject alternative name (SubAltName) than was configured as the IKE ID on the local device. The SubAltName is an alternative name for the subject of a certificate. NetScreen supports the following kinds:
• IP address, such as 209.157.66.170
• Fully Qualified Domain Name (FQDN), such as www.netscreen.com
• User’s Fully Qualified Domain Name (UFQDN), such as [email protected]
Action: Recommend the peer use a certificate with the expected SubAltName or change the IKE ID in the local VPN configuration to match that of the certificate.
Message: IKE <ip_addr> Phase 1: Certificate received has a subject name that does not match the ID payload.
Meaning: The local NetScreen device received a certificate from the specified IKE peer that contained a different subject than the IKE ID sent by the peer. The subject of a certificate can be a distinguished name (DN) composed of a concatenation of the common name elements listed in the request submitted for that certificate. The DN is the identity of the certificate holder.
Action: Advise the peer to change the IKE ID in its VPN configuration to match that of the certificate, or use a certificate with a subject name that matches the IKE ID configured for the VPN.

Message: IKE <ip_addr> Phase 1: Cannot use a preshared key because the peer’s gateway has a dynamic IP address and negotiations are in Main mode.
Meaning: When configuring an IPSec tunnel to the specified remote gateway, which has a dynamically assigned IP address, an admin specified a preshared key and selected Main mode for the Phase 1 negotiations. Authentication via preshared key is not allowed when Main mode is used with a peer at a dynamically assigned IP address.
Action: Reconfigure the VPN using a certificate to authenticate the remote party, or select Aggressive mode for use with preshared key authentication.

Message: IKE <ip_addr> Phase 1: Main mode packet has arrived with ID type { IP address | FQDN | UFQDN | ASN1_DN }, but no user configuration was found for that ID.
Meaning: The NetScreen device has received the packet in Phase 1 Main mode negotiations that specifies the identity of the remote entity. The packet is from a VPN dialup user at the specified address and contains the specified IKE ID type. However, the NetScreen device cannot find a configuration for the VPN dialup user based on the ID received.
NetScreen supports the following four IKE ID types:
• IP address, such as 209.157.66.170
• Fully Qualified Domain Name (FQDN), such as www.netscreen.com
• User’s Fully Qualified Domain Name (UFQDN), such as [email protected]
• Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us
Action: Check that a VPN dialup user has been configured with the specified identity.

Message: IKE <ip_addr> Phase 1: Retransmission limit has been reached.
Meaning: The local NetScreen device has reached the retransmission limit (10 failed attempts) during Phase 1 negotiations with the specified remote peer because the local device has not received a response.
Note: If the local device continues receiving outbound traffic for the remote peer after the first 10 failed attempts, it makes another 10 attempts, and continues to do so until it either succeeds at contacting the remote gateway or it no longer receives traffic bound for that gateway.
Action: Verify network connectivity to the peer gateway. Request the remote gateway admin to consult the log to determine if the connection requests reached it and, if so, why the device did not respond.

Message: IKE <ip_addr> Phase 1: Completed { Aggressive | Main } mode negotiations with a <number>-second lifetime.
Meaning: The NetScreen device and the specified remote gateway have successfully completed Phase 1 negotiations in either Aggressive mode or Main mode with the lifetime of the Phase 1 security association (SA) defined in seconds.
Action: No recommended action

Message: IKE <ip_addr> Phase 1: Discarded a second initial packet, which arrived within 5 seconds after the first.
Meaning: The local NetScreen device received two initial Phase 1 packets from the peer at the specified address within a five-second interval. As a result, the local device dropped the second initial packet.
Action: Verify if the packets came from a legitimate peer gateway.
If so, check the local logs and request the remote gateway admin to check his logs to uncover the cause of the difficulty in completing the Phase 1 negotiations.

Message: IKE <ip_addr> Phase 1: Initiated { Main | Aggressive } mode negotiations.
Meaning: The local NetScreen device has initiated a Phase 1 exchange with the peer at the specified address using either Main mode or Aggressive mode.
Action: No recommended action

Message: IKE <ip_addr> Phase 1: { Aggressive | Main } mode negotiations have failed.
Meaning: The Phase 1 session initiated by the local NetScreen device to the specified peer has failed. The session was in either Main mode or Aggressive mode.
Action: Request the remote admin to consult the event log to determine the cause of the failure.

Message: IKE <ip_addr> Phase 1: Received an invalid RSA signature.
Meaning: The specified IKE peer has sent an invalid RSA signature in Phase 1 Message 5 or 6.
Action: Request the peer to ensure that the RSA private key used to sign the packet pairs with the public key sent in the certificate.

Message: IKE <ip_addr> Phase 1: Vendor ID payload indicates that the peer does not support NAT-T.
Meaning: The local NetScreen device has detected that the IKE peer or VPN dialup client does not support NAT-Traversal (NAT-T). One VPN participant determines if the other supports NAT-T by examining the information in the vendor ID payload exchanged in the first two Phase 1 messages. If the participant supports NAT-T, the payload contains the following MD5 hash of “draft-ietf-ipsec-nat-t-ike-00”: 4485152d 18b6bbcd 0be8a846 9579ddcc
Action: If NAT-T is required for successfully building an IPSec tunnel between the two VPN participants, make sure that the NAT-T option is enabled on the local device and contact the remote peer admin or the VPN dialup user to request that he or she enable NAT-T support there as well.

Message: IKE <ip_addr> Phase 1: Initiated negotiations in { Aggressive | Main } mode.
Meaning: The local NetScreen device has initiated Phase 1 negotiations in either Aggressive mode or Main mode to the specified peer.
Action: No recommended action

Message: IKE <ip_addr> Phase 1: Cannot verify { RSA | DSA } signature.
Meaning: The local NetScreen device cannot verify the RSA or DSA signature sent by the specified IKE peer.
Action: Contact the remote admin to check if he or she sent a certificate with the public key matching the private key used to produce the signature.

Message: IKE <ip_addr> Phase 1: No private key exists to sign packets.
Meaning: The private key needed to create an RSA or DSA signature to authenticate packets destined for the specified IKE peer does not exist. This situation can arise under either of the following conditions:
• The local configuration for the remote gateway specifies a local certificate that an admin later removes.
• There are no local certificates in the certificate store and no local certificate is specified in the remote gateway configuration.
Action: Obtain and load a certificate for use in authenticating IKE packets.

Message: IKE <ip_addr> Phase 1: { RSA | DSA } private key is needed to sign packets.
Meaning: The IKE gateway configurations—locally and remotely—require an RSA or DSA private key to authenticate packets destined for the specified IKE peer. However, only a different type of key pair exists locally (that is, an RSA private key is required, but only a DSA key pair is loaded; or a DSA private key is required, but only an RSA key pair is loaded).
Action: Either change the gateway configuration to specify a key type that is already loaded, or obtain and load the required certificate.

Message: IKE <ip_addr> Phase 1: Received an incorrect public key authentication method.
Meaning: In the first and second Phase 1 messages, the IKE participants agreed to use a preshared key for packet authentication.
Then, in the fifth or sixth message (Main mode) or second or third message (Aggressive mode), the remote peer sent a signature payload, which requires the local device to use a public key (not a preshared key) to authenticate the packet. The NetScreen device, however, does not attempt to authenticate the packet; it drops the packet.
Action: Check if the remote peer is a legitimate IKE peer. If so, contact the remote admin to check if that device has malfunctioned. If not, this might be an ineffectual attack in which the attacker is attempting to force the NetScreen device to consume bandwidth while trying to verify bogus signature payloads.

Message: IKE <ip_addr> Phase 1: IKE { initiator | responder } has detected NAT in front of the { local | remote } device.
Meaning: The local NetScreen device, with NAT-Traversal (NAT-T) enabled and functioning as either an initiator or responder of Phase 1 IKE negotiations, has detected a NAT device in the data path either in front of itself or in front of its remote peer. There are several reasons for IPSec/NAT incompatibility. (For a list of IPSec/NAT incompatibilities, see draft-ietf-ipsec-nat-reqts-00.txt by Bernard Aboba.) If NAT-T is enabled on both IKE participants, IPSec packets are encapsulated within UDP packets, protecting the original IPSec header from modification by NAT devices. Consequently, packet authentication—and communication via the IPSec tunnel—is successful.
Action: No recommended action

Message: IKE <ip_addr> Phase { 1 | 2 }: Aborted negotiations because the time limit has elapsed.
Meaning: The NetScreen device has aborted Phase 1 or Phase 2 negotiations with the specified remote peer because the time limit—60 seconds for Phase 1 and 40 seconds for Phase 2—has elapsed.
Action: Verify network connectivity to the peer gateway. Consult the local log and request the remote gateway admin to consult his or her log to determine why the negotiations timed out before completion.
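The two NAT-T messages in this section (the vendor ID check and the NAT-detection message just above) are easier to reason about with the payload values in hand. The following Python is an added example, not NetScreen code. The vendor ID value is the MD5 hash the guide quotes; the NAT-D computation (a hash over the initiator and responder cookies, the IP address and the UDP port, compared by the receiver against the address it actually observed) is the mechanism of draft-ietf-ipsec-nat-t-ike and is not described in the guide itself, so it is an assumption here, as are the cookies, addresses and the use of MD5 as the negotiated hash.

```python
"""NAT-T capability check and NAT detection for IKE Phase 1.

Added example for this guide; not NetScreen code.  The cookies and addresses
below are constructed.
"""
import hashlib
import ipaddress
import struct

# Vendor ID payload for draft-00, as quoted in the guide.
NAT_T_DRAFT00_VID = bytes.fromhex("4485152d18b6bbcd0be8a8469579ddcc")


def nat_t_vendor_id(draft_name="draft-ietf-ipsec-nat-t-ike-00"):
    """Vendor ID value derived from the draft name: its MD5 digest."""
    return hashlib.md5(draft_name.encode("ascii")).digest()


def peer_supports_nat_t(vendor_id_payloads):
    """True if one of the vendor ID payloads carried in the peer's first Phase 1
    message is the NAT-T draft-00 identifier.  When this is False the device
    logs 'Vendor ID payload indicates that the peer does not support NAT-T'."""
    return any(vid == NAT_T_DRAFT00_VID for vid in vendor_id_payloads)


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload value per the draft: HASH(CKY-I | CKY-R | IP | Port).
    MD5 stands in for the negotiated hash (assumption for this example)."""
    packed = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.md5(packed).digest()


def nat_in_path(cky_i, cky_r, peer_nat_d, observed_ip, observed_port):
    """The peer hashes the address it believes it is sending from; we hash the
    address/port its packet actually arrived from.  A mismatch means a NAT
    device rewrote the packet somewhere in between."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_nat_d


# Constructed Phase 1 cookies.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def demo_nat_detected():
    """Peer sits on a private address; its packets reach us from a public one."""
    sent_by_peer = nat_d_hash(CKY_I, CKY_R, "10.0.0.5", 500)
    return nat_in_path(CKY_I, CKY_R, sent_by_peer, "198.51.100.23", 4500)


def demo_no_nat():
    """Peer's own view of its address matches what we observed."""
    sent_by_peer = nat_d_hash(CKY_I, CKY_R, "198.51.100.23", 500)
    return nat_in_path(CKY_I, CKY_R, sent_by_peer, "198.51.100.23", 500)


if __name__ == "__main__":
    print(nat_t_vendor_id().hex(), demo_nat_detected(), demo_no_nat())
```

Because the cookies are part of the hashed input, a NAT-D value cannot be replayed from one negotiation into another; and because the receiver recomputes it from the packet it saw, neither side has to trust the other's claim about its own address.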
Message: IKE <ip_addr> Phase { 1 | 2 }: Rejected proposals from peer. Negotiations failed.
Meaning: The local NetScreen device has rejected the Phase 1 or Phase 2 proposals sent by the specified IKE peer.
Action: To see the local and remote peers’ Phase 1 proposals, contact the admin of the remote peer and compare configurations, or enter the following CLI commands when both peers participate in the next Phase 1 negotiation:
1. debug ike detail
2. clear dbuf
3. get dbuf stream
4. Check that at least one of the Phase 1 proposals for both peers matches.
5. To stop the debugger, press the ESCAPE key.

Message: IKE <ip_addr> Phase 2: Initiated negotiations.
Meaning: The local NetScreen device has sent the initial message for IKE Phase 2 negotiations to the specified peer.
Action: No recommended action

Message: IKE <ip_addr> Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled.
Meaning: When the local NetScreen device received an IKE Phase 2 message from the specified peer, it could not check for a policy because the id-mode was set to IP or policy-checking was disabled. If the id-mode is set to IP, the remote peer does not send the proxy ID payload when initiating a Phase 2 session. The proxy ID consists of the local end entity’s IP address and netmask, protocol, and port number; and those for the remote end entity. Consequently, the local peer cannot use the information in the proxy ID to match the information in a local policy. If policy-checking is disabled for IKE traffic with the specified peer, the IKE module builds an SA without verifying the policy configuration.
Action: Verify if this is intended behavior. If not, set the id-mode to subnet (set ike id-mode subnet) and enable policy-checking (set ike policy-checking).
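The proxy ID and policy-checking messages in this section describe three outcomes: a proxy ID that matches a policy, a proxy ID for which no policy exists, and policy-checking disabled while several VPN policies point at the same gateway. The following Python is an added example, not NetScreen code, that walks through those outcomes. The guide states what a proxy ID contains but not the exact matching rule, so the rule used here (a policy matches when its source and destination networks contain the proxy ID's local and remote networks, and its protocol and port either agree or are wildcards) is an assumption for the example; the policies and proxy IDs are constructed.

```python
"""Matching an IKE Phase 2 proxy ID against local access policies.

Added example for this guide; not NetScreen code.  POLICIES and the proxy IDs
used with it are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = 0  # wildcard protocol/port in this example


@dataclass(frozen=True)
class ProxyId:
    """Proxy ID as logged by the local device: local end entity, remote end entity."""
    local_net: str
    remote_net: str
    protocol: int
    port: int


@dataclass(frozen=True)
class Policy:
    name: str
    gateway: str    # remote gateway referenced by the tunnel policy
    src_net: str    # local end entity
    dst_net: str    # remote end entity
    protocol: int
    port: int


def _contains(policy_net, proxy_net):
    return ipaddress.ip_network(proxy_net).subnet_of(ipaddress.ip_network(policy_net))


def _agrees(policy_val, proxy_val):
    return policy_val == ANY or policy_val == proxy_val


def find_policy(policies, proxy_id):
    """First policy covering the proxy ID, or None (the device would log
    'No policy exists for the proxy ID received')."""
    for p in policies:
        if (_contains(p.src_net, proxy_id.local_net)
                and _contains(p.dst_net, proxy_id.remote_net)
                and _agrees(p.protocol, proxy_id.protocol)
                and _agrees(p.port, proxy_id.port)):
            return p
    return None


def select_policy(policies, gateway, proxy_id, policy_checking=True):
    """Return (policy, reason).  With policy-checking on, the proxy ID decides.
    With it off, the SA is built without checking, which is only unambiguous
    when exactly one VPN policy refers to the gateway."""
    if policy_checking:
        p = find_policy(policies, proxy_id)
        return (p, "matched" if p else "no policy for proxy ID")
    candidates = [p for p in policies if p.gateway == gateway]
    if len(candidates) == 1:
        return (candidates[0], "policy-checking disabled; single policy")
    if not candidates:
        return (None, "no VPN policy to gateway")
    return (None, "policy-checking disabled but multiple VPN policies to the peer exist")


# Constructed policy set: two tunnel policies to gw-branch, one to gw-hq.
POLICIES = [
    Policy("branch-any", "gw-branch", "10.1.1.0/24", "10.2.2.0/24", ANY, ANY),
    Policy("branch-https", "gw-branch", "10.1.5.0/24", "10.2.2.0/24", 6, 443),
    Policy("hq", "gw-hq", "10.1.0.0/16", "172.16.0.0/16", ANY, ANY),
]

if __name__ == "__main__":
    pid = ProxyId("10.1.1.0/24", "10.2.2.0/24", ANY, ANY)
    print(select_policy(POLICIES, "gw-branch", pid))
    print(select_policy(POLICIES, "gw-branch", pid, policy_checking=False))
```

Running the block shows why the guide insists on one policy per gateway when policy-checking is off: the proxy ID is the only information that distinguishes the two gw-branch policies, and without it the IKE module cannot tell which SA the traffic belongs to.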
Message: IKE <ip_addr> Phase 2: No policy exists for the proxy ID received: local ID (<ip_addr>/<netmask>, <protocol>, <port_number>) remote ID (<ip_addr>/<netmask>, <protocol>, <port_number>).
Meaning: When the local NetScreen device received an IKE Phase 2 message from the specified peer, it detected that no access policy exists matching the attributes specified in the proxy ID payload.
Action: If you intend to allow IPSec traffic between the specified local and remote end entities, configure the necessary access policy.

Message: IKE <ip_addr> Phase 2: Received DH group <value1> instead of expected group <value2> for PFS.
Meaning: While executing a Diffie-Hellman exchange to refresh the cryptographic keys with Perfect Forward Secrecy (PFS) during Phase 2 Messages 1 and 2, the remote peer used a different Diffie-Hellman group than did the local NetScreen device. Consequently, the Phase 2 session has failed.
Action: Change the Phase 2 configuration on the local peer or request the admin for the remote peer to change that configuration so that both employ the same Diffie-Hellman group for PFS.

Message: IKE <ip_addr> Phase 2 msg-id <number>: Received responder lifetime notification.
Meaning: The local NetScreen device has received a responder lifetime notification message from the specified peer. The Phase 2 negotiation is identified by the specified message ID. The notification includes the Phase 2 SA lifetime in both seconds and kilobytes. The peers use the shortest lifetime defined.
Action: No recommended action

Message: IKE <ip_addr> Phase 2 msg-id <number>: Negotiations have failed. Policy-checking has been disabled but multiple VPN policies to the peer exist.
Meaning: An admin has disabled policy-checking although multiple access policies for VPN traffic to the specified peer exist. Consequently, the IKE module cannot find the correct SA for traffic covered by each policy.
Note: Policy-checking must be enabled if multiple policies for VPN traffic to the same gateway exist.
Action: Enable policy-checking or limit the configuration to one policy per remote gateway.

Message: IKE <ip_addr> Phase 2 msg-id <number>: Responded to the first peer message.
Meaning: The local NetScreen device has responded to the specified peer, which sent the first message for Phase 2 IKE negotiations.
Action: No recommended action

Message: IKE <ip_addr> Phase 2 msg-id <number>: Negotiations have failed.
Meaning: The specified Phase 2 negotiations to the identified peer have failed.
Action: Examine the local log and request the remote admin to examine his or her log for possible causes.

Message: IKE <ip_addr> Phase 2 msg-id <number>: Completed negotiations with SPI <number>, tunnel ID <number>, and lifetime <number> seconds/<number> KB.
Meaning: The local NetScreen device has successfully negotiated a Phase 2 session with the specified peer. The Phase 2 session consists of the specified attributes.
Action: No recommended action

Message: IKE <ip_addr>: Dropped packet because remote gateway <name> is not used in any VPN tunnel configurations.
Meaning: The local NetScreen device has discarded an IKE packet sent from the specified remote gateway because the local device does not reference that gateway in any of its VPN tunnel configurations.
Action: Verify that the packet came from a peer with whom you want to establish a VPN. If so, configure a VPN using that gateway.

Message: IKE <ip_addr>: Received incorrect ID payload: { IP address <ip_addr> | FQDN <string> | UFQDN <string> | ASN1_DN <string> } instead of { IP address <ip_addr> | FQDN <string> | UFQDN <string> | ASN1_DN <string> }.
Meaning: The NetScreen device received an incorrect IKE ID payload instead of the one that it was configured to receive.
NetScreen supports the following four IKE ID types:
• IP address, such as 209.157.66.170
• Fully Qualified Domain Name (FQDN), such as www.netscreen.com
• User’s Fully Qualified Domain Name (UFQDN), such as [email protected]
• Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us
Action: Check that the IKE ID configuration is identical on both the local and remote gateway devices.

Message: IKE <ip_addr>: Sent initial contact notification.
Meaning: The local NetScreen device has sent an initial contact notification message to the specified remote gateway. After rebooting, the local device sends an initial contact notification message when contacting a peer for the first time. The message informs the peer that the local device has no previous state with it.
Action: No recommended action

Message: IKE <ip_addr>: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
Meaning: The local NetScreen device has received an initial Phase 1 packet from the specified address. However, because the NetScreen device could not find a matching peer gateway configuration, it rejected the packet.
Action: Review the local VPN configurations to determine if the packet came from a legitimate peer.

Message: IKE <ip_addr>: Heartbeats have been lost <number> times.
Meaning: The IKE heartbeats that the local NetScreen device sends to the specified peer through the IPSec tunnel have been lost the specified number of times.
Action: No recommended action

Message: IKE <ip_addr>: Responded to a packet with a bad SPI after rebooting.
Meaning: The local NetScreen device responded to an IPSec packet with an invalid security parameters index (SPI) number from the specified peer. If configured, this happens after a system reboot for a configurable number of times.
Note: To enable the NetScreen device to respond to an IPSec packet with an invalid SPI, use the following CLI command: set ike respond-bad-spi <number>. When the NetScreen device reboots, it loses any SPI values it had. However, the peers might still try to use SPI values in earlier SAs that have not yet timed out on their devices.
Action If you do not want the NetScreen device to respond to IPSec packets with bad SPI values, modify the configuration.

Message IKE <ip_addr>: Received notify message for DOI <doi_value> <type_value> <msg_text>.
Meaning The device has received one of the following notification messages in the specified Domain of Interpretation (DOI):
Error Types
6. Invalid payload type
7. DOI not supported
8. Situation not supported
9. Invalid cookie
10. Invalid major version
11. Invalid minor version
12. Invalid exchange type
13. Invalid flags
14. Invalid message ID
15. Invalid protocol ID
16. Invalid SPI
17. Invalid transform ID
18. Attributes not supported
19. No proposal chosen
20. Bad proposal syntax
21. Payload malformed
22. Invalid key information
23. Invalid ID information
24. Invalid cert encoding
25. Invalid certificate
26. Cert type unsupported
27. Invalid cert authority
28. Invalid hash information
29. Authentication failed
30. Invalid signature
31. Address notification
Status Types
16384 Connected
24576 Responder lifetime
24577 Replay status
24578 Initial contact
Action For the error notification messages, take action as appropriate for the error described. For the status notification messages, no action is necessary.

Message IKE <ip_addr>: Received a bad SPI.
Meaning The local NetScreen device detected an invalid security parameters index (SPI) number in IPSec traffic from the specified peer.
Action Receiving a few messages of this kind during rekey is normal. However, if you receive a large number of these messages, check the SA status.
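The notify-type table and the bad-SPI advice above are the kind of rule an operator ends up encoding in a log-triage script. The following Python is an added example, not code from this guide or from ScreenOS. It walks constructed event lines shaped like the message templates in this section (real syslog output carries timestamps and other prefixes, which this parser does not handle), splits notify messages into error and status types using the table above, records ID-payload mismatches, and flags peers whose bad-SPI count reaches a threshold. The threshold value, the peer addresses and the exact line format are assumptions.

```python
"""Triage of NetScreen IKE event-log lines (added example, not ScreenOS code)."""
import re
from collections import Counter

# Notify types as listed in the "Received notify message for DOI" entry.
IKE_NOTIFY_ERRORS = {
    6: "Invalid payload type", 7: "DOI not supported", 8: "Situation not supported",
    9: "Invalid cookie", 10: "Invalid major version", 11: "Invalid minor version",
    12: "Invalid exchange type", 13: "Invalid flags", 14: "Invalid message ID",
    15: "Invalid protocol ID", 16: "Invalid SPI", 17: "Invalid transform ID",
    18: "Attributes not supported", 19: "No proposal chosen", 20: "Bad proposal syntax",
    21: "Payload malformed", 22: "Invalid key information", 23: "Invalid ID information",
    24: "Invalid cert encoding", 25: "Invalid certificate", 26: "Cert type unsupported",
    27: "Invalid cert authority", 28: "Invalid hash information", 29: "Authentication failed",
    30: "Invalid signature", 31: "Address notification",
}
IKE_NOTIFY_STATUS = {16384: "Connected", 24576: "Responder lifetime",
                     24577: "Replay status", 24578: "Initial contact"}

# Line shapes are assumed: the message templates with the prefixes stripped.
NOTIFY_RE = re.compile(
    r"^IKE (?P<peer>[\d.]+): Received notify message for DOI (?P<doi>\d+) (?P<type>\d+) (?P<text>.*?)\.?$")
BAD_SPI_RE = re.compile(r"^IKE (?P<peer>[\d.]+): Received a bad SPI\.$")
ID_RE = re.compile(
    r"^IKE (?P<peer>[\d.]+): Received incorrect ID payload: (?P<got>.+?) instead of (?P<want>.+?)\.$")


def classify_notify(type_value):
    """Return ('error' | 'status' | 'unknown', name) for an IKE notify type value."""
    if type_value in IKE_NOTIFY_ERRORS:
        return "error", IKE_NOTIFY_ERRORS[type_value]
    if type_value in IKE_NOTIFY_STATUS:
        return "status", IKE_NOTIFY_STATUS[type_value]
    return "unknown", ""


def triage(lines, bad_spi_threshold=10):
    """Walk log lines and return the findings a tunnel admin would act on."""
    findings = {"notify_errors": [], "id_mismatches": [], "bad_spi_peers": []}
    bad_spi = Counter()
    for line in lines:
        line = line.strip()
        m = NOTIFY_RE.match(line)
        if m:
            kind, name = classify_notify(int(m["type"]))
            if kind == "error":  # status notifications need no action
                findings["notify_errors"].append((m["peer"], int(m["type"]), name))
            continue
        m = BAD_SPI_RE.match(line)
        if m:
            bad_spi[m["peer"]] += 1
            continue
        m = ID_RE.match(line)
        if m:
            findings["id_mismatches"].append((m["peer"], m["got"], m["want"]))
    # A few bad-SPI messages during rekey are normal; many suggest an SA problem.
    findings["bad_spi_peers"] = sorted(p for p, n in bad_spi.items() if n >= bad_spi_threshold)
    return findings


# Constructed sample log (assumed peers and line format, not captured output).
SAMPLE_LOG = [
    "IKE 10.1.1.2: Received notify message for DOI 1 16384 CONNECTED.",
    "IKE 10.1.1.2: Received notify message for DOI 1 19 NO_PROPOSAL_CHOSEN.",
    "IKE 10.1.1.2: Received notify message for DOI 1 24578 INITIAL_CONTACT.",
    "IKE 10.1.1.3: Received incorrect ID payload: FQDN vpn.example.net instead of IP address 10.1.1.3.",
] + ["IKE 10.1.1.4: Received a bad SPI."] * 12 + ["IKE 10.1.1.2: Received a bad SPI."] * 2

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Status notifications are deliberately dropped from the findings because the guide says they need no action; the threshold only matters for the bad-SPI count, where the guide distinguishes a handful during rekey from a sustained stream.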
Message IKE <ip_addr>: Sent initial contact notification message.
Meaning The local NetScreen device has sent an initial contact notification message to the specified peer because this is the first time for the local device to contact that peer.
Action No recommended action

Message IKE <ip_addr>: Added the initial contact task to the task list.
Meaning The IKE module in the local NetScreen device has added to the task list the transmission of an initial contact notification message for the Phase 1 SA being negotiated. The device sends the initial contact notification message in either the fifth message (when the device is the initiator) or the sixth message (when it is the responder) of Main mode message exchanges. When using Aggressive mode, it sends the notification after the Phase 1 negotiations are completed.
Action No recommended action

Message IKE <ip_addr>: Added Phase 2 session tasks to the task list.
Meaning The IKE module in the local NetScreen device has added the task to start a Phase 2 session with the specified peer to the task list for the Phase 1 SA being negotiated.
Action No recommended action

Message IKE <ip_addr>: Phase 2 negotiation request is already in the task list.
Meaning The IKE module in the local NetScreen device, when attempting to add a Phase 2 negotiation task to its task list, discovered that the list already contained an identical task for the specified peer. When beginning Phase 1 negotiations, the NetScreen device adds the tasks that the Phase 1 security association (SA) must do to its Phase 1 task list. One such task is to perform Phase 2 negotiations. If Phase 1 negotiations progress too slowly, local traffic might initiate another Phase 2 SA request to the IKE module. If so, before the NetScreen device adds the Phase 2 task to its task list, it will discover that an identical task is already in the list and refrain from adding the duplicate.
Action Check if the IKE Phase 1 negotiations with that peer have successfully completed.

Message IKE <ip_addr>: Received initial contact notification and removed Phase { 1 | 2 } SAs.
Meaning The local NetScreen device has received an initial contact notification message from a peer and removed all IKE Phase 1 or Phase 2 security associations (SAs) for that peer.
Note: When the NetScreen device receives an initial contact notification message, it removes all Phase 1 and Phase 2 SAs. However, because the removal of Phase 1 and Phase 2 SAs occurs separately, the NetScreen device logs both removals separately.
Action No recommended action

Message IKE <ip_addr>: Removed Phase 2 SAs after receiving a notification message.
Meaning The local NetScreen device has received a notification message from a peer and removed all IKE Phase 2 security associations (SAs) for that peer. A notification to remove Phase 2 SAs can occur when the lifetime of a Phase 2 SA expires or when the peer manually deletes an SA before it expires. (To delete a specific SA, use the CLI command clear sa <id_number>. To delete all SAs, use the command clear ike all.)
Action No recommended action

Message IKE <ip_addr>: Rejected first Phase 1 packet from an unrecognized source.
Meaning The local NetScreen device has rejected the first IKE Phase 1 message from a source that does not match any configured VPN gateways.
Action Check your VPN configurations and investigate if you want to build a security association (SA) with the peer at the address from which the message originated.

Message IKE <ip_addr>: Dropped peer packet because no policy uses the peer configuration.
Meaning The local NetScreen device has dropped a packet from the specified IKE peer because no access policy using that peer can be found.
Action If you intend to establish a security association (SA) with the specified peer, verify that an access policy permitting traffic via that peer exists and is positioned correctly in the access control list (ACL).

Message IKE <ip_addr>: Heartbeats have been disabled because the peer is not sending them.
Meaning The local NetScreen device has detected that the specified peer has not enabled IKE heartbeat transmission, so the local device has also disabled heartbeat transmission to that peer. Both ends of the IPSec tunnel must enable IKE heartbeat transmission for this feature to remain active. If the local peer detects that the remote peer has not enabled this feature, the local peer automatically ceases heartbeat transmission.
Action No recommended action

Message IKE <ip_addr>: Changed heartbeat interval to <number>.
Meaning After detecting that the specified peer is using a shorter heartbeat interval than was originally configured locally, the local device has adjusted its rate of heartbeat transmission to that peer.
Action No recommended action

Message Local gateway IP address has changed to 0.0.0.0. VPNs cannot terminate at an interface with IP 0.0.0.0.
Meaning An admin has changed the IP address used for VPN termination on the local device to 0.0.0.0. Consequently, no VPN traffic can reach or leave the device. If the device is in NAT or Route mode, the admin has changed the IP address of the untrusted interface to 0.0.0.0/0. If the device is in Transparent mode, the admin has changed the system IP address to 0.0.0.0.
Action If you made the change by mistake, return the changed address to its previous setting. If you made the change intentionally (for example, you changed the operational mode from NAT or Route mode to Transparent mode) and you want to maintain VPN activity with existing peers, set a valid IP address and notify all remote gateway admins of the address change so they can reconfigure their VPN configurations.
Message Local gateway IP address has changed from 0.0.0.0 to another setting.
Meaning An admin has changed the IP address that the local device can use for VPN termination from 0.0.0.0 to another address.
Action No recommended action

Notification

Message IKE key <key_id> has been deleted.
Meaning An admin has deleted the specified IKE key.
Action No recommended action

Message IKE <ip_addr>: Gateway settings have been modified.
Meaning An admin has modified the settings for the specified remote IKE gateway.
Action No recommended action

INTERFACE

The following messages relate to interface configurations.

Notification

Message IP for interface <interface_name> has been changed from <ip_addr1> to <ip_addr2>.
Meaning An administrator has changed the IP address for the specified interface.
Action No recommended action

Message Netmask for interface <interface_name> has been changed from <mask1> to <mask2>.
Meaning An administrator has changed the netmask for the specified interface.
Action No recommended action

Message Manage IP for interface <interface_name> has been changed from <ip_addr1> to <ip_addr2>.
Meaning An administrator has changed the manage IP address for the specified interface.
Action No recommended action

Message Gateway IP for interface <interface_name> has been changed from <ip_addr1> to <ip_addr2>.
Meaning An administrator has changed the IP address of the gateway for the specified interface.
Action No recommended action

Message Interface <interface_name> with IP <ip_addr> <mask> [ tag <802.1Q_tag> ] has been created.
Meaning An administrator has created the specified interface. It has the specified IP address and netmask, and (optionally) the specified VLAN tag.
Action No recommended action

Message Interface <interface_name> has been removed.
Meaning An administrator has removed the specified interface.
Action No recommended action

Message Maximum bandwidth <mbw> kbps on interface <interface_name> is less than the total guaranteed bandwidth <gbw> kbps.
Meaning The specified interface bandwidth settings are insufficient for the total guaranteed bandwidth specified in the traffic shaping option of the access policies that traverse that interface.
Action Increase the interface bandwidth settings or decrease the traffic shaping bandwidth settings on the access policies.

Message The configured bandwidth setting on the interface <interface_name> has been changed to <cbw> kbps.
Meaning An administrator has changed the configured bandwidth for the specified interface.
Action No recommended action

Message { Global PRO | Ident-reset | NS-Global | Ping | SCS | SNMP | SSL | Telnet | Web } has been { enabled | disabled } on the interface <interface_name>.
Meaning An administrator has either enabled or disabled Global PRO, NS-Global, SCS, SNMP, SSL, Telnet, or Web manageability, or ident-reset or ping functionality for the specified interface.
Action No recommended action

Message The 802.1Q tag for the interface <interface_name> has been removed.
Meaning An administrator has removed the 802.1Q VLAN tag for the specified interface.
Action No recommended action

Message The 802.1Q tag for the interface <interface_name> has been changed to <tag>.
Meaning An administrator has changed the 802.1Q VLAN tag for the specified interface to the named tag.
Action No recommended action

Message 802.1Q VLAN trunking for the interface <interface_name> has been turned on.
Meaning An administrator has enabled 802.1Q VLAN trunking for the specified interface. Note that this option is only available in Transparent mode.
Action No recommended action

Message 802.1Q VLAN trunking for the interface <interface_name> has been turned off.
Meaning An administrator has disabled 802.1Q VLAN trunking for the specified interface.
Note that this option is only available in Transparent mode.
Action No recommended action

Message The operational mode for the interface <interface_name> has been changed to { Route | NAT }.
Meaning An administrator has changed the operational mode for the specified interface to { Route | NAT }.
Action Check access policy configurations to ensure that they function properly in the new operational mode.

Message DHCP on the interface <interface_name> has been { enabled | disabled }.
Meaning An administrator has { enabled | disabled } DHCP on the specified interface.
Action Check access policy configurations to ensure that they function properly in the new operational mode.

LINK STATUS

The following messages relate to the status of the physical interface links.

Notification

Message The physical state of the interface <interface_name> has changed to { up | down }.
Meaning The physical state of the specified interface has changed from up to down, or from down to up.
Action No recommended action

LOGS

The following messages relate to the event, traffic, and self logs.

Information

Message <log_name> has been cleared.
Meaning An administrator has cleared the named log.
Action No recommended action

MIP

The following messages relate to mapped IP (MIP) addresses.

Information

Message MIP <ip_addr>/<netmask> has been { added | modified | deleted }.
Meaning An administrator has added, modified, or deleted the specified mapped IP address.
Action No recommended action

PKI

The following messages relate to Public Key Infrastructure (PKI).

Critical

Message Cannot load more X509 certificates. The maximum number has been reached.
Meaning An admin has attempted to load more X509 certificates than the maximum allowed (128).
Action Remove any unused or expired certificates before attempting to load new ones.

Message Failed to save the CA configuration.
Meaning An admin attempted to save the configuration for a CA on the NetScreen device, but the device failed to save it.
Action Check the CA configuration settings on the NetScreen device.

Message Failed to send the X509 request file via e-mail.
Meaning An admin attempted to send an X509 request file via e-mail, but the attempt failed.
Action Check the Simple Mail Transfer Protocol (SMTP) configuration settings on the NetScreen device.

Information

Message PKI error message has been received: PKI_CID_VERIFY_CERT_RSP. The peer’s public key cannot be decoded.
Meaning The NetScreen device has generated the message PKI_CID_VERIFY_CERT_RSP, indicating that a peer using a certificate in an IPSec Phase 1 negotiation has sent a public key that the NetScreen device cannot decode.
Action Notify the peer that his or her certificate might be invalid.

Message Cannot find the CA certificate with distinguished name <dn_name>.
Meaning The NetScreen device cannot locate the specified CA certificate because it has not been loaded in the device.
Action Load the required CA certificate in the NetScreen device.

Message Local certificate with distinguished name <dn_name> is invalid.
Meaning The specified local certificate is invalid.
Action Request another local certificate from the CA.

Message PKI error message has been received: <message>.
Meaning The NetScreen device generated one of the following messages:
• The NetScreen device has received an invalid X509 certificate.
• The NetScreen device cannot retrieve the CRL.
• The return packet for an X509 certificate request is empty.
• The CRL contents are invalid.
• The NetScreen device has received an invalid end entity (EE) certificate. (That is, an IPSec peer’s local certificate is invalid.)
• LDAP operation has failed.
• The NetScreen device is unable to decode the issuer CA’s public key.
• LDAP search operation has failed.
• The NetScreen device cannot find the issuer CA certificate for the CRL.
• The NetScreen device failed to retrieve the CRL.
• LDAP bind request has failed.
• The NetScreen device has received an invalid CA certificate.
• The CA is not responding.
• The NetScreen device checked the CRL signature and the signature failed the inspection.
• LDAP server host name is empty.
• LDAP modification: The del operation is not currently supported.
• LDAP modification: The add operation is not currently supported.
Action Check the LDAP and SCEP configurations on the NetScreen device and request the CA admin to check if the CA server is properly configured.

Message Distinguished name <dn_name> in the X509 certificate request is invalid.
Meaning The distinguished name in the X509 certificate request is invalid. The distinguished name is a concatenation of the following elements that together define the subject of the request: name, phone number, unit/department, organization, county/locality, state, country, e-mail address, and IP address.
Action Change one or more of the elements composing the distinguished name in the certificate request.

Message PKCS #7 data cannot be decapsulated.
Meaning The NetScreen device is unable to decapsulate a PKCS #7 packet received from a CA.
Action Contact the CA and request them to retransmit the packet.

Message SCEP_FAILURE message has been received from the CA.
Meaning The CA has responded to a Simple Certificate Enrollment Protocol (SCEP) request with a SCEP_FAILURE message indicating that the X509 certificate request has been rejected.
Action Check the SCEP configuration on the NetScreen device and contact the CA administrator.

Notification

Message X509 { certificate | CRL } cannot be loaded.
Meaning An admin cannot load an X509 certificate or certificate revocation list (CRL) in the NetScreen device.
Action Verify if the certificate or CRL is valid by trying to open it.
If you can open the certificate or CRL, it is valid. If you cannot open it, it is invalid and you must request another one.

Message X509 certificate has been deleted.
Meaning An admin has deleted an X509 certificate from the NetScreen device.
Action No recommended action

Message CA configuration is invalid.
Meaning The configuration on the NetScreen device for the CA is invalid.
Action Check the CA configuration settings on the NetScreen device.

Message In the X509 certificate request, the { name | phone | e-mail | country | state | county/locality | organization | unit/department | IP address | e-mail to } field has been changed from { <name> to none | none to <name> | <name1> to <name2> }.
Meaning An admin has changed the specified common name (CN) field in the X509 certificate request.
Action No recommended action

Message For the X509 certificate request, the raw CN setting has been changed from { <enabled> to <disabled> | <disabled> to <enabled> }.
Meaning An admin has enabled or disabled the use of the certificate name alone (as opposed to a concatenation of all the common names) as the distinguished name (DN) of the X509 certificate request.
Action No recommended action

Message The X509 certificate validation level has been changed from { full to partial | partial to full }.
Meaning An admin has changed the certificate validation level either from full to partial or from partial to full. “Full” means that the NetScreen device validates a peer’s certificate by checking all the CAs in the hierarchical PKI validation path of the peer’s certificate until it verifies the root CA certificate, which must be loaded on the NetScreen device. “Partial” means that the NetScreen device verifies only the first CA certificate in the hierarchical PKI validation path of a peer’s certificate; that CA certificate must be loaded on the NetScreen device to be verified.
Action No recommended action

Message Default LDAP server name managing the CRL has been changed from { <ip_addr1> to <ip_addr2> | <domain_name1> to <domain_name2> }.
Meaning An admin has changed the IP address or domain name of the default LDAP server that manages the certificate revocation list (CRL).
Action No recommended action

Message Default LDAP server CRL URL has been changed from <url1> to <url2>.
Meaning An admin has changed the URL on the default LDAP server at which the certificate revocation list (CRL) is accessed.
Action No recommended action

Message Default CRL refresh frequency has been changed from <interval1> to <interval2>.
Meaning An admin has changed the frequency for checking the CRL on the default LDAP server. The options are daily, weekly, monthly, and default, which uses the frequency that the CA specifies.
Action No recommended action

Message The { CA | RA } CGI URL for SCEP requests has been changed from <url1> to <url2>.
Meaning An admin has changed the HTTP URL or LDAP URL of the common gateway interface (CGI) on the CA server for either the certificate authority (CA) or registration authority (RA). The CGI identifies the script path used by the CA server to process the incoming Simple Certificate Enrollment Protocol (SCEP) request.
Action No recommended action

Message The { CA IDENT | Challenge password } for SCEP has been changed from <string1> to <string2>.
Meaning An admin has changed the CA IDENT or the Challenge password. The CA IDENT uniquely identifies the initiator of a Simple Certificate Enrollment Protocol (SCEP) request to the responding CA server. The end entity (EE) can use the challenge password, included in the PKCS #10 certificate request, to validate its identity when requesting the CA to revoke the EE’s certificate.
Action No recommended action

Message DSS checking of CRLs has been changed from { 0 to 1 | 1 to 0 }.
Meaning An admin has enabled (1) or disabled (0) the use of digital signatures, following the Digital Signature Standard (DSS), to check the integrity of CRL content that the NetScreen device references.
Action No recommended action

Message SCEP mode has been changed from { 0 to 1 | 1 to 0 }.
Meaning An admin has changed the mode for trusting a CA certificate received via the Simple Certificate Enrollment Protocol (SCEP) from auto to manual (0 to 1) or manual to auto (1 to 0). To verify the integrity of a newly loaded CA certificate, you can compare its fingerprint (a hash of part of the certificate) with the hash of the same certificate available elsewhere (such as at the CA’s Web site). If the two hashes match, you can trust that its integrity is intact. Until you have confirmed its integrity, you can determine whether to trust or distrust the CA certificate. When the SCEP mode is set to auto (0), the NetScreen device automatically trusts CA certificates received via SCEP. When the SCEP mode is set to manual (1), the NetScreen device distrusts them until you have confirmed their integrity and manually approved them (set pki auth <cert_id_number> scep authentication { failed | passed }).
Action No recommended action

Message RSA key length has been changed from { 512 | 768 | 1024 | 2048 } to { 512 | 768 | 1024 | 2048 }.
Meaning An admin has changed the bit length of the RSA key pair.
Action No recommended action

Message X509 certificate for ScreenOS image authentication is invalid.
Meaning While attempting to load an X509 certificate to update the DSA key for authenticating the ScreenOS image, the NetScreen device determines the file to be invalid.
Action Request another certificate.

Message The public key used for ScreenOS image authentication cannot be { decoded | loaded }.
Meaning When loading an X509 certificate for updating the DSA key that authenticates the ScreenOS image, the NetScreen device has discerned that the public key within the X509 certificate either cannot be decoded or cannot be loaded.
Action Request another certificate.

Message The public key for ScreenOS image has successfully been updated.
Meaning An admin has successfully updated the DSA key that authenticates the ScreenOS image.
Action Request another certificate.

Message Self-signed X509 certificate cannot be generated.
Meaning An admin has attempted to make an X509 certificate request, which involves the generation of a local certificate to be sent to a CA for signing; however, the NetScreen device cannot generate an X509 certificate.
Action Check that the total number of certificates (CA and local certificates combined) does not exceed the maximum of 128.

Message RA X509 certificate cannot be loaded.
Meaning An admin has attempted to load an X509 certificate, but the NetScreen device has rejected it.
Action Check that the CA certificate and RA certificate are valid by trying to open them. If you can open a certificate, it is valid. However, it might have expired, so also check the expiration date. If you cannot open the certificate, it is invalid and you must request another one.

POLICIES

The following messages relate to the configuration of access policies.

Notification

Message Policy (<id_num>, <direction>, <src_addr> -> <dst_addr>, <service_name>, { permit | deny | tunnel }) has been { added | modified | deleted | enabled | disabled }.
Meaning An admin has added, modified, or deleted an access policy with the following attributes:
• ID – The ID number of the access policy.
• Direction – The direction of traffic to which the policy applies.
• Source Address – The name of the source address from which the traffic is sent.
(Note: If the source address appears as NULL Name, an error has occurred and the NetScreen device cannot find the source address name.)
• Destination Address – The name of the destination address to which the traffic is sent. (Note: If the destination address appears as NULL Name, an error has occurred and the NetScreen device cannot find the destination address name.)
• Service – The kind of traffic (such as HTTP, FTP, or ANY, which means all kinds of traffic).
• Action – The action that the NetScreen device takes when this policy matches traffic received:
- Permitting traffic to pass
- Denying traffic
- Tunneling traffic through a VPN tunnel
- Enabling the policy to take effect
- Disabling the policy from taking effect
Action No recommended action

Message Positions of policies <id_num1> and <id_num2> have been exchanged.
Meaning An administrator has exchanged the positions of the two specified policies in the access control list (ACL).
Action No recommended action

Message Policy <id_num1> has been moved { before | after } <id_num2>.
Meaning An administrator has moved the first specified policy either before or after the second policy in the access control list (ACL).
Action No recommended action

ROUTES

The following messages relate to routing configurations.

Notification

Message Route to <ip_addr>/<mask> [ interface <interface_name> gateway <gw_ip> ] has been { added | deleted | modified }.
Meaning An administrator has { added | deleted | modified } a route to the specified IP address. Optionally, the message can include the interface and gateway IP address through which the route must pass.
Action No recommended action

SCHEDULE

The following messages relate to schedules created for use in access policies.

Notification

Message Schedule <schedule_name> has been { added | modified | deleted }.
Meaning An administrator has added, modified, or deleted the specified schedule.
Action No recommended action

SCS

The following messages relate to the secure command shell (SCS) utility on the NetScreen device. SCS is compatible with secure shell (SSH™), which provides a method for an admin (SSH client) to securely access a NetScreen device (SCS server) remotely over unsecured channels to manage it via the CLI.

Critical

Message NetScreen device failed to { identify itself | send the identification string } to the SSH client at <ip_addr>:<port_number>.
Meaning The NetScreen device, acting as the SCS server, failed to identify itself or send the identification string to the specified SSH client during the SCS connection procedure. This most likely is the result of a low-level internal processing error.
Action Advise the SSH admin user to initiate another connection with the device. If the problem persists, reset the NetScreen device and have the SSH user try again.

Message NetScreen device failed to authenticate the SSH client at <ip_addr>:<port_number>.
Meaning The NetScreen device, acting as the SCS server, was unable to authenticate the specified SSH client during the SCS connection procedure.
Action Advise the SSH admin user to verify that the SSH client software is configured correctly and is using a cipher that the NetScreen device supports (DES and 3DES).

Message Incompatible SSH version <version_string> has been received from the SSH client at <ip_addr>:<port_number>.
Meaning The NetScreen device, acting as the SCS server, has received an incompatible version of the SSH protocol from the specified SSH client during the SCS connection procedure.
Action Advise the SSH user to run SSH version 1 for compatibility with a NetScreen device.

Message Unable to validate cookie from the SSH client at <ip_addr>:<port_number>.
Meaning The specified SSH client sent an invalid cookie during the SCS connection procedure.
Action An attempted security attack might be in progress.
First, validate the source of the connection attempt. If you repeatedly receive this message, you might want to disable SCS until you determine the cause.

Message Failed to retrieve PKA key bound to SSH user <name>. (Key ID=<key_id_number>)
Meaning The NetScreen device unsuccessfully attempted to retrieve the specified PKA key bound to the specified admin user attempting to log in using SCS.
Action Contact NetScreen technical support. For contact information, visit http://www.netscreen.com/support/index.html

Message Failed to { bind | unbind } PKA key { to | from } SSH user <name>. (Key ID=<key_id_number>)
Meaning An administrator unsuccessfully attempted to bind or unbind the specified PKA key to the specified admin user.
Action If binding is the problem, it might be that the specified PKA key is already bound to the specified admin user or that four PKA keys (the maximum) are already bound to him or her. In the latter case, you must first unbind one of the other keys from the user before binding the new one. If unbinding is the problem, verify that the specified key is actually bound to the specified admin user.

Message NetScreen device failed to generate a PKA RSA challenge for SSH user <name>. (Key ID=<key_id_number>)
Meaning The NetScreen device, acting as the SCS server, failed to generate a PKA RSA challenge for the specified SSH user during the SCS connection procedure. The challenge requires the SSH user to respond with an appropriate password to complete the authentication process.
Action Check that the SSH user has the PKA RSA public key that has been bound to that user on the NetScreen device loaded on the SSH client. Also check that the user has configured the client to specify the identity file containing that PKA RSA public key during the login process.
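The SCS messages above (failed client authentication, an invalid cookie, an incompatible SSH version, a failed PKA RSA challenge) are the ones worth counting per source address, and the guide's advice for the cookie message is to validate the source and, if it repeats, consider disabling SCS until the cause is known. The following Python is an added example, not code from this guide or from ScreenOS: it matches constructed event lines shaped like the message templates in this section (it also recognises the session-limit message from the Warning entries), tallies them per client IP, and lists the clients whose repeated bad-cookie events reach a threshold. The threshold, the client addresses, user names, and the exact line format are assumptions.

```python
"""Detection over NetScreen SCS event-log lines (added example, not ScreenOS code)."""
import re
from collections import defaultdict

# Message templates from the SCS section, keyed by a short finding name.
# The regexes assume the templates as printed, without syslog prefixes.
SCS_PATTERNS = {
    "bad_cookie": re.compile(
        r"Unable to validate cookie from the SSH client at (?P<ip>[\d.]+):(?P<port>\d+)"),
    "auth_failed": re.compile(
        r"failed to authenticate the SSH client at (?P<ip>[\d.]+):(?P<port>\d+)"),
    "pka_failed": re.compile(
        r"SSH user (?P<user>\S+) at (?P<ip>[\d.]+):(?P<port>\d+) has failed the PKA RSA challenge"),
    "bad_version": re.compile(
        r"Incompatible SSH version (?P<ver>\S+) has been received from the SSH client at "
        r"(?P<ip>[\d.]+):(?P<port>\d+)"),
    "session_limit": re.compile(
        r"Maximum number of SCS sessions \((?P<max>\d+)\) has been reached\. Connection request "
        r"from SSH user (?P<user>\S+) at (?P<ip>[\d.]+):(?P<port>\d+) has been denied"),
}


def parse_scs_events(lines):
    """Yield (finding, fields) for each line matching one of the known SCS messages."""
    for line in lines:
        for finding, pattern in SCS_PATTERNS.items():
            m = pattern.search(line)
            if m:
                yield finding, m.groupdict()
                break  # the templates do not overlap; one finding per line


def summarize(lines, repeat_threshold=3):
    """Return (per-client finding counts, clients to investigate).

    A client is listed for investigation when its bad-cookie events reach
    repeat_threshold, which is this example's reading of "if you repeatedly
    receive this message" in the guide; the value is an assumption.
    """
    per_client = defaultdict(lambda: defaultdict(int))
    for finding, fields in parse_scs_events(lines):
        if "ip" in fields:
            per_client[fields["ip"]][finding] += 1
    counts = {ip: dict(c) for ip, c in per_client.items()}
    investigate = sorted(ip for ip, c in counts.items()
                         if c.get("bad_cookie", 0) >= repeat_threshold)
    return counts, investigate


# Constructed sample log (assumed addresses, users and line format).
SAMPLE_LOG = [
    "NetScreen device failed to authenticate the SSH client at 203.0.113.7:51022.",
    "Unable to validate cookie from the SSH client at 203.0.113.7:51023.",
    "Unable to validate cookie from the SSH client at 203.0.113.7:51024.",
    "Unable to validate cookie from the SSH client at 203.0.113.7:51025.",
    "Incompatible SSH version SSH-2.0-client has been received from the SSH client at 198.51.100.4:40000.",
    "SSH user ops at 198.51.100.4:40001 has failed the PKA RSA challenge.",
    "Maximum number of SCS sessions (5) has been reached. Connection request from SSH user ops "
    "at 198.51.100.4:40002 has been denied.",
    "Interface ethernet1 has been removed.",  # unrelated event, ignored
]

if __name__ == "__main__":
    counts, investigate = summarize(SAMPLE_LOG)
    for ip, c in counts.items():
        print(ip, c)
    print("investigate:", investigate)
```

Counting by client IP rather than by port matters here because every connection attempt arrives on a fresh ephemeral port; the per-finding breakdown lets an operator tell a misconfigured client (one version or cipher failure) from a source that keeps failing the cookie check.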
Error

Message SSH client at <ip_addr>:<port_number> has failed to make an SCS connection to vsys <name> because SCS cannot generate the host and server keys before timing out.
Meaning The SCS utility was unable to generate the host and server keys for the specified virtual system on the NetScreen device before the connection request timed out.
Action Recommend that the SSH client wait one minute and then attempt another SCS connection.

Message SSH client at <ip_addr>:<port_number> has failed to make an SCS connection because it requested an unsupported cipher.
Meaning The specified SSH client attempted to make an SCS connection to the NetScreen device but failed because it requested a cipher not supported by the NetScreen device.
Action Recommend that the SSH client reconfigure its request, using a cipher supported by the NetScreen device (DES and 3DES), and then attempt another SCS connection.

Message SSH user <name> at <ip_addr>:<port_number> has failed the PKA RSA challenge.
Meaning The specified SSH user has failed the Public Key Authentication (PKA) process while attempting to make an SCS connection to the NetScreen device.
Action It is possible that the SSH user selected the wrong PKA key during the login process. Compare the fingerprint for the PKA key bound to the SSH user and the fingerprint that the SSH user is using to see if they match.

Warning

Message SCS has been { enabled | disabled } for <vsys_name> with <number> PKA keys already bound to <number> SSH users.
Meaning An admin has enabled or disabled SCS for the specified virtual system with the specified number of Public Key Authentication (PKA) keys for the specified number of SSH users. Note that this message only appears if PKA keys are already bound to SSH users in the specified system when SCS is enabled or disabled.
Action If you disable SCS, review the PKA keys to see if you need to keep or discard them.
A large number of keys can consume considerable memory space, which you can reclaim by discarding the unused keys. Also, because SSH clients can no longer log in, you might consider notifying remote administrators running unmanned scripts via their SSH connections. If you enable SCS, after having disabled it earlier, review all the PKA keys and delete any for which you cannot account. Because anyone who has one of the PKA keys can access the NetScreen device, you must ensure that the NetScreen device is only storing keys for valid administrators. Message SSH user <name> at <ip_addr>:<port_number> has requested { password | PKA RSA } authentication, which is not supported for that client. Meaning While attempting to make an SCS connection to the NetScreen device, the specified SSH user requested a mode of authentication—password or PKA RSA—that had not been configured for that user. Action Enable the requested authentication method on the NetScreen device or reconfigure the SSH client application to use the method already enabled on the NetScreen device. 1HW6FUHHQ0HVVDJH/RJ 6&6 Message SSH user <name> at <ip_addr>:<port_number> has unsuccessfully attempted to log in via SCS to vsys <name> using the shared untrusted interface. Meaning The specified SSH user failed to make an SCS connection to the specified virtual system, which shares the untrusted interface with the root system. Action Because the NetScreen device uses the host and server keys of the root system—not those of the virtual system—when sharing the untrusted interface, make sure that the SSH client has the public host key of the root system loaded on its system. To allow SCS management of a virtual system sharing the untrusted interface with the root system, make sure that SCS is enabled at the root level. Optionally, create a separate untrusted subinterface for that virtual system and enable SCS manageability on its untrusted subinterface. Message Maximum number of SCS sessions (5) has been reached. 
Connection request from SSH user <name> at <ip_addr>:<port_number> has been denied. Meaning The maximum number of concurrent SCS sessions is five. Because five SCS connections are currently active, the NetScreen device has denied the connection request from the specified SSH user. Action Advise the admin user to wait for one of the currently active sessions to close before attempting another SCS connection. 5HIHUHQFH*XLGH 6&6 Message SSH client at <ip_addr>:<port_number> has attempted to make an SCS connection to vsys <name> but failed because SCS is not enabled for that vsys. Meaning The specified SSH client has attempted to make an SCS connection to the specified virtual system. However, because SCS is not enabled for that virtual system, the attempt was unsuccessful. Action If you want the SSH client to be able to access the specified virtual system via SCS, enter that virtual system and enable SCS manageability. Message SSH user <name> at <ip_addr>:<port_number> cannot log in via SCS to <vsys_name> using the shared untrusted interface because SCS is disabled. Meaning The specified SSH user has failed to make an SCS connection to the specified virtual system, which shares the untrusted interface with the root system. When SCS is disabled at the root level, it disables SCS manageability for all virtual systems that share the untrusted interface. Note: This message only appears in the event log of the virtual system to which the SSH user attempted to connect. Action To allow an SCS connection to a virtual system sharing the untrusted interface with the root system, make sure that SCS is enabled at the root level. Optionally, create a separate untrusted subinterface for that virtual system and enable SCS manageability on its untrusted subinterface. 1HW6FUHHQ0HVVDJH/RJ 6&6 Message SSH client at <ip_addr> has attempted to make an SCS connection to interface <interface_name> at IP <ip_addr> but failed because SCS is not enabled for that interface. 
Meaning The specified SSH client has attempted to make an SCS connection to the NetScreen device at the specified interface. However, because SCS was not enabled on that interface, the attempt was unsuccessful. Action If you want the SSH client to be able to access the device on the specified interface via SCS, enable SCS manageability for that interface. Message SSH client at <ip_addr>:<port_number> has attempted to make an SCS connection to { the root system| vsys <name> } but failed because SCS was not completely initialized for that system. Meaning The SCS utility was unable to generate the host and server keys for the specified virtual system on the NetScreen device before the connection request timed out. Action Recommend that the SSH client wait one minute and then attempt another SCS connection. Message SCS connection has been terminated for admin user <name> at <ip_addr>:<port_number> Meaning Either the SSH client or the NetScreen device has terminated the SCS connection for the specified admin user. Action No recommended action 5HIHUHQFH*XLGH 6&6 1RWLILFDWLRQ Message SCS has been { enabled | disabled } for { <vsys_name> | root system }. Meaning An admin has enabled or disabled SCS for the specified virtual system or root system. Action No recommended action Message SCS key regeneration interval has been changed from <interval1> to <interval2>. Meaning An admin has changed how often (in minutes) the NetScreen device generates a new SCS server key. Action No recommended action Message SSH user <name> has been authenticated using { password | PKA RSA } from <ip_addr>:<port_number> [ with key ID <key_id_number> ]. Meaning The specified SSH user has logged in to the NetScreen device from the specified IP address and port number via SCS and authenticated himself or herself using either Public Key Authentication (PKA) or a password. If the client uses PKA, the key ID number for the RSA key pair bound to that client and used for SCS authentication is specified. 
Action No recommended action 1HW6FUHHQ0HVVDJH/RJ 6&6 Message SCS PKA key has been { bound to | unbound from } admin user <name>. (Key ID = <key_id_number>) Meaning The root admin has either bound the RSA public key with the specified key ID number to the named admin user or unbound the key from him or her. The admin user uses this key to authenticate himself or herself via Public Key Authentication (PKA) when making an SCS connection to the NetScreen device. Action No recommended action 5HIHUHQFH*XLGH 6HUYLFHV 6(59,&(6 The following messages relate to user-defined and predefined services, and service groups. 6HUYLFHV 1RWLILFDWLRQ Message Service <service_name> has been { added | modified | deleted }. Meaning An administrator has added, modified, or deleted the specified user-defined service. Action No recommended action 6HUYLFH*URXSV 1RWLILFDWLRQ Message Service group <grp_name> has been { added | modified | deleted }. Meaning An administrator has added, modified, or deleted the specified service group. Action No recommended action 1HW6FUHHQ0HVVDJH/RJ 6HUYLFHV 1RWLILFDWLRQ Message Service group <grp_name>: { Added | Deleted } member <service_name>. Meaning An administrator has added the specified service to or deleted it from the named service group. Action No recommended action Message Service group <grp_name> comments have been modified. Meaning An administrator has modified the comments for the specified service group. Action No recommended action Message Service group <grp_name1> group name has been changed to <grp_name2>. Meaning An administrator has changed the name of the service group. Action No recommended action 5HIHUHQFH*XLGH 6103 6103 The following messages pertain to the Simple Network Management Protocol (SNMP). &ULWLFDO Message SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in three seconds. 
Meaning An admin has restored the user-configured SNMP listen port number to the default SNMP listen port number (161). The port number assignment takes three seconds to go into effect. Action Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP requests. Message SNMP listen port has been restored from <port_num1> to <port_num2>. This change goes into effect in three seconds. Meaning An admin has changed the user-configured SNMP listen port number to another user-configured port number. The change of port number assignments takes three seconds to go into effect. Action Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP requests. 1HW6FUHHQ0HVVDJH/RJ 6103 Message SNMP trap port has been changed from <port_num1> to port <port_num2>. Meaning An admin has changed the user-configured SNMP trap port number to another user-configured port number. Action Advise the SNMP admin to change the port number on the SNMP manager at which it receives SNMP traps. ,QIRUPDWLRQ Message SNMP request from <ip_addr>:<port_num> to <ip_addr>:<port_num> has been received, but the SNMP version type is incorrect. Meaning A request from the specified SNMP manager to the SNMP agent located in the specified NetScreen device has been received. However, because NetScreen supports SNMP version 1 and the SNMP manager making the request uses a different version of the protocol (such as SNMP version 2C or SNMP version 3), the agent cannot respond to the request. Action If the request is from a legitimate SNMP manager, advise the admin to use SNMP version 1. Message Response to SNMP request from <ip_addr>:<port_num> to <ip_addr>:<port_num> has failed due to a coding error. Meaning When the NetScreen device responded to an SNMP request, a BER coding/decoding error occurred. BER (Basic Encoding Rules) converts data into bits and bytes and is the transfer syntax for SNMP. Action Advise the SNMP administrator to retry. 
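The checks behind the SNMP messages in this section (version, BER decoding, and the community, host and write-access checks described in the entries that follow) happen in a fixed order on any SNMPv1 agent. The following is an added example, not code from the guide or from ScreenOS: a minimal BER encoder/decoder for the SNMPv1 message header and a function that returns which of this section's outcomes a given request would produce. The community table, the order of the checks and the outcome labels are assumptions for illustration; the wire encoding itself (SNMPv1 carries version 0, the community as an OCTET STRING, GetRequest as context tag 0xA0 and SetRequest as 0xA3) follows RFC 1157.

```python
"""Minimal SNMPv1 message header handling (BER) and the agent-side checks
that produce the outcomes logged in this section. Added example; the
community table and the order of checks are assumptions."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3          # context tags from RFC 1157


def ber_length(n):
    """Encode a length in definite form (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """Minimal two's-complement INTEGER encoding."""
    if value == 0:
        return tlv(INTEGER, b"\x00")
    size = (value.bit_length() + 8) // 8       # leaves room for the sign bit
    return tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def ber_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, content, next_pos). Raises ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def build_request(version, community, pdu_tag, request_id=1):
    """Constructed SNMP message: version, community, PDU with an empty varbind list."""
    pdu = tlv(pdu_tag, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(SEQUENCE, b""))
    return tlv(SEQUENCE, ber_integer(version) + tlv(OCTET_STRING, community) + pdu)


def classify_request(packet, src_ip, communities):
    """Return which outcome from this section a request would produce.

    communities maps name -> {"write": bool, "hosts": set of manager IPs}.
    """
    try:
        tag, msg, _ = ber_read(packet)
        if tag != SEQUENCE:
            raise ValueError("message is not a SEQUENCE")
        vtag, vbytes, pos = ber_read(msg)
        ctag, community, pos = ber_read(msg, pos)
        ptag, _, _ = ber_read(msg, pos)
        if vtag != INTEGER or ctag != OCTET_STRING:
            raise ValueError("unexpected header element types")
        version = int.from_bytes(vbytes, "big", signed=True)
    except ValueError:
        return "coding error"                # BER coding/decoding error
    if version != 0:                         # v1 is 0 on the wire; v2c is 1, v3 is 3
        return "version incorrect"
    if not communities:
        return "no community configured"
    entry = communities.get(community.decode("latin-1"))
    if entry is None:
        return "unknown community"
    if src_ip not in entry["hosts"]:
        return "unknown host"
    if ptag == SET_REQUEST and not entry["write"]:
        return "read-only"
    return "ok"


# Constructed community table for the example (not a real configuration).
COMMUNITIES = {
    "public": {"write": False, "hosts": {"10.1.1.20"}},
    "netops": {"write": True, "hosts": {"10.1.1.21"}},
}
```

Note that the community string is checked before the host list, so a manager that knows a valid community name but is not a listed host produces the "unknown host" message rather than "unknown community"; when triaging these messages, the former means the community string has already been guessed or shared.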
Message: SNMP request from an unknown SNMP community <name> at <ip_addr>:<port_num> to <ip_addr>:<port_num> has been received.
Meaning: A request from the specified SNMP manager has been received by the SNMP agent in the specified NetScreen device. However, the NetScreen device does not recognize the specified SNMP community name.
Action: If the SNMP manager IP address and port number are legitimate, advise the SNMP admin to check the configuration.

Message: NetScreen device at <ip_addr>:<port_num> has responded successfully to SNMP request from <ip_addr>:<port_num>.
Meaning: The SNMP agent in the specified NetScreen device has successfully responded to an SNMP request from the specified SNMP manager.
Action: No recommended action

Message: SNMP community <name> cannot be added because the community list is full.
Meaning: An admin has attempted to add the named SNMP community, but the NetScreen device already has the maximum number of communities configured.
Action: Either remove one of the existing communities and then add the new one, or forgo the attempt.

Message: SNMP host <ip_addr> cannot be added because community <name> is full.
Meaning: An admin has attempted to add the specified host to the named SNMP community, but the community already has the maximum number of hosts allowed.
Action: Either remove one of the existing hosts and then add the new one, or forgo the attempt.

Message: SNMP host <ip_addr> cannot be added to community <name> because of an IP address conflict.
Meaning: An admin has attempted to add the specified host to the named SNMP community, but its IP address duplicates another entry.
Action: Check that the IP address for the host is correct and that it has not already been added to the community.

Message: SNMP host <ip_addr> cannot be removed from community <name> because host cannot be found.
Meaning: An admin has attempted to remove the specified host from the named SNMP community, but the host is not listed in the community.
Action: Check that you are using the correct IP address for the host that you want to remove.

Message: SNMP request has been received from an unknown host in SNMP community <name> at <ip_addr>:<port_num> to <ip_addr>:<port_num>.
Meaning: An SNMP request has been received from a host that presented the named SNMP community string but is not a listed member of that community.
Action: If the SNMP request is from a legitimate SNMP community member, add the IP address for that host to the SNMP community configuration on the NetScreen device.

Message: SNMP request has been received from host <ip_addr>:<port_num> with read-only privileges to <ip_addr>:<port_num>.
Meaning: An SNMP request from a host at the specified IP address and port number, whose community has read-only privileges, has been received at the specified IP address and port number of the NetScreen device.
Action: If you want the host to have read/write privileges, change the configuration on the NetScreen device for that SNMP community to permit it.

Message: SNMP request has been received, but no SNMP community has been configured.
Meaning: The SNMP agent on the NetScreen device has received an SNMP request, but no SNMP communities have been configured yet.
Action: Configure an SNMP community.

Notification

Message: SNMP VPN has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled VPN encryption for SNMP traffic between the SNMP agent (that is, the NetScreen device) and the SNMP manager.
Action: No recommended action

Message: SNMP AuthenTraps have been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the generation of SNMP authentication-failure traps, which the SNMP agent sends when an SNMP manager presents an incorrect community name string.
Action: No recommended action

Message: SNMP { contact | location } description has been modified.
Meaning: An admin has modified the SNMP contact information, such as the NetScreen admin's telephone number or e-mail address, or the information about the physical location of the NetScreen device.
Action: No recommended action

Message: SNMP community <name> attributes (write access, { yes | no }; receive traps, { yes | no }; receive traffic alarms, { yes | no }) have been modified.
Meaning: An admin has modified at least one of the following attributes for the specified SNMP community:
• Read/write privileges (write access, yes) or read-only privileges (write access, no)
• Receiving traps sent from the NetScreen SNMP agent (receive traps, yes) or not receiving traps (receive traps, no), in which case the SNMP manager must request information from the agent
• Receiving traffic alarms sent from the NetScreen SNMP agent (receive traffic alarms, yes) or not receiving traffic alarms (receive traffic alarms, no)
Action: No recommended action

Message: SNMP host <ip_addr> has been { added to | removed from } SNMP community <name>.
Meaning: An admin has added the specified host to the named SNMP community or removed it from the community.
Action: No recommended action

Message: SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in three seconds.
Meaning: An admin has restored the user-configured SNMP listen port number to the default SNMP listen port number (161). The port number assignment takes three seconds to go into effect.
Action: Advise the SNMP admin to change the port number to which the SNMP manager sends its SNMP requests.

Message: SNMP listen port has been changed from <port_num1> to <port_num2>. This change goes into effect in three seconds.
Meaning: An admin has changed the user-configured SNMP listen port number to another user-configured port number. The change of port number takes three seconds to go into effect.
Action: Advise the SNMP admin to change the port number to which the SNMP manager sends its SNMP requests.

Message: SNMP trap port has been restored from <port_num> to default port 162.
Meaning: An admin has restored the user-configured SNMP trap port number to the default SNMP trap port number (162).
Action: Advise the SNMP admin to change the port number on which the SNMP manager receives SNMP traps.

SOFTWARE KEY

The following message relates to software keys used for enhancing functionality or adding optional features to ScreenOS.

Notification

Message: An optional ScreenOS feature has been activated via a software key.
Meaning: An administrator has activated an optional ScreenOS feature by using a software key.
Action: No recommended action

SYSLOG AND WEBTRENDS

The following messages pertain to configuring and enabling the syslog and WebTrends facilities.

Syslog

Notification

Message: Attempt to enable { syslog | traffic logging via syslog } has failed because syslog settings have not yet been configured.
Meaning: An admin has attempted to enable the syslog facility, or traffic logging via syslog, before configuring the syslog settings. Consequently the attempt has failed.
Action: Before attempting to enable syslog or traffic logging via syslog, configure the syslog settings.

Message: { Syslog | Traffic logging via syslog } has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the syslog facility or traffic logging via syslog.
Action: No recommended action

Message: Syslog VPN encryption has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled VPN encryption of all syslog messages sent from the NetScreen device to the syslog host.
Action: No recommended action

Message: Syslog host { IP | domain name | port number } has been changed to { <ip_addr> | <domain_name> | <port_num> }.
Meaning: An admin has changed the IP address or domain name of the syslog host, or the port number to which the NetScreen device sends UDP packets bound for the syslog host.
Action: No recommended action

Message: Syslog { facility | security facility } has been changed to { local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | auth/sec }.
Meaning: An admin has changed the syslog facility or security facility under which messages are sent to the syslog host.
Action: No recommended action

Message: Syslog message level has been changed to { debug | information | notification | warning | error | critical | alert | emergency }.
Meaning: An admin has changed the minimum level of messages sent to the syslog host. The NetScreen device sends the syslog host messages at this level and higher. (The levels rank from lowest to highest as follows: debug, information, notification, warning, error, critical, alert, emergency.)
Action: No recommended action

Message: Socket cannot be assigned for syslog.
Meaning: The NetScreen system cannot allocate an IP socket for the syslog facility.
Action: To free up a socket, close other management facilities that use sockets, such as Telnet or the Web interface, that are not currently in use.

WebTrends

Notification

Message: Attempt to enable WebTrends has failed because WebTrends settings have not yet been configured.
Meaning: An admin has attempted to enable the WebTrends facility before configuring the WebTrends settings. Consequently the attempt has failed.
Action: Before attempting to enable WebTrends, configure the WebTrends settings.

Message: WebTrends has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the WebTrends facility.
Action: No recommended action

Message: WebTrends VPN encryption has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled VPN encryption of all WebTrends messages sent from the NetScreen device to the WebTrends host.
Action: No recommended action

Message: WebTrends host { IP | domain name | port number } has been changed to { <ip_addr> | <domain_name> | <port_num> }.
Meaning: An admin has changed the IP address or domain name of the WebTrends host, or the port number to which the NetScreen device sends UDP packets bound for the WebTrends host.
Action: No recommended action

Message: Socket cannot be assigned for WebTrends.
Meaning: The NetScreen system cannot allocate an IP socket for the WebTrends facility.
Action: To free up a socket, close other facilities, such as Telnet, that are not currently in use.

SYSTEM

The following message pertains to NetScreen system memory.

Critical

Message: System memory is low: <number> bytes allocated out of <number> bytes total.
Meaning: The number of bytes allocated for system memory has surpassed the alarm threshold.
Action: If the memory alarm threshold was set too low, use the set alarm threshold memory <percent_value> command to increase it. (The default is 95% of total memory.) Check whether a firewall attack is in progress. Seek ways to reduce traffic.

USERS

The following messages relate to users and have been divided into several sections:
• Generic User-Related Events
• Dialup Users

Generic User-Related Events

The following messages pertain to events that affect user settings and status at a global level.

Information

Message: The user limit has been exceeded and <ip_addr> cannot be added.
Meaning: (NetScreen-5 and -5XP only) The limit on the number of internal users that can access the NetScreen device has been exceeded. Therefore, a communication attempt from the specified IP address has been denied.
Action: No recommended action

Notification

Message: Authentication idle timeout value in minutes has changed from <value1> to <value2>.
Meaning: An administrator has changed the idle timeout (in minutes) for firewall authentication users.
Action: No recommended action

Dialup Users

The following messages relate to VPN dialup users and dialup user groups.

Notification

Message: The user <user_name> has been { added | modified | deleted }.
Meaning: An administrator has added, modified, or deleted the specified user.
Action: No recommended action

Message: The user group <grp_name> has been { added | modified | deleted }.
Meaning: An administrator has added, modified, or deleted the named dialup user group.
Action: No recommended action

Message: The group member <member_name> has been { added to a group | deleted from a group }.
Meaning: An administrator has added the specified member to a user group or deleted the member from a group.
Action: No recommended action

VIP

The following messages concern virtual IP addresses (VIPs).

Critical

Message: { VIP | VIP load balancing } server <ip_addr> is not responding.
Meaning: The specified VIP server or VIP load-balancing server is not responding to the heartbeat pings sent by the NetScreen device.
Action: Check that the server is powered up, that it is connected to the network, and that its TCP/IP settings are correct.

Information

Message: { VIP | VIP load balancing } server <ip_addr> is now responding.
Meaning: The specified VIP server or VIP load-balancing server has begun responding to the heartbeat pings sent by the NetScreen device.
Action: No recommended action

Notification

Message: VIP (<ip_addr1> <service> <ip_addr2>) has been { added | modified | deleted }.
Meaning: An administrator has added, modified, or deleted the specified VIP.
Action: No recommended action

VIRTUAL SYSTEMS

The following messages relate to virtual system configurations.
Notification

Message: Vsys <vsys_name> has been created.
Meaning: A root-level administrator has created the specified virtual system.
Action: No recommended action

Message: Vsys <vsys_name1> has been changed to <vsys_name2>.
Meaning: A root-level administrator has changed the name of a virtual system.
Action: No recommended action

Message: Vsys <vsys_name> ID has been changed to <new_id>.
Meaning: A root-level administrator has changed the ID of the specified virtual system.
Action: No recommended action

Message: Vsys <vsys_name> has been deleted.
Meaning: A root-level administrator has deleted the specified virtual system.
Action: No recommended action

VLANS

The following messages relate to virtual LANs.

Notification

Message: VLAN tag <number> has been { created | deleted }.
Meaning: An admin has created or deleted the specified VLAN tag.
Action: No recommended action

VPNS

The following messages relate to virtual private networks (VPNs) and VPN-related technologies:
• VPNs
• L2TP

VPNs

The following messages concern IPSec VPN tunnels.

Critical

Message: Replay packets have been detected! From <ip_addr>:<port_number> to <ip_addr>:<port_number>, using protocol { 50 | 51 }, on interface <interface_name>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected Encapsulating Security Payload (ESP, protocol 50) or Authentication Header (AH, protocol 51) packets whose sequence numbers fall outside the acceptance window, on a VPN with the replay protection feature enabled. The packets are from the specified source IP address and port, are destined for the specified IP address and port, use the specified protocol, and entered the NetScreen device at the specified interface. The number indicates how many consecutive times per second the internal timer detected the arrival of packets with sequence numbers outside the acceptable range.
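As an added example (not code from the guide or from ScreenOS) of the check this message reports: the receiver keeps a sliding window of recently accepted sequence numbers, accepts anything newer than the window top, accepts a not-yet-seen number inside the window, and rejects duplicates and anything older than the window. The windowing algorithm is the one described in RFC 2401 Appendix C; the window size of 64, the rejection counter, and the failover simulation (a peer whose outbound counter restarted at 1 while the receiver's window top is already high) are assumptions for illustration.

```python
class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 2401 Appendix C.

    top      highest sequence number accepted so far
    bitmap   bit i set means sequence number (top - i) has already been seen
    rejected packets refused; assumed here to be what the message's
             "occurred <number> times" figure summarises
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.rejected = 0

    def check_and_update(self, seq):
        """Return True and record seq if acceptable, else count it and return False."""
        if seq == 0:                          # 0 is never a valid ESP/AH sequence number
            return self._reject()
        if seq > self.top:                    # newer than anything seen: slide forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # older than the window: replay or stale
            return self._reject()
        if self.bitmap & (1 << offset):       # inside the window but already seen
            return self._reject()
        self.bitmap |= 1 << offset            # late but new: accept exactly once
        return True

    def _reject(self):
        self.rejected += 1
        return False


def run_sequence(seqs, size=64):
    """Feed sequence numbers through one window; return the accept/reject verdicts."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


def simulate_failover(receiver_top=5000, restarted=range(1, 11)):
    """Assumed failover analogue: the receiver has already accepted up to
    receiver_top, then the peer's outbound counter restarts at 1. Every
    packet is older than the window, so each one counts as a replay."""
    window = ReplayWindow()
    window.check_and_update(receiver_top)
    verdicts = [window.check_and_update(s) for s in restarted]
    return verdicts, window.rejected
```

Reordered delivery inside the window (5 then 4) is accepted, a duplicate (3 twice) and a packet that has fallen out of the window are rejected; the failover simulation shows why a run of rejections that starts at the moment the two ends disagree about the sequence-number state is not evidence of an attacker.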
Out-of-sequence packets might indicate that somebody has resent a series of previously intercepted packets, with the intent either of gaining entry to the trusted network or of flooding the NetScreen device to cause a denial of service (DoS).
Action: If the NetScreen device is in high availability (HA) mode in a redundant cluster, check whether a failover has recently occurred. Because packet sequence numbers are not synchronized between master and backup units, all ESP or AH packets for VPNs with the replay protection feature enabled appear out of sequence to the new master. Consequently, the new master registers these packets as components of a replay attack. If no failover has occurred, treat repeated occurrences from the same source as a possible replay or flooding attempt, as described under Meaning.

Information

Message: UDP packets have been received from <src_ip>/<src_port> at interface <name> at <dst_ip>/<dst_port>.
Meaning: UDP packets from the specified IP address and port number have been received at the named interface at the specified IP address and port number.
Action: No recommended action

Message: VPN ID number cannot be assigned.
Meaning: The NetScreen device was unable to assign an ID number to a newly configured VPN.
Action: Check whether the maximum number of VPNs has been reached.

Notification

Message: VPN monitoring frequency has been unset.
Meaning: An admin has returned the VPN monitoring frequency to its default setting. The VPN monitoring feature sends an ICMP echo request (ping) through a VPN tunnel from end to end to check whether the tunnel is up or down. The default setting is one ping per minute.
Action: No recommended action

Message: VPN monitoring for VPN <name> has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the VPN monitoring option for the specified VPN tunnel. VPN monitoring checks whether a VPN tunnel is up or down. If the state changes, an SNMP trap is triggered and the NetScreen device sends a message to an SNMP manager.
Action: No recommended action

Message: VPN monitoring frequency has been set to <number>.
Meaning: An admin has changed the VPN monitoring frequency to the specified number of seconds. The VPN monitoring feature sends an ICMP echo request (ping) through a VPN tunnel from end to end at the specified frequency to check whether the tunnel is up or down.
Action: No recommended action

Message: The DF-BIT for VPN <name> has been { cleared | set | copied }.
Meaning: For the specified VPN tunnel, an admin has cleared or set the Don't Fragment (DF) bit in the outer header of an encapsulated packet, or configured the device to copy the DF bit setting from the inner header to the outer header.
Action: No recommended action

Message: P1 proposal <name> with { preshared key | RSA-sig | DSA-sig }, DH group { 0 | 1 | 2 | 5 }, ESP { NULL | DES | 3DES | AES }, auth { NULL | MD5 | SHA }, and lifetime <number> has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified Phase 1 proposal, or modified at least one of the following Phase 1 proposal attributes:
• Authentication method: preshared key, RSA signature, or DSA signature
• Diffie-Hellman group 1, 2, or 5 (Phase 1 key exchange always uses a DH group; the "DH group 0" value has meaning only for Phase 2 proposals, where it indicates that the proposal does not include Perfect Forward Secrecy (PFS))
• Encryption algorithm, printed after "ESP": NULL, Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES)
• Hash algorithm, printed after "auth": NULL, Message Digest version 5 (MD5), or Secure Hash Algorithm-1 (SHA-1)
• Lifetime (a number of seconds, minutes, hours, or days)
Action: No recommended action

Message: Gateway <name> at <ip_addr> in { main | aggressive } mode with ID: { <peer_id> | none } has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified remote gateway, or modified at least one of its attributes.
Action: No recommended action

Message: P2 proposal <name> with DH group { 0 | 1 | 2 | 5 }, { AH | ESP }, enc { NULL | DES | 3DES | AES }, auth { NULL | MD5 | SHA }, and lifetime { { sec | min | hour | day } <number> | kb <number> } has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified Phase 2 proposal, or modified at least one of the following attributes:
• Diffie-Hellman group 1, 2, or 5. Note: "DH group 0" indicates that no DH group is employed because the proposal does not include Perfect Forward Secrecy (PFS).
• IPSec protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP)
• Encryption algorithm (enc): NULL, Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES)
• Authentication algorithm (auth): NULL, Message Digest version 5 (MD5), or Secure Hash Algorithm-1 (SHA-1)
• Lifetime, either as a time (seconds, minutes, hours, or days) or as a volume of traffic in kilobytes (kb)
Action: No recommended action

Message: VPN <name> with gateway <name>, { no-rekey | rekey }, and p2-proposal <name> has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified VPN, or modified at least one of its attributes.
Action: No recommended action

Message: VPN <name> with gateway <ip_addr> and SPI <local_spi>/<remote_spi> has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified VPN, or modified at least one of its attributes.
Action: No recommended action

Message: IPSec NAT-T for VPN <name> has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the NAT traversal (NAT-T) option for the specified VPN. NAT traversal adds an extra layer of encapsulation, wrapping the original IPSec packet (ESP or AH) inside a UDP packet. Most NAT devices cannot translate ESP or AH packets (neither protocol carries port numbers for the NAT device to rewrite, and AH additionally covers the IP header with its integrity check) and drop them. When the NAT-T option is enabled, the sender encapsulates the ESP or AH packet within a UDP packet. The NAT device recognizes UDP and forwards it. The recipient then strips off the UDP header and processes the inner ESP or AH packet accordingly.
Action: No recommended action

L2TP

The following messages concern the configuration and operation of the Layer 2 Tunneling Protocol (L2TP).

Information

Message: No IP address in L2TP IP pool for user <name>.
Meaning: The PPP server cannot assign an IP address from its address pool to the named L2TP user.
Action: You can enlarge the L2TP default IP pool or assign an IP pool specifically to the user:
• set ippool <name> <start_IP_addr> <end_IP_addr>
• set user <name> remote-settings ippool <name>

Message: No L2TP IP pool for user <name>.
Meaning: There is no L2TP IP address pool on the PPP server for the named L2TP user.
Action: You must create an L2TP IP pool:
• set ippool <name> <start_IP_addr> <end_IP_addr>
• To make that IP pool the default L2TP IP pool: set l2tp default ippool <name>
• To use that IP pool for the specified user: set user <name> remote-settings ippool <name>

Notification

Message: IP pool <pool_name> with range <start_ip-end_ip> has been { created | deleted }.
Meaning: The named IP pool with the specified range of IP addresses has been created or deleted.
Action: No recommended action

APPENDIX A: Emergency Messages

The following list contains page references for the messages at the highest severity level: emergency.
Appendix B: Alert Messages

The following list contains page references for the messages at the second highest severity level: alert.

Appendix C: Critical Messages

The following list contains page references for the messages at the third highest severity level: critical.

Appendix D: Error Messages

The following list contains page references for the messages at the fourth highest severity level: error.

Appendix E: Warning Messages

The following list contains page references for all the messages at the fifth highest severity level: warning.

Appendix F: Information Messages

The following list contains page references for the messages at the second lowest severity level: information.

Appendix G: Notification Messages

The following list contains page references for all the messages at the lowest severity level: notification.
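As an added example that is not part of the NetScreen guide, the following Python script matches syslog lines against the VPN, NAT-T and L2TP IP pool message templates documented in the VPNs and L2TP sections above and turns them into change-audit notes. The "ns-fw:" prefix and the sample lines are constructed, and the weak-algorithm and no-PFS checks are this example's own review policy, not the guide's.

```python
import re
# Regexes for the message templates documented in the guide; <fields> become named groups.
TEMPLATES = {
    "p2_proposal": re.compile(
        r"P2 proposal (?P<name>\S+) with DH group (?P<dh>[0125]), (?P<proto>AH|ESP), "
        r"enc (?P<enc>NULL|DES|3DES|AES), auth (?P<auth>NULL|MD5|SHA), and lifetime "
        r"(?P<life>(?:sec|min|hour|day|kb) \d+) has been (?P<change>added|modified|deleted)\."),
    "vpn_autokey": re.compile(
        r"VPN (?P<name>\S+) with gateway (?P<gateway>\S+), (?P<rekey>no-rekey|rekey), "
        r"and p2-proposal (?P<proposal>\S+) has been (?P<change>added|modified|deleted)\."),
    "vpn_manual": re.compile(
        r"VPN (?P<name>\S+) with gateway (?P<gateway>\S+) and SPI (?P<lspi>\w+)/(?P<rspi>\w+) has been (?P<change>added|modified|deleted)\."),
    "nat_t": re.compile(r"IPSec NAT-T for VPN (?P<name>\S+) has been (?P<change>enabled|disabled)\."),
    "pool_fail": re.compile(r"No (?:IP address in )?L2TP IP pool for user (?P<user>\S+)\."),
    "pool_change": re.compile(r"IP pool (?P<pool>\S+) with range (?P<range>\S+) has been (?P<change>created|deleted)\."),
}

def parse(line):
    """Return (kind, fields) for a line carrying one of the documented messages, else None."""
    for kind, rx in TEMPLATES.items():
        if m := rx.search(line):
            return kind, m.groupdict()
    return None

def assess(kind, f):
    """Turn a parsed message into a note for the change-audit queue, or None if nothing to flag."""
    if kind == "p2_proposal":
        if f["enc"] in ("NULL", "DES") or f["auth"] in ("NULL", "MD5"):
            return f"weak P2 proposal {f['name']}: enc={f['enc']} auth={f['auth']}"
        if f["dh"] == "0":  # guide: DH group 0 means the proposal has no PFS
            return f"P2 proposal {f['name']} has no PFS (DH group 0)"
    if kind == "nat_t" and f["change"] == "disabled":
        return f"NAT-T disabled on VPN {f['name']}"
    if kind in ("vpn_autokey", "vpn_manual", "pool_change"):
        return f"{kind} {f['change']}: {f.get('name') or f.get('pool')}"
    if kind == "pool_fail":  # both L2TP pool messages mean the user got no address
        return f"L2TP address assignment failed for user {f['user']}"
    return None

def audit(lines):
    """Return the review notes for a batch of raw syslog lines, in input order."""
    return [n for n in (assess(*p) for p in map(parse, lines) if p) if n]
# Constructed sample lines: the "ns-fw:" prefix is an assumption, the message bodies follow the guide.
SAMPLE_LINES = [
    "ns-fw: P2 proposal g2-esp-des-md5 with DH group 2, ESP, enc DES, auth MD5, and lifetime sec 3600 has been added.",
    "ns-fw: VPN branch-vpn with gateway branch-gw, rekey, and p2-proposal g2-esp-des-md5 has been added.",
    "ns-fw: IPSec NAT-T for VPN branch-vpn has been disabled.",
    "ns-fw: No IP address in L2TP IP pool for user jdoe.",
]
```

Running `audit(SAMPLE_LINES)` yields one note per sample line; lines that match no documented template are ignored.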
