NetScreen Message Log Reference Guide (ScreenOS), Rev F


NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from

NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Consult the dealer or an experienced radio/TV technician for help.

• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.


Preface

This reference guide documents the log messages that appear in ScreenOS 4.0.0. It serves a dual purpose:

Managing Message Log Databases

It provides a tool for categorizing and filtering messages for administrators using such network management tools as NetScreen-Global Manager, NetScreen-Global PRO, SNMP, syslog, or WebTrends. Because the book is organized by subject, you can quickly find all the messages related to particular areas and filter those into meaningful sections in the database.

For example, you can find all the messages related to firewall status in the Firewall section. All the messages related to VPNs are in the VLANs section.

Understanding Messages

It provides the NetScreen administrator with a comprehensive list of all the messages that the NetScreen system generates with explanations of what the messages mean and what possible actions you might take upon receiving them. You can find appendices at the end of the book organized by severity level. In each appendix, the messages are listed by their message type ID numbers.

For example, if you see a message with the severity level “Notification” and the ID “00001,” you can look it up in the Notification Messages appendix, and see that message 00001 is explained on page 2.

Note: A text file with only message text ships on the documentation CD: NetScreen Messages--Text Only. You can use it to cut-and-paste messages when creating scripts. You must still do some editing for multiple messages that have been combined into a single documented entry.

Organization

The book is organized into the following sections:

• Preface – The Preface explains the purpose of this book, its organization, and the terminology conventions used in all NetScreen documentation.

• Introduction – The Introduction examines the discrete components of a message and the options that affect how a message is displayed.

• Messages – This section contains all the messages organized by subject, then severity level, then message type ID number. For example, Address >> Notification Level >> 00001 (subject >> severity level >> message type ID). Each entry contains the following elements:

– Message – The text of the message that appears in the log.

– Meaning – An explanation of what the message means.

– Action – One or more recommended actions for the administrator to take, when such action is required.

For example, one of the messages found at Address >> Notification Level >> 00001 is the following:

Message Address group <grp_name> has been { added | modified | deleted }.

Meaning An administrator has added, modified, or deleted the specified address group.

Action No recommended action

• Emergency Messages – This appendix lists all the emergency messages by message type ID numbers, allowing you to find any emergency message quickly via its message type ID.

• Alert Messages – This appendix lists all the alert messages by message type ID numbers.

• Critical Messages – This appendix lists all the critical messages by message type ID numbers.

• Error Messages – This appendix lists all the error messages by message type ID numbers.

• Warning Messages – This appendix lists all the warning messages by message type ID numbers.

• Notification Messages – This appendix lists all the notification messages by message type ID numbers.

• Information Messages – This appendix lists all the information messages by message type ID numbers.

This version of the NetScreen Message Log Reference Guide marks the first attempt to document all of the ScreenOS messages. As it stands, this effort continues to be an ongoing project. If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]

Conventions

NetScreen publications use the following conventions to indicate optional and required elements, variables, and options:

• A parameter inside [ ] (square brackets) is optional. This element might appear in the message.

• A parameter inside { } (braces) is required. This element must appear in the message.

• Anything inside < > (angle brackets) is a variable and denotes the type, rather than the exact wording, of the element that appears in the message.

• If there is more than one option for an element inside [ ] and { }, they are separated by a pipe ( | ).

For example, the following three messages can appear in the log:

• Address group sales has been added.

• Address group sales has been modified.

• Address group sales has been deleted.

In this book, these three messages are combined into one and written as follows:

• Address group <grp_name> has been { added | modified | deleted }.

Note that the variable <grp_name> denotes the specific name of the address group (sales in this example). The braces and pipes indicate that one of the elements—added, modified, deleted—must appear in the message.

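The bracket-and-pipe notation above is what makes the documented message templates usable for log matching: a template such as “Address group <grp_name> has been { added | modified | deleted }.” can be compiled into a pattern that recognises all three concrete messages and pulls out the variable. The following is an added example, not code from the guide or from NetScreen; it assumes variable names are single words in angle brackets (as in the guide's examples), treats [ ] as optional, { } as required and | as alternatives, and compiles the template to an anchored regular expression. A second occurrence of the same variable name is suffixed with _2 so the pattern stays valid.

```python
import re

# One token per call: whitespace, a <variable>, a structural bracket or pipe,
# or a run of literal text.
TOKEN_RE = re.compile(r"\s+|<[A-Za-z0-9_]+>|[{}\[\]|]|[^\s<>{}\[\]|]+")


def template_to_regex(template):
    """Translate a documented message template into an anchored regex.

    [ a | b ]  -> (?:a|b)?     optional element
    { a | b }  -> (?:a|b)      required element, one alternative must appear
    <name>     -> (?P<name>.+?) variable (type, not exact wording)
    Whitespace between literal words must be present; whitespace that only
    pads a bracket or pipe in the template is not required in the message.
    """
    tokens = TOKEN_RE.findall(template.strip())
    out, seen = [], {}
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i > 0 else ""
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.isspace():
            if not prev or not nxt or prev in "{[|" or nxt in "}]|":
                continue                        # padding inside a group or around a pipe
            out.append(r"\s*" if prev in "}]" or nxt in "{[" else r"\s+")
        elif tok in "{[":
            out.append("(?:")
        elif tok == "}":
            out.append(")")
        elif tok == "]":
            out.append(")?")
        elif tok == "|":
            out.append("|")
        elif tok.startswith("<"):
            name = tok[1:-1]
            n = seen.get(name, 0)
            seen[name] = n + 1
            group = name if n == 0 else "%s_%d" % (name, n + 1)
            out.append(r"(?P<%s>.+?)" % group)
        else:
            out.append(re.escape(tok))
    return re.compile("^" + "".join(out) + "$")


def match_message(template, text):
    """Return the variables captured from `text`, or None if it does not
    match the template."""
    m = template_to_regex(template).match(text)
    return m.groupdict() if m else None


# Templates copied from this guide; the concrete messages are constructed.
ADDRESS_GROUP = "Address group <grp_name> has been { added | modified | deleted }."
ADMIN_LOGON = ("[ Vsys ] Admin User <name_str> has logged { on | out } "
               "via { Telnet | SCS | console }")

if __name__ == "__main__":
    print(template_to_regex(ADDRESS_GROUP).pattern)
    print(match_message(ADDRESS_GROUP, "Address group sales has been modified."))
    print(match_message(ADMIN_LOGON, "Vsys Admin User joe has logged out via SCS"))
```

Because the variables compile to lazy `.+?` groups inside an anchored pattern, a literal word that follows a variable in the template (“has been” after <grp_name>) is what terminates the capture, so a name containing spaces is still captured whole.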
Admin Information

When a message results from an administrator’s action, the administrator’s name precedes the message and the location from which the administrator acted is included at the end of the message. All such log entries include the following information:

<admin_name>: <message text> from { the console | scs <ip_addr> | telnet <ip_addr> | web <ip_addr> | the master | the backup | the LCD display }.

For example, messages such as the following can appear in the log:

• netscreen: Address group sales has been added from the console.

• joe: Address group sales has been modified from web 10.10.2.171.

• xo: Address group sales has been deleted from the master.

In the messages that follow in this book, the administrator’s name and location have been omitted to avoid unnecessary repetition.

Note: The terms “master” and “backup” denote the status of NetScreen devices configured for high availability (HA) in a redundant cluster. The LCD display is available only on the NetScreen-500.

Note: Not all messages report the results of an admin’s action. For example, a message such as “CPU utilization has reached 90% of capacity” does not include such information because no admin is involved in the event.

Acronyms

NetScreen publications use the following acronyms to represent various concepts, terms, and standards:

Acronym Full Text

3DES Triple Data Encryption Standard

ACK Acknowledge

ACL Access Control List

AES Advanced Encryption Standard

AH Authentication Header

ARIN American Registry of Internet Numbers

AS Autonomous System

AS-PATH Autonomous System Path

BER Basic Encoding Rules

BGP Border Gateway Protocol

CA Certificate Authority

CERT Certificate

CN Common Name (X.509 certificate)

CR Certificate Revocation

CRL Certificate Revocation List

DER Distinguished Encoding Rule

DES Data Encryption Standard

DH Diffie-Hellman

DHCP Dynamic Host Configuration Protocol

DIP Dynamic IP

DN Distinguished Name

DNS Domain Name System

DOI Domain of Interpretation

DoS Denial of Service

DSA Digital Signature Authority

DSS Digital Signature Standard

EE End Entity

ESP Encapsulating Security Payload

FQDN Fully Qualified Domain Name

HA High Availability

HDLC High Level Data Link Control

HTTP HyperText Transfer Protocol

HTTPS HyperText Transfer Protocol Secure

ICMP Internet Control Message Protocol

IKE Internet Key Exchange

IP Internet Protocol

IPSec Internet Protocol Security

L2TP Layer 2 Tunneling Protocol

LDAP Lightweight Directory Access Protocol

LSA Link State Advertisement

MD5 Message Digest 5

MIP Managed IP

NACN NetScreen Address Change Notification

NAT Network Address Translation

NAT-T Network Address Translation - Transparent Mode

NSO Network Security Officer

NSRP NetScreen Redundancy Protocol

NTP Network Time Protocol

OSPF Open Shortest Path First

PFS Perfect Forwarding Secrecy

PKA Public Key Authentication

PKCS Public Key Cryptography Standards

PKI Public Key Infrastructure

PLDAP Primary Connection Lightweight Directory Access Protocol

PM NetScreen Policy Manager

PPP Point-to-Point Protocol

PPPoE Point-to-Point Protocol over Ethernet

RADIUS Remote Authentication Dial-In User Service

RSA Rivest Shamir Adleman (authors of RSA security standard)

RTO Run Time Objects

SA Security Association

SCEP Simple Certificate Enrollment Protocol

SHA Secure Hash Algorithm

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SPI Security Parameter Index

SSH Secure Shell

SSL Secure Socket Layer

TFTP Trivial File Transfer Protocol

UDP User Datagram Protocol

UFQDN User’s Fully Qualified Domain Name

URL Uniform Resource Locator

VIP Virtual IP

VLAN Virtual Local Area Network

VOIP Voice Over IP

VPN Virtual Private Network

VSD Virtual Security Device

VSYS Virtual System

Introduction

The messages explained in this book report events useful for system administrators when recording, monitoring, and tracing the operation of a NetScreen device. The messages provide information regarding the following events:

• Firewall attacks

• Configuration changes

• Successful and unsuccessful system operations

The following sections in the Introduction explain the separate components of each message and the available display options:

• “Anatomy of a Message” on page xviii

• “Display Options” on page xx

• “Traffic Log Messages” on page xxi

Anatomy of a Message

All messages consist of the following elements:

• Date

• Time

• Module

• Severity Level

• Message Type

• Message Text

• The date shows the year-month-day when the event occurred.

• The time shows the hour:minute:second when the event occurred.

• The module shows the device type where the event occurred.

• The severity level places the event in one of eight levels of severity, using the hierarchical structure established by syslog, as shown in the following table.

• The message type displays a code number associated with the severity level.

• The message text displays the content of the event message. The event message includes the administrator’s login name when the administrator performed an action. In the example, the administrator login name is netscreen.

Date Time Module Level Type Description

2001-9-25 12:02:57 system info 00767 netscreen: System Config saved from host 10.100.2.21

Levels Explanation of Levels

0 Emergency The system has become unusable.

1 Alert Immediate action is required.

2 Critical Functionality is affected.

3 Error An erroneous condition exists and functionality is probably affected.

4 Warning Functionality might be affected.

5 Notification Notification of normal events.

6 Information General information about system operations.

7 Debugging Detailed information useful for debugging purposes. (currently not used)

The message type ID provides a number for classifying the category for each type of message. For example, a notification message with ID 00001 indicates that it belongs in the address category. A critical message with ID 00027 indicates that it belongs in the admin category.

You can find a list of message type ID numbers organized by severity level in the indexes at the back of this book:

• “Emergency Messages” on page A-1

• “Alert Messages” on page B-1

• “Critical Messages” on page C-1

• “Error Messages” on page D-1

• “Warning Messages” on page E-1

• “Notification Messages” on page F-1

• “Information Messages” on page G-1

The message text describes the event being reported and often contains detailed information such as IP addresses, port numbers, and specific configuration settings.

Display Options

By default, messages appear as described in the previous section “Anatomy of a Message” on page xviii. Optionally, you can change the message display to include return-address information. This information is useful for debugging purposes. To change the message display to include the return-address, use the following CLI command:

set logging header-format return-address

The message format changes to include the return-address (in bold below) for each message, as the following examples illustrate:

2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.

2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.

2001-9-25 11:28:38 system-information-00527(ra=0x8013b7d8): A DHCP-assigned IP address has been manually released from web 10.2.150.22.

To change the format back to the default style, use the following CLI command:

set logging header-format detail

The messages no longer display the return-address information, as shown below:

2001-9-25 10:56:03 system-critical-00027: Multiple login failures for user jSm1th from 10.100.2.171:80.

2001-9-25 11:00:00 system-notification-00008: The system clock has been updated through NTP.

2001-9-25 11:28:38 system-information-00527: A DHCP-assigned IP address has been manually released from web 10.2.150.22.

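A collector that receives these event messages has to cope with both header formats at once, since the optional (ra=0x…) suffix appears only while the return-address format is enabled, and it needs the severity table from “Anatomy of a Message” to rank events. The following is an added example, not code from the guide or from NetScreen: it parses the module-severity-type header with or without the return-address, splits off the <admin_name>: prefix described under “Admin Information” when present, maps the severity name to its syslog-style level, and filters events at or above a chosen severity. The sample lines are constructed after the guide's examples (the last two are assumptions: one in the default format with an admin-name prefix, one non-ScreenOS line to show that unparsable input is skipped rather than misread).

```python
import re

# Severity names and syslog-style levels from the table in "Anatomy of a
# Message" (0 = most severe).
SEVERITY_LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debugging": 7,
}

# Header "<date> <time> <module>-<severity>-<type id>", optionally followed by
# "(ra=0x...)" when "set logging header-format return-address" is active.
HEADER_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>[a-z]+)-(?P<severity>[a-z]+)-(?P<type_id>\d{5})"
    r"(?:\(ra=(?P<ra>0x[0-9a-fA-F]+)\))?: (?P<text>.*)$"
)

# Optional "<admin_name>: " prefix on messages caused by an admin's action.
ADMIN_RE = re.compile(r"^(?P<admin>[A-Za-z0-9_.-]+): (?P<rest>.+)$")


def parse_event(line):
    """Return the header fields of one event-log line as a dict, or None if
    the line is in neither header format or names an unknown severity."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    level = SEVERITY_LEVELS.get(f["severity"])
    if level is None:
        return None                      # refuse to guess at an unknown level
    admin = ADMIN_RE.match(f["text"])
    return {
        "date": f["date"],
        "time": f["time"],
        "module": f["module"],
        "severity": f["severity"],
        "level": level,
        "type_id": int(f["type_id"]),
        "ra": f["ra"],                   # None in the default "detail" format
        "admin": admin.group("admin") if admin else None,
        "text": admin.group("rest") if admin else f["text"],
    }


def at_or_above(lines, severity):
    """Parse `lines` and keep the events whose severity is `severity` or worse
    (a lower level number is more severe); unparsable lines are dropped."""
    threshold = SEVERITY_LEVELS[severity]
    events = (parse_event(ln) for ln in lines)
    return [e for e in events if e is not None and e["level"] <= threshold]


# Constructed sample: the first three lines follow the guide's examples, the
# fourth is an assumed default-format line carrying an admin-name prefix.
SAMPLE_LOG = [
    "2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.",
    "2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.",
    "2001-9-25 11:28:38 system-information-00527: A DHCP-assigned IP address has been manually released from web 10.2.150.22.",
    "2001-9-25 12:02:57 system-information-00767: netscreen: System Config saved from host 10.100.2.21",
    "this line is not a ScreenOS event and is skipped",
]

if __name__ == "__main__":
    for e in at_or_above(SAMPLE_LOG, "notification"):
        print(e["time"], e["severity"], e["type_id"], e["admin"], e["text"])
```

The type ID is kept as an integer so it can be looked up against the per-severity appendices, and the return address is carried through untouched because its only documented use is debugging.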
Traffic Log Messages

Message logging automatically begins when a device boots up. NetScreen 4.0.0 supports a traffic log which contains entries that have multiple fields in them. An example of an entry and its fields is shown here.

May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 system notification-0025(traffic): start_time=”2001-04-29 16:46:16” duration=88 policy_id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Tunnel(VPN_303) sent=102 rcvd=0 src=192.168.10.10 dst=10.10.10.1 icmp type=8

The following table breaks these fields down and describes them.

Field Example | Field Name | Description

May 10 | Date Stamp | Displays the date when the message was generated.

15:59:26 | Time Stamp | Displays the time when the message was generated. This value is displayed in the following format: HH:MM:SS.

192.168.10.1 | Source IP Address | Displays the IP address of the device that generated the traffic log message.

ns204 | Device Model | Displays the model number of the device that generated the traffic log message.

NetScreen device id=0029012002000170 | Device Serial Number | Displays the ID number of the device which is the 16-digit serial number assigned to the device by NetScreen.

system notification | Severity Level | Displays the severity level of the event which generated the traffic message. Severity levels are: Emergency: The device is unusable. Alert: Immediate action is required to resolve the event on the device. Critical: Functionality on the device is severely affected. Error: An error was reported on the device. Warning: Functionality may be affected on the device. Notification: The event is seen as normal on the device. Information: A general information message about the device. Debug: A message related to debugging a problem on the device.

0025 | Type ID | Displays the error type in a code associated with the type.

(traffic) | Type | Displays the error type in a descriptive string about the error.

start_time=”2001-04-29 16:46:16” | Start Time | Displays the time and date when the traffic began being generated.

duration=88 | Duration | Displays the amount of time in seconds that elapsed since the traffic message was generated.

policy_id=2 | Traffic Policy | Displays the code associated with the policy type that generated the traffic message.

service=icmp | Service | Displays the protocol service used by the device that generated the traffic message. Common services for traffic messages include ICMP, TCP, and UDP.

proto=1 | Protocol Number | Displays the code number associated with the protocol service used by the device that generated the traffic message.

src zone=Trust | Source Zone | Displays the name of the zone from where the error-generating traffic was forwarded.

dst zone=Untrust | Destination Zone | Displays the name of the zone to where the error-generating traffic was forwarded.

action=Tunnel | Policy Action | Displays the action that results on the device from the detection of the error: forward or denial.

(VPN_303) | VPN ID | Displays the code number that identifies the VPN on which the error-generating traffic was running.

sent=102 | Bytes Sent | Displays the number of bytes associated with the error that were sent by the source device.

rcvd=0 | Bytes Received | Displays the number of bytes associated with the error that were received by the destination device.

src=192.168.10.10 | Source IP Address | Displays the IP address of the device sending the traffic associated with the error.

dst=10.10.10.1 | Destination IP Address | Displays the IP address of the device receiving the traffic associated with the error.

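The traffic log line above is a syslog record whose payload is a run of key=value fields, and two details of it trip up naive splitting: some keys contain a space (src zone, dst zone, icmp type), the start_time value is quoted and itself contains a space, and the action field carries the VPN ID in parentheses. The following is an added example, not code from the guide or from NetScreen: it parses the prefix (timestamp, reporting address, model, serial number) and the fields into a dict, converts the numeric fields, separates action from VPN ID, and then summarises a batch of entries by denied flows and bytes per policy. The sample entries are constructed after the guide's example; the second one, with action=Deny and service=telnet, is an assumption used to show a denied flow.

```python
import re

# Everything up to the ": " that introduces the key=value fields. The serial
# number is the 16-digit value after "device_id="; the severity/type segment
# ("system notification-0025" in the guide's sample) is kept verbatim.
PREFIX_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<model>\S+): NetScreen "
    r"device_id=(?P<serial>\d{16}) +(?P<level_and_type>.+?)\((?P<kind>\w+)\): "
    r"(?P<fields>.*)$"
)

# key=value pairs: a key may contain one space ("src zone", "icmp type") and a
# value is either double-quoted (start_time) or runs to the next whitespace.
FIELD_RE = re.compile(
    r'(?P<key>[a-z_]+(?: [a-z_]+)?)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)

# "Tunnel(VPN_303)" carries the VPN ID in parentheses; other actions do not.
ACTION_RE = re.compile(r"^(?P<action>\w+)(?:\((?P<vpn>\w+)\))?$")

INT_FIELDS = ("duration", "policy_id", "proto", "sent", "rcvd", "icmp type")


def parse_traffic(line):
    """Parse one traffic log entry into a dict, or return None when the line
    does not carry the NetScreen traffic-log prefix."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        return None
    entry = {k: m.group(k) for k in ("month", "day", "time", "source_ip",
                                     "model", "serial", "level_and_type", "kind")}
    for f in FIELD_RE.finditer(m.group("fields")):
        quoted, bare = f.group("quoted"), f.group("bare")
        entry[f.group("key")] = quoted if quoted is not None else bare
    for k in INT_FIELDS:
        if k in entry:
            entry[k] = int(entry[k])
    a = ACTION_RE.match(entry.get("action", ""))
    if a is not None:
        entry["action"] = a.group("action")
        entry["vpn"] = a.group("vpn")           # None unless action is Tunnel(...)
    return entry


def parse_all(lines):
    """Parse a batch of lines, silently dropping those that are not entries."""
    return [e for e in (parse_traffic(ln) for ln in lines) if e is not None]


def denied_flows(entries):
    """(src, dst, service) of every entry the policy denied."""
    return [(e["src"], e["dst"], e["service"]) for e in entries if e["action"] == "Deny"]


def bytes_by_policy(entries):
    """Total bytes (sent + received) attributed to each policy ID."""
    totals = {}
    for e in entries:
        totals[e["policy_id"]] = totals.get(e["policy_id"], 0) + e["sent"] + e["rcvd"]
    return totals


# Constructed sample entries patterned on the guide's example line.
SAMPLE_TRAFFIC = [
    'May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 system notification-0025(traffic): start_time="2001-04-29 16:46:16" duration=88 policy_id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Tunnel(VPN_303) sent=102 rcvd=0 src=192.168.10.10 dst=10.10.10.1 icmp type=8',
    'May 18 16:02:11 192.168.10.1 ns204: NetScreen device_id=0029012002000170 system notification-0025(traffic): start_time="2001-04-29 16:48:59" duration=0 policy_id=5 service=telnet proto=6 src zone=Untrust dst zone=Trust action=Deny sent=60 rcvd=0 src=10.10.10.1 dst=192.168.10.10',
    'May 18 16:03:40 192.168.10.1 ns204: NetScreen device_id=0029012002000170 system notification-0025(traffic): start_time="2001-04-29 16:49:02" duration=12 policy_id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Tunnel(VPN_303) sent=204 rcvd=204 src=192.168.10.10 dst=10.10.10.1 icmp type=8',
]

if __name__ == "__main__":
    entries = parse_all(SAMPLE_TRAFFIC)
    print(denied_flows(entries))
    print(bytes_by_policy(entries))
```

Keying the field dict by the exact key text in the log (including the space in src zone) keeps the parsed record faithful to the table above; renaming keys is better done at the point where the record is exported to a database or SIEM.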
Messages

This section contains a compendium of all the NetScreen messages. Each message text description includes an explanation of its meaning, and (when appropriate), a recommended action. The messages are grouped by message type, and then within that type by severity level, from the most severe to the least.

All messages reporting an administrative action include the location from which that action has been made: either from the console, from an admin’s host IP address via SCS, Telnet, or the Web, or from the LCD display (NetScreen-500). When devices are used in a redundant cluster for high availability, the message also states whether the action occurred on a master or backup unit. Note that because the part of a message stating the source of an action is the same in all such messages, it is not included in the messages listed here. For more information, see “Admin Information” on page xi.

• “Address” on page 2

• “Admin” on page 5

• “Auth” on page 22

• “BGP” on page 27

• “Clock” on page 31

• “Device” on page 33

• “DHCP” on page 36

• “DIP” on page 42

• “DNS” on page 43

• “Firewall” on page 46

• “Global” on page 66

• “High Availability” on page 71

• “IKE” on page 95

• “Interface” on page 120

• “L2TP” on page 125

• “Link Status” on page 127

• “Logs” on page 128

• “MIP” on page 130

• “NACN” on page 131

• “OSPF” on page 137

• “PKI” on page 142

• “PPPoE” on page 199

• “Policies” on page 204

• “Routes” on page 206

• “Schedule” on page 213

• “SCS” on page 214

• “Services” on page 226

• “SNMP” on page 228

• “Software Key” on page 237

• “SSL” on page 238

• “Syslog and WebTrends” on page 244

• “System” on page 248

• “Traffic Shaping” on page 249

• “Users” on page 250

• “VIP” on page 251

• “Virtual Systems” on page 254

• “VLANs” on page 256

• “VPNs” on page 258

• “Zones” on page 264

• “Traffic Log Messages” on page 266

Address

These messages relate to the creation, modification, and removal of addresses.

Message { arp req | arp reply }, detect IP conflict (<ip_addr>), mac <mac_addr> on interface <interface>

Meaning An ARP request (or reply) reveals that the specified NetScreen device interface uses the same IP address as another network device, which creates a conflict.

Action Change the IP address of one of the devices.

Message Address <mbr_name> for { ip address <ip_addr> | domain address <dom_name> } in zone <zone> has been { added | deleted | modified }

Meaning An admin has added, deleted, or modified the address book entry (<mbr_name>) with the specified IP address (or domain name) in the security zone.

Action No recommended action

Message Address group <grp_name> has { added | deleted } member <mbr_name>

Meaning An admin has added (or deleted) the address (<mbr_name>) in the address group (<grp_name>).

Action No recommended action

Message Address group <grp_name> has been { added | deleted }

Meaning An admin has added, modified, or deleted an address group (<grp_name>).

Action No recommended action

Message Address group <grp_name> comments have been modified

Meaning An admin has modified the comment for the address group (<grp_name>).

Action No recommended action

Message Address group <grp_name1> group name has been changed to <grp_name2>

Meaning An admin has assigned a new name (<grp_name2>) to an existing address group (<grp_name1>).

Action No recommended action

Message Address group <grp_name> has been { added | deleted | modified }

Meaning An admin added, deleted, or modified the specified address group (<grp_name>).

Action No recommended action

Message Address <name_str> for ip address <ip_addr> in zone <zone> has been { added | deleted | modified }

Meaning An admin added, deleted, or modified an address book entry (<name_str>) from the specified zone.

Action No recommended action

Message arp entry <ip_addr> interface changed!

Meaning The interface mapped to the Address Resolution Protocol (ARP) service changed to another interface, thus creating the possibility of future ARP errors.

Action Map ARP to the correct interface.

Message arp entry <ip_addr> interface changed old <interface1> new <interface2>!

Meaning The interface mapped to the Address Resolution Protocol (ARP) service changed from <interface1> to <interface2>. This could cause future ARP errors.

Action Map ARP to the correct interface.

Admin

These messages relate to the administration of the NetScreen device.

Message Device Reset (Asset Recovery) has been { performed | aborted }

Meaning An admin performed an asset recovery operation (or aborted one). An asset recovery returns the ScreenOS to its factory default settings.

Action After successfully performing the asset recovery operation, an admin must reconfigure the NetScreen device.

Message Multiple login failures occurred for user <usr_str>

Meaning The user <usr_str> has made three unsuccessful login attempts. (After three failed login attempts, the NetScreen device automatically terminates the connection.)

Action No recommended action

Message [ Vsys ] Admin User <name_str> has logged { on | out } via { Telnet | SCS | console }

Meaning An admin (<name_str>) has logged on or out, with a console connection, a SCS session, or a Telnet session.

Action No recommended action

Message [ Vsys ] Admin User “<name_str>” logged in for Web({ http | https }) management (port <port_num1>)

Meaning An admin <name_str> has logged on to the WebUI at the specified port number using HTTP or HTTPS from the specified IP address and port number.

Action No recommended action

Message Management session via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> } for [ vsys ] admin <name_str> timed out

Meaning The management session (established via the console, Telnet, or SCS by the named admin) has expired.

Action No recommended action

Message Login attempt to system by admin <name_str> via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> } has failed.

Meaning An attempt to log in to the NetScreen system by the named admin via the console, Telnet, or SCS has failed.

Action No recommended action

Message [ Vsys ] Admin User %s has logged out via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> }

Meaning The general admin logged out of the NetScreen device from a console, Telnet, or SCS session.

Action No recommended action

Message The session limit threshold has been set to <number> on zone <zone>.

Meaning An admin has set a session limit threshold to <number> minutes on the security zone <zone>.

Action No recommended action

Message Admin user <name_str> login attempt for Web{ https | http } management (port <number>) from <ip_addr>:<port_num> failed.

Meaning The named admin failed to log on to the WebUI using HTTP or HTTPS from the specified IP address and port number.

Action No recommended action

Message Admin user <name_str> attempt access to <name_str> illegal from Web{ https | http } management (port <number>) from <ip_addr>:<port_num>.
Meaning The named admin attempted an access to <name_str> that is not permitted, using HTTP or HTTPS from the specified IP address and port number.
Action No recommended action

Message ScreenOS <string> serial # <id_num>: Asset recovery has been aborted.
Meaning An admin has aborted an asset recovery operation for the specified ScreenOS version (<string>) on a NetScreen device with the specified serial number.
Action No recommended action

Notification

Message System configuration has been erased.
Meaning An admin has erased the system configuration. This may be due to a successful asset recovery executed via a console connection, or successful execution of the unset all command.
Action The system configuration must be reconfigured.

Message Management restriction for <ip_addr> subnet <mask> has been { added | removed }
Meaning An admin has either restricted management access to admins logging in from the specified IP address or subnet, or removed such a restriction. If the restriction is removed, admins can manage the NetScreen device from any IP address. This is the default setting.
Action No recommended action for an added restriction. If a restriction was removed, confirm that the action was appropriate, and performed by an authorized admin.

Message Management restriction from all IPs and subnets has been removed
Meaning An admin has removed all restrictions on accessing the NetScreen device. Admins can administer the NetScreen device from any IP address.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message System IP has been changed from <ip_addr1> to <ip_addr2>
Meaning An admin has changed the system IP address.
Action No recommended action

Message { SCS | Telnet } port has been changed from <port_num1> to <port_num2>
Meaning An admin has changed the number (<port_num1> to <port_num2>) of the port used for managing the device via SCS or Telnet.
Action No recommended action

Message HTTP port has been changed from <port_num1> to <port_num2>
Meaning An admin has changed the number (<port_num1> to <port_num2>) of the port used for managing the device via HTTP.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message SSL port changed from <port_num1> to <port_num2>
Meaning An admin has changed the number (<port_num1> to <port_num2>) of the port used for managing the device via SSL.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message { Root admin | Vsys admin } { password | name } has been changed by admin <name_str>
Meaning Either of the following events has occurred:
• The root admin has changed the root password or user name, or the password or user name of any other admin.
• A vsys read/write admin has changed the vsys admin password.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Admin user <name_str> password has been changed
Meaning The password of the named admin user has changed.
Action No recommended action

Message Vsys admin user <name_str> is modified
Meaning The root admin has added the named vsys admin user, modified the user’s administrative privileges, or deleted the user.
Action No recommended action

Message Admin user <name_str> has been { added | modified | deleted }
Meaning The root admin has added the named admin user, modified the user’s administrative privileges, or deleted the user.
Action No recommended action

Message Web Admin Authentication idle timeout value has been changed from <number1> to <number2> minutes
Meaning An admin has changed the management idle timeout value from <number1> minutes to <number2> minutes. If there is no activity for this period of time, the management session terminates.
Action No recommended action

Message Unexpected error from email server(state=<id_num>):
Meaning An email server generated an error condition with the specified ID number.
Action Contact NetScreen.

Message E-mail notification has been { enabled | disabled }.
Meaning An admin has enabled or disabled e-mail notification of event alarms.
Action No recommended action

Message Mail server { IP address | domain name } has been changed.
Meaning An admin has changed the IP address or domain name of the SMTP server used for sending e-mail event alarm notifications.
Action No recommended action

Message E-mail address { 1 | 2 } has been changed.
Meaning An admin has changed the primary or secondary e-mail address to which the NetScreen device sends event alarm notifications.
Action No recommended action

Message Inclusion of traffic logs with e-mail notification of event alarms has been { enabled | disabled }.
Meaning An admin has enabled or disabled the inclusion of traffic logs with e-mail event alarm notifications.
Action No recommended action

Message LCD control keys have been locked.
Meaning An admin has locked the LCD control keys on a NetScreen device.
Action No recommended action

Message LCD display has been turned off and the LCD control keys have been locked.
Meaning An admin has locked the LCD control keys and turned off the LCD display on a NetScreen device.
Action No recommended action

Message LCD display has been turned on.
Meaning An admin has turned on the LCD display on a NetScreen device.
Action No recommended action

Message LCD display has been turned on and the LCD control keys have been unlocked.
Meaning An admin has turned on the LCD display and unlocked the LCD control keys on a NetScreen device.
Action No recommended action

Message The console timeout value changed from <number1> to <number2> of minutes.
Meaning An admin has changed the console idle timeout value. If there is no activity for this period of time, the console session terminates.
Action No recommended action

Message The console page size changed from <number1> to <number2>.
Meaning The number of lines displayed per page on the console has changed.
Action No recommended action

Information

Message The local console has been { enabled | disabled }.
Meaning An admin has enabled (or disabled) local console connectivity.
Action No recommended action

Message The console debug buffer has been { enabled | disabled }.
Meaning An admin has enabled (or disabled) the console debug buffer.
Action No recommended action

Message All System Config saved by admin <name_str>
Meaning An admin just saved the system configuration to flash memory.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message System Config from flash to slot - <string> by admin <name_str>
Meaning An admin just copied the system configuration from flash memory to a file on the memory card.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message The system configuration was loaded from the slot by admin <name_str>
Meaning An admin just loaded a saved system configuration from a file on the memory card into RAM.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message System Config load from <ip_addr> (file <filename>) by admin <name_str>
Meaning An admin just loaded a saved system configuration from a file (<filename>) on a TFTP server (<ip_addr>) into RAM.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message System Config load from <ip_addr> (file <filename>) to slot - <string> by admin <name_str>
Meaning An admin just copied a saved system configuration from a file (<filename>) on a TFTP server (<ip_addr>) to a memory card in a slot (<string>).
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Save configuration to <ip_addr> (file: <filename>) by admin <name_str>
Meaning An admin just saved the current configuration to a file (<filename>) on a TFTP server (<ip_addr>).
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Get new software from flash to slot (file: <filename>) by admin <name_str>
Meaning An admin just saved the ScreenOS image from flash memory to a file (<filename>) on the memory card in the slot.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Save new software from slot (file: <filename>) to flash by admin <name_str>
Meaning An admin just copied a ScreenOS image from a file (<filename>) on a memory card to flash memory.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Save new software from <ip_addr> (file: <filename>) to flash by admin <name_str>
Meaning An admin just copied a ScreenOS image from a file (<filename>) on a TFTP server (<ip_addr>) to flash memory.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Get new software from <ip_addr> (file: <filename1>) to slot (file: <filename2>) by admin <name_str>
Meaning An admin just loaded a ScreenOS image from a file (<filename1>) on a TFTP server (<ip_addr>) to a file (<filename2>) on a memory card.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Get new software to <ip_addr> (file: <filename>) by admin <name_str>
Meaning An admin just saved the ScreenOS image to a file (<filename>) on a TFTP server (<ip_addr>).
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Admin <name> issued command <string> to redirect output.
Meaning An admin has issued a command and redirected the command output to an external server, such as a TFTP server.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message System is operational.
Meaning The system has become initialized and is now operational.
Action No recommended action

Message The system configuration was saved by admin <name_str>
Meaning An admin (<name_str>) has saved the system configuration.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message System Config saved to filename <filename>
Meaning An admin saved the system configuration to the specified filename.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message System auto-config of file <name_str> from TFTP server <ip_addr> has been loaded successfully
Meaning The NetScreen device has successfully loaded the specified configuration file from the TFTP server.
Action No recommended action

Message System auto-config of file <name_str> from TFTP server <ip_addr> has failed.
Meaning The NetScreen device attempted to load the named configuration file from the specified TFTP server and failed.
Action Verify that the TFTP server is operational and that the IP address is correct.

Message New GMT zone: <number> seconds
Meaning An admin set the time zone by specifying the number of seconds by which the local time is ahead of or behind Greenwich Mean Time (GMT).
Action No recommended action
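Most of the ADMIN notifications above carry the action "Confirm that the action was appropriate, and performed by an authorized admin". The following is an added example, not code from the guide or from NetScreen, of how that confirmation can be automated: each regex is derived from a message template on this page, and events that widen management exposure (all restrictions removed, configuration erased) or that pull a configuration or image from an untrusted TFTP server are marked "high". The line layout (an ISO timestamp followed by the message text), the event names, the allow-list and the sample log lines are all constructed for the example; ScreenOS's own syslog framing is not reproduced here.

```python
"""Change-audit over ScreenOS ADMIN event messages (added example)."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Regexes derived from the message templates on this page. Placeholders such
# as <name_str> and <ip_addr> become named groups. The dict keys are this
# example's own labels, not ScreenOS identifiers.
RULES = {
    "mgmt_restriction_removed_all": re.compile(
        r"Management restriction from all IPs and subnets has been removed"),
    "mgmt_restriction_changed": re.compile(
        r"Management restriction for (?P<ip>\S+) subnet (?P<mask>\S+) "
        r"has been (?P<action>added|removed)"),
    "admin_cred_changed": re.compile(
        r"(?P<scope>Root admin|Vsys admin) (?P<what>password|name) "
        r"has been changed by admin (?P<admin>\S+)"),
    "mgmt_port_changed": re.compile(
        r"(?P<svc>SCS|Telnet|HTTP|SSL) port (?:has been )?changed "
        r"from (?P<old>\d+) to (?P<new>\d+)"),
    "config_loaded_tftp": re.compile(
        r"System Config load from (?P<ip>\S+) \(file (?P<file>[^)]+)\) "
        r"by admin (?P<admin>\S+)"),
    "image_loaded_tftp": re.compile(
        r"Save new software from (?P<ip>\S+) \(file: (?P<file>[^)]+)\) "
        r"to flash by admin (?P<admin>\S+)"),
    "output_redirected": re.compile(
        r"Admin (?P<admin>\S+) issued command (?P<cmd>.+) to redirect output"),
    "config_erased": re.compile(r"System configuration has been erased"),
}

# Constructed allow-list: TFTP servers from which config/image loads are expected.
TRUSTED_TFTP = {"10.0.0.5"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'YYYY-MM-DD HH:MM:SS <message>' (a constructed layout, not the
    ScreenOS syslog format) and match the message against RULES."""
    try:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    msg = line[20:]
    for name, rx in RULES.items():
        m = rx.search(msg)
        if m:
            ev = {"time": ts.isoformat(), "event": name, "message": msg}
            ev.update(m.groupdict())
            return ev
    return None


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per recognised event with a review priority:
    'high' for exposure-widening changes and loads from untrusted servers,
    'confirm' for everything else the guide says to confirm."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] in ("mgmt_restriction_removed_all", "config_erased"):
            prio = "high"
        elif ev["event"] == "mgmt_restriction_changed":
            prio = "high" if ev["action"] == "removed" else "confirm"
        elif ev["event"] in ("config_loaded_tftp", "image_loaded_tftp"):
            prio = "confirm" if ev["ip"] in TRUSTED_TFTP else "high"
        else:
            prio = "confirm"
        findings.append({"priority": prio, **ev})
    return findings


# Constructed sample lines using the message texts from this page.
SAMPLE_LOG = [
    "2004-03-01 09:12:01 Admin User netscreen has logged on via Telnet",
    "2004-03-01 09:12:40 Management restriction from all IPs and subnets has been removed",
    "2004-03-01 09:13:05 Telnet port has been changed from 23 to 2023",
    "2004-03-01 09:13:30 System Config load from 192.0.2.77 (file ns.cfg) by admin netscreen",
    "2004-03-01 09:14:02 Save new software from 10.0.0.5 (file: ns25.3.1.0r1) to flash by admin netscreen",
    "2004-03-01 09:14:50 Root admin password has been changed by admin netscreen",
    "2004-03-01 09:15:11 Admin netscreen issued command get config to redirect output",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["priority"], f["time"], f["event"], f["message"])
```

The logon line is deliberately left unmatched: ordinary logons are Warning-level housekeeping, and the point of the audit is the short list of changes that need a human to say "yes, that was me".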

Message The Daylight Saving Time ended
Meaning Daylight saving time has ended. The NetScreen device automatically reverts to standard time if the option was previously set.
Action No recommended action

Message The Daylight Saving Time started
Meaning Daylight saving time has started. The NetScreen device automatically adjusts to daylight saving time if the option was previously set.
Action No recommended action

Message System log was reviewed
Meaning An admin viewed the system log.
Action No recommended action

Message Event log was reviewed
Meaning An admin viewed the event log.
Action No recommended action


Message Asset-recovery log was reviewed

Meaning An admin viewed the asset-recovery log.

Action No recommended action

Message Self log was reviewed

Meaning An admin viewed the self log.

Action No recommended action

Message Traffic log was reviewed

Meaning An admin viewed the traffic log.

Action No recommended action

Message Alarm log was reviewed

Meaning An admin viewed the alarm log.

Action No recommended action

AUTH

The following messages relate to user authentication.

Alert

Message Multiple authentication failures have been detected!
Meaning The NetScreen device has detected multiple failed authentication attempts. (This message may include the user name and the source IP address.)
Action An unauthorized party might be trying to access the NetScreen device. Research the owner of the source IP address and the user name to determine the cause of the multiple authentication failures. If they appear suspicious, notify your network security officer (NSO).

Warning

Message User <usr_str> at <ip_addr1> must enter “Next Code” for SecurID <ip_addr2>
Meaning The user at the specified IP address must enter the next token code from his or her SecurID card to authenticate with the SecurID server at the specified IP address.
Action No recommended action
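The "Multiple authentication failures" alert above and the ADMIN "Multiple login failures" message earlier both fire on a fixed count per user. The action ("research the owner of the source IP address and the user name") is easier when the failures are first correlated by source, so that a password spray (one source, many user names) and a single-account brute force look different. The following is an added example, not NetScreen code, of that correlation over a sliding time window; it matches the failed-login and WebAuth-rejection message texts listed on these pages, and the log-line layout, threshold, window and sample lines are constructed for the example.

```python
"""Sliding-window correlation of failed authentications by source (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Patterns derived from the message templates on this page. Console failures
# carry no source address, so the ip group is optional.
FAILURE_PATTERNS = [
    # Login attempt to system by admin <name_str> via { the console |
    # Telnet from <ip>:<port> | SCS from <ip>:<port> } has failed.
    re.compile(r"Login attempt to system by admin (?P<user>\S+) via "
               r"(?:the console|(?:Telnet|SCS) from (?P<ip>[\d.]+):\d+) has failed"),
    # Admin user <name_str> login attempt for Web{ https | http } management
    # (port <number>) from <ip_addr>:<port_num> failed.
    re.compile(r"Admin user (?P<user>\S+) login attempt for Web(?:https|http) "
               r"management \(port \d+\) from (?P<ip>[\d.]+):\d+ failed"),
    # WebAuth user <name_str> at <ip_addr1> has been rejected via the <string>
    # server at <ip_addr2>
    re.compile(r"WebAuth user (?P<user>\S+) at (?P<ip>[\d.]+) has been rejected"),
]


def extract_failure(line):
    """Return (timestamp, user, source) for a failed-auth line, else None.
    Lines use a constructed 'YYYY-MM-DD HH:MM:SS <message>' layout; a console
    failure is reported with the source 'console'."""
    try:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    for rx in FAILURE_PATTERNS:
        m = rx.search(line[20:])
        if m:
            return ts, m.group("user"), m.group("ip") or "console"
    return None


def correlate(lines, threshold=3, window_s=300):
    """Emit one alert per source the first time it accumulates `threshold`
    failures within `window_s` seconds. The alert lists the distinct user
    names tried, so a spray (many users, one source) is visible at a glance."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for line in lines:
        f = extract_failure(line)
        if f is None:
            continue
        ts, user, source = f
        q = recent[source]
        q.append((ts, user))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and source not in alerted:
            alerted.add(source)
            alerts.append({"source": source, "count": len(q),
                           "users": sorted({u for _, u in q}),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


# Constructed sample lines using the message texts from this guide.
SAMPLE_LOG = [
    "2004-03-01 02:10:05 Login attempt to system by admin netscreen via Telnet from 198.51.100.9:40211 has failed.",
    "2004-03-01 02:10:09 Login attempt to system by admin root via Telnet from 198.51.100.9:40212 has failed.",
    "2004-03-01 02:10:14 Admin user admin login attempt for Webhttps management (port 443) from 198.51.100.9:40213 failed.",
    "2004-03-01 02:11:00 WebAuth user jdoe at 10.1.1.20 has been rejected via the RADIUS server at 10.0.0.9",
    "2004-03-01 02:30:00 Login attempt to system by admin netscreen via the console has failed.",
    "2004-03-01 02:31:00 Admin User netscreen has logged on via console",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["source"], a["count"], "failures, users tried:", ", ".join(a["users"]))
```

Three different admin names from one address inside ten seconds is the spray case; the single WebAuth rejection and the console failure stay below the threshold and are not alerted.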

Message Local authentication for user <usr_str> was { denied | successful }.
Meaning An authentication attempt by the user against the local user database was either successful or denied.
Action No recommended action

Message WebAuth user <name_str> at <ip_addr1> has been { accepted | rejected/timedout } via the <string> server at <ip_addr2>
Meaning The user at the specified IP address has been accepted or rejected by the specified WebAuth authentication server, or the request to that server timed out.
Action No recommended action

Message Local authentication for WebAuth user <usr_str> was { denied | successful }
Meaning Local authentication of the WebAuth user (<usr_str>) was either successful or denied.
Action No recommended action

Message Error in authentication for WebAuth user <usr_str>
Meaning The user (<usr_str>) attempted authentication via the WebAuth authentication server, but encountered an error condition.
Action No recommended action

Warning

Message Admin user <name_str> has been { accepted | rejected } via the RADIUS server at <ip_addr>
Meaning The named admin user has been accepted or rejected by the specified RADIUS server.
Action No recommended action

Message User <name_str> at <ip_addr> { RADIUS | SecurID | LDAP | Local } authentication attempt has timed out
Meaning The NetScreen device could not make a network connection to the RADIUS, SecurID, LDAP, or Local server to authenticate a user, and the attempt has timed out.
Action Check the network cable connection, the IP address of the authentication server entered on the NetScreen device, and the authentication settings on both the NetScreen device and the authentication server.

Information

Message User <usr_str> at <ip_addr1> must enter the “New PIN” for SecurID <ip_addr2>
Meaning The user at the specified IP address must enter the new PIN to authenticate with the SecurID server at the specified IP address.
Action No recommended action

Message User <usr_str> at <ip_addr1> must make a “New PIN” choice for SecurID <ip_addr2>
Meaning The user at IP address <ip_addr1> must create a new user-generated PIN, use a new system-generated PIN, or quit the session. The SecurID server is at IP address <ip_addr2>.
Action No recommended action

Message User <usr_str> at <ip_addr1> has selected a system-generated PIN for authentication with SecurID <ip_addr2>
Meaning The specified user has requested a system-generated New PIN from the SecurID server.
Action No recommended action

Message The new PIN for user <usr_str> at <ip_addr1> has been { accepted | rejected } by SecurID <ip_addr2>.
Meaning The SecurID server at the specified IP address has accepted or rejected the specified user’s new PIN.
Action No recommended action

Message The device cannot contact the SecurID server
Meaning The NetScreen device cannot make a network connection to the SecurID server.
Action Check that the network and authentication settings on both the NetScreen device and the SecurID server are correctly configured, and that the SecurID server has an active physical network connection.

Message The device cannot send data to the SecurID server
Meaning The device cannot send material to the SecurID server because the server does not recognize the device.
Action Check that the SecurID server is configured to accept requests from the NetScreen device.

BGP

The following messages relate to the Border Gateway Protocol (BGP) used for dynamic routing.

Notification

Message BGP instance in virtual router <vrouter> was removed from the device
Meaning An admin removed a BGP routing instance from the device.
Action No recommended action

Message BGP instance in virtual router <vrouter> was created
Meaning An admin created a BGP routing instance.
Action No recommended action

Message BGP peer: <ip_addr> changed to Established state
Meaning The BGP session with the peer at the specified IP address has reached the Established state, in which the two speakers exchange routing updates.
Action No recommended action

Message BGP peer: <ip_addr> changed to Idle state
Meaning The BGP session with the peer at the specified IP address changed from a connected state to the Idle state. In the Idle state, no connection to the peer is established and no routes are exchanged with it.
Action No recommended action

Message BGP peer: <ip_addr> is enabled
Meaning An admin enabled the BGP peer that uses the specified address.
Action No recommended action

Message BGP peer: <ip_addr> is disabled
Meaning An admin disabled the BGP peer that uses the specified address.
Action No recommended action

Message { Message Header Error | Open Message Error | Update Message Error }
Meaning A BGP message error occurred that was the result of a bad message header, a bad open message, or a bad update message. Each error type can result from a variety of error conditions. The following list details each condition with the message error indicated.
• Connection not Synchronized (message header)
• Bad Message Length (message header)
• Bad Message Type (message header)
• Unsupported Version Number (open message)
• Bad Peer Autonomous System (open message)
• Bad BGP Identifier (open message)
• Unsupported Optional Parameter (open message)
• Authentication Failure (open message)
• Unacceptable Hold Time (open message)
• Malformed Attribute List (update message)
• Unrecognized Well-known Attribute (update message)
• Missing Well-known Attribute (update message)
• Attribute Flags Error (update message)
• Attribute Length Error (update message)
• Invalid Origin Attribute (update message)
• Autonomous System Routing Loop (update message)
• Invalid NextHop Attribute (update message)
• Optional Attribute Error (update message)
• Invalid Network Field (update message)
• Malformed AS_PATH (update message)
Action No recommended action

Message Received notification Invalid Error code from notification message
Meaning The system received a NOTIFICATION message from a peer carrying an error code it does not recognize.
Action Report the problem to NetScreen.
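The error conditions listed above are the error code and subcode values carried in a BGP NOTIFICATION message (RFC 1771 section 4.5, kept in RFC 4271), and the "Invalid Error code" message is what the device logs when the code field is outside the defined set. As an added example, not NetScreen code, the following decodes a NOTIFICATION from its wire format into the names used in the list above, and builds test messages so it can be exercised offline. Error codes 4 through 6 come from the RFC for completeness; the ScreenOS message above names only the first three.

```python
"""Decode BGP NOTIFICATION messages into the error names listed above (added example)."""
import struct

# Error codes and subcodes per RFC 1771 / RFC 4271 section 4.5; the names
# match the list on this page.
ERROR_CODES = {1: "Message Header Error", 2: "Open Message Error",
               3: "Update Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
SUBCODES = {
    1: {1: "Connection not Synchronized", 2: "Bad Message Length",
        3: "Bad Message Type"},
    2: {1: "Unsupported Version Number", 2: "Bad Peer Autonomous System",
        3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
        5: "Authentication Failure", 6: "Unacceptable Hold Time"},
    3: {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
        3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
        5: "Attribute Length Error", 6: "Invalid Origin Attribute",
        7: "Autonomous System Routing Loop", 8: "Invalid NextHop Attribute",
        9: "Optional Attribute Error", 10: "Invalid Network Field",
        11: "Malformed AS_PATH"},
}
MARKER = b"\xff" * 16      # all-ones marker used when no authentication is in use
NOTIFICATION = 3           # BGP message type


def build_notification(code, subcode, data=b""):
    """Assemble a wire-format NOTIFICATION: 16-byte marker, 2-byte total
    length, 1-byte type, then error code, error subcode and optional data."""
    body = bytes([code, subcode]) + data
    return MARKER + struct.pack("!HB", 19 + len(body), NOTIFICATION) + body


def decode_notification(msg):
    """Return a dict describing the NOTIFICATION, or raise ValueError if the
    bytes are not a well-formed NOTIFICATION. An undefined error code is
    reported as 'Invalid Error code' rather than guessed, which is the
    condition the log message above corresponds to."""
    if len(msg) < 21 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != NOTIFICATION or length != len(msg) or length < 21:
        raise ValueError("not a well-formed NOTIFICATION")
    code, subcode, data = msg[19], msg[20], msg[21:]
    if code not in ERROR_CODES:
        return {"code": code, "subcode": subcode, "error": None,
                "detail": "Invalid Error code", "data": data}
    detail = SUBCODES.get(code, {}).get(subcode)
    if detail is None:
        # Subcode 0 is the RFC's "unspecific" value; anything else is unknown.
        detail = "Unspecific" if subcode == 0 else "unknown subcode %d" % subcode
    return {"code": code, "subcode": subcode, "error": ERROR_CODES[code],
            "detail": detail, "data": data}


if __name__ == "__main__":
    # Constructed example: peer rejects an UPDATE with a malformed AS_PATH
    # and echoes the attribute type code (2) in the data field.
    sample = build_notification(3, 11, b"\x02")
    print(decode_notification(sample))
```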

Message BGP instance <name_str> created for vr <vrouter>
Meaning An admin successfully created a BGP routing instance for the specified virtual router.
Action No recommended action

Message BGP instance deleted for vr <vrouter>
Meaning An admin successfully removed the BGP routing instance for the specified virtual router.
Action No recommended action

Message BGP peer: <ip_addr> created
Meaning An admin successfully created a peer with the specified address for the current BGP routing instance.
Action No recommended action

Message BGP peer: <ip_addr> deleted
Meaning An admin successfully removed the peer that used the specified address. The removed peer belonged to the current BGP routing instance.
Action No recommended action

CLOCK

The following messages relate to the system clock.

Notification

Message System clock configurations have been changed by admin <name_str>
Meaning An admin has changed the configuration for the system clock.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message The system clock has been updated through NTP.
Meaning The NetScreen system clock has used Network Time Protocol (NTP) to update itself automatically.
Action No recommended action

Message NTP settings have been changed
Meaning An admin has changed at least one of the Network Time Protocol (NTP) settings.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message failed to get clock through NTP
Meaning An admin has made an unsuccessful attempt to capture the current clock setting using NTP.
Action No recommended action. If the failure repeats, verify the NTP settings and that the NTP server is reachable.

Message New system time: <number>
Meaning An admin set the system time with the set clock command.
Action No recommended action

Message system clock is changed manually
Meaning An admin changed the NetScreen device’s clock, either by synchronizing it with the clock of the management client or by setting it through the CLI.
Action No recommended action

DEVICE

The following messages relate to the physical hardware components of the NetScreen device.

Critical

Message At least one power supply is not functioning properly
Meaning At least one power supply is incorrectly seated, is unplugged, or is malfunctioning in some other way.
Action Check to see if the power supplies are fully seated, that the power cords are plugged in to both power supplies and plugged in to active power sources, and that the power cords are undamaged. If the problem persists, replace the faulty power supply.

Message The { primary | secondary } power supply is not functioning properly
Meaning The primary or secondary power supply is incorrectly seated, unplugged, or malfunctioning in some other way.
Action Check to see if the specified power supply is fully seated, that the power cord is plugged in to both the power supply and an active power source, and that the power cord is undamaged. If the problem persists, replace the power supply.

Message At least one fan is not functioning properly
Meaning At least one fan assembly is incorrectly seated, or malfunctioning in some other way.
Action First check that the fan assembly is properly in place and that nothing is restricting air flow to the fans. If the problem persists, replace the fan assembly.

Message The system temperature (<number1>° C, <number2>° F) is too high.
Meaning The system temperature has exceeded the alarm threshold.
Action First check that the fan assembly is functioning properly. If it is functioning properly, check that nothing is restricting air flow to the fans. If it is not functioning properly, check that the fan assembly is correctly seated. If the problem persists, replace the fan assembly.
Also, remove power from the device and wait until it cools. After it reaches an acceptable temperature range, reconnect the device to a power source and evaluate device components (such as the CPU board) to see if it runs too hot. Report your findings to the network admin.

Message The { primary | secondary } power supply is now functioning properly.
Meaning The specified power supply, which had malfunctioned, has returned to normal operation.
Action No recommended action

Message All fans are now functioning properly.
Meaning At least one fan that had malfunctioned has returned to normal operation.
Action No recommended action

Message All power supplies are functioning properly now.
Meaning At least one power supply that had malfunctioned has returned to normal operation.
Action No recommended action

Message The auxiliary board has been pulled out or otherwise made inactive
Meaning The admin has pulled out the auxiliary board.
Action No recommended action

Message The board in slot <number>, has been pulled out or otherwise made inactive
Meaning The admin has pulled out the module in the specified slot.
Action No recommended action

Message System CPU utilization is high (<number1> alarm threshold:<number2>) <number3> times in 1 minute
Meaning CPU utilization (<number1>) has exceeded the configured alarm threshold (<number2>) <number3> times within one minute.
Action If the alarm threshold was set too low, increase it.

DHCP

The following messages relate to Dynamic Host Configuration Protocol (DHCP). Some NetScreen devices can act as a DHCP server or relay agent. Some NetScreen devices can also act as a DHCP client. The following messages are divided into two sections: the first is for DHCP server and relay agent messages; the second is for DHCP client messages.

DHCP Server and Relay Agent

Critical

Message The DHCP process cannot open file <filename> to { read | write } data.
Meaning The Dynamic Host Configuration Protocol (DHCP) process cannot open the specified file to read or write IP address data.
Action Try running DHCP again.

Message DHCP file write: out of memory.
Meaning The Dynamic Host Configuration Protocol (DHCP) process cannot store IP address information to a file because the server on which the DHCP process runs is out of memory.
Action Try freeing up some memory on the server on which the DHCP process runs.

Notification

Message DHCP server shared IP has been enabled
Meaning An admin has enabled a reserved IP address to be assigned dynamically when it is not being used by the registered MAC address.
Action No recommended action

Message DHCP server has been { enabled | disabled }
Meaning An admin has either enabled or disabled the NetScreen device to act as a DHCP server.
Action No recommended action

Message DHCP server option have been { changed | removed }
Meaning An admin has changed or removed one or more of the DHCP options that were set, for example the IP addresses of the DNS servers, the gateway IP address, or the lease period.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Message DHCP relay agent settings have been changed
Meaning The NetScreen device has been configured to function as a DHCP relay agent. An admin has changed or removed one or more of the DHCP settings.
Action Confirm that the action was appropriate, and performed by an authorized admin.

Information

Message The DHCP server IP address pool has changed.
Meaning The NetScreen device, acting as a DHCP server, has offered, committed, or freed at least one IP address in its DHCP address pool.
Action No recommended action

Message One or more DHCP-assigned IP addresses have been manually released.
Meaning An admin has manually released an IP address that the NetScreen device had assigned to a DHCP client. (The client then automatically requests another IP address.)
Action No recommended action

Message A DHCP-assigned IP address <ip_addr> has been { assigned to <mac_addr1> | freed from <mac_addr2> }.
Meaning The NetScreen device, acting as a DHCP server, has either assigned or freed an IP address for a DHCP client with the specified MAC address.
Action No recommended action

Message MAC address <mac_addr> has detected an IP conflict and has declined address <ip_addr>.
Meaning The DHCP client has detected an IP address conflict and has declined the specified address. (After a DHCP client has been offered an IP address and before it accepts it, the client checks if there is any other host using the same address. If the client does not find a conflict, it accepts the address. If it does find a conflict, it rejects it.)
Action No recommended action

Message DHCP server has assigned or released an IP address.
Meaning The NetScreen device, acting as a DHCP server, has either assigned or released an IP address.
Action No recommended action

DHCP Client

Information

Message DHCP client lease for <ip_addr> has expired
Meaning The specified DHCP client IP address is no longer valid. (The NetScreen device automatically requests another IP address from the DHCP server.)
Action No recommended action

Message DHCP server <ip_addr> has assigned the untrust interface <interface> with lease <number>.
Meaning The specified DHCP server has assigned an IP address to the named interface for the specified length of time.
Action No recommended action

Message An IP conflict has been detected and the DHCP client has declined address <ip_addr>.
Meaning The DHCP client has detected an IP address conflict and has declined the specified address. (After a DHCP client has been offered an IP address and before it accepts it, the client checks if there is any other host using the same address. If the client does not find a conflict, it accepts the address. If it does find a conflict, it rejects it.)
Action No recommended action

Message DHCP client IP <ip_addr> for the interface <interface> has been manually released.

Meaning An admin has manually released the specified IP address assigned to the named interface acting as a DHCP client.

Action No recommended action

Message DHCP client is unable to get IP address for the untrust interface.

Meaning The NetScreen device, acting as a DHCP client, requested an IP address (perhaps repeatedly) for the specified interface but did not receive one from the DHCP server.

Action If none of the requests for an IP address from the DHCP server are successful, check the DHCP client settings on the NetScreen device and the settings on the DHCP server.

Message System auto-config of file <filename> from TFTP server <ip_addr> has { been loaded successfully | failed }.

Meaning The NetScreen device, acting as a DHCP client, has either automatically loaded or failed to load the specified system configuration file from the specified TFTP server.

Action No recommended action. (TFTP provides no authentication or integrity protection, so if an auto-config load was not expected, verify that the file came from the TFTP server you intended and review the loaded configuration.)

DIP

The following messages relate to dynamic IP (DIP) addresses.

Message IP pool <name_str> with range <ip_addr1>-<ip_addr2> has been { created | modified | deleted }

Meaning An admin has created, modified, or deleted the DIP pool consisting of the specified range of IP addresses.

Action No recommended action

DNS

The following messages concern Domain Name System (DNS) settings.

Message Daily DNS lookup time has been changed.

Meaning An admin has changed the time when the NetScreen device performs the daily DNS lookup, resolving domain names with IP addresses in its DNS table.

Action No recommended action

Message Daily DNS lookup has been disabled.

Meaning An admin has disabled the automatic daily lookup of entries in the DNS table.

Action To refresh the DNS table, an admin must manually invoke the DNS lookup operation.

Message { Primary | Secondary } DNS server IP has been changed.

Meaning An admin has changed the IP address of the primary or secondary DNS server.

Action No recommended action

Message DNS cache table has been cleared.

Meaning An admin has cleared the DNS entries stored in the cache.

Action No recommended action

Message Hostname set to <name_str>

Meaning The admin set the name of the NetScreen device. The default name is based on the model of the device.

Action No recommended action

Message Domain set to <name_str>

Meaning The admin set the domain name of the NetScreen device.

Action No recommended action

Message DNS has been refreshed.

Meaning The NetScreen device has just performed a DNS lookup and refreshed its DNS table of domain-name-to-IP-address mappings. The device stores both the domain name and its IP addresses in the system cache and updates the cache with new domain name and address information as it comes into the device; a refresh re-resolves the stored names so that the cache can be checked against current DNS data.

Action No recommended action

Message DNS entries have been { manually | automatically } refreshed.

Meaning An admin has refreshed the entries in the DNS table, or the NetScreen device has refreshed the entries through a scheduled operation.

Action No recommended action

Message DNS entries have been refreshed by HA.

Meaning HA has refreshed the entries in the DNS table.

Action No recommended action

Firewall

The following messages concern firewall settings and reports of attacks.

Message SYN flood has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected an excessive number of SYN packets arriving at the specified interface from the specified source IP address and port, destined for the specified IP address and port, and using Transmission Control Protocol (TCP). The number indicates how many consecutive times per second the internal timer detected SYN packets in excess of the SYN attack alarm threshold.

Action First determine if a valid SYN flood attack triggered the alarm. If the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm. In that case, you might want to adjust the SYN flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message syn proxy drop packet with unknown mac!

Meaning The NetScreen device, operating in Transparent mode, detected a SYN attack and dropped a SYN packet containing an unknown MAC address.

Generally, when a NetScreen device detects a SYN attack, it proxies all TCP connection requests. However, when in Transparent mode, the device cannot proxy a TCP connection request if the destination MAC address is not in its MAC learning table. By default, a NetScreen device passes such packets. In this case, the NetScreen device dropped the SYN packet because an admin had previously configured it to do so.

Action No recommended action

Message Teardrop attack has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]

Meaning The NetScreen device has detected a Teardrop attack at the specified interface, from the specified source IP address and port, destined for the specified IP address and port, and using the specified protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number of times the attack occurred indicates how many consecutive fragmented packets per second the NetScreen device received and was unable to reassemble because of discrepant fragment sizes and offset values.

A Teardrop attack exploits the reassembly of fragmented packets, altering the offset values used when recombining fragments so that the target device cannot successfully complete the reassembly procedure. A flood of such packets can force the target device to expend all its resources on reassembling fragmented packets, causing a denial-of-service (DoS) for legitimate traffic.

Action Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message Ping of Death has been detected! From <ip_addr1> to <ip_addr2>, using protocol 1, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected an attempted Ping of Death attack at the specified interface, from the specified source IP address, destined for the specified IP address, and using the specified protocol (1, ICMP). The number of times the attack occurred indicates how many consecutive oversized ICMP echo requests (or PINGs) per second the NetScreen device received.

When encountering a Ping of Death attack, the NetScreen device detects grossly oversized ICMP packets and rejects them.

Action Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message Multiple authentication failures have been detected!

Meaning The NetScreen device has detected multiple authentication failures from the same source IP address.

Action No recommended action. (Check which account and source address the failures involve, to distinguish a mistyped password from a password-guessing attempt.)

Message WinNuke attack has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:139, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected and corrected the overlapping offset value of a NetBIOS Session Service (port 139) packet from the specified source IP address and port number, destined for the specified address, using TCP, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected tampered NetBIOS Session Service (port 139) packets.

Action Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message IP spoof has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]

Meaning The NetScreen device has detected and rejected a packet having a source IP address and arriving at an interface that conflicts with the NetScreen route table. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected incidents of spoofed IP packets.

Action If the IP spoofing continues long enough and you consider it worth the effort, contact your upstream service provider to initiate a backtracking operation, basically tracking packets with the spoofed address from router to router back to their actual source. After locating the source, investigate it to determine if it is the instigator or merely an innocent and unwitting pawn hosting a “zombie agent” controlled by another device.

Message IP Source Route has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]

Meaning The NetScreen device has detected and blocked a packet having the source route option enabled in its header. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected packets with the source route option enabled in their headers.

In IP, the source route option carries a list of hops that the packet, and the reply to it, must traverse, overriding the normal routing decision. An attacker can use it to steer replies to a packet with a spoofed source address back along a path the attacker controls, which is why the NetScreen device rejects any packets with this option enabled.

Action Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message Land attack has been detected! From <ip_addr1>:<port_num> to <ip_addr2>:<port_num>, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected and blocked SYN packets whose source IP addresses have been spoofed to be the same as the destination addresses. The packets used TCP and arrived at the specified interface. The number indicates how many consecutive times per second the internal timer detected incidents of spoofed IP packets with identical source and destination IP addresses.

By combining elements of the SYN flood defense and IP Spoofing detection, the NetScreen device blocks any attempted attacks of this nature.

Action If the attack continues long enough and you consider it worth the effort, contact your upstream service provider to initiate a backtracking operation, basically tracking packets with the spoofed address from router to router back to their actual source. After discovering the source, investigate it to determine if it is the instigator or merely an innocent and unwitting pawn hosting a “zombie agent” controlled by another device.

Message ICMP flood has been detected! From <ip_addr1> to <ip_addr2>, using protocol 1, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected an excessive number of ICMP echo requests arriving at the specified interface from the specified source IP address, and destined for the specified IP address. The number indicates how many consecutive times the internal timer detected ICMP echo requests in excess of the ICMP attack alarm threshold.

Action First determine if a valid ICMP flood attack triggered the alarm. If the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm. In that case, you might want to adjust the ICMP flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message UDP flood has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol UDP, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected an excessive number of UDP packets arriving at the specified interface from the specified source IP address and port, destined for the specified IP address and port, and using User Datagram Protocol (UDP). The number indicates how many consecutive times the internal timer detected UDP packets in excess of the UDP attack alarm threshold.

Action First, determine if this was indeed a UDP flood attack by checking whether the NetScreen is processing Voice-over-IP (VoIP) or Video over IP (H.323) traffic, which can appear to the device as a flood of UDP traffic.

Second, determine if this was an attack by checking if the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server. If so, it might be a false alarm, and you might want to adjust the UDP flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message Port scan has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]

Meaning The NetScreen device has detected an excessive number of port scans arriving at the specified interface from the specified source IP address and port, destined for the specified IP address, and using the specified protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message. Also, the destination port number that appears in the message is the one in the packet that triggered the port scan detection feature.) The number indicates how many times the event was logged.

Action Investigate the source IP address. If the address belongs to a server, verify that it is not infected with a port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and resolve the issue with the owner of the address.

Note: If you enable logging on your basic inbound “deny any” policy, all inbound denied packets are logged in the logging table associated with that policy. This allows you to check for patterns of activity and more easily discern suspicious activity from innocent.

Message Address sweep has been detected! From <ip_addr1> to <ip_addr2>, using protocol 1, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected an excessive number of IP address scans arriving at the specified interface from the specified source IP address, and using the ICMP protocol (1). (Note: The destination IP address that appears in the message is the one in the packet that triggered the address sweep detection feature.) The number indicates how many consecutive times per second the internal timer detected IP addresses being scanned in excess of the address sweep alarm threshold.

Action Investigate the source IP address. If the address belongs to a server, verify that it is not infected with a port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and resolve the issue with the owner of the address.

Note: If you enable logging on your basic inbound “deny any” policy, all inbound denied packets are logged in the logging table associated with that policy. This allows you to check for patterns of activity and more easily discern suspicious activity from innocent.
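The triage the Action fields above prescribe for the SYN, ICMP and UDP flood alarms (a small number of fixed sources or a popular server suggests a false alarm; a wide range of noncontiguous sources suggests an attack) can be applied mechanically once the messages are parsed. The following is an added example and not ScreenOS code or part of the original reference. It parses the attack message formats documented on these pages (endpoints with or without port numbers, TCP, UDP or numeric protocols, both interface clauses, and the optional "[ The attack occurred N times. ]" trailer) and groups the flood alarms by target. The cut-off of three sources for "a small number", the /24 grouping used to decide "noncontiguous", and the log lines themselves are all constructed for this example.

```python
"""Parse the ScreenOS attack messages documented above and apply the triage
heuristic from their Action fields.  Added example, not ScreenOS code."""
import ipaddress
import re
from collections import defaultdict

# One pattern covers the attack messages on these pages: the endpoints are
# "<ip>" or "<ip>:<port>" (ICMP messages carry no ports), the protocol is TCP,
# UDP or a protocol number, the interface clause is "on interface" or
# "and arriving at interface", and the "[ The attack occurred N times. ]"
# trailer is optional.
ATTACK_RE = re.compile(
    r"(?P<attack>.+?) has been detected! "
    r"From (?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?,? to "
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?, using protocol "
    r"(?P<proto>TCP|UDP|\d+), (?:on|and arriving at) interface (?P<iface>\S+?)\."
    r"(?: \[ The attack occurred (?P<count>\d+) times\. \])?$"
)

FEW_SOURCES = 3  # assumed cut-off for "a small number of consistently fixed IP addresses"


def parse_attack(line):
    """Return the fields of one attack message, or None if the line is not one."""
    m = ATTACK_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "attack": f["attack"],
        "src": f["src"],
        "sport": int(f["sport"]) if f["sport"] else None,
        "dst": f["dst"],
        "dport": int(f["dport"]) if f["dport"] else None,
        "proto": f["proto"] if f["proto"] in ("TCP", "UDP") else int(f["proto"]),
        "iface": f["iface"],
        # No trailer means the device logged the event once.
        "count": int(f["count"]) if f["count"] else 1,
    }


def spans_networks(sources, prefix=24):
    """True when the sources fall into more than one /prefix network, the
    "wide range of noncontiguous IP addresses" case.  The /24 grouping is an
    assumption made for this example."""
    nets = {ipaddress.ip_network(f"{s}/{prefix}", strict=False) for s in sources}
    return len(nets) > 1


def triage(lines, busy_servers=frozenset()):
    """Group flood alarms by (attack, destination) and apply the Action
    heuristic.  busy_servers: destinations known to receive heavy legitimate
    traffic (the "popular server" case)."""
    sources_by_target = defaultdict(set)
    for line in lines:
        ev = parse_attack(line)
        if ev and ev["attack"].endswith("flood"):
            sources_by_target[(ev["attack"], ev["dst"])].add(ev["src"])
    verdicts = {}
    for target, sources in sources_by_target.items():
        if target[1] in busy_servers:
            verdicts[target] = "possible false alarm: popular server, review the alarm threshold"
        elif len(sources) <= FEW_SOURCES:
            verdicts[target] = "possible false alarm: few fixed sources, review the alarm threshold"
        elif spans_networks(sources):
            verdicts[target] = "probable attack: notify the NSO and the upstream provider"
        else:
            verdicts[target] = "many sources in one network: investigate that network first"
    return verdicts


# Constructed sample lines in the formats documented above (not real logs).
SAMPLE_LOG = [
    "SYN flood has been detected! From 10.1.1.5:4021 to 192.0.2.10:80, using protocol TCP, on interface ethernet1. [ The attack occurred 3 times. ]",
    "SYN flood has been detected! From 10.1.1.5:4022 to 192.0.2.10:80, using protocol TCP, on interface ethernet1.",
    "UDP flood has been detected! From 198.51.100.7:53 to 192.0.2.40:5060, using protocol UDP, on interface ethernet1. [ The attack occurred 1 times. ]",
    "UDP flood has been detected! From 203.0.113.9:1024 to 192.0.2.40:5060, using protocol UDP, on interface ethernet1.",
    "UDP flood has been detected! From 172.16.8.3:1025 to 192.0.2.40:5060, using protocol UDP, on interface ethernet1.",
    "UDP flood has been detected! From 10.200.1.1:1026 to 192.0.2.40:5060, using protocol UDP, on interface ethernet1.",
    "Ping of Death has been detected! From 10.2.2.2 to 192.0.2.10, using protocol 1, on interface ethernet1.",
    "Session threshold has been detected! From 10.9.9.9:1024, to 192.0.2.10:443, using protocol TCP, and arriving at interface ethernet2. [ The attack occurred 2 times. ]",
    "Hostname set to ns5xt",  # a configuration message, not an attack
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_attack(line))
    for target, verdict in triage(SAMPLE_LOG).items():
        print(target, "->", verdict)
```

Run against a real event log, the same grouping also reveals the case the Action text warns about: a single source hitting one popular server repeatedly is a threshold question, while dozens of sources across unrelated networks is an escalation.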

Message inconsistent configuration between master and slave

Meaning The configurations of the master device and the slave device differ.

Action No recommended action

Message Deny Policy Alarm

Meaning Content to come.

Action No recommended action

Message Malicious URL has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected and rejected a Hypertext Transfer Protocol (HTTP) packet with a URL containing a malicious string used to attack Web servers. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the Transmission Control Protocol (TCP), and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected packets with such malicious URL strings.

Action No recommended action

Message Session threshold has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected an excessive number of sessions from the same source IP address. The packet that triggered the alarm was destined for the specified IP address, used the specified protocol, and arrived at the specified interface. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected packets in excess of the session threshold.

Action Investigate the source IP address and check the session threshold setting. If the address belongs to a server with a high number of sessions, valid traffic from the address might exceed the threshold. In that case, you might want to adjust the threshold.

If the source address raises suspicion, check if it is infected with a port-scanning worm (which can quickly generate thousands of sessions) and notify your network security officer (NSO).

Message No tcp flag has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected a TCP packet with a missing or malformed flags field. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected TCP packets without any flags set.

Action No recommended action

Message IP bad option has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device detected a packet in which the list of IP options in the IP datagram header is incomplete or malformed. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected packets with an incomplete or malformed IP options list.

Action No recommended action

Message SYN and FIN set has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]

Meaning Both the SYN and FIN flags are not normally set in the same packet. The NetScreen device has detected a packet with both SYN and FIN flags set. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected TCP packets with both SYN and FIN flags set.

Action No recommended action

Message FIN without ACK has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]

Meaning TCP packets with the FIN flag set normally also have the ACK bit set. The NetScreen device has detected a packet in which the FIN flag is set but the ACK bit is not set in the flags field. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected TCP packets that do not have both FIN flag and ACK bit set.

Action No recommended action
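The checks behind the Land, IP Source Route, IP bad option, No tcp flag, SYN and FIN set, and FIN without ACK messages are simple header inspections. The following added example (not ScreenOS code or part of the original reference) builds constructed IPv4/TCP packets and applies those checks, returning the message names used on these pages. The option-list walk follows the IPv4 option encoding (type, length, data; EOL and NOP are single bytes) and the flag tests follow the TCP header layout; the packets are never sent, so their checksums are left zero, and the addresses and option contents are made up for the example.

```python
"""Header checks behind the Land, IP Source Route, IP bad option, No tcp flag,
SYN and FIN set, and FIN without ACK messages, run over constructed packets.
Added example, not ScreenOS code."""
import socket
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10
ALL_FLAGS = 0x3F                     # FIN SYN RST PSH ACK URG
LSRR, SSRR = 0x83, 0x89              # loose / strict source route option types
# A loose source route option with one hop: type, length, pointer, address.
LSRR_OPTION = bytes([LSRR, 7, 4]) + socket.inet_aton("10.0.0.9")


def build_packet(src, dst, sport, dport, flags, options=b""):
    """Constructed IPv4/TCP packet; checksums are left zero since it is never sent."""
    opts = options + b"\x00" * (-len(options) % 4)   # options are padded to 32 bits
    ihl = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + opts + tcp


def walk_ip_options(opts):
    """Yield the type of each IP option; raise ValueError if the list is
    incomplete or malformed (a type with no length byte, or a length that is
    below 2 or runs past the end of the header)."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            return
        if kind == 1:                 # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option type without a length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        yield kind
        i += length


def screen(packet):
    """Return the names of the screens this packet would trigger (page wording)."""
    hits = []
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    try:
        kinds = list(walk_ip_options(packet[20:ihl]))
    except ValueError:
        hits.append("IP bad option")
        kinds = []
    if LSRR in kinds or SSRR in kinds:
        hits.append("IP Source Route")
    if proto == 6:                                   # TCP
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        flags = packet[ihl + 13]
        if flags & SYN and src == dst and sport == dport:
            hits.append("Land attack")
        if flags & ALL_FLAGS == 0:
            hits.append("No tcp flag")
        if flags & SYN and flags & FIN:
            hits.append("SYN and FIN set")
        if flags & FIN and not flags & ACK:
            hits.append("FIN without ACK")
    return hits


if __name__ == "__main__":
    cases = {
        "normal SYN": build_packet("10.0.0.1", "192.0.2.5", 4000, 80, SYN),
        "land": build_packet("192.0.2.5", "192.0.2.5", 80, 80, SYN),
        "null scan": build_packet("10.0.0.1", "192.0.2.5", 4000, 80, 0),
        "syn/fin": build_packet("10.0.0.1", "192.0.2.5", 4000, 80, SYN | FIN),
        "source routed": build_packet("10.0.0.1", "192.0.2.5", 4000, 80, ACK, LSRR_OPTION),
        "truncated option": build_packet("10.0.0.1", "192.0.2.5", 4000, 80, ACK, b"\x83\x10"),
    }
    for name, pkt in cases.items():
        print(f"{name:18s} {screen(pkt)}")
```

A SYN+FIN packet also satisfies the FIN-without-ACK test, so it is reported under both names; the device's per-screen counters behave the same way, each screen counting independently.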

Message ip fragment, From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has blocked an IP packet fragment because an admin has enabled the “screen” option that allows the NetScreen device to block all IP packet fragments that it receives at interfaces bound to a specific security zone.

Action No recommended action

Message <name_str> has been { enabled | disabled }.

Meaning An admin has either enabled or disabled one of the following firewall protection or packet handling options:

• IP spoofing protection

• Teardrop attack protection

• Ping of death protection

• IP source route filtering protection

• SYN flood protection

• Land attack protection

• ICMP flood protection

• UDP flood protection

• WinNuke attack protection

• Port scan protection

• IP sweep protection

• Java/ActiveX/ZIP/EXE blocking

• Default packet-deny policy

• Bypass-others-IPSec option

• Bypass non-IP traffic option

• Deny policy alarm option

Action No recommended action

Message SYN flood { alarm threshold | packet queue size | timeout value | attack threshold | same source IP threshold } is set to <number>.

Meaning An admin has changed the SYN flood alarm threshold, packet queue size, timeout value, attack threshold, or attack threshold from the same source IP address to the specified setting.

Action No recommended action

Message SYN flood timeout has been set to <number> on <zone> <name_str>.

Meaning An admin has changed the SYN flood timeout value for the specified zone.

Action No recommended action

Message { ICMP | UDP } flood alarm threshold has been changed to <number>/second.

Meaning An admin has changed the ICMP or UDP flood alarm threshold from the same source IP address to the specified setting.

Action No recommended action

Message Logging of { dropped | IKE | SNMP | ICMP } traffic to self has been { enabled | disabled }.

Meaning An admin has enabled or disabled the logging of dropped traffic, IKE traffic, SNMP, or ICMP traffic destined for the NetScreen device.

Action No recommended action

Message The SYN flood { alarm threshold | packet queue size | timeout value | attack threshold | same source IP threshold } has been set to <number> on <zone> <name_str>.

Meaning An admin has changed the SYN flood alarm threshold, packet queue size, timeout value, attack threshold, or attack threshold from the same source IP address for the specified zone.

Action No recommended action

Message SYN flood { same destination ip | same source ip } threshold has been set to <number> on <zone> <name_str>.

Meaning An admin has changed the SYN flood same destination ip or same source ip threshold for the specified zone.

Action No recommended action

Message The SYN-ACK-ACK proxy threshold value has been set to <number> on <interface> <name_str>.

Meaning Establishing multiple telnet sessions without letting each complete uses up all open slots, creating a Denial of Service (DoS) condition: the client finishes the TCP handshake (SYN, SYN-ACK, ACK) with the proxied service but never completes the login, so each session slot stays occupied. The SYN-ACK-ACK proxy protects your device from such a DoS. Set the threshold to the number of incomplete proxied sessions you are willing to tolerate; when the count exceeds the threshold, the system generates an alarm.

Action No recommended action
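The count in "[ The attack occurred <number> times. ]" on the SYN flood message is the number of consecutive seconds in which SYN arrivals exceeded the alarm threshold, and the same-source and same-destination thresholds set above are likewise per-second counts. The following added example is a model written to illustrate those semantics, not ScreenOS's implementation and not part of the original reference: it buckets a constructed stream of SYN arrivals by second and reports what such counters would log. The threshold values and the arrival stream are chosen for the example.

```python
"""Model of the per-second SYN flood counters described above.  Added example,
an approximation for illustration, not ScreenOS's implementation."""
from collections import Counter, defaultdict

# Threshold values chosen for this example.
ALARM_THRESHOLD = 1024   # SYN segments per second before the alarm counter runs
SOURCE_THRESHOLD = 25    # SYN segments per second from one source address
DEST_THRESHOLD = 4000    # SYN segments per second to one destination address


def bucket_by_second(events):
    """events: iterable of (second, src_ip, dst_ip), one per SYN seen.
    Returns {second: (total, per-source Counter, per-destination Counter)}."""
    totals, by_src, by_dst = Counter(), defaultdict(Counter), defaultdict(Counter)
    for sec, src, dst in events:
        totals[sec] += 1
        by_src[sec][src] += 1
        by_dst[sec][dst] += 1
    return {s: (totals[s], by_src[s], by_dst[s]) for s in totals}


def syn_flood_alarms(events, alarm=ALARM_THRESHOLD, per_src=SOURCE_THRESHOLD,
                     per_dst=DEST_THRESHOLD):
    """Return the lines this model logs.  A SYN flood line is emitted when a
    run of over-threshold seconds ends, and its count is the length of the run,
    matching "how many consecutive times per second the internal timer detected
    SYN packets in excess of the SYN attack alarm threshold"."""
    buckets = bucket_by_second(events)
    if not buckets:
        return []
    lines, run = [], 0
    # Walk every second in the range, including empty ones, so that a quiet
    # second ends a run; +2 flushes a run that reaches the last second.
    for sec in range(min(buckets), max(buckets) + 2):
        total, srcs, dsts = buckets.get(sec, (0, Counter(), Counter()))
        if total > alarm:
            run += 1
        elif run:
            lines.append(f"SYN flood has been detected! [ The attack occurred {run} times. ]")
            run = 0
        for ip, n in srcs.items():
            if n > per_src:
                lines.append(f"second {sec}: same source ip threshold exceeded by {ip} ({n} SYN/s)")
        for ip, n in dsts.items():
            if n > per_dst:
                lines.append(f"second {sec}: same destination ip threshold exceeded for {ip} ({n} SYN/s)")
    return lines


def sample_events():
    """Constructed SYN arrival stream: a quiet second, three seconds of a
    distributed flood, a quiet second, then one chatty source for two seconds."""
    ev = [(0, f"10.1.0.{i % 5}", "192.0.2.10") for i in range(50)]
    for sec in (1, 2, 3):
        ev += [(sec, f"203.0.113.{i % 250}", "192.0.2.10") for i in range(1500)]
    ev += [(4, "10.1.0.1", "192.0.2.10") for _ in range(10)]
    for sec in (5, 6):
        ev += [(sec, "198.51.100.7", "192.0.2.20") for _ in range(40)]
    return ev


if __name__ == "__main__":
    for line in syn_flood_alarms(sample_events()):
        print(line)
```

The distributed flood in the sample trips only the aggregate alarm (each source sends six SYNs per second, well under the same-source threshold), while the single chatty source trips only the same-source threshold; this is why the two thresholds are tuned separately.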

Message Screen service <serv_name> is { enabled | disabled } on <zone> <name_str>.

Meaning The specified screen service has been enabled or disabled for the current zone.

Action No recommended action

Message Screen service <serv_name> is { enabled | disabled } on interface <name_str>.

Meaning The specified screen service has been enabled or disabled for the current interface.

Action No recommended action

Message SYN flood drop pak in xparent mode when receiving unknown dst mac has been enabled on <zone> <name_str>.

Meaning An admin has instructed the device to drop SYN packets containing unknown destination MAC addresses.

Generally, when a NetScreen device detects a SYN attack, it proxies all TCP connection requests. However, when in Transparent mode, the device cannot proxy a TCP connection request if the destination MAC address is not in its MAC learning table. By default, a NetScreen device passes such packets. In this case, an admin has configured the NetScreen device to drop SYN packets with unknown destination MAC addresses: set zone <zone> screen syn-flood drop-unknown-mac

Action No recommended action

Message { IP sweep | Port scan | UDP flood | ICMP flood } threshold has been set to <number> on <zone> <name_str>.

Meaning The threshold for address sweep, port scan, UDP flood, or ICMP flood has been set for the specified zone.

Action No recommended action

Message The session limit threshold has been set to <number> on <zone> <name_str>.

Meaning The session limit threshold has been set for the specified zone.

Action No recommended action

Global PRO

The following messages relate to configuration changes to NetScreen-Global PRO central management software.

Message An intruted has attempted to connect to the NetScreen-Global PRO port! From <ip_addr1>:<port_num1> to <ip_addr2>:15400, using protocol { TCP | UDP | <number> }, at interface <interface>. [ The attack occurred <number> times. ]

Meaning The NetScreen device has detected an unauthorized attempt to connect to the device via the NetScreen-Global PRO port. The connection attempt was from the specified source IP address and port number, to the specified address and port number (15400 for NetScreen-Global PRO Report Manager), using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected unauthorized connection attempts to the NetScreen-Global PRO port.

Action Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message <name_str> { primary | secondary } host has been set to { dom_name | IP_addr }.

Meaning An admin has changed the IP address or domain name of the Global PRO primary or secondary host.

Action No recommended action

Message <name_str> has been { enabled | disabled }.

Meaning An admin has enabled or disabled Global-PRO manageability.

Action No recommended action

Message <name_str> { primary | secondary } host has been disabled.

Meaning An admin has disabled the Global-PRO primary or secondary host.

Action No recommended action

Message User-defined service <serv_name> has been { added | removed } from <name_str> distribution.

Meaning An admin has either added or removed the specified user-defined service from the Global-PRO protocol distribution table.

Action No recommended action

Message <name_str> timeout value has been returned to the default: 30 seconds.

Meaning An admin has returned the NetScreen-Global PRO timeout value to its default setting.

Action No recommended action

Message <name_str> timeout value has been changed to <number> seconds.

Meaning An admin has changed the NetScreen-Global PRO timeout value to the specified number of seconds.

Action No recommended action

Message Reporting of { the <name_str1> table | <name_str2> alarms | <name_str3> logs } to <name_str4> has been { enabled | disabled }.

Meaning An admin has either enabled or disabled the inclusion of one of the following Global PRO tables, alarms, or logs in reports to NetScreen-Global PRO:

• Protocol distribution table
• Ethernet statistics table
• Attack statistics table
• Flow statistics table
• Policy table
• Traffic alarms
• Attack alarms
• Miscellaneous alarms
• Configuration logs
• Information logs
• Self-Management logs
• Traffic logs

When one of the above tables is enabled, the NetScreen device reports that type of information to the Global PRO data collector (DC).

When one of the above tables is disabled, the device does not report that information to the DC.

Action No recommended action

Notification

Message Cannot connect to <name_str> data collector at <ip_addr>.

Meaning The NetScreen device cannot make a network connection to the NetScreen-Global PRO data collector (DC) at the specified IP address.

Action Check that the DC IP address settings are correct and that the DC is connected to the network and functioning properly.

Message Device is not known to <name_str> data collector at <ip_addr>.

Meaning The NetScreen device is not registered with the NetScreen-Global PRO data collector (DC) at the specified IP address.

Action Using the NetScreen-Global PRO program, register the NetScreen device with the DC.

Message Lost connection to <name_str> data collector at <ip_addr>.

Meaning The TCP connection between the NetScreen device and the NetScreen-Global PRO data collector (DC) at the specified IP address has been lost.

Action Check that the DC has an active network link, is currently running, is accepting new connections at the specified IP address, and is accessible from the NetScreen device.

Message Connection to <name_str> data collector at <ip_addr> has timed out.

Meaning The NetScreen-Global PRO data collector (DC) at the specified IP address has stopped responding to the keep-alive messages sent by the NetScreen device.

Action Check that the DC has an active network link, is currently running, is accepting new connections at the specified IP address, and is accessible from the NetScreen device.

Message Lost socket connection to <name_str> data collector at <ip_addr>.

Meaning Due to network failure, the TCP connection between the NetScreen device and the NetScreen-Global PRO data collector (DC) at the specified IP address has been lost.

Action Check the network, and make sure that the DC is accessible from the NetScreen device.

Message Device has connected to the <name_str> { primary | secondary } data collector at <ip_addr>.

Meaning The NetScreen device has established a TCP connection to either the primary or secondary NetScreen-Global PRO data collector (DC) at the specified IP address.

Action No recommended action

Message Connection to <name_str> data collector at <ip_addr> has been closed.

Meaning An admin has closed the TCP connection between the NetScreen device and the NetScreen-Global PRO data collector at the specified IP address.

Action No recommended action

HIGH AVAILABILITY

The following messages concern high availability (HA) settings, features, and operations using the NetScreen Redundancy Protocol (NSRP), and the related functionality of IP tracking. It is divided into the following sections:

• “HA and NSRP” on page 71
• “Path Monitoring” on page 92

HA and NSRP

Critical

Message Configuration out of sync between local unit and remote unit

Meaning The local device to which the administrative session is linked is not in synchronization with the remote device (the other device in the NSRP cluster).

Action Perform a manual synchronization.

Message no HA <string> channel available (<string> used by other channel)

Meaning The link to which the channel attempted to move is unavailable because it is in use by another channel type. For example, the data channel was unable to move to another link because the control channel is on that link.

Action No recommended action

Message HA { control | data } channel moved from link { up | down } to { up | down } (<interface>)

Meaning A High Availability link is a physical connection or line, typically an Ethernet cable connecting two devices in a redundancy arrangement or where both devices are connected to a LAN, typically a 10/100 switch. With HA links another link is present, called the link candidate, that can be used as a backup link in the event that the active link fails. A channel is a logical connection that resides on the link. A channel can be one of two types:

• Control Channel that performs High Availability tasks, including copying information over to the link candidate (known as synchronization). The control channel has a higher priority than the data channel.
• Data Channel that performs packet forwarding tasks over the link. The data channel has less priority than the control channel.

In this instance, the link in use stopped running and the link candidate now attempts to run the channel.

Action No recommended action

Message NSRP link { up | down }.

Meaning The physical link used for NSRP communications has either become active or inactive.

Action Try to determine why the link went down. Typical reasons include the cable is unplugged, the cable is not seated in the port correctly, or the cable is faulty, possibly due to an electrical short. Also, check the port to see if you can establish a link with it.

Message HA control channel change to <interface>.

Meaning The name of the physical interface that sends and receives control messages between the members of an NSRP cluster has changed.

Action No recommended action

Message HA data channel change to <interface>.

Meaning The name of the physical interface that sends and receives data packets between the members of an NSRP cluster has changed.

Action No recommended action

Message HA change from <string> to <string>.

Meaning The state of the current HA link has changed.

Action No recommended action

Message HA: Slave is down

Meaning The state of the HA link for the backup device is down.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from inoperable to init

Meaning The state of the local NetScreen device in the specified VSD group has changed from inoperable to initial. When a device returns from the inoperable state (after a system or network problem has been corrected), it transitions to the initial state first.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from ineligible to init

Meaning The state of the local NetScreen device in the specified VSD group has changed from ineligible to initial. When a device returns from the ineligible state, it transitions to the initial state first.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { master | primary backup | backup | ineligible | inoperable } to init, force command.

Meaning An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to initial.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from init to master, missing master

Meaning For a variety of reasons, the identified local unit in the specified VSD group has not detected a master device, causing the local device to become master. A typical reason for the absence of a master device is that a former master in the VSD group has failed or has become disconnected.

Action Check the status of the former master device. See if it has been removed or unplugged, or if it failed or became corrupted for some reason. Try to reset the device once you correct the problem.

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from backup to master, missing master

Meaning For a variety of reasons, the identified local unit in the specified VSD group has not detected a master device, causing the local device to become master. A typical reason for the absence of a master device is that a former master in the VSD group has failed or has become disconnected.

Action Check the status of the former master device. See if it has been removed or unplugged, or if it failed or became corrupted for some reason. Try to reset the device once you correct the problem.

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from primary backup to master, missing master

Meaning For a variety of reasons, the identified local unit in the specified VSD group has not detected a master device, causing the local device to become master. A typical reason for the absence of a master device is that a former master in the VSD group has failed or has become disconnected.

Action Check the status of the former master device. See if it has been removed or unplugged, or if it failed or became corrupted for some reason. Try to reset the device once you correct the problem.

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { primary backup | backup | ineligible | inoperable } to master, force command.

Meaning An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to master.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from init to primary backup, missing primary backup

Meaning The state of the local NetScreen device in the specified VSD group has changed from initial to primary backup.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from backup to primary backup, missing primary backup

Meaning The state of the local NetScreen device in the specified VSD group has changed from backup to primary backup.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { backup | ineligible | inoperable } to primary backup, force command.

Meaning An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to primary backup.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from init to backup, elected

Meaning The state of the local NetScreen device in the specified VSD group has changed from initial to backup.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from master to backup, { duplicate master | preempt by primary backup }

Meaning A second master VSD may exist in the VSD group and one of the master VSDs opted to change its state because two master devices in one group create a conflict, or the primary backup device has been configured with a higher priority than the master device and has the preempt option enabled.

Action If there are duplicate masters, change the state of one of the devices so there will be only one master in the VSD group.

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from primary backup to backup, duplicate primary backup

Meaning The local NetScreen device detected a second primary backup VSD, causing the device to change its state from primary backup to backup.

Action Change the state of one of the devices so there will be only one primary backup in the VSD group.

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { primary backup | ineligible | inoperable } to backup, force command

Meaning An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to backup.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { master | primary backup | backup | ineligible | inoperable | init } to ineligible

Meaning An admin has changed the state of the local NetScreen device to ineligible so that it cannot participate in the election process.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { master | primary backup | backup | ineligible | inoperable | init } to inoperable

Meaning The state of the local NetScreen device has changed to inoperable because of an internal system problem or a link failure.

Action Check the device. Try to reset the device once you correct the problem.

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) send 2nd path request to unit=<id_num3>

Meaning The local device registered a missed heartbeat from the master device and as a result asks the master to retransmit the heartbeat via the secondary HA path (if it is configured). Having a secondary HA path can minimize the number of failovers in the event that the first HA link fails.

Action No recommended action

Message NSRP: local unit=<id_num1> of VSD group (<id_num2>) receive 2nd path request from unit=<id_num3> to unit=<id_num4>

Meaning The local device received a request to retransmit a missed heartbeat via the secondary HA path (if it is configured). Having a secondary HA path can minimize the number of failovers in the event that the first HA link fails.

Action No recommended action

Message HA link disconnect. Begin to use second path of HA

Meaning The primary HA path between the VSD and the other device to which it is bound in a redundancy pair does not work. A secondary HA path configured to act as a backup path works. The VSD uses this path to connect with the other device.

Action Determine what is wrong with the primary path and correct the problem. Typically, the reason for a path being down is simply that a cable has been disconnected or that the port to which the path is connected is down.

Message ARP req, detect duplicate VSD group master <ip_addr> <mac_addr> on interface <interface>

Meaning A second master device with the specified IP and MAC addresses sent an ARP broadcast on the specified interface. Since there can be only one master in a VSD group, the election process uses device priorities to determine the master.

Action No recommended action
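The NSRP state-change messages on the preceding pages describe a small state machine for each member of a VSD group, and the duplicate-master messages (both the "change state from master to backup, duplicate master" form and the ARP form above) are the ones that indicate a split cluster. As an added example that is not part of this guide and not ScreenOS code, the following Python replays those messages from a log, keeps the last state seen per unit, and separates routine transitions from the ones an operator should act on: failover to master because the master went missing, duplicate masters, forced changes from the exec nsrp vsd-group CLI, and transitions to inoperable. It also flags a message whose "from" state disagrees with the state last logged for that unit, which usually means log lines were lost. The syslog prefix, addresses, MAC and interface names in the sample are constructed, and the failover/conflict/admin/fault labels are this example's own classification.

```python
import re

# "NSRP: local unit=<id1> of VSD group (<id2>) change state from <old> to <new>[, <reason>][.]"
# State names may contain a space ("primary backup"); the reason and the
# trailing period are optional, matching the variants documented above.
NSRP_STATE_RE = re.compile(
    r"NSRP: local unit=(?P<unit>\d+) of VSD group \((?P<group>\d+)\) "
    r"change state from (?P<old>[a-z ]+?) to (?P<new>[a-z ]+?)"
    r"(?:, (?P<reason>[^.]+?))?\.?$"
)

# "ARP req, detect duplicate VSD group master <ip_addr> <mac_addr> on interface <interface>"
ARP_DUP_RE = re.compile(
    r"ARP req, detect duplicate VSD group master (?P<ip>\S+) (?P<mac>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample log: one unit is promoted when the master disappears, then
# meets a second master, is forced back to init by an admin and finally fails.
# The "date time host:" prefix is an assumption, not part of the message format.
SAMPLE_LOG = """\
2003-05-01 10:15:02 ns208: NSRP: local unit=1 of VSD group (0) change state from init to primary backup, missing primary backup
2003-05-01 10:15:09 ns208: NSRP: local unit=1 of VSD group (0) change state from primary backup to master, missing master
2003-05-01 10:15:20 ns208: ARP req, detect duplicate VSD group master 10.1.1.1 0010.db11.2233 on interface ethernet1
2003-05-01 10:15:21 ns208: NSRP: local unit=1 of VSD group (0) change state from master to backup, duplicate master
2003-05-01 10:18:00 ns208: NSRP: local unit=1 of VSD group (0) change state from backup to init, force command.
2003-05-01 10:18:30 ns208: NSRP: local unit=1 of VSD group (0) change state from init to inoperable
2003-05-01 10:18:31 ns208: HA: Slave is down
"""


def parse_nsrp_state(line):
    """Fields of a VSD state-change message, or None for any other line."""
    m = NSRP_STATE_RE.search(line.rstrip())
    if m is None:
        return None
    return {
        "unit": int(m["unit"]),
        "group": int(m["group"]),
        "old": m["old"].strip(),
        "new": m["new"].strip(),
        "reason": m["reason"],
    }


def classify(ev):
    """Label a transition by what an operator should do about it (example policy)."""
    reason = ev["reason"] or ""
    if "duplicate" in reason:
        return "conflict"   # two masters, or two primary backups, in one VSD group
    if reason == "force command":
        return "admin"      # exec nsrp vsd-group ... mode was used
    if ev["new"] == "inoperable":
        return "fault"      # internal problem or link failure; reset after fixing
    if ev["new"] == "master" and "missing master" in reason:
        return "failover"   # the former master failed or was disconnected
    return "info"


def analyze_nsrp(lines):
    """Replay state messages per (group, unit).

    Returns (state, alerts): the last state logged for each unit, and the
    alerts for non-routine transitions, duplicate-master ARP detections, and
    messages whose "from" state does not match the last state seen.
    """
    state = {}
    alerts = []
    for raw in lines:
        line = raw.rstrip()
        m = ARP_DUP_RE.search(line)
        if m:
            alerts.append(f"conflict: duplicate master {m['ip']} ({m['mac']}) seen on {m['iface']}")
            continue
        ev = parse_nsrp_state(line)
        if ev is None:
            continue
        key = (ev["group"], ev["unit"])
        last = state.get(key)
        if last is not None and last != ev["old"]:
            alerts.append(f"gap: group {key[0]} unit {key[1]} was last logged as {last!r} "
                          f"but this message starts from {ev['old']!r}")
        state[key] = ev["new"]
        kind = classify(ev)
        if kind != "info":
            detail = f" ({ev['reason']})" if ev["reason"] else ""
            alerts.append(f"{kind}: group {key[0]} unit {key[1]} {ev['old']} -> {ev['new']}{detail}")
    return state, alerts


if __name__ == "__main__":
    final, found = analyze_nsrp(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print("current states:", final)
```

A "conflict" alert is the one to page on: two masters in a VSD group both answer ARP for the same VSD address, and the election-by-priority that resolves it is exactly the condition the Action on the "duplicate master" entry tells you to fix by hand.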

Information

Message NSRP: VSD <id_num> change to { preempt | non-preempt } mode.

Meaning An admin has either enabled or disabled the preempt mode option on a member of the specified virtual security device (VSD) group.

Action No recommended action

Message VSD heartbeat interval changed from <number1>(msec) to <number2>(msec).

Meaning An admin has changed the interval (in milliseconds) at which members of a virtual security device (VSD) group send VSD heartbeats.

Action No recommended action

Message Remove pathname <name_str> (ifnum=<id_num>) as secondary HA path

Meaning A local and a remote device in a redundant arrangement in an NSRP cluster can have two paths connecting each other, one a primary path, and a second, a secondary or backup path used when the primary path is down. An admin successfully removed an existing secondary path connecting two devices in the NSRP cluster.

Action No recommended action

Message Change secondary HA path from <name_str1> to <name_str2>.

Meaning A local and a remote device in an NSRP cluster can have two paths connecting each other, one a primary path, and the other a secondary or backup path used when the primary path is down. An admin successfully established a new secondary path connecting the local device with a remote device in the NSRP cluster.

Action No recommended action

Message Set secondary HA path to <name_str> (ifnum=<id_num>)

Meaning A local and a remote device in a redundant arrangement in an NSRP cluster can have two paths connecting each other, one a primary path, and the other a secondary or backup path used when the primary path is down. An admin successfully created a secondary path connecting the local and remote devices in the NSRP cluster.

Action No recommended action

Message NSRP: nsrp interface change to <interface>.

Meaning Some NetScreen devices do not have dedicated physical interfaces for HA links, therefore users have to set them manually. The interface for the HA link has been changed.

Action No recommended action

Message Session sync ended by unit=<dev_name>

Meaning To assure a continuous traffic flow, you can cable and configure two NetScreen devices in a redundant cluster, with one device acting as a master and the other as its backup. The master propagates all its network and configuration settings and the current session information to the backup. You terminated this information transfer, called a synchronization, on one of the devices in the NSRP cluster.

Action No recommended action

Message NSRP encryption password changed.

Meaning An NSRP encryption password protects an NSRP message. In this case, the HA message passing between two NSRP devices was encrypted with a different password than the receiving device expected from it. When the password changes, configuration operations between devices that use the message (for example, policies or firewalls) fail. Two exceptions exist in instances of NSRP message encryption password changes: neither heartbeat nor synchronization sessions fail, as these operations do not rely on encryption passwords.

Action Check the message encryption password and correct it if it is wrong.

Message NSRP authentication password changed.

Meaning An NSRP authentication password protects an NSRP authentication session. In this case, the HA authentication session exchanged between two NSRP devices was encrypted with a different password than the receiving device expected from it. When the authentication password changes, configuration operations between devices affected by that session (for example, policies or firewalls) fail. Two exceptions exist in instances of NSRP authentication session password changes: neither heartbeat nor synchronization sessions fail, as these operations do not rely on encryption passwords.

Action Check the authentication session password and correct it if it is wrong.

Message NSRP: message <string> dropped: invalid encryption password.

Meaning The NetScreen device dropped a message of the specified type (for example, SESS_CR, SESS_CL, SESS_CH) because one device in an NSRP cluster was encrypting with one key while the corresponding device in the NSRP cluster was encrypting with another key, forcing the operation to fail.

Action Check the encryption password and correct it if it is wrong.

Message RTO mirror group id=<id_num> direction={ in | out } is set

Meaning Run time objects (RTOs) are code objects created dynamically in memory during normal operation, for example, session table entries, ARP cache entries, and DHCP leases. In the event of a failover, it is critical that the current RTOs be maintained by the new master to avoid service interruption. A mirror group refers to the two devices in an NSRP cluster that exchange RTOs with each other for backup purposes. You can set a direction that determines which device transmits a copy (direction=out) and which device receives the copy (direction=in) of the RTOs. You successfully set the RTO mirror group direction.

Action No recommended action

Message RTO mirror group id=<id_num> is set

Meaning Run time objects (RTOs) are code objects created dynamically in memory during normal operation, for example, session table entries, ARP cache entries, and DHCP leases. In the event of a failover, it is critical that the current RTOs be maintained by the new master to avoid service interruption. A mirror group refers to the two devices in an NSRP cluster that exchange RTOs with each other for backup purposes. You have successfully added the local device to the RTO mirror group with the specified ID.

Action No recommended action

Message RTO mirror group id=<id_num>, direction={ in | out } is unset

Meaning Run time objects (RTOs) are code objects created dynamically in memory during normal operation, for example, session table entries, ARP cache entries, and DHCP leases. In the event of a failover, it is critical that the current RTOs be maintained by the new master to avoid service interruption. A mirror group refers to the two devices in an NSRP cluster that exchange RTOs with each other for backup purposes. You can set a direction that determines which device transmits a copy (direction=out) and which device receives the copy (direction=in) of the RTOs. The specified RTO mirror group is required to be unidirectional; therefore both a group ID and a directional attribute are required to uniquely identify this mirror group. You have successfully removed the local device from the RTO mirror group by unsetting its direction.

Action No recommended action

Message RTO mirror group id=<id_num> is unset

Meaning Run time objects (RTOs) are code objects created dynamically in memory during normal operation, for example, session table entries, ARP cache entries, and DHCP leases. In the event of a failover, it is critical that the current RTOs be maintained by the new master to avoid service interruption. A mirror group refers to the two devices in an NSRP cluster that exchange RTOs with each other for backup purposes. You have successfully removed the local device from the RTO mirror group with the specified ID.

Action No recommended action

Message RTO mirror group id=<id_num> direction={ in | out } peer=<id_num> from { undefined | set | active } to { undefined | set | active } state, { missed heartbeat | group detached }

Meaning The specified peer with the specified direction in the specified RTO mirror group has changed state.

Action No recommended action

Message RTO mirror group id=<id_num1> direction={ in | out } local unit=<id_num2>, duplicate from unit=<id_num3>

Meaning The local device has detected a device using the same IP address in the specified RTO mirror group and specified direction.

Action Change the IP address of one of the devices using the same address.

Message vsd group id=<id_num> is deleted, total number=<number>

Meaning A virtual security device (VSD) is composed of two devices, one acts as master and the other as backup. A VSD group is composed of two VSDs, each configured on a High Availability device. This message informs you that you have successfully removed the specified VSD group and of how many VSD groups remain.

Action No recommended action

Message vsd group id=<id_num> is created, total number=<number>

Meaning A virtual security device (VSD) is composed of two devices, one acts as master and the other as backup. A VSD group is composed of two VSDs, each configured on a High Availability device. This message informs you that you have successfully created the specified VSD group and of how many VSD groups exist.

Action No recommended action

Message vsd group <id_num> local unit priority changed from <number1> to <number2>

Meaning Each VSD in a High Availability VSD group is assigned a value that indicates how likely the device is to be elected the master in the redundancy relationship established between the two VSD group members. This value is known as a priority and ranges from 1 to 254. The default priority is 100. In this instance the priority value of the current VSD has been changed.

Action No recommended action

Message HA Slave is { up | down }

Meaning The state of the HA link for the slave device is up or down.

Action No recommended action

Message HA: ha link { up | down }

Meaning The state of the current HA link is up or down.

Action No recommended action

Message HA change state to init

Meaning The state of the current HA link has changed to initial (init).

Action No recommended action

Message HA: Change state to initial state.

Meaning The state of the current HA link has changed to initial (init).

Action No recommended action

Message HA: Elected slave, { lower priority | MAC value is larger | master already exists | detect new master with higher priority | detect new master with smaller MAC value }

Meaning The current device has been elected slave.

Action No recommended action

Message HA: Promoted master, command issued from original master to change state

Meaning The original master device has promoted the current device to master.

Action No recommended action

Message HA: Change to master, command issued from original master to change state

Meaning The original master device has promoted the current device to master.

Action No recommended action

Message HA: Change state to slave { for tracking ip failed | for linkdown }

Meaning The state of the master device changed to slave because track-ip was not successful or the link is down.

Action No recommended action

Message HA: Elected master, no other master

Meaning The current device was elected master because no other master exists.

Action No recommended action

Message HA change group id to <id_num>

Meaning The ID of the current HA group changed.

Action No recommended action

Message HA change priority to <number>

Meaning The priority of the current HA device changed.

Action No recommended action

Message HA { encryption password | authentication password | encryption key | authentication key } changed.

Meaning The encryption or authentication password, or encryption or authentication key, for the current HA device changed.

Action No recommended action

Path Monitoring

Critical

Message nsrp track-ip ip <ip_addr> succeed!

Meaning NetScreen uses the track-ip feature to search for an IP address out on the network, usually to identify a device to which the current device wants to connect. The device successfully located the object on the network using the specified IP address.

Action No recommended action

Message IP tracking to <ip_addr> has failed!

Meaning NetScreen uses the track-ip feature to search for an IP address out on the network, usually to identify a device to which the current device wants to connect. The device cannot locate the object on the network using the specified IP address.

Action No recommended action

Message HA linkdown

Meaning The current HA link is down.

Action No recommended action

Message nsrp track-ip ip <ip_addr> failed!

Meaning NetScreen uses the track-ip feature to search for an IP address out on the network, usually to identify a device to which the current device wants to connect. The NetScreen device cannot locate the object on the network using the specified IP address.

Action Check to see if the IP address specified is correct.

Message track ip fail reaches threshold, system may fail over!

Meaning The NetScreen device attempted to track a specified IP address out on the network, and the number of failed attempts has reached a specified threshold. In such case, the device may fail over to a backup device.

Action Verify the network connectivity between the NetScreen device and the external IP address being tracked.

Message Can not create track-ip list

Mea​ning NetScreen uses the track-ip feature to search for an IP address out on the network, generally to identify a device to which the current device wants to connect. Before attempting to locate an object out on the network that has a specified address, the track-ip feature generates a list of addresses it will attempt to search for in the current track-ip session. Track-ip cannot construct this list.

Action Determine if the track-ip feature attempted to build a list with too many addresses in it. Depending on the CPU and memory in your NetScreen device, track-ip can accommodate varying numbers of IP addresses for searching. If the track-ip list exceeds this amount, the feature cannot build the list. Reduce the number of IP addresses specified for searching using track-ip.

IKE

The following messages relate to the Internet Key Exchange (IKE) protocol, one of the three main components of IPSec—the other two are the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols. IKE provides a secure means for the distribution and maintenance of cryptographic keys and the negotiation of the parameters constituting a secure communications channel.

Alert

Message IKE <ip_addr> Policy Manager’s default CA is used by peer to establish IPSEC VPN.

Meaning The specified IKE peer has used the default certificate authority (CA) certificate supported by the Policy Manager (PM) component of NetScreen-Global PRO when establishing an IPSec VPN tunnel with the local NetScreen device.

Action Use a different CA certificate.

Information

Message IKE key <key_id> has been deleted.

Meaning An admin has deleted the specified IKE key.

Action No recommended action

Message IKE <ip_addr>: Gateway settings have been modified.

Meaning An admin has modified the settings for the specified remote IKE gateway.

Action No recommended action

Message P1 proposal <name_str> with { Preshared | RSA-sig | DSA-sig }, DH group { 0 | 1 | 2 | 5 }, ESP { NULL | DES | 3DES | AES128 | AES192 | AES256 }, auth { NULL | MD5 | SHA-1 }, and lifetime <number> has been { added | modified | deleted }.

Meaning An admin has added or deleted the specified Phase 1 proposal, or modified at least one of the following Phase 1 proposal attributes:

• Preshared Key

• RSA signature

• DSA signature

• Diffie-Hellman group 1, 2, or 5

Note: "DH group 0" indicates that a DH group is not employed because the proposal does not contain Perfect Forward Secrecy (PFS).

• Encapsulating Security Payload (ESP) protocol

• Data Encryption Standard (DES) encryption algorithm

• Triple DES (3DES) encryption algorithm

• Advanced Encryption Standard (AES) encryption algorithm

• Authentication Header (auth) protocol

• Message Digest version 5 (MD5) hash algorithm

• Secure Hash Algorithm-1 (SHA-1) hash algorithm

• Lifetime (number in seconds, minutes, hours, or days)

Action No recommended action

Message P2 proposal <name_str> with DH group { 0 | 1 | 2 | 5 }, { AH | ESP }, enc { NULL | DES | 3DES | AES128 | AES192 | AES256 }, auth { NULL | MD5 | SHA-1 }, and lifetime (sec <number>) (kb <number>) has been { added | modified | deleted }.

Meaning An admin has added or deleted the specified Phase 2 proposal, or modified at least one of the following attributes:

• Diffie-Hellman group 1, 2, or 5

Note: "DH group 0" indicates that a DH group is not employed because the proposal does not contain Perfect Forward Secrecy (PFS).

• Authentication Header (AH) protocol

• Encapsulating Security Payload (ESP) protocol

• DSA signature

• Data Encryption Standard (DES) encryption algorithm

• Triple DES (3DES) encryption algorithm

• Advanced Encryption Standard (AES) encryption algorithm

• Message Digest version 5 (MD5) hash algorithm

• Secure Hash Algorithm-1 (SHA-1) hash algorithm

• Lifetime (number in seconds, minutes, hours, or days)

Action No recommended action

Message IKE <ip_addr>: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed.

Meaning The number of IKE heartbeats that the local NetScreen device sends to the specified peer through the IPSec tunnel has exceeded the failure threshold. The security associations (SAs) for both Phase 1 and Phase 2 have been removed.

Action Verify network connectivity to the peer gateway. Check if the peer has changed or deleted the tunnel configuration or rebooted the remote gateway device.

Message IKE <ip_addr> Phase 1: Cert received has a different { IP address | FQDN | UFQDN } SubAltName than expected.

Meaning The local NetScreen device received a certificate from the specified IKE peer that contained a different subject alternative name (SubAltName) than was configured as the IKE ID on the local device.

The SubAltName is an alternative name for the subject of a certificate. NetScreen supports the following kinds:

• IP address, such as 209.157.66.170

• Fully Qualified Domain Name (FQDN), such as www.netscreen.com

• User's Fully Qualified Domain Name (UFQDN), such as jsmith@netscreen.com

Action Recommend the peer use a certificate with the expected SubAltName or change the IKE ID in the local VPN configuration to match that of the certificate.

Message IKE <ip_addr> Phase 1: Cert received has a subject name that does not match the ID payload.

Meaning The local NetScreen device received a certificate from the specified IKE peer that contained a different subject than the IKE ID sent by the peer.

The subject of a certificate can be a distinguished name (DN) composed of a concatenation of the common name elements listed in the request submitted for that certificate. The DN is the identity of the certificate holder.

Action Advise the peer to change the IKE ID in its VPN configuration to match that of the certificate, or use a certificate with a subject name that matches the IKE ID configured for the VPN.

Message IKE <ip_addr> Phase 1: Cannot use a preshared key because the peer gateway <ip_addr> has a dynamic IP address and negotiations are in Main mode.

Meaning When configuring an IPSec tunnel to the specified remote gateway, which has a dynamically assigned IP address, an admin specified a preshared key and selected Main mode for the Phase 1 negotiations.

Authentication via preshared key is not allowed when Main mode is used with a peer at a dynamically assigned IP address.

Action Reconfigure the VPN using a certificate to authenticate the remote party, or select Aggressive mode for use with preshared key authentication.

Message IKE <ip_addr>: Received incorrect ID payload: ID type mismatch.

Meaning The type of IKE ID that the local peer received from the peer at the specified IP address during Phase 1 negotiations was different than that defined in the configuration.

Action Reconfigure the VPN to accept the different ID type, or request the remote peer to send the ID type.

Message IKE <ip_addr> Phase 1: Main mode packet has arrived with ID type { IP address | FQDN | UFQDN | ASN1_DN }, but no user configuration was found for that ID.

Meaning The NetScreen device has received the packet in Phase 1 Main mode negotiations that specifies the identity of the remote entity. The packet is from a VPN dialup user at the specified address and contains the specified IKE ID type. However, the NetScreen device cannot find a configuration for the VPN dialup user based on the ID received.

NetScreen supports the following four IKE ID types:

• IP address, such as 209.157.66.170

• Fully Qualified Domain Name (FQDN), such as www.netscreen.com

• User's Fully Qualified Domain Name (UFQDN), such as jsmith@netscreen.com

• Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us

Action Check that a VPN dialup user has been configured with the specified identity.

Message IKE <ip_addr> Phase 1: Retransmission limit has been reached.

Meaning The local NetScreen device has reached the retransmission limit (10 failed attempts) during Phase 1 negotiations with the specified remote peer because the local device has not received a response.

Note: If the local device continues receiving outbound traffic for the remote peer after the first 10 failed attempts, it makes another 10 attempts, and continues to do so until it either succeeds at contacting the remote gateway or it no longer receives traffic bound for that gateway.

Action Verify network connectivity to the peer gateway. Request the remote gateway admin to consult the log to determine if the connection requests reached it and, if so, why the device did not respond.

Message IKE <ip_addr> Give up phase-2, session id <id_num>

Meaning After several unsuccessful attempts to complete Phase 2 negotiations with the specified IKE peer, the local NetScreen device has aborted the negotiations.

Action Check network connectivity by pinging the IKE peer. Also, request that the remote admin check the IKE configuration on that end of the tunnel.

Message IKE <ip_addr> Phase 1: Completed { Aggressive | Main } mode negotiations with a <number>-second lifetime.

Meaning The NetScreen device and the specified remote gateway have successfully completed Phase 1 negotiations in either Aggressive mode or Main mode with the lifetime of the Phase 1 security association (SA) defined in seconds.

Action No recommended action

Message IKE <ip_addr> Phase 1: Discarded a second initial packet, which arrived within 5 seconds after the first.

Meaning The local NetScreen device received two initial Phase 1 packets from the peer at the specified address within a five-second interval. As a result, the local device dropped the second initial packet.

Action Verify if the packets came from a legitimate peer gateway. If so, check the local logs and request the remote gateway admin to check his logs to uncover the cause of the difficulty in completing the Phase 1 negotiations.

Message IKE <ip_addr> Phase 1: { Aggressive | Main } mode negotiations have failed.

Meaning The Phase 1 session initiated by the local NetScreen device to the specified peer has failed. The session was in either Main mode or Aggressive mode.

Action Request the remote admin to consult the event log to determine the cause of the failure.

Message IKE <ip_addr> Phase 1: Received an invalid RSA signature.

Meaning The specified IKE peer has sent an invalid RSA signature in Phase 1 Message 5 or 6.

Action Request the peer to ensure that the RSA private key used to sign the packet pairs with the public key sent in the certificate.

Message IKE <ip_addr1> >> <ip_addr2> Phase 1: Initiated negotiations in { Aggressive | Main } mode.

Meaning The local NetScreen device has initiated Phase 1 negotiations in either Aggressive mode or Main mode from the outgoing interface (<ip_addr1>) to the specified peer (<ip_addr2>).

Action No recommended action

Message IKE <ip_addr> Phase 1: Cannot verify { RSA | DSA } signature.

Meaning The local NetScreen device cannot verify the RSA or DSA signature sent by the specified IKE peer.

Action Contact the remote admin to check if he or she sent a certificate with the public key matching the private key used to produce the signature.

Message IKE <ip_addr> Phase 1: No private key exists to sign packets.

Meaning The private key needed to create an RSA or DSA signature to authenticate packets destined for the specified IKE peer does not exist.

This situation can arise if either of the following conditions is met:

• The local configuration for the remote gateway specifies a local certificate that an admin later removes

• There are no local certificates in the certificate store and no local certificate is specified in the remote gateway configuration

Action Obtain and load a certificate for use in authenticating IKE packets.

Message IKE <ip_addr> Phase 1: { RSA | DSA } private key is needed to sign packets.

Meaning The IKE gateway configurations—locally and remotely—require an RSA or DSA private key to authenticate packets destined for the specified IKE peer. However, only a different type of key pair exists locally (that is, an RSA private key is required, but only a DSA key pair is loaded; or a DSA private key is required, but only an RSA key pair is loaded).

Action Either change the gateway configuration to specify a key type that is already loaded, or obtain and load the required certificate.

Message IKE <ip_addr> Phase 1: Received an incorrect public key authentication method.

Meaning In the first and second Phase 1 messages, the IKE participants agreed to use a preshared key for packet authentication. Then, in the fifth or sixth message (Main mode) or second or third message (Aggressive mode), the remote peer sent a signature payload, which requires the local device to use a public key (not a preshared key) to authenticate the packet.

The NetScreen device, however, does not attempt to authenticate the packet; it drops the packet.

Action Check if the remote peer is a legitimate IKE peer. If so, contact the remote admin to check if that device has malfunctioned. If not, this might be an ineffectual attack in which the attacker is attempting to force the NetScreen device to consume bandwidth while trying to verify bogus signature payloads.

Message IKE <ip_addr> Phase 1: IKE { initiator | responder } has detected NAT in front of the { local | remote } device.

Meaning The local NetScreen device, with NAT-Traversal (NAT-T) enabled and functioning as either an initiator or responder of Phase 1 IKE negotiations, has detected a NAT device in the data path either in front of itself or in front of its remote peer.

There are several reasons for IPSec/NAT incompatibility. (For a list of IPSec/NAT incompatibilities, see draft-ietf-ipsec-nat-reqts-00.txt by Bernard Aboba.) If NAT-T is enabled on both IKE participants, IPSec packets are encapsulated within UDP packets, protecting the original IPSec header from modification by NAT devices. Consequently, packet authentication—and communication via the IPSec tunnel—is successful.

Action No recommended action

Message IKE <ip_addr> Phase { 1 | 2 }: Aborted negotiations because the time limit has elapsed.

Meaning The NetScreen device has aborted Phase 1 or Phase 2 negotiations with the specified remote peer because the time limit—60 seconds for Phase 1 and 40 seconds for Phase 2—has elapsed.

Action Verify network connectivity to the peer gateway. Consult the local log and request the remote gateway admin to consult his or her log to determine why the negotiations timed out before completion.

Message IKE <ip_addr> Phase { 1 | 2 }: Rejected proposals from peer. Negotiations failed.

Meaning The local NetScreen device has rejected the Phase 1 or Phase 2 proposals sent by the specified IKE peer.

Action To see the local and remote peers' Phase 1 proposals, contact the admin of the remote peer and compare configurations, or enter the following CLI commands when both peers participate in the next Phase 1 negotiation:

debug ike detail

clear dbuf

get dbuf stream

Check that at least one of the Phase 1 proposals for both peers matches.

To stop the debugger, press the ESCAPE key.

Message IKE <ip_addr> Phase 2: Initiated negotiation.

Meaning The local NetScreen device has sent the initial message for IKE Phase 2 negotiations to the specified peer.

Action No recommended action

Message IKE <ip_addr> Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled.

Meaning When the local NetScreen device received an IKE Phase 2 message from the specified peer, it could not check for a policy because the id-mode was set to IP or policy-checking was disabled.

If the id-mode is set to IP, the remote peer does not send the proxy ID payload when initiating a Phase 2 session. The proxy ID consists of the local end entity's IP address and netmask, protocol, and port number; and those for the remote end entity. Consequently, the local peer cannot use the information in the proxy ID to match the information in a local policy.

If policy-checking is disabled for IKE traffic with the specified peer, the IKE module builds an SA without verifying the policy configuration.

Action Verify if this is intended behavior. If not, set the id-mode to subnet (set ike id-mode subnet) and enable policy-checking (set ike policy-checking).

Message IKE <ip_addr> Phase 2: No policy exists for the proxy ID received: local ID (<ip_addr>/<mask>, <protocol>, <port_num>) remote ID (<ip_addr>/<mask>, <protocol>, <port_num>).

Meaning When the local NetScreen device received an IKE Phase 2 message from the specified peer, it detected that no access policy exists matching the attributes specified in the proxy ID payload.

Action If you intend to allow IPSec traffic between the specified local and remote end entities, configure the necessary access policy.

Message IKE <ip_addr> Phase 2: Received DH group <value1> instead of expected group <value2> for PFS.

Meaning While executing a Diffie-Hellman exchange to refresh the cryptographic keys with Perfect Forward Secrecy (PFS) during Phase 2 Messages 1 and 2, the remote peer used a different Diffie-Hellman group than did the local NetScreen device. Consequently, the Phase 2 session has failed.

Action Change the Phase 2 configuration on the local peer or request the admin for the remote peer to change that configuration so that both employ the same Diffie-Hellman group for PFS.

Message IKE <ip_addr> Phase 2 msg-id <number>: Received responder lifetime notification.

Meaning The local NetScreen device has received a responder lifetime notification message from the specified peer. The Phase 2 negotiation is identified by the specified message ID.

The notification includes the Phase 2 SA lifetime in both seconds and kilobytes. The peers use the shortest lifetime defined.

Action No recommended action

Message IKE <ip_addr> Phase 2: Negotiations have failed. Policy-checking has been disabled but multiple VPN policies to the peer exist.

Meaning An admin has disabled policy-checking although multiple access policies for VPN traffic to the specified peer exist. Consequently, the IKE module cannot find the correct SA for traffic covered by each policy.

Note: Policy-checking must be enabled if multiple policies for VPN traffic to the same gateway exist.

Action Enable policy-checking or limit one policy per remote gateway.

Message IKE <ip_addr> Phase 2 msg-id <number>: Responded to the first peer message.

Meaning The local NetScreen device has responded to the specified peer, which sent the first message for Phase 2 IKE negotiations.

Action No recommended action

Message IKE <ip_addr> Phase 2 msg-id <number>: Negotiations have failed.

Meaning The specified Phase 2 negotiations to the identified peer have failed.

Action Examine the local log and request the remote admin to examine his or her log for possible causes.

Message IKE <ip_addr> Phase 2 msg-id <number>: Completed negotiations with SPI <number1>, tunnel ID <number2>, and lifetime <number3> seconds/<number> KB.

Meaning The local NetScreen device has successfully negotiated a Phase 2 session with the specified peer. The Phase 2 session consists of the specified attributes.

Action No recommended action

Message IKE <ip_addr>: Dropped packet because remote gateway <name_str> is not used in any VPN tunnel configurations.

Meaning The local NetScreen device has discarded an IKE packet sent from the specified remote gateway because the local device does not reference that gateway in any of its VPN tunnel configurations.

Action Verify that the packet came from a peer with whom you want to establish a VPN. If so, configure a VPN using that gateway.

Message IKE <ip_addr> Recv TRNXTN_XCHG:payloadtype (<number>)

Meaning After Phase 1 negotiations are completed, the NetScreen device received and discarded a transaction exchange (TRNXTN_XCHG) packet with a number indicating one of the following TRNXTN_XCHG payload types: request, reply, set, ack.

Action No recommended action

Message IKE <ip_addr> rcv incorrect ID payload: (IP address <ip_addr> | FQDN <string1> | UFQDN <string2> | ASN1_DN <string3>), expecting (IP address <ip_addr> | FQDN <string4> | UFQDN <string5> | ASN1_DN <string6>).

Meaning The NetScreen device received an incorrect IKE ID payload instead of the one that it was configured to receive.

NetScreen supports the following four IKE ID types:

• IP address, such as 209.157.66.170

• Fully Qualified Domain Name (FQDN), such as www.netscreen.com

• User's Fully Qualified Domain Name (UFQDN), such as jsmith@netscreen.com

• Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us

Action Check that the IKE ID configuration is identical on both the local and remote gateway devices.

Message IKE <ip_addr>: Sent initial contact notification to peer to use new sa.

Meaning The local NetScreen device has sent an initial contact notification message to the specified remote gateway. After rebooting, the local device sends an initial contact notification message when contacting a peer for the first time. The message informs the peer that the local device has no previous state with it and to delete any existing security associations (SAs).

Action No recommended action

Message IKE <ip_addr>: Rejected an initial Phase 1 packet from an unrecognized peer gateway.

Meaning The local NetScreen device has received an initial Phase 1 packet from the specified address. However, because the NetScreen device could not find a matching peer gateway configuration, it rejected the packet.

Action Review the local VPN configurations to determine if the packet came from a legitimate peer.

Message IKE <ip_addr> Heartbeats have been lost <number> times.

Meaning The IKE heartbeats that the local NetScreen device sends to the specified peer through the IPSec tunnel have been lost the specified number of times.

Action No recommended action

Message IKE <ip_addr>: Responded to a packet with a bad SPI after rebooting.

Meaning The local NetScreen device responded to an IPSec packet with an invalid security parameters index (SPI) number from the specified peer. If configured, this happens after a system reboot for a configurable number of times.

Note: To enable the NetScreen device to respond to an IPSec packet with an invalid SPI, use the following CLI command: set ike respond-bad-spi <number>. When the NetScreen device reboots, it loses any SPI values it had. However, the peers might still try to use SPI values in earlier SAs that have not yet timed out on their devices.

Action If you do not want the NetScreen device to respond to IPSec packets with bad SPI values, modify the configuration.

Message IKE <ip_addr>: Received notify message for DOI <number1> <number2> <string>.

Meaning The device has received one of the following notification messages in the specified Domain of Interpretation (DOI):

Error Types:

1. Invalid payload type

2. DOI not supported

3. Situation not supported

4. Invalid cookie

5. Invalid major version

6. Invalid minor version

7. Invalid exchange type

8. Invalid flags

9. Invalid message ID

10. Invalid protocol ID

11. Invalid SPI

12. Invalid transform ID

13. Attributes not supported

14. No proposal chosen

15. Bad proposal syntax

16. Payload malformed

17. Invalid key information

18. Invalid ID information

19. Invalid cert encoding

20. Invalid certificate

21. Cert type unsupported

22. Invalid cert authority

23. Invalid hash information

24. Authentication failed

25. Invalid signature

26. Address notification

Status Types:

16384 Connected

24576 Responder lifetime

24577 Replay status

24578 Initial contact

Action For the error notification messages, take action as appropriate for the error described. For the status notification messages, no recommended action is necessary.

Message IKE <ip_addr>: Received a bad SPI <spi_num> [ from unknown peer | after rebooting | <number> times ].

Meaning The local NetScreen device detected an invalid security parameters index (SPI) number in IPSec traffic received from the specified peer. Additional information might appear in the message, such as the following:

• The time that elapsed between the reception of a bad SPI and the recording of this event in the log

• The peer is unknown (that is, no IKE gateway configuration exists for the source of the traffic with the bad SPI)

• The reception of a bad SPI occurred after rebooting the local NetScreen device

• The number of times that the remote peer sent the bad SPI

Action Receiving a few messages of this kind during rekey is normal. However, if you receive a large number of these messages, check the SA status.

Message IKE <ip_addr>: Sent initial contact notification message.

Meaning The local NetScreen device has sent an initial contact notification message to the specified peer because this is the first time for the local device to contact that peer.

Action No recommended action

Message IKE <ip_addr>: Added the initial contact task to the task list.

Meaning The IKE module in the local NetScreen device has added to the task list the transmission of an initial contact notification message for the Phase 1 SA being negotiated.

The device sends the initial contact notification message in either the fifth message (when the device is the initiator) or the sixth message (when it is the responder) of Main mode message exchanges. When using Aggressive mode, it sends the notification after the Phase 1 negotiations are completed.

Action No recommended action

Message IKE <ip_addr> Initial contact task exist.

Meaning Before adding the initial contact task to the task list, the IKE module in the local NetScreen device noted that the task was already in the task list. This can occur if a pending task exists.

The device sends the initial contact notification message after the Phase 1 negotiations are completed.

Action No recommended action

Message IKE <ip_addr>: Added Phase 2 session tasks to the task list.

Meaning The IKE module in the local NetScreen device has added the task to start a Phase 2 session with the specified peer to the task list for the Phase 1 SA being negotiated.

Action No recommended action

Message IKE <ip_addr> Phase 2 negotiation request is already in the task list.

Meaning The IKE module in the local NetScreen device, when attempting to add a Phase 2 negotiation task to its task list, discovered that the list already contained an identical task for the specified peer.

When beginning Phase 1 negotiations, the NetScreen device adds the tasks that the Phase 1 security association (SA) must do to its Phase 1 task list. One such task is to perform Phase 2 negotiations. If Phase 1 negotiations progress too slowly, local traffic might initiate another Phase 2 SA request to the IKE module. If so, before the NetScreen device adds the Phase 2 task to its task list, it will discover that an identical task is already in the list and refrain from adding the duplicate.

Action Check if the IKE Phase 1 negotiations with that peer have successfully completed.

Message Receive UDP packets from (ip_addr1/port_num1) on <interface> (ip_addr2/port_num2)

Meaning The NetScreen device has received UDP packets on the indicated interface from the specified source IP address and port number bound for the specified destination IP address and port number. The NetScreen device logs this information if an admin has enabled such logging through the set firewall log-self ike command.

Action No recommended action

Message Gateway <name_str> at <ip_addr> in { main | aggressive } mode with ID: { <string> | "[none]" } has been { added | deleted | modified }.

Meaning An admin has added, deleted, or modified the IKE configuration for the specified remote gateway.

Action No recommended action

Message IKE <ip_addr>: Received initial contact notification and removed Phase { 1 | 2 } SAs.

Meaning The local NetScreen device has received an initial contact notification message from a peer and removed all IKE Phase 1 or Phase 2 security associations (SAs) for that peer.

Note: When the NetScreen device receives an initial contact notification message, it removes all Phase 1 and Phase 2 SAs. However, because the removal of Phase 1 and Phase 2 SAs occurs separately, the NetScreen device logs both removals separately.

Action No recommended action

Message IKE <ip_addr> Phase 1: Responder starts { Main | Aggressive } mode negotiations.

Meaning The remote peer at the specified IP address has initiated Phase 1 negotiations in either Main or Aggressive mode, and the local NetScreen device (the "Responder") has begun its response.

Action No recommended action

Message IKE <ip_addr>: Removed Phase 2 SAs after receiving a notification message.

Meaning The local NetScreen device has received a notification message from a peer and removed all IKE Phase 2 security associations (SAs) for that peer.

A notification to remove Phase 2 SAs can occur when the lifetime of a Phase 2 SA expires or when the peer manually deletes an SA before it expires. (To delete a specific SA, use the CLI command clear sa <id_number>. To delete all SAs, use the command clear ike all.)

Action No recommended action

Message IKE <ip_addr> Rejected first Phase 1 packet from an unrecognized source.

Meaning The local NetScreen device has rejected the first IKE Phase 1 message from a source that does not match any configured VPN gateways.

Action Check your VPN configurations and investigate if you want to build a security association (SA) with the peer at the address from which the message originated.

Message IKE <ip_addr> Dropped peer packet because no policy uses the peer configuration.

Meaning The local NetScreen device has dropped a packet from the specified IKE peer because no access policy using that peer can be found.

Action If you intend to establish a security association (SA) with the specified peer, verify that an access policy permitting traffic via that peer exists and is positioned correctly in the access control list (ACL).

Message IKE <ip_addr> Heartbeats have been disabled because the peer is not sending them.

Meaning The local NetScreen device has detected that the specified peer has not enabled IKE heartbeat transmission, so the local device has also disabled heartbeat transmission to that peer.

Both ends of the IPSec tunnel must enable IKE heartbeat transmission for this feature to remain active. If the local peer detects that the remote peer has not enabled this feature, the local peer automatically ceases heartbeat transmission.

Action No recommended action
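Several Action fields in this section leave a judgement to the admin: a few bad-SPI messages during rekey are normal but a large number warrant checking the SA status, Phase 1 packets from an unrecognized source should be checked against the VPN configuration, a signature payload after agreeing on a preshared key may be a malfunctioning peer or an ineffectual attack, and a reached retransmission limit points at connectivity. The following Python script is an added example, not part of the ScreenOS documentation: it aggregates event-log lines in the message formats quoted above per peer and applies those rules. The timestamp/severity prefix, addresses and SPI values in the sample log are constructed.

```python
"""Defender-side triage of ScreenOS IKE event-log lines (constructed example).

The message texts follow the formats quoted in this reference; the log prefix,
addresses and SPI values are made up for the demonstration.
"""
import re
from collections import Counter, defaultdict, namedtuple

Finding = namedtuple("Finding", "peer kind count action")

# One pattern per message format of interest. re.search ignores the log prefix
# (timestamp, severity); only the "IKE <ip_addr> ..." text is matched.
PATTERNS = {
    "bad_spi": re.compile(
        r"IKE (?P<peer>[\d.]+): Received a bad SPI (?P<spi>[0-9a-fA-Fx]+)"
        r"(?P<extra> from unknown peer| after rebooting| (?P<times>\d+) times)?\."),
    "unrecognized_peer": re.compile(
        r"IKE (?P<peer>[\d.]+):? Rejected (?:an initial|first) Phase 1 packet "
        r"from an unrecognized (?:peer gateway|source)"),
    "bogus_sig": re.compile(
        r"IKE (?P<peer>[\d.]+) Phase 1: Received an incorrect public key "
        r"authentication method"),
    "retransmit_limit": re.compile(
        r"IKE (?P<peer>[\d.]+) Phase 1: Retransmission limit has been reached"),
}

# Follow-up for each kind, taken from the Action field of the matching entry.
ACTIONS = {
    "bad_spi": "a few bad SPIs during rekey are normal; at this volume check the SA status",
    "bad_spi_unknown_peer": "bad SPI from a source with no IKE gateway configuration; "
                            "review the local VPN configurations",
    "unrecognized_peer": "Phase 1 packets from an unconfigured source; determine whether "
                         "it is a legitimate peer",
    "bogus_sig": "signature payload after agreeing on a preshared key; if the peer is "
                 "legitimate check for a malfunction, otherwise an ineffectual attack",
    "retransmit_limit": "no response in Phase 1; verify connectivity and ask the remote "
                        "admin to consult their log",
}


def parse_line(line):
    """Return (kind, peer, named groups) for a recognised line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.group("peer"), m.groupdict()
    return None


def triage(lines, bad_spi_threshold=5):
    """Aggregate recognised events per peer and return the findings worth a look.

    Bad-SPI events from known peers are counted and reported only at or above
    the threshold; a bad SPI from an unknown peer and every other kind handled
    here is reported on first occurrence.
    """
    bad_spi = Counter()
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not one of the message formats triaged here
        kind, peer, fields = parsed
        if kind == "bad_spi":
            # "<number> times" folds repeated events into one line; weight it.
            n = int(fields["times"]) if fields["times"] else 1
            if fields["extra"] == " from unknown peer":
                counts[peer]["bad_spi_unknown_peer"] += n
            else:
                bad_spi[peer] += n
        else:
            counts[peer][kind] += 1

    findings = []
    for peer, n in bad_spi.items():
        if n >= bad_spi_threshold:
            findings.append(Finding(peer, "bad_spi", n, ACTIONS["bad_spi"]))
    for peer, kinds in counts.items():
        for kind, n in kinds.items():
            findings.append(Finding(peer, kind, n, ACTIONS[kind]))
    return sorted(findings)


# Constructed sample log; message texts follow the formats documented above.
SAMPLE_LOG = """\
2003-05-12 10:22:31 system warn IKE 10.1.1.2: Received a bad SPI 0x2e4a1f3c.
2003-05-12 10:22:31 system warn IKE 10.1.1.2: Received a bad SPI 0x2e4a1f3c 6 times.
2003-05-12 10:23:02 system info IKE 10.1.1.2 Heartbeats have been lost 2 times.
2003-05-12 10:24:10 system warn IKE 192.0.2.77: Received a bad SPI 0x00001234 from unknown peer.
2003-05-12 10:24:11 system warn IKE 192.0.2.77: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2003-05-12 10:24:12 system warn IKE 192.0.2.77 Rejected first Phase 1 packet from an unrecognized source.
2003-05-12 10:24:12 system warn IKE 192.0.2.77: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2003-05-12 10:25:00 system warn IKE 10.1.1.9 Phase 1: Received an incorrect public key authentication method.
2003-05-12 10:25:30 system info IKE 10.1.1.9 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2003-05-12 10:26:00 system warn IKE 10.1.1.5 Phase 1: Retransmission limit has been reached.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.peer:<12} {f.kind:<22} x{f.count}  {f.action}")
```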

Message IKE <ip_addr>: Changed heartbeat interval to <number>.

Meaning After detecting that the specified peer is using a shorter heartbeat interval than was originally configured locally, the local device has adjusted its rate of heartbeat transmission to that peer.

Action No recommended action

Message Local gateway IP address has changed from 0.0.0.0 to <ip_addr>.

Meaning An admin has changed the IP address that the local device can use for VPN termination from 0.0.0.0 to another address.

Action No recommended action

Message Attempt to set tunnel (<name_str>) without IP address at both end points! Check outgoing interface.

Meaning An admin has unsuccessfully attempted to set up an IPSec SA using the specified VPN tunnel. However, at least one of the two tunnel endpoints did not have an IP address.

Action Check that the outgoing interface for the VPN tunnel on the local IKE peer has an IP address.

Message IKE <ip_addr> policy id <id_num> fails over from sa <id_num1> to sa <id_num2>

Meaning The monitoring device in a redundant VPN group has failed over VPN traffic from the tunnel with the security association (SA) <id_num1> to the tunnel with the SA <id_num2>. The IP address belongs to the targeted remote gateway to which the VPN traffic has been redirected. The policy ID number belongs to the policy that references this particular redundant VPN group.

Action No recommended action

Message IKE <ip_addr> new sa <tun_id_num1> is up, try to switch policy <pol_id_num> from <tun_id_num2>

Meaning The monitoring device in a redundant VPN group, having established a security association (SA) with a targeted device that has a higher priority than the currently active target, has attempted to transfer VPN traffic from tunnel <tun_id_num2> to the new tunnel <tun_id_num1>. The IP address belongs to the targeted remote gateway to which the VPN traffic has been redirected. The policy ID number belongs to the policy that references this particular redundant VPN group.

Action No recommended action

Message IKE <ip_addr>: A sa <tun_id_num1> with a higher weight replaced the sa <tun_id_num2> in policy <pol_id_num>.

Meaning The monitoring device in a redundant VPN group, having established a security association (SA) with a targeted device that has a higher weight (priority) than the currently active target, has failed over VPN traffic from tunnel <tun_id_num2> to tunnel <tun_id_num1>. The IP address belongs to the targeted remote gateway to which the VPN traffic has been redirected. The policy ID number belongs to the policy that references this particular redundant VPN group.

Action No recommended action

INTERFACE

The following messages relate to interface configurations.

Message IP for interface <interface> has been changed from <ip_addr1> to <ip_addr2>.

Meaning An admin has changed the IP address for the specified interface.

Action No recommended action

Message Netmask for interface <interface> has been changed from <mask1> to <mask2>.

Meaning An admin has changed the netmask for the specified interface.

Action No recommended action

Message Manage IP for interface <interface> has been changed from <ip_addr1> to <ip_addr2>.

Meaning An admin has changed the manage IP address for the specified interface.

Action No recommended action

Message Gateway IP for interface <interface> has been changed from <ip_addr1> to <ip_addr2>.

Meaning An admin has changed the IP address of the gateway for the specified interface.

Action No recommended action

Message Interface <interface> in <name_str> with IP <ip_addr> <mask> [ tag <number> ] was created.

Meaning An admin has created an interface for the specified virtual system. It has the specified IP address, netmask, and VLAN tag.

Action No recommended action

Message Interface <interface> in <name_str> was removed.

Meaning An admin has removed the specified interface from the virtual system.

Action No recommended action

Message Maximum bandwidth <number1> kbps on interface <interface> is less than total guaranteed bandwidth <number2> kbps.

Meaning The specified interface bandwidth settings are insufficient for the total guaranteed bandwidth specified in the traffic shaping option of the access policies that traverse that interface.

Action Increase the interface bandwidth settings or decrease the traffic shaping bandwidth settings on the access policies.

Message The configured bandwidth on the interface <interface> has been changed to <number> kbps.

Meaning An admin has changed the configured bandwidth for the specified interface.

Action No recommended action

Message { Global PRO | Ident-reset | Ping | SCS | SNMP | SSL | Telnet | Web } has been { enabled | disabled } on interface <interface>

Meaning An admin has either enabled or disabled Global PRO, SCS, SNMP, SSL, Telnet, or Web manageability, or ident-reset or ping functionality, for the specified interface.

Action No recommended action

Message The operational mode for interface <interface> has been changed to { Route | NAT }.

Meaning An admin has changed the operational mode for the specified interface to { Route | NAT }.

Action Check access policy configurations to ensure that they function properly in the new operational mode.

Message DHCP client has been { enabled | disabled } on interface <interface>

Meaning An admin has enabled or disabled the DHCP client on the specified interface.

Action Check access policy configurations to ensure that they function properly in the new operational mode.

Message Interface <interface> was unbound from zone <zone>.

Meaning An admin unbound the named interface from the specified zone.

Action No recommended action

Message Interface <interface1> was bound to zone <zone>.

Meaning An admin bound the named interface to the specified zone.

Action No recommended action

Message Secondary IP address <ip_addr>/<mask> was removed from interface <interface>.

Meaning An admin successfully removed a specified backup IP address from a specified interface. The interface no longer identifies itself by that IP address.

Action No recommended action

Message Secondary IP address <ip_addr> was added to interface <interface>.

Meaning An admin successfully added a specified IP address to a specified interface.

Action No recommended action

Message Route between secondary IPs on interface <interface> was { enabled | disabled }.

Meaning An admin has either enabled or disabled the routes to all secondary IP addresses on the specified interface.

Action No recommended action

L2TP

The following messages concern the configuration and operation of Layer 2 Tunneling Protocol (L2TP).

Message Cannot allocate IP addr from Pool <name_str> for user <usr_str>

Meaning The PPP server cannot assign an IP address from its address pool for the named L2TP user.

Action You can enlarge the size of the L2TP default IP pool or assign an IP pool specifically to the user:

• set ippool <name> <ip_addr1> <ip_addr2>

• set user <user_name> remote-settings ippool <name_str>

Message No IP Pool has been assigned. You cannot allocate an IP address

Meaning There is no L2TP IP address pool on the PPP server.

Action You must create an L2TP IP pool:

• set ippool <name> <ip_addr1> <ip_addr2>

• To make the above IP pool the default L2TP IP pool: set l2tp default ippool <name_str>

• To use the above IP pool for the specified user: set user <user_name> remote-settings ippool <name_str>

Message Dialup HDLC PPP session has successfully established.

Meaning An admin successfully established a dialup HDLC PPP session over a NetScreen device.

Action No recommended action

Message Dialup HDLC PPP failed to establish a session: <string>.

Meaning An admin failed to establish a dialup HDLC PPP session over a NetScreen device. The string gives the reason reported by PPP.

Action No recommended action

Message PPP settings changed.

Meaning An admin changed the PPP parameters.

Action No recommended action

LINK STATUS

The following messages relate to the status of the physical interface links.

Message The physical state of the interface <interface> has changed to { up | down }.

Meaning The physical state of the specified interface has changed from up to down, or from down to up.

Action No recommended action

LOG

The following messages relate to the event, traffic, and self logs.

Message <name_str> has been cleared.

Meaning An admin has cleared the specified log.

Action No recommended action

Message { Alarm | Traffic | Event | Asset recovery | Self } log was reviewed by admin <name>.

Meaning The named admin has viewed the entries in the specified log.

Action No recommended action

Message Log buffer was full and remaining messages were sent to external destination. [ <number> packets were dropped. ]

Meaning When the log buffer in the NetScreen device reached its capacity, the device sent all log entries to an external host for storage. During the transmission process, the NetScreen device stopped receiving traffic and, as reported on some NetScreen devices, dropped the specified number of packets.

Note: After the device transmits all log entries, it resumes receiving and processing traffic.

Action No recommended action

Message All logged events or alarms are cleared by admin <name>.

Meaning The named admin has deleted all entries from the event or alarm log.

Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Log setting is modified to { enable | disable } <level> level by admin <name>

Meaning The named admin has either enabled or disabled the logging of messages at the specified severity level: emergency, alert, critical, error, warning, notification, information, or debugging.

Action Confirm that the action was appropriate, and performed by an authorized admin.
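The two entries above, together with the IKE "Rejected first Phase 1 packet from an unrecognized source" message at the start of this section, are the lines a log collector should alert on rather than merely store: repeated rejections from one unknown source look like an IKE scan, and clearing a log or disabling a severity level is how a compromised or careless admin hides activity. The Go program below is an added example, not ScreenOS code and not anything shipped by NetScreen. It assumes a collector layout of "date time hostname message" (adjust lineRE to yours), and the sample lines, hostname, addresses and admin name are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Added example (not ScreenOS code): a small detector over ScreenOS event-log
// lines of the kinds documented in this reference. The syslog prefix layout
// and every sample line below are constructed for the example.

// Event is one parsed log line.
type Event struct {
	At   time.Time
	Host string
	Body string
}

// Finding is one alert produced by the rules.
type Finding struct {
	Kind   string
	Detail string
}

// Assumed collector format: "YYYY-MM-DD HH:MM:SS <hostname> <message>".
var lineRE = regexp.MustCompile(`^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.+)$`)

// Message patterns taken from the entries in this reference.
var (
	unknownIKE = regexp.MustCompile(`^IKE (\S+) Rejected first Phase 1 packet from an unrecognized`)
	logCleared = regexp.MustCompile(`^All logged events or alarms are cleared by admin (\S+)`)
	logLevel   = regexp.MustCompile(`^Log setting is modified to (enable|disable) (\S+) level by admin (\S+)`)
)

// Parse splits one line into its timestamp, host and message body.
func Parse(line string) (Event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	at, err := time.Parse("2006-01-02 15:04:05", m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{At: at, Host: m[2], Body: m[3]}, true
}

// Analyze applies three rules:
//   - threshold rejected Phase 1 packets from one unknown source within window
//     are reported once per burst as a probable IKE scan;
//   - clearing the event/alarm log is always reported;
//   - disabling a log level is always reported (enabling one is not).
func Analyze(lines []string, threshold int, window time.Duration) []Finding {
	var out []Finding
	burstStart := map[string]time.Time{}
	burstCount := map[string]int{}
	for _, line := range lines {
		ev, ok := Parse(line)
		if !ok {
			continue // not in the assumed collector format; skip rather than guess
		}
		switch {
		case unknownIKE.MatchString(ev.Body):
			ip := unknownIKE.FindStringSubmatch(ev.Body)[1]
			if start, seen := burstStart[ip]; !seen || ev.At.Sub(start) > window {
				burstStart[ip] = ev.At // open a new window for this source
				burstCount[ip] = 0
			}
			burstCount[ip]++
			if burstCount[ip] == threshold {
				out = append(out, Finding{"ike-unknown-peer-burst",
					fmt.Sprintf("%s: %d rejected Phase 1 attempts from %s within %s", ev.Host, threshold, ip, window)})
			}
		case logCleared.MatchString(ev.Body):
			admin := logCleared.FindStringSubmatch(ev.Body)[1]
			out = append(out, Finding{"log-cleared", ev.Host + ": log cleared by admin " + admin})
		case logLevel.MatchString(ev.Body):
			m := logLevel.FindStringSubmatch(ev.Body)
			if m[1] == "disable" {
				out = append(out, Finding{"logging-reduced",
					ev.Host + ": " + m[2] + " level logging disabled by admin " + m[3]})
			}
		}
	}
	return out
}

// SampleLines are constructed for this example; timestamps and addresses are not real.
var SampleLines = []string{
	"2004-03-01 10:00:01 ns-fw1 IKE 198.51.100.7 Rejected first Phase 1 packet from an unrecognized source",
	"2004-03-01 10:00:15 ns-fw1 IKE 198.51.100.7 Rejected first Phase 1 packet from an unrecognized source",
	"2004-03-01 10:00:20 ns-fw1 IKE 203.0.113.9 Rejected first Phase 1 packet from an unrecognized source",
	"2004-03-01 10:00:40 ns-fw1 IKE 198.51.100.7 Rejected first Phase 1 packet from an unrecognized source",
	"2004-03-01 10:02:00 ns-fw1 Interface ethernet1 was bound to zone Untrust.",
	"2004-03-01 10:05:00 ns-fw1 Log setting is modified to disable warning level by admin netscreen",
	"2004-03-01 10:05:30 ns-fw1 All logged events or alarms are cleared by admin netscreen",
}

func main() {
	for _, f := range Analyze(SampleLines, 3, time.Minute) {
		fmt.Printf("%-24s %s\n", f.Kind, f.Detail)
	}
}
```

On the sample input the burst rule fires once for 198.51.100.7 (three rejections in 39 seconds) and not at all for 203.0.113.9, which was rejected only once; a legitimate but misconfigured peer also produces a burst, so the finding is a prompt to check the gateway list, as the IKE entry's Action says, not proof of hostile intent. The threshold and window are parameters because the right values depend on how many dial-up or dynamic-address peers a device legitimately rejects.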

MIP

The following message relates to mapped IP (MIP) addresses.

Message Mapped IP <ip_addr1> <ip_addr2> has been { added | modified | deleted }.

Meaning An admin has added, modified, or deleted the specified mapped IP address.

Action No recommended action

NACN

The following messages relate to the NetScreen Address Change Notification (NACN) protocol.

Message The NACN protocol has been { enabled | disabled }.

Meaning An admin has either enabled or disabled the NACN protocol. When enabled, the NetScreen device attempts to contact the server running Policy Manager whenever an interface IP address change occurs. When disabled, the NetScreen device does not attempt to make contact with the server running Policy Manager when an address change occurs.

Action No recommended action

Message NACN Policy Manager { 1 | 2 }’s host field has been unset.

Meaning A NetScreen device needs to send a host field to the server running Policy Manager to authenticate as a client device. An admin cleared the IP address of the server running Policy Manager. 1 = the primary Policy Manager server. 2 = the secondary Policy Manager server.

Action Set a new IP address for the server running Policy Manager if necessary.

Message NACN Policy Manager { 1 | 2 }’s password field has been unset.

Meaning A NetScreen device needs to send a password to the server running Policy Manager to authenticate as a client device. An admin cleared the password used with the server running Policy Manager. 1 = the primary Policy Manager server. 2 = the secondary Policy Manager server.

Action Set the password for the device on the Policy Manager server. An admin who manages the Policy Manager server needs to register the NetScreen device and sequence it with the server. Set a new IP address for the server running Policy Manager if necessary.

Message NACN Policy Manager { 1 | 2 }’s policy-domain field has been unset.

Meaning Policy Manager divides the device into several policy domains, similar to the way a file manager divides a file system into several directories. If you leave the field unset, Policy Manager will search all policy domains instead of a specified domain.

Action Specify a policy domain in Policy Manager.

Message NACN Policy Manager { 1 | 2 }’s outgoing interface, used to report NACN to Policy Manager { 1 | 2 }, has not been specified.

Meaning No outgoing interface is set for NACN reports to that Policy Manager, so none can be sent.

Action Specify the outgoing interface by name to enable NACN reporting.

Message NACN Policy Manager { 1 | 2 }’s port field has been reset to the default value.

Meaning The port on which the device contacts Policy Manager has been reset to its default value rather than the one that had been configured.

Action If Policy Manager does not listen on the default port, set the port field to the port it uses.

Message NACN Policy Manager { 1 | 2 }’s Cert-Subject field has not been specified.

Meaning Two certificates are significant. One is a certificate that needs to be installed on Policy Manager. The second is a Certificate Authority (CA) certificate that must be installed on the NetScreen device before any activity occurs. During the handshake, Policy Manager sends its certificate to the device and the device authenticates it using the CA certificate. When the expected subject name of the Policy Manager certificate is cleared, the device will accept any certificate signed by the CA certificate, not only the one belonging to your Policy Manager.

Action Specify the expected subject name of the certificate installed on the Policy Manager.

Message NACN Policy Manager { 1 | 2 }’s CA certificate field has not been specified.

Meaning The device will accept any Policy Manager whose certificate is directly signed by any CA certificate installed on the NetScreen device.

Action Specify a CA certificate if necessary.

Message NACN Policy Manager { 1 | 2 }’s host field has been set to <serv_name>.

Meaning The Policy Manager server <serv_name>, to which the device sends its NACN registration and password information, has been set as the NACN host.

Action No recommended action

Message NACN Policy Manager { 1 | 2 }’s password field has been set.

Meaning The password the device presents to the NACN host has been set.

Action No recommended action

Message NACN Policy Manager { 1 | 2 }’s policy-domain field has been set to <dom_name>.

Meaning The policy domain has been set; Policy Manager will search the specified policy domain.

Action No recommended action

Message NACN Policy Manager { 1 | 2 }’s outgoing-interface field has been set to <interface>.

Meaning The outgoing interface has been set and NACN messages can be sent to the Policy Manager.

Action No recommended action

Message NACN Policy Manager { 1 | 2 }’s port field has been set to <port_num>.

Meaning The port on which the device contacts Policy Manager has been set.

Action No recommended action

Message NACN Policy Manager { 1 | 2 }’s Cert-Subject field has been set to <name_str>.

Meaning The expected subject name of the Policy Manager certificate was set.

Action No recommended action

Message NACN Policy Manager { 1 | 2 }’s CA certificate field has been set to <name_str>.

Meaning The Certificate Authority (CA) certificate that the NetScreen Address Change Notification (NACN) protocol uses to authenticate Policy Manager has been set to the specified CA name.

Action No recommended action

Message NACN successfully registered to Policy Manager <name_str>.

Meaning The NetScreen Address Change Notification (NACN) protocol successfully sent a request to a NetScreen Policy Manager to begin a session.

Action No recommended action

Message NACN failed to register to Policy Manager <name_str> because of { wrong password | the device does not exist | an invalid IP address | an unknown error }.

Meaning The NetScreen Address Change Notification (NACN) protocol sends requests to a NetScreen Policy Manager to begin a session. This session attempt was not successful.

Action If the issue is a wrong password, see your Policy Manager admin to determine the right password. If the Policy Manager server does not recognize the device as a valid object on the network, see your admin. If the issue is an invalid IP address, change the IP address of the device to an active address. If the issue is an unknown error, see your admin.

Message NACN failed to register to Policy Manager <name_str> because the connection timed out or aborted unexpectedly.

Meaning Each NetScreen Address Change Notification (NACN) attempt to connect to a Policy Manager server has a timeout value that allows the device to continue trying to establish a session until the timeout threshold is reached. Once this value (in seconds) has been exceeded, the session ends. The NACN request exceeded this value and stopped trying to establish a session.

Action Check your network connection and your NACN settings.

Message The NACN protocol has started for Policy Manager { 1 | 2 } on hostname <name_str> IP address <ip_addr> port <port_num>.

Meaning A NACN connection has started between Policy Manager and the device at the specified IP address and port.

Action No recommended action

OSPF

The following messages relate to the Open Shortest Path First (OSPF) protocol used for dynamic routing.

Message <id_num> hello-packet flood from neighbor (ip = <ip_addr>, router-id = <id_num2>) on interface <interface>, packet is dropped

Meaning The NetScreen device detected a flood of hello packets from the specified OSPF neighbor arriving at the specified interface. The NetScreen device has begun dropping hello packets it receives from that neighbor.

Occasionally, the interval between instances of OSPF hello packet generation by a routing instance can be very low, resulting in excessive hello packets sent to another device over a short period of time. This hello-packet flood can overtax the receiving routing instance’s memory and CPU processing.

Action Remove the connection between the current virtual routing instance and its offending OSPF neighbor.

Message <id_num> lsa flood on interface <interface> has dropped a packet.

Meaning Occasionally, the interval between instances of Link State Advertisement (LSA) generation by a routing instance can be very low, resulting in multiple LSAs sent to another device over a short period of time. This event is an LSA flood and can overtax the receiving routing instance’s memory and CPU processing. Dropping the packets thwarts attacks on the NetScreen device by hackers using LSA flooding.

Action Remove the connection between the current virtual routing instance and its offending neighbor.

Message { Set | Unset } vrouter <vrouter> protocol ospf <string>

Meaning An admin has set or unset a parameter for an OSPF virtual routing instance. For example, the admin may have set the threshold for hello packets.

Action No recommended action

Message { Set | Unset } vrouter <vrouter> <string>

Meaning An admin has set or unset a parameter for the specified virtual router.

Action No recommended action

Message OSPF routing instance in vrouter <vrouter> is created.

Meaning An admin has added an Open Shortest Path First (OSPF) virtual routing instance to the specified virtual router. This object generates Link State Advertisements (LSAs), can be mapped to an area, and has other OSPF attributes.

Action No recommended action

Message ospf instance in vrouter <vrouter> is deleted.

Meaning An admin has removed an Open Shortest Path First (OSPF) virtual routing instance from the specified virtual router.

Action No recommended action

Message vrouter <vrouter> was { set | unset }.

Meaning An admin either set or unset an OSPF instance in the specified virtual router.

Action No recommended action

Message A route-map entry with sequence number <number1> in route map <name_str> in virtual router <vrouter> has been removed

Meaning An admin removed the route map entry with the specified sequence number from the named route map in the current virtual router, so the routing instance no longer evaluates routes against the conditions set in the removed entry. (Sequence numbers identify the placement of a specific route map entry in the route map entry list.)

Action No recommended action

Message A route-map <name_str> in virtual router <vrouter> has been removed

Meaning An admin removed a route map with the specified name from the current virtual router, so the routing instance no longer evaluates routes against the conditions set in the removed route map.

Action No recommended action

Message A route-map entry with sequence-number <number> in route-map <name_str> in virtual router <vrouter> has been created

Meaning An administrator added a new entry to the identified route map. This entry carries the specified sequence number. Sequence numbers identify the placement of a specific route map entry in the route map entry list.

Action No recommended action

Message access list <id_num> sequence number <number> permit | deny ip <ip_addr>/<mask> deleted in vrouter <vrouter>

Meaning An admin removed the specified access list entry from the virtual router.

Action No recommended action

Message access list <id_num> deleted in vrouter <vrouter>

Meaning An admin removed the specified access list from the virtual router.

Action No recommended action

Message access list <id_num> created in vrouter <vrouter>.

Meaning An admin created an access list on the specified virtual router.

Action No recommended action

Message access list <id_num> sequence number <number> permit | deny ip <ip_addr>/<mask> created in vrouter <vrouter>

Meaning An admin created an access list entry on the specified virtual router.

Action No recommended action

Message <id_num1> NBR change, rtid <id_num2> <ip_addr> state = <string>

Meaning The OSPF neighbor with router ID <id_num2> at <ip_addr> has changed to the specified neighbor state.

Action No recommended action

PKI

The following messages relate to Public Key Infrastructure (PKI).

Message PKI: The current device failed to save the { certificate authority configuration | key }.

Meaning During a configuration synchronization between NSRP cluster members, the local NetScreen device was unable to store either the certificate authority (CA) configuration data or the public/private key pair in the allocated storage area in flash memory.

The CA configuration contains CA-related information, such as Simple Certificate Enrollment Protocol (SCEP) server locations and CRL server locations. The public/private key pair is used for encrypting data. What one key in the pair encrypts, the other key, and only the other key, can decrypt.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to save the PKI object again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message Failed to { locate | delete } the key.

Meaning The NetScreen device failed to locate or delete a public/private key pair.

Action If the NetScreen device fails to locate a key pair, generate a new public/private key pair. If this action does not correct the problem, contact NetScreen technical support.

If the NetScreen device fails to delete a key pair, reboot the device and try again.

Message PKI: The device failed to save the key object.

Meaning An admin unsuccessfully attempted to save a key pair to flash memory, but the key pair was corrupted.

Action Obtain and load a new key pair.

Message PKI: The device failed to save the DSA/RSA key.

Meaning The NetScreen device was unable to save either the DSA or RSA public/private key pair when it received a local certificate via the Simple Certificate Enrollment Protocol (SCEP). If the certificate authority (CA) changed the subject name in the certificate, the NetScreen device no longer associates the key pair with that certificate and rejects the key pair.

Action Investigate whether the CA changed the subject name in the certificate. If so, generate a new certificate request (a PKCS #10 file produced with a new public/private key pair) and resubmit your request to the CA.

Message PKI: The device cannot load the X.509 object into the flash file <filename>.

Meaning An admin unsuccessfully attempted to load the specified X.509 object (certificate or CRL) into the NetScreen device, but the number of X.509 objects in the database table exceeded the maximum number of objects allowed in the table.

Action Remove obsolete or unneeded X.509 objects (also referred to as PKI objects) from the device database table to bring the number of objects in the table below the maximum value.

Contact NetScreen technical support to identify the maximum number of PKI objects allowed in the device database table. Each device has a different maximum.

Message PKI: The device has no memory to load PKI objects, filename <filename>.

Meaning An admin unsuccessfully attempted to load the specified PKI object (certificate or CRL) into the NetScreen device, but there was not enough RAM available to receive the object.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to load the PKI object again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device cannot load X.509 { certificate | CRL }, filename <filename>.

Meaning The device cannot load the specified PKI object from an outside source into RAM. The filename can be the name of a certificate or certificate revocation list (CRL).

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to load the PKI object again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device has no memory to generate PKCS10 data.

Meaning The NetScreen device does not have enough RAM to generate the data for a PKCS #10 (Certificate Request Syntax Standard) certificate request.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the data again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to generate PKCS10 data.

Meaning The NetScreen device was unable to format the PKCS #10 data correctly for a certificate request.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to generate the certificate request file in PKCS10 format.

Meaning The NetScreen device was unable to generate a certificate request file in PKCS #10 (Certificate Request Syntax Standard) format.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to send the PKCS10 certificate request file via e-mail.

Meaning The NetScreen device was unable to send the PKCS #10 certificate request file via e-mail.

Action Ensure that the Simple Mail Transfer Protocol (SMTP) configuration settings on the NetScreen device and the e-mail address of the recipient are correct, and then try again.

Message PKI: The device failed to send an X.509 certificate request in PKCS10 format.

Meaning The NetScreen device did not use the standard PKCS #10 format when sending an X.509 certificate request to a certificate authority (CA).

Action Reconfigure the X.509 certificate request and try sending it to the CA again.

Message PKI: The device has detected zero DSA/RSA key length input. Use 1024 bits default.

Meaning An admin has attempted to generate a public/private key pair with a key length of 0, which is invalid. To correct this problem, the NetScreen device reverts to the default key length of 1,024 bits.

Action No recommended action

Note: A 1,024-bit RSA or DSA key is below current minimum key-length recommendations. Specify the key length explicitly rather than relying on this default.

Message PKI: The device failed to save the { RSA | DSA } key.

Meaning Although the NetScreen device was successful in generating a DSA or RSA key pair, it was unable to save the key pair.

Action Free up space in the flash memory by removing obsolete or unused objects from the database.

Message PKI: The device failed to generate a certificate request.

Meaning The NetScreen device was unable to generate a PKCS #10 formatted file to use when requesting a certificate.

Action Reboot the NetScreen device, and try to generate a PKCS #10 formatted certificate request again.

If the problem persists, open a console session with the NetScreen device, and do either of the following:

• Enter the get tech-support command, copy the output, and paste it in a text file.

• Enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command.

Then, attach the text file containing the tech-support output to an e-mail message that describes the problem, and send it to techsupport@netscreen.com.

Message PKI: The device cannot generate a certificate request because there is no control data.

Meaning The NetScreen device did not have the necessary control data to generate a certificate request. Control data is all the configurations necessary for the successful generation of a PKCS #10 file.

Action Reconfigure the certificate request control data and regenerate a PKCS #10 file.

Message PKI: The device cannot locate the keypair with id <id_num> to generate certificate request.

Meaning When attempting to submit a certificate request, the NetScreen device was unable to locate the specified public/private key pair.

Action Use the following CLI command to check that a key pair exists for this ID number: get pki x509 list key-pair.

Message PKI: The device cannot find the RSA/DSA key pair to generate certificate request.

Meaning When attempting to submit a certificate request, the NetScreen device was unable to locate a public/private key pair because the content was lost. Consequently, the NetScreen device aborted the request operation.

Action Generate another certificate request with a new key pair.

Message PKI: The device cannot find the subject DN to generate certificate request.

Meaning The NetScreen device unsuccessfully attempted to generate a PKCS #10 certificate request file, but was unable to find the subject entry in the distinguished name.

Action Reconfigure the certificate request with a valid subject entry in the distinguished name. (Note: Do not use any extended ASCII characters, such as #, -, or +, when entering the subject name.)

Message PKI: The device cannot decode the public key of certificate <name_str>.

Meaning The NetScreen device was unable to decode the public key in the specified certificate.

Action Request another certificate.

Message X509 certificate with subject name <name_str> is deleted.

Meaning An admin has deleted an X509 certificate with the specified subject name from the NetScreen device.

Action No recommended action

Message PKI: A configurable item ‘DN’s { Name | phone | e-mail | country | state | county/locality | organization | unit/department | IP address | e-mail to }’ field has changed from { ‘<string1>’ to none | none to ‘<string2>’ | ‘<string1>’ to ‘<string2>’ }.

Meaning An admin has changed the specified common name (CN) field within the distinguished name (DN) of an X509 certificate request.

Action No recommended action

Message PKI: A configurable item ‘raw CN setting’ field has changed from { ‘enabled’ to ‘disabled’ | ‘disabled’ to ‘enabled’ }.

Meaning An admin has enabled or disabled the use of the certificate name alone (as opposed to a concatenation of all the common names) as the distinguished name (DN) of the X509 certificate request.

Action No recommended action

Message PKI: A configurable item ‘default certificate validation level’ field has changed from { ‘full’ to ‘partial’ | ‘partial’ to ‘full’ }.

Meaning An admin has changed the certificate validation level either from full to partial or from partial to full.

“Full” means that the NetScreen device validates a peer’s certificate by checking all the CAs in the hierarchical PKI validation path of the peer’s certificate until it verifies the root CA certificate, which must be loaded on the NetScreen device.

“Partial” means that the NetScreen device verifies the first CA certificate—which must be loaded on the NetScreen device to be verified—in the hierarchical PKI validation path of a peer’s certificate.

Action No recommended action

Message PKI: A configurable item ‘certificate FQDN’ field has changed from ‘<string1>’ to ‘<string2>’.

Meaning An admin has changed the certificate validation level either from full to partial or from partial to full.

“Full” means that the NetScreen device validates a peer’s certificate by checking all the CAs in the hierarchical PKI validation path of the peer’s certificate until it verifies the root CA certificate, which must be loaded on the NetScreen device.

“Partial” means that the NetScreen device verifies the first CA certificate—which must be loaded on the NetScreen device to be verified—in the hierarchical PKI validation path of a peer’s certificate.

Action No recommended action

Message PKI: A configurable item ‘default LDAP server name’ field has changed from { ‘<ip_addr1>’ to ‘<ip_addr2>’ | ‘<dom_name1>’ to ‘<dom_name2>’ }.

Meaning An admin has changed the IP address or domain name of the default LDAP server that manages the certificate revocation list (CRL).

Action No recommended action

Message PKI: A configurable item ‘default LDAP server CRL URL’ field has changed from ‘<string1>’ to ‘<string2>’.

Meaning An admin has changed the URL for the default LDAP server at which the certificate revocation list (CRL) is accessed.

Action No recommended action

Message PKI: A configurable item ‘e-mail address to send certificate request’ field has changed from ‘<number1>’ to ‘<number2>’.

Meaning An admin has changed the e-mail address to which the NetScreen device can send an X509 certificate request.

Action No recommended action

Message PKI: A configurable item ‘default CRL Refresh Frequency’ field has changed from ‘<number1>’ to ‘<number2>’.

Meaning An admin has changed the contents of the fully qualified domain name (FQDN) field in an X509 certificate request.

Action No recommended action

Message PKI: A configurable item ‘SCEP’s { CA | RA } CGI URL’ field has changed from ‘<string1>’ to ‘<string2>’.

Meaning An admin has changed the HTTP URL or LDAP URL of the common gateway interface (CGI) on the CA server for either the certificate authority (CA) or registration authority (RA). The CGI identifies the script path used by the CA server to process the incoming Simple Certificate Enrollment Protocol (SCEP) request.

Action No recommended action

Message PKI: A configurable item ‘SCEP’s { CA IDENT | challenge password }’ field has changed from ‘<name_str1>’ to ‘<name_str2>’.

Meaning An admin has changed the CA IDENT or the Challenge password. The CA IDENT uniquely identifies the initiator of a Simple Certificate Enrollment Protocol (SCEP) request to the responding CA server. The end entity (EE) can use the challenge password, included in the PKCS #10 certificate request, to validate its identity when requesting the CA to revoke the EE’s certificate.

Action No recommended action

Message PKI: A configurable item ‘CRL’s signature verification’ field has changed from { ‘0’ to ‘1’ | ‘1’ to ‘0’ }.

Meaning An admin has enabled (1) or disabled (0) the use of digital signatures—using the Digital Signature Standard (DSS)—to check the integrity of CRL content that the NetScreen device references.

Action No recommended action

Message PKI: The device failed to store the authority configuration.

Meaning An admin unsuccessfully attempted to load a certificate authority (CA) configuration on the NetScreen device. A likely cause for this failure is that the device allocated insufficient space in flash memory for the CA configuration. The CA configuration contains CA-related information, such as Simple Certificate Enrollment Protocol (SCEP) server locations and CRL server locations.

Action Report the issue to NetScreen technical support.

Message create new authcfg for CA <id_num>

Meaning An admin has created a new configuration for the certificate authority with the specified ID number.

Action No recommended action

Message PKI: NSRP cold sync start for total of <number> items.

Meaning When the local NetScreen device came online in an NSRP cluster, an existing cluster member started a cold sync of the specified number of PKI objects from itself to the newly arrived member.

The cold sync operation automatically synchronizes all PKI objects such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.

Action No recommended action

Message PKI: NSRP sync received cold sync item <number1> out of order, expect <number2> of <total_number>.

Meaning During a cold sync operation between members of an NSRP cluster, the local NetScreen device received a PKI item out of numerical order. The NetScreen device expected to receive item <number2> but received item <number1> instead.

When NSRP cluster members perform a cold sync of PKI objects, the sender notifies the receiver of the total number of objects to expect. It then sends them in the order in which they appear in the PKI object table in flash memory. If an object arrives out of order, the devices stop the current cold sync attempt, and begin another one. Cluster members can make up to a total of 30 attempts to synchronize PKI objects.

Action No recommended action

Message PKI: NSRP sync received cold sync item <number> without first item.

Meaning At the start of a cold sync operation between members of an NSRP cluster, the local NetScreen device initially received a PKI object other than the first one in the PKI object table.

When NSRP cluster members perform a cold sync of PKI objects, the sender sends the objects in the order in which they appear in the PKI table in flash memory. If the transmission begins with any object other than the first one, the devices stop the current cold sync attempt, and begin another one. Cluster members can make up to a total of 30 attempts to synchronize PKI objects.

Action No recommended action

Message PKI: NSRP sync received normal item during cold sync.

Meaning During a cold sync operation between members of an NSRP cluster, the local NetScreen device received a PKI object that was not in the list of items being synchronized and stopped the current cold sync attempt. If one cold sync attempt is unsuccessful, the cluster members can make up to 29 more attempts to synchronize them.

The cold sync operation automatically synchronizes all PKI objects such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each.

Action No recommended action

Message PKI: The X.509 { certificate | certificate revocation list } cannot be loaded during NSRP synchronization.

Meaning During a cold sync of PKI objects between members of an NSRP cluster, the NSRP peer was unable to load either a certificate or a certificate revocation list (CRL).

Action Perform a manual file synchronization using either of the following CLI commands:

To synchronize all files: exec nsrp sync file from peer

To synchronize a specific file: exec nsrp sync file name name_str from peer

Message PKI: The certificate revocation list has expired, issued by certificate authority <name_str>.

Meaning The certificate revocation list (CRL) obtained from the specified certificate authority (CA) has expired.

Action Obtain a current CRL from the CA.

Message PKI: The { file name | friendly name of a certificate | vsys name } is too long <number1> to do NSRP synchronization, allowed <number2>.

Meaning A file name, a friendly name—that is, the user-defined name—for a certificate, or a virtual system (vsys) name contains a number of characters greater than the maximum allowed for NSRP synchronization.

The maximum number of characters for these three names are as follows:

• file name: 31

• friendly name: 7

• vsys name: 31

Action Reduce the number of characters that compose the name to fit within the prescribed limit.

Message PKI: The NSRP high availability synchronization <cmd_id> failed.

Meaning When one member of an NSRP cluster attempted a cold sync of its PKI objects with another member of the cluster, one of the following synchronization commands failed:

• 0x00010000: synchronize certificate files

• 0x00020000: synchronize RSA key files

• 0x00030000: synchronize DSA key files

• 0x00040000: synchronize deleted X.509 objects

• 0x00050000: synchronize the refreshed trust store

• 0x00060000: synchronize deleted CRLs

• 0x00070000: synchronize SCEP local certificates

• 0x00080000: synchronize SCEP CA certificates

• 0x00090000: synchronize added CA configurations

• 0x000A0000: synchronize deleted CA configurations

• 0x000B0000: synchronize added CRLs

• 0x000C0000: synchronize deleted RSA keys

• 0x000D0000: synchronize deleted DSA keys

The cold sync operation automatically synchronizes all PKI objects such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.

Action No recommended action

Message PKI: The device failed to coldsync the PKI object at <number> attempt.

Meaning During a cold sync operation between members of an NSRP cluster, the NetScreen devices were unable to synchronize a PKI object at the specified cold sync attempt.

The cold sync operation automatically synchronizes all PKI objects such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.

Action No recommended action

Message PKI: The device completed the coldsync of the PKI object at <%d> attempt.

Meaning NSRP cluster members were able to successfully complete a cold sync operation at the specified attempt. The operation synchronizes PKI objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.

Action No recommended action
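The cold sync behaviour described across the NSRP messages above (the sender announcing a total, items expected in PKI-table order, an attempt abandoned on an out-of-order item, a missing first item or a normal item arriving mid-sync, and a cap of 30 attempts) can be modelled as a small receiver state machine. The following Python is an added example, not ScreenOS code; it reproduces the documented message texts, and the exhausted-attempts case, for which the guide gives no message, is treated as an error in the model.

```python
from typing import List, Optional

BLOCK_SIZE = 30      # objects are transmitted in blocks of 30 items (per the guide)
MAX_ATTEMPTS = 30    # a cluster may make up to 30 cold sync attempts in total


class ColdSyncReceiver:
    """Model of the receiving side of an NSRP PKI cold sync.

    The sender first announces how many PKI objects to expect and then sends
    them in PKI-table order, numbered 1..total. Any departure from that order
    aborts the current attempt; the next start() counts as a new attempt.
    """

    def __init__(self) -> None:
        self.attempt = 0            # cold sync attempts used so far
        self.total = 0              # objects announced for the current attempt
        self.expected = 0           # next item number expected; 0 when idle
        self.log: List[str] = []    # messages the device would log

    @property
    def running(self) -> bool:
        return self.expected > 0

    def _emit(self, msg: str) -> str:
        self.log.append(msg)
        return msg

    def start(self, total: int) -> str:
        """Peer announces a cold sync of <total> objects (a new attempt)."""
        if self.attempt >= MAX_ATTEMPTS:
            # Assumption of this model: the guide documents no message here.
            raise RuntimeError("cold sync attempts exhausted")
        self.attempt += 1
        self.total = total
        self.expected = 1
        return self._emit(f"PKI: NSRP cold sync start for total of {total} items.")

    def _abort(self, reason: str) -> str:
        # Log the detection, mark the attempt failed and go idle; the caller
        # gets the detection message back for inspection.
        self._emit(reason)
        self.expected = 0
        self._emit(f"PKI: The device failed to coldsync the PKI object at {self.attempt} attempt.")
        return reason

    def receive_cold(self, number: int) -> Optional[str]:
        """Handle cold sync item <number>; returns the message it triggers, if any."""
        if not self.running:
            return None   # no cold sync in progress; ignored by the model
        if self.expected == 1 and number != 1:
            return self._abort(f"PKI: NSRP sync received cold sync item {number} without first item.")
        if number != self.expected:
            return self._abort(
                f"PKI: NSRP sync received cold sync item {number} out of order, "
                f"expect {self.expected} of {self.total}.")
        self.expected += 1
        if self.expected > self.total:
            self.expected = 0
            return self._emit(
                f"PKI: The device completed the coldsync of the PKI object at {self.attempt} attempt.")
        return None

    def receive_normal(self) -> Optional[str]:
        """An ordinary (non-cold-sync) PKI object arriving mid-sync aborts the attempt."""
        if not self.running:
            return None
        return self._abort("PKI: NSRP sync received normal item during cold sync.")


def block_of(number: int) -> int:
    """1-based transmission block that carries item <number>."""
    return (number - 1) // BLOCK_SIZE + 1


if __name__ == "__main__":
    # Constructed scenario: one out-of-order delivery, then a clean retry.
    rx = ColdSyncReceiver()
    rx.start(3)
    rx.receive_cold(1)
    rx.receive_cold(3)
    rx.start(3)
    for item in (1, 2, 3):
        rx.receive_cold(item)
    print("\n".join(rx.log))
```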

Message PKI: A configurable item SCEP mode has changed [ from <string1> to <string2> | from ‘none’ to <string1> | from <string1> to ‘none’ ].

Meaning An admin has changed the SCEP mode from one value to another, from “none” to the specified value, or from the specified value to “none.”

For example, an admin might change the mode for trusting a CA certificate received via the Simple Certificate Enrollment Protocol (SCEP) from auto to manual (0 to 1) or manual to auto (1 to 0).

To verify the integrity of a newly loaded CA certificate, you can compare its fingerprint (a hash of part of the certificate) with the hash of the same certificate available elsewhere (such as at the CA’s Web site). If the two hashes match, you can trust that its integrity is intact.

Until you have confirmed its integrity, you can determine whether to trust or distrust the CA certificate. When the SCEP mode is set to auto (0), the NetScreen device automatically trusts CA certificates received via SCEP. When the SCEP mode is set to manual (1), the NetScreen device distrusts them until you have confirmed their integrity and manually approved them (set pki auth <cert_id_number> scep authentication { failed | passed }).

Action No recommended action

Message PKI: X.509 { certificate | CRL } file has been loaded successfully, filename <filename>.

Meaning An admin has successfully loaded the PKI object—certificate or a certificate revocation list (CRL)—specified by the filename.

Action No recommended action

Message PKI: The RSA key length has changed from { 512 | 768 | 1024 | 2048 } to { 512 | 768 | 1024 | 2048 }.

Meaning An admin has changed the bit length of an RSA public/private key pair from the first value to the second value.

Action No recommended action

Message PKI: The X.509 certificate for the ScreenOS image authentication is invalid.

Meaning When an admin attempted to load an X.509 certificate to update the DSA key for authenticating the ScreenOS image, the NetScreen device determined the certificate file to be invalid.

In FIPS mode, the code image is digitally signed in the factory and authenticated by the signer’s public key when the system boots. The signer’s digital certificate (and hence, the accompanying public key) is loaded into the system by the save image-key tftp <ip_addr> <filename> command. This error happens when the system cannot decode the Distinguished Encoding Rule (DER)-encoded certificate received from the Trivial File Transfer Protocol (TFTP) server.

Action Check the name of the X.509 certificate or generate a new certificate.

Message PKI: The device failed to decode the public key of the image’s signer certificate.

Meaning When loading an X509 certificate for updating the DSA key that authenticates the ScreenOS image, the NetScreen device was unable to decode and load the public key within the X509 certificate.

Action Check the subject name of the certificate. Request another certificate.

Message PKI: The signature of the image’s signer certificate cannot be verified.

Meaning The public key failed to verify the signature of the image signer certificate received from the Trivial File Transfer Protocol (TFTP) server.

Action Check the signature of the image signer certificate.

Message PKI: The public key of image’s signer has been loaded successfully, for future image authentication.

Meaning An admin has successfully updated the DSA key that authenticates the ScreenOS image.

Action No recommended action

Message PKI: The device successfully generated a new { RSA | DSA } key pair.

Meaning The NetScreen device successfully generated an RSA or DSA public/private key pair.

Action No recommended action

Message PKI CRL: no revoke info, accept per config, DN <name_str>.

Meaning An admin has configured the NetScreen device to accept the certificate with the specified distinguished name even if it is not possible to check its current status in a certificate revocation list (CRL).

Action No recommended action

Message PKI: no cert revocation check per config, DN <name_str>.

Meaning An admin has configured the NetScreen device not to check a certificate revocation list (CRL) for the status of the certificate with the specified distinguished name. (Note: For security reasons, NetScreen recommends disabling CRL checking only for testing purposes.)

Action No recommended action

Message PKI: The device could not generate { RSA | DSA } key pair.

Meaning The NetScreen device was unable to generate an RSA or DSA public/private key pair.

Action Try generating the key pair again.

Message PKI: The device cannot load the CA certificate received through SCEP.

Meaning The NetScreen device was unable to load a certificate it received through the Simple Certificate Enrollment Protocol (SCEP) to RAM.

Action First, check that the CA certificate is valid by trying to open it. If you can open a certificate, it is valid. Also check the expiration date. If you cannot open the certificate or it has expired, it is invalid and you must request another one.

If the certificate is valid, reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.
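Several of the messages above record configuration changes that lower the trust the device places in peer certificates: the validation level dropping from full to partial, CRL signature verification going from 1 to 0, the SCEP mode moving to auto (0), and the per-certificate decisions to skip a revocation check or to accept a certificate without revocation information. The Python below is an added example (not part of the reference guide) that matches those message templates in a syslog feed and grades each one; the regexes, the numeric 1/0 form assumed for the SCEP mode value, and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Finding:
    severity: str       # "HIGH", "MEDIUM" or "INFO"
    summary: str
    dn: Optional[str]   # subject DN when the message names one
    line: str           # the raw log line that produced the finding


def _normalize(line: str) -> str:
    # The guide prints item names in typographic quotes; a captured log may
    # use either form, so fold both to a plain apostrophe before matching.
    return line.replace("\u2018", "'").replace("\u2019", "'").strip()


# Message templates as documented in the guide. Leading syslog fields
# (timestamp, device name) are not matched: search() finds the body anywhere.
_VALIDATION_LEVEL = re.compile(
    r"PKI: A configurable item 'default certificate validation level' field "
    r"has changed from '(?P<old>\w+)' to '(?P<new>\w+)'")
_CRL_SIG_CHECK = re.compile(
    r"PKI: A configurable item 'CRL's signature verification' field "
    r"has changed from '(?P<old>[01])' to '(?P<new>[01])'")
_SCEP_MODE = re.compile(  # assumed value form: 0 = auto, 1 = manual, or 'none'
    r"PKI: A configurable item SCEP mode has changed from '?(?P<old>[^\s'.]+)'? "
    r"to '?(?P<new>[^\s'.]+)'?")
_NO_REVOKE_CHECK = re.compile(
    r"PKI: no cert revocation check per config, DN (?P<dn>.+?)\.?$")
_NO_REVOKE_INFO = re.compile(
    r"PKI CRL: no revoke info, accept per config, DN (?P<dn>.+?)\.?$")


def classify(raw: str) -> Optional[Finding]:
    """Return a Finding for a PKI message that changes trust behaviour, else None."""
    line = _normalize(raw)

    m = _VALIDATION_LEVEL.search(line)
    if m:
        if m["new"] == "partial":
            return Finding("HIGH", "peer certificate validation reduced to the first CA only", None, raw)
        return Finding("INFO", "peer certificate validation restored to the full path", None, raw)

    m = _CRL_SIG_CHECK.search(line)
    if m:
        if m["new"] == "0":
            return Finding("HIGH", "DSS signature check on CRL content disabled", None, raw)
        return Finding("INFO", "DSS signature check on CRL content enabled", None, raw)

    m = _SCEP_MODE.search(line)
    if m:
        # Per the guide, auto (0) trusts CA certificates received via SCEP
        # without the admin comparing their fingerprint first.
        if m["new"] in ("0", "auto"):
            return Finding("HIGH", "CA certificates from SCEP now trusted automatically", None, raw)
        return Finding("INFO", "CA certificates from SCEP now need manual approval", None, raw)

    m = _NO_REVOKE_CHECK.search(line)
    if m:
        return Finding("MEDIUM", "CRL checking disabled for this certificate", m["dn"], raw)

    m = _NO_REVOKE_INFO.search(line)
    if m:
        return Finding("MEDIUM", "certificate accepted with unknown revocation status", m["dn"], raw)

    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line and keep only those that produced a finding."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log, not captured from a device.
SAMPLE_LOG = [
    "PKI: A configurable item ‘default certificate validation level’ field has changed from ‘full’ to ‘partial’.",
    "PKI: A configurable item ‘CRL’s signature verification’ field has changed from ‘1’ to ‘0’.",
    "PKI: A configurable item SCEP mode has changed from 1 to 0.",
    "PKI: no cert revocation check per config, DN CN=vpn-gw1,O=Example Corp.",
    "PKI: A configurable item ‘default certificate validation level’ field has changed from ‘partial’ to ‘full’.",
    "PKI: X.509 certificate file has been loaded successfully, filename gw1.cer.",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        where = f" ({finding.dn})" if finding.dn else ""
        print(f"{finding.severity:<6} {finding.summary}{where}")
```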

Message PKI: The device cannot load the X.509 local certificate received through SCEP.

Meaning The NetScreen device was unable to load the X.509 local certificate that it received through the Simple Certificate Enrollment Protocol (SCEP).

Action Attempt to load the certificate manually. If that fails, reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the certificate again. If there appears to be a severe memory problem or if your attempts continue to be unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The X.509 local certificate cannot be sync to vsd member.

Meaning The local NetScreen device in an NSRP cluster cannot synchronize a certificate acquired through the Simple Certificate Enrollment Protocol (SCEP) with another member in the NSRP cluster. If a failover occurs, the newly elected master might be unable to support the IPSec SA relying on this certificate.

Action Check that the internal ID numbers of PKI objects stored in both devices do not conflict. If the internal ID number for the local certificate on the device from which you want to synchronize files is in use for another PKI object on the peer, the synchronization fails. Enter the following command to check ID numbers on both devices (note that the internal ID number is listed in the second column in the output): get pki x509 list local.

If you find a conflict, delete the PKI object with the conflicting ID number on the device to which you want to synchronize files and synchronize files again with the following CLI command: exec nsrp sync file from peer.

Message PKI: The certificate <name_str> will expire, please renew.

Meaning The Simple Certificate Enrollment Protocol (SCEP) has notified the admin to renew the specified certificate because it is about to expire and the automatic renewal feature is not enabled.

Action Renew the certificate.

Message PKI: The certificate <name_str> will expire, auto renew.

Meaning The NetScreen device automatically submitted a renewal request for the specified certificate through the Simple Certificate Enrollment Protocol (SCEP) as prescribed by the renewal interval configuration.

Action No recommended action

Message PKI: The device cannot load a certificate pending SCEP completion.

Meaning An admin attempted to load a certificate still pending the completion of the Simple Certificate Enrollment Protocol (SCEP) process.

Action Wait for the SCEP procedure to complete before loading the certificate.

Message upgrade to 4.0, copy authcfg from global.

Meaning An admin upgraded the device to ScreenOS 4.0.0 from a previous version of ScreenOS. The configuration related to each Certificate Authority (CA) is now associated to each individual CA certificate.

Action No recommended action

Message PKI: The device is loading the version 0 PKI data.

Meaning The NetScreen device is loading a version of the certificate database that is earlier than the current version. This action can occur if the NetScreen device is an older model.

Action No recommended action

Message PKI: The device has failed to load an invalid X.509 object.

Meaning When loading X.509 objects (also referred to as PKI objects) from flash memory to RAM during bootup or during an NSRP cold sync operation, the NetScreen device detected an object whose recorded title was a different length from that of its current title.

Typical X.509 objects are certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.

Action If you have a list of all X.509 objects and can deduce the invalid object by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for the invalid object.

Message PKI: The device has detected invalid X.509 object content.

Meaning When loading X.509 objects (also referred to as PKI objects) from flash memory to RAM during bootup or during an NSRP cold sync operation, the NetScreen device detected an object whose recorded content was a different length from that of its current content. For example, invalid X.509 object content in a certificate revocation list (CRL) might have more entries recorded than it currently displays.

Typical X.509 objects are certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.

Action If you have a list of all X.509 objects and can deduce the invalid object by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for the invalid object.

Message PKI: The device cannot load the X.509 { certificate | certificate revocation list } during boot.

Meaning During device initialization, the NetScreen device was unable to load a certificate or certificate revocation list (CRL) stored in flash memory because the certificate or CRL had become corrupted.

Action If you have a list of all X.509 objects and can deduce the corrupted object by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for the corrupted certificate or CRL.

Message PKI: The device cannot extract the X.509 certificate revocation list.

Meaning The NetScreen device was unable to decode a certificate revocation list (CRL) it received from a certificate authority (CA).

Action Obtain another CRL from the certificate authority and reload it.

Message PKI: The device detected an invalid RSA key.

Meaning During bootup or an NSRP cold sync operation, the NetScreen device detected an invalid RSA public/private key pair, which it was unable to load to RAM from flash memory.

Action Generate a new RSA key pair.

Message PKI: The device failed to install the RSA key.

Meaning The NetScreen device unsuccessfully attempted to load an RSA key pair from a flash memory file to RAM.

Action Regenerate the RSA key pair.

Message PKI: The device detected an invalid digital signature algorithm (DSA) key.

Meaning The NetScreen device obtained the DSA key pair from a flash memory file but was unable to correct a corrupted portion of the file, and so failed to load the key pair to RAM.

Action Regenerate the DSA key pair.

Message PKI: failed to install DSA key.

Meaning The NetScreen device unsuccessfully attempted to load the Digital Signature Algorithm (DSA) key pair from a flash memory file to RAM.

Action Regenerate the DSA key pair.

Message PKI: The configuration content of certificate authority <name_str> is not valid.

Meaning The NetScreen device has loaded the configuration to flash memory but cannot decode it. This error occurred because a conversion failed in the flash memory.

Action Reenter the configuration settings for the certificate authority.

Message PKI: The device failed to save the certificate authority related configuration.

Meaning When loading a certificate authority (CA) configuration from a flash file to RAM, the NetScreen device was unable to save it.

Action Reenter the configuration information for the certificate authority.

Message PKI: The device has detected an invalid X.509 object attribute <number>.

Meaning The configuration type for one of the following X.509 objects (also referred to as PKI objects) is incorrect:

• 0x0000F001: CA certificate

• 0x0000F002: Local certificate

• 0x0000F004: RSA public/private key pair

• 0x0000F005: DSA public/private key pair

• 0x0000F009: Certificate revocation list (CRL)

• 0x0000F00A: Pending local certificate

• 0x0000F00B: Certificate authority configuration

Action If you have a list of all X.509 objects and can deduce the object with the invalid attribute by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for that object.

If a CA configuration attribute is invalid, manually reenter the configuration settings for that CA.

Message PKI: The device cannot find the PKI object <id_num> during cold sync.

Meaning When attempting to cold sync PKI objects between members of an NSRP cluster, the NetScreen device was unable to locate the specified object.

The cold sync operation automatically synchronizes all PKI objects such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.

Action No recommended action

Message PKI: The device failed to remove existing authority configuration when nsrp sync.

Meaning During a configuration synchronization between NSRP cluster members, the local NetScreen device did not replace the existing certificate authority (CA) configuration.

Action Perform a manual file synchronization using either of the following CLI commands:

To synchronize all files: exec nsrp sync file from peer

To synchronize a specific file: exec nsrp sync file name name_str from peer

Message PKI: The device cannot load the X.509 certificate file.

Meaning The NetScreen device cannot load a certificate from flash memory to RAM during bootup or an NSRP cold sync operation.

Action If you have a list of all X.509 objects and can deduce the corrupted certificate file by comparing that list with the output of the get pki x509 list { ca-cert | cert | local-cert | pending-cert } command, you can obtain a replacement for the corrupted certificate.

Message PKI: The device cannot load the X.509 certificate revocation list during boot.

Meaning During the bootup process, the NetScreen device was unable to load an X.509 certificate revocation list (CRL) from flash memory to RAM.

Action Obtain another CRL and reload it.

Message PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.

Meaning The NetScreen device cannot load an X.509 certificate revocation list (CRL) from a file in flash memory to RAM.

Action Obtain another CRL and reload it.

Message PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].

Meaning The device cannot decode the CRL stored in flash memory because the list has become corrupted.

Action Obtain and load a new CRL.

Message PKI: Upgrade from earlier version, save to file.

Meaning When an admin upgraded the ScreenOS image, the NetScreen device successfully assigned PKI objects with ID numbers in RAM and then saved the objects with their ID numbers to flash memory.

Action No recommended action

Message PKI: no nsrp sync for pre 2.5 objects.

Meaning When attempting to synchronize PKI objects between members of an NSRP cluster, the NetScreen device detected PKI objects stored on the device prior to ScreenOS 2.5.0. These objects cannot be synchronized.

Action Delete the pre-ScreenOS 2.5.0 objects and synchronize files again with the following CLI command: exec nsrp sync file from peer.

Message PKI: The device cannot load X.509 certificate onto the device, certificate <name_str>.

Meaning When loading a certificate onto the device, the device was unable to save the certificate to RAM.

Action First, check that the certificate is valid by trying to open it. If you can open a certificate, it is valid. Also check the expiration date. If you cannot open the certificate or it has expired, it is invalid and you must request another one.

If the certificate is valid, reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.

Meaning When synchronizing PKI objects between members of the same NSRP cluster, the local NetScreen device was unable to synchronize a DSA or RSA public/private key pair with another cluster member.

Action Check that the internal ID numbers of PKI objects stored in both devices do not conflict. If the internal ID number for the key pair on the device from which you want to synchronize files is in use for another PKI object on the peer, the synchronization fails. Enter the following command to check ID numbers on both devices (note that the internal ID number is listed in the second column in the output): get pki x509 list local.

If you find a conflict, delete the PKI object with the conflicting ID number on the device to which you want to synchronize files and synchronize files again with the following CLI command: exec nsrp sync file from peer.

Message PKI: no FQDN available when requesting certificate.

Meaning When the NetScreen device submitted a certificate request through the Simple Certificate Enrollment Protocol (SCEP), either the device was not configured with a fully qualified domain name (FQDN)—host name (or a cluster name if the device is in an NSRP cluster) plus domain name—or there was not an FQDN configured specifically for PKI purposes. SCEP requires an FQDN in all certificate requests.

Action Assign the NetScreen device a host name (or a cluster name if the device is in an NSRP cluster) and a domain name, and then resubmit the request. You can also set an FQDN for PKI purposes with the following CLI command: set pki x509 cert-fqdn <fqdn_string>.

Message loadCert: Cannot acquire authcfg for this CA cert <name_str>.

Meaning The device cannot acquire the auth configuration for the specified certificate authority (CA) certificate.

Action Manually reenter the configuration settings for this CA.

Message PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.

Meaning When attempting to perform a cold sync operation of PKI object files between the local NetScreen device and another member in its NSRP cluster, it was unable to synchronize a DSA or RSA public/private key pair.

The cold sync operation automatically synchronizes all PKI objects such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.

Action No recommended action

Message PKI: The device cannot load an X.509 certificate revocation list (CRL).

Meaning The NetScreen device was unable to load a CRL due to limited available RAM.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the CRL again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to retrieve the pending certificate <name_str>.

Meaning The NetScreen device was unable to retrieve a requested certificate (classified as pending) through the Simple Certificate Enrollment Protocol (SCEP).

Action Contact the CA, and request them to send the certificate again.

Message PKI: The device cannot allocate this object id number <id_num>.

Meaning An admin attempted to assign a PKI object the same ID number that was previously assigned to another PKI object.

Action Assign the object a different ID number or accept the ID number that the NetScreen device automatically assigns it.

Message PKI: X.509 certificate has been deleted, distinguished name <name_str>.

Meaning An admin or PKI process has removed an X.509 certificate with the specified distinguished name.

Action No recommended action

Message PKI: The CRL <id_num> is deleted.

Meaning An admin deleted the specified certificate revocation list (CRL).

Action No recommended action

Message PKI: The current device cannot retrieve the certificate revocation list using the HTTP protocol.

Meaning In attempting to verify that a certificate has not been revoked, the NetScreen device was unable to retrieve the certificate revocation list (CRL), which indicates whether a certificate is still valid, through the HyperText Transfer Protocol (HTTP).

Action Check that the NetScreen device has network connectivity to the server that contains the CRL.

Message PKI: The current device cannot successfully enroll a certificate using the SCEP & HTTP protocol.

Meaning Using the Simple Certificate Enrollment Protocol (SCEP) and the HyperText Transfer Protocol (HTTP), the NetScreen device was unable to retrieve a local certificate from a certificate authority (CA).

Action Check that the NetScreen device has network connectivity to the CA server that issues the local certificate. If not, contact the CA and arrange to obtain the certificate through a different method (such as an e-mail attachment), and then load the certificate manually on the NetScreen device.

Message PKI Verify Error: <id_num>:<text_str>

Meaning The NetScreen device has detected one of the following errors when verifying a certificate received from an IKE peer:

• 0: ok

• 2: unable to get issuer certificate

• 3: unable to get certificate CRL

• 4: unable to decrypt certificate's signature

• 5: unable to decrypt CRL's signature

• 6: unable to decode issuer public key

• 7: certificate signature failure

• 8: CRL signature failure

• 9: certificate is not yet valid

• 10: certificate has expired

• 11: CRL is not yet valid

• 12: CRL has expired

• 13: format error in certificate's notBefore field

• 14: format error in certificate's notAfter field

• 15: format error in CRL's lastUpdate field

• 16: format error in CRL's nextUpdate field

• 17: out of memory

• 18: self signed certificate

• 19: self signed certificate in certificate chain

• 20: unable to get local issuer certificate

• 21: unable to verify the first certificate

• 22: certificate chain too long

Action Take action as appropriate for the message received:

• 0: No recommended action

• 2: Load the CA certificate for the CA that issued the IKE peer’s certificate, or request the IKE peer to send a different certificate.

• 3: Obtain a certificate revocation list (CRL) from the IKE peer’s CA.

• 4: Notify the IKE peer that the signature on his or her certificate is invalid and advise him to investigate.

• 5: Reload the CRL.

• 6: Notify the IKE peer that the NetScreen device cannot decode the public key of the CA that issued the IKE peer’s certificate. Perhaps the peer needs to reload the CA’s certificate.

• 7: Notify the IKE peer that the NetScreen device cannot verify the signature on his or her certificate.

• 8: Reload the CRL, the CA certificate that verifies the CRL, or both.

• 9: Notify the IKE peer to use a different certificate because the one sent is not yet valid.

• 10: Notify the IKE peer to use a different certificate because the one sent has expired.

• 11: Obtain a different CRL because the one referenced is not yet valid.

• 12: Obtain a different CRL because the one referenced has expired.

• 13: Notify the IKE peer to use a different certificate because it is unclear if the one sent is valid yet.

• 14: Notify the IKE peer to use a different certificate because it is unclear if the one sent is still valid.

• 15: Obtain a different CRL because it is unclear when the CRL was last updated.

• 16: Obtain a different CRL because it is unclear when its next update is scheduled to occur.

• 17: Reboot the NetScreen device.

• 18: Request the IKE peer to use another certificate that is not self-signed.

• 19: Request the IKE peer to use another certificate that does not include a self-signed certificate in its certificate chain.

• 20: Load the CA certificate for the CA that issued the IKE peer’s certificate, or request the IKE peer to send a certificate chain containing the issuing CA’s certificate.

• 21: Notify the IKE peer that the NetScreen device was unable to verify the signature on his certificate and advise him to investigate.

• 22: Notify the IKE peer to use a shorter certificate chain.
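Codes 9 through 16 in the list above all come from the four time fields of the peer's certificate (notBefore, notAfter) and its CRL (lastUpdate, nextUpdate): a field that does not decode is a format error, a field that decodes but puts the clock outside the window is a not-yet-valid or expired condition. The Python below is an added illustration, not ScreenOS code; it parses the ASN.1 time encodings X.509 uses and returns the matching code from the table. The check order (certificate before CRL, format before window) and the dict-shaped input are assumptions.

```python
"""Added illustration, not ScreenOS code: reproduce PKI Verify Error codes
9-16 from the validity fields of a certificate and its CRL. Code numbers and
meanings are taken from the message table; the check order is assumed."""
import re
from datetime import datetime, timezone

# Verify error codes as listed in the PKI Verify Error table.
OK = 0
CERT_NOT_YET_VALID = 9      # certificate is not yet valid
CERT_EXPIRED = 10           # certificate has expired
CRL_NOT_YET_VALID = 11      # CRL is not yet valid
CRL_EXPIRED = 12            # CRL has expired
FMT_CERT_NOT_BEFORE = 13    # format error in certificate's notBefore field
FMT_CERT_NOT_AFTER = 14     # format error in certificate's notAfter field
FMT_CRL_LAST_UPDATE = 15    # format error in CRL's lastUpdate field
FMT_CRL_NEXT_UPDATE = 16    # format error in CRL's nextUpdate field

# X.509 encodes times as UTCTime (YYMMDDhhmmssZ) or GeneralizedTime
# (YYYYMMDDhhmmssZ); anything else is a format error.
_UTC_TIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_asn1_time(text):
    """Return an aware UTC datetime, or None if the field is malformed.

    UTCTime two-digit years 50-99 mean 1950-1999 and 00-49 mean 2000-2049
    (the RFC 5280 rule). A well-shaped but impossible date such as month 13
    is also a format error.
    """
    m = _UTC_TIME.match(text)
    if m:
        yy, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
        year = yy + (1900 if yy >= 50 else 2000)
    else:
        m = _GEN_TIME.match(text)
        if not m:
            return None
        year, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
    try:
        return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)
    except ValueError:
        return None


def verify_validity_windows(cert, crl, now):
    """Classify a certificate/CRL pair against the clock `now` (aware UTC).

    `cert` carries 'notBefore' and 'notAfter'; `crl` carries 'lastUpdate' and
    'nextUpdate', all as raw ASN.1 time strings. Returns the first applicable
    code: certificate fields first, then the CRL, and on each object a format
    error is reported before a window violation.
    """
    not_before = parse_asn1_time(cert["notBefore"])
    if not_before is None:
        return FMT_CERT_NOT_BEFORE
    not_after = parse_asn1_time(cert["notAfter"])
    if not_after is None:
        return FMT_CERT_NOT_AFTER
    if now < not_before:
        return CERT_NOT_YET_VALID
    if now > not_after:
        return CERT_EXPIRED

    last_update = parse_asn1_time(crl["lastUpdate"])
    if last_update is None:
        return FMT_CRL_LAST_UPDATE
    next_update = parse_asn1_time(crl["nextUpdate"])
    if next_update is None:
        return FMT_CRL_NEXT_UPDATE
    if now < last_update:
        return CRL_NOT_YET_VALID
    if now > next_update:
        return CRL_EXPIRED
    return OK


if __name__ == "__main__":
    # Constructed sample values with a fixed clock so the run is reproducible:
    # a certificate that is in date, paired with a CRL whose nextUpdate passed.
    clock = parse_asn1_time("040615120000Z")
    good_cert = {"notBefore": "040101000000Z", "notAfter": "050101000000Z"}
    stale_crl = {"lastUpdate": "040501000000Z", "nextUpdate": "040601000000Z"}
    print(verify_validity_windows(good_cert, stale_crl, clock))  # 12
```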

Message PKI: The device cannot create the X.509 object database table.

Meaning The NetScreen device was unable to create a database table in flash memory for X.509 objects (also referred to as PKI objects) such as certificate revocation lists (CRLs), key pairs, local certificates, certificate authority (CA) certificates, and CA configurations.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the X.509 object again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device has disabled the SCEP renewal process.

Meaning An admin has disabled the automatic certificate renewal option for the Simple Certificate Enrollment Protocol (SCEP).

Action No recommended action

Message PKI: The number of the X.509 object entries exceeds the limit for the platform. The maximum allowed is <number>.

Meaning The number of X.509 objects (also referred to as PKI objects) that the NetScreen device has attempted to store in its database is greater than the maximum limit (128). Typical X.509 objects are certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.

Action Free up space in the flash memory by removing obsolete or unused objects from the database.

Message PKI: The size of the CRL is too big to save to flash. Maximum <number> bytes.

Meaning The device cannot save the certificate revocation list (CRL) because it is too big. The maximum limit for storage space in flash memory is 20 kilobytes per CRL.

Action Remove the CRL from the certificate authority configuration, and then reboot the NetScreen device.

Message PKI: X.509 local certificate is not valid, certificate <name>.

Meaning While an admin attempted to load the specified local certificate into the NetScreen device, the device detected that it was invalid.

Action Obtain and load another certificate.

Message PKI: When building a certificate chain, the certificate at the top of the untrusted chain is not issued by the designated certificate authority.

Meaning The local NetScreen device designated a specific certificate authority (CA) for the remote peer to use during IKE negotiations. However, the peer sent a certificate chain with a different CA at the top of the chain.

Action Do either of the following:

• On the local NetScreen device, designate the CA that the peer used.

• Contact the remote IKE peer to use the CA that you prefer.

Message PKI: The subject name of the received CA certificate is <name_str>.

Meaning The NetScreen device has received a certificate authority (CA) certificate with the specified subject name.

Action No recommended action

Message PKI: The correct CA certificate should have subject name <name_str>.

Meaning The NetScreen device expected to receive a certificate authority (CA) certificate with the specified subject name, but the CA certificate had a different subject name instead.

Action No recommended action

Message PKI: The device cannot allocate memory to request an X.509 certificate.

Meaning When attempting to make an X.509 certificate request, the NetScreen device was unable to allocate RAM to generate the request in the standard PKCS #10 file format.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt the certificate request process again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device has received PKI error message <string>.

Meaning The NetScreen device generated one of the following messages:

• The NetScreen device has received an invalid X509 certificate.

• The return packet for an X509 certificate request is empty.

• The NetScreen device has received an invalid end entity (EE) certificate. (That is, an IPSec peer’s local certificate is invalid.)

• The NetScreen device has received an invalid CA certificate.

• The NetScreen device is unable to decode the issuer CA’s public key.

• The CA is not responding.

• The NetScreen device cannot find the issuer CA certificate for the CRL.

• The NetScreen device failed to retrieve the CRL.

• The NetScreen device cannot retrieve the CRL.

• The CRL contents are invalid.

• The NetScreen device checked the CRL signature and the signature failed the inspection.

• LDAP bind request has failed.

• LDAP operation has failed.

• LDAP server host name is empty.

• LDAP search operation has failed.

• LDAP modification: The del operation is not currently supported.

• LDAP modification: The add operation is not currently supported.

• PKI_CID_VERIFY_CERT_RSP. The peer’s public key cannot be decoded.

Action Check the LDAP and SCEP configurations on the NetScreen device and request the CA admin to check if the CA server is properly configured.

Message PKI: The device has changed the SCEP renewal interval to <number> days

Meaning An admin has changed the Simple Certificate Enrollment Protocol (SCEP) renewal interval to the indicated number of days. Using the SCEP renewal facility, the NetScreen device automatically submits a certificate renewal request to a certificate authority (CA) at the user-defined number of days before the current certificate expires.

Action No recommended action

Message PKI: The device has changed the SCEP polling interval from <number1> to <number2>.

Meaning An admin has changed the Simple Certificate Enrollment Protocol (SCEP) polling interval from the first value to the second. Using the SCEP polling facility, the NetScreen device automatically polls a certificate authority (CA) at the defined interval to check if a pending certificate is ready for automatic retrieval.

Action No recommended action

Message PKI: The distinguished name <name_str> for certificate request is invalid.

Meaning The NetScreen device has detected that the distinguished name in the certificate request is invalid.

A distinguished name is a concatenation of the following elements that together define the subject of the request: name, phone number, unit/department, organization, county/locality, state, country, e-mail address, and IP address.

Action Change one or more of the elements composing the distinguished name in the certificate request.

Message PKI: The device has detected invalid input parameters.

Meaning When trying to load a certificate or certificate revocation list onto the device, the device detected invalid settings on the certificate or CRL, and rejected the object.

Action First, check that the CA certificate is valid by trying to open it. If you can open a certificate, it is valid. Also check the expiration date. If you cannot open the certificate or it has expired, it is invalid and you must request another one.

If the PKI object is valid, open a console session with the NetScreen device, and do either of the following:

• Enter the get tech-support command, copy the output, and paste it in a text file.

• Enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command.

Then, attach the text file containing the tech-support output to an email message that describes the problem, and send it to techsupport@netscreen.com.

Message PKI: The keypair for certificate request is invalid.

Meaning The NetScreen device has detected that the RSA or DSA public/private key pair in the certificate request is invalid.

Action Regenerate the key pair.

Message PKI: The device cannot allocate memory for the challenge password during a certificate request.

Meaning When attempting to make a certificate request, the NetScreen device did not have enough available RAM to complete the challenge password validation operation.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to submit the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device cannot allocate memory for X.509 extensions during a certificate request.

Meaning When attempting to make a certificate request, the NetScreen device did not have enough available RAM to include X.509 extensions, which are additional information stored in the certificate.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to submit the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device cannot sign the X.509 request.

Meaning When attempting to generate a certificate request, the NetScreen device was unable to sign a hash of the request with its private key.

Action Reboot the NetScreen device and try again. If the problem persists, open a console session with the NetScreen device, and do either of the following:

• Enter the get tech-support command, copy the output, and paste it in a text file.

• Enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command.

Then, attach the text file containing the tech-support output to an email message that describes the problem, and send it to techsupport@netscreen.com.

Message PKI: The device cannot allocate memory to store keypair in certificate request.

Meaning When generating a PKCS #10 certificate request file, the NetScreen device was unable to allocate sufficient RAM to include the generated key pair in the file.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device has generated a certificate request in PKCS10 format.

Meaning The NetScreen device has successfully generated a PKCS #10 certificate request file.

Action No recommended action

Message Need X509_REQ.

Meaning When generating the SCEP_PKCSREQ packet during the Simple Certificate Enrollment Protocol (SCEP) process, the NetScreen device was unable to find the previously generated PKCS #10 certificate request.

Action Regenerate the certificate request, and begin the SCEP process again.

If the problem persists, open a console session with the NetScreen device, and do either of the following:

• Enter the get tech-support command, copy the output, and paste it in a text file.

• Enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command.

Then, attach the text file containing the tech-support output to an email message that describes the problem, and send it to techsupport@netscreen.com.

Message No memory to store certificate request.

Meaning The NetScreen device does not have sufficient RAM memory to store the certificate request in PKCS #10 format.

Action Enter the get memory command to see how much memory has been allocated and how much is still available. If the memory is low, reboot the NetScreen device and regenerate the certificate request.

If the problem persists, open a console session with the NetScreen device, and do either of the following:

• Enter the get tech-support command, copy the output, and paste it in a text file.

• Enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command.

Then, attach the text file containing the tech-support output to an email message that describes the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to convert the certificate request into a DER formatted file.

Meaning The NetScreen device unsuccessfully attempted to convert the format of a PKCS #10 certificate request to a Distinguished Encoding Rule (DER) formatted file.

Action Perform the certificate request conversion again.

Message PKI: The device failed to encode the certificate request into DER format.

Meaning The NetScreen device unsuccessfully attempted to encode a PKCS #10 certificate request in Distinguished Encoding Rule (DER) format.

Action Generate the certificate request again.

Message PKI: The device has no memory to store PKCS7 content data when requesting a certificate.

Meaning When submitting a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to allocate sufficient RAM to store the certificate request data in PKCS #7 (Cryptographic Message Syntax Standard) format.

Action Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to submit the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device has no memory to store the certificate issuer name.

Meaning When retrieving a certificate via the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to allocate sufficient RAM to store the name of the certificate issuer.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to retrieve the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message X509 certificate database is full.

Meaning The amount of available flash memory for X509 certificate storage has been consumed.

Action If possible, free up more memory in the certificate database by removing unneeded certificates, such as expired certificates.

Message PKI: The device has no memory to store PKCS7 content data when requesting a certificate.

Meaning When submitting a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to allocate sufficient RAM to store the certificate request data in PKCS #7 (Cryptographic Message Syntax Standard) format.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device cannot generate a self-signed X.509 certificate <name_str>.

Meaning When submitting a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to generate the specified self-signed X.509 certificate.

Action Check that the total number of certificates—CA and local certificates combined—does not exceed the maximum of 128. If the total is less than 128 and the problem persists, increase the available amount of RAM by deleting unused processes, and then attempt to submit the certificate again.

Message PKI: The device failed to set type of PKCS7 outer envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to create a PKCS #7 envelope in which to enclose the certificate request.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to add a signature to the PKCS7 outer envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to add a signature to the outer PKCS #7 envelope.

Two types of PKCS7 envelopes exist: an inner envelope, which contains the content of the certificate request, and an outer envelope, which encloses the inner envelope and contains envelope details.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device cannot encrypt the SCEP content data in an inner PKCS7 envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to encrypt the certificate request content within the inner PKCS #7 envelope.

Two types of PKCS7 envelopes exist: an inner envelope, which contains the content of the certificate request, and an outer envelope, which encloses the inner envelope and contains envelope details.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message PKI: The device failed to set the type of inner PKCS7 envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to define the type of the inner PKCS #7 envelope.

When submitting a certificate request via SCEP, the NetScreen device generates both an inner and outer envelope in PKCS #7 (Cryptographic Certificate Syntax Standard) format, and must specify the type of each PKCS #7 envelope.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to [email protected].

Message PKI: The device failed to create an inner PKCS7 envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to generate a PKCS #7 inner envelope in which to store the certificate request file.

When submitting a certificate request via SCEP, the NetScreen device generates both an inner and outer envelope in PKCS #7 (Cryptographic Certificate Syntax Standard) format.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to [email protected].

Message PKI: The device cannot sign the SCEP request in outer PKCS7 envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to add a signature to a PKCS #7 outer envelope to ensure the integrity of the request.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to [email protected].

Message PKI: The device cannot encrypt the data in outer PKCS7 envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to encrypt the data in a PKCS #7 outer envelope.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to [email protected].

Message PKI: The device failed to create an outer PKCS7 envelope.

Meaning When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to encapsulate a certificate request file in a PKCS #7 outer envelope.

When submitting a certificate request via SCEP, the NetScreen device generates both an inner and outer envelope in PKCS #7 (Cryptographic Certificate Syntax Standard) format.

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to submit the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to [email protected].

Message PKI: The SCEP certificate request has been completed successfully.

Meaning The NetScreen device successfully generated and submitted a certificate request through the Simple Certificate Enrollment Protocol (SCEP).

Action No recommended action

Message PKI: The device cannot decode SCEP content data in PKCS7 envelope.

Meaning The NetScreen device was unable to decode the content within a PKCS #7 envelope that it received through the Simple Certificate Enrollment Protocol (SCEP).

Action Contact the CA about the problem, and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message PKI: The device cannot decode the inner PKCS7 envelope.

Meaning The NetScreen device was unable to decode the PKCS #7 inner envelope that it received through the Simple Certificate Enrollment Protocol (SCEP).

Action Contact the CA about the problem, and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message PKI: The device received zero length SCEP content data.

Meaning When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, the length of the file that contained the content data was zero.

Action Contact the CA about the problem, and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message PKI: The device cannot decode an outer PKCS7 envelope of SCEP content data.

Meaning When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, it was unable to decode the data in the PKCS #7 outer envelope.

Action Contact the CA about the problem, and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message PKI: The device received empty SCEP content data.

Meaning When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, the file that normally contains the content data was empty.

Action Contact the CA about the problem, and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message PKI: The device cannot decrypt SCEP data in outer PKCS7 envelope.

Meaning When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, it was unable to decrypt the PKCS #7 outer envelope.

Action Contact the CA about the problem, and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message PKI: The device has a bad SCEP key pair.

Meaning When generating the submission of a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device detected an invalid public/private key pair.

Action Regenerate the key pair and attempt to submit the certificate request via SCEP again.

Message PKI: The device failed to process an SCEP response.

Meaning The NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, but was unable to process it.

Action Contact the certificate authority (CA) and request them to send another certificate. If the problem persists, contact NetScreen technical support.

Message PKI: The device received a SCEP_FAILURE message from the CA.

Meaning The CA has responded to a Simple Certificate Enrollment Protocol (SCEP) request with a SCEP_FAILURE message indicating that the X509 certificate request has been rejected.

Action Check the SCEP configuration on the NetScreen device. Regenerate the certificate request, and attempt to submit it to the CA through SCEP again. If you receive another failure message, contact the CA admin about the problem.

Message PKI: finger print of CA certificate rejected. DN <name_str>

Meaning The NetScreen device rejected the fingerprint, or hash digest, of the CA certificate containing the specified distinguished name (DN). The digest is used to verify the integrity of the certificate. If the digest that the NetScreen device produces does not match the digest that the peer sent, the content might have been altered between the creation of the two digests and thus cannot be trusted.

Action Contact the CA and request another CA certificate.

Message PKI: Empty certificate descriptor file.

Meaning No PKI objects exist in the NetScreen device. The certificate descriptor file—a kind of table of contents for PKI objects—is empty. This message appears after an admin has booted up a NetScreen device that does not contain any PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.

Action No recommended action

Message PKI: The device cannot verify the signature on CRL. Accept the CRL anyway as configured.

Meaning The NetScreen device has received and accepted a certificate revocation list (CRL)—even though it cannot verify the digital signature on the CRL—because the configuration instructs the device to ignore the results of the signature checking test.

Action No recommended action

Message PKI: The device cannot create a state for SCEP operation.

Meaning The NetScreen device was unable to create internal data to track the progress of a certificate request through the Simple Certificate Enrollment Protocol (SCEP).

Action Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to initiate the SCEP operation again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to [email protected].

Message failed to create PLDAP_STATE instance

Meaning The NetScreen device was unable to create an internal data structure called PLDAP_STATE.

Action This is an internal NetScreen system error and requires no action.

Message PKI: The device found the X.509 certificate in the local trust store, abort certificate request.

Meaning When making a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device detected that a certificate identical to the requested certificate already exists in a region inside the device known as the local trust store. Consequently, the NetScreen device aborted the certificate request.

Action Do not repeat the certificate request for that particular certificate.

PPPoE

The following messages relate to the configuration of Point-to-Point Protocol over Ethernet (PPPoE) connections.

Message PPPoE is { enabled | disabled } on <interface> interface

Meaning Point-to-Point Protocol over Ethernet (PPPoE) is enabled or disabled on the specified interface.

Action No recommended action

Message The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed

Meaning PPPoE parameters on the NetScreen device changed.

Action No recommended action

Message PPPoE Settings changed

Meaning PPPoE parameters on the NetScreen device changed.

Action No recommended action

Message PPPoE’s session closed by AC

Meaning The access concentrator to which the NetScreen device connects closed the PPPoE session.

Action No recommended action

Message AC <name_str> is advertising URL <string>

Meaning The access concentrator to which the NetScreen device connects is advertising the specified URL.

Action No recommended action

Message Message from AC <name_str>: <string>

Meaning The access concentrator to which the NetScreen device connects sent the specified message.

Action No recommended action

Message PPPoE session starts to negotiate

Meaning The PPPoE client on the NetScreen device begins to initiate a session with the PPPoE server.

Action No recommended action

Message PPPoE session has successfully established

Meaning The NetScreen device successfully established a PPPoE session with the PPPoE server.

Action No recommended action

Message The point-to-point over Ethernet (PPPoE) connection failed to establish a session: {PADI | PADR} timeout

Meaning The NetScreen device was unsuccessful in its attempt to establish a session with a PPPoE server because either the PPPoE Activate Discovery Initiate (PADI) or PPPoE Activate Discovery Request (PADR) timed out.

Action Increase the session timeout value.

Message The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: no IP address assigned

Meaning After attempting to establish a PPPoE session on the NetScreen device, the session failed and no IP address was assigned.

Action No recommended action

Message PPPoE failed to establish a session: { Service Name Error Tag | AC System Error Tag | Generic Error Tag } received

Meaning The PPPoE session was unable to establish a session due to an incorrect service tag or AC system tag, or other error.

Action Report the problem to NetScreen.

Message PPPoE failed to establish a session: LCP, CHAP/PAP, IPCP link setup

Meaning The PPPoE session was unable to establish a session during PPP.

Action Check PPPoE configuration parameters, including the user name and password.

Message The point-to-point over Ethernet (PPPoE) connection failed to establish a session: <string> received

Meaning The PPPoE connection was unable to create a session. A message string was received.

Action No recommended action

Message PPPoE session shuts down: by user

Meaning A user terminated the Point-to-Point Protocol over Ethernet (PPPoE) session on the NetScreen device.

Action No recommended action

Message PPPoE session shuts down: idle timeout

Meaning The PPPoE session has been idle for the specified idle timeout so the session has shut down.

Action No recommended action

Message PPPoE session shuts down: PPPoE disabled

Meaning PPPoE is disabled so the session has shut down.

Action No recommended action

Message PPPoE session shuts down: System reset

Meaning The device has been reset so the session has shut down.

Action No recommended action

Policy

The following messages relate to the configuration of access policies.

Message Policy (<id_num>, { <zone1> -> <zone2> | global }, <src_addr> -> <dst_addr>, <svc_name>, { permit | deny | tunnel }) was { added | modified | deleted | enabled | disabled } by admin <name_str>

Meaning An admin has added, modified, deleted, enabled, or disabled an access policy with the following attributes:

• <id_num> – The ID number of the access policy.

• <zone1> – The zone from which traffic originates.

• <zone2> – The zone to which traffic travels.

• <src_addr> – The name of the source address from which the traffic is sent. (Note: If the source address appears as NULL Name, an error has occurred and the NetScreen device cannot find the source address name.)

• <dst_addr> – The name of the destination address to which the traffic is sent. (Note: If the destination address appears as NULL Name, an error has occurred and the NetScreen device cannot find the destination address name.)

• <svc_name> – The kind of traffic (such as HTTP, FTP, or ANY—which means all kinds of traffic)

• The action that the NetScreen device takes when this policy matches traffic received:

- Permitting traffic to pass
- Denying traffic
- Tunneling traffic through a VPN tunnel

Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Policy <id_num1> has been moved { before | after } <id_num2> by admin <name_str>

Meaning An admin (<name_str>) has exchanged the positions of the two specified policies (<id_num1> and <id_num2>).

Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Policy (<id_num>, global, <src_addr> -> <dst_addr>, <svc_name>, { permit | deny | tunnel }) was added

Meaning A policy name was added to the current device.

Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Device’s default policy has been changed from { enabled | disabled } to { disabled | enabled } by admin <name_str>

Meaning The default policy has been changed from enabled to disabled or from disabled to enabled.

Action Confirm that the action was appropriate, and performed by an authorized admin.

Routing

The following messages relate to routing configurations.

Message A new route cannot be added to the device because the maximum number of system route entries <number> has been exceeded

Meaning An administrator attempted to exceed the system-wide maximum number of routes. Once the number of routes equals this maximum number, the NetScreen device cannot receive any new routes.

Action Remove obsolete or unused routes from the route table to create room for new routes.

Message A route <ip_addr>/<mask> cannot be added to the virtual router <vrouter> because the number of route entries in the virtual router exceeds the maximum number of routes <number> allowed

Meaning Each virtual router has a route table that stores all learned or added routes that the router can reference for sending data to the destination addresses. Each route table has a maximum amount of routes that it can store. Once the number of routes stored in the route table equals the maximum amount allowed, the virtual router cannot learn any new routes. By attempting to accept another route after its route table maximum had been reached, the virtual router reports that it rejected the submission of the current route.

Action Remove obsoleted or unused routes from the route table to create room to add new routes to the virtual router, or set a higher value for the maximum allowable routes in the virtual router.

Message Route(s) in virtual router <vrouter> with an IP address <ip_addr>/<mask> and gateway <ip_addr> has been deleted

Meaning The route in the specified virtual router with the specified IP address/netmask and gateway address is deleted.

Action No recommended action

Message A route in virtual router <vrouter> that has IP address <ip_addr>/<mask> through interface <interface> and gateway <ip_addr> with metric <number> has been created

Meaning A route is created in the specified virtual router with the specified IP address/netmask, interface, gateway address, and metric.

Action No recommended action

Message A route has been created in virtual router <vrouter1> with an IP address <ip_addr>/<mask> and next-hop as virtual router <vrouter2>

Meaning A route is created in the specified virtual router with the specified IP address/netmask and next-hop virtual router.

Action No recommended action

Message An import | export rule in virtual router <vrouter1> to virtual router <vrouter2> with IP-prefix <ip_addr>/<mask> has been created | removed

Meaning An administrator successfully set or unset the identified rule for importing or exporting routes on the specified virtual routing instance.

Action No recommended action

Message An import | export rule in virtual router <vrouter1> to virtual router <vrouter2> with route-map <id_num> and protocol <name_str> has been created | removed

Meaning An administrator has successfully set or unset a rule from a specified route map for a specified protocol on a virtual router.

Action No recommended action

Message A sharable virtual router using name <vrouter> and id <id_num> has been created

Meaning An admin created the identified virtual router on the routing domain on the NetScreen device.

Action No recommended action

Message The auto-route-export feature in virtual router <vrouter> has been enabled

Meaning An admin has initiated auto-exporting for the current virtual router. Auto-exporting is the process of automatically exporting routes from one virtual routing instance to another.

Action No recommended action

Message The maximum number of routes that can be created in virtual router <vrouter> is <number>

Meaning An admin has set the maximum number of routes that can be set for the current virtual router. Once the number of routes in the route table equals this maximum number, the router cannot learn any new routes.

Action No recommended action

Message The router-id that can be used by OSPF, BGP routing instances in virtual router <vrouter> has been set to <id_num>

Meaning An admin set the router ID for the specified virtual router.

Action No recommended action

Message The routing preference for protocol <name_str> in virtual router <vrouter> has been set to <number>

Meaning An admin has set a local preference parameter for the specified protocol for the virtual router. The local preference parameter specifies the desirability of a path. The higher the value, the more desirable the path.

Action No recommended action

Message The virtual router <vrouter> has been made default virtual router for virtual system <name_str>

Meaning An admin specified the default virtual router for the specified virtual system.

Action No recommended action

Message The virtual router <vrouter> has been made sharable

Meaning An admin designated the current virtual router sharable by other entities in the network.

Action No recommended action

Message The system default-route through virtual router <vrouter1> has been added in virtual router <vrouter2>

Meaning The default route used in a specified virtual router has been added to another specified virtual router. By default, the address of the default route is 0.0.0.0, although this address can be modified. This route can be used by another virtual routing instance.

Action No recommended action

Message The auto-route-export feature in virtual router <vrouter> has been disabled

Meaning An admin has turned off auto-exporting for the current virtual router. Auto-exporting is the process of automatically exporting routes from one virtual router to another.

Action No recommended action

Message The maximum routes limit in virtual router <vrouter> has been removed

Meaning An admin has unset the maximum number of routes that can be set for the current virtual router, returning it to the default value. Once the number of routes in the route table equals this maximum number, the router cannot learn any new routes.

Action No recommended action

Message The router-id of virtual router <vrouter> used by OSPF, BGP routing instances id has been uninitialized

Meaning An admin uninitialized the router ID. The router ID is a value that identifies the router as a distinct entity on the network.

Action No recommended action

Message The routing preference for protocol <name_str> in virtual router <vrouter> has been reset

Meaning The local preference parameter specifies the desirability of a path to an autonomous system. The higher the value, the more desirable the path. An admin has unset a previously set local preference value for the specified virtual routing instance, returning the value to its default setting.

Action No recommended action

Message The virtual router <vrouter> has been made unsharable

Meaning An admin designated the current virtual routing instance as unsharable by other entities in the network.

Action No recommended action

Message The system default-route in virtual router <vrouter> has been removed

Meaning An admin has deleted the default route in the specified virtual router.

Action No recommended action

Message The virtual router <vrouter> has been made sharable

Meaning An admin designated the current virtual router as sharable by the root and virtual systems.

Action No recommended action

Message A virtual router with name <vrouter> and id <id_num> has been removed

Meaning An admin removed the specified virtual router.

Action No recommended action

Schedule

The following messages relate to schedules created for use in access policies.

Message Schedule <name_str> has been { added | modified | deleted }.

Meaning An admin has added, modified, or deleted the specified schedule.

Action No recommended action

SCS

The following messages relate to the secure command shell (SCS) utility on the NetScreen device. SCS is compatible with secure shell (SSH™), which provides a method for an admin (SSH client) to securely access a NetScreen device (SCS server) remotely over unsecured channels to manage it via the CLI.

Message SCS: NetScreen device failed to identify itself to the SSH client at <ip_addr>:<port_num>.

Meaning The NetScreen device, acting as the SCS server, failed to identify itself to the specified SSH client during the SCS connection procedure. This most likely is the result of a low-level internal processing error.

Action Advise the SSH admin user to initiate another connection with the device. If the problem persists, reset the NetScreen device and have the SSH user try again.

Message SCS: NetScreen device failed to authenticate the SSH client at <ip_addr>:<port_num>.

Meaning The NetScreen device, acting as the SCS server, was unable to authenticate the specified SSH client during the SCS connection procedure.

Action Advise the SSH admin user to verify that the SSH client software is configured correctly and is using a cipher that the NetScreen device supports—DES and 3DES.

Message SCS: Incompatible SSH version <version_string> has been received from the SSH client at <ip_addr>:<port_num>.

Meaning The NetScreen device, acting as the SCS server, has received an incompatible version of the SSH protocol from the specified SSH client during the SCS connection procedure.

Action Advise the SSH user to run SSH version 1 for compatibility with a NetScreen device.

Message SCS: Unable to validate cookie from the SSH client at <ip_addr>:<port_num>.

Meaning The specified SSH client sent an invalid cookie during the SCS connection procedure.

Action An attempted security attack might be in progress. First, validate the source of the connection attempt. If you repeatedly receive this message, you might want to disable SCS until you determine the cause.

Message SCS: Failed to retrieve PKA key bound to SSH user <user_name>. (Key ID=<id_num>)

Meaning The NetScreen device unsuccessfully attempted to retrieve the specified PKA key bound to the specified admin user attempting to log in using SCS.

Action Contact NetScreen technical support.

Message SCS: Failed to { bind | unbind } PKA key { to | from } SSH user <user_name>. (Key ID=<id_num>)

Meaning An admin unsuccessfully attempted to bind or unbind the specified PKA key to the specified admin user.

Action If binding is the problem, it might be that the specified PKA key is already bound to the specified admin user or that four PKA keys (the maximum) are already bound to him or her. In the latter case, you must first unbind one of the other keys from the user before binding the new one.

If unbinding is the problem, verify that the specified key is actually bound to the specified admin user.

Message SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user <user_name> at <ip_addr>:<port_num>. (Key ID=<id_num>)

Meaning The NetScreen device, acting as the SCS server, failed to generate a PKA RSA challenge for the specified SSH user during the SCS connection procedure. The challenge requires the SSH user to respond with an appropriate password to complete the authentication process.

Action Check that the SSH user has the PKA RSA public key (bound to that user on the NetScreen device) loaded on the SSH client. Also check that the user has configured the client to specify the identity file containing that PKA RSA public key during the log in process.

Message SCS: Failed to send identification string to client host at <ip_addr>:<port_num>.

Meaning The NetScreen device, acting as the SCS server, failed to identify itself or send the identification string to the specified SSH client during the SCS connection procedure. This most likely is the result of a low-level internal processing error.

Action Advise the SSH admin user to initiate another connection with the device. If the problem persists, reset the NetScreen device and have the SSH user try again.

Message SCS: Failed to retrieve host key

Meaning The NetScreen device unsuccessfully attempted to retrieve the specified PKA key bound to the client host.

Action Contact NetScreen technical support.

Message SCS: Failed to remove PKA key removed.

Meaning The NetScreen device unsuccessfully attempted to remove the specified PKA key.

Action Contact NetScreen technical support.

Message SCS: FIPS self test failed

Meaning The NetScreen device unsuccessfully performed a FIPS self test during the SCS connection procedure.

Action Contact NetScreen technical support.

Message SCS: Unable to perform FIPS self test

Meaning The NetScreen device unsuccessfully attempted to perform a FIPS self test during the SCS connection procedure.

Action Contact NetScreen technical support.

Message SCS: Unsupported cipher type <name_str> requested from: <ip_addr>:<port_num>

Meaning The specified SSH client attempted to make an SCS connection to the NetScreen device but failed because it requested a cipher not supported by the NetScreen device.

Action Recommend that the SSH client reconfigure its request, using a cipher supported by the NetScreen device—DES and 3DES—and then attempt another SCS connection.

Message SCS: Maximum number for SCS sessions <number> has been reached. Connection request from SSH user at <ip_addr>:<port_num> has been denied.

Meaning The maximum number of concurrent SCS sessions is five. Because five SCS connections are currently active, the NetScreen device has denied the connection request from the specified SSH user.

Action Advise the admin user to wait for one of the currently active sessions to close before attempting another SCS connection.

Message SCS: SSH client at <ip_addr>:<port_num> has failed to make an SCS connection to vsys <name_str> because SCS cannot generate the host and server keys before timing out.

Meaning The SCS utility was unable to generate the host and server keys for the specified virtual system on the NetScreen device before the connection request timed out.

Action Recommend that the SSH client wait one minute and then attempt another SCS connection.

Warning

Message SCS: SSH user <user_name> at <ip_addr>:<port_num> has failed the PKA RSA challenge.

Meaning The specified SSH user has failed the Public Key Authentication (PKA) process while attempting to make an SCS connection to the NetScreen device.

Action It is possible that the SSH user selected the wrong PKA key during the log in process. Compare the fingerprint for the PKA key bound to the SSH user and the fingerprint that the SSH user is using to see if they match.

Message SCS: SCS has been { enabled | disabled } for <name_str> with <number> existing PKA keys already bound to <number> SSH users.

Meaning An admin has enabled or disabled SCS for the specified virtual system with the specified number of Public Key Authentication (PKA) keys for the specified number of SSH users.

Note that this message only appears if PKA keys are already bound to SSH users in the specified system when SCS is enabled or disabled.

Action If you disable SCS, review the PKA keys to see if you need to keep or discard them. A large number of keys can consume considerable memory space, which you can reclaim by discarding the unused keys. Also, because SSH clients can no longer log in, you might consider notifying remote admins running unmanned scripts via their SSH connections.

If you enable SCS, after having disabled it earlier, review all the PKA keys and delete any for which you cannot account. Because anyone who has one of the PKA keys can access the NetScreen device, you must ensure that the NetScreen device is only storing keys for valid admins.

Message SCS: SSH user <name> at <ip_addr>:<port_num> has requested password authentication, which is not enabled for that user.

Meaning While attempting to make an SCS connection to the NetScreen device, the specified SSH user requested an authentication mode—password or PKA RSA—that had not been configured for that user.

Action Enable the requested authentication method on the NetScreen device or reconfigure the SSH client application to use the method already enabled on the NetScreen device.

Message SCS: SSH user <name> at <ip_addr>:<port_num> has requested PKA RSA authentication, which is not supported for that client.

Meaning While attempting to make an SCS connection to the NetScreen device, the specified SSH user requested an authentication mode—password or PKA RSA—that had not been configured for that user.

Action Enable the requested authentication method on the NetScreen device or reconfigure the SSH client application to use the method already enabled on the NetScreen device.

Message SCS: SSH user <name> at <ip_addr>:<port_num> has unsuccessfully attempted to log in via SCS to <name_str> using the shared untrusted interface because SCS is disabled on that interface.

Meaning The specified SSH user failed to make an SCS connection to the specified virtual system, which shares the untrusted interface with the root system.

Action Because the NetScreen device uses the host and server keys of the root system—not those of the virtual system—when sharing the untrusted interface, make sure that the SSH client has the public host key of the root system loaded on its system.

To allow SCS management of a virtual system sharing the untrusted interface with the root system, make sure that SCS is enabled at the root level.

(Optional) Create a separate untrusted subinterface for that virtual system and enable SCS manageability on its untrusted subinterface.

Message SCS: Max <number> sessions reached, unabel to accept connection : <ip_addr>:<port_num>

Meaning The maximum number of concurrent SCS sessions is five. Because five SCS connections are currently active, the NetScreen device has denied the connection request from the specified SSH user.

Action Advise the admin user to wait for one of the currently active sessions to close before attempting another SCS connection.

Message SCS: Disabled for <name_str>. Attempted connection failed from <ip_addr>:<port_num>

Meaning The specified SSH client has attempted to make an SCS connection to the specified virtual system. However, because SCS is not enabled for that virtual system, the attempt was unsuccessful.

Action If you want the SSH client to be able to access the specified virtual system via SCS, enter that virtual system and enable SCS manageability.

Message SCS: SSH user <user_name> at <ip_addr>:<port_num> cannot log in via SCS to <name_str> using the shared untrusted interface because SCS is disabled.

Meaning The specified SSH user has failed to make an SCS connection to the specified virtual system, which shares the untrusted interface with the root system. When SCS is disabled at the root level, it disables SCS manageability for all virtual systems that share the untrusted interface.

Note: This message only appears in the event log of the virtual system to which the SSH user attempted to connect.

Action To allow an SCS connection to a virtual system sharing the untrusted interface with the root system, make sure that SCS is enabled at the root level.

(Optional) Create a separate untrusted subinterface for that virtual system and enable SCS manageability on its untrusted subinterface.

Message SCS: SSH client at <ip_addr1> has attempted to make an SCS connection to interface <interface> with IP <ip_addr2> but failed because SCS is not enabled for that interface.

Meaning The specified SSH client has attempted to make an SCS connection to the NetScreen device at the specified interface. However, because SCS was not enabled on that interface, the attempt was unsuccessful.

Action If you want the SSH client to be able to access the device on the specified interface via SCS, enable SCS manageability for that interface.

Notification

Message SCS: SSH client at <ip_addr>:<port_num> has attempted to make an SCS connection to vsys <name_str> but failed because SCS was not completely initialized for that system.

Meaning The SCS utility was unable to generate the host and server keys for the specified virtual system on the NetScreen device before the connection request timed out.

Action Recommend that the SSH client wait one minute and then attempt another SCS connection.

Message SCS: Host client has requested NO cipher from <name_str>

Meaning The host client has requested that no encryption algorithm be used for the SCS message exchange.

Action The SSH client should reconfigure its request, using a cipher algorithm supported by the NetScreen device, to make the connection more secure.

Message SCS: SCS has been { enabled | disabled } for { <name_str> | root system }.

Meaning An admin has enabled or disabled SCS for the specified virtual system or root system.

Action No recommended action

Message SCS: Key regeneration interval has been changed from <number1> to <number2>.

Meaning An admin has changed how often (in seconds) the NetScreen device generates a new SCS server key.

Action No recommended action

Message SCS: SSH user <usr_str> has been authenticated using password from <ip_addr>:<port_num>.

Meaning The specified SSH user has logged in to the NetScreen device from the specified IP address and port number via SCS and authenticated himself or herself using a password.

Action No recommended action

Message SCS: SSH user <usr_str> has been authenticated using PKA RSA from <ip_addr>:<port_num>. (key-ID=<key_id_num>)

Meaning The specified SSH user has logged in to the NetScreen device from the specified IP address and port number via SCS and authenticated himself or herself using Public Key Authentication (PKA). The user specifies the key ID number for the RSA key pair bound to that client and used for SCS authentication.

Action No recommended action

Message SCS: PKA key has been { bound to | unbound from } admin user <user_name>. (Key ID = <id_num>)

Meaning The root admin has either bound the RSA public key with the specified key ID number to the named admin user, or unbound the key from him or her. The admin user uses this key to authenticate himself or herself via Public Key Authentication (PKA) when making an SCS connection to the NetScreen device.

Action No recommended action

Message SCS: Connection has been terminated for admin user <name_str> at <ip_addr>:<port_num>

Meaning Either the SSH client or the NetScreen device has terminated the SCS connection for the specified admin user.

Action No recommended action
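The SCS messages above give a defender two things to act on: repeated PKA or authentication-method failures from one client address, and the PKA key bindings that the Warning-section Action says to review whenever SCS is re-enabled. The following script is an added example, not code from the NetScreen guide: it matches event-log lines against the SCS message templates listed above, counts rejected attempts per client IP, notes a successful login from an address that had already failed, and compares the key bindings still active at the end of the log against an allowlist of expected (admin user, key ID) pairs. The sample lines and their timestamp/severity prefix are constructed for the example; the device's real syslog framing is not shown on this page, so adjust the prefix handling to your collector.

```python
"""Triage of ScreenOS SCS event-log lines (added example, not NetScreen code).

The regular expressions follow the SCS message templates listed above; the
timestamp/severity framing of the sample lines is constructed and is not the
device's real syslog framing.
"""
import re
from collections import Counter, defaultdict

# Message templates from the SCS Error/Warning/Notification sections, with the
# <ip_addr>:<port_num>-style placeholders turned into named capture groups.
SCS_PATTERNS = {
    "pka_failed": re.compile(
        r"SCS: SSH user (?P<user>\S+) at (?P<ip>[\d.]+):(?P<port>\d+) "
        r"has failed the PKA RSA challenge"),
    "method_not_enabled": re.compile(
        r"SCS: SSH user (?P<user>\S+) at (?P<ip>[\d.]+):(?P<port>\d+) "
        r"has requested (?P<method>password|PKA RSA) authentication, which is not"),
    "bad_cipher": re.compile(
        r"SCS: Unsupported cipher type (?P<cipher>\S+) requested from: "
        r"(?P<ip>[\d.]+):(?P<port>\d+)"),
    "auth_ok": re.compile(
        r"SCS: SSH user (?P<user>\S+) has been authenticated using "
        r"(?P<method>password|PKA RSA) from (?P<ip>[\d.]+):(?P<port>\d+)"),
    "key_binding": re.compile(
        r"SCS: PKA key has been (?P<action>bound to|unbound from) admin user "
        r"(?P<user>\S+)\. \(Key ID = (?P<key_id>\d+)\)"),
}


def parse_scs_events(lines):
    """Yield (kind, fields) for each line matching one of the SCS templates."""
    for line in lines:
        for kind, rx in SCS_PATTERNS.items():
            m = rx.search(line)
            if m:
                yield kind, m.groupdict()
                break


def analyze_scs_log(lines, failure_threshold=3, expected_keys=None):
    """Summarise SCS authentication activity and PKA key bindings.

    expected_keys, if given, is a set of (admin_user, key_id) pairs that are
    supposed to be bound; any other binding still active at the end of the log
    is reported for review, as the Action for re-enabling SCS advises.
    """
    failures = Counter()            # client IP -> rejected or failed attempts
    success_after_failure = []      # (user, method, ip) logins after a failure
    bound = defaultdict(set)        # admin user -> key IDs currently bound
    for kind, f in parse_scs_events(lines):
        if kind in ("pka_failed", "method_not_enabled", "bad_cipher"):
            failures[f["ip"]] += 1
        elif kind == "auth_ok":
            if failures[f["ip"]]:
                success_after_failure.append((f["user"], f["method"], f["ip"]))
        elif kind == "key_binding":
            if f["action"] == "bound to":
                bound[f["user"]].add(f["key_id"])
            else:
                bound[f["user"]].discard(f["key_id"])
    unexpected = []
    if expected_keys is not None:
        unexpected = sorted((u, k) for u, ks in bound.items() for k in ks
                            if (u, k) not in expected_keys)
    return {
        "failures": dict(failures),
        "flagged_ips": sorted(ip for ip, n in failures.items() if n >= failure_threshold),
        "success_after_failure": success_after_failure,
        "bound_keys": {u: sorted(ks) for u, ks in bound.items() if ks},
        "unexpected_keys": unexpected,
    }


# Constructed sample log: message bodies follow the templates above, the
# "<date> <time> <severity>" prefix is an assumption made for this example.
SCS_SAMPLE_LOG = [
    "2003-05-12 09:00:01 warning SCS: SSH user alice at 10.1.1.5:40212 has failed the PKA RSA challenge.",
    "2003-05-12 09:00:04 warning SCS: SSH user alice at 10.1.1.5:40213 has failed the PKA RSA challenge.",
    "2003-05-12 09:00:09 warning SCS: SSH user root at 10.1.1.5:40214 has requested password authentication, which is not enabled for that user.",
    "2003-05-12 09:00:15 error SCS: Unsupported cipher type arcfour requested from: 10.1.1.5:40215",
    "2003-05-12 09:01:02 notification SCS: SSH user alice has been authenticated using PKA RSA from 10.1.1.5:40216. (key-ID=3)",
    "2003-05-12 09:30:00 notification SCS: SSH user bob has been authenticated using password from 10.1.2.9:51000.",
    "2003-05-12 10:00:00 notification SCS: PKA key has been bound to admin user alice. (Key ID = 3)",
    "2003-05-12 10:00:05 notification SCS: PKA key has been bound to admin user alice. (Key ID = 7)",
    "2003-05-12 10:01:00 notification SCS: PKA key has been unbound from admin user alice. (Key ID = 7)",
    "2003-05-12 10:02:00 notification SCS: PKA key has been bound to admin user carol. (Key ID = 9)",
]

if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze_scs_log(SCS_SAMPLE_LOG, expected_keys={("alice", "3")}))
```

A successful PKA login from an address that had just produced several failures is not by itself an incident (the Warning-section Action notes the user may simply have picked the wrong key first), but it is the case worth a second look, which is why it is reported separately from the raw failure count.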

SERVICE

The following messages relate to user-defined and predefined services, and service groups.

Notification

Message Service <serv_name> has been { added | modified | deleted }

Meaning An admin has added, modified, or deleted the specified user-defined service.

Action No recommended action

Message Service group <grp_name> has been { added | deleted | modified }

Meaning An admin has added, modified, or deleted the specified service group.

Action No recommended action

Message Service group <grp_name> has { added member <serv_name> | deleted member }

Meaning An admin has added the specified service to or deleted a service from the named service group.

Action No recommended action

Message Service group <grp_name> comments have been modified.

Meaning An admin has modified the comments for the specified service group.

Action No recommended action

Message Service group <grp_name1> group name has been changed to <grp_name2>.

Meaning An admin has changed the name of the service group.

Action No recommended action

SNMP

The following messages pertain to the Simple Network Management Protocol (SNMP).

Emergency

Message SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in three seconds.

Meaning An admin has restored the user-configured SNMP listen port number to the default SNMP listen port number (161). The port number assignment takes three seconds to go into effect.

Action Advise the SNMP admin to change the port number on the SNMP manager at which the management station makes SNMP requests.

Message SNMP listen port has been changed from <port_num1> to <port_num2>. This change goes into effect in three seconds.

Meaning An admin has changed the user-configured SNMP listen port number to another user-configured port number. The change of port number assignments takes three seconds to go into effect.

Action Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP requests.

Notification

Message SNMP trap port has been changed from <port_num1> to port <port_num2>. This change goes into effect in three seconds.

Meaning An admin has changed the user-configured SNMP trap port number.

Action Advise the SNMP admin to change the port number on the SNMP manager at which it receives SNMP traps.

Message SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in three seconds.

Meaning An admin has restored the user-configured SNMP listen port number to the default SNMP listen port number (161). The port number assignment takes three seconds to go into effect.

Action Advise the SNMP admin to change the port number on the SNMP manager at which the management station makes SNMP requests.

Message SNMP listen port has been changed from <port_num1> to <port_num2>. This change goes into effect in three seconds.

Meaning An admin has changed the user-configured SNMP listen port number to another user-configured port number. The change of port number assignments takes three seconds to go into effect.

Action Advise the SNMP admin to change the port number on the SNMP manager at which the management station makes SNMP requests.

Notification

Message SNMP trap port has been restored from <port_num> to default port 162.

Meaning An admin has restored the user-configured SNMP trap port number to the default SNMP trap port number (162).

Action Advise the SNMP admin to change the port number on the SNMP manager at which the management station receives SNMP traps.

Message SNMP VPN has been { enabled | disabled }.

Meaning An admin has either enabled or disabled VPN encryption for SNMP traffic between the SNMP agent (that is, the NetScreen device) and the SNMP manager.

Action No recommended action

Message SNMP AuthenTraps have been { enabled | disabled }.

Meaning An admin has either enabled the SNMP agent to generate SNMP authentication-failure traps or disabled the agent from doing so when the SNMP manager sends the incorrect community name string.

Action No recommended action

Message SNMP { contact | location } description has been modified.

Meaning An admin has modified the SNMP contact information, such as the NetScreen admin’s telephone number or e-mail address, or the information about the physical location of the NetScreen device.

Action No recommended action

Message SNMP community <name_str> attributes—write access, { yes | no }; receive traps, { yes | no }; receive traffic alarms, { yes | no }—have been modified.

Meaning An admin has modified at least one of the following attributes for the specified SNMP community:

• Read/write privileges (write access, yes) or read-only privileges (write access, no)

• Receiving traps sent from the NetScreen SNMP agent (receive traps, yes) or not receiving traps (receive traps, no), in which case the SNMP manager must request information from the agent

• Receiving traffic alarms sent from the NetScreen SNMP agent (receive traffic alarms, yes) or not receiving traffic alarms (receive traffic alarms, no)

Action No recommended action

Message SNMP host <ip_addr> has been { added to | removed from } SNMP community <name_str>.

Meaning An admin has added the specified host to the named SNMP community or removed it from the community.

Action No recommended action

Information

Message SNMP request from <ip_addr1>:<port_num> to <ip_addr2>:<port_num> has been received, but the SNMP version type is incorrect.

Meaning A request from the specified SNMP manager to the SNMP agent located in the specified NetScreen device has been received. However, because NetScreen supports SNMP version 1 and the SNMP manager making the request uses a different version of the protocol (such as SNMP version 2C or SNMP version 3), the agent cannot respond to the request.

Action If the request is from a legitimate SNMP manager, advise the admin to use SNMP version 1.

Message Response to SNMP request from <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2> has failed due to a coding error.

Meaning When the NetScreen device responded to an SNMP request, a BER coding/decoding error occurred. BER (Basic Encoding Rules) converts data into bits and bytes and is the transfer syntax for SNMP.

Action Advise the SNMP admin to retry.

Message SNMP request from an unknown SNMP community <name_str> at <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2> has been received.

Meaning A request from the specified SNMP manager to the SNMP agent located in the specified NetScreen device has been received. However, the NetScreen device does not recognize the specified SNMP community name.

Action If the SNMP manager IP address and port number are legitimate, advise the SNMP admin to check the configuration.

Message NetScreen device at <ip_addr1>:<port_num1> has responded successfully to SNMP request from <ip_addr2>:<port_num2>.

Meaning The SNMP agent located in the specified NetScreen device has successfully responded to an SNMP request from the specified SNMP manager.

Action No recommended action

Message SNMP community <name_str> cannot be added because the community list is full.

Meaning An admin has attempted to add the named SNMP community, but the NetScreen device already has the maximum number of communities configured.

Action Either remove one of the existing communities and then add the new one, or forgo the attempt.

Message SNMP host <ip_addr> cannot be added because community <name_str> is full.

Meaning An admin has attempted to add the specified host to the named SNMP community, but the community already has the maximum number of hosts allowed.

Action Either remove one of the existing hosts and then add the new one, or forgo the attempt.

Message SNMP host <ip_addr> cannot be added to community <name_str> because of an IP address conflict.

Meaning An admin has attempted to add the specified host to the named SNMP community, but its IP address duplicates another entry.

Action Check that the IP address for the host is correct and that it has not already been added to the community.

Message SNMP host <ip_addr> cannot be removed from community <name_str> because host cannot be found.

Meaning An admin has attempted to remove the specified host from the named SNMP community, but the host is not listed in the community.

Action Check that you are using the correct IP address for the host that you want to remove.

Message SNMP request has been received from an unknown host in SNMP community <name_str> at <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>.

Meaning An SNMP request from an unknown host in the specified SNMP community has been received.

Action If the SNMP request is from a legitimate SNMP community member, add the IP address for that host to the SNMP community configuration on the NetScreen device.

Message SNMP request has been received from host <ip_addr1>:<port_num1> with read-only privileges to <ip_addr2>:<port_num2>.

Meaning An SNMP request from a host at the specified IP address and port number with read-only privileges has been received at the specified IP address and port number of the NetScreen device.

Action If you want the host to have read/write privileges, change the configuration on the NetScreen device for that SNMP community to permit it.

Message SNMP request has been received from host <ip_addr1>:<port_num1> without read privileges to <ip_addr2>:<port_num2>.

Meaning An SNMP request from a host at the specified IP address and port number without read privileges has been received at the specified IP address and port number of the NetScreen device.

Action If you want the host to have read privileges, change the configuration on the NetScreen device for that SNMP community to permit it.

Message SNMP request has been received, but no SNMP community has been configured.

Meaning The SNMP agent on the NetScreen device has received an SNMP request, but no SNMP communities have been configured yet.

Action Configure an SNMP community.
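The SNMP Information messages above are the only record the device keeps of who is polling it, so they are what a defender would use to tell a misconfigured manager (wrong version, host missing from the community) from a source that is trying community names one after another. The script below is an added example and not NetScreen code: it matches log lines against the Information templates above, keeps per-source counts, and reports a source that tried several unknown community names or that was only ever rejected. As in the SCS example, the date/time/severity prefix of the sample lines is a constructed assumption; only the message bodies follow the page.

```python
"""Per-source summary of ScreenOS SNMP Information messages (added example,
not NetScreen code). Regexes follow the message templates on this page; the
sample lines' "<date> <time> info" prefix is an assumption for the example."""
import re
from collections import defaultdict

SNMP_PATTERNS = {
    "wrong_version": re.compile(
        r"SNMP request from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
        r"has been received, but the SNMP version type is incorrect"),
    "unknown_community": re.compile(
        r"SNMP request from an unknown SNMP community (?P<community>\S+) at "
        r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) has been received"),
    "unknown_host": re.compile(
        r"SNMP request has been received from an unknown host in SNMP community "
        r"(?P<community>\S+) at (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"),
    "responded": re.compile(
        r"NetScreen device at (?P<dst>[\d.]+):(?P<dport>\d+) has responded successfully to "
        r"SNMP request from (?P<src>[\d.]+):(?P<sport>\d+)"),
    "no_community": re.compile(
        r"SNMP request has been received, but no SNMP community has been configured"),
}


def new_source():
    """Per-source counters; communities_tried holds the unknown names seen."""
    return {"wrong_version": 0, "unknown_host": 0, "responded": 0, "communities_tried": set()}


def summarize_snmp_log(lines, guess_threshold=3):
    """Return per-source counts plus findings worth a look.

    A finding is (source_ip, reason, detail). "community-name guessing" fires
    when one source used guess_threshold or more unknown community names;
    "rejected only" when a source never got a successful response.
    """
    sources = defaultdict(new_source)
    unconfigured = 0
    for line in lines:
        for kind, rx in SNMP_PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "no_community":
                unconfigured += 1
            elif kind == "unknown_community":
                sources[m["src"]]["communities_tried"].add(m["community"])
            else:
                sources[m["src"]][kind] += 1
            break
    findings = []
    for src in sorted(sources):
        s = sources[src]
        rejected = s["wrong_version"] + s["unknown_host"] + len(s["communities_tried"])
        if len(s["communities_tried"]) >= guess_threshold:
            findings.append((src, "community-name guessing", sorted(s["communities_tried"])))
        elif s["responded"] == 0 and rejected:
            findings.append((src, "rejected only", rejected))
    return {"sources": dict(sources), "unconfigured_requests": unconfigured, "findings": findings}


# Constructed sample log for the example.
SNMP_SAMPLE_LOG = [
    "2003-05-12 11:00:00 info SNMP request from an unknown SNMP community public at 10.9.9.9:1024 to 10.1.1.1:161 has been received.",
    "2003-05-12 11:00:01 info SNMP request from an unknown SNMP community private at 10.9.9.9:1025 to 10.1.1.1:161 has been received.",
    "2003-05-12 11:00:02 info SNMP request from an unknown SNMP community netscreen at 10.9.9.9:1026 to 10.1.1.1:161 has been received.",
    "2003-05-12 11:05:00 info SNMP request from 10.1.1.20:2001 to 10.1.1.1:161 has been received, but the SNMP version type is incorrect.",
    "2003-05-12 11:05:10 info NetScreen device at 10.1.1.1:161 has responded successfully to SNMP request from 10.1.1.20:2002.",
    "2003-05-12 11:06:00 info SNMP request has been received from an unknown host in SNMP community monitor at 10.1.1.21:3000 to 10.1.1.1:161.",
    "2003-05-12 11:07:00 info SNMP request has been received, but no SNMP community has been configured.",
]

if __name__ == "__main__":
    for finding in summarize_snmp_log(SNMP_SAMPLE_LOG)["findings"]:
        print(finding)
```

The "rejected only" case is deliberately low-priority: it is exactly what the Action text describes for a legitimate manager whose address was not yet added to the community, so the output tells the operator which configuration to check rather than treating every rejection as hostile.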

SOFTWARE KEY

The following message relates to software keys used for enhancing functionality or adding optional features to the ScreenOS.

Notification

Message An optional ScreenOS feature has been activated via a software key.

Meaning An admin has activated an optional ScreenOS feature by using a software key.

Action No recommended action

SSL

The following message relates to the Secure Socket Layer (SSL) protocol.

Notification

Message SSL No ssl context. Not ready for connections.

Meaning The device cannot make a Secure Socket Layer (SSL) connection because no SSL context exists.

Action You need to configure SSL on the NetScreen device.

Message SSL enabled | disabled

Meaning The device has { enabled | disabled } a Secure Socket Layer (SSL) connection.

Action No recommended action

Message SSL memory allocation fails in process_ca()

Meaning The device could not allocate memory to store Secure Socket Layer (SSL) CA information.

Action Contact NetScreen technical support.

Message SSL memory allocation fails in process_cert()

Meaning The device could not allocate memory to store a Secure Socket Layer (SSL) certificate that enables SSL to run.

Action Contact NetScreen technical support.

Message SSL ssl context init failed

Meaning The device cannot build a Secure Socket Layer (SSL) connection or context.

Action Contact NetScreen technical support.

Message SSL no ssl cert

Meaning A Secure Socket Layer (SSL) certificate could not be set because an incorrect SSL certificate was selected.

Action Verify the SSL certificate. Certificates must be obtained from the CA and loaded into the NetScreen device.

Message SSL set | verify cert failed. Key type is not RSA

Meaning A Secure Socket Layer (SSL) certificate could not be set because the certificate selected does not have an RSA key associated with it.

Action Select a certificate that has an RSA key type.

Message PKI Verify Error: <id_num>:<string>

Meaning The certificate received by the Secure Socket Layer (SSL) layer of the NetScreen device cannot be verified by a PKI service in the device.

Action Make sure PKI has a CA that matches the issuing CA.

Message SSL Error when retrieve local ca(verify): <number>

Meaning The device generated a Secure Socket Layer (SSL) error when attempting to retrieve a local CA.

Action Make sure the CA is in the PKI service in the NetScreen device.

Message SSL Error when retrieve local cert(verify | all): <number>

Meaning The device generated a Secure Socket Layer (SSL) error when attempting to retrieve a local certificate.

Action Make sure the certificate is in the PKI service in the NetScreen device.

Message SSL - Error MessageID in incoming mail - <id_num>

Meaning A Secure Socket Layer (SSL) error message was generated by an incoming mail message <string>.

Action Contact NetScreen technical support.

Message SSL certificate changed

Meaning The Secure Socket Layer (SSL) certificate has changed.

Action No recommended action

Message SSL cert changed to none

Meaning The administrative user has unset the Secure Socket Layer (SSL) certificate name.

Action No recommended action

Message SSL set cert id is invalid<id_num>

Meaning The Secure Socket Layer (SSL) certificate ID is invalid.

Action No recommended action

Message SSL - cipher type <string> is not allowed in export or firewall only system

Meaning The cipher type for the Secure Socket Layer (SSL) session is not allowed in export or on a firewall-only system.

Action Do not use 3DES in export or on a firewall-only system.

Message SSL ca changed to none

Meaning Administrative user <user_name> unset Secure Socket Layer (SSL) certificate authority <name_str>.

Action No recommended action

Message SSL no ssl ca

Meaning The client side Secure Socket Layer (SSL) session could not be set because the certificate authority certificate has not been set.

Action Obtain a certificate and load it on the NetScreen device. Select the cipher you want to use.

Message SSL CA changed

Meaning Secure Socket Layer (SSL) certificate authority has changed.

Action No recommended action

Message SSL set ca id is invalid<id_num>

Meaning The Secure Socket Layer (SSL) certificate authority ID is invalid.

Action No recommended action

Message SSL cert subject mismatch: <string1> recieved, <string2> is expected

Meaning The Secure Socket Layer (SSL) context on the device received a certificate with the wrong subject from a PKI service on the device.

Action Make sure the CA certificates match on both the web server and the NetScreen device.

Message Web SSL cipher changed from <name_str1> to <name_str2>

Meaning An admin has changed the cipher used by the NetScreen device to secure communications.

Action Confirm that the action was appropriate, and performed by an authorized admin.

Message SSL cipher changed from <name_str1> to <name_str2>

Meaning An admin has changed the cipher used by the NetScreen device to secure communications.

Action Confirm that the action was appropriate, and performed by an authorized admin.

Message Web SSL Port changed from <port_num1> to <port_num2>

Meaning An admin has changed the number of the port used for managing the device via SSL.

Action Confirm that the action was appropriate, and performed by an authorized admin.

SYSLOG AND WEBTRENDS

The following messages pertain to configuring and enabling syslog and WebTrends facilities. The following messages are divided into the following two sections:

• “Syslog” on page 244

• “WebTrends” on page 246

Syslog

Notification

Message Attempt to enable { syslog | traffic logging via syslog } has failed because syslog settings have not yet been configured.

Meaning An admin has attempted to enable the syslog facility or traffic logging via syslog before configuring the syslog settings. Consequently the attempt has failed.

Action Before attempting to enable syslog or traffic logging via syslog, configure the syslog settings.

Message { Syslog | Traffic logging via syslog } has been { enabled | disabled }.

Meaning An admin has either enabled or disabled the syslog facility or traffic logging via syslog.

Action No recommended action

Message Syslog VPN encryption has been { enabled | disabled }.

Meaning An admin has either enabled or disabled VPN encryption of all syslog messages sent from the NetScreen device to the syslog host.

Action No recommended action

Message Syslog host { IP | domain name | port number } has been changed to { <ip_addr> | <domain_name> | <port_num> }.

Meaning An admin has changed the IP address or domain name of the syslog host or the port number to which the NetScreen device sends UDP packets bound for the syslog host.

Action No recommended action

Message Syslog { facility | security facility } has been changed to { local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | auth/sec }.

Meaning An admin has changed the name of the syslog facility or security facility for the messages sent to the syslog host.

Action No recommended action

Message Socket cannot be assigned for syslog.

Meaning The NetScreen system cannot allocate an IP socket for the syslog facility.

Action To free up a socket, close other management facilities that use sockets as connection tools, such as Telnet or the Web, and which are not currently in use.

WebTrends

Notification

Message Attempt to enable WebTrends has failed because WebTrends settings have not yet been configured.

Meaning An admin has attempted to enable the WebTrends facility before configuring the WebTrends settings. Consequently the attempt has failed.

Action Before attempting to enable WebTrends, configure the WebTrends settings.

Message WebTrends has been { enabled | disabled }.

Meaning An admin has either enabled or disabled the WebTrends facility.

Action No recommended action

Message WebTrends VPN encryption has been { enabled | disabled }.

Meaning An admin has either enabled or disabled VPN encryption of all WebTrends messages sent from the NetScreen device to the WebTrends host.

Action No recommended action

Message WebTrends host { IP | domain name | port number } has been changed to { <ip_addr> | <dom_name> | <port_num> }.

Meaning An admin has changed the IP address or domain name of the WebTrends host or the port number to which the NetScreen device sends UDP packets bound for the WebTrends host.

Action No recommended action

Message Socket cannot be assigned for WebTrends.

Meaning The NetScreen system cannot allocate an IP socket for the WebTrends facility.

Action To free up a socket, close some other facilities, such as Telnet, which are not currently in use.
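Most of the Syslog, WebTrends, SNMP and SSL notifications on the preceding pages carry "No recommended action", yet together they are the audit trail for the device's logging and management plane: a syslog host redirected, traffic logging or VPN encryption of log traffic switched off, an SNMP community given write access, or the Web SSL port or cipher changed are the changes a defender would want confirmed with the admin who made them, as the SSL entries' Action already says. The script below is an added example, not NetScreen code; it matches lines against those templates and emits a finding only for the state that weakens logging or management security (a change to "enabled" produces nothing). The sample lines' prefix is a constructed assumption; the message bodies follow the templates on this page.

```python
"""Pick out management-plane changes worth confirming from ScreenOS
notification lines (added example, not NetScreen code). Regexes follow the
Syslog, WebTrends, SNMP and SSL templates on this page; the sample lines'
"<date> <time> notification" prefix is an assumption for the example."""
import re

# Each rule: (regex, builder). The builder returns (kind, detail) for a
# finding, or None when the matched change does not weaken anything.
AUDIT_RULES = [
    (re.compile(r"\b(Syslog|Traffic logging via syslog|WebTrends) has been (enabled|disabled)\."),
     lambda m: ("logging-disabled", f"{m[1]} disabled") if m[2] == "disabled" else None),
    (re.compile(r"\b(Syslog|WebTrends|SNMP) VPN(?: encryption)? has been (enabled|disabled)\."),
     lambda m: ("encryption-disabled", f"{m[1]} VPN encryption disabled") if m[2] == "disabled" else None),
    (re.compile(r"\b(Syslog|WebTrends) host (IP|domain name|port number) has been changed to (\S+?)\.?\s*$"),
     lambda m: ("log-destination-changed", f"{m[1]} host {m[2]} now {m[3]}")),
    # "." stands in for the dash the template uses before "write access".
    (re.compile(r"SNMP community (\S+) attributes.write access, (yes|no);"),
     lambda m: ("snmp-write-access", f"community {m[1]} has write access") if m[2] == "yes" else None),
    (re.compile(r"Web SSL (Port|cipher) changed from (\S+) to (\S+)"),
     lambda m: ("web-ssl-changed", f"Web SSL {m[1]}: {m[2]} -> {m[3]}")),
]


def audit_management_changes(lines):
    """Return [(kind, detail, original_line)] for lines that change logging or
    management settings in a way an operator should confirm with the admin."""
    findings = []
    for line in lines:
        line = line.rstrip()
        for rx, build in AUDIT_RULES:
            m = rx.search(line)
            if m:
                finding = build(m)
                if finding:
                    findings.append((finding[0], finding[1], line))
                break   # one template per line
    return findings


# Constructed sample log for the example.
MGMT_SAMPLE_LOG = [
    "2003-05-12 12:00:00 notification Syslog host IP has been changed to 10.1.1.50.",
    "2003-05-12 12:00:05 notification Syslog VPN encryption has been disabled.",
    "2003-05-12 12:00:10 notification Traffic logging via syslog has been disabled.",
    "2003-05-12 12:00:20 notification Syslog has been enabled.",
    "2003-05-12 12:01:00 notification SNMP community ops attributes—write access, yes; receive traps, yes; receive traffic alarms, no—have been modified.",
    "2003-05-12 12:02:00 notification Web SSL Port changed from 443 to 8443",
    "2003-05-12 12:02:30 notification SNMP VPN has been enabled.",
    "2003-05-12 12:03:00 notification WebTrends host port number has been changed to 514.",
]

if __name__ == "__main__":
    for kind, detail, _ in audit_management_changes(MGMT_SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

The rule list is ordered from most to least specific so that "Syslog has been disabled." and "Syslog VPN encryption has been disabled." land on different rules; the `break` after the first match keeps one line from producing two findings.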

SYSTEM

The following messages pertain to NetScreen system memory.

Emergency

Message System memory is low: <number1> bytes allocated out of <number2> bytes total.

Meaning The number of bytes allocated for system memory has surpassed the alarm threshold.

Action If the memory alarm threshold was set too low, use the set alarm threshold memory command to increase the threshold. (The default is 95% of the total memory.) Check if a firewall attack is in progress. Seek ways to reduce traffic.

Message System memory is low (<number1> allocated out of <number2>) <number3> times in 1 minute

Meaning The number of bytes allocated for system memory has surpassed the alarm threshold that was set by a policy in bytes per minute.

Action If the policy set the alarm threshold too low, modify the policy to increase the threshold. Check if a firewall attack is in progress. Seek ways to reduce traffic.

TRAFFIC SHAPING
The following messages relate to the traffic shaping function.

Message traffic shaping is turned { ON | OFF }

Meaning An admin enabled or disabled the traffic shaping feature on the NetScreen device.

Action No recommended action

USER
The following messages pertain to events that affect user settings and status.

Information

Message The user limit has been exceeded and <ip_addr> cannot be added.

Meaning (NetScreen-5 and -5XP only) The limit for the number of internal users that can access the NetScreen device has been exceeded. Therefore, a communication attempt from the specified IP address has been denied.

Action No recommended action

VIP
The following messages concern virtual IP addresses (VIPs).

Critical

Message VIP/load balance server <ip_addr> cannot be contacted

Meaning The specified VIP server or VIP load balancing server is not responding to the heartbeat PINGs sent by the NetScreen device.

Action Check that the server is powered up, that it is connected to the network, and that its TCP/IP settings are correct.

Message VIP server <ip_addr> cannot be contacted

Meaning The specified VIP server is not responding to the heartbeat PINGs sent by the NetScreen device.

Action Check that the server is powered up, that it is connected to the network, and that its TCP/IP settings are correct.

Notifications

Message Address VIP (<ip_addr1>) for <ip_addr2> has been { added | modified | deleted }.

Meaning An admin has added, modified, or deleted the specified VIP.

Action No recommended action

Information

Message VIP multi-port was { enabled | disabled }

Meaning An admin enabled or disabled multi-port mapping from a multi-port service to a VIP.

Action No recommended action

Message VIP/load balance server <ip_addr> now alive.

Meaning The specified VIP server or VIP load balancing server has begun responding to the heartbeat PINGs sent by the NetScreen device.

Action No recommended action

Message VIP server <ip_addr> now alive.

Meaning The Virtual IP server has been brought up and is operational.

Action No recommended action

Message VIP/load balance server <ip_addr> is in manual mode

Meaning The admin disabled server auto-detection.

Action No recommended action


Message VIP server <ip_addr> is in manual mode

Meaning The admin disabled server auto-detection.

Action No recommended action

VIRTUAL SYSTEM
The following messages relate to virtual system configurations.

Notifications

Message Vsys <name_str> has been created

Meaning A root level admin has created the specified virtual system.

Action No recommended action

Message Vsys <name_str> ID has been changed from <id_num1> to <id_num2>

Meaning A root level admin has changed the ID of the specified virtual system.

Action No recommended action

Message Vsys <name_str1> has been changed to <name_str2>.

Meaning A root level admin has changed the name of a virtual system.

Action No recommended action

Message Vsys <name_str> has been deleted

Meaning A root level admin has deleted the specified virtual system.

Action No recommended action

Message NSRP VSD group ID for vsys <name_str> has been changed from <id_num1> to <id_num2>

Meaning A root level admin has changed the NSRP VSD group ID of the specified virtual system.

Action No recommended action

VLAN
The following messages relate to virtual local area networks (VLANs).

Notifications

Message VLAN tag <number> has been { created | deleted }

Meaning An admin has created or deleted the specified VLAN tag.

Action No recommended action

Message The 802.1Q tag for interface <interface> has been removed

Meaning An admin deleted the specified interface and 802.1Q VLAN tag.

Action No recommended action

Message The 802.1Q tag for interface <interface> has been changed to <number> from <number>

Meaning An admin has changed the 802.1Q VLAN tag for the specified interface.

Action No recommended action

Message 802.1Q VLAN trunking for interface <interface> has been turned { on | off }

Meaning An admin has either enabled or disabled 802.1Q VLAN trunking for the specified interface. Note that this option is only available in Transparent mode.

Action No recommended action

VPN
The following messages relate to IPSec virtual private network (VPN) tunnels, and VPN-related technologies.

Critical

Message Replay packets have been detected! From <ip_addr>:<port_num> to <ip_addr>:<port_num>, using protocol { 50 | 51 }, on interface <interface>. [ The attack occurred <number> times.]

Meaning The NetScreen device has detected Encapsulating Security Payload (ESP, protocol 50) or Authentication Header (AH, protocol 51) packets whose sequence numbers fall outside a specified range for VPNs with the replay protection feature enabled. The packets are from the specified source IP address and port, destined for the specified IP address and port, use the specified protocol, and enter the NetScreen device at the specified interface. The number indicates how many consecutive times per second the internal timer detected the arrival of packets with sequence numbers falling outside the defined range of acceptability.

Out-of-sequence packets might indicate that somebody has resent a series of previously intercepted packets with the intent of gaining entry to the trusted network or of flooding the NetScreen device to cause a denial-of-service (DoS).

Action If the NetScreen device is in high availability (HA) mode in a redundant cluster, check if a failover has recently occurred. Because packet sequence numbers are not synchronized between master and backup units, all ESP or AH packets for VPNs with the replay protection feature enabled appear to be out of sequence to the new master. Consequently, the new master registers these packets as components of a replay attack.
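The "range of acceptability" in the message above is an anti-replay window. The following is an added example, not ScreenOS code or anything from this guide: a sliding window of the kind RFC 4303 describes for ESP and AH, fed with a constructed stream of sequence numbers, so that the verdicts a receiver reaches (accept, replay, or stale) and the effect of a receiver whose window state is out of step with the sender's counter, the situation the Action text ties to an HA failover, can be seen directly. The window size and the sample sequence numbers are assumptions chosen for illustration.

```python
# Added example, not ScreenOS code: an ESP/AH anti-replay window in the style
# of RFC 4303 Appendix A. Window size and sample data are assumptions.

WINDOW_SIZE = 64   # RFC 4303 requires at least 32; 64 is a common default


class AntiReplayWindow:
    """Highest sequence number accepted so far plus a bitmap recording which of
    the WINDOW_SIZE numbers at or below it have already been seen."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest accepted sequence number (0 = nothing yet)
        self.bitmap = 0     # bit i set  ->  sequence number (top - i) was received

    def check_and_update(self, seq):
        """Return 'accept', 'replay' (seen before) or 'stale' (below the window).
        Only accepted packets change the window; a real receiver would verify
        the packet's integrity check value before updating it."""
        if seq == 0:
            return "stale"                       # 0 is never sent on a fresh SA
        if seq > self.top:                       # new high-water mark: slide right
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                  # everything old falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq                  # distance below the top
        if offset >= self.size:
            return "stale"                       # left of the window: cannot judge, drop
        if self.bitmap & (1 << offset):
            return "replay"                      # inside the window but already seen
        self.bitmap |= 1 << offset               # late but genuinely new
        return "accept"


def classify_stream(seqs, window=None):
    """Verdict for each sequence number, in arrival order, through one window."""
    if window is None:
        window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]


def rejected_count(seqs):
    """What the '[ The attack occurred <number> times.]' figure counts:
    packets outside the acceptable range or already received."""
    return sum(v != "accept" for v in classify_stream(seqs))


def after_failover(receiver_top=5000, sender_restart_at=1, n=10):
    """A receiver that kept window state from before a failover (top=5000)
    against a peer whose counter restarted at 1: every packet is stale until
    the counter climbs past the old window. This is the kind of mismatch the
    Action text describes after an unsynchronized HA failover."""
    w = AntiReplayWindow()
    w.top, w.bitmap = receiver_top, 1
    return classify_stream(range(sender_restart_at, sender_restart_at + n), w)


# Constructed sample: in-order traffic, one packet reordered within the window,
# then four previously captured packets re-sent by an attacker.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 6, 7, 2, 3, 4, 5]
```

Running classify_stream(SAMPLE_SEQS) accepts the first seven packets, including the reordered 4, and rejects the four replays; the receiver in after_failover() rejects every packet, which is why a burst of replay alarms right after a failover is usually a state mismatch rather than an attack.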

Notifications

Message vpnmonitor interval is unset.

Meaning An admin has returned the VPN monitoring frequency to its default setting. The VPN monitoring feature sends an ICMP echo request (PING) through a VPN tunnel from end to end to check if the tunnel is up or down. The default setting is one PING per minute.

Action No recommended action

Message vpnmonitor threshold is unset.

Meaning An admin has returned the VPN monitor threshold to its default setting.

Action No recommended action

Message VPN monitoring for VPN <name_str> has been { enabled | disabled }

Meaning An admin has either enabled or disabled the VPN monitoring option for the specified VPN tunnel. VPN monitoring checks if a VPN tunnel is up or down. If the state changes, an SNMP trap is triggered and the NetScreen device sends a message to an SNMP manager.

Action No recommended action

Message vpnmonitor interval is set to <number>

Meaning An admin has changed the VPN monitoring frequency to the specified number of seconds. The VPN monitoring feature sends an ICMP echo request (PING) through a VPN tunnel from end to end at the specified frequency to check if the tunnel is up or down.

Action No recommended action

Message vpnmonitor threshold is set to <number>

Meaning An admin has changed the VPN monitoring threshold to the specified number of packets. The VPN monitoring feature sends an ICMP echo request (PING) through a VPN tunnel from end to end at the specified frequency to check if the tunnel is up or down. The threshold value is the number of consecutive unanswered requests after which the device decides the tunnel is down.

Action No recommended action

Message The DF-BIT for VPN <name_str> has been set to { clear | set | copy }.

Meaning For the specified VPN tunnel, an admin has cleared or set the Don't Fragment BIT in the outside header of an encapsulated packet, or copied the DF-BIT setting from the inside header to the outside header.

Action No recommended action

Message VPN <name_str> with gateway <name_str2>, { no-rekey | rekey }, and p2-proposal <name> has been { added | modified | deleted }.

Meaning An admin has added or deleted the specified VPN, or modified at least one of its attributes.

Action No recommended action

Message VPN <name_str> with gateway <ip_addr> and SPI <hex_num1>/<hex_num2> has been { added | modified | deleted }.

Meaning An admin has added or deleted the specified VPN, or modified at least one of its attributes.

Action No recommended action

Message IPSec NAT-T for VPN <name_str> has been { enabled | disabled }.

Meaning An admin has either enabled or disabled the NAT traversal (NAT-T) option for the specified VPN.

NAT traversal adds an extra layer of encapsulation, encapsulating the original IPSec packet (using ESP or AH protocols) within a UDP packet.

Most NAT servers cannot recognize the ESP or AH protocols and drop IPSec packets. When the NAT-T option is enabled, the sender encapsulates the ESP or AH packet within a UDP packet. The NAT server recognizes the UDP protocol and sends it on. The recipient then strips off the UDP packet and processes the inner ESP or AH packet accordingly. Note that the standardized form of NAT-T (RFC 3948) covers ESP only: an AH packet cannot survive address translation even inside UDP, because the AH integrity check covers the outer IP addresses that the NAT rewrites.

Action No recommended action
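To make the encapsulation just described concrete, here is an added example, not ScreenOS code or anything from this guide, that models the UDP encapsulation of ESP in the layout RFC 3948 specifies and the receiver-side step that strips it. It goes a little beyond the text: on UDP port 4500 the receiver must also tell UDP-encapsulated ESP apart from IKE packets (prefixed with a four-byte all-zero Non-ESP marker) and from one-byte NAT-keepalive packets, and the rule that SPI 0 is reserved is what makes that distinction unambiguous. Addresses, ports, the SPI and the ciphertext are constructed for the walk-through; encryption itself is not modelled.

```python
import struct

# Added example, not ScreenOS code: UDP encapsulation of ESP per RFC 3948 and
# the receiver's demultiplexing on port 4500. All addresses and values below
# are assumptions made up for the walk-through.

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: prefixed to IKE on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-byte keepalive payload
ESP_HEADER_LEN = 8                    # SPI (4 bytes) + sequence number (4 bytes)


def build_esp(spi, seq, ciphertext):
    """ESP header followed by the (already encrypted) payload. SPI 0 is
    reserved, which is what lets a receiver tell ESP from the all-zero
    Non-ESP marker."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + ciphertext


def encapsulate(esp_packet):
    """Sender: the whole ESP packet becomes the UDP payload, byte for byte.
    The UDP and outer IP headers are added by the stack and are not modelled."""
    return esp_packet


def nat_rewrite(flow, payload, public_ip, public_port):
    """What a NAT device does with the UDP flow: rewrite the outer addressing
    and forward the payload untouched. flow = (src_ip, src_port, dst_ip, dst_port)."""
    _src_ip, _src_port, dst_ip, dst_port = flow
    return (public_ip, public_port, dst_ip, dst_port), payload


def decapsulate(payload):
    """Receiver: classify a UDP/4500 payload and strip the encapsulation.
    Returns (kind, inner) with kind one of 'esp', 'ike', 'keepalive', 'invalid'."""
    if payload == NAT_KEEPALIVE:
        return "keepalive", b""
    if payload.startswith(NON_ESP_MARKER):
        return "ike", payload[len(NON_ESP_MARKER):]
    if len(payload) >= ESP_HEADER_LEN:
        return "esp", payload
    return "invalid", payload


def parse_esp_header(esp_packet):
    """SPI and sequence number; the sequence number is what replay protection checks."""
    spi, seq = struct.unpack("!II", esp_packet[:ESP_HEADER_LEN])
    return {"spi": spi, "seq": seq, "payload": esp_packet[ESP_HEADER_LEN:]}


# Constructed walk-through: a host at 10.1.1.5 behind a NAT (public address
# 198.51.100.7) sends one ESP packet to a gateway at 203.0.113.9.
PRIVATE_FLOW = ("10.1.1.5", NAT_T_PORT, "203.0.113.9", NAT_T_PORT)


def walk_through():
    """Sender -> NAT -> receiver; returns what the receiver ends up with."""
    esp = build_esp(spi=0x01020304, seq=42, ciphertext=b"\xaa" * 16)
    flow, udp_payload = nat_rewrite(PRIVATE_FLOW, encapsulate(esp), "198.51.100.7", 61234)
    kind, inner = decapsulate(udp_payload)
    hdr = parse_esp_header(inner)
    return flow, kind, hdr["spi"], hdr["seq"], len(hdr["payload"])
```

The point the walk-through makes is that the NAT only touches the outer UDP/IP addressing; the SPI, sequence number and encrypted payload reach the gateway unchanged, which is why ESP can be checked for integrity and replay after translation while AH, whose check covers those outer addresses, cannot.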

Message IP pool <name_str> with range <ip_addr1>-<ip_addr2> has been created

Meaning The named IP pool with the specified range of IP addresses was created.

Action No recommended action

Message IP pool <name_str> with range <ip_addr1>-<ip_addr2> has been deleted

Meaning The named IP pool with the specified range of IP addresses was deleted.

Action No recommended action

Message IP pool <name_str> with range <ip_addr1>-<ip_addr2> was removed

Meaning An IP pool that contains a group of available addresses to be automatically assigned to a device using DHCP with the given name was removed.

Action No recommended action

Message No IP pool has been assigned. You cannot allocate an IP address.

Meaning An IP address from a specified pool could not be allocated and assigned to a device.

Action Contact NetScreen to determine if the address pool is valid.

Information

Message Receive UDP packets from <ip_addr1>/<port_num1> on interface <interface> <ip_addr2>/<port_num2>

Meaning UDP packets from the specified IP address and port number have been received at the named interface at the specified IP address and port number.

Action No recommended action

Message VPN ID number cannot be assigned.

Meaning During VPN tunnel configuration, the NetScreen device was unable to assign the VPN tunnel an ID number, possibly because the maximum number of tunnels had been reached. Consequently, the configuration of the VPN tunnel was unsuccessful.

Action Check if the number of the defined VPN tunnels has reached the maximum limit.

ZONE
The following messages relate to security zones and tunnel zones.

Notifications

Message New zone <zone> (id: <id_num>) was created.

Meaning An admin successfully created a new zone with the indicated ID number.

Action No recommended action

Message Zone <zone> (id: <id_num>) was deleted.

Meaning An admin successfully deleted the specified zone.

Action No recommended action

Message Zone <zone> was bound to virtual router <vrouter>.

Meaning An admin successfully bound a specified zone to a specified virtual router.

Action No recommended action

Message Zone <zone> was unbound from virtual router <vrouter>.

Meaning An admin successfully unbound a specified zone, either trust or untrust, from a specified virtual router.

Action No recommended action

Message Intra-zone block for zone <zone> was set to { on | off }.

Meaning This action turns the intra-zone block on or off for a given zone.

Action No recommended action

Message Tunnel zone <zone1> was bound to out zone <zone2>.

Meaning An admin successfully bound a specified tunnel zone to a specified outbound zone.

Action No recommended action

Message Zone <zone> was changed to non-shared.

Meaning An admin changed a zone’s attribute from shared to non-shared.

Action No recommended action

TRAFFIC LOG MESSAGES
Message logging automatically begins when a device boots up. NetScreen 4.0.0 supports a traffic log which contains entries that have multiple fields in them. An example of an entry and its fields is shown here.

May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 system notification-0025(traffic): start_time="2001-04-29 16:46:16" duration=88 policy_id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Tunnel(VPN_303) sent=102 rcvd=0 src=192.168.10.10 dst=10.10.10.1 icmp type=8

The following table breaks these fields down and describes them.

Field Example (Field Name): Description

May 18 (Date Stamp): Displays the date when the message was generated.

15:59:26 (Time Stamp): Displays the time when the message was generated. This value is displayed in the following format: HH:MM:SS.

192.168.10.1 (Source IP Address): Displays the IP address of the device that generated the traffic log message.

ns204 (Device Model): Displays the model number of the device that generated the traffic log message.

NetScreen device_id=0029012002000170 (Device Serial Number): Displays the ID number of the device, which is the 16-digit serial number assigned to the device by NetScreen.

system notification (Severity Level): Displays the severity level of the event which generated the traffic message. Severity levels are:
  Emergency: The device is unusable.
  Alert: Immediate action is required to resolve the event on the device.
  Critical: Functionality on the device is severely affected.
  Error: An error was reported on the device.
  Warning: Functionality may be affected on the device.
  Notification: The event is seen as normal on the device.
  Information: A general information message about the device.
  Debug: A message related to debugging a problem on the device.

0025 (Type ID): Displays the error type in a code associated with the type.

(traffic) (Type): Displays the error type in a descriptive string about the error.

start_time="2001-04-29 16:46:16" (Start Time): Displays the time and date when the traffic began being generated.

duration=88 (Duration): Displays the amount of time in seconds that elapsed since the start time, that is, the length of the session being logged.

policy_id=2 (Traffic Policy): Displays the code associated with the policy that generated the traffic message.

service=icmp (Service): Displays the protocol service used by the device that generated the traffic message. Common services for traffic messages include ICMP, TCP, and UDP.

proto=1 (Protocol Number): Displays the code number associated with the protocol service used by the device that generated the traffic message.

src zone=Trust (Source Zone): Displays the name of the zone from where the error-generating traffic was forwarded.

dst zone=Untrust (Destination Zone): Displays the name of the zone to where the error-generating traffic was forwarded.

action=Tunnel (Policy Action): Displays the action that results on the device from the detection of the error: forward or denial (for example Permit, Deny, or Tunnel).

(VPN_303) (VPN ID): Displays the code number that identifies the VPN on which the error-generating traffic was running.

sent=102 (Bytes Sent): Displays the number of bytes associated with the error that were sent by the source device.

rcvd=0 (Bytes Received): Displays the number of bytes associated with the error that were received by the destination device.

src=192.168.10.10 (Source IP Address): Displays the IP address of the device sending the traffic associated with the error.

dst=10.10.10.1 (Destination IP Address): Displays the IP address of the device receiving the traffic associated with the error.

icmp type=8 (Protocol Type): Displays a code number associated with a sub-type of a protocol on the device sending the traffic associated with the error. Not all protocols have sub-types. (Optional field.)
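A parser for the entry format described above, written here as an added example rather than taken from the guide or from NetScreen, shows how the fields split out in practice: the fixed header up to the "(traffic):" marker, then key=value pairs in which some keys contain a space (src zone, dst zone, icmp type), some values are quoted (start_time) and the action may carry a VPN name in parentheses. The first sample line is the entry from the text; the second is a constructed Deny entry in the same format and with the same device ID and type ID, made up for the example. The severity-rank and per-VPN byte-count helpers are assumptions about how one might use the parsed fields, not ScreenOS behaviour.

```python
import re

# Added example, not ScreenOS code: parser for the traffic log entry format
# documented above. The second sample line is constructed, not a real log.

# Severity levels in the order the table lists them (index 0 = most severe).
SEVERITY_LEVELS = ["emergency", "alert", "critical", "error",
                   "warning", "notification", "information", "debug"]

# Fixed header: date, time, source IP, model, device ID, severity-typeID(type):
_HEADER = re.compile(
    r"^(?P<date>[A-Za-z]{3} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<source_ip>\S+) (?P<model>\S+): NetScreen device_id=(?P<device_id>\S+) "
    r"(?P<severity>[\w ]+?)-(?P<type_id>\d+)\((?P<type>\w+)\): (?P<body>.*)$"
)
# Body: key=value pairs; keys may contain one space ("src zone", "icmp type"),
# values may be double-quoted ("2001-04-29 16:46:16") or bare (Tunnel(VPN_303)).
_FIELD = re.compile(
    r'(?P<key>[a-z_]+(?: [a-z_]+)?)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)
_ACTION = re.compile(r"^(?P<action>\w+)(?:\((?P<vpn>[^)]*)\))?$")
_INT_FIELDS = ("duration", "policy_id", "proto", "sent", "rcvd", "icmp_type")


def parse_traffic_log(line):
    """Parse one traffic log line into a dict; return None if it is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    entry = {k: v for k, v in m.groupdict().items() if k != "body"}
    # "system notification" -> the severity word the table describes
    entry["severity"] = m.group("severity").split()[-1].lower()
    for f in _FIELD.finditer(m.group("body")):
        value = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
        entry[f.group("key").replace(" ", "_")] = value
    a = _ACTION.match(entry.get("action", ""))
    if a:
        entry["action"] = a.group("action")
        entry["vpn"] = a.group("vpn")          # None unless action=Tunnel(VPN_xxx)
    for k in _INT_FIELDS:
        if k in entry:
            entry[k] = int(entry[k])
    return entry


def severity_rank(entry):
    """0 for emergency ... 7 for debug; unknown levels sort after debug."""
    try:
        return SEVERITY_LEVELS.index(entry["severity"])
    except ValueError:
        return len(SEVERITY_LEVELS)


def denied_flows(lines):
    """(src, dst, service) for every parsed entry whose policy action was Deny."""
    out = []
    for line in lines:
        e = parse_traffic_log(line)
        if e and e.get("action") == "Deny":
            out.append((e["src"], e["dst"], e.get("service")))
    return out


def bytes_by_vpn(lines):
    """Total sent+rcvd bytes per VPN for tunnelled traffic."""
    totals = {}
    for line in lines:
        e = parse_traffic_log(line)
        if e and e.get("vpn"):
            totals[e["vpn"]] = totals.get(e["vpn"], 0) + e["sent"] + e["rcvd"]
    return totals


# Constructed sample input: the entry from the text plus a made-up denied TCP
# flow in the same format, and one line that is not a traffic log entry.
SAMPLE_LINES = [
    'May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 '
    'system notification-0025(traffic): start_time="2001-04-29 16:46:16" '
    'duration=88 policy_id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust '
    'action=Tunnel(VPN_303) sent=102 rcvd=0 src=192.168.10.10 dst=10.10.10.1 icmp type=8',
    'May 18 15:59:31 192.168.10.1 ns204: NetScreen device_id=0029012002000170 '
    'system notification-0025(traffic): start_time="2001-04-29 16:46:21" '
    'duration=0 policy_id=3 service=tcp proto=6 src zone=Untrust dst zone=Trust '
    'action=Deny sent=60 rcvd=0 src=10.10.10.1 dst=192.168.10.10',
    'not a traffic log line',
]
```

Keys are normalised to underscores (src_zone, icmp_type) so that entries can be compared across lines regardless of whether a key was written with a space, and numeric fields are converted so that byte counts and durations can be summed directly.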


Acronym Full Text

3DES Triple Data Encryption Standard

ACK Acknowledge

ACL Access Control List

AES Advanced Encryption Standard

AH Authentication Header

ARIN American Registry of Internet Numbers

AS Autonomous System

AS-PATH Autonomous System Path

BER Basic Encoding Rules

BGP Border Gateway Protocol

CA Certificate Authority

CERT Certificate

CN Common Name (X.509 certificate)

CR Certificate Revocation

CRL Certificate Revocation List

DER Distinguished Encoding Rules

DES Data Encryption Standard

DH Diffie-Hellman

DHCP Dynamic Host Configuration Protocol

DIP Dynamic IP

DN Distinguished Name

DNS Domain Name System


DOI Domain of Interpretation

DoS Denial of Service

DSA Digital Signature Algorithm

DSS Digital Signature Standard

EE End Entity

ESP Encapsulating Security Payload

FQDN Fully Qualified Domain Name

HA High Availability

HDLC High Level Data Link Control

HTTP HyperText Transfer Protocol

HTTPS HyperText Transfer Protocol Secure

ICMP Internet Control Message Protocol

IKE Internet Key Exchange

IP Internet Protocol

IPSec Internet Protocol Security

L2TP Layer 2 Tunneling Protocol

LDAP Lightweight Directory Access Protocol

LSA Link State Advertisement

MD5 Message Digest 5

MIP Mapped IP

NACN NetScreen Address Change Notification

NAT Network Address Translation

NAT-T Network Address Translation Traversal


NSO Network Security Officer

NSRP NetScreen Redundancy Protocol

NTP Network Time Protocol

OSPF Open Shortest Path First

PFS Perfect Forward Secrecy

PKA Public Key Authentication

PKCS Public Key Cryptography Standards

PKI Public Key Infrastructure

PLDAP Primary Connection Lightweight Directory Access Protocol

PM NetScreen Policy Manager

PPP Point-to-Point Protocol

PPPoE Point-to-Point Protocol over Ethernet

RADIUS Remote Authentication Dial-In User Service

RSA Rivest Shamir Adleman (authors of the RSA public-key algorithm)

RTO Run Time Objects

SA Security Association

SCEP Simple Certificate Enrollment Protocol

SHA Secure Hash Algorithm

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SPI Security Parameter Index

SSH Secure Shell

SSL Secure Sockets Layer


TFTP Trivial File Transfer Protocol

UDP User Datagram Protocol

UFQDN User’s Fully Qualified Domain Name

URL Uniform Resource Locator

VIP Virtual IP

VLAN Virtual Local Area Network

VOIP Voice Over IP

VPN Virtual Private Network

VSD Virtual Security Device

VSYS Virtual System

APPENDIX A: Emergency Messages
This appendix lists page references for the messages at the highest severity level: emergency.

APPENDIX B: Alert Messages
This appendix lists page references for the messages at the second highest severity level: alert.

APPENDIX C: Critical Messages
This appendix lists page references for the messages at the third highest severity level: critical.

APPENDIX D: Error Messages
This appendix lists page references for the messages at the fourth highest severity level: error.

APPENDIX E: Warning Messages
This appendix lists page references for all the messages at the fifth highest severity level: warning.

APPENDIX F: Notification Messages
This appendix lists page references for all the messages at the sixth highest severity level: notification.

APPENDIX G: Information Messages
This appendix lists page references for the messages at the lowest severity level: information.