
NetScreen Message Log Reference Guide

ScreenOS 4.0.0, Rev F

Copyright Notice

NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc., 350 Oakmead Parkway, Sunnyvale, CA 94085 U.S.A. www.netscreen.com

FCC Statement

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: reorient or relocate the receiving antenna; increase the separation between the equipment and receiver; consult the dealer or an experienced radio/TV technician for help; connect the equipment to an outlet on a circuit different from that to which the receiver is connected. Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.


Contents

Preface  vii
    Organization  viii
    Feedback  ix
    Conventions  x
    Admin Information  xi
    Acronyms  xii

Introduction  xvii
    Anatomy of a Message  xviii
    Display Options  xx
    Traffic Log Messages  xxi

Messages
    Address
    Admin
    Auth
    BGP
    Clock
    Device
    DHCP
        DHCP Server and Relay Agent
        DHCP Client
    DIP
    DNS
    Firewall
    Global
    High Availability (HA and NSRP)
        Path Monitoring
    IKE
    Interface
    L2TP
    Link Status
    Logs
    MIP
    NACN
    OSPF
    PKI
    PPPoE
    Policies
    Routes
    Schedule
    SCS
    Services
    SNMP
    Software Key
    SSL
    Syslog and WebTrends
        Syslog
        WebTrends
    System
    Traffic Shaping
    Users
    VIP
    Virtual Systems
    VLANs
    VPNs
    Zones
    Traffic Log Messages

Appendix A  Emergency Messages
Appendix B  Alert Messages
Appendix C  Critical Messages
Appendix D  Error Messages
Appendix E  Warning Messages
Appendix F  Notification Messages
Appendix G  Information Messages

Preface

This reference guide documents the log messages that appear in ScreenOS 4.0.0. It serves a dual purpose:

Managing Message Log Databases
It provides a tool for categorizing and filtering messages for administrators who use network management tools such as NetScreen-Global Manager, NetScreen-Global PRO, SNMP, syslog, or WebTrends. Because the book is organized by subject, you can quickly find all the messages related to a particular area and filter them into meaningful sections in the database. For example, all the messages related to firewall status are in the Firewall section, and all the messages related to VPNs are in the VPNs section.

Understanding Messages
It provides the NetScreen administrator with a comprehensive list of all the messages that the NetScreen system generates, with explanations of what the messages mean and what actions you might take upon receiving them. The appendices at the end of the book are organized by severity level; within each appendix, the messages are listed by message type ID number. For example, if you see a message with the severity level Notification and the ID 00001, you can look it up in the Notification Messages appendix and see that message 00001 is explained on page 2.

Note: A text file containing only the message text ships on the documentation CD as NetScreen Messages--Text Only. You can use it to cut and paste messages when creating scripts. You must still do some editing for the multiple messages that this book combines into a single documented entry (see Conventions on page x).


ORGANIZATION

The book is organized into the following sections:

Preface
The Preface explains the purpose of this book, its organization, and the terminology conventions used in all NetScreen documentation.

Introduction
The Introduction examines the discrete components of a message and the options that affect how a message is displayed.

Messages
This section contains all the messages, organized by subject, then severity level, then message type ID number. For example, Address >> Notification Level >> 00001 (subject >> severity level >> message type ID). Each entry contains the following elements:

    Message: The text of the message that appears in the log.
    Meaning: An explanation of what the message means.
    Action: One or more recommended actions for the administrator to take, when such action is required.

For example, one of the messages found at Address >> Notification Level >> 00001 is the following:

    Message: Address group <grp_name> has been { added | modified | deleted }.
    Meaning: An administrator has added, modified, or deleted the specified address group.
    Action: No recommended action

Emergency Messages
This appendix lists all the emergency messages by message type ID number, allowing you to find any emergency message quickly via its message type ID.

Alert Messages
This appendix lists all the alert messages by message type ID number.

Critical Messages
This appendix lists all the critical messages by message type ID number.


Error Messages
This appendix lists all the error messages by message type ID number.

Warning Messages
This appendix lists all the warning messages by message type ID number.

Notification Messages
This appendix lists all the notification messages by message type ID number.

Information Messages
This appendix lists all the information messages by message type ID number.

FEEDBACK
This version of the NetScreen Message Log Reference Guide marks the first attempt to document all of the ScreenOS messages. As it stands, this effort continues to be an ongoing project. If you find any errors or omissions in the following content, please contact us at the e-mail address below: techpubs@netscreen.com


CONVENTIONS

NetScreen publications use the following conventions to indicate optional and required elements, variables, and options:

    A parameter inside [ ] (square brackets) is optional. This element might appear in the message.
    A parameter inside { } (braces) is required. This element must appear in the message.
    Anything inside < > (angle brackets) is a variable and denotes the type, rather than the exact wording, of the element that appears in the message.
    If there is more than one option for an element inside [ ] or { }, the options are separated by a pipe ( | ).

For example, the following three messages can appear in the log:

    Address group sales has been added.
    Address group sales has been modified.
    Address group sales has been deleted.

In this book, these three messages are combined into one and written as follows:

    Address group <grp_name> has been { added | modified | deleted }.

Note that the variable <grp_name> denotes the specific name of the address group (sales in this example). The braces and pipes indicate that exactly one of the elements (added, modified, or deleted) must appear in the message.
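The template notation above is precise enough to be compiled mechanically, which is what you want when turning entries from this guide into matching rules for a syslog pipeline. The following example is added here and is not code from the guide or from NetScreen: it converts a guide-style template into a regular expression (optional elements, required alternatives, and variables become optional groups, named choice groups, and named capture groups respectively) and matches log lines against it. The template and the three sample lines are the guide's own from the Conventions section; the fourth sample line and the Admin-section templates used in the usage note are constructed.

```python
import re
from typing import Dict, Optional

# The guide's template notation (Conventions section):
#   [ x ]          optional element
#   { a | b | c }  exactly one of the alternatives is required
#   <name>         variable, standing for the type of element, not its text
# Everything else is literal. Whitespace in a template matches any run of
# whitespace (or none) in the log line.


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a guide-style message template into an anchored regex.

    Variables become named groups; each { ... } choice becomes a group named
    choice1, choice2, ... so the caller can see which alternative occurred.
    """
    pos, n, nchoice = 0, len(template), 0
    seen: Dict[str, int] = {}

    def unique(name: str) -> str:
        # A template may use the same variable twice (e.g. two <name_str>);
        # Python rejects duplicate group names, so number the repeats.
        seen[name] = seen.get(name, 0) + 1
        return name if seen[name] == 1 else f"{name}_{seen[name]}"

    def parse_seq(stop: str) -> str:
        nonlocal pos, nchoice
        out = []
        while pos < n and template[pos] not in stop:
            c = template[pos]
            if c == "[":
                pos += 1
                inner = parse_alts("]")
                pos += 1  # consume ']'
                out.append(f"(?:{inner})?")
            elif c == "{":
                pos += 1
                nchoice += 1
                group = f"choice{nchoice}"
                inner = parse_alts("}")
                pos += 1  # consume '}'
                out.append(f"(?P<{group}>{inner})")
            elif c == "<":
                end = template.index(">", pos)
                out.append(f"(?P<{unique(template[pos + 1:end])}>.+?)")
                pos = end + 1
            elif c.isspace():
                while pos < n and template[pos].isspace():
                    pos += 1
                out.append(r"\s*")
            else:
                start = pos
                while pos < n and template[pos] not in "[]{}|<" and not template[pos].isspace():
                    pos += 1
                if pos == start:  # stray ] } or | outside a group: keep it literal
                    pos += 1
                out.append(re.escape(template[start:pos]))
        return "".join(out)

    def parse_alts(close: str) -> str:
        nonlocal pos
        alts = [parse_seq("|" + close)]
        while pos < n and template[pos] == "|":
            pos += 1
            alts.append(parse_seq("|" + close))
        return "|".join(alts)

    return re.compile(r"^\s*" + parse_seq("") + r"\s*$")


def match_template(template: str, line: str) -> Optional[Dict[str, str]]:
    """Match a log line against a template; return the captured fields or None."""
    m = template_to_regex(template).match(line)
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items() if v is not None}


# The guide's own example template and the three lines it stands for, plus one
# constructed line that is not a documented alternative.
TEMPLATE = "Address group <grp_name> has been { added | modified | deleted }."
SAMPLE_LINES = [
    "Address group sales has been added.",
    "Address group sales has been modified.",
    "Address group sales has been deleted.",
    "Address group sales has been renamed.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r} -> {match_template(TEMPLATE, line)}")
```

The fourth line yields None because "renamed" is not one of the documented alternatives; a rule built this way therefore only fires on the exact messages the guide documents, which is the property you want before attaching a severity or an alert to it. Templates that repeat a variable, such as the Admin warning "Admin user <name_str> attempt access to <name_str> illegal ...", get the second occurrence as name_str_2.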


Admin Information

When a message results from an administrator's action, the administrator's name precedes the message and the location from which the administrator acted is appended to it. All such log entries have the following form:

    <admin_name>: <message text> from { the console | scs <ip_addr> | telnet <ip_addr> | web <ip_addr> | the master | the backup | the LCD display }

Note: The terms master and backup denote the status of NetScreen devices configured for high availability (HA) in a redundant cluster. The LCD display is available only on the NetScreen-500.

For example, messages such as the following can appear in the log:

    netscreen: Address group sales has been added from the console.
    joe: Address group sales has been modified from web 10.10.2.171.
    xo: Address group sales has been deleted from the master.

In the messages that follow in this book, the administrator's name and location have been omitted to avoid unnecessary repetition.

Note: Not all messages report the results of an admin's action. For example, a message such as "CPU utilization has reached 90% of capacity" does not include such information because no admin is involved in the event.


ACRONYMS

NetScreen publications use the following acronyms to represent various concepts, terms, and standards:

Acronym   Full Text
3DES      Triple Data Encryption Standard
ACK       Acknowledge
ACL       Access Control List
AES       Advanced Encryption Standard
AH        Authentication Header
ARIN      American Registry for Internet Numbers
AS        Autonomous System
AS-PATH   Autonomous System Path
BER       Basic Encoding Rules
BGP       Border Gateway Protocol
CA        Certificate Authority
CERT      Certificate
CN        Common Name (X.509 certificate)
CR        Certificate Revocation
CRL       Certificate Revocation List
DER       Distinguished Encoding Rules
DES       Data Encryption Standard
DH        Diffie-Hellman
DHCP      Dynamic Host Configuration Protocol
DIP       Dynamic IP
DN        Distinguished Name
DNS       Domain Name System
DOI       Domain of Interpretation
DoS       Denial of Service
DSA       Digital Signature Algorithm
DSS       Digital Signature Standard
EE        End Entity
ESP       Encapsulating Security Payload
FQDN      Fully Qualified Domain Name
HA        High Availability
HDLC      High-Level Data Link Control
HTTP      HyperText Transfer Protocol
HTTPS     HyperText Transfer Protocol Secure
ICMP      Internet Control Message Protocol
IKE       Internet Key Exchange
IP        Internet Protocol
IPSec     Internet Protocol Security
L2TP      Layer 2 Tunneling Protocol
LDAP      Lightweight Directory Access Protocol
LSA       Link State Advertisement
MD5       Message Digest 5
MIP       Mapped IP
NACN      NetScreen Address Change Notification
NAT       Network Address Translation
NAT-T     Network Address Translation Traversal (NAT Traversal)
NSO       Network Security Officer
NSRP      NetScreen Redundancy Protocol
NTP       Network Time Protocol
OSPF      Open Shortest Path First
PFS       Perfect Forward Secrecy
PKA       Public Key Authentication
PKCS      Public Key Cryptography Standards
PKI       Public Key Infrastructure
PLDAP     Primary Connection Lightweight Directory Access Protocol
PM        NetScreen Policy Manager
PPP       Point-to-Point Protocol
PPPoE     Point-to-Point Protocol over Ethernet
RADIUS    Remote Authentication Dial-In User Service
RSA       Rivest, Shamir, Adleman (authors of the RSA public-key algorithm)
RTO       Run-Time Objects
SA        Security Association
SCEP      Simple Certificate Enrollment Protocol
SHA       Secure Hash Algorithm
SMTP      Simple Mail Transfer Protocol
SNMP      Simple Network Management Protocol
SPI       Security Parameter Index
SSH       Secure Shell
SSL       Secure Sockets Layer
TFTP      Trivial File Transfer Protocol
UDP       User Datagram Protocol
UFQDN     User Fully Qualified Domain Name
URL       Uniform Resource Locator
VIP       Virtual IP
VLAN      Virtual Local Area Network
VOIP      Voice over IP
VPN       Virtual Private Network
VSD       Virtual Security Device
VSYS      Virtual System

Introduction

The messages explained in this book report events useful to system administrators when recording, monitoring, and tracing the operation of a NetScreen device. The messages provide information about the following kinds of events:

    Firewall attacks
    Configuration changes
    Successful and unsuccessful system operations

The following sections in the Introduction explain the separate components of each message and the available display options:

    Anatomy of a Message on page xviii
    Display Options on page xx
    Traffic Log Messages on page xxi


ANATOMY OF A MESSAGE

All messages consist of the following elements: Date, Time, Module, Severity Level, Message Type, and Message Text. For example:

    2001-9-25 12:02:57 system info 00767 netscreen: System Config saved from host 10.100.2.21

    Date          2001-9-25
    Time          12:02:57
    Module        system
    Level         info
    Type          00767
    Description   netscreen: System Config saved from host 10.100.2.21

The date shows the year-month-day on which the event occurred. The time shows the hour:minute:second at which the event occurred. The module shows where the event occurred (system in the example). The severity level places the event in one of eight levels of severity, using the hierarchical structure established by syslog, as shown in the following table. The message type is a code number; its meaning depends on the severity level it appears with (see below). The message text is the content of the event message. When an administrator performed the action, the message text begins with the administrator's login name; in the example, the administrator login name is netscreen.


Level  Name          Explanation
0      Emergency     The system has become unusable.
1      Alert         Immediate action is required.
2      Critical      Functionality is affected.
3      Error         An erroneous condition exists and functionality is probably affected.
4      Warning       Functionality might be affected.
5      Notification  Notification of normal events.
6      Information   General information about system operations.
7      Debugging     Detailed information useful for debugging purposes (currently not used).

The message type ID provides a number for classifying the category of each type of message. For example, a notification message with ID 00001 belongs in the address category, and a critical message with ID 00027 belongs in the admin category. You can find a list of message type ID numbers organized by severity level in the indexes at the back of this book:

    Emergency Messages on page A-1
    Alert Messages on page B-1
    Critical Messages on page C-1
    Error Messages on page D-1
    Warning Messages on page E-1
    Notification Messages on page F-1
    Information Messages on page G-1

The message text describes the event being reported and often contains detailed information such as IP addresses, port numbers, and specific configuration settings.


DISPLAY OPTIONS

By default, messages appear as described in the previous section, Anatomy of a Message on page xviii. Optionally, you can change the message display to include return-address information, which is useful for debugging purposes. To include the return address, use the following CLI command:

    set logging header-format return-address

The header of each message then carries the return address in parentheses after the message type ID, as the following examples illustrate:

    2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.
    2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.
    2001-9-25 11:28:38 system-information-00527(ra=0x8013b7d8): A DHCP-assigned IP address has been manually released from web 10.2.150.22.

To change the format back to the default style, use the following CLI command:

    set logging header-format detail

The messages no longer display the return-address information, as shown below:

    2001-9-25 10:56:03 system-critical-00027: Multiple login failures for user jSm1th from 10.100.2.171:80.
    2001-9-25 11:00:00 system-notification-00008: The system clock has been updated through NTP.
    2001-9-25 11:28:38 system-information-00527: A DHCP-assigned IP address has been manually released from web 10.2.150.22.

Any parser that consumes these logs must accept both header formats, since the setting can be changed at any time and the two forms differ only in the optional parenthetical.


TRAFFIC LOG MESSAGES

Message logging begins automatically when a device boots up. ScreenOS 4.0.0 supports a traffic log whose entries carry multiple fields. When the entries are sent to a syslog host, the syslog header precedes the NetScreen fields, as in this example:

    May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 system notification-0025 (traffic): start_time=2001-04-29 16:46:16 duration=88 policy_id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Tunnel(VPN_303) sent=102 rcvd=0 src=192.168.10.10 dst=10.10.10.1 icmp type=8

The following table breaks these fields down and describes them.

Field (example)                        Field Name              Description
May 18                                 Date Stamp              Date on which the message was generated.
15:59:26                               Time Stamp              Time at which the message was generated, in HH:MM:SS.
192.168.10.1                           Source IP Address       IP address of the device that generated the traffic log message.
ns204                                  Device Model            Model of the device that generated the traffic log message.
NetScreen device_id=0029012002000170   Device Serial Number    The 16-digit serial number NetScreen assigned to the device.
system notification                    Severity Level          Module and severity level of the event that produced the entry (see the list below).
0025                                   Type ID                 Message type ID, the code associated with the message type.
(traffic)                              Type                    Descriptive string for the entry type; session entries are marked (traffic).
start_time=2001-04-29 16:46:16         Start Time              Date and time at which the session began.
duration=88                            Duration                Length of the session in seconds, from start_time until the entry was written.
policy_id=2                            Policy ID               ID of the policy that matched the traffic.
service=icmp                           Service                 Service the traffic used. Common values are ICMP, TCP, and UDP, or a named service.
proto=1                                Protocol Number         IP protocol number of the traffic (1 = ICMP, 6 = TCP, 17 = UDP).
src zone=Trust                         Source Zone             Zone from which the traffic was forwarded.
dst zone=Untrust                       Destination Zone        Zone to which the traffic was forwarded.
action=Tunnel(VPN_303)                 Policy Action, VPN ID   Action the policy applied: permit (forward), deny, or tunnel. For tunneled traffic the VPN name follows in parentheses.
sent=102                               Bytes Sent              Bytes sent from the source to the destination.
rcvd=0                                 Bytes Received          Bytes sent back from the destination to the source.
src=192.168.10.10                      Source IP Address       IP address of the host that originated the traffic.
dst=10.10.10.1                         Destination IP Address  IP address of the host the traffic was sent to.
icmp type=8                            ICMP Type               Present for ICMP traffic only; 8 is an echo request.

The severity levels, from most to least severe, are: Emergency (the device is unusable), Alert (immediate action is required to resolve the event), Critical (functionality on the device is severely affected), Error (an error was reported on the device), Warning (functionality may be affected), Notification (the event is normal), Information (general information about the device), and Debug (a message related to debugging a problem on the device).

Note that some keys contain a space (src zone, dst zone, icmp type) and the start_time value contains one as well, so a parser that simply splits the entry on whitespace will pair the wrong tokens.
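The field layout above is regular enough to parse, provided the parser handles the two-word keys and the two-token start_time value. The following parser is added here and is not code from the guide or from NetScreen; it splits the syslog header from the NetScreen fields, extracts the key=value pairs with a pattern that tolerates a single space inside a key or inside the start_time value, converts the numeric counters, separates the VPN name from the action, and rejects a line that contains anything it did not understand. The sample line is constructed from the guide's example values.

```python
import re
from typing import Any, Dict

# Constructed sample in the syslog form shown in the table above; the serial
# number and addresses are the guide's own example values.
SAMPLE = (
    "May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 "
    "system notification-0025 (traffic): start_time=2001-04-29 16:46:16 "
    "duration=88 policy_id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust "
    "action=Tunnel(VPN_303) sent=102 rcvd=0 src=192.168.10.10 dst=10.10.10.1 icmp type=8"
)

# syslog header, then the NetScreen prefix up to "(traffic): ", then the body
_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<model>\S+): NetScreen device_id=(?P<serial>\S+) "
    r"(?P<module>\S+) (?P<severity>[a-z]+)-(?P<type_id>\d+) \((?P<kind>[a-z]+)\): "
    r"(?P<body>.*)$"
)

# A key is one word or two words joined by a single space ("src zone",
# "icmp type"); a value is one token, except start_time, whose date is
# followed by an HH:MM:SS token. Splitting the body on whitespace would
# therefore pair the wrong tokens.
_FIELD = re.compile(r"([A-Za-z_]+(?: [A-Za-z_]+)?)=(\S+(?: \d{2}:\d{2}:\d{2})?)")

# action=Tunnel(VPN_303) carries the VPN name; permit and deny carry none
_ACTION = re.compile(r"^(?P<action>[A-Za-z]+)(?:\((?P<vpn>[^)]*)\))?$")
_INT_FIELDS = {"duration", "policy_id", "proto", "sent", "rcvd", "icmp_type"}


def parse_traffic_log(line: str) -> Dict[str, Any]:
    """Parse one traffic-log line into header fields plus a 'fields' dict.

    Keys containing a space are normalised to underscores (src_zone,
    icmp_type). Raises ValueError for lines that are not traffic-log entries
    or that contain content the field pattern did not consume.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a NetScreen traffic-log line")
    rec: Dict[str, Any] = {k: v for k, v in m.groupdict().items() if k != "body"}
    body = m.group("body")

    fields: Dict[str, Any] = {}
    for fm in _FIELD.finditer(body):
        key = fm.group(1).replace(" ", "_")
        value = fm.group(2)
        fields[key] = int(value) if key in _INT_FIELDS else value

    # Everything except separating spaces must have been consumed as a
    # key=value pair; otherwise the line has a field we do not understand.
    leftover = " ".join(_FIELD.sub("", body).split())
    if leftover:
        raise ValueError(f"unparsed traffic-log content: {leftover!r}")

    am = _ACTION.match(fields.get("action", ""))
    if am:
        fields["action"] = am.group("action")
        fields["vpn"] = am.group("vpn")

    rec["fields"] = fields
    return rec


if __name__ == "__main__":
    record = parse_traffic_log(SAMPLE)
    f = record["fields"]
    print(f"{record['model']} {record['serial']}: {f['src']} -> {f['dst']} "
          f"{f['service']} {f['action']} vpn={f['vpn']} sent={f['sent']} rcvd={f['rcvd']}")
```

Rejecting lines with unconsumed content is deliberate: a silently dropped field is how a later ScreenOS release, or a device with a different log setting, ends up producing records that look complete but are missing the zone or the action.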


Messages

This section contains a compendium of all the NetScreen messages. Each entry gives the message text, an explanation of its meaning, and (when appropriate) a recommended action. The messages are grouped by subject, and within each subject by severity level, from the most severe to the least.

    Address on page 2
    Admin on page 5
    Auth on page 22
    BGP on page 27
    Clock on page 31
    Device on page 33
    DHCP on page 36
    DIP on page 42
    DNS on page 43
    Firewall on page 46
    Global on page 66
    High Availability on page 71
    IKE on page 95
    Interface on page 120
    L2TP on page 125
    Link Status on page 127
    Logs on page 128
    MIP on page 130
    NACN on page 131
    OSPF on page 137
    PKI on page 142
    PPPoE on page 199
    Policies on page 204
    Routes on page 206
    Schedule on page 213
    SCS on page 214
    Services on page 226
    SNMP on page 228
    Software Key on page 237
    SSL on page 238
    Syslog and WebTrends on page 244
    System on page 248
    Traffic Shaping on page 249
    Users on page 250
    VIP on page 251
    Virtual Systems on page 254
    VLANs on page 256
    VPNs on page 258
    Zones on page 264
    Traffic Log Messages on page 266

All messages reporting an administrative action include the location from which that action was made: the console, an admin's host IP address via SCS, Telnet, or the Web, or the LCD display (NetScreen-500). When devices are used in a redundant cluster for high availability, the message also states whether the action occurred on the master or the backup unit. Because the part of a message stating the source of an action is the same in all such messages, it is not included in the entries listed here. For more information, see Admin Information on page xi.


ADDRESS

These messages relate to the creation, modification, and removal of addresses.

Critical

Message: { arp req | arp reply }, detect IP conflict (<ip_addr>), mac <mac_addr> on interface <interface>
Meaning: An ARP request (or reply) received on the specified interface reveals that another network device is using the same IP address as the NetScreen interface, which creates a conflict. The MAC address in the message identifies the other device.
Action: Change the IP address of one of the devices.

Notification Level

Message: Address <mbr_name> for { ip address <ip_addr> | domain address <dom_name> } in zone <zone> has been { added | deleted | modified }
Meaning: An admin has added, deleted, or modified the address book entry <mbr_name> with the specified IP address (or domain name) in the security zone <zone>.
Action: No recommended action

Message: Address group <grp_name> has { added | deleted } member <mbr_name>
Meaning: An admin has added (or deleted) the address <mbr_name> in the address group <grp_name>.
Action: No recommended action


Message: Address group <grp_name> has been { added | deleted }
Meaning: An admin has added or deleted the address group <grp_name>.
Action: No recommended action

Message: Address group <grp_name> comments have been modified
Meaning: An admin has modified the comment for the address group <grp_name>.
Action: No recommended action

Message: Address group <grp_name1> group name has been changed to <grp_name2>
Meaning: An admin has assigned a new name (<grp_name2>) to an existing address group (<grp_name1>).
Action: No recommended action

Message: Address group <grp_name> has been { added | deleted | modified }
Meaning: An admin has added, deleted, or modified the specified address group (<grp_name>).
Action: No recommended action


Message: Address <name_str> for ip address <ip_addr> in zone <zone> has been { added | deleted | modified }
Meaning: An admin has added, deleted, or modified the address book entry <name_str> in the specified zone.
Action: No recommended action

Message: arp entry <ip_addr> interface changed!
Meaning: The ARP entry for <ip_addr> is now associated with a different interface than before; the device has learned that address on another interface. This can cause subsequent ARP errors.
Action: Confirm that the host really moved (for example after a cabling or VLAN change) and that no other device is answering for this address (see the Critical IP conflict message above); then correct the interface or address configuration.

Message: arp entry <ip_addr> interface changed old <interface1> new <interface2>!
Meaning: The ARP entry for <ip_addr> has moved from <interface1> to <interface2>. This can cause subsequent ARP errors.
Action: Confirm that the host really moved and that no other device is answering for this address; then correct the interface or address configuration.


ADMIN

These messages relate to the administration of the NetScreen device. SCS (Secure Command Shell) is the ScreenOS SSH management service.

Critical

Message: Device Reset (Asset Recovery) has been { performed | aborted }
Meaning: An admin has performed an asset recovery operation (or aborted one). An asset recovery returns ScreenOS to its factory default settings.
Action: After a successful asset recovery, an admin must reconfigure the NetScreen device. Confirm that the action was appropriate, and performed by an authorized admin.

Message: Multiple login failures occurred for user <usr_str>
Meaning: The user <usr_str> has made three unsuccessful login attempts. After three failed login attempts, the NetScreen device automatically terminates the connection.
Action: Repeated occurrences from the same source indicate a password-guessing attempt. Verify the source, and consider restricting management access to known addresses (see the Management restriction messages under Notification).


Warning

Message: [ Vsys ] Admin User <name_str> has logged { on | out } via { Telnet | SCS | console }
Meaning: An admin (<name_str>) has logged on or out through a console connection, an SCS session, or a Telnet session. The Vsys prefix appears when the admin belongs to a virtual system.
Action: No recommended action

Message: [ Vsys ] Admin User <name_str> logged in for Web({ http | https }) management (port <port_num1>)
Meaning: An admin (<name_str>) has logged on to the WebUI over HTTP or HTTPS on the specified management port.
Action: No recommended action

Message: Management session via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> } for [ vsys ] admin <name_str> timed out
Meaning: The management session that the named admin established via the console, Telnet, or SCS has expired after the idle timeout.
Action: No recommended action


Message: Login attempt to system by admin <name_str> via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> } has failed.
Meaning: An attempt by the named admin to log in to the NetScreen system via the console, Telnet, or SCS has failed.
Action: No recommended action for a single failure. If failures repeat from one source, see the Critical message "Multiple login failures occurred for user <usr_str>".

Message: [ Vsys ] Admin User <name_str> has logged out via { the console | Telnet from <ip_addr>:<port_num> | SCS from <ip_addr>:<port_num> }
Meaning: The named admin logged out of the NetScreen device from a console, Telnet, or SCS session.
Action: No recommended action

Message: The session limit threshold has been set to <number> on zone <zone>.
Meaning: An admin has set the session limit threshold on the security zone <zone> to <number> concurrent sessions.
Action: No recommended action

Message: Admin user <name_str> login attempt for Web{ https | http } management (port <number>) from <ip_addr>:<port_num> failed.
Meaning: The named admin failed to log on to the WebUI over HTTP or HTTPS from the specified IP address and port number.
Action: No recommended action for a single failure. If failures repeat from one source, see the Critical message "Multiple login failures occurred for user <usr_str>".


Message: Admin user <name_str> attempt access to <name_str> illegal from Web{ https | http } management (port <number>) from <ip_addr>:<port_num>.
Meaning: The named admin, connected to the WebUI over HTTP or HTTPS from the specified IP address and port number, attempted to access a resource (the second <name_str>) that the admin is not permitted to access.
Action: Confirm that the attempt was legitimate. Repeated attempts from one admin account may indicate probing beyond the privileges granted to it.
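The login-failure messages in this group, the Critical message "Multiple login failures occurred for user <usr_str>" above, the two header formats from Display Options, and the admin-name convention from Admin Information together describe everything a detection rule for sustained password guessing against the management interface needs. The following example is added here and is not code from the guide or from NetScreen: it parses event-log lines in either header format, splits off the admin name and location when the Admin Information convention applies, and flags any source IP that produced three or more critical-00027 events within a five-minute window. Each 00027 event already means three failed attempts and a dropped connection, so repeats from one source mean the client reconnected and kept guessing. The first three sample lines are the guide's Display Options examples; the remaining lines are constructed in the same format (the 00001 notification reuses the guide's example admin action).

```python
import bisect
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Event-log header in both display formats documented under Display Options:
#   2001-9-25 10:56:03 system-critical-00027: <text>
#   2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): <text>
_EVENT = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>[a-z]+)-(?P<severity>[a-z]+)-(?P<type_id>\d{5})"
    r"(?:\(ra=(?P<ra>0x[0-9a-fA-F]+)\))?: (?P<text>.*)$"
)

# Admin-action convention from Admin Information:
#   <admin_name>: <message text> from { the console | scs <ip> | telnet <ip> | web <ip> | the master | the backup | the LCD display }
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ADMIN = re.compile(
    r"^(?P<admin>[A-Za-z0-9_.-]+): (?P<action>.*?) from "
    r"(?P<source>the console|(?:scs|telnet|web) " + _IP + r"|the master|the backup|the LCD display)\.?$"
)

# Text of the Admin >> Critical >> 00027 message as shown in the Display Options examples
_LOGIN_FAIL = re.compile(
    r"^Multiple login failures for user (?P<user>\S+) from (?P<ip>" + _IP + r"):(?P<port>\d+)\.?$"
)


def parse_event(line: str) -> Optional[dict]:
    """Split one event-log line into its fields; None if it is not an event line."""
    m = _EVENT.match(line)
    if not m:
        return None
    ev = m.groupdict()  # ra is None when the default header format is in use
    ev["timestamp"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    ev["admin"] = ev["source"] = ev["action"] = None
    am = _ADMIN.match(ev["text"])
    if am:
        ev.update(am.groupdict())
    return ev


def repeated_login_failures(lines, threshold: int = 3, window_seconds: int = 300) -> Dict[str, List[str]]:
    """Flag source IPs with >= threshold critical-00027 events inside one window.

    Returns {source_ip: [user names tried, in time order]} for flagged sources.
    """
    by_src: Dict[str, List[tuple]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["severity"] != "critical" or ev["type_id"] != "00027":
            continue
        lf = _LOGIN_FAIL.match(ev["text"])
        if lf:
            by_src[lf.group("ip")].append((ev["timestamp"], lf.group("user")))

    flagged: Dict[str, List[str]] = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in by_src.items():
        events.sort()
        times = [t for t, _ in events]
        for i, t in enumerate(times):
            # count of events with timestamp in [t, t + window]
            if bisect.bisect_right(times, t + window) - i >= threshold:
                flagged[ip] = [u for _, u in events]
                break
    return flagged


# Constructed sample log (lines 1-3 are the guide's Display Options examples)
SAMPLE_LINES = [
    "2001-9-25 10:56:03 system-critical-00027(ra=0x8013b6fc): Multiple login failures for user jSm1th from 10.100.2.171:80.",
    "2001-9-25 11:00:00 system-notification-00008(ra=0x8013b754): The system clock has been updated through NTP.",
    "2001-9-25 11:28:38 system-information-00527(ra=0x8013b7d8): A DHCP-assigned IP address has been manually released from web 10.2.150.22.",
    "2001-9-25 10:56:41 system-critical-00027: Multiple login failures for user admin from 10.100.2.171:80.",
    "2001-9-25 10:57:20 system-critical-00027: Multiple login failures for user root from 10.100.2.171:80.",
    "2001-9-25 11:05:00 system-critical-00027: Multiple login failures for user netscreen from 10.2.150.9:80.",
    "2001-9-25 11:30:05 system-notification-00001: joe: Address group sales has been modified from web 10.10.2.171.",
]

if __name__ == "__main__":
    for ip, users in repeated_login_failures(SAMPLE_LINES).items():
        print(f"sustained login failures from {ip}: {', '.join(users)}")
```

The single 00027 event from 10.2.150.9 is not flagged; three from 10.100.2.171 within 77 seconds are. The threshold and window are the tunable parts: a lower threshold catches slow guessing at the cost of noise from admins who mistype a password, so pair the rule with the management-restriction messages in the Notification group rather than alerting on it alone.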

Warning

Message: ScreenOS <string> serial # <id_num>: Asset recovery has been aborted.
Meaning: An admin has aborted an asset recovery operation for the specified ScreenOS version (<string>) on the NetScreen device with the specified serial number.
Action: No recommended action

Notification

Message: System configuration has been erased.
Meaning: An admin has erased the system configuration, either through a successful asset recovery performed over a console connection or by executing the unset all command.
Action: The device must be reconfigured. Confirm that the action was appropriate, and performed by an authorized admin.


Message: Management restriction for <ip_addr> subnet <mask> has been { added | removed }
Meaning: An admin has either restricted management access to admins logging in from the specified IP address or subnet, or removed such a restriction. If no management restrictions remain, admins can manage the NetScreen device from any IP address, which is the default setting.
Action: If the restriction was removed, confirm that the action was appropriate, and performed by an authorized admin.

Message: Management restriction from all IPs and subnets has been removed
Meaning: An admin has removed all restrictions on accessing the NetScreen device. Admins can administer the NetScreen device from any IP address.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: System IP has been changed from <ip_addr1> to <ip_addr2>
Meaning: An admin has changed the system IP address.
Action: No recommended action

Message: { SCS | Telnet } port has been changed from <port_num1> to <port_num2>
Meaning: An admin has changed the port used for managing the device via SCS or Telnet from <port_num1> to <port_num2>.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

1HW6FUHHQ 0HVVDJH /RJ 5HIHUHQFH *XLGH

$GPLQ

1RWLILFDWLRQ 

Message Meaning Action

HTTP port has been changed from <port_num1> to <port_num2> An admin has changed the number (<port_num1> to <port_num2>) of the port used for managing the device via HTTP. Confirm that the action was appropriate, and performed by an authorized admin.

Message Meaning Action

SSL port changed from <port_num1> to <port_num2> An admin has changed the number (<port_num1> to <port_num2>) of the port used for managing the device via SSL. Confirm that the action was appropriate, and performed by an authorized admin.

Message Meaning

{ Root admin | Vsys admin } { password | name } has been changed by admin <name_str> Either of the following events has occurred: The root admin has changed the root password or user name, or the password or user name of any other admin. A vsys read/write admin has changed password.

Action

Confirm that the action was appropriate, and performed by an authorized admin.

Message: Admin user <name_str> password has been changed
Meaning: The password of the named admin user has been changed.
Action: No recommended action

Message: Vsys admin user <name_str> is modified
Meaning: The root admin has added the named vsys admin user, modified the user's administrative privileges, or deleted the user.
Action: No recommended action

Message: Admin user <name_str> has been { added | modified | deleted }
Meaning: The root admin has added the named admin user, modified the user's administrative privileges, or deleted the user.
Action: No recommended action. (An addition or privilege change that nobody expected is worth confirming with the root admin.)

Message: Web Admin Authentication idle timeout value has been changed from <number1> to <number2> minutes
Meaning: An admin has changed the management idle timeout value from <number1> minutes to <number2> minutes. If there is no activity for this period of time, the management session terminates.
Action: No recommended action

Message: Unexpected error from email server(state=<id_num>):
Meaning: The mail server returned an error while the NetScreen device was sending an e-mail notification; <id_num> identifies the state of the mail exchange at which the error occurred.
Action: Contact NetScreen.

Message: E-mail notification has been { enabled | disabled }.
Meaning: An admin has enabled or disabled e-mail notification of event alarms.
Action: No recommended action

Message: Mail server { IP address | domain name } has been changed.
Meaning: An admin has changed the IP address or domain name of the SMTP server used for sending e-mail event alarm notifications. Alarm e-mail now goes to the new server.
Action: No recommended action

Message: E-mail address { 1 | 2 } has been changed.
Meaning: An admin has changed the primary or secondary e-mail address to which the NetScreen device sends event alarm notifications.
Action: No recommended action

Message: Inclusion of traffic logs with e-mail notification of event alarms has been { enabled | disabled }.
Meaning: An admin has enabled or disabled the inclusion of traffic logs with e-mail event alarm notifications.
Action: No recommended action

Message: LCD control keys have been locked.
Meaning: An admin has locked the LCD control keys on a NetScreen device.
Action: No recommended action

Message: LCD display has been turned off and the LCD control keys have been locked.
Meaning: An admin has locked the LCD control keys and turned off the LCD display on a NetScreen device.
Action: No recommended action

Message: LCD display has been turned on.
Meaning: An admin has turned on the LCD display on a NetScreen device.
Action: No recommended action

Message: LCD display has been turned on and the LCD control keys have been unlocked.
Meaning: An admin has turned on the LCD display and unlocked the LCD control keys on a NetScreen device.
Action: No recommended action

Notification

Message: The console timeout value changed from <number1> to <number2> of minutes.
Meaning: An admin has changed the console idle timeout from <number1> to <number2> minutes. If there is no activity for this period of time, the console session terminates.
Action: No recommended action

Message: The console page size changed from <number1> to <number2>.
Meaning: An admin has changed the number of lines the console displays per page, from <number1> to <number2>.
Action: No recommended action

Information

Message: The local console has been { enabled | disabled }.
Meaning: An admin has enabled or disabled local console connectivity.
Action: No recommended action

Message: The console debug buffer has been { enabled | disabled }.
Meaning: An admin has enabled or disabled the console debug buffer.
Action: No recommended action

Information

Message: All System Config saved by admin <name_str>
Meaning: An admin has saved the system configuration to flash memory.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: System Config from flash to slot - <string> by admin <name_str>
Meaning: An admin has copied the system configuration from flash memory to a file on the memory card.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: The system configuration was loaded from the slot by admin <name_str>
Meaning: An admin has loaded a saved system configuration from a file on the memory card into RAM.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: System Config load from <ip_addr> (file <filename>) by admin <name_str>
Meaning: An admin has loaded a saved system configuration from a file (<filename>) on a TFTP server (<ip_addr>) into RAM.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: System Config load from <ip_addr> (file <filename>) to slot - <string> by admin <name_str>
Meaning: An admin has copied a saved system configuration from a file (<filename>) on a TFTP server (<ip_addr>) to a memory card in a slot (<string>).
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Save configuration to <ip_addr> (file: <filename>) by admin <name_str>
Meaning: An admin has saved the current configuration to a file (<filename>) on a TFTP server (<ip_addr>).
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Get new software from flash to slot (file: <filename>) by admin <name_str>
Meaning: An admin has saved the ScreenOS image from flash memory to a file (<filename>) on the memory card in the slot.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Save new software from slot (file: <filename>) to flash by admin <name_str>
Meaning: An admin has copied a ScreenOS image from a file (<filename>) on a memory card to flash memory.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Save new software from <ip_addr> (file: <filename>) to flash by admin <name_str>
Meaning: An admin has copied a ScreenOS image from a file (<filename>) on a TFTP server (<ip_addr>) to flash memory.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Get new software from <ip_addr> (file: <filename1>) to slot (file: <filename2>) by admin <name_str>
Meaning: An admin has loaded a ScreenOS image from a file (<filename1>) on a TFTP server (<ip_addr>) to a file (<filename2>) on a memory card.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Get new software to <ip_addr> (file: <filename>) by admin <name_str>
Meaning: An admin has saved the ScreenOS image to a file (<filename>) on a TFTP server (<ip_addr>).
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Admin <name> issued command <string> to redirect output.
Meaning: An admin has issued a command and redirected the command output to an external server, such as a TFTP server.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: System is operational.
Meaning: The system has finished initializing and is now operational.
Action: No recommended action

Message: The system configuration was saved by admin <name_str>
Meaning: An admin (<name_str>) has saved the system configuration.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: System Config saved to filename <filename>
Meaning: An admin saved the system configuration to the specified filename.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: System auto-config of file <name_str> from TFTP server <ip_addr> has been loaded successfully
Meaning: The NetScreen device has successfully loaded the specified configuration file from the TFTP server.
Action: No recommended action

Message: System auto-config of file <name_str> from TFTP server <ip_addr> has failed.
Meaning: The NetScreen device attempted to load the named configuration file from the specified TFTP server and failed.
Action: Verify that the TFTP server is operational and that the IP address is correct.

Message: New GMT zone: <number> seconds
Meaning: An admin set the time zone by specifying the number of seconds by which the local time is ahead of or behind Greenwich Mean Time (GMT).
Action: No recommended action

Message: The Daylight Saving Time ended
Meaning: Daylight saving time has ended. The NetScreen device automatically reverts to standard time if the option was previously set.
Action: No recommended action

Message: The Daylight Saving Time started
Meaning: Daylight saving time has started. The NetScreen device automatically adjusts to daylight saving time if the option was previously set.
Action: No recommended action

Message: System log was reviewed
Meaning: An admin viewed the system log.
Action: No recommended action

Message: Event log was reviewed
Meaning: An admin viewed the event log.
Action: No recommended action

Message: Asset-recovery log was reviewed
Meaning: An admin viewed the asset-recovery log.
Action: No recommended action

Message: Self log was reviewed
Meaning: An admin viewed the self log.
Action: No recommended action

Message: Traffic log was reviewed
Meaning: An admin viewed the traffic log.
Action: No recommended action

Message: Alarm log was reviewed
Meaning: An admin viewed the alarm log.
Action: No recommended action
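The Admin notifications above split into two groups: those with no recommended action and those whose Action is to confirm that an authorized admin performed them (management restrictions removed, management ports changed, admin credentials changed, configuration or ScreenOS images moved on or off the box, command output redirected). The following is an added example, not part of this guide or of ScreenOS, showing detection logic that pulls the second group out of a syslog feed into a review queue. The syslog framing "NetScreen device_id=<dev> [<vsys>]system-<severity>-<id>: <message>" is an assumption, the sample lines are constructed, and the message IDs (00000) are placeholders.

```python
"""Triage of ScreenOS admin event messages: pull out the notifications whose
reference Action is "Confirm that the action was appropriate" so they land in
a review queue, and let the rest pass.  Added example; the syslog framing and
the sample lines are constructed, and the message IDs (00000) are placeholders."""
import re
from collections import Counter

# Assumed syslog framing: "NetScreen device_id=<dev> [<vsys>]system-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^NetScreen device_id=(?P<dev>\S+)\s+\[(?P<vsys>[^\]]+)\]"
    r"system-(?P<sev>[a-z]+)-(?P<msgid>\d+):\s+(?P<text>.*)$"
)

# (pattern over the message text, risk, why the reference says to confirm it)
REVIEW_RULES = [
    (re.compile(r"Management restriction from all IPs and subnets has been removed"),
     "high", "device is now manageable from any source IP"),
    (re.compile(r"(Root|Vsys) admin (password|name) has been changed by admin"),
     "high", "administrative credential changed"),
    (re.compile(r"(Save|Get) new software"),
     "high", "ScreenOS image copied between flash, memory card or TFTP"),
    (re.compile(r"(HTTP|SSL) port (has been )?changed from"),
     "medium", "management port changed"),
    (re.compile(r"system config|save configuration to", re.IGNORECASE),
     "medium", "configuration saved, loaded, exported or erased"),
    (re.compile(r"issued command .* to redirect output"),
     "medium", "command output redirected to an external server"),
]

# Constructed sample feed (message IDs are placeholders, not real ScreenOS IDs).
SAMPLE_LOG = """\
NetScreen device_id=ns208 [Root]system-notification-00000: Management restriction from all IPs and subnets has been removed
NetScreen device_id=ns208 [Root]system-notification-00000: HTTP port has been changed from 80 to 8080
NetScreen device_id=ns208 [Root]system-notification-00000: Root admin password has been changed by admin netscreen
NetScreen device_id=ns208 [Root]system-notification-00000: Admin user ops password has been changed
NetScreen device_id=ns208 [Root]system-information-00000: System Config from flash to slot - config.txt by admin netscreen
NetScreen device_id=ns208 [Root]system-information-00000: Save new software from 10.1.1.20 (file: ns208.image) to flash by admin netscreen
NetScreen device_id=ns208 [Root]system-notification-00000: LCD display has been turned on.
NetScreen device_id=ns208 [Root]system-information-00000: System log was reviewed
NetScreen device_id=ns208 [Root]system-information-00000: Admin netscreen issued command get config to redirect output.
"""


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return the review-worthy events in log order, tagged with risk and reason."""
    items = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for pattern, risk, reason in REVIEW_RULES:
            if pattern.search(rec["text"]):
                # the acting admin appears either as "... by admin <name>" or "Admin <name> issued ..."
                who = re.search(r"(?:by admin|^Admin) (\S+)", rec["text"])
                items.append({"risk": risk, "reason": reason, "device": rec["dev"],
                              "admin": who.group(1) if who else None,
                              "text": rec["text"]})
                break  # first matching rule wins
    return items


def risk_counts(items):
    """How many high / medium items are waiting for review."""
    return Counter(i["risk"] for i in items)


if __name__ == "__main__":
    queue = triage(SAMPLE_LOG)
    for item in queue:
        print(f"[{item['risk']:6}] {item['reason']:<55} admin={item['admin']}")
    print(dict(risk_counts(queue)))
```

Events the reference marks "No recommended action" (the per-user password change, the LCD and log-review lines) are deliberately not matched; the point of the rules is to carry the guide's own Action column into the pipeline rather than to alert on every admin message.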

AUTH
The following messages relate to user authentication.

Alert

Message: Multiple authentication failures have been detected!
Meaning: The NetScreen device has detected multiple failed authentication attempts. (This message may include the user name and the source IP address.) An unauthorized party might be trying to access the NetScreen device.
Action: Research the owner of the source IP address and the user name to determine the cause of the multiple authentication failures. If they appear suspicious, notify your network security officer (NSO).

Warning

Message: User <usr_str> at <ip_addr1> must enter Next Code for SecurID <ip_addr2>
Meaning: The user at the specified IP address must enter the next token code from his or her SecurID card to authenticate with the SecurID server at the specified IP address.
Action: No recommended action
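The Alert above is raised by the device itself. The same detection can be rebuilt off-box from the individual failed-login warnings ("Admin user <name_str> login attempt for Web{ https | http } management (port <number>) from <ip_addr>:<port_num> failed."), which lets the threshold and window be tuned per environment and adds the distinction the Action asks the analyst to make: one admin name hammered from one source (password guessing) versus many names tried from one source (user-name spraying). This is an added example, not from the guide or from ScreenOS; the "YYYY-MM-DD HH:MM:SS" timestamp prefix is an assumption about how the log is collected, and the sample lines are constructed.

```python
"""Sliding-window detection of repeated admin authentication failures per
source IP, rebuilt from the per-attempt failure warnings.  Added example; the
timestamp prefix is an assumed collector format and the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Failed-login warning as documented, with an assumed timestamp in front.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Admin user (?P<user>\S+) login attempt for (?P<svc>.+?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) failed\.$"
)

# Constructed sample: a slow trickle (10.1.1.9), a burst against one admin name
# (10.1.1.5), an unrelated logout, and a spray across five names (192.168.7.3).
SAMPLE_LOG = """\
2004-04-15 11:00:00 Admin user netscreen login attempt for Web(http) management (port 80) from 10.1.1.9:40011 failed.
2004-04-15 11:05:00 Admin user netscreen login attempt for Web(http) management (port 80) from 10.1.1.9:40012 failed.
2004-04-15 11:10:00 Admin user netscreen login attempt for Web(http) management (port 80) from 10.1.1.9:40013 failed.
2004-04-15 11:29:00 Admin user netscreen login attempt for Web(https) management (port 443) from 10.1.1.5:3142 failed.
2004-04-15 11:29:05 Admin user netscreen login attempt for Web(https) management (port 443) from 10.1.1.5:3143 failed.
2004-04-15 11:29:10 Admin user netscreen login attempt for Web(https) management (port 443) from 10.1.1.5:3144 failed.
2004-04-15 11:29:15 Admin user netscreen login attempt for Web(https) management (port 443) from 10.1.1.5:3145 failed.
2004-04-15 11:29:20 Admin user netscreen login attempt for Web(https) management (port 443) from 10.1.1.5:3146 failed.
2004-04-15 11:29:25 Admin user netscreen login attempt for Web(https) management (port 443) from 10.1.1.5:3147 failed.
2004-04-15 11:29:40 Admin User netscreen has logged out via Telnet from 10.1.1.7:4020
2004-04-15 11:30:00 Admin user root login attempt for Web(http) management (port 80) from 192.168.7.3:50001 failed.
2004-04-15 11:30:04 Admin user admin login attempt for Web(http) management (port 80) from 192.168.7.3:50002 failed.
2004-04-15 11:30:08 Admin user netscreen login attempt for Web(http) management (port 80) from 192.168.7.3:50003 failed.
2004-04-15 11:30:12 Admin user backup login attempt for Web(http) management (port 80) from 192.168.7.3:50004 failed.
2004-04-15 11:30:16 Admin user ops login attempt for Web(http) management (port 80) from 192.168.7.3:50005 failed.
"""


def detect_auth_failures(log_text, threshold=5, window_seconds=60):
    """Count failed admin logins per source IP inside a sliding window.
    Emit one alert when a source reaches `threshold` failures within
    `window_seconds`, then restart the count for that source."""
    recent = defaultdict(deque)  # source ip -> deque of (time, user)
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # logouts, config changes and other messages are ignored
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((now, m["user"]))
        while q and (now - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            users = {u for _, u in q}
            alerts.append({
                "time": m["ts"], "ip": m["ip"], "failures": len(q),
                "distinct_users": len(users),
                # one name hammered = password guessing; many names = spraying
                "pattern": "password guessing" if len(users) == 1 else "user-name spraying",
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_auth_failures(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']}: {a['failures']} failures, "
              f"{a['distinct_users']} user name(s): {a['pattern']}")
```

The slow trickle from 10.1.1.9 never reaches five failures inside sixty seconds, so with the defaults it produces no alert; widening the window to an hour and lowering the threshold surfaces it, which is the trade-off the analyst tunes.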

Warning

Message: Local authentication for user <usr_str> was { denied | successful }.
Meaning: An authentication attempt by the user against the NetScreen device's local user database was either successful or denied.
Action: No recommended action

Message: WebAuth user <name_str> at <ip_addr1> has been { accepted | rejected/timedout } via the <string> server at <ip_addr2>
Meaning: The WebAuth user at the specified IP address has been accepted, rejected, or timed out by the specified authentication server (<string> names the server type).
Action: No recommended action

Message: Local authentication for WebAuth user <usr_str> was { denied | successful }
Meaning: The WebAuth user (<usr_str>) was authenticated against the local user database, and the attempt was either denied or successful.
Action: No recommended action

Message: Error in authentication for WebAuth user <usr_str>
Meaning: The user (<usr_str>) attempted authentication via the WebAuth authentication server, but encountered an error condition.
Action: No recommended action

Message: Admin user <name_str> has been { accepted | rejected } via the RADIUS server at <ip_addr>
Meaning: The named admin user has been accepted or rejected by the specified RADIUS server.
Action: No recommended action

Warning

Message: User <name_str> at <ip_addr> {RADIUS | SecurID | LDAP | Local } authentication attempt has timed out
Meaning: The authentication attempt for the user timed out. For RADIUS, SecurID, or LDAP, the NetScreen device could not reach the server or received no reply in time.
Action: Check the network cable connection, the IP address of the authentication server entered on the NetScreen device, and the authentication settings (such as the shared secret) on both the NetScreen device and the authentication server.

Information

Message: User <usr_str> at <ip_addr1> must enter the New PIN for SecurID <ip_addr2>
Meaning: The user at the specified IP address must enter the new PIN to authenticate with the SecurID server at the specified IP address.
Action: No recommended action

Message: User <usr_str> at <ip_addr1> must make a New PIN choice for SecurID <ip_addr2>
Meaning: The user at IP address <ip_addr1> must create a new user-generated PIN, accept a new system-generated PIN, or quit the session. The SecurID server is at IP address <ip_addr2>.
Action: No recommended action

Message: User <usr_str> at <ip_addr1> has selected a system-generated PIN for authentication with SecurID <ip_addr2>
Meaning: In response to a New PIN request, the specified user has chosen to let the SecurID server at <ip_addr2> generate the new PIN rather than entering one.
Action: No recommended action

Message: The new PIN for user <usr_str> at <ip_addr1> has been { accepted | rejected } by SecurID <ip_addr2>.
Meaning: The SecurID server at the specified IP address has accepted or rejected the specified user's new PIN.
Action: No recommended action

Information

Message: The device cannot contact the SecurID server
Meaning: The NetScreen device cannot make a network connection to the SecurID server.
Action: Check that the network and authentication settings on both the NetScreen device and the SecurID server are correctly configured, and that the SecurID server has an active physical network connection.

Message: The device cannot send data to the SecurID server
Meaning: The device cannot send data to the SecurID server because the server does not recognize the device as a registered client.
Action: Check that the SecurID server is configured to accept the NetScreen device as a client (agent host).

BGP
The following messages relate to the Border Gateway Protocol (BGP) used for dynamic routing.

Notification

Message: BGP instance in virtual router <vrouter> was removed from the device
Meaning: An admin removed a BGP routing instance from the specified virtual router.
Action: No recommended action

Message: BGP instance in virtual router <vrouter> was created
Meaning: An admin created a BGP routing instance in the specified virtual router.
Action: No recommended action

Message: BGP peer: <ip_addr> changed to Established state
Meaning: The BGP session with the specified peer has reached the Established state: the OPEN exchange completed, keepalives were exchanged, and the two speakers can now exchange UPDATE messages.
Action: No recommended action

Message: BGP peer: <ip_addr> changed to Idle state
Meaning: The BGP session with the specified peer has left a connection state and returned to Idle. In the Idle state the device neither accepts nor initiates a connection with that peer until the session is restarted.
Action: No recommended action. (If the transition was unexpected, look for an accompanying BGP error notification message explaining why the session dropped.)

Message: BGP peer: <ip_addr> is enabled
Meaning: An admin enabled the BGP peer with the specified address.
Action: No recommended action

Message: BGP peer: <ip_addr> is disabled
Meaning: An admin disabled the BGP peer with the specified address.
Action: No recommended action

Message: { Message Header Error | Open Message Error | Update Message Error }
Meaning: A BGP NOTIFICATION error occurred, caused by a bad message header, a bad OPEN message, or a bad UPDATE message. Each error type can result from several conditions, reported as the error subcode:
Message Header Error: Connection not Synchronized; Bad Message Length; Bad Message Type.
Open Message Error: Unsupported Version Number; Bad Peer Autonomous System; Bad BGP Identifier; Unsupported Optional Parameter; Authentication Failure; Unacceptable Hold Time.
Update Message Error: Malformed Attribute List; Unrecognized Well-known Attribute; Missing Well-known Attribute; Attribute Flags Error; Attribute Length Error; Invalid Origin Attribute; Autonomous System Routing Loop; Invalid NextHop Attribute; Optional Attribute Error; Invalid Network Field; Malformed AS_PATH.
Action: No recommended action. (Bad Peer Autonomous System, Bad BGP Identifier and Authentication Failure usually point to a configuration mismatch with the peer and are worth checking.)

Message: Received notification Invalid Error code from notification message
Meaning: The peer sent a NOTIFICATION message carrying an error code that the system does not recognize.
Action: Report the problem to NetScreen.
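The subcodes listed under the three error types above are the NOTIFICATION error subcodes of RFC 4271, in the same order. The following added example, not from this guide or from ScreenOS, encodes and decodes a BGP NOTIFICATION message (16-byte marker, 2-byte length, type 3, then error code, subcode and diagnostic data) and maps code and subcode to those names; an unrecognized error code yields the "Invalid Error code" case of the last row, and a truncated or mis-sized message is rejected rather than decoded. The messages and the peer AS value are constructed for the example.

```python
"""Encode/decode BGP NOTIFICATION messages and name their error code and
subcode per RFC 4271.  Added example; the messages below are constructed."""
import struct

# RFC 4271 section 4.5 / 6: error code -> (name, {subcode: name}).
# The three codes with subcodes are the ones the reference lists.
ERROR_CODES = {
    1: ("Message Header Error", {
        1: "Connection Not Synchronized", 2: "Bad Message Length", 3: "Bad Message Type"}),
    2: ("OPEN Message Error", {
        1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
        4: "Unsupported Optional Parameter", 5: "Authentication Failure",
        6: "Unacceptable Hold Time"}),
    3: ("UPDATE Message Error", {
        1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
        3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
        5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
        7: "AS Routing Loop", 8: "Invalid NEXT_HOP Attribute",
        9: "Optional Attribute Error", 10: "Invalid Network Field",
        11: "Malformed AS_PATH"}),
    4: ("Hold Timer Expired", {}),
    5: ("Finite State Machine Error", {}),
    6: ("Cease", {}),
}
MARKER = b"\xff" * 16
BGP_NOTIFICATION = 3
MIN_LEN = 21  # 19-byte header + error code + subcode


def build_notification(code, subcode, data=b""):
    """Marker, 2-byte length, 1-byte type, then error code, subcode and data."""
    length = MIN_LEN + len(data)
    return MARKER + struct.pack("!HBBB", length, BGP_NOTIFICATION, code, subcode) + data


def decode_notification(msg):
    """Return a dict naming the error; raise ValueError on a malformed message."""
    if len(msg) < MIN_LEN or msg[:16] != MARKER:
        raise ValueError("not a BGP NOTIFICATION: bad marker or too short")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_NOTIFICATION:
        raise ValueError(f"message type {mtype} is not NOTIFICATION")
    if length != len(msg):
        raise ValueError(f"length field {length} does not match {len(msg)} bytes on the wire")
    code, subcode, data = msg[19], msg[20], msg[21:]
    if code not in ERROR_CODES:
        # the case ScreenOS logs as "Received notification Invalid Error code"
        return {"code": code, "subcode": subcode, "error": "Invalid Error code",
                "detail": None, "data": data}
    name, subcodes = ERROR_CODES[code]
    # RFC 4271: subcode 0 is "Unspecific" when no subcode applies
    detail = subcodes.get(subcode, "Unspecific" if subcode == 0 else f"unknown subcode {subcode}")
    return {"code": code, "subcode": subcode, "error": name, "detail": detail, "data": data}


def safe_decode(msg):
    """decode_notification, but None instead of an exception for malformed input."""
    try:
        return decode_notification(msg)
    except ValueError:
        return None


def describe(msg):
    """One-line text in the style of the log messages above."""
    d = decode_notification(msg)
    if d["detail"] is None:
        return f"{d['error']} (code {d['code']})"
    extra = f" data={d['data'].hex()}" if d["data"] else ""
    return f"{d['error']} / {d['detail']}{extra}"


if __name__ == "__main__":
    # Constructed: peer rejected our AS 65001 (0xfde9) in the OPEN
    print(describe(build_notification(2, 2, b"\xfd\xe9")))
    print(describe(build_notification(3, 11)))
    print(describe(build_notification(9, 1)))
```

For Bad Peer AS the data field carries the rejected AS number, which is what to compare against the neighbor statement on the other side; the decoder surfaces it raw rather than guessing at the structure of data for every subcode.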

Message: BGP instance <name_str> created for vr <vrouter>
Meaning: An admin successfully created a BGP routing instance for the specified virtual router.
Action: No recommended action

Message: BGP instance deleted for vr <vrouter>
Meaning: An admin successfully removed the BGP routing instance of the specified virtual router.
Action: No recommended action

Message: BGP peer: <ip_addr> created
Meaning: An admin successfully configured a peer with the specified address for the current BGP routing instance.
Action: No recommended action

Message: BGP peer: <ip_addr> deleted
Meaning: An admin successfully removed the peer with the specified address from the current BGP routing instance.
Action: No recommended action

CLOCK
The following messages relate to the system clock.

Notification

Message: System clock configurations have been changed by admin <name_str>
Meaning: An admin has changed the configuration for the system clock.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: The system clock has been updated through NTP.
Meaning: The NetScreen system clock has used Network Time Protocol (NTP) to update itself automatically.
Action: No recommended action

Message: NTP settings have been changed
Meaning: An admin has changed at least one of the Network Time Protocol (NTP) settings.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: failed to get clock through NTP
Meaning: An attempt to retrieve the current time from the NTP server was unsuccessful.
Action: No recommended action. (If the failure recurs, check that the configured NTP server address is correct and reachable; an unsynchronized clock makes the timestamps in every other log message unreliable.)

Message: New system time: <number>
Meaning: An admin set the system time with the set clock command.
Action: No recommended action

Message: system clock is changed manually
Meaning: An admin changed the NetScreen device's clock, either by synchronizing it with the management client or through the CLI.
Action: No recommended action

DEVICE
The following messages relate to the physical hardware components of the NetScreen device.

Critical

Message: At least one power supply is not functioning properly
Meaning: At least one power supply is incorrectly seated, is unplugged, or is malfunctioning in some other way.
Action: Check that the power supplies are fully seated, that the power cords are plugged in to both power supplies and to active power sources, and that the power cords are undamaged. If the problem persists, replace the faulty power supply.

Message: The { primary | secondary } power supply is not functioning properly
Meaning: The primary or secondary power supply is incorrectly seated, unplugged, or malfunctioning in some other way.
Action: Check that the specified power supply is fully seated, that the power cord is plugged in to both the power supply and an active power source, and that the power cord is undamaged. If the problem persists, replace the power supply.

Message: At least one fan is not functioning properly
Meaning: At least one fan assembly is incorrectly seated, or malfunctioning in some other way.
Action: First check that the fan assembly is properly in place and that nothing is restricting air flow to the fans. If the problem persists, replace the fan assembly.

Message: The system temperature (<number1> C, <number2> F) is too high.
Meaning: The system temperature has exceeded the alarm threshold.
Action: First check that the fan assembly is functioning properly. If it is, check that nothing is restricting air flow to the fans. If it is not, check that the fan assembly is correctly seated; if the problem persists, replace the fan assembly. Also remove power from the device and wait until it cools. After it reaches an acceptable temperature range, reconnect the device to a power source and evaluate device components (such as the CPU board) to see whether any runs too hot. Report your findings to the network admin.

Message: The { primary | secondary } power supply is now functioning properly.
Meaning: The specified power supply, which had malfunctioned, has returned to normal operation.
Action: No recommended action

Message: All fans are now functioning properly.
Meaning: At least one fan that had malfunctioned has returned to normal operation.
Action: No recommended action

Message: All power supplies are functioning properly now.
Meaning: At least one power supply that had malfunctioned has returned to normal operation.
Action: No recommended action

Message: The auxiliary board has been pulled out or otherwise made inactive
Meaning: The auxiliary board has been pulled out by an admin or has otherwise become inactive.
Action: No recommended action. (If no admin removed the board, treat it as a hardware fault.)

Message: The board in slot <number>, has been pulled out or otherwise made inactive
Meaning: The module in the specified slot has been pulled out by an admin or has otherwise become inactive.
Action: No recommended action. (If no admin removed the module, treat it as a hardware fault.)

Critical

Message: System CPU utilization is high (<number1> alarm threshold:<number2>) <number3> times in 1 minute
Meaning: CPU utilization (<number1>) has exceeded the configured CPU alarm threshold (<number2>) <number3> times within one minute.
Action: If the alarm threshold is set too low for the device's normal load, raise it. Otherwise identify what is consuming CPU, for example a traffic surge or a flood attack.

DHCP
The following messages relate to Dynamic Host Configuration Protocol (DHCP). Some NetScreen devices can act as a DHCP server or relay agent. Some NetScreen devices can also act as a DHCP client. The following messages are divided into two sections: the first is for DHCP server and relay agent messages; the second is for DHCP client messages.

DHCP Server and Relay Agent

Critical

Message: The DHCP process cannot open file <filename> to { read | write } data.
Meaning: The Dynamic Host Configuration Protocol (DHCP) process cannot open the specified file to read or write IP address (lease) data.
Action: Try running DHCP again.

Message: DHCP file write: out of memory.
Meaning: The DHCP process cannot store IP address (lease) information to a file because the NetScreen device is out of memory.
Action: Try freeing up memory on the NetScreen device.

Notification

Message: DHCP server shared IP has been enabled
Meaning: An admin has allowed a reserved IP address to be assigned dynamically when it is not being used by the registered MAC address.
Action: No recommended action

Message: DHCP server has been { enabled | disabled }
Meaning: An admin has either enabled or disabled the NetScreen device's DHCP server function.
Action: No recommended action

Message: DHCP server option have been { changed | removed }
Meaning: An admin has changed or removed one or more of the DHCP options that were set, for example the IP addresses of the DNS servers, the gateway IP address, or the lease period.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: DHCP relay agent settings have been changed
Meaning: The NetScreen device has been configured to function as a DHCP relay agent, and an admin has changed or removed one or more of the relay agent settings.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Notification

Message: The DHCP server IP address pool has changed.
Meaning: The NetScreen device, acting as a DHCP server, has offered, committed, or freed at least one IP address in its DHCP address pool.
Action: No recommended action

Information

Message: One or more DHCP-assigned IP addresses have been manually released.
Meaning: An admin has manually released an IP address that the NetScreen device had assigned to a DHCP client. (The client then automatically requests another IP address.)
Action: No recommended action

Message: A DHCP-assigned IP address <ip_addr> has been { assigned to <mac_addr1> | freed from <mac_addr2> }.
Meaning: The NetScreen device, acting as a DHCP server, has either assigned or freed an IP address for a DHCP client with the specified MAC address.
Action: No recommended action

Message: MAC address <mac_addr> has detected an IP conflict and has declined address <ip_addr>.
Meaning: The DHCP client with the specified MAC address has detected an IP address conflict and has declined the specified address. (After a DHCP client has been offered an IP address and before it accepts it, the client checks whether any other host is using the same address. If the client finds no conflict, it accepts the address; if it does find one, it rejects the address.)
Action: No recommended action

Message: DHCP server has assigned or released an IP address.
Meaning: The NetScreen device, acting as a DHCP server, has either assigned or released an IP address.
Action: No recommended action

DHCP Client

Information

Message: DHCP client lease for <ip_addr> has expired
Meaning: The specified DHCP client IP address is no longer valid. (The NetScreen device automatically requests another IP address from the DHCP server.)
Action: No recommended action

Message: DHCP server <ip_addr> has assigned the untrust interface <interface> with lease <number>.
Meaning: The specified DHCP server has assigned an IP address to the named interface for the specified length of time.
Action: No recommended action

Message: An IP conflict has been detected and the DHCP client has declined address <ip_addr>.
Meaning: The DHCP client has detected an IP address conflict and has declined the specified address. (After a DHCP client has been offered an IP address and before it accepts it, the client checks whether any other host is using the same address. If the client finds no conflict, it accepts the address; if it does find one, it rejects the address.)
Action: No recommended action

Message: DHCP client IP <ip_addr> for the interface <interface> has been manually released.
Meaning: An admin has manually released the specified IP address assigned to the named interface acting as a DHCP client.
Action: No recommended action

Message: DHCP client is unable to get IP address for the untrust interface.
Meaning: The NetScreen device, acting as a DHCP client, requested an IP address (perhaps repeatedly) for the specified interface but did not receive one from the DHCP server.
Action: If none of the requests for an IP address from the DHCP server are successful, check the DHCP client settings on the NetScreen device and the settings on the DHCP server.

Information

Message: System auto-config of file <filename> from TFTP server <ip_addr> has { been loaded successfully | failed }.
Meaning: The NetScreen device, acting as a DHCP client, has either automatically loaded or failed to load the specified system configuration file from the specified TFTP server.
Action: No recommended action

DIP
The following messages relate to dynamic IP (DIP) addresses.

Notification

Message: IP pool <name_str> with range <ip_addr1>-<ip_addr2> has been { created | modified | deleted }
Meaning: An admin has created, modified, or deleted the DIP pool consisting of the specified range of IP addresses.
Action: No recommended action

DNS
The following messages concern Domain Name System (DNS) settings.

Notification

Message: Daily DNS lookup time has been changed.
Meaning: An admin has changed the time of day at which the NetScreen device performs the daily DNS lookup that resolves the domain names in its DNS table to IP addresses.
Action: No recommended action

Message: Daily DNS lookup has been disabled.
Meaning: An admin has disabled the automatic daily lookup of entries in the DNS table.
Action: To refresh the DNS table, an admin must manually invoke the DNS lookup operation.

Message: { Primary | Secondary } DNS server IP has been changed.
Meaning: An admin has changed the IP address of the primary or secondary DNS server.
Action: No recommended action

Message: DNS cache table has been cleared.
Meaning: An admin has cleared the DNS entries stored in the cache.
Action: No recommended action

Notification

Message: Hostname set to <name_str>
Meaning: The admin set the name of the NetScreen device. The default name is based on the model of the device.
Action: No recommended action

Message: Domain set to <name_str>
Meaning: The admin set the domain name of the NetScreen device.
Action: No recommended action

Message: DNS has been refreshed.
Meaning: The NetScreen device has just performed a DNS lookup and refreshed its DNS table of domain name to IP address mappings. Each domain name has an IP address that identifies the same device that the domain name does. The device stores both the domain names and the IP addresses in the system cache and continually updates the cache with new domain name and address information coming into the device. This information is made available for checking by performing system refreshes.
Action: No recommended action

Information
Message: DNS entries have been { manually | automatically } refreshed.
Meaning: An admin has refreshed the entries in the DNS table, or the NetScreen device has refreshed the entries through a scheduled operation.
Action: No recommended action

Message: DNS entries have been refreshed by HA.
Meaning: HA has refreshed the entries in the DNS table.
Action: No recommended action

FIREWALL
The following messages concern firewall settings and reports of attacks.

Emergency
Message: SYN flood has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of SYN packets arriving at the specified interface from the specified source IP address and port, destined for the specified IP address and port, and using Transmission Control Protocol (TCP). The number indicates how many consecutive times per second the internal timer detected SYN packets in excess of the SYN attack alarm threshold.
Action: First determine whether a valid SYN flood attack triggered the alarm. If the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm. In that case, you might want to adjust the SYN flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message: syn proxy drop packet with unknown mac!
Meaning: The NetScreen device, operating in Transparent mode, detected a SYN attack and dropped a SYN packet containing an unknown MAC address. Generally, when a NetScreen device detects a SYN attack, it proxies all TCP connection requests. However, when in Transparent mode, the device cannot proxy a TCP connection request if the destination MAC address is not in its MAC learning table. By default, a NetScreen device passes such packets. In this case, the NetScreen device dropped the SYN packet because an admin had previously configured it to do so.
Action: No recommended action

Message: Teardrop attack has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]
Meaning: The NetScreen device has detected a Teardrop attack at the specified interface, from the specified source IP address and port, destined for the specified IP address and port, and using the specified protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number of times the attack occurred indicates how many consecutive fragmented packets per second the NetScreen device received and was unable to reassemble because of discrepant fragment sizes and offset values. A Teardrop attack exploits the reassembly of fragmented packets, altering the offset values used when recombining fragments so that the target device cannot successfully complete the reassembly procedure. A flood of such packets can force the target device to expend all its resources on reassembling fragmented packets, causing a denial-of-service (DoS) for legitimate traffic.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message: Ping of Death has been detected! From <ip_addr1> to <ip_addr2>, using protocol 1, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an attempted Ping of Death attack at the specified interface, from the specified source IP address, destined for the specified IP address, and using the specified protocol (1). The number of times the attack occurred indicates how many consecutive oversized ICMP echo requests (or PINGs) per second the NetScreen device received. When encountering a Ping of Death attack, the NetScreen device detects grossly oversized ICMP packets and rejects them.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Alert
Message: Multiple authentication failures have been detected!
Meaning: The NetScreen device has detected multiple authentication failures from the same source IP address.
Action: No recommended action

Message: WinNuke attack has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:139, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and corrected the overlapping offset value of a NetBIOS Session Service (port 139) packet from the specified source IP address and port number, destined for the specified address, using TCP, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected tampered NetBIOS Session Service (port 139) packets.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message: IP spoof has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]
Meaning: The NetScreen device has detected and rejected a packet whose source IP address, and the interface at which it arrived, conflict with the NetScreen route table. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected incidents of spoofed IP packets.
Action: If the IP spoofing continues long enough and you consider it worth the effort, contact your upstream service provider to initiate a backtracking operation, basically tracking packets with the spoofed address from router to router back to their actual source. After locating the source, investigate it to determine if it is the instigator or merely an innocent and unwitting pawn hosting a zombie agent controlled by another device.

Message: IP Source Route has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]
Meaning: The NetScreen device has detected and blocked a packet having the source route option enabled in its header. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected packets with the source route option enabled in their headers. In IP, the source route option can contain routing information that specifies a different source IP address than that in the packet header. The NetScreen device rejects any packets with this option enabled.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Message: Land attack has been detected! From <ip_addr1>:<port_num> to <ip_addr2>:<port_num>, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and blocked SYN packets whose source IP addresses have been spoofed to be the same as the destination addresses. The packets used TCP and arrived at the specified interface. The number indicates how many consecutive times per second the internal timer detected incidents of spoofed IP packets with identical source and destination IP addresses. By combining elements of the SYN flood defense and IP spoofing detection, the NetScreen device blocks any attempted attacks of this nature.
Action: If the attack continues long enough and you consider it worth the effort, contact your upstream service provider to initiate a backtracking operation, basically tracking packets with the spoofed address from router to router back to their actual source. After discovering the source, investigate it to determine if it is the instigator or merely an innocent and unwitting pawn hosting a zombie agent controlled by another device.

Message: ICMP flood has been detected! From <ip_addr1> to <ip_addr2>, using protocol 1, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of ICMP echo requests arriving at the specified interface from the specified source IP address, and destined for the specified IP address. The number indicates how many consecutive times the internal timer detected ICMP echo requests in excess of the ICMP attack alarm threshold.
Action: First determine whether a valid ICMP flood attack triggered the alarm. If the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server, it might be a false alarm. In that case, you might want to adjust the ICMP flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message: UDP flood has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol UDP, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of UDP packets arriving at the specified interface from the specified source IP address and port, destined for the specified IP address and port, and using User Datagram Protocol (UDP). The number indicates how many consecutive times the internal timer detected UDP packets in excess of the UDP attack alarm threshold.
Action: First, determine whether this was indeed a UDP flood attack by checking whether the NetScreen device is processing Voice-over-IP (VoIP) or Video over IP (H.323) traffic, which can appear to the device as a flood of UDP traffic. Second, determine whether this was an attack by checking whether the traffic originated from a small number of consistently fixed IP addresses or was destined for a popular server. If so, it might be a false alarm, and you might want to adjust the ICMP flood alarm threshold. If the traffic came from a wide range of noncontiguous IP addresses or was bound for IP addresses that do not normally receive much traffic, it was probably an attack. In that case, contact your network security officer (NSO) and your upstream service provider to resolve the issue.

Message: Port scan has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number1> }, on interface <interface>. [ The attack occurred <number2> times. ]
Meaning: The NetScreen device has detected an excessive number of port scans arriving at the specified interface from the specified source IP address and port, destined for the specified IP address, and using the specified protocol. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message. Also, the destination port number that appears in the message is the one in the packet that triggered the port scan detection feature.) The number indicates how many times the event was logged.
Action: Investigate the source IP address. If the address belongs to a server, verify that it is not infected with a port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and resolve the issue with the owner of the address. Note: If you enable logging on your basic inbound deny-any policy, all inbound denied packets are logged in the logging table associated with that policy. This allows you to check for patterns of activity and more easily distinguish suspicious activity from innocent activity.

Message: Address sweep has been detected! From <ip_addr1> to <ip_addr2>, using protocol 1, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of IP address scans arriving at the specified interface from the specified source IP address, and using the ICMP protocol. (Note: The destination IP address that appears in the message is the one in the packet that triggered the address sweep detection feature.) The number indicates how many consecutive times per second the internal timer detected IP addresses being scanned in excess of the address sweep alarm threshold.
Action: Investigate the source IP address. If the address belongs to a server, verify that it is not infected with a port-scanning worm. If the address raises suspicion, notify your network security officer (NSO) and resolve the issue with the owner of the address. Note: If you enable logging on your basic inbound deny-any policy, all inbound denied packets are logged in the logging table associated with that policy. This allows you to check for patterns of activity and more easily distinguish suspicious activity from innocent activity.

Critical
Message: inconsistent configuration between master and slave
Meaning: The configurations of the master device and the slave device differ.
Action: No recommended action

Message: Deny Policy Alarm
Meaning: Content to come.
Action: No recommended action

Message: Malicious URL has been detected! From <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>, using protocol TCP, on interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected and rejected a HyperText Transport Protocol (HTTP) packet with a URL containing a malicious string used to attack Web servers. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the Transmission Control Protocol (TCP), and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected packets with such malicious URL strings.
Action: No recommended action

Message: Session threshold has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an excessive number of packets from the same source IP address, destined for the specified IP address, using the specified protocol, and arriving at the specified interface. (Note: If the protocol is not TCP or UDP, the source and destination port numbers are not included in the message.) The number indicates how many consecutive times per second the internal timer detected packets in excess of the session threshold.
Action: Investigate the source IP address and check the session threshold setting. If the address belongs to a server with a high number of sessions, valid traffic from the address might exceed the threshold. In that case, you might want to adjust the threshold. If the source address raises suspicion, check whether it is infected with a port-scanning worm (which can quickly generate thousands of sessions) and notify your network security officer (NSO).

Message: No tcp flag has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected a TCP packet with a missing or malformed flags field. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected TCP packets without any flags set.
Action: No recommended action

Message: IP bad option has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device detected a packet in which the list of IP options in the IP datagram header is incomplete or malformed. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected packets with an incomplete or malformed IP options list.
Action: No recommended action

Message: SYN and FIN set has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]
Meaning: The SYN and FIN flags are not normally set in the same packet. The NetScreen device has detected a packet with both the SYN and FIN flags set. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected TCP packets with both the SYN and FIN flags set.
Action: No recommended action

Message: FIN without ACK has been detected! From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]
Meaning: TCP packets with the FIN flag set normally also have the ACK bit set. The NetScreen device has detected a packet in which the FIN flag is set but the ACK bit is not set in the flags field. The packet came from the specified source IP address and port number, bound for the specified destination address and port number, using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected TCP packets that have the FIN flag set without the ACK bit set.
Action: No recommended action

Message: ip fragment, From <ip_addr1>:<port_num1>, to <ip_addr2>:<port_num2>, using protocol { TCP | UDP | <number> }, and arriving at interface <interface>. [ The attack occurred <number> times. ]
Meaning: An admin has enabled the screen option that allows the NetScreen device to block all IP packet fragments that it receives at interfaces bound to a specific security zone.
Action: No recommended action
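The attack alarms above share one message format, so here is an added example (written for this page, not code from the guide or from ScreenOS) of a Python parser for that format together with the guide's own false-alarm heuristic for the SYN, ICMP and UDP flood alarms. The sample log lines, their timestamp prefix and the few_sources cut-off are constructed assumptions, not values from the guide.

```python
"""Parser and first-pass triage for the ScreenOS firewall attack alarms
documented above (example code added to this page, not from the guide)."""
import re
from collections import defaultdict

# Both message shapes in the Firewall section carry the same fields:
#   "<attack> has been detected! From A[:p] to B[:q], using protocol P, on interface I. [ The attack occurred N times. ]"
#   "<attack> has been detected! From A[:p], to B[:q], using protocol P, and arriving at interface I. [ ... ]"
ATTACK_RE = re.compile(
    r"(?P<attack>[A-Za-z][A-Za-z ]*?) has been detected! "
    r"From (?P<src>[\d.]+)(?::(?P<sport>\d+))?,? "
    r"to (?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"using protocol (?P<proto>\w+), "
    r"(?:on|and arriving at) interface (?P<iface>\S+?)\."
    r"(?: The attack occurred (?P<count>\d+) times\.)?"
)

FLOOD_ATTACKS = {"SYN flood", "ICMP flood", "UDP flood"}


def parse_attack_message(line):
    """Return the fields of one attack alarm, or None if the line is not one.
    Ports are None for non-TCP/UDP protocols, as the guide notes; a missing
    '[ The attack occurred N times. ]' suffix counts as a single occurrence."""
    m = ATTACK_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "attack": g["attack"],
        "src": g["src"], "sport": int(g["sport"]) if g["sport"] else None,
        "dst": g["dst"], "dport": int(g["dport"]) if g["dport"] else None,
        "proto": g["proto"], "iface": g["iface"],
        "count": int(g["count"]) if g["count"] else 1,
    }


def triage_floods(events, few_sources=3):
    """Apply the guide's false-alarm heuristic to flood alarms: group by
    (attack, destination); a few fixed sources suggests a threshold set too
    low, many sources across noncontiguous /24s suggests a real flood.
    few_sources is an assumed local tuning knob, not a ScreenOS setting."""
    sources = defaultdict(set)
    for e in events:
        if e and e["attack"] in FLOOD_ATTACKS:
            sources[(e["attack"], e["dst"])].add(e["src"])
    verdicts = {}
    for key, srcs in sources.items():
        prefixes = {s.rsplit(".", 1)[0] for s in srcs}   # crude /24 grouping
        if len(srcs) <= few_sources:
            verdicts[key] = "possible false alarm: review the flood alarm threshold"
        elif len(prefixes) > 1:
            verdicts[key] = "probable attack: notify NSO and upstream provider"
        else:
            verdicts[key] = "inconclusive: many sources in one /24, check whether the destination is a busy server"
    return verdicts


# Constructed sample log lines in the documented format (not captured from a device).
SAMPLE_LOG = [
    "2003-04-01 10:00:01 SYN flood has been detected! From 10.1.1.5:3344 to 192.0.2.10:80, using protocol TCP, on interface ethernet3. The attack occurred 12 times.",
    "2003-04-01 10:00:02 SYN flood has been detected! From 10.1.1.6:4000 to 192.0.2.10:80, using protocol TCP, on interface ethernet3. The attack occurred 3 times.",
    "2003-04-01 10:00:05 ICMP flood has been detected! From 198.51.100.7 to 192.0.2.20, using protocol 1, on interface ethernet3.",
    "2003-04-01 10:00:05 ICMP flood has been detected! From 198.51.100.8 to 192.0.2.20, using protocol 1, on interface ethernet3.",
    "2003-04-01 10:00:06 ICMP flood has been detected! From 203.0.113.9 to 192.0.2.20, using protocol 1, on interface ethernet3.",
    "2003-04-01 10:00:06 ICMP flood has been detected! From 203.0.113.44 to 192.0.2.20, using protocol 1, on interface ethernet3.",
    "2003-04-01 10:00:09 Session threshold has been detected! From 10.9.9.9:5000, to 192.0.2.30:443, using protocol TCP, and arriving at interface ethernet3. The attack occurred 5 times.",
    "2003-04-01 10:00:10 SYN flood alarm threshold is set to 1000.",   # a notification, not an attack alarm
]

if __name__ == "__main__":
    events = [parse_attack_message(line) for line in SAMPLE_LOG]
    for e in events:
        print(e)
    for key, verdict in triage_floods(events).items():
        print(key, "->", verdict)
```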

Notification
Message: <name_str> has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled one of the following firewall protection or packet handling options:
    IP spoofing protection
    Teardrop attack protection
    Ping of death protection
    IP source route filtering protection
    SYN flood protection
    Land attack protection
    ICMP flood protection
    UDP flood protection
    WinNuke attack protection
    Port scan protection
    IP sweep protection
    Java/ActiveX/ZIP/EXE blocking
    Default packet-deny policy
    Bypass-others-IPSec option
    Bypass non-IP traffic option
    Deny policy alarm option
Action: No recommended action

Message: SYN flood { alarm threshold | packet queue size | timeout value | attack threshold | same source IP threshold } is set to <number>.
Meaning: An admin has changed the SYN flood alarm threshold, packet queue size, timeout value, attack threshold, or attack threshold from the same source IP address to the specified setting.
Action: No recommended action

Message: SYN flood timeout has been set to <number> on <zone> <name_str>.
Meaning: An admin has changed the SYN flood timeout value for the specified zone.
Action: No recommended action

Message: { ICMP | UDP } flood alarm threshold has been changed to <number>/second.
Meaning: An admin has changed the ICMP or UDP flood alarm threshold from the same source IP address to the specified setting.
Action: No recommended action

Message: Logging of { dropped | IKE | SNMP | ICMP } traffic to self has been { enabled | disabled }.
Meaning: An admin has enabled or disabled the logging of dropped traffic, IKE traffic, SNMP traffic, or ICMP traffic destined for the NetScreen device.
Action: No recommended action

Message: The SYN flood { alarm threshold | packet queue size | timeout value | attack threshold | same source IP threshold } has been set to <number> on <zone> <name_str>.
Meaning: An admin has changed the SYN flood alarm threshold, packet queue size, timeout value, attack threshold, or attack threshold from the same source IP address for the specified zone.
Action: No recommended action

Message: SYN flood { same destination ip | same source ip } threshold has been set to <number> on <zone> <name_str>.
Meaning: An admin has changed the SYN flood same destination IP or same source IP threshold for the specified zone.
Action: No recommended action

Message: The SYN-ACK-ACK proxy threshold value has been set to <number> on <interface> <name_str>.
Meaning: Establishing multiple telnet sessions without letting each one complete uses up all open slots, creating a denial-of-service (DoS) condition. The SYN-ACK-ACK proxy protects your device from such a DoS. You can set the threshold to a level that tests how many sessions are created; when the number exceeds the threshold, the system generates an alarm.
Action: No recommended action

Message: Screen service <serv_name> is { enabled | disabled } on <zone> <name_str>.
Meaning: The specified screen service has been enabled or disabled for the current zone.
Action: No recommended action

Message: Screen service <serv_name> is { enabled | disabled } on interface <name_str>.
Meaning: The specified screen service has been enabled or disabled for the current interface.
Action: No recommended action

Message: SYN flood drop pak in xparent mode when receiving unknown dst mac has been enabled on <zone> <name_str>.
Meaning: An admin has instructed the device to drop SYN packets containing unknown destination MAC addresses. Generally, when a NetScreen device detects a SYN attack, it proxies all TCP connection requests. However, when in Transparent mode, the device cannot proxy a TCP connection request if the destination MAC address is not in its MAC learning table. By default, a NetScreen device passes such packets. In this case, an admin has configured the NetScreen device to drop SYN packets with unknown destination MAC addresses with the command: set zone <zone> screen syn-flood drop-unknown-mac
Action: No recommended action

Message: { IP sweep | Port scan | UDP flood | ICMP flood } threshold has been set to <number> on <zone> <name_str>.
Meaning: The threshold for address sweep, port scan, UDP flood, or ICMP flood has been set for the specified zone.
Action: No recommended action

Message: The session limit threshold has been set to <number> on <zone> <name_str>.
Meaning: The session limit threshold has been set for the specified zone.
Action: No recommended action

GLOBAL
The following messages relate to configuration changes to NetScreen-Global PRO central management software.

Critical
Message: An intruder has attempted to connect to the NetScreen-Global PRO port! From <ip_addr1>:<port_num1> to <ip_addr2>:15400, using protocol { TCP | UDP | <number> }, at interface <interface>. [ The attack occurred <number> times. ]
Meaning: The NetScreen device has detected an unauthorized attempt to connect to the device via the NetScreen-Global PRO port. The connection attempt was from the specified source IP address and port number, to the specified address and port number (15400 for NetScreen-Global PRO Report Manager), using the specified protocol, and arriving at the specified interface. The number indicates how many consecutive times per second the internal timer detected unauthorized connection attempts to the NetScreen-Global PRO port.
Action: Investigate the source IP address by checking a service such as the American Registry of Internet Numbers (ARIN) in the United States and performing a Whois lookup on the address. If the source address raises suspicion, notify your network security officer (NSO).

Notification
Message: <name_str> { primary | secondary } host has been set to { dom_name | IP_addr }.
Meaning: An admin has changed the IP address or domain name of the Global PRO primary or secondary host.
Action: No recommended action

Message: <name_str> has been { enabled | disabled }.
Meaning: An admin has enabled or disabled Global-PRO manageability.
Action: No recommended action

Message: <name_str> { primary | secondary } host has been disabled.
Meaning: An admin has disabled the Global-PRO primary or secondary host.
Action: No recommended action

Message: User-defined service <serv_name> has been { added | removed } from <name_str> distribution.
Meaning: An admin has either added or removed the specified user-defined service from the Global-PRO protocol distribution table.
Action: No recommended action

Message: <name_str> timeout value has been returned to the default: 30 seconds.
Meaning: An admin has returned the NetScreen-Global PRO timeout value to its default setting.
Action: No recommended action

Message: <name_str> timeout value has been changed to <number> seconds.
Meaning: An admin has changed the NetScreen-Global PRO timeout value to the specified number of seconds.
Action: No recommended action

Message: Reporting of { the <name_str1> table | <name_str2> alarms | <name_str3> logs } to <name_str4> has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the inclusion of one of the following Global PRO tables, alarms, or logs in reports to NetScreen-Global PRO:
    Protocol distribution table
    Ethernet statistics table
    Attack statistics table
    Flow statistics table
    Policy table
    Traffic alarms
    Attack alarms
    Miscellaneous alarms
    Configuration logs
    Information logs
    Self-Management logs
    Traffic logs
When one of the above tables is enabled, the NetScreen device reports that type of information to the Global PRO data collector (DC). When one of the above tables is disabled, the device does not report that information to the DC.
Action: No recommended action

Information
Message: Cannot connect to <name_str> data collector at <ip_addr>.
Meaning: The NetScreen device cannot make a network connection to the NetScreen-Global PRO data collector (DC) at the specified IP address.
Action: Check that the DC IP address settings are correct and that the DC is connected to the network and functioning properly.

Message: Device is not known to <name_str> data collector at <ip_addr>.
Meaning: The NetScreen device is not registered with the NetScreen-Global PRO data collector (DC) at the specified IP address.
Action: Using the NetScreen-Global PRO program, register the NetScreen device with the DC.

Message: Lost connection to <name_str> data collector at <ip_addr>.
Meaning: The TCP connection between the NetScreen device and the NetScreen-Global PRO data collector (DC) at the specified IP address has been lost.
Action: Check that the DC has an active network link, is currently running, is accepting new connections at the specified IP address, and is accessible from the NetScreen device.

Message: Connection to <name_str> data collector at <ip_addr> has timed out.
Meaning: The NetScreen-Global PRO data collector (DC) at the specified IP address has stopped responding to the keep-alive messages sent by the NetScreen device.
Action: Check that the DC has an active network link, is currently running, is accepting new connections at the specified IP address, and is accessible from the NetScreen device.

Message: Lost socket connection to <name_str> data collector at <ip_addr>.
Meaning: Due to a network failure, the TCP connection between the NetScreen device and the NetScreen-Global PRO data collector (DC) at the specified IP address has been lost.
Action: Check the network, and make sure that the DC is accessible from the NetScreen device.

Message: Device has connected to the <name_str> { primary | secondary } data collector at <ip_addr>.
Meaning: The NetScreen device has established a TCP connection to either the primary or secondary NetScreen-Global PRO data collector (DC) at the specified IP address.
Action: No recommended action

Message: Connection to <name_str> data collector at <ip_addr> has been closed.
Meaning: An admin has closed the TCP connection between the NetScreen device and the NetScreen-Global PRO data collector at the specified IP address.
Action: No recommended action

HIGH AVAILABILITY
The following messages concern high availability (HA) settings, features, and operations using the NetScreen Redundancy Protocol (NSRP), and the related functionality of IP tracking. It is divided into the following sections: HA and NSRP on page 71; Path Monitoring on page 92.

HA and NSRP
Critical
Message: Configuration out of sync between local unit and remote unit
Meaning: The local device to which the administrative session is linked is not in synchronization with the remote device (the other device in the NSRP cluster).
Action: Perform a manual synchronization.

Message: no HA <string> channel available (<string> used by other channel)
Meaning: The link to which the channel attempted to move is unavailable because it is in use by another channel type. For example, the data channel was unable to move to another link because the control channel is on that link.
Action: No recommended action

Message: HA { control | data } channel moved from link { up | down } to { up | down } (<interface>)
Meaning: An HA link is a physical connection, typically an Ethernet cable joining the two devices in a redundancy arrangement, or a LAN (typically a 10/100 switch) to which both devices connect. Besides the active link, a second link called the link candidate is present and can serve as a backup if the active link fails. A channel is a logical connection that resides on a link, and is one of two types:
- Control channel: performs HA tasks, including copying configuration and session information to the peer device (synchronization). The control channel has a higher priority than the data channel.
- Data channel: forwards packets between the cluster members over the link. The data channel has a lower priority than the control channel.
In this instance, the link in use stopped running and the link candidate now attempts to carry the channel.
Action: No recommended action

Message: NSRP link { up | down }.
Meaning: The physical link used for NSRP communications has become either active or inactive.
Action: Try to determine why the link went down. Typical reasons include the cable being unplugged, the cable not being seated correctly in the port, or a faulty cable, possibly due to an electrical short. Also check whether you can establish a link on the port.

Message: HA control channel change to <interface>.
Meaning: The name of the physical interface that sends and receives control messages between the members of an NSRP cluster has changed.
Action: No recommended action

Message: HA data channel change to <interface>.
Meaning: The name of the physical interface that sends and receives data packets between the members of an NSRP cluster has changed.
Action: No recommended action

Message: HA change from <string> to <string>.
Meaning: The state of the current HA link has changed.
Action: No recommended action

Message: HA: Slave is down
Meaning: The HA link to the backup (slave) device is down.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from inoperable to init
Meaning: The state of the local NetScreen device in the specified VSD group has changed from inoperable to initial. When a device returns from the inoperable state (after a system or network problem has been corrected), it transitions to the initial state first.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from ineligible to init
Meaning: The state of the local NetScreen device in the specified VSD group has changed from ineligible to initial. When a device returns from the ineligible state, it transitions to the initial state first.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { master | primary backup | backup | ineligible | inoperable } to init, force command.
Meaning: An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to initial.
Action: No recommended action, other than confirming that the forced state change was intended.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from init to master, missing master
Meaning: For one of a variety of reasons, the identified local unit in the specified VSD group has not detected a master device, so the local device has become master. A typical reason for the absence of a master is that the former master in the VSD group has failed or has become disconnected.
Action: Check the status of the former master device: determine whether it has been removed or unplugged, or whether it failed or its configuration became corrupted. Once you correct the problem, try resetting the device.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from backup to master, missing master
Meaning: For one of a variety of reasons, the identified local unit in the specified VSD group has not detected a master device, so the local device has become master. A typical reason for the absence of a master is that the former master in the VSD group has failed or has become disconnected.
Action: Check the status of the former master device: determine whether it has been removed or unplugged, or whether it failed or its configuration became corrupted. Once you correct the problem, try resetting the device.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from primary backup to master, missing master
Meaning: For one of a variety of reasons, the identified local unit in the specified VSD group has not detected a master device, so the local device has become master. A typical reason for the absence of a master is that the former master in the VSD group has failed or has become disconnected.
Action: Check the status of the former master device: determine whether it has been removed or unplugged, or whether it failed or its configuration became corrupted. Once you correct the problem, try resetting the device.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { primary backup | backup | ineligible | inoperable } to master, force command.
Meaning: An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to master.
Action: No recommended action, other than confirming that the forced state change was intended.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from init to primary backup, missing primary backup
Meaning: The state of the local NetScreen device in the specified VSD group has changed from initial to primary backup because the group had no primary backup.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from backup to primary backup, missing primary backup
Meaning: The state of the local NetScreen device in the specified VSD group has changed from backup to primary backup because the group had no primary backup.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { backup | ineligible | inoperable } to primary backup, force command.
Meaning: An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to primary backup.
Action: No recommended action, other than confirming that the forced state change was intended.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from init to backup, elected
Meaning: The state of the local NetScreen device in the specified VSD group has changed from initial to backup as the result of the VSD group election.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from master to backup, { duplicate master | preempt by primary backup }
Meaning: Either a second master exists in the VSD group and one of the two masters changed its state, because two masters in one group create a conflict, or the primary backup has been configured with a higher priority than the master and has the preempt option enabled, so it has taken over as master.
Action: If there are duplicate masters, change the state of one of the devices so that there is only one master in the VSD group. If the change is due to preemption, no action is needed.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from primary backup to backup, duplicate primary backup
Meaning: The local NetScreen device detected a second primary backup in the VSD group, causing it to change its state from primary backup to backup.
Action: Change the state of one of the devices so that there is only one primary backup in the VSD group.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { primary backup | ineligible | inoperable } to backup, force command
Meaning: An admin used the exec nsrp vsd-group mode CLI command to change the state of the local NetScreen device in the specified VSD group to backup.
Action: No recommended action, other than confirming that the forced state change was intended.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { master | primary backup | backup | ineligible | inoperable | init } to ineligible
Meaning: An admin has changed the state of the local NetScreen device to ineligible so that it cannot participate in the election process.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) change state from { master | primary backup | backup | ineligible | inoperable | init } to inoperable
Meaning: The state of the local NetScreen device has changed to inoperable because of an internal system problem or a link failure.
Action: Check the device. Once you correct the problem, try resetting the device.

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) send 2nd path request to unit=<id_num3>
Meaning: The local device registered a missed heartbeat from the master device and, as a result, asks the master to retransmit the heartbeat via the secondary HA path (if one is configured). A secondary HA path can reduce the number of failovers caused by a failure of the first HA link alone.
Action: No recommended action

Message: NSRP: local unit=<id_num1> of VSD group (<id_num2>) receive 2nd path request from unit=<id_num3> to unit=<id_num4>
Meaning: The local device received a request to retransmit a missed heartbeat via the secondary HA path (if one is configured). A secondary HA path can reduce the number of failovers caused by a failure of the first HA link alone.
Action: No recommended action

Message: HA link disconnect. Begin to use second path of HA
Meaning: The primary HA path between the VSD and the other device to which it is bound in a redundancy pair does not work. A secondary HA path, configured to act as a backup path, does work, and the VSD uses this path to reach the other device.
Action: Determine what is wrong with the primary path and correct the problem. Typically, a path is down simply because a cable has been disconnected or the port to which the path is connected is down.

Message: ARP req, detect duplicate VSD group master <ip_addr> <mac_addr> on interface <interface>
Meaning: A second master device with the specified IP and MAC addresses sent an ARP broadcast on the specified interface. Since there can be only one master in a VSD group, the election process uses device priorities to determine the master.
Action: No recommended action. If the message repeats, the election has not settled; check the HA links between the cluster members, since members that cannot see each other's heartbeats both elect themselves master.
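The VSD state-change and duplicate-master messages above are the ones worth watching for on a syslog collector, because a split brain (duplicate master), an unexplained loss of the master, or an admin-forced transition each change which device is enforcing policy. The following Python script is an added example, not part of the guide or of ScreenOS: it parses the message shapes documented above from constructed sample lines and ranks them. The ranking policy (alert, review, notice, info) is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message shapes documented in this section. The trailing ", <reason>" is
# absent on some variants (for example the transition to inoperable).
STATE_RE = re.compile(
    r"NSRP: local unit=(?P<unit>\d+) of VSD group \((?P<group>\d+)\) "
    r"change state from (?P<old>[a-z ]+?) to (?P<new>[a-z ]+?)"
    r"(?:, (?P<reason>[^.]+))?\.?$"
)
DUP_ARP_RE = re.compile(
    r"ARP req, detect duplicate VSD group master (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>\S+) on interface (?P<ifname>\S+)"
)
VSD_STATES = {"init", "master", "primary backup", "backup", "ineligible", "inoperable"}

# Ranking policy assumed by this example (the guide itself gives no ranking).
LEVEL_ORDER = {"alert": 0, "review": 1, "notice": 2, "info": 3}


@dataclass
class Finding:
    level: str
    summary: str


def classify(line: str) -> Optional[Finding]:
    """Map one syslog line to a Finding, or None if it is not a VSD message."""
    m = DUP_ARP_RE.search(line)
    if m:
        # Two masters answering for the same VSD: split brain until the election settles.
        return Finding("alert", f"duplicate VSD master {m['ip']} ({m['mac']}) seen on {m['ifname']}")
    m = STATE_RE.search(line)
    if not m or m["old"] not in VSD_STATES or m["new"] not in VSD_STATES:
        return None
    reason = (m["reason"] or "").strip()
    where = f"unit {m['unit']} / VSD group {m['group']}"
    change = f"{m['old']} -> {m['new']}" + (f" ({reason})" if reason else "")
    if "force command" in reason:
        # Admin-driven: confirm it matches a planned change.
        return Finding("review", f"{where}: admin forced {change}")
    if "duplicate master" in reason or "missing master" in reason or m["new"] == "inoperable":
        # Split brain, lost master, or a system/link failure on this unit.
        return Finding("alert", f"{where}: {change}")
    if m["new"] == "ineligible" or "duplicate primary backup" in reason or "preempt" in reason:
        return Finding("notice", f"{where}: {change}")
    return Finding("info", f"{where}: {change}")


def triage(lines: List[str]) -> List[Finding]:
    """Classify every line and return the findings, most serious first."""
    findings = [f for f in map(classify, lines) if f is not None]
    return sorted(findings, key=lambda f: LEVEL_ORDER[f.level])


# Constructed sample lines (not captured from a device), following the formats above.
SAMPLE_LOG = [
    "NSRP: local unit=1 of VSD group (0) change state from init to backup, elected",
    "NSRP: local unit=1 of VSD group (0) change state from backup to master, missing master",
    "NSRP: local unit=1 of VSD group (0) change state from master to backup, duplicate master",
    "NSRP: local unit=2 of VSD group (1) change state from backup to master, force command.",
    "NSRP: local unit=2 of VSD group (1) change state from master to inoperable",
    "ARP req, detect duplicate VSD group master 10.1.1.254 0010db112233 on interface ethernet1",
    "HA: ha link up",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.level:6} {finding.summary}")
```

On a real collector the timestamp and device-name prefix that syslog adds is left alone by the regexes, since both use search rather than match; only the message body documented above is parsed.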

Notification

Message: NSRP: VSD <id_num> change to { preempt | non-preempt } mode.
Meaning: An admin has either enabled or disabled the preempt option on a member of the specified virtual security device (VSD) group.
Action: No recommended action

Message: VSD heartbeat interval changed from <number1>(msec) to <number2>(msec).
Meaning: An admin has changed the interval (in milliseconds) at which members of a virtual security device (VSD) group send VSD heartbeats.
Action: No recommended action

Message: Remove pathname <name_str> (ifnum=<id_num>) as secondary HA path
Meaning: The local and remote devices in an NSRP cluster can be joined by two paths: a primary path, and a secondary (backup) path used when the primary path is down. An admin has removed an existing secondary path between the two devices in the NSRP cluster.
Action: No recommended action

Message: Change secondary HA path from <name_str1> to <name_str2>.
Meaning: The local and remote devices in an NSRP cluster can be joined by two paths: a primary path, and a secondary (backup) path used when the primary path is down. An admin has replaced the secondary path connecting the local device with the remote device in the NSRP cluster.
Action: No recommended action

Message: Set secondary HA path to <name_str> (ifnum=<id_num>)
Meaning: The local and remote devices in an NSRP cluster can be joined by two paths: a primary path, and a secondary (backup) path used when the primary path is down. An admin has created a secondary path connecting the local and remote devices in the NSRP cluster.
Action: No recommended action

Message: NSRP: nsrp interface change to <interface>.
Meaning: Some NetScreen devices do not have dedicated physical interfaces for HA links, so the admin must assign one manually. The interface used for the HA link has been changed.
Action: No recommended action

Message: Session sync ended by unit=<dev_name>
Meaning: To assure a continuous traffic flow, you can cable and configure two NetScreen devices as a redundant cluster, with one device acting as master and the other as its backup. The master propagates its network and configuration settings and its current session information to the backup; this transfer is called synchronization. An admin terminated the synchronization on the named unit in the NSRP cluster.
Action: No recommended action

Message: NSRP encryption password changed.
Meaning: An NSRP encryption password protects the contents of NSRP messages. In this case, an HA message exchanged between two NSRP devices was encrypted with a different password than the receiving device expected. While the two devices use different passwords, the configuration operations carried by those messages (for example, policy updates) fail. Two exceptions exist: neither heartbeat nor synchronization sessions fail, because these operations do not rely on the encryption password.
Action: Check the message encryption password on both devices and correct it if it is wrong. If no admin changed the password, investigate the unexpected change.

Message: NSRP authentication password changed.
Meaning: An NSRP authentication password authenticates NSRP messages. In this case, an HA message exchanged between two NSRP devices was authenticated with a different password than the receiving device expected. While the two devices use different passwords, the configuration operations carried by those messages (for example, policy updates) fail. Two exceptions exist: neither heartbeat nor synchronization sessions fail, because these operations do not rely on the authentication password.
Action: Check the authentication password on both devices and correct it if it is wrong. If no admin changed the password, investigate the unexpected change.

Message: NSRP: message <string> dropped: invalid encryption password.
Meaning: The NetScreen device dropped a message of the specified type (for example, SESS_CR, SESS_CL, or SESS_CH) because the sending device in the NSRP cluster encrypted it with one key while the receiving device expected another, so the operation failed.
Action: Check the encryption password on both devices and correct it if it is wrong.

Message: RTO mirror group id=<id_num> direction={ in | out } is set
Meaning: Run-time objects (RTOs) are objects created dynamically in memory during normal operation, for example session table entries, ARP cache entries, and DHCP leases. In the event of a failover, the new master must hold the current RTOs to avoid service interruption. A mirror group is the pair of devices in an NSRP cluster that exchange RTOs with each other for backup purposes. You can set a direction that determines which device transmits a copy of the RTOs (direction=out) and which device receives it (direction=in). The RTO mirror group direction has been set successfully.
Action: No recommended action

Message: RTO mirror group id=<id_num> is set
Meaning: Run-time objects (RTOs) are objects created dynamically in memory during normal operation, for example session table entries, ARP cache entries, and DHCP leases. In the event of a failover, the new master must hold the current RTOs to avoid service interruption. A mirror group is the pair of devices in an NSRP cluster that exchange RTOs with each other for backup purposes. The local device has been added to the RTO mirror group with the specified ID.
Action: No recommended action

Message: RTO mirror group id=<id_num>, direction={ in | out } is unset
Meaning: Run-time objects (RTOs) are objects created dynamically in memory during normal operation, for example session table entries, ARP cache entries, and DHCP leases. In the event of a failover, the new master must hold the current RTOs to avoid service interruption. A mirror group is the pair of devices in an NSRP cluster that exchange RTOs with each other for backup purposes. You can set a direction that determines which device transmits a copy of the RTOs (direction=out) and which device receives it (direction=in). The specified RTO mirror group is unidirectional, so both a group ID and a direction are required to identify it uniquely. The local device has been removed from the RTO mirror group by unsetting its direction.
Action: No recommended action

Message: RTO mirror group id=<id_num> is unset
Meaning: Run-time objects (RTOs) are objects created dynamically in memory during normal operation, for example session table entries, ARP cache entries, and DHCP leases. In the event of a failover, the new master must hold the current RTOs to avoid service interruption. A mirror group is the pair of devices in an NSRP cluster that exchange RTOs with each other for backup purposes. The local device has been removed from the RTO mirror group with the specified ID.
Action: No recommended action

Message: RTO mirror group id=<id_num> direction={ in | out } peer=<id_num> from { undefined | set | active } to { undefined | set | active } state, { missed heartbeat | group detached }
Meaning: The specified peer, with the specified direction in the specified RTO mirror group, has changed state for the stated reason (a missed heartbeat, or the group being detached).
Action: No recommended action

Message: RTO mirror group id=<id_num1> direction={ in | out } local unit=<id_num2>, duplicate from unit=<id_num3>
Meaning: The local device has detected another device using the same IP address in the specified RTO mirror group and direction.
Action: Change the IP address of one of the two devices using the same address.

Message: vsd group id=<id_num> is deleted, total number=<number>
Meaning: A virtual security device (VSD) group is made up of one VSD on each physical device in the cluster; one VSD in the group acts as master and the other as backup. This message informs you that the specified VSD group has been removed and states how many VSD groups remain.
Action: No recommended action

Message: vsd group id=<id_num> is created, total number=<number>
Meaning: A virtual security device (VSD) group is made up of one VSD on each physical device in the cluster; one VSD in the group acts as master and the other as backup. This message informs you that the specified VSD group has been created and states how many VSD groups now exist.
Action: No recommended action

Message: vsd group <id_num> local unit priority changed from <number1> to <number2>
Meaning: Each VSD in a VSD group is assigned a value that indicates how likely the device is to be elected master in the redundancy relationship between the two VSD group members. This value, the priority, ranges from 1 to 254; the default is 100. In this instance the priority of the local VSD has been changed.
Action: No recommended action

Message: HA Slave is { up | down }
Meaning: The HA link to the slave device is up or down.
Action: No recommended action

Message: HA: ha link { up | down }
Meaning: The current HA link is up or down.
Action: No recommended action

Message: HA change state to init
Meaning: The state of the current HA link has changed to initial (init).
Action: No recommended action

Message: HA: Change state to initial state.
Meaning: The state of the current HA link has changed to initial (init).
Action: No recommended action

Message: HA: Elected slave, { lower priority | MAC value is larger | master already exists | detect new master with higher priority | detect new master with smaller MAC value }
Meaning: The current device has been elected slave for the stated reason: it has the lower priority, its MAC value is larger, a master already exists, or it detected a new master with a higher priority or a smaller MAC value.
Action: No recommended action

Message: HA: Promoted master, command issued from original master to change state
Meaning: The original master device has promoted the current device to master.
Action: No recommended action

Message: HA: Change to master, command issued from original master to change state
Meaning: The original master device has promoted the current device to master.
Action: No recommended action

Message: HA: Change state to slave { for tracking ip failed | for linkdown }
Meaning: The master device changed its state to slave because IP tracking failed or the link went down.
Action: No recommended action

Message: HA: Elected master, no other master
Meaning: The current device was elected master because no other master exists.
Action: No recommended action

Message: HA change group id to <id_num>
Meaning: The ID of the current HA group has changed.
Action: No recommended action

Message: HA change priority to <number>
Meaning: The priority of the current HA device has changed.
Action: No recommended action

Message: HA { encryption password | authentication password | encryption key | authentication key } changed.
Meaning: The encryption or authentication password, or the encryption or authentication key, of the current HA device has changed.
Action: No recommended action if an admin made the change; otherwise investigate the unexpected change.

Path Monitoring

Critical

Message: nsrp track-ip ip <ip_addr> succeed!
Meaning: NetScreen uses the track-ip feature to verify that an IP address on the network is reachable, usually the address of a device (such as the next-hop router) that the current device must be able to reach. The device successfully reached the specified IP address.
Action: No recommended action

Message: IP tracking to <ip_addr> has failed!
Meaning: NetScreen uses the track-ip feature to verify that an IP address on the network is reachable, usually the address of a device (such as the next-hop router) that the current device must be able to reach. The device cannot reach the specified IP address.
Action: No recommended action beyond verifying, as for the nsrp track-ip failed message, that the tracked address is correct and reachable.

Message: HA linkdown
Meaning: The current HA link is down.
Action: No recommended action

Message: nsrp track-ip ip <ip_addr> failed!
Meaning: NetScreen uses the track-ip feature to verify that an IP address on the network is reachable, usually the address of a device (such as the next-hop router) that the current device must be able to reach. The NetScreen device cannot reach the specified IP address.
Action: Check that the specified IP address is correct.

Message: track ip fail reaches threshold, system may fail over!
Meaning: The NetScreen device attempted to track a specified IP address on the network, and the number of failed attempts has reached the configured threshold. In that case, the device may fail over to the backup device.
Action: Verify the network connectivity between the NetScreen device and the external IP address being tracked.

Message: Can not create track-ip list
Meaning: NetScreen uses the track-ip feature to verify that an IP address on the network is reachable, generally the address of a device that the current device must be able to reach. Before probing, the track-ip feature builds a list of the addresses it will track in the current track-ip session. Track-ip cannot construct this list.
Action: Determine whether the track-ip feature attempted to build a list with too many addresses in it. Depending on the CPU and memory of your NetScreen device, track-ip can accommodate a varying number of tracked IP addresses; if the list exceeds that number, the feature cannot build it. Reduce the number of IP addresses tracked with track-ip.
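As an added example (not from the guide or from ScreenOS), the following Python model reproduces the path-monitoring logic described in this section: consecutive lost probes to a tracked address are counted, the address is declared failed at a per-address threshold, and a device-level threshold decides whether a failover is signalled, emitting the same message strings documented above. The per-address failure threshold, the per-address weight, the device threshold of 255, and the idea that failed targets add a weight to a summed score are all assumptions of the model; the probe results are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass
class TrackedTarget:
    ip: str
    weight: int              # assumed: what this target adds to the device score while it is down
    fail_threshold: int      # assumed: consecutive lost probes before the target is declared failed
    consecutive_failures: int = 0

    @property
    def failed(self) -> bool:
        return self.consecutive_failures >= self.fail_threshold


@dataclass
class TrackIpMonitor:
    device_threshold: int    # assumed: summed weight of failed targets at which failover is signalled
    targets: Dict[str, TrackedTarget] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    over_threshold: bool = False

    def add_target(self, ip: str, weight: int = 255, fail_threshold: int = 3) -> None:
        self.targets[ip] = TrackedTarget(ip, weight, fail_threshold)

    def score(self) -> int:
        """Summed weight of all targets currently declared failed."""
        return sum(t.weight for t in self.targets.values() if t.failed)

    def record(self, ip: str, reachable: bool) -> bool:
        """Feed one probe result. Returns True only on the probe that first
        pushes the score over the device threshold (the failover trigger)."""
        t = self.targets[ip]
        was_failed = t.failed
        if reachable:
            t.consecutive_failures = 0       # a single reply clears the failure run
            self.log.append(f"nsrp track-ip ip {ip} succeed!")
        else:
            t.consecutive_failures += 1
            self.log.append(f"nsrp track-ip ip {ip} failed!")
        if t.failed and not was_failed:
            self.log.append(f"IP tracking to {ip} has failed!")
        now_over = self.score() >= self.device_threshold
        fired = now_over and not self.over_threshold
        if fired:
            self.log.append("track ip fail reaches threshold, system may fail over!")
        self.over_threshold = now_over
        return fired


# Constructed probe outcomes: the low-weight target fails first, which is not
# enough on its own; the gateway target then fails and tips the score.
PROBES: Sequence[Tuple[str, bool]] = (
    ("10.1.1.2", False), ("10.1.1.2", False), ("10.1.1.2", False),
    ("10.1.1.1", False), ("10.1.1.1", False), ("10.1.1.1", False),
    ("10.1.1.1", True),
)


def simulate(probes: Sequence[Tuple[str, bool]] = PROBES) -> Tuple[TrackIpMonitor, List[int]]:
    """Run the probe sequence; return the monitor and the probe indexes that triggered failover."""
    mon = TrackIpMonitor(device_threshold=255)
    mon.add_target("10.1.1.1", weight=255)   # upstream router: losing it alone is decisive
    mon.add_target("10.1.1.2", weight=100)   # secondary probe: informative, not decisive
    fired_at = [i for i, (ip, ok) in enumerate(probes) if mon.record(ip, ok)]
    return mon, fired_at


if __name__ == "__main__":
    monitor, fired = simulate()
    print("\n".join(monitor.log))
    print("failover triggered at probe index:", fired)
```

The design point the model makes visible is that the failover decision depends on which addresses are tracked and how they are weighted: a probe to a host that the backup unit also cannot reach would fail over for nothing, so the tracked addresses should be ones whose loss really distinguishes the two cluster members.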

IKE

The following messages relate to the Internet Key Exchange (IKE) protocol, one of the three main components of IPSec; the other two are the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols. IKE provides a secure means for the distribution and maintenance of cryptographic keys and for the negotiation of the parameters that constitute a secure communications channel.

Alert

Message: IKE <ip_addr> Policy Manager's default CA is used by peer to establish IPSEC VPN.
Meaning: The specified IKE peer used the default certificate authority (CA) certificate supported by the Policy Manager (PM) component of NetScreen-Global PRO when establishing an IPSec VPN tunnel with the local NetScreen device.
Action: Use a different CA certificate.

Notification

Message: IKE key <key_id> has been deleted.
Meaning: An admin has deleted the specified IKE key.
Action: No recommended action

Message: IKE <ip_addr>: Gateway settings have been modified.
Meaning: An admin has modified the settings for the specified remote IKE gateway.
Action: No recommended action

Message: P1 proposal <name_str> with { Preshared | RSA-sig | DSA-sig }, DH group { 0 | 1 | 2 | 5 }, ESP { NULL | DES | 3DES | AES128 | AES192 | AES256 }, auth { NULL | MD5 | SHA-1 }, and lifetime <number> has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified Phase 1 proposal, or modified at least one of the following Phase 1 proposal attributes:
- Authentication method: preshared key, RSA signature, or DSA signature
- Diffie-Hellman group: 1, 2, or 5. Note: DH group 0 indicates that no DH group is employed because the proposal does not provide Perfect Forward Secrecy (PFS).
- Encryption algorithm (shown as ESP in the message): NULL, Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) with a 128-, 192-, or 256-bit key
- Authentication (hash) algorithm (shown as auth in the message): NULL, Message Digest 5 (MD5), or Secure Hash Algorithm 1 (SHA-1)
- Lifetime (a number of seconds, minutes, hours, or days)
Action: No recommended action

Message: P2 proposal <name_str> with DH group { 0 | 1 | 2 | 5 }, { AH | ESP }, enc { NULL | DES | 3DES | AES128 | AES192 | AES256 }, auth { NULL | MD5 | SHA-1 }, and lifetime (sec <number>) (kb <number>) has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified Phase 2 proposal, or modified at least one of the following attributes:
- Diffie-Hellman group: 1, 2, or 5. Note: DH group 0 indicates that no DH group is employed because the proposal does not provide Perfect Forward Secrecy (PFS).
- Protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP)
- Encryption algorithm (enc): NULL, Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) with a 128-, 192-, or 256-bit key
- Authentication (hash) algorithm (auth): NULL, Message Digest 5 (MD5), or Secure Hash Algorithm 1 (SHA-1)
- Lifetime, in seconds and in kilobytes of traffic
Action: No recommended action. Review the change if the modified proposal selects NULL encryption or NULL authentication, since NULL encryption leaves the tunnel traffic unencrypted and NULL authentication leaves it without integrity protection.

Information

Message: IKE <ip_addr>: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed.
Meaning: The number of unanswered IKE heartbeats that the local NetScreen device has sent to the specified peer through the IPSec tunnel has exceeded the failure threshold. The security associations (SAs) for both Phase 1 and Phase 2 have been removed.
Action: Verify network connectivity to the peer gateway. Check whether the peer has changed or deleted the tunnel configuration, or whether the remote gateway device has been rebooted.

Message: IKE <ip_addr> Phase 1: Cert received has a different { IP address | FQDN | UFQDN } SubAltName than expected.
Meaning: The local NetScreen device received a certificate from the specified IKE peer that contained a different subject alternative name (SubAltName) than the IKE ID configured on the local device. The SubAltName is an alternative name for the subject of a certificate. NetScreen supports the following kinds:
- IP address, such as 209.157.66.170
- Fully Qualified Domain Name (FQDN), such as www.netscreen.com
- User Fully Qualified Domain Name (UFQDN), such as jsmith@netscreen.com
Action: Recommend that the peer use a certificate with the expected SubAltName, or change the IKE ID in the local VPN configuration to match that of the certificate. Before changing the local IKE ID to match, confirm that the certificate really belongs to the intended peer; this comparison is what binds the peer's identity to the tunnel.

Message: IKE <ip_addr> Phase 1: Cert received has a subject name that does not match the ID payload.
Meaning: The local NetScreen device received a certificate from the specified IKE peer whose subject differs from the IKE ID sent by the peer. The subject of a certificate can be a distinguished name (DN), composed of a concatenation of the common name elements listed in the request submitted for that certificate. The DN is the identity of the certificate holder.
Action: Advise the peer to change the IKE ID in its VPN configuration to match that of the certificate, or to use a certificate with a subject name that matches the IKE ID configured for the VPN.

Message: IKE <ip_addr> Phase 1: Cannot use a preshared key because the peer gateway <ip_addr> has a dynamic IP address and negotiations are in Main mode.
Meaning: When configuring an IPSec tunnel to the specified remote gateway, which has a dynamically assigned IP address, an admin specified a preshared key and selected Main mode for the Phase 1 negotiations. Authentication via preshared key is not allowed when Main mode is used with a peer at a dynamically assigned IP address: in Main mode the peer's identity is not revealed until after the key material has been derived, so the responder must look up the preshared key by the peer's IP address, and a dynamic address gives it nothing stable to look up. Aggressive mode sends the identity in the first exchange, so the key can be selected by IKE ID instead.
Action: Reconfigure the VPN to use a certificate to authenticate the remote party, or select Aggressive mode for use with preshared key authentication.

Message: IKE <ip_addr>: Received incorrect ID payload: ID type mismatch.
Meaning: The type of IKE ID that the local device received from the peer at the specified IP address during Phase 1 negotiations differs from the type defined in the local configuration.
Action: Reconfigure the VPN to accept the received ID type, or ask the remote peer to send the expected ID type.


Message: IKE <ip_addr> Phase 1: Main mode packet has arrived with ID type { IP address | FQDN | UFQDN | ASN1_DN }, but no user configuration was found for that ID.
Meaning: The NetScreen device has received the packet in Phase 1 Main mode negotiations that specifies the identity of the remote entity. The packet is from a VPN dialup user at the specified address and contains the specified IKE ID type. However, the NetScreen device cannot find a configuration for the VPN dialup user based on the ID received. NetScreen supports the following four IKE ID types:
- IP address, such as 209.157.66.170
- Fully Qualified Domain Name (FQDN), such as www.netscreen.com
- User's Fully Qualified Domain Name (UFQDN), such as jsmith@netscreen.com
- Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us
Action: Check that a VPN dialup user has been configured with the specified identity.

Message: IKE <ip_addr> Phase 1: Retransmission limit has been reached.
Meaning: The local NetScreen device has reached the retransmission limit (10 failed attempts) during Phase 1 negotiations with the specified remote peer because the local device has not received a response. Note: If the local device continues receiving outbound traffic for the remote peer after the first 10 failed attempts, it makes another 10 attempts, and continues to do so until it either succeeds at contacting the remote gateway or no longer receives traffic bound for that gateway.
Action: Verify network connectivity to the peer gateway. Request that the remote gateway admin consult the log to determine whether the connection requests reached it and, if so, why the device did not respond.


Message: IKE <ip_addr> Give up phase-2, session id <id_num>
Meaning: After several unsuccessful attempts to complete Phase 2 negotiations with the specified IKE peer, the local NetScreen device has aborted the negotiations.
Action: Check network connectivity by pinging the IKE peer. Also, request that the remote admin check the IKE configuration on that end of the tunnel.

Message: IKE <ip_addr> Phase 1: Completed { Aggressive | Main } mode negotiations with a <number>-second lifetime.
Meaning: The NetScreen device and the specified remote gateway have successfully completed Phase 1 negotiations in either Aggressive mode or Main mode, with the lifetime of the Phase 1 security association (SA) defined in seconds.
Action: No recommended action

Message: IKE <ip_addr> Phase 1: Discarded a second initial packet, which arrived within 5 seconds after the first.
Meaning: The local NetScreen device received two initial Phase 1 packets from the peer at the specified address within a five-second interval. As a result, the local device dropped the second initial packet.
Action: Verify whether the packets came from a legitimate peer gateway. If so, check the local logs and request that the remote gateway admin check his or her logs to uncover the cause of the difficulty in completing the Phase 1 negotiations.


Message: IKE <ip_addr> Phase 1: { Aggressive | Main } mode negotiations have failed.
Meaning: The Phase 1 session initiated by the local NetScreen device to the specified peer has failed. The session was in either Main mode or Aggressive mode.
Action: Request that the remote admin consult the event log to determine the cause of the failure.

Message: IKE <ip_addr> Phase 1: Received an invalid RSA signature.
Meaning: The specified IKE peer has sent an invalid RSA signature in Phase 1 Message 5 or 6.
Action: Request that the peer ensure that the RSA private key used to sign the packet pairs with the public key sent in the certificate.

Message: IKE <ip_addr1> >> <ip_addr2> Phase 1: Initiated negotiations in { Aggressive | Main } mode.
Meaning: The local NetScreen device has initiated Phase 1 negotiations in either Aggressive mode or Main mode from the outgoing interface (<ip_addr1>) to the specified peer (<ip_addr2>).
Action: No recommended action

Message: IKE <ip_addr> Phase 1: Cannot verify { RSA | DSA } signature.
Meaning: The local NetScreen device cannot verify the RSA or DSA signature sent by the specified IKE peer.
Action: Contact the remote admin to check whether he or she sent a certificate with the public key matching the private key used to produce the signature.


Message: IKE <ip_addr> Phase 1: No private key exists to sign packets.
Meaning: The private key needed to create an RSA or DSA signature to authenticate packets destined for the specified IKE peer does not exist. This situation can arise under either of the following conditions:
- The local configuration for the remote gateway specifies a local certificate that an admin later removed.
- There are no local certificates in the certificate store, and no local certificate is specified in the remote gateway configuration.
Action: Obtain and load a certificate for use in authenticating IKE packets.

Message: IKE <ip_addr> Phase 1: { RSA | DSA } private key is needed to sign packets.
Meaning: The IKE gateway configurations, locally and remotely, require an RSA or DSA private key to authenticate packets destined for the specified IKE peer. However, only a different type of key pair exists locally (that is, an RSA private key is required, but only a DSA key pair is loaded; or a DSA private key is required, but only an RSA key pair is loaded).
Action: Either change the gateway configuration to specify a key type that is already loaded, or obtain and load the required certificate.


Message: IKE <ip_addr> Phase 1: Received an incorrect public key authentication method.
Meaning: In the first and second Phase 1 messages, the IKE participants agreed to use a preshared key for packet authentication. Then, in the fifth or sixth message (Main mode) or the second or third message (Aggressive mode), the remote peer sent a signature payload, which requires the local device to use a public key (not a preshared key) to authenticate the packet. The NetScreen device, however, does not attempt to authenticate the packet; it drops the packet.
Action: Check whether the remote peer is a legitimate IKE peer. If so, contact the remote admin to check whether that device has malfunctioned. If not, this might be an ineffectual attack in which the attacker is attempting to force the NetScreen device to consume bandwidth while trying to verify bogus signature payloads.

Message: IKE <ip_addr> Phase 1: IKE { initiator | responder } has detected NAT in front of the { local | remote } device.
Meaning: The local NetScreen device, with NAT-Traversal (NAT-T) enabled and functioning as either an initiator or responder of Phase 1 IKE negotiations, has detected a NAT device in the data path either in front of itself or in front of its remote peer. There are several reasons for IPSec/NAT incompatibility. (For a list of IPSec/NAT incompatibilities, see draft-ietf-ipsec-nat-reqts-00.txt by Bernard Aboba.) If NAT-T is enabled on both IKE participants, IPSec packets are encapsulated within UDP packets, protecting the original IPSec header from modification by NAT devices. Consequently, packet authentication, and communication via the IPSec tunnel, is successful.
Action: No recommended action


Message: IKE <ip_addr> Phase { 1 | 2 }: Aborted negotiations because the time limit has elapsed.
Meaning: The NetScreen device has aborted Phase 1 or Phase 2 negotiations with the specified remote peer because the time limit (60 seconds for Phase 1 and 40 seconds for Phase 2) has elapsed.
Action: Verify network connectivity to the peer gateway. Consult the local log and request that the remote gateway admin consult his or her log to determine why the negotiations timed out before completion.

Message: IKE <ip_addr> Phase { 1 | 2 }: Rejected proposals from peer. Negotiations failed.
Meaning: The local NetScreen device has rejected the Phase 1 or Phase 2 proposals sent by the specified IKE peer.
Action: To see the local and remote peers' Phase 1 proposals, contact the admin of the remote peer and compare configurations, or enter the following CLI commands when both peers participate in the next Phase 1 negotiation:
debug ike detail
clear dbuf
get dbuf stream
Check that at least one Phase 1 proposal matches on both peers. To stop the debugger, press the ESCAPE key.


Message: IKE <ip_addr> Phase 2: Initiated negotiation.
Meaning: The local NetScreen device has sent the initial message for IKE Phase 2 negotiations to the specified peer.
Action: No recommended action

Message: IKE <ip_addr> Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled.
Meaning: When the local NetScreen device received an IKE Phase 2 message from the specified peer, it could not check for a policy because the id-mode was set to IP or policy-checking was disabled. If the id-mode is set to IP, the remote peer does not send the proxy ID payload when initiating a Phase 2 session. The proxy ID consists of the local end entity's IP address and netmask, protocol, and port number, and those for the remote end entity. Consequently, the local peer cannot use the information in the proxy ID to match the information in a local policy. If policy-checking is disabled for IKE traffic with the specified peer, the IKE module builds an SA without verifying the policy configuration.
Action: Verify whether this is the intended behavior. If not, set the id-mode to subnet (set ike id-mode subnet) and enable policy-checking (set ike policy-checking).


Message: IKE <ip_addr> Phase 2: No policy exists for the proxy ID received: local ID (<ip_addr>/<mask>, <protocol>, <port_num>) remote ID (<ip_addr>/<mask>, <protocol>, <port_num>).
Meaning: When the local NetScreen device received an IKE Phase 2 message from the specified peer, it detected that no access policy exists matching the attributes specified in the proxy ID payload.
Action: If you intend to allow IPSec traffic between the specified local and remote end entities, configure the necessary access policy.

Message: IKE <ip_addr> Phase 2: Received DH group <value1> instead of expected group <value2> for PFS.
Meaning: While executing a Diffie-Hellman exchange to refresh the cryptographic keys with Perfect Forward Secrecy (PFS) during Phase 2 Messages 1 and 2, the remote peer used a different Diffie-Hellman group than did the local NetScreen device. Consequently, the Phase 2 session has failed.
Action: Change the Phase 2 configuration on the local peer, or request that the admin of the remote peer change that configuration, so that both employ the same Diffie-Hellman group for PFS.

Message: IKE <ip_addr> Phase 2 msg-id <number>: Received responder lifetime notification.
Meaning: The local NetScreen device has received a responder lifetime notification message from the specified peer. The Phase 2 negotiation is identified by the specified message ID. The notification includes the Phase 2 SA lifetime in both seconds and kilobytes. The peers use the shortest lifetime defined.
Action: No recommended action


Message: IKE <ip_addr> Phase 2: Negotiations have failed. Policy-checking has been disabled but multiple VPN policies to the peer exist.
Meaning: An admin has disabled policy-checking although multiple access policies for VPN traffic to the specified peer exist. Consequently, the IKE module cannot find the correct SA for traffic covered by each policy. Note: Policy-checking must be enabled if multiple policies for VPN traffic to the same gateway exist.
Action: Enable policy-checking, or limit the configuration to one policy per remote gateway.

Message: IKE <ip_addr> Phase 2 msg-id <number>: Responded to the first peer message.
Meaning: The local NetScreen device has responded to the specified peer, which sent the first message for Phase 2 IKE negotiations.
Action: No recommended action

Message: IKE <ip_addr> Phase 2 msg-id <number>: Negotiations have failed.
Meaning: The specified Phase 2 negotiations with the identified peer have failed.
Action: Examine the local log and request that the remote admin examine his or her log for possible causes.


Message: IKE <ip_addr> Phase 2 msg-id <number>: Completed negotiations with SPI <number1>, tunnel ID <number2>, and lifetime <number3> seconds/<number> KB.
Meaning: The local NetScreen device has successfully negotiated a Phase 2 session with the specified peer. The Phase 2 session consists of the specified attributes.
Action: No recommended action

Message: IKE <ip_addr>: Dropped packet because remote gateway <name_str> is not used in any VPN tunnel configurations.
Meaning: The local NetScreen device has discarded an IKE packet sent from the specified remote gateway because the local device does not reference that gateway in any of its VPN tunnel configurations.
Action: Verify that the packet came from a peer with which you want to establish a VPN. If so, configure a VPN using that gateway.

Message: IKE <ip_addr> Recv TRNXTN_XCHG:payloadtype (<number>)
Meaning: After Phase 1 negotiations were completed, the NetScreen device received and discarded a transaction exchange (TRNXTN_XCHG) packet with a number indicating one of the following TRNXTN_XCHG payload types: request, reply, set, ack.
Action: No recommended action


Message: IKE <ip_addr> rcv incorrect ID payload: (IP address <ip_addr> | FQDN <string1> | UFQDN <string2> | ASN1_DN <string3>), expecting (IP address <ip_addr> | FQDN <string4> | UFQDN <string5> | ASN1_DN <string6>).
Meaning: The NetScreen device received an incorrect IKE ID payload instead of the one that it was configured to receive. NetScreen supports the following four IKE ID types:
- IP address, such as 209.157.66.170
- Fully Qualified Domain Name (FQDN), such as www.netscreen.com
- User's Fully Qualified Domain Name (UFQDN), such as jsmith@netscreen.com
- Abstract Syntax Notation, version 1, distinguished name (ASN1_DN), such as cn=ns100, ou=eng, o=netscreen, l=santa clara, s=ca, c=us
Action: Check that the IKE ID configuration is identical on both the local and remote gateway devices.

Message: IKE <ip_addr>: Sent initial contact notification to peer to use new sa.
Meaning: The local NetScreen device has sent an initial contact notification message to the specified remote gateway. After rebooting, the local device sends an initial contact notification message when contacting a peer for the first time. The message informs the peer that the local device has no previous state with it and that the peer should delete any existing security associations (SAs).
Action: No recommended action


Message: IKE <ip_addr>: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
Meaning: The local NetScreen device has received an initial Phase 1 packet from the specified address. However, because the NetScreen device could not find a matching peer gateway configuration, it rejected the packet.
Action: Review the local VPN configurations to determine whether the packet came from a legitimate peer.

Message: IKE <ip_addr> Heartbeats have been lost <number> times.
Meaning: The IKE heartbeats that the local NetScreen device sends to the specified peer through the IPSec tunnel have been lost the specified number of times.
Action: No recommended action

Message: IKE <ip_addr>: Responded to a packet with a bad SPI after rebooting.
Meaning: The local NetScreen device responded to an IPSec packet with an invalid security parameters index (SPI) number from the specified peer. If configured, this happens after a system reboot for a configurable number of times. Note: To enable the NetScreen device to respond to an IPSec packet with an invalid SPI, use the following CLI command: set ike respond-bad-spi <number>. When the NetScreen device reboots, it loses any SPI values it had. However, the peers might still try to use SPI values from earlier SAs that have not yet timed out on their devices.
Action: If you do not want the NetScreen device to respond to IPSec packets with bad SPI values, modify the configuration.


Message: IKE <ip_addr>: Received notify message for DOI <number1> <number2> <string>.
Meaning: The device has received one of the following notification messages in the specified Domain of Interpretation (DOI):
Error Types
1. Invalid payload type
2. DOI not supported
3. Situation not supported
4. Invalid cookie
5. Invalid major version
6. Invalid minor version
7. Invalid exchange type
8. Invalid flags
9. Invalid message ID
10. Invalid protocol ID
11. Invalid SPI
12. Invalid transform ID
13. Attributes not supported
14. No proposal chosen
15. Bad proposal syntax
16. Payload malformed
17. Invalid key information
18. Invalid ID information
19. Invalid cert encoding
20. Invalid certificate
21. Cert type unsupported
22. Invalid cert authority
23. Invalid hash information
24. Authentication failed
25. Invalid signature
26. Address notification
Status Types
16384 Connected
24576 Responder lifetime
24577 Replay status
24578 Initial contact
Action: For the error notification messages, take action as appropriate for the error described. For the status notification messages, no action is necessary.


Message: IKE <ip_addr>: Received a bad SPI <spi_num> [ from unknown peer | after rebooting | <number> times ].
Meaning: The local NetScreen device detected an invalid security parameters index (SPI) number in IPSec traffic received from the specified peer. Additional information might appear in the message, such as the following:
- The time that elapsed between the reception of a bad SPI and the recording of this event in the log
- The peer is unknown (that is, no IKE gateway configuration exists for the source of the traffic with the bad SPI)
- The reception of a bad SPI occurred after rebooting the local NetScreen device
- The number of times that the remote peer sent the bad SPI
Action: Receiving a few messages of this kind during rekey is normal. However, if you receive a large number of these messages, check the SA status.
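As an added example (not part of this reference and not NetScreen code), the following Python script reads a few constructed IKE event lines in the style of the messages documented here and applies the triage that this entry and the "Received an incorrect public key authentication method" entry recommend: bad-SPI events are reported only once a peer exceeds a threshold (a few during rekey are normal), while signature-payload and unrecognized-peer events are reported on first sight. The timestamp prefix on each line and the threshold of five are assumptions.

```python
import re
from collections import Counter

# Constructed sample event-log lines (not captured from a real device). The
# message texts are the ones this reference documents; the timestamp prefix
# is an assumption about how the event log is exported.
SAMPLE_LOG = """\
2003-05-01 10:00:01 IKE 203.0.113.7: Received a bad SPI 0x0a1b2c3d after rebooting.
2003-05-01 10:00:02 IKE 203.0.113.7: Received a bad SPI 0x0a1b2c3d 2 times.
2003-05-01 10:00:03 IKE 203.0.113.7: Received a bad SPI 0x0a1b2c3d 3 times.
2003-05-01 10:00:09 IKE 203.0.113.7: Received a bad SPI 0x0a1b2c3d 4 times.
2003-05-01 10:00:15 IKE 203.0.113.7: Received a bad SPI 0x0a1b2c3d 5 times.
2003-05-01 10:01:00 IKE 198.51.100.9 Phase 1: Received an incorrect public key authentication method.
2003-05-01 10:01:30 IKE 198.51.100.9 Phase 1: Received an incorrect public key authentication method.
2003-05-01 10:02:00 IKE 192.0.2.44: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2003-05-01 10:02:05 IKE 203.0.113.7 Phase 2 msg-id 1: Completed negotiations with SPI 0x1234abcd, tunnel ID 2, and lifetime 3600 seconds/0 KB.
2003-05-01 10:03:00 IKE 192.0.2.44: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2003-05-01 10:04:00 system: Configuration saved by admin.
"""

# The peer address may be followed by a colon ("IKE <ip_addr>: ...") or
# directly by the phase ("IKE <ip_addr> Phase 1: ..."), so the colon is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"IKE (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):? (?P<text>.+)$"
)

# (fragment of the documented message text, triage class, recommended action)
RULES = (
    ("Received a bad SPI", "bad_spi",
     "a few during rekey are normal; a large number means check the SA status"),
    ("Received an incorrect public key authentication method", "bogus_signature",
     "check whether the peer is legitimate; may be an attempt to make the device "
     "consume bandwidth verifying bogus signature payloads"),
    ("Rejected an initial Phase 1 packet from an unrecognized peer gateway", "unrecognized_peer",
     "review VPN configurations to determine whether the source is a legitimate peer"),
    ("Rejected first Phase 1 packet from an unrecognized source", "unrecognized_peer",
     "review VPN configurations to determine whether the source is a legitimate peer"),
    ("Retransmission limit has been reached", "no_response",
     "verify connectivity; ask the remote admin whether the requests arrived"),
)


def parse_line(line):
    """Split one log line into (timestamp, peer, message), or return None
    for lines that are not IKE events."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def classify(message):
    """Map a documented IKE message to a triage class, or None when the
    message is purely informational (for example a completed negotiation)."""
    for fragment, cls, _ in RULES:
        if fragment in message:
            return cls
    return None


def triage(log_text, bad_spi_threshold=5):
    """Count triage-class events per peer and return the findings worth a
    look, each tagged with the action this reference recommends."""
    actions = {cls: action for _, cls, action in RULES}
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, peer, message = parsed
        cls = classify(message)
        if cls is not None:
            counts[(peer, cls)] += 1
    findings = []
    for (peer, cls), n in sorted(counts.items()):
        # Bad SPIs are expected in small numbers during rekey, so only a
        # burst at or above the threshold is reported; every other class is
        # reported as soon as it appears.
        if cls == "bad_spi" and n < bad_spi_threshold:
            continue
        findings.append({"peer": peer, "class": cls, "count": n, "action": actions[cls]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['peer']:15} {f['class']:18} x{f['count']:<3} {f['action']}")
```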

Message: IKE <ip_addr>: Sent initial contact notification message.
Meaning: The local NetScreen device has sent an initial contact notification message to the specified peer because this is the first time the local device has contacted that peer.
Action: No recommended action


Message: IKE <ip_addr>: Added the initial contact task to the task list.
Meaning: The IKE module in the local NetScreen device has added to the task list the transmission of an initial contact notification message for the Phase 1 SA being negotiated. The device sends the initial contact notification message in either the fifth message (when the device is the initiator) or the sixth message (when it is the responder) of Main mode message exchanges. When using Aggressive mode, it sends the notification after the Phase 1 negotiations are completed.
Action: No recommended action

Message: IKE <ip_addr> Initial contact task exist.
Meaning: Before adding the initial contact task to the task list, the IKE module in the local NetScreen device noted that the task was already in the task list. This can occur if a pending task exists. The device sends the initial contact notification message after the Phase 1 negotiations are completed.
Action: No recommended action

Message: IKE <ip_addr>: Added Phase 2 session tasks to the task list.
Meaning: The IKE module in the local NetScreen device has added the task to start a Phase 2 session with the specified peer to the task list for the Phase 1 SA being negotiated.
Action: No recommended action


Message: IKE <ip_addr> Phase 2 negotiation request is already in the task list.
Meaning: The IKE module in the local NetScreen device, when attempting to add a Phase 2 negotiation task to its task list, discovered that the list already contained an identical task for the specified peer. When beginning Phase 1 negotiations, the NetScreen device adds the tasks that the Phase 1 security association (SA) must do to its Phase 1 task list. One such task is to perform Phase 2 negotiations. If Phase 1 negotiations progress too slowly, local traffic might initiate another Phase 2 SA request to the IKE module. If so, before the NetScreen device adds the Phase 2 task to its task list, it will discover that an identical task is already in the list and refrain from adding the duplicate.
Action: Check whether the IKE Phase 1 negotiations with that peer have successfully completed.

Message: Receive UDP packets from (ip_addr1/port_num1) on <interface> (ip_addr2/port_num2)
Meaning: The NetScreen device has received UDP packets on the indicated interface from the specified source IP address and port number, bound for the specified destination IP address and port number. The NetScreen device logs this information if an admin has enabled such logging through the set firewall log-self ike command.
Action: No recommended action

Message: Gateway <name_str> at <ip_addr> in { main | aggressive } mode with ID: { <string> | [none] } has been { added | deleted | modified }.
Meaning: An admin has added, deleted, or modified the IKE configuration for the specified remote gateway.
Action: No recommended action


Message: IKE <ip_addr>: Received initial contact notification and removed Phase { 1 | 2 } SAs.
Meaning: The local NetScreen device has received an initial contact notification message from a peer and removed all IKE Phase 1 or Phase 2 security associations (SAs) for that peer. Note: When the NetScreen device receives an initial contact notification message, it removes all Phase 1 and Phase 2 SAs. However, because the removal of Phase 1 and Phase 2 SAs occurs separately, the NetScreen device logs both removals separately.
Action: No recommended action

Message: IKE <ip_addr> Phase 1: Responder starts { Main | Aggressive } mode negotiations.
Meaning: The remote peer at the specified IP address has initiated Phase 1 negotiations in either Main or Aggressive mode, and the local NetScreen device (the responder) has begun its response.
Action: No recommended action

Message: IKE <ip_addr>: Removed Phase 2 SAs after receiving a notification message.
Meaning: The local NetScreen device has received a notification message from a peer and removed all IKE Phase 2 security associations (SAs) for that peer. A notification to remove Phase 2 SAs can occur when the lifetime of a Phase 2 SA expires or when the peer manually deletes an SA before it expires. (To delete a specific SA, use the CLI command clear sa <id_number>. To delete all SAs, use the command clear ike all.)
Action: No recommended action


Message: IKE <ip_addr> Rejected first Phase 1 packet from an unrecognized source.
Meaning: The local NetScreen device has rejected the first IKE Phase 1 message from a source that does not match any configured VPN gateway.
Action: Check your VPN configurations and investigate whether you want to build a security association (SA) with the peer at the address from which the message originated.

Message: IKE <ip_addr> Dropped peer packet because no policy uses the peer configuration.
Meaning: The local NetScreen device has dropped a packet from the specified IKE peer because no access policy using that peer can be found.
Action: If you intend to establish a security association (SA) with the specified peer, verify that an access policy permitting traffic via that peer exists and is positioned correctly in the access control list (ACL).

Message: IKE <ip_addr> Heartbeats have been disabled because the peer is not sending them.
Meaning: The local NetScreen device has detected that the specified peer has not enabled IKE heartbeat transmission, so the local device has also disabled heartbeat transmission to that peer. Both ends of the IPSec tunnel must enable IKE heartbeat transmission for this feature to remain active. If the local peer detects that the remote peer has not enabled this feature, the local peer automatically ceases heartbeat transmission.
Action: No recommended action


Message: IKE <ip_addr>: Changed heartbeat interval to <number>.
Meaning: After detecting that the specified peer is using a shorter heartbeat interval than was originally configured locally, the local device has adjusted its rate of heartbeat transmission to that peer.
Action: No recommended action

Message: Local gateway IP address has changed from 0.0.0.0 to <ip_addr>.
Meaning: An admin has changed the IP address that the local device can use for VPN termination from 0.0.0.0 to another address.
Action: No recommended action

Message: Attempt to set tunnel (<name_str>) without IP address at both end points! Check outgoing interface.
Meaning: An admin has unsuccessfully attempted to set up an IPSec SA using the specified VPN tunnel, but at least one of the two tunnel endpoints did not have an IP address.
Action: Check that the outgoing interface for the VPN tunnel on the local IKE peer has an IP address.


Message: IKE <ip_addr> policy id <id_num> fails over from sa <id_num1> to sa <id_num2>
Meaning: The monitoring device in a redundant VPN group has failed over VPN traffic from the tunnel with the security association (SA) <id_num1> to the tunnel with the SA <id_num2>. The IP address belongs to the targeted remote gateway to which the VPN traffic has been redirected. The policy ID number belongs to the policy that references this particular redundant VPN group.
Action: No recommended action

Message: IKE <ip_addr> new sa <tun_id_num1> is up, try to switch policy <pol_id_num> from <tun_id_num2>
Meaning: The monitoring device in a redundant VPN group, having established a security association (SA) with a targeted device that has a higher priority than the currently active target, has attempted to transfer VPN traffic from tunnel <tun_id_num1> to tunnel <tun_id_num2>. The IP address belongs to the targeted remote gateway to which the VPN traffic has been redirected. The policy ID number belongs to the policy that references this particular redundant VPN group.
Action: No recommended action

Message: IKE <ip_addr>: A sa <tun_id_num1> with a higher weight replaced the sa <tun_id_num2> in policy <pol_id_num>.
Meaning: The monitoring device in a redundant VPN group, having established a security association (SA) with a targeted device that has a higher weight (priority) than the currently active target, has failed over VPN traffic from tunnel <tun_id_num2> to tunnel <tun_id_num1>. The IP address belongs to the targeted remote gateway to which the VPN traffic has been redirected. The policy ID number belongs to the policy that references this particular redundant VPN group.
Action: No recommended action


INTERFACE
The following messages relate to interface configurations.

Notification
Message: IP for interface <interface> has been changed from <ip_addr1> to <ip_addr2>.
Meaning: An admin has changed the IP address for the specified interface.
Action: No recommended action

Message: Netmask for interface <interface> has been changed from <mask1> to <mask2>.
Meaning: An admin has changed the netmask for the specified interface.
Action: No recommended action

Message: Manage IP for interface <interface> has been changed from <ip_addr1> to <ip_addr2>.
Meaning: An admin has changed the manage IP address for the specified interface.
Action: No recommended action


Message: Gateway IP for interface <interface> has been changed from <ip_addr1> to <ip_addr2>.
Meaning: An admin has changed the IP address of the gateway for the specified interface.
Action: No recommended action

Message: Interface <interface> in <name_str> with IP <ip_addr> <mask> [ tag <number> ] was created.
Meaning: An admin has created an interface for the specified virtual system. It has the specified IP address, netmask, and VLAN tag.
Action: No recommended action

Message: Interface <interface> in <name_str> was removed.
Meaning: An admin has removed the specified interface from the virtual system.
Action: No recommended action


Message: Maximum bandwidth <number1> kbps on interface <interface> is less than total guaranteed bandwidth <number2> kbps.
Meaning: The specified interface bandwidth settings are insufficient for the total guaranteed bandwidth specified in the traffic shaping option of the access policies that traverse that interface.
Action: Increase the interface bandwidth settings or decrease the traffic shaping bandwidth settings on the access policies.

Message: The configured bandwidth on the interface <interface> has been changed to <number> kbps.
Meaning: An admin has changed the configured bandwidth for the specified interface.
Action: No recommended action

Message: { Global PRO | Ident-reset | Ping | SCS | SNMP | SSL | Telnet | Web } has been { enabled | disabled } on interface <interface>
Meaning: An admin has either enabled or disabled Global PRO, SCS, SNMP, SSL, Telnet, or Web manageability, or ident-reset or ping functionality, for the specified interface.
Action: No recommended action

Message: The operational mode for interface <interface> has been changed to { Route | NAT }.
Meaning: An admin has changed the operational mode for the specified interface to Route or NAT.
Action: Check access policy configurations to ensure that they function properly in the new operational mode.


Message: DHCP client has been { enabled | disabled } on interface <interface>
Meaning: An admin has enabled or disabled DHCP on the specified interface.
Action: Check access policy configurations to ensure that they function properly in the new operational mode.

Message: Interface <interface> was unbound from zone <zone>.
Meaning: An admin unbound the named interface from the specified zone.
Action: No recommended action

Message: Interface <interface1> was bound to zone <zone>.
Meaning: An admin bound the named interface to the specified zone.
Action: No recommended action

Message: Secondary IP address <ip_addr>/<mask> was removed from interface <interface>.
Meaning: An admin successfully removed the specified backup (secondary) IP address from the specified interface. The interface no longer identifies itself by that IP address.
Action: No recommended action


Message: Secondary IP address <ip_addr> was added to interface <interface>.
Meaning: An admin successfully added the specified IP address to the specified interface.
Action: No recommended action

Message: Route between secondary IPs on interface <interface> was { enabled | disabled }.
Meaning: An admin has either enabled or disabled the routes to all secondary IP addresses on the specified interface.
Action: No recommended action

L2TP
The following messages concern the configuration and operation of Layer 2 Tunneling Protocol (L2TP).

Information

Message: Cannot allocate IP addr from Pool <name_str> for user <usr_str>
Meaning: The PPP server cannot assign an IP address from its address pool for the named L2TP user.
Action: You can enlarge the size of the L2TP default IP pool or assign an IP pool specifically to the user:
    set ippool <name> <ip_addr1> <ip_addr2>
    set user <user_name> remote-settings ippool <name_str>

Message: No IP Pool has been assigned. You cannot allocate an IP address
Meaning: There is no L2TP IP address pool on the PPP server.
Action: You must create an L2TP IP pool:
    set ippool <name> <ip_addr1> <ip_addr2>
To make the above IP pool the default L2TP IP pool:
    set l2tp default ippool <name_str>
To use the above IP pool for the specified user:
    set user <user_name> remote-settings ippool <name_str>

Message: Dialup HDLC PPP session has successfully established.
Meaning: An admin successfully established a dialup HDLC PPP session over a NetScreen device.
Action: No recommended action

Message: Dialup HDLC PPP failed to establish a session: <string>.
Meaning: An admin failed to establish a dialup HDLC PPP session over a NetScreen device.
Action: No recommended action

Message: PPP settings changed.
Meaning: PPP parameters changed.
Action: No recommended action

LINK STATUS
The following messages relate to the status of the physical interface links.

Notification

Message: The physical state of the interface <interface> has changed to { up | down }.
Meaning: The physical state of the specified interface has changed from up to down, or from down to up.
Action: No recommended action

LOGS
The following messages relate to the event, traffic, and self logs.

Information

Message: <name_str> has been cleared.
Meaning: An admin has cleared the specified log.
Action: No recommended action

Message: { Alarm | Traffic | Event | Asset recovery | Self } log was reviewed by admin <name>.
Meaning: The named admin has viewed the entries in the specified log.
Action: No recommended action

Message: Log buffer was full and remaining messages were sent to external destination. [ <number> packets were dropped. ]
Meaning: When the log buffer in the NetScreen device reached its capacity, the device sent all log entries to an external host for storage. During the transmission process, the NetScreen device stopped receiving traffic and, as reported on some NetScreen devices, dropped the specified number of packets. Note: After the device transmits all log entries, it resumes receiving and processing traffic.
Action: No recommended action

Message: All logged events or alarms are cleared by admin <name>.
Meaning: The named admin has deleted all entries from the event or alarm log.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Log setting is modified to { enable | disable } <level> level by admin <name>
Meaning: The named admin has either enabled or disabled the logging of messages at the specified severity level: emergency, alert, critical, error, warning, notification, information, or debugging.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

MIP
The following message relates to mapped IP (MIP) addresses.

Notification

Message: Mapped IP <ip_addr1> <ip_addr2> has been { added | modified | deleted }.
Meaning: An admin has added, modified, or deleted the specified mapped IP address.
Action: No recommended action

NACN
The following messages relate to the NetScreen Address Change Notification (NACN) protocol.

Notification

Message: The NACN protocol has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the NACN protocol. When enabled, the NetScreen device attempts to contact the server running Policy Manager whenever an interface IP address change occurs. When disabled, the NetScreen device does not attempt to make contact with the server running Policy Manager when an address change occurs.
Action: No recommended action

Message: NACN Policy Manager { 1 | 2 }'s host field has been unset.
Meaning: A NetScreen device needs to send a host field to the server running Policy Manager to authenticate a client device. An admin cleared the IP address of the server running Policy Manager. 1 = the primary Policy Manager server. 2 = the secondary Policy Manager server.
Action: Set a new IP address for the server running Policy Manager if necessary.

Message: NACN Policy Manager { 1 | 2 }'s password field has been unset.
Meaning: A NetScreen device needs to send a password to the server running Policy Manager to authenticate the client device. An admin cleared the IP address of the server running Policy Manager. 1 = the primary Policy Manager server. 2 = the secondary Policy Manager server.
Action: Set the password for the device on the Policy Manager server. An admin who manages the Policy Manager server needs to register the NetScreen device and sequence it with the server. Set a new IP address for the server running Policy Manager if necessary.

Message: NACN Policy Manager { 1 | 2 }'s policy-domain field has been unset.
Meaning: Policy Manager divides the device into several policy domains, similar to the way a file manager divides a file system into several directory names when directed. If you leave it unset, Policy Manager will search all policy domains instead of a specified domain.
Action: Specify a policy domain in Policy Manager.

Message: NACN Policy Manager { 1 | 2 }'s outgoing interface, used to report NACN to Policy Manager { 1 | 2 }, has not been specified.
Meaning: The interface has been disabled.
Action: Set the interface to any interface name to enable the interface.

Message: NACN Policy Manager { 1 | 2 }'s port field has been reset to the default value.
Meaning: The console port that Policy Manager runs on has been reset to its default value and not the one for which it has been configured.
Action: Enable the interface by assigning it a name.

Message: NACN Policy Manager { 1 | 2 }'s Cert-Subject field has not been specified.
Meaning: Two certificates are significant. One is a certificate that needs to be installed on Policy Manager. The second is a Certificate Authority (CA) certificate that must be installed on the NetScreen device before any activity occurs. During the handshake of both certificates, Policy Manager sends certificates to the device and the device authenticates them using the CA certificate. When the subject name field of the Policy Manager certificate is cleared, the device will accept any certificate signed by the CA certificate.
Action: Specify the expected subject name of the certificate installed on the Policy Manager.

Message: NACN Policy Manager { 1 | 2 }'s CA certificate field has not been specified.
Meaning: The device accepts any Policy Manager whose certificate is directly signed by any CA certificate installed on the NetScreen device.
Action: Specify a CA certificate if necessary.

Message: NACN Policy Manager { 1 | 2 }'s host field has been set to <serv_name>.
Meaning: The Policy Manager server <serv_name>, which receives password information from the NetScreen Address Change Notification (NACN) protocol host, has been set.
Action: No recommended action

Message: NACN Policy Manager { 1 | 2 }'s password field has been set.
Meaning: The NetScreen Address Change Notification (NACN) protocol host password has been set.
Action: No recommended action

Message: NACN Policy Manager { 1 | 2 }'s policy-domain field has been set to <dom_name>.
Meaning: The Policy Manager was set and will search for a specified policy domain.
Action: No recommended action

Message: NACN Policy Manager { 1 | 2 }'s outgoing-interface field has been set to <interface>.
Meaning: The interface has been set and messages can be sent to the Policy Manager.
Action: No recommended action

Message: NACN Policy Manager { 1 | 2 }'s port field has been set to <port_num>.
Meaning: The Policy Manager domain has been set.
Action: No recommended action

Message: NACN Policy Manager { 1 | 2 }'s Cert-Subject field has been set to <name_str>.
Meaning: The subject name field in the Policy Manager certificate was set.
Action: No recommended action

Message: NACN Policy Manager { 1 | 2 }'s CA certificate field has been set to <name_str>.
Meaning: The NetScreen Address Change Notification (NACN) Certificate Authority (CA) has been set to the specified CA name.
Action: No recommended action

Information

Message: NACN successfully registered to Policy Manager <name_str>.
Meaning: The NetScreen Address Change Notification (NACN) protocol successfully sent a request to a NetScreen Policy Manager to begin a session.
Action: No recommended action

Message: NACN failed to register to Policy Manager <name_str> because of { wrong password | the device does not exist | an invalid IP address | an unknown error }.
Meaning: The NetScreen Address Change Notification (NACN) protocol sends requests to a NetScreen Policy Manager to begin a session. This session attempt was not successful.
Action: If the issue is a wrong password, see your Policy Manager admin to determine the right password. If the Policy Manager server does not recognize the device as a valid object on the network, see your admin. If the issue is an invalid IP address, change the IP address of the device to an active address. If the issue is an unknown error, see your admin.

Message: NACN failed to register to Policy Manager <name_str> because the connection timed out or aborted unexpectedly.
Meaning: Each NetScreen Address Change Notification (NACN) attempt to connect to a Policy Manager server has a timeout value that allows the device to continue trying to establish a session until the timeout threshold is reached. Once this value (in seconds) has been exceeded, the session ends. The NACN request exceeded this value and stopped trying to establish a session.
Action: Check your network connection and your NACN settings.

Message: The NACN protocol has started for Policy Manager { 1 | 2 } on hostname <name_str> IP address <ip_addr> port <port_num>.
Meaning: The NACN connection has started between Policy Manager and a node IP address or a device port.
Action: No recommended action

OSPF
The following messages relate to the Open Shortest Path First (OSPF) protocol used for dynamic routing.

Critical

Message: <id_num> hello-packet flood from neighbor (ip = <ip_addr>, router-id = <id_num2>) on interface <interface>, packet is dropped
Meaning: The NetScreen device detected a flood of hello packets from the specified OSPF neighbor arriving at the specified interface. The NetScreen device has begun dropping hello packets it receives from that neighbor. Occasionally, the interval between instances of OSPF hello packet generation by a routing instance can be very low, resulting in excessive hello packets sent to another device over a short period of time. This hello-packet flood can overtax the receiving routing instance's memory and CPU processing.
Action: Remove the connection between the current virtual routing instance and its offending OSPF neighbor.

Message: <id_num> lsa flood on interface <interface> has dropped a packet.
Meaning: Occasionally, the interval between instances of Link State Advertisement (LSA) generation by a routing instance can be very low, resulting in multiple LSAs sent to another device over a short period of time. This event is an LSA flood and can overtax the receiving routing instance's memory and CPU processing. Dropping the packets thwarts attacks on the NetScreen device by hackers using LSA flooding.
Action: Remove the connection between the current virtual routing instance and its offending neighbor.
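The message templates in the Logs, NACN and OSPF sections above can be turned into matchers for a log pipeline. The following added example, which is not part of this guide or of ScreenOS, compiles the guide's own template syntax into regular expressions and runs them over a few constructed event lines, flagging the log-clearing and log-level changes the guide says to confirm against an authorized admin, the OSPF hello-packet flood, and the NACN registration failure. The syslog prefix layout, the host name, and the admin names are assumptions.

```python
import re
from typing import Optional

# Guide template syntax: { a | b } = one alternative, <name> = a field, [ ... ] = optional.
# (template, severity section, guide's recommended action), copied from the Logs,
# NACN and OSPF sections.
TEMPLATES = {
    "log_cleared": ("All logged events or alarms are cleared by admin <name>.",
                    "notification", "confirm appropriate and by an authorized admin"),
    "log_level_changed": ("Log setting is modified to { enable | disable } <level> level "
                          "by admin <name>",
                          "notification", "confirm appropriate and by an authorized admin"),
    "log_reviewed": ("{ Alarm | Traffic | Event | Asset recovery | Self } log was reviewed "
                     "by admin <name>.", "information", "none"),
    "log_buffer_full": ("Log buffer was full and remaining messages were sent to external "
                        "destination. [ <number> packets were dropped. ]", "information", "none"),
    "ospf_hello_flood": ("<id_num> hello-packet flood from neighbor (ip = <ip_addr>, "
                         "router-id = <id_num2>) on interface <interface>, packet is dropped",
                         "critical", "remove the connection to the offending OSPF neighbor"),
    "nacn_register_failed": ("NACN failed to register to Policy Manager <name_str> because of "
                             "{ wrong password | the device does not exist | an invalid IP "
                             "address | an unknown error }.",
                             "information", "see the Policy Manager admin or fix the device IP"),
}

_TOKEN = re.compile(r"\{[^}]*\}|<[^>]+>|\[[^\]]*\]")


def _literal(text: str) -> str:
    # Escape literal template text; each whitespace run matches one or more blanks.
    body = r"\s+".join(re.escape(w) for w in text.split())
    lead = r"\s*" if text[:1].isspace() else ""
    trail = r"\s*" if body and text[-1:].isspace() else ""
    return lead + body + trail


def template_to_regex(template: str, counter: Optional[list] = None) -> str:
    """Translate one guide template into a regex with a named group per field."""
    counter = counter if counter is not None else [0]  # numbers the { | } choices
    out, pos = [], 0
    for m in _TOKEN.finditer(template):
        out.append(_literal(template[pos:m.start()]))
        tok = m.group(0)
        if tok[0] == "{":    # { a | b } -> (?P<choiceN>a|b)
            counter[0] += 1
            alts = "|".join(re.escape(a.strip()) for a in tok[1:-1].split("|"))
            out.append("(?P<choice%d>%s)" % (counter[0], alts))
        elif tok[0] == "<":  # <name> -> (?P<name>.+?)
            out.append("(?P<%s>.+?)" % tok[1:-1])
        else:                # [ ... ] -> optional tail, compiled recursively
            out.append("(?:\\s*%s)?" % template_to_regex(tok[1:-1].strip(), counter))
        pos = m.end()
    out.append(_literal(template[pos:]))
    return "".join(out)


COMPILED = {n: (re.compile("^" + template_to_regex(t) + "$"), sev, act)
            for n, (t, sev, act) in TEMPLATES.items()}
_PREFIX = re.compile(r"^\S+ \S+ \S+ ns: ")  # assumed syslog layout: "date time host ns: msg"


def classify(message: str) -> Optional[dict]:
    """Return the first template the message body matches, with its extracted fields."""
    for name, (rx, sev, act) in COMPILED.items():
        m = rx.match(message)
        if m:
            return {"name": name, "severity": sev, "action": act,
                    "fields": {k: v for k, v in m.groupdict().items() if v}}
    return None


def _needs_review(f: dict, authorized: frozenset) -> bool:
    if f["severity"] == "critical":
        return True
    if f["name"] in ("log_cleared", "log_level_changed"):
        # Clearing a log or disabling a level hides later evidence; the guide asks that
        # the admin be confirmed as authorized, so an unknown admin name is flagged.
        return f["fields"].get("name") not in authorized
    return f["name"] == "nacn_register_failed"


def scan(lines, authorized_admins=()):
    """Classify each line; flag the findings the guide says to verify or act on."""
    findings = []
    for line in lines:
        f = classify(_PREFIX.sub("", line.strip(), count=1))
        if f is not None:
            f["needs_review"] = _needs_review(f, frozenset(authorized_admins))
            findings.append(f)
    return findings


# Constructed sample lines (not real device output); host and admin names are made up.
SAMPLE_LOG = [
    "2003-05-12 10:32:01 fw1 ns: All logged events or alarms are cleared by admin bob.",
    "2003-05-12 10:32:09 fw1 ns: Log setting is modified to disable alert level by admin mallory",
    "2003-05-12 10:33:40 fw1 ns: Event log was reviewed by admin alice.",
    "2003-05-12 10:35:02 fw1 ns: Log buffer was full and remaining messages were sent to "
    "external destination. 17 packets were dropped.",
    "2003-05-12 10:36:15 fw1 ns: 7 hello-packet flood from neighbor (ip = 10.1.1.5, "
    "router-id = 10.1.1.5) on interface ethernet3, packet is dropped",
    "2003-05-12 10:37:00 fw1 ns: NACN failed to register to Policy Manager pm-primary "
    "because of wrong password.",
]
```

With `scan(SAMPLE_LOG, {"alice", "bob"})` the log cleared by bob passes, while the level change by the unknown admin mallory, the OSPF flood, and the NACN failure come back with needs_review set.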

Notification

Message: { Set | Unset } vrouter <vrouter> protocol ospf <string>
Meaning: An admin has set or unset a parameter for an OSPF virtual routing instance. For example, the admin may have set the threshold for hello packets.
Action: No recommended action

Message: { Set | Unset } vrouter <vrouter> <string>
Meaning: An admin has set or unset a parameter for the specified virtual router.
Action: No recommended action

Message: OSPF routing instance in vrouter <vrouter> is created.
Meaning: An admin has added an Open Shortest Path First (OSPF) virtual routing instance to the specified virtual router. This object generates Link State Advertisements (LSAs), can be mapped to an area, and has other OSPF attributes.
Action: No recommended action

Message: ospf instance in vrouter <vrouter> is deleted.
Meaning: An admin has removed an Open Shortest Path First (OSPF) virtual routing instance from the specified virtual router.
Action: No recommended action

Message: vrouter <vrouter> was { set | unset }.
Meaning: An admin either set or unset an OSPF instance in the specified virtual router.
Action: No recommended action

Message: A route-map entry with sequence number <number1> in route map <name_str> in virtual router <vrouter> has been removed
Meaning: A route map with a specified sequence number from the current virtual routing instance was removed, indicating that the instance no longer has a way to evaluate packets based on conditions set in the removed route map. (Sequence numbers identify the placement of a specific route map entry in the route map entry list.)
Action: No recommended action

Message: A route-map <name_str> in virtual router <vrouter> has been removed
Meaning: An admin removed a route map with a specified name from the current virtual routing instance, indicating that the instance no longer has a way to evaluate packets based on conditions set in the removed route map.
Action: No recommended action

Message: A route-map entry with sequence-number <number> in route-map <name_str> in virtual router <vrouter> has been created
Meaning: An administrator added a new route entry to the identified route map. This route entry contains the specified sequence number. Sequence numbers identify the placement of a specific route map entry in the route map entry list.
Action: No recommended action

Message: access list <id_num> sequence number <number> permit | deny ip <ip_addr>/<mask> deleted in vrouter <vrouter>
Meaning: An admin removed the specified access list entry from the virtual router.
Action: No recommended action

Message: access list <id_num> deleted in vrouter <vrouter>
Meaning: An admin removed the specified access list from the virtual router.
Action: No recommended action

Message: access list <id_num> created in vrouter <vrouter>.
Meaning: An admin created an access list on the specified virtual router.
Action: No recommended action

Message: access list <id_num> sequence number <number> permit | deny ip <ip_addr>/<mask> created in vrouter <vrouter>
Meaning: An admin created an access list entry on the specified virtual router.
Action: No recommended action

Information

Message: <id_num1> NBR change, rtid <id_num2> <ip_addr> state = <string>
Meaning: The neighbor state of the specified device has changed.
Action: No recommended action

PKI
The following messages relate to Public Key Infrastructure (PKI).

Critical

Message: PKI: The current device failed to save the { certificate authority configuration | key }.
Meaning: During a configuration synchronization between NSRP cluster members, the local NetScreen device was unable to store either the certificate authority (CA) configuration data or the public/private key pair in the allocated storage area in flash memory. The CA configuration contains CA-related information, such as Simple Certificate Enrollment Protocol (SCEP) server locations and CRL server locations. The public/private key pair is used for encrypting data. What one key in the pair encrypts, the other key, and only the other key, can decrypt.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to save the PKI object again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: Failed to { locate | delete } the key.
Meaning: The NetScreen device failed to locate or delete a public/private key pair.
Action: If the NetScreen device fails to locate a key pair, generate a new public/private key pair. If this action does not correct the problem, contact NetScreen technical support. If the NetScreen device fails to delete a key pair, reboot the device and try again.

Message: PKI: The device failed to save the key object.
Meaning: An admin unsuccessfully attempted to save a key pair to flash memory but the key pair was corrupted.
Action: Obtain and load a new key pair.

Message: PKI: The device failed to save the DSA/RSA key.
Meaning: The NetScreen device was unable to save either the DSA or RSA public/private key pair when it received a local certificate via the Simple Certificate Enrollment Protocol (SCEP). If the certificate authority (CA) changed the subject name in the certificate, the NetScreen device no longer associates the key pair with that certificate and rejects the key pair.
Action: Investigate whether the CA changed the subject name in the certificate. If so, generate a new certificate request (a PKCS #10 file that includes a new public/private key pair) and resubmit your request to the CA.

Message: PKI: The device cannot load the X.509 object into the flash file <filename>.
Meaning: An admin unsuccessfully attempted to load the specified X.509 object (certificate or CRL) into the NetScreen device, but the number of X.509 objects in the database table exceeded the maximum number of objects allowed in the table.
Action: Remove obsolete or unneeded X.509 objects (also referred to as PKI objects) from the device database table to bring the number of objects in the database table below the maximum value. Contact NetScreen technical support to identify the maximum number of PKI objects allowed in the device database table. Each device has a different maximum.

Message: PKI: The device has no memory to load PKI objects, filename <filename>.
Meaning: An admin unsuccessfully attempted to load the specified PKI object (certificate or CRL) into the NetScreen device, but there was not enough RAM available to receive the object.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to load the PKI object again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot load X.509 {certificate | CRL}, filename <filename>.
Meaning: The device cannot load the specified PKI object from an outside source to RAM. The filename can be the name of a certificate or certificate revocation list (CRL).
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to load the PKI object again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device has no memory to generate PKCS10 data.
Meaning: The NetScreen device does not have enough RAM to generate the data for a PKCS #10 (Certificate Request Syntax Standard) certificate request.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the data again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to generate PKCS10 data.
Meaning: The NetScreen device was unable to format the PKCS #10 data correctly for a certificate request.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to generate the certificate request file in PKCS10 format.
Meaning: The NetScreen device was unable to generate a certificate request file in PKCS #10 (Certificate Request Syntax Standard) format.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If there appears to be sufficient RAM available, reboot the NetScreen device and attempt to generate the certificate request again. If there appears to be a severe memory problem or if your second attempt was also unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to send the PKCS10 certificate request file via email.
Meaning: The NetScreen device was unable to send the PKCS #10 certificate request file via e-mail.
Action: Ensure that the Simple Mail Transfer Protocol (SMTP) configuration settings on the NetScreen device and the e-mail address of the recipient are correct, and then try again.

Message: PKI: The device failed to send an X.509 certificate request in PKCS10 format.
Meaning: The NetScreen device did not use the standard PKCS #10 format when sending an X.509 certificate request to a certificate authority (CA).
Action: Reconfigure the X.509 certificate request and try sending it to the CA again.

Message: PKI: The device has detected zero DSA/RSA key length input. Use 1024 bits default.
Meaning: An admin has attempted to generate a public/private key pair with a key length of 0, which is invalid. To correct this problem, the NetScreen device reverts to the default key length of 1,024 bits.
Action: No recommended action

Message: PKI: The device failed to save the { RSA | DSA } key.
Meaning: Although the NetScreen device was successful in generating a DSA or RSA key pair, it was unable to save the key pair.
Action: Free up space in the flash memory by removing obsolete or unused objects from the database.

Message: PKI: The device failed to generate a certificate request.
Meaning: The NetScreen device was unable to generate a PKCS #10 formatted file to use when requesting a certificate.
Action: Reboot the NetScreen device, and try to generate a PKCS #10 formatted certificate request again. If the problem persists, open a console session with the NetScreen device, and do either of the following:
    Enter the get tech-support command, copy the output, and paste it in a text file.
    Enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command.
Then, attach the text file containing the tech-support output to an email message that describes the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot generate a certificate request because there is no control data.
Meaning: The NetScreen device did not have the necessary control data to generate a certificate request. Control data is all the configuration necessary for the successful generation of a PKCS #10 file.
Action: Reconfigure the certificate request control data and regenerate a PKCS #10 file.

Message: PKI: The device cannot locate the keypair with id <id_num> to generate certificate request.
Meaning: When attempting to submit a certificate request, the NetScreen device was unable to locate the specified public/private key pair.
Action: Use the following CLI command to check that a key pair exists for this ID number: get pki x509 list key-pair

Message: PKI: The device cannot find the RSA/DSA key pair to generate certificate request.
Meaning: When attempting to submit a certificate request, the NetScreen device was unable to locate a public/private key pair because the content was lost. Consequently, the NetScreen device aborted the request operation.
Action: Generate another certificate request with a new key pair.

Message: PKI: The device cannot find the subject DN to generate certificate request.
Meaning: The NetScreen device unsuccessfully attempted to generate a PKCS #10 certificate request file, but was unable to find the subject entry in the distinguished name.
Action: Reconfigure the certificate request with a valid subject entry in the distinguished name. (Note: Do not use any extended ASCII characters, such as #, -, or +, when entering the subject name.)

Message: PKI: The device cannot decode the public key of certificate <name_str>.
Meaning: The NetScreen device was unable to decode the public key in the specified certificate.
Action: Request another certificate.

Notification

Message: X509 certificate with subject name <name_str> is deleted.
Meaning: An admin has deleted an X509 certificate with the specified subject name from the NetScreen device.
Action: No recommended action

Message: PKI: A configurable item DN's { Name | phone | e-mail | country | state | county/locality | organization | unit/department | IP address | e-mail to } field has changed from { <string1> to none | none to <string2> | <string1> to <string2> }.
Meaning: An admin has changed the specified common name (CN) field within the distinguished name (DN) of an X509 certificate request.
Action: No recommended action

Message: PKI: A configurable item raw CN setting field has changed from { enabled to disabled | disabled to enabled }.
Meaning: An admin has enabled or disabled the use of the certificate name alone (as opposed to a concatenation of all the common names) as the distinguished name (DN) of the X509 certificate request.
Action: No recommended action

Message: PKI: A configurable item default certificate validation level field has changed from { full to partial | partial to full }.
Meaning: An admin has changed the certificate validation level either from full to partial or from partial to full. Full means that the NetScreen device validates a peer's certificate by checking all the CAs in the hierarchical PKI validation path of the peer's certificate until it verifies the root CA certificate, which must be loaded on the NetScreen device. Partial means that the NetScreen device verifies the first CA certificate, which must be loaded on the NetScreen device to be verified, in the hierarchical PKI validation path of a peer's certificate.
Action: No recommended action

Message: PKI: A configurable item certificate FQDN field has changed from <string1> to <string2>.
Meaning: An admin has changed the certificate validation level either from full to partial or from partial to full. Full means that the NetScreen device validates a peer's certificate by checking all the CAs in the hierarchical PKI validation path of the peer's certificate until it verifies the root CA certificate, which must be loaded on the NetScreen device. Partial means that the NetScreen device verifies the first CA certificate, which must be loaded on the NetScreen device to be verified, in the hierarchical PKI validation path of a peer's certificate.
Action: No recommended action

Message: PKI: A configurable item default LDAP server name field has changed from { <ip_addr1> to <ip_addr2> | <dom_name1> to <dom_name2> }.
Meaning: An admin has changed the IP address or domain name of the default LDAP server that manages the certificate revocation list (CRL).
Action: No recommended action

Message: PKI: A configurable item default LDAP server CRL URL field has changed from <string1> to <string2>.
Meaning: An admin has changed the URL for the default LDAP server at which the certificate revocation list (CRL) is accessed.
Action: No recommended action

Message: PKI: A configurable item e-mail address to send certificate request field has changed from <number1> to <number2>.
Meaning: An admin has changed the e-mail address to which the NetScreen device can send an X509 certificate request.
Action: No recommended action

Message: PKI: A configurable item default CRL Refresh Frequency field has changed from <number1> to <number2>.
Meaning: An admin has changed the contents of the fully qualified domain name (FQDN) field in an X509 certificate request.
Action: No recommended action

Message: PKI: A configurable item SCEP's { CA | RA } CGI URL field has changed from <string1> to <string2>.
Meaning: An admin has changed the HTTP URL or LDAP URL of the common gateway interface (CGI) on the CA server for either the certificate authority (CA) or registration authority (RA). The CGI identifies the script path used by the CA server to process the incoming Simple Certificate Enrollment Protocol (SCEP) request.
Action: No recommended action

Message Meaning

PKI: A configurable item SCEPs { CA IDENT | challenge password } field has changed from <name_str1> to <name_str2>. An admin has changed the CA IDENT or the Challenge password. The CA IDENT uniquely identifies the initiator of a Simple Certificate Enrollment Protocol (SCEP) request to the responding CA server. The end entity (EE) can use the challenge password, included in the PKCS #10 certificate request, to validate its identity when requesting the CA to revoke the EEs certificate. No recommended action

Action

Message Meaning Action

PKI: A configurable item CRLs signature verification field has changed from { 0 to 1 | 1 to 0 }. An admin has enabled (1) or disabled (0) the use of digital signaturesusing the Digital Signature Standard (DSS)to check the integrity of CRL content that the NetScreen device references. No recommended action

Message: PKI: The device failed to store the authority configuration.
Meaning: An admin unsuccessfully attempted to load a certificate authority (CA) configuration on the NetScreen device. A likely cause for this failure is that the device allocated insufficient space in flash memory for the CA configuration. The CA configuration contains CA-related information, such as Simple Certificate Enrollment Protocol (SCEP) server locations and CRL server locations.
Action: Report the issue to NetScreen technical support.


Message: create new authcfg for CA <id_num>
Meaning: An admin has created a new configuration for the certificate authority with the specified ID number.
Action: No recommended action

Message: PKI: NSRP cold sync start for total of <number> items.
Meaning: When the local NetScreen device came online in an NSRP cluster, an existing cluster member started a cold sync of the specified number of PKI objects from itself to the newly arrived member. The cold sync operation automatically synchronizes all PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations, between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.
Action: No recommended action

Message: PKI: NSRP sync received cold sync item <number1> out of order, expect <number2> of <total_number>.
Meaning: During a cold sync operation between members of an NSRP cluster, the local NetScreen device received a PKI item out of numerical order. The NetScreen device expected to receive item <number2> but received item <number1> instead. When NSRP cluster members perform a cold sync of PKI objects, the sender notifies the receiver of the total number of objects to expect. It then sends them in the order in which they appear in the PKI object table in flash memory. If an object arrives out of order, the devices stop the current cold sync attempt and begin another one. Cluster members can make up to a total of 30 attempts to synchronize PKI objects.
Action: No recommended action


Message: PKI: NSRP sync received cold sync item <number> without first item.
Meaning: At the start of a cold sync operation between members of an NSRP cluster, the local NetScreen device initially received a PKI object other than the first one in the PKI object table. When NSRP cluster members perform a cold sync of PKI objects, the sender sends the objects in the order in which they appear in the PKI table in flash memory. If the transmission begins with any object other than the first one, the devices stop the current cold sync attempt and begin another one. Cluster members can make up to a total of 30 attempts to synchronize PKI objects.
Action: No recommended action

Message: PKI: NSRP sync received normal item during cold sync.
Meaning: During a cold sync operation between members of an NSRP cluster, the local NetScreen device received a PKI object that was not in the list of items being synchronized and stopped the current cold sync attempt. If one cold sync attempt is unsuccessful, the cluster members can make up to 29 more attempts to synchronize them. The cold sync operation automatically synchronizes all PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations, between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each.
Action: No recommended action


Message: PKI: The X.509 { certificate | certificate revocation list } cannot be loaded during NSRP synchronization.
Meaning: During a cold sync of PKI objects between members of an NSRP cluster, the NSRP peer was unable to load either a certificate or a certificate revocation list (CRL).
Action: Perform a manual file synchronization using either of the following CLI commands:
  To synchronize all files: exec nsrp sync file from peer
  To synchronize a specific file: exec nsrp sync file name name_str from peer

Message: PKI: The certificate revocation list has expired, issued by certificate authority <name_str>.
Meaning: The certificate revocation list (CRL) obtained from the specified certificate authority (CA) has expired.
Action: Obtain a current CRL from the CA.

Message: PKI: The { file name | friendly name of a certificate | vsys name } is too long <number1> to do NSRP synchronization, allowed <number2>.
Meaning: A file name, a friendly name (that is, the user-defined name) for a certificate, or a virtual system (vsys) name contains more characters than the maximum allowed for NSRP synchronization. The maximum number of characters for these three names is as follows:
  file name: 31
  friendly name: 7
  vsys name: 31
Action: Reduce the number of characters that compose the name to fit within the prescribed limit.


Message: PKI: The NSRP high availability synchronization <cmd_id> failed.
Meaning: When one member of an NSRP cluster attempted a cold sync of its PKI objects with another member of the cluster, one of the following synchronization commands failed:
  0x00010000: synchronize certificate files
  0x00020000: synchronize RSA key files
  0x00030000: synchronize DSA key files
  0x00040000: synchronize deleted X.509 objects
  0x00050000: synchronize the refreshed trust store
  0x00060000: synchronize deleted CRLs
  0x00070000: synchronize SCEP local certificates
  0x00080000: synchronize SCEP CA certificates
  0x00090000: synchronize added CA configurations
  0x000A0000: synchronize deleted CA configurations
  0x000B0000: synchronize added CRLs
  0x000C0000: synchronize deleted RSA keys
  0x000D0000: synchronize deleted DSA keys
The cold sync operation automatically synchronizes all PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations, between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.
Action: No recommended action


Message: PKI: The device failed to coldsync the PKI object at <number> attempt.
Meaning: During a cold sync operation between members of an NSRP cluster, the NetScreen devices were unable to synchronize a PKI object at the specified cold sync attempt. The cold sync operation automatically synchronizes all PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations, between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.
Action: No recommended action

Message: PKI: The device completed the coldsync of the PKI object at <%d> attempt.
Meaning: NSRP cluster members were able to successfully complete a cold sync operation at the specified attempt. The operation synchronizes PKI objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.
Action: No recommended action


Message: PKI: A configurable item SCEP mode has changed [ from <string1> to <string2> | from none to <string1> | from <string1> to none ].
Meaning: An admin has changed the SCEP mode from one value to another, from none to the specified value, or from the specified value to none. For example, an admin might change the mode for trusting a CA certificate received via the Simple Certificate Enrollment Protocol (SCEP) from auto to manual (0 to 1) or from manual to auto (1 to 0). To verify the integrity of a newly loaded CA certificate, you can compare its fingerprint (a hash of part of the certificate) with the hash of the same certificate available elsewhere (such as at the CA's Web site). If the two hashes match, you can trust that its integrity is intact. Until you have confirmed its integrity, you can decide whether to trust or distrust the CA certificate. When the SCEP mode is set to auto (0), the NetScreen device automatically trusts CA certificates received via SCEP. When the SCEP mode is set to manual (1), the NetScreen device distrusts them until you have confirmed their integrity and manually approved them (set pki auth <cert_id_number> scep authentication { failed | passed }).
Action: No recommended action

Message: PKI: X.509 { certificate | CRL } file has been loaded successfully, filename <filename>.
Meaning: An admin has successfully loaded the PKI object, a certificate or a certificate revocation list (CRL), specified by the filename.
Action: No recommended action


Message: PKI: The RSA key length has changed from { 512 | 768 | 1024 | 2048 } to { 512 | 768 | 1024 | 2048 }.
Meaning: An admin has changed the bit length of an RSA public/private key pair from the first value to the second value.
Action: No recommended action

Message: PKI: The X.509 certificate for the ScreenOS image authentication is invalid.
Meaning: When an admin attempted to load an X.509 certificate to update the DSA key for authenticating the ScreenOS image, the NetScreen device determined the certificate file to be invalid. In FIPS mode, the code image is digitally signed in the factory and authenticated by the signer's public key when the system boots. The signer's digital certificate (and hence the accompanying public key) is loaded into the system by the save image-key tftp <ip_addr> <filename> command. This error happens when the system cannot decode the Distinguished Encoding Rules (DER)-encoded certificate received from the Trivial File Transfer Protocol (TFTP) server.
Action: Check the name of the X.509 certificate or generate a new certificate. Request another certificate.

Message: PKI: The device failed to decode the public key of the image's signer certificate.
Meaning: When loading an X509 certificate for updating the DSA key that authenticates the ScreenOS image, the NetScreen device was unable to decode and load the public key within the X509 certificate.
Action: Check the subject name of the certificate. Request another certificate.


Message: PKI: The signature of the image's signer certificate cannot be verified.
Meaning: The public key failed to verify the signature of the image signer certificate received from the Trivial File Transfer Protocol (TFTP) server.
Action: Check the signature of the image signer certificate.

Message: PKI: The public key of image's signer has been loaded successfully, for future image authentication.
Meaning: An admin has successfully updated the DSA key that authenticates the ScreenOS image.
Action: No recommended action

Message: PKI: The device successfully generated a new { RSA | DSA } key pair.
Meaning: The NetScreen device successfully generated an RSA or DSA public/private key pair.
Action: No recommended action

Message: PKI CRL: no revoke info, accept per config, DN <name_str>.
Meaning: An admin has configured the NetScreen device to accept the certificate with the specified distinguished name even if it is not possible to check its current status in a certificate revocation list (CRL).
Action: No recommended action


Message: PKI: no cert revocation check per config, DN <name_str>.
Meaning: An admin has configured the NetScreen device not to check a certificate revocation list (CRL) for the status of the certificate with the specified distinguished name. (Note: For security reasons, NetScreen recommends disabling CRL checking only for testing purposes.)
Action: No recommended action

Message: PKI: The device could not generate { RSA | DSA } key pair.
Meaning: The NetScreen device was unable to generate an RSA or DSA public/private key pair.
Action: Try generating the key pair again.

Message: PKI: The device cannot load the CA certificate received through SCEP.
Meaning: The NetScreen device was unable to load a certificate it received through the Simple Certificate Enrollment Protocol (SCEP) to RAM.
Action: First, check that the CA certificate is valid by trying to open it. If you can open a certificate, it is valid. Also check the expiration date. If you cannot open the certificate or it has expired, it is invalid and you must request another one. If the certificate is valid, reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.


Message: PKI: The device cannot load the X.509 local certificate received through SCEP.
Meaning: The NetScreen device was unable to load the X.509 local certificate that it received through the Simple Certificate Enrollment Protocol (SCEP).
Action: Attempt to load the certificate manually. If that fails, reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the certificate again. If there appears to be a severe memory problem or if your attempts continue to be unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The X.509 local certificate cannot be sync to vsd member.
Meaning: The local NetScreen device in an NSRP cluster cannot synchronize a certificate acquired through the Simple Certificate Enrollment Protocol (SCEP) with another member in the NSRP cluster. If a failover occurs, the newly elected master might be unable to support the IPSec SA relying on this certificate.
Action: Check that the internal ID numbers of PKI objects stored in both devices do not conflict. If the internal ID number for the local certificate on the device from which you want to synchronize files is in use for another PKI object on the peer, the synchronization fails. Enter the following command to check ID numbers on both devices (note that the internal ID number is listed in the second column in the output): get pki x509 list local. If you find a conflict, delete the PKI object with the conflicting ID number on the device to which you want to synchronize files and synchronize files again with the following CLI command: exec nsrp sync file from peer.


Message: PKI: The certificate <name_str> will expire, please renew.
Meaning: The Simple Certificate Enrollment Protocol (SCEP) has notified the admin to renew the specified certificate because it is about to expire and the automatic renewal feature is not enabled.
Action: Renew the certificate.

Message: PKI: The certificate <name_str> will expire, auto renew.
Meaning: The NetScreen device automatically submitted a renewal request for the specified certificate through the Simple Certificate Enrollment Protocol (SCEP) as prescribed by the renewal interval configuration.
Action: No recommended action

Message: PKI: The device cannot load a certificate pending SCEP completion.
Meaning: An admin attempted to load a certificate still pending the completion of the Simple Certificate Enrollment Protocol (SCEP) process.
Action: Wait for the SCEP procedure to complete before loading the certificate.

Message: upgrade to 4.0, copy authcfg from global.
Meaning: An admin upgraded the device to ScreenOS 4.0.0 from a previous version of ScreenOS. The configuration related to each certificate authority (CA) is now associated with each individual CA certificate.
Action: No recommended action


Message: PKI: The device is loading the version 0 PKI data.
Meaning: The NetScreen device is loading a version of the certificate database that is earlier than the current version. This action can occur if the NetScreen device is an older model.
Action: No recommended action

Message: PKI: The device has failed to load an invalid X.509 object.
Meaning: When loading X.509 objects (also referred to as PKI objects) from flash memory to RAM during bootup or during an NSRP cold sync operation, the NetScreen device detected an object whose recorded title was a different length from that of its current title. Typical X.509 objects are certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.
Action: If you have a list of all X.509 objects and can deduce the invalid object by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for the invalid object.


Message: PKI: The device has detected invalid X.509 object content.
Meaning: When loading X.509 objects (also referred to as PKI objects) from flash memory to RAM during bootup or during an NSRP cold sync operation, the NetScreen device detected an object whose recorded content was a different length from that of its current content. For example, invalid X.509 object content in a certificate revocation list (CRL) might have more entries recorded than it currently displays. Typical X.509 objects are certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.
Action: If you have a list of all X.509 objects and can deduce the invalid object by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for the invalid object.

Message: PKI: The device cannot load the X.509 { certificate | certificate revocation list } during boot.
Meaning: During device initialization, the NetScreen device was unable to load a certificate or certificate revocation list (CRL) stored in flash memory because the certificate or CRL had become corrupted.
Action: If you have a list of all X.509 objects and can deduce the corrupted object by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for the corrupted certificate or CRL.

Message: PKI: The device cannot extract the X.509 certificate revocation list.
Meaning: The NetScreen device was unable to decode a certificate revocation list (CRL) it received from a certificate authority (CA).
Action: Obtain another CRL from the certificate authority and reload it.


Message: PKI: The device detected an invalid RSA key.
Meaning: During bootup or an NSRP cold sync operation, the NetScreen device detected an invalid RSA public/private key pair, which it was unable to load to RAM from flash memory.
Action: Generate a new RSA key pair.

Message: PKI: The device failed to install the RSA key.
Meaning: The NetScreen device unsuccessfully attempted to load an RSA key pair from a flash memory file to RAM.
Action: Regenerate the RSA key pair.

Message: PKI: The device detected an invalid digital signature algorithm (DSA) key.
Meaning: The NetScreen device obtained the DSA key pair from a flash memory file but was unable to correct a corrupted portion of the file, and so failed to load the key pair to RAM.
Action: Regenerate the DSA key pair.

Message: PKI: failed to install DSA key.
Meaning: The NetScreen device unsuccessfully attempted to load the Digital Signature Algorithm (DSA) key pair from a flash memory file to RAM.
Action: Regenerate the DSA key pair.


Message: PKI: The configuration content of certificate authority <name_str> is not valid.
Meaning: The NetScreen device has loaded the configuration to flash memory but cannot decode it. This error occurred because a conversion failed in the flash memory.
Action: Reenter the configuration settings for the certificate authority.

Message: PKI: The device failed to save the certificate authority related configuration.
Meaning: When loading a certificate authority (CA) configuration from a flash file to RAM, the NetScreen device was unable to save it.
Action: Reenter the configuration information for the certificate authority.

Message: PKI: The device has detected an invalid X.509 object attribute <number>.
Meaning: The configuration type for one of the following X.509 objects (also referred to as PKI objects) is incorrect:
  0x0000F001: CA certificate
  0x0000F002: Local certificate
  0x0000F004: RSA public/private key pair
  0x0000F005: DSA public/private key pair
  0x0000F009: Certificate revocation list (CRL)
  0x0000F00A: Pending local certificate
  0x0000F00B: Certificate authority configuration
Action: If you have a list of all X.509 objects and can deduce the object with the invalid attribute by comparing that list with the output of the get pki x509 list { ca-cert | cert | crl | key-pair | local-cert | pending-cert } command, you can obtain a replacement for that object. If a CA configuration attribute is invalid, manually reenter the configuration settings for that CA.


Message: PKI: The device cannot find the PKI object <id_num> during cold sync.
Meaning: When attempting to cold sync PKI objects between members of an NSRP cluster, the NetScreen device was unable to locate the specified object. The cold sync operation automatically synchronizes all PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations, between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.
Action: No recommended action

Message: PKI: The device failed to remove existing authority configuration when nsrp sync.
Meaning: During a configuration synchronization between NSRP cluster members, the local NetScreen device did not replace the existing certificate authority (CA) configuration.
Action: Perform a manual file synchronization using either of the following CLI commands:
  To synchronize all files: exec nsrp sync file from peer
  To synchronize a specific file: exec nsrp sync file name name_str from peer

Message: PKI: The device cannot load the X.509 certificate file.
Meaning: The NetScreen device cannot load a certificate from flash memory to RAM during bootup or an NSRP cold sync operation.
Action: If you have a list of all X.509 objects and can deduce the corrupted certificate file by comparing that list with the output of the get pki x509 list { ca-cert | cert | local-cert | pending-cert } command, you can obtain a replacement for the corrupted certificate.

Message: PKI: The device cannot load the X.509 certificate revocation list during boot.
Meaning: During the bootup process, the NetScreen device was unable to load an X.509 certificate revocation list (CRL) from flash memory to RAM.
Action: Obtain another CRL and reload it.

Message: PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.
Meaning: The NetScreen device cannot load an X.509 certificate revocation list (CRL) from a file in flash memory to RAM.
Action: Obtain another CRL and reload it.

Message: PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].
Meaning: The device cannot decode the CRL stored in flash memory because the list has become corrupted.
Action: Obtain and load a new CRL.


Message: PKI: Upgrade from earlier version, save to file.
Meaning: When an admin upgraded the ScreenOS image, the NetScreen device successfully assigned PKI objects ID numbers in RAM and then saved the objects with their ID numbers to flash memory.
Action: No recommended action

Message: PKI: no nsrp sync for pre 2.5 objects.
Meaning: When attempting to synchronize PKI objects between members of an NSRP cluster, the NetScreen device detected PKI objects stored on the device prior to ScreenOS 2.5.0. These objects cannot be synchronized.
Action: Delete the pre-ScreenOS 2.5.0 objects and synchronize files again with the following CLI command: exec nsrp sync file from peer.

Message: PKI: The device cannot load X.509 certificate onto the device, certificate <name_str>.
Meaning: When loading a certificate onto the device, the device was unable to save the certificate to RAM.
Action: First, check that the certificate is valid by trying to open it. If you can open a certificate, it is valid. Also check the expiration date. If you cannot open the certificate or it has expired, it is invalid and you must request another one. If the certificate is valid, reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the certificate again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.


Message: PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.
Meaning: When synchronizing PKI objects between members of the same NSRP cluster, the local NetScreen device was unable to synchronize a DSA or RSA public/private key pair with another cluster member.
Action: Check that the internal ID numbers of PKI objects stored in both devices do not conflict. If the internal ID number for the key pair on the device from which you want to synchronize files is in use for another PKI object on the peer, the synchronization fails. Enter the following command to check ID numbers on both devices (note that the internal ID number is listed in the second column in the output): get pki x509 list local. If you find a conflict, delete the PKI object with the conflicting ID number on the device to which you want to synchronize files and synchronize files again with the following CLI command: exec nsrp sync file from peer.

Message: PKI: no FQDN available when requesting certificate.
Meaning: When the NetScreen device submitted a certificate request through the Simple Certificate Enrollment Protocol (SCEP), either the device was not configured with a fully qualified domain name (FQDN), that is, a host name (or a cluster name if the device is in an NSRP cluster) plus a domain name, or there was no FQDN configured specifically for PKI purposes. SCEP requires an FQDN in all certificate requests.
Action: Assign the NetScreen device a host name (or a cluster name if the device is in an NSRP cluster) and a domain name, and then resubmit the request. You can also set an FQDN for PKI purposes with the following CLI command: set pki x509 cert-fqdn <fqdn_string>.


Message: loadCert: Cannot acquire authcfg for this CA cert <name_str>.
Meaning: The device cannot acquire the auth configuration for the specified certificate authority (CA) certificate.
Action: Manually reenter the configuration settings for this CA.

Message: PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.
Meaning: When attempting to perform a cold sync operation of PKI object files between the local NetScreen device and another member in its NSRP cluster, the device was unable to synchronize a DSA or RSA public/private key pair. The cold sync operation automatically synchronizes all PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations, between two NSRP cluster members. The operation synchronizes the objects in blocks of 30 items each. If a cold sync attempt is unsuccessful, the cluster members can make up to a total of 30 attempts to synchronize them.
Action: No recommended action

Message: PKI: The device cannot load an X.509 certificate revocation list (CRL).
Meaning: The NetScreen device was unable to load a CRL due to limited available RAM.
Action: Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to load the CRL again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.


Message: PKI: The device failed to retrieve the pending certificate <name_str>.
Meaning: The NetScreen device was unable to retrieve a requested certificate (classified as pending) through the Simple Certificate Enrollment Protocol (SCEP).
Action: Contact the CA, and request them to send the certificate again.

Message: PKI: The device cannot allocate this object id number <id_num>.
Meaning: An admin attempted to assign a PKI object the same ID number that was previously assigned to another PKI object.
Action: Assign the object a different ID number or accept the ID number that the NetScreen device automatically assigns it.

Information

Message: PKI: X.509 certificate has been deleted, distinguished name <name_str>.
Meaning: An admin or PKI process has removed an X.509 certificate with the specified distinguished name.
Action: No recommended action

Message: PKI: The CRL <id_num> is deleted.
Meaning: An admin deleted the specified certificate revocation list (CRL).
Action: No recommended action

Message: PKI: The current device cannot retrieve the certificate revocation list using the HTTP protocol.
Meaning: In attempting to verify that a certificate has not been revoked, the NetScreen device was unable to retrieve the certificate revocation list (CRL), which indicates whether a certificate is still valid, through the HyperText Transfer Protocol (HTTP).
Action: Check that the NetScreen device has network connectivity to the server that contains the CRL.


Message: PKI: The current device cannot successfully enroll a certificate using the SCEP & HTTP protocol.
Meaning: Using the Simple Certificate Enrollment Protocol (SCEP) and the HyperText Transfer Protocol (HTTP), the NetScreen device was unable to retrieve a local certificate from a certificate authority (CA).
Action: Check that the NetScreen device has network connectivity to the CA server that issues the local certificate. If not, contact the CA and arrange to obtain the certificate through a different method (such as an e-mail attachment), and then load the certificate manually on the NetScreen device.

Message: PKI Verify Error: <id_num>:<text_str>
Meaning: The NetScreen device detected one of the following errors when verifying a certificate received from an IKE peer (the codes follow the X.509 verification error numbering used by OpenSSL):
0: ok
2: unable to get issuer certificate
3: unable to get certificate CRL
4: unable to decrypt certificate's signature
5: unable to decrypt CRL's signature
6: unable to decode issuer public key
7: certificate signature failure
8: CRL signature failure
9: certificate is not yet valid
10: certificate has expired
11: CRL is not yet valid
12: CRL has expired
13: format error in certificate's notBefore field
14: format error in certificate's notAfter field
15: format error in CRL's lastUpdate field
16: format error in CRL's nextUpdate field
17: out of memory
18: self signed certificate
19: self signed certificate in certificate chain
20: unable to get local issuer certificate
21: unable to verify the first certificate
22: certificate chain too long
Action: Take action as appropriate for the code received:
0: No recommended action
2: Load the CA certificate for the CA that issued the IKE peer's certificate, or request that the IKE peer send a different certificate.
3: Obtain a certificate revocation list (CRL) from the IKE peer's CA.
4: Notify the IKE peer that the signature on his or her certificate is invalid and advise him or her to investigate.
5: Reload the CRL.
6: Notify the IKE peer that the NetScreen device cannot decode the public key of the CA that issued the IKE peer's certificate. The peer might need to reload the CA's certificate.
7: Notify the IKE peer that the NetScreen device cannot verify the signature on his or her certificate.
8: Reload the CRL, the CA certificate that verifies the CRL, or both.
9: Notify the IKE peer to use a different certificate because the one sent is not yet valid.
10: Notify the IKE peer to use a different certificate because the one sent has expired.
11: Obtain a different CRL because the one referenced is not yet valid.
12: Obtain a different CRL because the one referenced has expired.
13: Notify the IKE peer to use a different certificate because it is unclear whether the one sent is valid yet.
14: Notify the IKE peer to use a different certificate because it is unclear whether the one sent is still valid.
15: Obtain a different CRL because it is unclear when the CRL was last updated.
16: Obtain a different CRL because it is unclear when its next update is scheduled to occur.
17: Reboot the NetScreen device.
18: Request that the IKE peer use another certificate that is not self-signed.
19: Request that the IKE peer use another certificate that does not include a self-signed certificate in its certificate chain.
20: Load the CA certificate for the CA that issued the IKE peer's certificate, or request that the IKE peer send a certificate chain containing the issuing CA's certificate.
21: Notify the IKE peer that the NetScreen device was unable to verify the signature on his or her certificate and advise him or her to investigate.
22: Notify the IKE peer to use a shorter certificate chain.

Message: PKI: The device cannot create the X.509 object database table.
Meaning: The NetScreen device was unable to create a database table in flash memory for X.509 objects (also referred to as PKI objects) such as certificate revocation lists (CRLs), key pairs, local certificates, certificate authority (CA) certificates, and CA configurations.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If sufficient RAM appears to be available, reboot the NetScreen device and attempt to generate the X.509 object again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device has disabled the SCEP renewal process.
Meaning: An admin has disabled the automatic certificate renewal option for the Simple Certificate Enrollment Protocol (SCEP).
Action: No recommended action

Message: PKI: The number of the X.509 object entries exceeds the limit for the platform. The maximum allowed is <number>.
Meaning: The number of X.509 objects (also referred to as PKI objects) that the NetScreen device has attempted to store in its database is greater than the maximum limit (128). Typical X.509 objects are certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.
Action: Free up space in flash memory by removing obsolete or unused objects from the database.

Message: PKI: The size of the CRL is too big to save to flash. Maximum <number> bytes.
Meaning: The device cannot save the certificate revocation list (CRL) because it is too big. The maximum storage space in flash memory is 20 kilobytes per CRL.
Action: Remove the CRL from the certificate authority configuration, and then reboot the NetScreen device.

Message: PKI: X.509 local certificate is not valid, certificate <name>.
Meaning: While an admin attempted to load the specified local certificate onto the NetScreen device, the device detected that the certificate was invalid.
Action: Obtain and load another certificate.

Message: PKI: When building a certificate chain, the certificate at the top of the untrusted chain is not issued by the designated certificate authority.
Meaning: The local NetScreen device designated a specific certificate authority (CA) for the remote peer to use during IKE negotiations. However, the peer sent a certificate chain with a different CA at the top of the chain.
Action: Do either of the following: On the local NetScreen device, designate the CA that the peer used. Contact the remote IKE peer and ask them to use the CA that you prefer.

Message: PKI: The subject name of the received CA certificate is <name_str>.
Meaning: The NetScreen device has received a certificate authority (CA) certificate with the specified subject name.
Action: No recommended action

Message: PKI: The correct CA certificate should have subject name <name_str>.
Meaning: The NetScreen device expected to receive a certificate authority (CA) certificate with the specified subject name, but the CA certificate it received had a different subject name.
Action: No recommended action

Message: PKI: The device cannot allocate memory to request an X.509 certificate.
Meaning: When attempting to make an X.509 certificate request, the NetScreen device was unable to allocate RAM to generate the request in the standard PKCS #10 file format.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If sufficient RAM appears to be available, reboot the NetScreen device and attempt the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device has received PKI error message <string>.
Meaning: The NetScreen device generated one of the following messages:
The NetScreen device has received an invalid X509 certificate.
The return packet for an X509 certificate request is empty.
The NetScreen device has received an invalid end entity (EE) certificate. (That is, an IPSec peer's local certificate is invalid.)
The NetScreen device has received an invalid CA certificate.
The NetScreen device is unable to decode the issuer CA's public key.
The CA is not responding.
The NetScreen device cannot find the issuer CA certificate for the CRL.
The NetScreen device failed to retrieve the CRL.
The NetScreen device cannot retrieve the CRL.
The CRL contents are invalid.
The NetScreen device checked the CRL signature and the signature failed the inspection.
LDAP bind request has failed.
LDAP operation has failed.
LDAP server host name is empty.
LDAP search operation has failed.
LDAP modification: The del operation is not currently supported.
LDAP modification: The add operation is not currently supported.
PKI_CID_VERIFY_CERT_RSP.
The peer's public key cannot be decoded.
Action: Check the LDAP and SCEP configurations on the NetScreen device, and request that the CA admin check whether the CA server is properly configured.

Message: PKI: The device has changed the SCEP renewal interval to <number> days
Meaning: An admin has changed the Simple Certificate Enrollment Protocol (SCEP) renewal interval to the indicated number of days. Using the SCEP renewal facility, the NetScreen device automatically submits a certificate renewal request to a certificate authority (CA) the user-defined number of days before the current certificate expires.
Action: No recommended action

Message: PKI: The device has changed the SCEP polling interval from <number1> to <number2>.
Meaning: An admin has changed the Simple Certificate Enrollment Protocol (SCEP) polling interval from the first value to the second. Using the SCEP polling facility, the NetScreen device automatically polls a certificate authority (CA) at the defined interval to check whether a pending certificate is ready for automatic retrieval.
Action: No recommended action

Message: PKI: The distinguished name <name_str> for certificate request is invalid.
Meaning: The NetScreen device has detected that the distinguished name in the certificate request is invalid. A distinguished name is a concatenation of the following elements, which together define the subject of the request: name, phone number, unit/department, organization, county/locality, state, country, e-mail address, and IP address.
Action: Change one or more of the elements composing the distinguished name in the certificate request.

Message: PKI: The device has detected invalid input parameters.
Meaning: When trying to load a certificate or certificate revocation list (CRL) onto the device, the device detected invalid settings in the certificate or CRL and rejected the object.
Action: First, check that the CA certificate is well-formed by trying to open it in a certificate viewer; a certificate that opens is at least correctly encoded. Also check its validity period. If you cannot open the certificate or it has expired, it is invalid and you must request another one. If the PKI object is valid, open a console session with the NetScreen device and do either of the following: Enter the get tech-support command, copy the output, and paste it into a text file. Or enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command. Then attach the text file containing the tech-support output to an e-mail message that describes the problem, and send it to techsupport@netscreen.com.

Message: PKI: The keypair for certificate request is invalid.
Meaning: The NetScreen device has detected that the RSA or DSA public/private key pair in the certificate request is invalid.
Action: Regenerate the key pair.

Message: PKI: The device cannot allocate memory for the challenge password during a certificate request.
Meaning: When attempting to make a certificate request, the NetScreen device did not have enough available RAM to complete the challenge password validation operation.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If sufficient RAM appears to be available, reboot the NetScreen device and attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot allocate memory for X.509 extensions during a certificate request.
Meaning: When attempting to make a certificate request, the NetScreen device did not have enough available RAM to include X.509 extensions, which are additional information stored in the certificate.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If sufficient RAM appears to be available, reboot the NetScreen device and attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot sign the X.509 request.
Meaning: When attempting to generate a certificate request, the NetScreen device was unable to sign a hash of the request with its private key.
Action: Reboot the NetScreen device and try again. If the problem persists, open a console session with the NetScreen device and do either of the following: Enter the get tech-support command, copy the output, and paste it into a text file. Or enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command. Then attach the text file containing the tech-support output to an e-mail message that describes the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot allocate memory to store keypair in certificate request.
Meaning: When generating a PKCS #10 certificate request file, the NetScreen device was unable to allocate sufficient RAM to include the generated key pair in the file.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If sufficient RAM appears to be available, reboot the NetScreen device and attempt to generate the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device has generated a certificate request in PKCS10 format.
Meaning: The NetScreen device has successfully generated a PKCS #10 certificate request file.
Action: No recommended action

Message: Need X509_REQ.
Meaning: When generating the SCEP_PKCSREQ packet during the Simple Certificate Enrollment Protocol (SCEP) process, the NetScreen device was unable to find the previously generated PKCS #10 certificate request.
Action: Regenerate the certificate request, and begin the SCEP process again. If the problem persists, open a console session with the NetScreen device and do either of the following: Enter the get tech-support command, copy the output, and paste it into a text file. Or enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command. Then attach the text file containing the tech-support output to an e-mail message that describes the problem, and send it to techsupport@netscreen.com.

Message: No memory to store certificate request.
Meaning: The NetScreen device does not have sufficient RAM to store the certificate request in PKCS #10 format.
Action: Enter the get memory command to see how much memory has been allocated and how much is still available. If memory is low, reboot the NetScreen device and regenerate the certificate request. If the problem persists, open a console session with the NetScreen device and do either of the following: Enter the get tech-support command, copy the output, and paste it into a text file. Or enter the get tech-support > tftp <ip_addr> <filename> [ from <interface> ] command. Then attach the text file containing the tech-support output to an e-mail message that describes the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to convert the certificate request into a DER formatted file.
Meaning: The NetScreen device unsuccessfully attempted to convert a PKCS #10 certificate request into a Distinguished Encoding Rules (DER) formatted file.
Action: Perform the certificate request conversion again.

Message: PKI: The device failed to encode the certificate request into DER format.
Meaning: The NetScreen device unsuccessfully attempted to encode a PKCS #10 certificate request in Distinguished Encoding Rules (DER) format.
Action: Generate the certificate request again.
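The distinguished-name, key-pair, request-signing and DER-encoding messages in this section all describe stages of producing one PKCS #10 request. The following Go program, added here as an illustration and not ScreenOS code, walks through those stages with Go's standard crypto/x509 library: it validates the subject elements, generates a key pair, builds and signs the request, DER-encodes it, and then decodes the DER and checks both the self-signature and that the embedded public key matches the key pair. The subject values, the IP address and the validation rules in Validate are assumptions made for the example; e-mail and IP address are carried in the SubjectAltName extension here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net"
)

// Subject carries the distinguished-name elements the guide lists for a request.
type Subject struct {
	Name, Unit, Org, Locality, State, Country, Email string
	IP                                                net.IP
}

// Validate applies this example's own checks (not the device's rules): a common
// name is required and a country, if given, must be a two-letter ISO code.
func (s Subject) Validate() error {
	if s.Name == "" {
		return errors.New("distinguished name: common name is required")
	}
	if s.Country != "" && len(s.Country) != 2 {
		return fmt.Errorf("distinguished name: country %q must be a two-letter code", s.Country)
	}
	return nil
}

// opt turns an optional DN element into the slice form pkix.Name expects.
func opt(v string) []string {
	if v == "" {
		return nil
	}
	return []string{v}
}

// BuildRequest generates a key pair, assembles the PKCS #10 request, signs it with
// the private key and returns the DER encoding together with the key.
func BuildRequest(s Subject) ([]byte, *ecdsa.PrivateKey, error) {
	if err := s.Validate(); err != nil {
		return nil, nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: s.Name, OrganizationalUnit: opt(s.Unit), Organization: opt(s.Org),
			Locality: opt(s.Locality), Province: opt(s.State), Country: opt(s.Country)},
		EmailAddresses: opt(s.Email),
	}
	if s.IP != nil {
		tmpl.IPAddresses = []net.IP{s.IP}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key) // signs with key, emits DER
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// CheckRequest decodes the DER request, verifies its self-signature (proof that the
// requester holds the private key) and confirms the embedded public key belongs to
// key; a mismatch corresponds to the "keypair ... is invalid" condition.
func CheckRequest(der []byte, key *ecdsa.PrivateKey) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("DER decode failed: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return nil, errors.New("public key in request does not match the key pair")
	}
	return csr, nil
}

// SampleSubject returns constructed subject values for a firewall's local certificate.
func SampleSubject() Subject {
	return Subject{Name: "ns5xt.example.net", Unit: "Network Security", Org: "Example Corp",
		Locality: "Sunnyvale", State: "CA", Country: "US", Email: "admin@example.net",
		IP: net.ParseIP("192.0.2.1")}
}

func main() {
	der, key, err := BuildRequest(SampleSubject())
	if err != nil {
		panic(err)
	}
	csr, err := CheckRequest(der, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("PKCS #10 request: %d bytes DER, subject %s, IP %v\n", len(der), csr.Subject, csr.IPAddresses)
}
```

Checking the request's own signature before submitting it is the same test a CA applies on receipt, so a request that fails CheckRequest locally is one the CA would reject.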

Message: PKI: The device has no memory to store PKCS7 content data when requesting a certificate.
Meaning: When submitting a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to allocate sufficient RAM to store the certificate request data in PKCS #7 (Cryptographic Message Syntax Standard) format.
Action: Enter the get memory command to see how much RAM has been allocated and how much is still available. If sufficient RAM appears to be available, reboot the NetScreen device and attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device has no memory to store the certificate issuer name.
Meaning: When retrieving a certificate via the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to allocate sufficient RAM to store the name of the certificate issuer.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to retrieve the certificate again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: X509 certificate database is full.
Meaning: The flash memory available for X509 certificate storage has been consumed.
Action: If possible, free up memory in the certificate database by removing unneeded certificates, such as expired certificates.

Message: PKI: The device has no memory to store PKCS7 content data when requesting a certificate.
Meaning: When submitting a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to allocate sufficient RAM to store the certificate request data in PKCS #7 (Cryptographic Message Syntax Standard) format.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot generate a self-signed X.509 certificate <name_str>.
Meaning: When submitting a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device was unable to generate the specified self-signed X.509 certificate.
Action: Check that the total number of certificates (CA and local certificates combined) does not exceed the maximum of 128. If the total is less than 128 and the problem persists, increase the amount of available RAM by deleting unused processes, and then attempt to submit the certificate request again.

Message: PKI: The device failed to set type of PKCS7 outer envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to create a PKCS #7 envelope in which to enclose the certificate request.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to add a signature to the PKCS7 outer envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to add a signature to the outer PKCS #7 envelope. Two types of PKCS #7 envelope exist: an inner envelope, which contains the content of the certificate request, and an outer envelope, which encloses the inner envelope and contains envelope details.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot encrypt the SCEP content data in an inner PKCS7 envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to encrypt the certificate request content within the inner PKCS #7 envelope. Two types of PKCS #7 envelope exist: an inner envelope, which contains the content of the certificate request, and an outer envelope, which encloses the inner envelope and contains envelope details.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to set the type of inner PKCS7 envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to define the type of the inner PKCS #7 envelope. When submitting a certificate request via SCEP, the NetScreen device generates both an inner and an outer envelope in PKCS #7 (Cryptographic Message Syntax Standard) format, and must specify the type of each PKCS #7 envelope.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to create an inner PKCS7 envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to generate a PKCS #7 inner envelope in which to store the certificate request file. When submitting a certificate request via SCEP, the NetScreen device generates both an inner and an outer envelope in PKCS #7 (Cryptographic Message Syntax Standard) format.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot sign the SCEP request in outer PKCS7 envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to add a signature to the PKCS #7 outer envelope that protects the integrity of the request.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device cannot encrypt the data in outer PKCS7 envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to encrypt the data in the PKCS #7 outer envelope.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The device failed to create an outer PKCS7 envelope.
Meaning: When the NetScreen device attempted to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), it was unable to encapsulate the certificate request file in a PKCS #7 outer envelope. When submitting a certificate request via SCEP, the NetScreen device generates both an inner and an outer envelope in PKCS #7 (Cryptographic Message Syntax Standard) format.
Action: Reboot the NetScreen device and check the amount of available memory by entering the get memory command. If sufficient memory appears to be available, attempt to submit the certificate request again. If there appears to be a severe memory problem, or if your second attempt also fails, attach a text file with the output of the get tech-support command to an e-mail message describing the problem, and send it to techsupport@netscreen.com.

Message: PKI: The SCEP certificate request has been completed successfully.
Meaning: The NetScreen device successfully generated and submitted a certificate request through the Simple Certificate Enrollment Protocol (SCEP).
Action: No recommended action

Message: PKI: The device cannot decode SCEP content data in PKCS7 envelope.
Meaning: The NetScreen device was unable to decode the content within a PKCS #7 envelope that it received through the Simple Certificate Enrollment Protocol (SCEP).
Action: Contact the CA about the problem and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message: PKI: The device cannot decode the inner PKCS7 envelope.
Meaning: The NetScreen device was unable to decode the PKCS #7 inner envelope that it received through the Simple Certificate Enrollment Protocol (SCEP).
Action: Contact the CA about the problem and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message: PKI: The device received zero length SCEP content data.
Meaning: When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, the length of the file that contained the content data was zero.
Action: Contact the CA about the problem and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message: PKI: The device cannot decode an outer PKCS7 envelope of SCEP content data.
Meaning: When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, it was unable to decode the data in the PKCS #7 outer envelope.
Action: Contact the CA about the problem and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message: PKI: The device received empty SCEP content data.
Meaning: When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, the file that normally contains the content data was empty.
Action: Contact the CA about the problem and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message: PKI: The device cannot decrypt SCEP data in outer PKCS7 envelope.
Meaning: When the NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request, it was unable to decrypt the PKCS #7 outer envelope.
Action: Contact the CA about the problem and request that they resend the certificate. If the problem persists, contact NetScreen technical support.

Message: PKI: The device has a bad SCEP key pair.
Meaning: When preparing to submit a certificate request through the Simple Certificate Enrollment Protocol (SCEP), the NetScreen device detected an invalid public/private key pair.
Action: Regenerate the key pair and attempt to submit the certificate request via SCEP again.

Message: PKI: The device failed to process an SCEP response.
Meaning: The NetScreen device received a response to a Simple Certificate Enrollment Protocol (SCEP) certificate request but was unable to process it.
Action: Contact the certificate authority (CA) and request that they send another certificate. If the problem persists, contact NetScreen technical support.

Message: PKI: The device received a SCEP_FAILURE message from the CA.
Meaning: The CA has responded to a Simple Certificate Enrollment Protocol (SCEP) request with a SCEP_FAILURE message, indicating that the X509 certificate request has been rejected.
Action: Check the SCEP configuration on the NetScreen device. Regenerate the certificate request, and attempt to submit it to the CA through SCEP again. If you receive another failure message, contact the CA admin about the problem.

Message: PKI: finger print of CA certificate rejected. DN <name_str>
Meaning: The NetScreen device rejected the fingerprint (hash digest) of the CA certificate with the specified distinguished name (DN). The digest verifies the integrity of the certificate: if the digest that the NetScreen device computes over the received certificate does not match the expected digest, the content might have been altered in transit and cannot be trusted.
Action: Contact the CA and request another CA certificate.

Message: PKI: Empty certificate descriptor file. No PKI objects exist in the NetScreen device.
Meaning: The certificate descriptor file (a kind of table of contents for PKI objects) is empty. This message appears after an admin has booted a NetScreen device that does not contain any PKI objects, such as certificate revocation lists (CRLs), public/private key pairs, local certificates, certificate authority (CA) certificates, pending certificates, and certificate authority configurations.
Action: No recommended action

Message Meaning

PKI: The device cannot verify the signature on CRL. Accept the CRL anyway as configured. The NetScreen device has received and accepted a certificate revocation list (CRL)even though it cannot verify the digital signature on the CRLbecause the configuration instructs the device to ignore the results of the signature checking test. No recommended action

Action

Message Meaning Action

PKI: The device cannot create a state for SCEP operation. The NetScreen device was unable to create internal data to track the progress of a certificate request through the Simple Certificate Enrollment Protocol (SCEP). Reboot the NetScreen device and check the available amount of memory by entering the get memory command. If a sufficient amount of memory appears to be available, attempt to initiate the SCEP operation again. If there appears to be a severe memory problem or if your second attempt was unsuccessful, attach a text file with the output of the get tech-support command to an e-mail note describing the problem, and send it to techsupport@netscreen.com.

Message: failed to create PLDAP_STATE instance
Meaning: The NetScreen device was unable to create an internal data structure called PLDAP_STATE.
Action: This is an internal NetScreen system error and requires no action.

Message: PKI: The device found the X.509 certificate in the local trust store, abort certificate request.
Meaning: While making a certificate request through SCEP, the NetScreen device detected that a certificate identical to the requested one already exists in the local trust store, so it aborted the request.
Action: Do not repeat the certificate request for that particular certificate.

PPPOE

The following messages relate to the configuration of Point-to-Point Protocol over Ethernet (PPPoE) connections.

Notification

Message: PPPoE is { enabled | disabled } on <interface> interface
Meaning: PPPoE is enabled or disabled on the specified interface.
Action: No recommended action

Message: The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed
Meaning: PPPoE parameters on the NetScreen device changed.
Action: No recommended action

Message: PPPoE Settings changed
Meaning: PPPoE parameters on the NetScreen device changed.
Action: No recommended action

Information

Message: PPPoE session closed by AC
Meaning: The access concentrator (AC) to which the NetScreen device connects closed the PPPoE session.
Action: No recommended action

Message: AC <name_str> is advertising URL <string>
Meaning: The access concentrator to which the NetScreen device connects is advertising the specified URL.
Action: No recommended action

Message: Message from AC <name_str>: <string>
Meaning: The access concentrator to which the NetScreen device connects sent the specified message.
Action: No recommended action

Message: PPPoE session starts to negotiate
Meaning: The PPPoE client on the NetScreen device has begun initiating a session with the PPPoE server.
Action: No recommended action

Message: PPPoE session has successfully established
Meaning: The NetScreen device successfully established a PPPoE session with the PPPoE server.
Action: No recommended action

Message: The point-to-point over Ethernet (PPPoE) connection failed to establish a session: {PADI | PADR} timeout
Meaning: The NetScreen device could not establish a session with a PPPoE server because the discovery stage timed out: either no offer (PADO) answered its PPPoE Active Discovery Initiation (PADI) packet, or no confirmation (PADS) answered its PPPoE Active Discovery Request (PADR) packet.
Action: Increase the session timeout value. Also confirm that the interface has link to the access concentrator and that the configured service name, if any, is one the access concentrator offers.

Message: The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: no IP address assigned
Meaning: The PPPoE session on the NetScreen device failed because the server did not assign an IP address to the device.
Action: No recommended action

Message: PPPoE failed to establish a session: { Service Name Error Tag | AC System Error Tag | Generic Error Tag } received
Meaning: The access concentrator answered the discovery request with an error tag instead of an offer. Service-Name-Error means the access concentrator does not offer the requested service name, AC-System-Error means the access concentrator hit an error while handling the request, and Generic-Error covers any other failure. The tag value usually carries a human-readable reason from the access concentrator.
Action: Check that the service name configured for PPPoE matches one the access concentrator offers. If it does, report the problem to NetScreen and to the provider that operates the access concentrator.

Message: PPPoE failed to establish a session: LCP, CHAP/PAP, IPCP link setup
Meaning: Discovery succeeded, but the session failed during the PPP phase: Link Control Protocol (LCP) link setup, CHAP or PAP authentication, or IP Control Protocol (IPCP) address negotiation.
Action: Check the PPPoE configuration parameters, including the user name and password and the authentication method the server expects.

Message: The point-to-point over Ethernet (PPPoE) connection failed to establish a session: <string> received
Meaning: The PPPoE connection was unable to create a session. The specified message string was received from the access concentrator.
Action: No recommended action

Message: PPPoE session shuts down: by user
Meaning: A user terminated the PPPoE session on the NetScreen device.
Action: No recommended action

Message: PPPoE session shuts down: idle timeout
Meaning: The PPPoE session was idle for the configured idle timeout, so the session was shut down.
Action: No recommended action

Message: PPPoE session shuts down: PPPoE disabled
Meaning: PPPoE was disabled, so the session was shut down.
Action: No recommended action

Message: PPPoE session shuts down: System reset
Meaning: The device was reset, so the session was shut down.
Action: No recommended action
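The discovery-stage failures above (the PADI and PADR timeouts and the Service Name, AC System and Generic error tags) are easiest to diagnose from a capture of the PPPoE discovery frames themselves. The following Python is an added example, not code from this guide or from ScreenOS: it builds and parses the PPPoE discovery payload that follows the Ethernet header (EtherType 0x8863) as laid out in RFC 2516, checks every length field before trusting it, and maps an access concentrator's reply to the outcome the log messages above would report. The frames at the bottom are constructed for the example; the access concentrator name, cookie and error text are made up.

```python
import struct

# PPPoE discovery codes and tag types from RFC 2516.
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_NAMES = {
    0x0000: "End-Of-List",
    0x0101: "Service-Name",
    0x0102: "AC-Name",
    0x0103: "Host-Uniq",
    0x0104: "AC-Cookie",
    0x0105: "Vendor-Specific",
    0x0110: "Relay-Session-Id",
    0x0201: "Service-Name-Error",
    0x0202: "AC-System-Error",
    0x0203: "Generic-Error",
}
ERROR_TAGS = (0x0201, 0x0202, 0x0203)
VER_TYPE = 0x11  # version 1, type 1


def build_discovery(code, tags, session_id=0):
    """Serialise a discovery payload: 6-byte header followed by TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse_discovery(payload):
    """Parse a discovery payload into its code, session ID and tag list.

    Every length field is checked against the bytes actually present, so a
    truncated or malformed frame raises ValueError instead of being misread.
    """
    if len(payload) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unexpected version/type 0x%02x" % ver_type)
    if code not in PPPOE_CODES:
        raise ValueError("unknown discovery code 0x%02x" % code)
    if length > len(payload) - 6:
        raise ValueError("length field exceeds payload")
    body, tags, off = payload[6:6 + length], [], 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + tag_len > len(body):
            raise ValueError("tag 0x%04x runs past end of payload" % tag_type)
        tags.append((tag_type, body[off + 4:off + 4 + tag_len]))
        off += 4 + tag_len
        if tag_type == 0x0000:
            break
    return {"code": PPPOE_CODES[code], "session_id": session_id, "tags": tags}


def discovery_outcome(payload):
    """Describe an access concentrator reply the way the PPPoE log messages would."""
    msg = parse_discovery(payload)
    for tag_type, value in msg["tags"]:
        if tag_type in ERROR_TAGS:
            reason = value.decode("utf-8", "replace")
            return "failed: %s received (%s)" % (TAG_NAMES[tag_type], reason)
    if msg["code"] == "PADS" and msg["session_id"] != 0:
        return "established: session 0x%04x" % msg["session_id"]
    if msg["code"] == "PADO":
        names = [v for t, v in msg["tags"] if t == 0x0102]
        return "offer from AC %s" % (names[0].decode("utf-8", "replace") if names else "<unnamed>")
    return msg["code"]


# Constructed frames for the example (AC name, cookie and error text are made up).
PADI = build_discovery(0x09, [(0x0101, b""), (0x0103, b"\x00\x00\x00\x01")])
PADO = build_discovery(0x07, [(0x0101, b""), (0x0102, b"isp-bras-01"), (0x0104, b"\xde\xad\xbe\xef")])
PADS = build_discovery(0x65, [(0x0101, b"")], session_id=0x1234)
PADS_ERR = build_discovery(0x65, [(0x0201, b"no such service")])
TRUNCATED = PADO[:-3]  # a cut-off tag, as a corrupt capture would have

if __name__ == "__main__":
    for name, frame in [("PADI", PADI), ("PADO", PADO), ("PADS", PADS), ("PADS_ERR", PADS_ERR)]:
        print(name, "->", discovery_outcome(frame))
    try:
        parse_discovery(TRUNCATED)
    except ValueError as err:
        print("TRUNCATED ->", err)
```

A PADS that carries an error tag has a session ID of zero, which is why the error tags are checked before the session ID; feeding the parser the raw discovery payloads from a packet capture of the NetScreen interface shows directly which of the documented failures the access concentrator reported.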

POLICIES

The following messages relate to the configuration of access policies.

Notification

Message: Policy (<id_num>, { <zone1> -> <zone2> | global }, <src_addr> -> <dst_addr>, <svc_name>, { permit | deny | tunnel }) was { added | modified | deleted | enabled | disabled } by admin <name_str>
Meaning: An admin has added, modified, deleted, enabled, or disabled an access policy with the following attributes:
  <id_num>: The ID number of the access policy.
  <zone1>: The zone from which traffic originates.
  <zone2>: The zone to which traffic travels. (global indicates a global policy that is not bound to a zone pair.)
  <src_addr>: The name of the source address from which the traffic is sent. (Note: If the source address appears as NULL Name, an error has occurred and the NetScreen device cannot find the source address name.)
  <dst_addr>: The name of the destination address to which the traffic is sent. (Note: If the destination address appears as NULL Name, an error has occurred and the NetScreen device cannot find the destination address name.)
  <svc_name>: The kind of traffic, such as HTTP, FTP, or ANY (which means all kinds of traffic).
  { permit | deny | tunnel }: The action that the NetScreen device takes when this policy matches received traffic: permitting the traffic to pass, denying it, or tunneling it through a VPN tunnel.
Action: Confirm that the action was appropriate and was performed by an authorized admin. Pay particular attention to permit policies whose source and destination are Any and whose service is ANY, and to deny policies that were deleted or disabled.

Message: Policy <id_num1> has been moved { before | after } <id_num2> by admin <name_str>
Meaning: The admin <name_str> moved policy <id_num1> to the position immediately before or after policy <id_num2> in the policy list. Because the NetScreen device checks policies in list order and applies the first one that matches, reordering can change which policy applies to a given flow even though no policy was edited.
Action: Confirm that the action was appropriate and was performed by an authorized admin.

Message: Policy (<id_num>, global, <src_addr> -> <dst_addr>, <svc_name>, { permit | deny | tunnel }) was added
Meaning: A global policy (one that is not bound to a zone pair) with the specified attributes was added to the device.
Action: Confirm that the action was appropriate and was performed by an authorized admin.

Message: Device's default policy has been changed from { enabled | disabled } to { disabled | enabled } by admin <name_str>
Meaning: The admin changed the device's default policy, which governs traffic that matches no explicit policy, from enabled to disabled or from disabled to enabled. While the default policy is enabled, traffic that matches no explicit policy is permitted rather than dropped.
Action: Confirm that the action was appropriate and was performed by an authorized admin. Treat a change to enabled as a high-priority event, because it opens every path that no explicit policy covers.
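The three notifications above and the policy change message before them are the audit trail of the rule base, and the actions all say the same thing: confirm the change was appropriate and made by an authorized admin. The following Python is an added example, not code from this guide or from ScreenOS; it parses the documented message formats and flags the conditions a reviewer would want surfaced automatically: a change by an admin not on an allow list, the default policy being enabled, an Any -> Any permit of service ANY, a NULL Name lookup failure, a deny policy being deleted or disabled, and a change of policy order. The sample lines, policy IDs, address names and admin names are constructed for the example.

```python
import re

# Shapes of the policy notification messages documented above.
POLICY_RE = re.compile(
    r"Policy \((?P<id>\d+), (?P<zones>[^,]+), (?P<src>[^,]+?) -> (?P<dst>[^,]+), "
    r"(?P<svc>[^,]+), (?P<act>permit|deny|tunnel)\) was "
    r"(?P<verb>added|modified|deleted|enabled|disabled)(?: by admin (?P<admin>\S+))?"
)
MOVE_RE = re.compile(
    r"Policy (?P<a>\d+) has been moved (?P<where>before|after) (?P<b>\d+) by admin (?P<admin>\S+)"
)
DEFAULT_RE = re.compile(
    r"default policy has been changed from (?P<old>enabled|disabled) to "
    r"(?P<new>enabled|disabled) by admin (?P<admin>\S+)"
)


def parse_policy_event(line):
    """Return a dict describing the policy event, or None for other lines."""
    for kind, rx in (("policy", POLICY_RE), ("move", MOVE_RE), ("default", DEFAULT_RE)):
        m = rx.search(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            return ev
    return None


def audit(lines, authorized_admins):
    """Scan policy events and return (finding, subject, line) tuples."""
    findings = []
    for line in lines:
        ev = parse_policy_event(line)
        if ev is None:
            continue
        admin = ev.get("admin")
        # The global-policy "was added" form carries no admin name at all.
        if admin is not None and admin not in authorized_admins:
            findings.append(("unauthorized-admin", admin, line))
        if ev["kind"] == "default":
            if ev["new"] == "enabled":
                findings.append(("default-permit-enabled", admin, line))
        elif ev["kind"] == "move":
            findings.append(("order-changed", int(ev["a"]), line))
        else:
            pid = int(ev["id"])
            if "NULL Name" in (ev["src"], ev["dst"]):
                findings.append(("address-lookup-failed", pid, line))
            wide_open = (ev["src"].lower() == "any" and ev["dst"].lower() == "any"
                         and ev["svc"].upper() == "ANY")
            if ev["act"] == "permit" and wide_open and ev["verb"] in ("added", "modified", "enabled"):
                findings.append(("any-any-any-permit", pid, line))
            if ev["act"] == "deny" and ev["verb"] in ("deleted", "disabled"):
                findings.append(("deny-removed", pid, line))
    return findings


# Constructed sample lines in the documented formats; IDs, names and admins are made up.
SAMPLE_LOG = [
    "Policy (12, Trust -> Untrust, Any -> Any, ANY, permit) was added by admin netscreen",
    "Policy (7, Untrust -> Trust, NULL Name -> MailServer, SMTP, permit) was modified by admin netscreen",
    "Policy (3, Trust -> Untrust, Any -> Any, ANY, deny) was disabled by admin contractor",
    "Policy 12 has been moved before 3 by admin netscreen",
    "Device's default policy has been changed from disabled to enabled by admin netscreen",
    "Policy (5, global, Any -> Any, ANY, permit) was added",
    "Schedule after-hours has been modified.",
]

if __name__ == "__main__":
    for finding, subject, line in audit(SAMPLE_LOG, {"netscreen"}):
        print("%-24s %-10s %s" % (finding, subject, line))
```

The source and destination fields are matched lazily up to the " -> " separator so that a two-word NULL Name placeholder is captured whole; anything the regular expressions do not recognise, such as the schedule line, is skipped rather than guessed at.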

ROUTES

The following messages relate to routing configurations.

Critical

Message: A new route cannot be added to the device because the maximum number of system route entries <number> has been exceeded
Meaning: An administrator attempted to exceed the system-wide maximum number of routes. Once the number of routes equals this maximum, the NetScreen device cannot accept any new routes.
Action: Remove obsolete or unused routes from the route table to make room for new routes.

Message: A route <ip_addr>/<mask> cannot be added to the virtual router <vrouter> because the number of route entries in the virtual router exceeds the maximum number of routes <number> allowed
Meaning: Each virtual router has a route table that stores all the learned or configured routes the router can use to forward data to destination addresses, and each route table has a maximum number of routes it can hold. Once the table is full, the virtual router cannot learn any new routes, and it reports that it rejected the route that was offered after the maximum was reached.
Action: Remove obsolete or unused routes from the route table to make room for new routes in the virtual router, or raise the maximum number of routes allowed in the virtual router. If a dynamic routing peer is the source of the extra routes, also check whether it is advertising more prefixes than expected.

Notification

Message: Route(s) in virtual router <vrouter> with an IP address <ip_addr>/<mask> and gateway <ip_addr> has been deleted
Meaning: The route in the specified virtual router with the specified IP address/netmask and gateway address was deleted.
Action: No recommended action

Message: A route in virtual router <vrouter> that has IP address <ip_addr>/<mask> through interface <interface> and gateway <ip_addr> with metric <number> has been created
Meaning: A route was created in the specified virtual router with the specified IP address/netmask, interface, gateway address, and metric.
Action: No recommended action

Message: A route has been created in virtual router <vrouter1> with an IP address <ip_addr>/<mask> and next-hop as virtual router <vrouter2>
Meaning: A route was created in the specified virtual router with the specified IP address/netmask and next-hop virtual router.
Action: No recommended action

Message: An { import | export } rule in virtual router <vrouter1> to virtual router <vrouter2> with IP-prefix <ip_addr>/<mask> has been { created | removed }
Meaning: An administrator set or unset the specified rule for importing or exporting routes for the given prefix between the two virtual routers.
Action: No recommended action

Message: An { import | export } rule in virtual router <vrouter1> to virtual router <vrouter2> with route-map <id_num> and protocol <name_str> has been { created | removed }
Meaning: An administrator set or unset a rule that imports or exports routes of the specified protocol, filtered by the specified route map, between the two virtual routers.
Action: No recommended action

Message: A sharable virtual router using name <vrouter> and id <id_num> has been created
Meaning: An admin created the specified sharable virtual router on the NetScreen device.
Action: No recommended action

Message: The auto-route-export feature in virtual router <vrouter> has been enabled
Meaning: An admin enabled auto-exporting for the specified virtual router. Auto-exporting automatically exports routes from one virtual router to another.
Action: No recommended action

Message: The maximum number of routes that can be created in virtual router <vrouter> is <number>
Meaning: An admin set the maximum number of routes for the specified virtual router. Once the number of routes in the route table equals this maximum, the router cannot learn any new routes.
Action: No recommended action

Message: The router-id that can be used by OSPF, BGP routing instances in virtual router <vrouter> has been set to <id_num>
Meaning: An admin set the router ID for the specified virtual router.
Action: No recommended action

Message: The routing preference for protocol <name_str> in virtual router <vrouter> has been set to <number>
Meaning: An admin set the route preference for the specified protocol in the virtual router. When the same prefix is learned from more than one source (for example, a static route and an OSPF route), the virtual router installs the route from the source with the lowest preference value, so changing a preference can change which route carries traffic.
Action: No recommended action

Message: The virtual router <vrouter> has been made default virtual router for virtual system <name_str>
Meaning: An admin specified the default virtual router for the specified virtual system.
Action: No recommended action

Message: The virtual router <vrouter> has been made sharable
Meaning: An admin made the specified virtual router sharable, so that other systems on the device can use it.
Action: No recommended action

Message: The system default-route through virtual router <vrouter1> has been added in virtual router <vrouter2>
Meaning: A default route (0.0.0.0/0 unless configured otherwise) whose next hop is virtual router <vrouter1> was added to virtual router <vrouter2>, so that traffic in <vrouter2> that matches no more specific route is passed to <vrouter1> for lookup.
Action: No recommended action

Message: The auto-route-export feature in virtual router <vrouter> has been disabled
Meaning: An admin turned off auto-exporting for the specified virtual router. Auto-exporting automatically exports routes from one virtual router to another.
Action: No recommended action

Message: The maximum routes limit in virtual router <vrouter> has been removed
Meaning: An admin unset the configured maximum number of routes for the specified virtual router, returning it to the default limit. Once the number of routes in the route table equals that limit, the router cannot learn any new routes.
Action: No recommended action

Message: The router-id of virtual router <vrouter> used by OSPF, BGP routing instances id has been uninitialized
Meaning: An admin uninitialized the router ID. The router ID identifies the router as a distinct entity to its OSPF and BGP peers.
Action: No recommended action

Message: The routing preference for protocol <name_str> in virtual router <vrouter> has been reset
Meaning: An admin unset a previously configured route preference for the specified protocol in the virtual router, returning it to the default value. The preference decides which source's route is installed when the same prefix is learned from more than one source; the lowest value wins.
Action: No recommended action

Message: The virtual router <vrouter> has been made unsharable
Meaning: An admin designated the specified virtual router as unsharable by other systems on the device.
Action: No recommended action

Message: The system default-route in virtual router <vrouter> has been removed
Meaning: An admin deleted the default route in the specified virtual router.
Action: No recommended action

Message: The virtual router <vrouter> has been made sharable
Meaning: An admin designated the specified virtual router as sharable by the root system and by virtual systems.
Action: No recommended action

Message: A virtual router with name <vrouter> and id <id_num> has been removed
Meaning: An admin removed the specified virtual router.
Action: No recommended action

SCHEDULE

The following messages relate to schedules created for use in access policies.

Notification

Message: Schedule <name_str> has been { added | modified | deleted }.
Meaning: An admin added, modified, or deleted the specified schedule.
Action: No recommended action. Note that a schedule controls when the policies that reference it are in effect, so a change to it changes policy enforcement without any policy message being logged; confirm that the change was performed by an authorized admin.

SCS

The following messages relate to the secure command shell (SCS) utility on the NetScreen device. SCS is compatible with secure shell (SSH), which lets an admin (the SSH client) securely reach the NetScreen device (the SCS server) over untrusted networks and manage it through the CLI. The SCS implementation described here speaks SSH protocol version 1 and offers only the DES and 3DES ciphers; because SSH version 1 is obsolete, restrict SCS manageability to the interfaces and source addresses of a trusted management network.

Critical

Message: SCS: NetScreen device failed to identify itself to the SSH client at <ip_addr>:<port_num>.
Meaning: The NetScreen device, acting as the SCS server, failed to identify itself to the specified SSH client during the SCS connection procedure. This is most likely the result of a low-level internal processing error.
Action: Advise the SSH admin user to initiate another connection with the device. If the problem persists, reset the NetScreen device and have the SSH user try again.

Message: SCS: NetScreen device failed to authenticate the SSH client at <ip_addr>:<port_num>.
Meaning: The NetScreen device, acting as the SCS server, was unable to authenticate the specified SSH client during the SCS connection procedure.
Action: Advise the SSH admin user to verify that the SSH client software is configured correctly and is using a cipher that the NetScreen device supports (DES or 3DES). Repeated occurrences from a source address that no admin recognizes should be treated as a possible guessing attempt.

Message: SCS: Incompatible SSH version <version_string> has been received from the SSH client at <ip_addr>:<port_num>.
Meaning: The NetScreen device, acting as the SCS server, received an incompatible SSH protocol version string from the specified SSH client during the SCS connection procedure.
Action: Advise the SSH user to run SSH version 1 for compatibility with the NetScreen device.

Message: SCS: Unable to validate cookie from the SSH client at <ip_addr>:<port_num>.
Meaning: The specified SSH client sent an invalid cookie during the SCS connection procedure. An attack might be in progress.
Action: First, validate the source of the connection attempt. If you repeatedly receive this message, consider disabling SCS on the affected interface until you determine the cause.

Message: SCS: Failed to retrieve PKA key bound to SSH user <user_name>. (Key ID=<id_num>)
Meaning: The NetScreen device failed to retrieve the specified Public Key Authentication (PKA) key bound to the specified admin user, who was attempting to log in through SCS.
Action: Contact NetScreen technical support.

Message: SCS: Failed to { bind | unbind } PKA key { to | from } SSH user <user_name>. (Key ID=<id_num>)
Meaning: An admin unsuccessfully attempted to bind the specified PKA key to, or unbind it from, the specified admin user.
Action: If binding failed, the key might already be bound to that user, or the maximum of four PKA keys might already be bound to him or her; in the latter case, first unbind one of the other keys from the user and then bind the new one. If unbinding failed, verify that the specified key is actually bound to the specified admin user.

Message: SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user <user_name> at <ip_addr>:<port_num>. (Key ID=<id_num>)
Meaning: The NetScreen device, acting as the SCS server, failed to generate a PKA RSA challenge for the specified SSH user during the SCS connection procedure. The challenge is encrypted with the RSA public key bound to the user, and the client completes authentication by proving possession of the matching private key: it decrypts the challenge and returns the expected response.
Action: Check that the SSH client holds the private key that matches the PKA RSA public key bound to that user on the NetScreen device, and that the client is configured to use the identity file containing that key during login.

Message: SCS: Failed to send identification string to client host at <ip_addr>:<port_num>.
Meaning: The NetScreen device, acting as the SCS server, failed to send its identification string to the specified SSH client during the SCS connection procedure. This is most likely the result of a low-level internal processing error.
Action: Advise the SSH admin user to initiate another connection with the device. If the problem persists, reset the NetScreen device and have the SSH user try again.

Message: SCS: Failed to retrieve host key
Meaning: The NetScreen device was unable to retrieve the host key that the SCS server presents to SSH clients to identify itself during the connection procedure.
Action: Contact NetScreen technical support.

Message: SCS: Failed to remove PKA key removed.
Meaning: The NetScreen device was unable to remove the specified PKA key.
Action: Contact NetScreen technical support.

Message: SCS: FIPS self test failed
Meaning: The FIPS self test that the NetScreen device runs as part of the SCS connection procedure failed.
Action: Contact NetScreen technical support.

Message: SCS: Unable to perform FIPS self test
Meaning: The NetScreen device was unable to run the FIPS self test during the SCS connection procedure.
Action: Contact NetScreen technical support.

Error

Message: SCS: Unsupported cipher type <name_str> requested from: <ip_addr>:<port_num>
Meaning: The specified SSH client attempted an SCS connection to the NetScreen device but failed because it requested a cipher that the device does not support.
Action: Recommend that the SSH client be reconfigured to request a cipher the NetScreen device supports (DES or 3DES) and then attempt another SCS connection.

Message: SCS: Maximum number for SCS sessions <number> has been reached. Connection request from SSH user at <ip_addr>:<port_num> has been denied.
Meaning: The maximum number of concurrent SCS sessions is five. Because five SCS connections were already active, the NetScreen device denied the connection request from the specified SSH user.
Action: Advise the admin user to wait for one of the active sessions to close before attempting another SCS connection. If the active sessions cannot be accounted for by known admins, review them before making room.

Message: SCS: SSH client at <ip_addr>:<port_num> has failed to make an SCS connection to vsys <name_str> because SCS cannot generate the host and server keys before timing out.
Meaning: The SCS utility was unable to generate the host and server keys for the specified virtual system on the NetScreen device before the connection request timed out.
Action: Recommend that the SSH client wait one minute and then attempt another SCS connection.

Warning

Message: SCS: SSH user <user_name> at <ip_addr>:<port_num> has failed the PKA RSA challenge.
Meaning: The specified SSH user failed Public Key Authentication (PKA) while attempting to make an SCS connection to the NetScreen device.
Action: The SSH user might have selected the wrong PKA key during login. Compare the fingerprint of the PKA key bound to the SSH user on the NetScreen device with the fingerprint of the key the SSH user is presenting to see whether they match.

Message: SCS: SCS has been { enabled | disabled } for <name_str> with <number> existing PKA keys already bound to <number> SSH users.
Meaning: An admin enabled or disabled SCS for the specified virtual system, which has the specified number of Public Key Authentication (PKA) keys bound to the specified number of SSH users. This message appears only if PKA keys are already bound to SSH users in that system when SCS is enabled or disabled.
Action: If you disabled SCS, review the PKA keys and decide whether to keep or discard them. A large number of keys consumes considerable memory, which you can reclaim by discarding unused keys. Also, because SSH clients can no longer log in, consider notifying remote admins who run unattended scripts over SSH connections. If you enabled SCS after having disabled it earlier, review all the PKA keys and delete any you cannot account for. Anyone who holds the private key matching one of the bound public keys can log in to the NetScreen device as that admin, so make sure the device stores keys only for valid admins.

Message: SCS: SSH user <name> at <ip_addr>:<port_num> has requested password authentication, which is not enabled for that user.
Meaning: While attempting to make an SCS connection to the NetScreen device, the specified SSH user requested password authentication, which is not configured for that user.
Action: Enable the requested authentication method on the NetScreen device, or reconfigure the SSH client application to use the method already enabled for that user.

Message: SCS: SSH user <name> at <ip_addr>:<port_num> has requested PKA RSA authentication, which is not supported for that client.
Meaning: While attempting to make an SCS connection to the NetScreen device, the specified SSH user requested PKA RSA authentication, which is not configured for that user.
Action: Enable the requested authentication method on the NetScreen device, or reconfigure the SSH client application to use the method already enabled for that user.

Message: SCS: SSH user <name> at <ip_addr>:<port_num> has unsuccessfully attempted to log in via SCS to <name_str> using the shared untrusted interface because SCS is disabled on that interface.
Meaning: The specified SSH user failed to make an SCS connection to the specified virtual system, which shares the untrusted interface with the root system. When the untrusted interface is shared, the NetScreen device uses the host and server keys of the root system, not those of the virtual system, so the SSH client must have the public host key of the root system loaded.
Action: To allow SCS management of a virtual system that shares the untrusted interface with the root system, make sure that SCS is enabled at the root level. Optionally, create a separate untrusted subinterface for that virtual system and enable SCS manageability on it.

Message: SCS: Max <number> sessions reached, unabel to accept connection : <ip_addr>:<port_num>
Meaning: The maximum number of concurrent SCS sessions is five. Because five SCS connections were already active, the NetScreen device denied the connection request from the specified SSH client.
Action: Advise the admin user to wait for one of the active sessions to close before attempting another SCS connection.

Message: SCS: Disabled for <name_str>. Attempted connection failed from <ip_addr>:<port_num>
Meaning: The specified SSH client attempted to make an SCS connection to the specified virtual system. Because SCS is not enabled for that virtual system, the attempt failed.
Action: If you want the SSH client to be able to access the specified virtual system via SCS, enter that virtual system and enable SCS manageability.

Message: SCS: SSH user <user_name> at <ip_addr>:<port_num> cannot log in via SCS to <name_str> using the shared untrusted interface because SCS is disabled.
Meaning: The specified SSH user failed to make an SCS connection to the specified virtual system, which shares the untrusted interface with the root system. When SCS is disabled at the root level, SCS manageability is disabled for all virtual systems that share the untrusted interface. Note: This message appears only in the event log of the virtual system to which the SSH user attempted to connect.
Action: To allow an SCS connection to a virtual system that shares the untrusted interface with the root system, make sure that SCS is enabled at the root level. Optionally, create a separate untrusted subinterface for that virtual system and enable SCS manageability on it.

Message: SCS: SSH client at <ip_addr1> has attempted to make an SCS connection to interface <interface> with IP <ip_addr2> but failed because SCS is not enabled for that interface.
Meaning: The specified SSH client attempted to make an SCS connection to the NetScreen device on the specified interface. Because SCS was not enabled on that interface, the attempt failed.
Action: If you want the SSH client to be able to access the device on the specified interface via SCS, enable SCS manageability for that interface.

Notification

Message: SCS: SSH client at <ip_addr>:<port_num> has attempted to make an SCS connection to vsys <name_str> but failed because SCS was not completely initialized for that system.
Meaning: The SCS utility had not finished generating the host and server keys for the specified virtual system when the connection request arrived, so the request timed out.
Action: Recommend that the SSH client wait one minute and then attempt another SCS connection.

Message: SCS: Host client has requested NO cipher from <name_str>
Meaning: The SSH client requested that no encryption algorithm be used for the SCS message exchange with the specified system.
Action: The SSH client should be reconfigured to request a cipher that the NetScreen device supports (DES or 3DES). Treat this message as a security event: if the session was allowed to proceed, everything exchanged in it, including the admin credentials and CLI commands, traveled in cleartext and could have been read or altered on the path.

Message: SCS: SCS has been { enabled | disabled } for { <name_str> | root system }.
Meaning: An admin enabled or disabled SCS for the specified virtual system or for the root system.
Action: No recommended action

Message: SCS: Key regeneration interval has been changed from <number1> to <number2>.
Meaning: An admin changed how often (in seconds) the NetScreen device generates a new SCS server key.
Action: No recommended action

Message: SCS: SSH user <usr_str> has been authenticated using password from <ip_addr>:<port_num>.
Meaning: The specified SSH user logged in to the NetScreen device via SCS from the specified IP address and port number and authenticated with a password.
Action: No recommended action

Message: SCS: SSH user <usr_str> has been authenticated using PKA RSA from <ip_addr>:<port_num>. (key-ID=<key_id_num>)
Meaning: The specified SSH user logged in to the NetScreen device via SCS from the specified IP address and port number and authenticated through Public Key Authentication (PKA). The key ID identifies the RSA key pair bound to that user and used for SCS authentication.
Action: No recommended action

Message: SCS: PKA key has been { bound to | unbound from } admin user <user_name>. (Key ID = <id_num>)
Meaning: The root admin either bound the RSA public key with the specified key ID to the named admin user or unbound it from him or her. The admin user authenticates with the matching private key through Public Key Authentication (PKA) when making an SCS connection to the NetScreen device.
Action: No recommended action. Because binding a key grants login as that admin to whoever holds the matching private key, confirm that a bind event was expected.

Message: SCS: Connection has been terminated for admin user <name_str> at <ip_addr>:<port_num>
Meaning: Either the SSH client or the NetScreen device terminated the SCS connection for the specified admin user.
Action: No recommended action
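The SCS messages in this section are the raw material for a detection rule: a run of authentication failures from one source, a success that follows such a run, and the messages that point to tampering or a downgrade (an invalid cookie, a request for no cipher, an incompatible or unsupported cipher). The following Python is an added example, not code from this guide or from ScreenOS; it classifies SCS event lines by the message texts documented above and raises alerts on those conditions. The sample events, addresses and user names are constructed for the example, and the three-failure threshold is an assumption to be tuned.

```python
import re
from collections import defaultdict

ENDPOINT_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
USER_RE = re.compile(r"SSH user (?P<user>\S+)")

# Message fragments, taken from the SCS entries in this section, that mean
# one authentication attempt failed.
FAILURE_PATTERNS = (
    "failed the PKA RSA challenge",
    "failed to authenticate the SSH client",
    "which is not enabled for that user",
    "which is not supported for that client",
)
# Fragments that warrant an alert on the first occurrence.
IMMEDIATE_ALERTS = (
    ("Unable to validate cookie", "invalid-ssh-cookie"),
    ("requested NO cipher", "null-cipher-requested"),
    ("Incompatible SSH version", "incompatible-ssh-version"),
    ("Unsupported cipher type", "unsupported-cipher"),
    ("Maximum number for SCS sessions", "session-limit-hit"),
    ("sessions reached", "session-limit-hit"),
)


def classify(line):
    """Return 'failure', 'success', an immediate-alert name, or None."""
    if "SCS:" not in line:
        return None
    for needle, name in IMMEDIATE_ALERTS:
        if needle in line:
            return name
    if any(p in line for p in FAILURE_PATTERNS):
        return "failure"
    if "has been authenticated using" in line:
        return "success"
    return None


def analyze(lines, threshold=3):
    """Walk SCS event lines in order and return (alert, source, detail) tuples."""
    failures = defaultdict(int)   # consecutive failures per source address
    alerts = []
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        m = ENDPOINT_RE.search(line)
        src = m.group("ip") if m else "unknown"   # the NO cipher message carries no address
        if kind == "failure":
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(("auth-failure-burst", src, "%d consecutive failures" % threshold))
        elif kind == "success":
            u = USER_RE.search(line)
            user = u.group("user") if u else "?"
            if failures[src] >= threshold:
                alerts.append(("success-after-failures", src,
                               "user %s logged in after %d failures" % (user, failures[src])))
            failures[src] = 0
        else:
            alerts.append((kind, src, line.strip()))
    return alerts


# Constructed sample events in the formats documented above; addresses and names are made up.
SAMPLE_EVENTS = [
    "SCS: SSH user admin at 10.0.0.5:40221 has failed the PKA RSA challenge.",
    "SCS: SSH user admin at 10.0.0.5:40222 has failed the PKA RSA challenge.",
    "SCS: NetScreen device failed to authenticate the SSH client at 10.0.0.5:40223.",
    "SCS: SSH user admin has been authenticated using password from 10.0.0.5:40224.",
    "SCS: Unable to validate cookie from the SSH client at 198.51.100.7:51000.",
    "SCS: Host client has requested NO cipher from vsys1",
    "SCS: SSH user netscreen has been authenticated using PKA RSA from 192.0.2.10:2201. (key-ID=1)",
    "SCS: Key regeneration interval has been changed from 3600 to 7200.",
]

if __name__ == "__main__":
    for alert, src, detail in analyze(SAMPLE_EVENTS):
        print("%-24s %-14s %s" % (alert, src, detail))
```

The failure counter is keyed on the source address rather than the user name because the Critical "failed to authenticate the SSH client" message names no user; a successful login resets the counter, so a success that arrives while the counter is at or above the threshold is reported separately as the event most worth a human look.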

SERVICES

The following messages relate to user-defined and predefined services, and service groups.

Notification

Message: Service <serv_name> has been { added | modified | deleted }
Meaning: An admin has added, modified, or deleted the specified user-defined service.
Action: No recommended action.

Message: Service group <grp_name> has been { added | deleted | modified }
Meaning: An admin has added, modified, or deleted the specified service group.
Action: No recommended action.

Message: Service group <grp_name> has { added member <serv_name> | deleted member }
Meaning: An admin has added the specified service to, or deleted a service from, the named service group.
Action: No recommended action.

Message: Service group <grp_name> comments have been modified.
Meaning: An admin has modified the comments for the specified service group.
Action: No recommended action.

Message: Service group <grp_name1> group name has been changed to <grp_name2>.
Meaning: An admin has changed the name of the service group.
Action: No recommended action.

SNMP

The following messages pertain to the Simple Network Management Protocol (SNMP).

Critical

Message: SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in three seconds.
Meaning: An admin has restored the user-configured SNMP listen port number to the default SNMP listen port number (161). The port number assignment takes three seconds to go into effect.
Action: Advise the SNMP admin to change the port number on the SNMP manager at which the management station makes SNMP requests.

Message: SNMP listen port has been changed from <port_num1> to <port_num2>. This change goes into effect in three seconds.
Meaning: An admin has changed the user-configured SNMP listen port number to another user-configured port number. The change of port number assignments takes three seconds to go into effect.
Action: Advise the SNMP admin to change the port number on the SNMP manager at which it makes SNMP requests.

Notification

Message: SNMP trap port has been changed from <port_num1> to port <port_num2>. This change goes into effect in three seconds.
Meaning: An admin has changed the user-configured SNMP trap port number.
Action: Advise the SNMP admin to change the port number on the SNMP manager at which it receives SNMP traps.

Message: SNMP listen port has been restored from <port_num> to default port 161. This change goes into effect in three seconds.
Meaning: An admin has restored the user-configured SNMP listen port number to the default SNMP listen port number (161). The port number assignment takes three seconds to go into effect.
Action: Advise the SNMP admin to change the port number on the SNMP manager at which the management station makes SNMP requests.

Message: SNMP listen port has been changed from <port_num1> to <port_num2>. This change goes into effect in three seconds.
Meaning: An admin has changed the user-configured SNMP listen port number to another user-configured port number. The change of port number assignments takes three seconds to go into effect.
Action: Advise the SNMP admin to change the port number on the SNMP manager at which the management station makes SNMP requests.

Message: SNMP trap port has been restored from <port_num> to default port 162.
Meaning: An admin has restored the user-configured SNMP trap port number to the default SNMP trap port number (162).
Action: Advise the SNMP admin to change the port number on the SNMP manager at which the management station receives SNMP traps.

Message: SNMP VPN has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled VPN encryption for SNMP traffic between the SNMP agent (that is, the NetScreen device) and the SNMP manager.
Action: No recommended action.

Message: SNMP AuthenTraps have been { enabled | disabled }.
Meaning: An admin has either enabled the SNMP agent to generate SNMP authentication-failure traps when the SNMP manager sends an incorrect community name string, or disabled the agent from doing so.
Action: No recommended action.

Message: SNMP { contact | location } description has been modified.
Meaning: An admin has modified the SNMP contact information, such as the NetScreen admin's telephone number or e-mail address, or the information about the physical location of the NetScreen device.
Action: No recommended action.

Message: SNMP community <name_str> attributes - write access, { yes | no }; receive traps, { yes | no }; receive traffic alarms, { yes | no } - have been modified.
Meaning: An admin has modified at least one of the following attributes for the specified SNMP community:
- Read/write privileges (write access, yes) or read-only privileges (write access, no)
- Receiving traps sent from the NetScreen SNMP agent (receive traps, yes) or not receiving traps (receive traps, no), in which case the SNMP manager must request information from the agent
- Receiving traffic alarms sent from the NetScreen SNMP agent (receive traffic alarms, yes) or not receiving traffic alarms (receive traffic alarms, no)
Action: No recommended action.

Message: SNMP host <ip_addr> has been { added to | removed from } SNMP community <name_str>.
Meaning: An admin has added the specified host to the named SNMP community or removed it from the community.
Action: No recommended action.

Information

Message: SNMP request from <ip_addr1>:<port_num> to <ip_addr2>:<port_num> has been received, but the SNMP version type is incorrect.
Meaning: A request from the specified SNMP manager to the SNMP agent located in the specified NetScreen device has been received. However, because NetScreen supports SNMP version 1 and the SNMP manager making the request uses a different version of the protocol (such as SNMP version 2C or SNMP version 3), the agent cannot respond to the request.
Action: If the request is from a legitimate SNMP manager, advise the admin to use SNMP version 1.

Message: Response to SNMP request from <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2> has failed due to a coding error.
Meaning: When the NetScreen device responded to an SNMP request, a BER encoding/decoding error occurred. BER (Basic Encoding Rules) converts data into bits and bytes and is the transfer syntax for SNMP.
Action: Advise the SNMP admin to retry.

Message: SNMP request from an unknown SNMP community <name_str> at <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2> has been received.
Meaning: A request from the specified SNMP manager to the SNMP agent located in the specified NetScreen device has been received. However, the NetScreen device does not recognize the specified SNMP community name.
Action: If the SNMP manager IP address and port number are legitimate, advise the SNMP admin to check the configuration.

Message: NetScreen device at <ip_addr1>:<port_num1> has responded successfully to SNMP request from <ip_addr2>:<port_num2>.
Meaning: The SNMP agent located in the specified NetScreen device has successfully responded to an SNMP request from the specified SNMP manager.
Action: No recommended action.

Message: SNMP community <name_str> cannot be added because the community list is full.
Meaning: An admin has attempted to add the named SNMP community, but the NetScreen device already has the maximum number of communities configured.
Action: Either remove one of the existing communities and then add the new one, or forgo the attempt.

Message: SNMP host <ip_addr> cannot be added because community <name_str> is full.
Meaning: An admin has attempted to add the specified host to the named SNMP community, but the community already has the maximum number of hosts allowed.
Action: Either remove one of the existing hosts and then add the new one, or forgo the attempt.

Message: SNMP host <ip_addr> cannot be added to community <name_str> because of an IP address conflict.
Meaning: An admin has attempted to add the specified host to the named SNMP community, but its IP address duplicates another entry.
Action: Check that the IP address for the host is correct and that it has not already been added to the community.

Message: SNMP host <ip_addr> cannot be removed from community <name_str> because host cannot be found.
Meaning: An admin has attempted to remove the specified host from the named SNMP community, but the host is not listed in the community.
Action: Check that you are using the correct IP address for the host that you want to remove.

Message: SNMP request has been received from an unknown host in SNMP community <name_str> at <ip_addr1>:<port_num1> to <ip_addr2>:<port_num2>.
Meaning: An SNMP request from an unknown host in the specified SNMP community has been received.
Action: If the SNMP request is from a legitimate SNMP community member, add the IP address for that host to the SNMP community configuration on the NetScreen device.

Message: SNMP request has been received from host <ip_addr1>:<port_num1> with read-only privileges to <ip_addr2>:<port_num2>.
Meaning: An SNMP request from a host at the specified IP address and port number with read-only privileges has been received at the specified IP address and port number of the NetScreen device.
Action: If you want the host to have read/write privileges, change the configuration on the NetScreen device for that SNMP community to permit it.

Message: SNMP request has been received from host <ip_addr1>:<port_num1> without read privileges to <ip_addr2>:<port_num2>.
Meaning: An SNMP request from a host at the specified IP address and port number without read privileges has been received at the specified IP address and port number of the NetScreen device.
Action: If you want the host to have read privileges, change the configuration on the NetScreen device for that SNMP community to permit it.

Message: SNMP request has been received, but no SNMP community has been configured.
Meaning: The SNMP agent on the NetScreen device has received an SNMP request, but no SNMP communities have been configured yet.
Action: Configure an SNMP community.

SOFTWARE KEY

The following message relates to software keys used for enhancing functionality or adding optional features to ScreenOS.

Notification

Message: An optional ScreenOS feature has been activated via a software key.
Meaning: An admin has activated an optional ScreenOS feature by using a software key.
Action: No recommended action.

SSL

The following messages relate to the Secure Socket Layer (SSL) protocol.

Notification

Message: SSL No ssl context. Not ready for connections.
Meaning: The device cannot make a Secure Socket Layer (SSL) connection because no SSL context exists.
Action: Configure SSL on the NetScreen device.

Message: SSL enabled | disabled
Meaning: The device has { enabled | disabled } a Secure Socket Layer (SSL) connection.
Action: No recommended action.

Message: SSL memory allocation fails in process_ca()
Meaning: The device could not allocate memory to store Secure Socket Layer (SSL) CA information.
Action: Contact NetScreen technical support.

Message: SSL memory allocation fails in process_cert()
Meaning: The device could not allocate memory to store a Secure Socket Layer (SSL) certificate that enables SSL to run.
Action: Contact NetScreen technical support.

Message: SSL ssl context init failed
Meaning: The device cannot build a Secure Socket Layer (SSL) connection or context.
Action: Contact NetScreen technical support.

Message: SSL no ssl cert
Meaning: A Secure Socket Layer (SSL) certificate could not be set because an incorrect SSL certificate was selected.
Action: Verify the SSL certificate. Certificates must be obtained from the CA and loaded into the NetScreen device.

Message: SSL set | verify cert failed. Key type is not RSA
Meaning: A Secure Socket Layer (SSL) certificate could not be set because the certificate selected does not have an RSA key associated with it.
Action: Select a certificate that has an RSA key type.

Message: PKI Verify Error: <id_num>:<string>
Meaning: The certificate received by the Secure Socket Layer (SSL) layer of the NetScreen device cannot be verified by a PKI service in the device.
Action: Make sure PKI has a CA that matches the issuing CA.

Message: SSL Error when retrieve local ca(verify): <number>
Meaning: The device generated a Secure Socket Layer (SSL) error when attempting to retrieve a local CA.
Action: Make sure the CA is in the PKI service in the NetScreen device.

Message: SSL Error when retrieve local cert(verify | all): <number>
Meaning: The device generated a Secure Socket Layer (SSL) error when attempting to retrieve a local certificate.
Action: Make sure the certificate is in the PKI service in the NetScreen device.

Message: SSL - Error MessageID in incoming mail - <id_num>
Meaning: A Secure Socket Layer (SSL) error message was generated by an incoming mail message <string>.
Action: Contact NetScreen technical support.

Message: SSL certificate changed
Meaning: The Secure Socket Layer (SSL) certificate has changed.
Action: No recommended action.

Message: SSL cert changed to none
Meaning: The administrative user has unset the Secure Socket Layer (SSL) certificate name.
Action: No recommended action.

Message: SSL set cert id is invalid<id_num>
Meaning: The Secure Socket Layer (SSL) certificate ID is invalid.
Action: No recommended action.

Message: SSL - cipher type <string> is not allowed in export or firewall only system
Meaning: The cipher type for the Secure Socket Layer (SSL) session is not allowed in export or on a firewall-only system.
Action: Do not use 3DES in export or on a firewall-only system.

Message: SSL ca changed to none
Meaning: Administrative user <user_name> unset Secure Socket Layer (SSL) certificate authority <name_str>.
Action: No recommended action.

Message: SSL no ssl ca
Meaning: The client-side Secure Socket Layer (SSL) session could not be set because the certificate authority certificate has not been set.
Action: Obtain a certificate and load it on the NetScreen device. Select the cipher you want to use.

Message: SSL CA changed
Meaning: The Secure Socket Layer (SSL) certificate authority has changed.
Action: No recommended action.

Message: SSL set ca id is invalid<id_num>
Meaning: The Secure Socket Layer (SSL) certificate authority ID is invalid.
Action: No recommended action.

Message: SSL cert subject mismatch: <string1> recieved, <string2> is expected
Meaning: The Secure Socket Layer (SSL) context on the device received a certificate with the wrong subject from a PKI service on the device.
Action: Make sure the CA certificates match on both the web server and the NetScreen device.

Message: Web SSL cipher changed from <name_str1> to <name_str2>
Meaning: An admin has changed the cipher used by the NetScreen device to secure communications.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: SSL cipher changed from <name_str1> to <name_str2>
Meaning: An admin has changed the cipher used by the NetScreen device to secure communications.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

Message: Web SSL Port changed from <port_num1> to <port_num2>
Meaning: An admin has changed the number of the port used for managing the device via SSL.
Action: Confirm that the action was appropriate, and performed by an authorized admin.

SYSLOG AND WEBTRENDS

The following messages pertain to configuring and enabling the syslog and WebTrends facilities. They are divided into two sections: Syslog (page 244) and WebTrends (page 246).

Syslog

Notification

Message: Attempt to enable { syslog | traffic logging via syslog } has failed because syslog settings have not yet been configured.
Meaning: An admin has attempted to enable the syslog facility or traffic logging via syslog before configuring the syslog settings. Consequently, the attempt has failed.
Action: Before attempting to enable syslog or traffic logging via syslog, configure the syslog settings.

Message: { Syslog | Traffic logging via syslog } has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the syslog facility or traffic logging via syslog.
Action: No recommended action.

Message: Syslog VPN encryption has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled VPN encryption of all syslog messages sent from the NetScreen device to the syslog host.
Action: No recommended action.

Message: Syslog host { IP | domain name | port number } has been changed to { <ip_addr> | <domain_name> | <port_num> }.
Meaning: An admin has changed the IP address or domain name of the syslog host, or the port number to which the NetScreen device sends UDP packets bound for the syslog host.
Action: No recommended action.

Message: Syslog { facility | security facility } has been changed to { local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | auth/sec }.
Meaning: An admin has changed the name of the syslog facility or security facility for the messages sent to the syslog host.
Action: No recommended action.

Message: Socket cannot be assigned for syslog.
Meaning: The NetScreen system cannot allocate an IP socket for the syslog facility.
Action: To free up a socket, close other management facilities that use sockets as connection tools, such as Telnet or the Web, and which are not currently in use.

WebTrends

Notification

Message: Attempt to enable WebTrends has failed because WebTrends settings have not yet been configured.
Meaning: An admin has attempted to enable the WebTrends facility before configuring the WebTrends settings. Consequently, the attempt has failed.
Action: Before attempting to enable WebTrends, configure the WebTrends settings.

Message: WebTrends has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the WebTrends facility.
Action: No recommended action.

Message: WebTrends VPN encryption has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled VPN encryption of all WebTrends messages sent from the NetScreen device to the WebTrends host.
Action: No recommended action.

Message: WebTrends host { IP | domain name | port number } has been changed to { <ip_addr> | <dom_name> | <port_num> }.
Meaning: An admin has changed the IP address or domain name of the WebTrends host, or the port number to which the NetScreen device sends UDP packets bound for the WebTrends host.
Action: No recommended action.

Message: Socket cannot be assigned for WebTrends.
Meaning: The NetScreen system cannot allocate an IP socket for the WebTrends facility.
Action: To free up a socket, close some other facilities, such as Telnet, which are not currently in use.

SYSTEM

The following messages pertain to NetScreen system memory.

Critical

Message: System memory is low: <number1> bytes allocated out of <number2> bytes total.
Meaning: The number of bytes allocated for system memory has surpassed the alarm threshold.
Action: If the memory alarm threshold was set too low, use the set alarm threshold memory command to increase the threshold. (The default is 95% of the total memory.) Check whether a firewall attack is in progress. Seek ways to reduce traffic.

Message: System memory is low (<number1> allocated out of <number2>) <number3> times in 1 minute
Meaning: The number of bytes allocated for system memory has surpassed the alarm threshold that was set by a policy in bytes per minute.
Action: If the policy set the alarm threshold too low, modify the policy to increase the threshold. Check whether a firewall attack is in progress. Seek ways to reduce traffic.

TRAFFIC SHAPING

The following messages relate to the traffic shaping function.

Message: traffic shaping is turned { ON | OFF }
Meaning: An admin enabled or disabled the traffic shaping feature on the NetScreen device.
Action: No recommended action.

USERS

The following messages pertain to events that affect user settings and status.

Information

Message: The user limit has been exceeded and <ip_addr> cannot be added. (NetScreen-5 and -5XP only)
Meaning: The limit for the number of internal users that can access the NetScreen device has been exceeded. Therefore, a communication attempt from the specified IP address has been denied.
Action: No recommended action.

VIP

The following messages concern virtual IP addresses (VIPs).

Critical

Message: VIP/load balance server <ip_addr> cannot be contacted
Meaning: The specified VIP server or VIP load balancing server is not responding to the heartbeat PINGs sent by the NetScreen device.
Action: Check that the server is powered up, that it is connected to the network, and that its TCP/IP settings are correct.

Message: VIP server <ip_addr> cannot be contacted
Meaning: The specified VIP server is not responding to the heartbeat PINGs sent by the NetScreen device.
Action: Check that the server is powered up, that it is connected to the network, and that its TCP/IP settings are correct.

Notification

Message: Address VIP (<ip_addr1>) for <ip_addr2> has been { added | modified | deleted }.
Meaning: An admin has added, modified, or deleted the specified VIP.
Action: No recommended action.

Message: VIP multi-port was { enabled | disabled }
Meaning: An admin enabled or disabled multi-port mapping from a multi-port service to a VIP.
Action: No recommended action.

Information

Message: VIP/ load balance server <ip_addr> now alive.
Meaning: The specified VIP server or VIP load balancing server has begun responding to the heartbeat PINGs sent by the NetScreen device.
Action: No recommended action.

Message: VIP server <ip_addr> now alive.
Meaning: The Virtual IP server has been brought up and is operational.
Action: No recommended action.

Message: VIP/load balance server <ip_addr> is in manual mode
Meaning: The admin disabled server auto-detection.
Action: No recommended action.

Message: VIP server <ip_addr> is in manual mode
Meaning: The admin disabled server auto-detection.
Action: No recommended action.

VIRTUAL SYSTEMS

The following messages relate to virtual system configurations.

Notification

Message: Vsys <name_str> has been created
Meaning: A root-level admin has created the specified virtual system.
Action: No recommended action.

Message: Vsys <name_str> ID has been changed from <id_num1> to <id_num2>
Meaning: A root-level admin has changed the ID of the specified virtual system.
Action: No recommended action.

Message: Vsys <name_str1> has been changed to <name_str2>.
Meaning: A root-level admin has changed the name of a virtual system.
Action: No recommended action.

Message: Vsys <name_str> has been deleted
Meaning: A root-level admin has deleted the specified virtual system.
Action: No recommended action.

Message: NSRP VSD group ID for vsys <name_str> has been changed from <id_num1> to <id_num2>
Meaning: A root-level admin has changed the NSRP VSD group ID of the specified virtual system.
Action: No recommended action.

VLANS

The following messages relate to virtual local area networks (VLANs).

Notification

Message: VLAN tag <number> has been { created | deleted }
Meaning: An admin has created or deleted the specified VLAN tag.
Action: No recommended action.

Message: The 802.1Q tag for interface <interface> has been removed
Meaning: An admin deleted the specified interface and 802.1Q VLAN tag.
Action: No recommended action.

Message: The 802.1Q tag for interface <interface> has been changed to <number> from <number>
Meaning: An admin has changed the 802.1Q VLAN tag for the specified interface.
Action: No recommended action.

Message: 802.1Q VLAN trunking for interface <interface> has been turned { on | off }
Meaning: An admin has either enabled or disabled 802.1Q VLAN trunking for the specified interface. Note that this option is only available in Transparent mode.
Action: No recommended action.

VPNS

The following messages relate to IPSec virtual private network (VPN) tunnels and VPN-related technologies.

Critical

Message: Replay packets have been detected! From <ip_addr>:<port_num> to <ip_addr>:<port_num>, using protocol { 50 | 51 }, on interface <interface>. [ The attack occurred <number> times.]
Meaning: The NetScreen device has detected Encapsulating Security Payload (ESP, protocol 50) or Authentication Header (AH, protocol 51) packets whose sequence numbers fall outside a specified range for VPNs with the replay protection feature enabled. The packets are from the specified source IP address and port, destined for the specified IP address and port, use the specified protocol, and enter the NetScreen device at the specified interface. The number indicates how many consecutive times per second the internal timer detected the arrival of packets with sequence numbers falling outside the defined range of acceptability. Out-of-sequence packets might indicate that somebody has resent a series of previously intercepted packets with the intent of gaining entry to the trusted network or of flooding the NetScreen device to cause a denial of service (DoS).
Action: If the NetScreen device is in high availability (HA) mode in a redundant cluster, check whether a failover has recently occurred. Because packet sequence numbers are not synchronized between master and backup units, all ESP or AH packets for VPNs with the replay protection feature enabled appear to be out of sequence to the new master. Consequently, the new master registers these packets as components of a replay attack.
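As an added illustration of the check behind this message (not ScreenOS code), the following Python implements the sliding anti-replay window that IPsec receivers keep per inbound SA and runs a constructed stream of ESP/AH sequence numbers through it, showing which packets are accepted, which are duplicates inside the window, and which are too old to fall inside it. The window size and the sample sequence numbers are assumptions chosen for the example.

```python
"""Sliding-window anti-replay check for ESP (protocol 50) / AH (protocol 51).

Added illustration, not ScreenOS code. WINDOW_SIZE and SAMPLE_SEQS are
constructed for this example."""

from collections import Counter

WINDOW_SIZE = 64  # constructed: IPsec implementations commonly use 32 or 64


class ReplayWindow:
    """Tracks received IPsec sequence numbers for one inbound SA.

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (highest - i) has already been seen."""

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.highest = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> str:
        """Classify one sequence number and update the window.

        Returns "accept", "replay" (duplicate inside the window) or
        "outside" (older than the oldest sequence number the window covers)."""
        if seq <= 0:
            return "outside"          # ESP/AH sequence numbers start at 1
        if seq > self.highest:        # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq   # older packet: is it still inside the window?
        if offset >= self.size:
            return "outside"
        bit = 1 << offset
        if self.bitmap & bit:
            return "replay"
        self.bitmap |= bit            # late but legitimate (reordered) packet
        return "accept"


def scan(sequence_numbers, size: int = WINDOW_SIZE) -> list:
    """Run a stream of sequence numbers through one window; return the verdicts."""
    window = ReplayWindow(size)
    return [window.check(seq) for seq in sequence_numbers]


def flagged_count(verdicts) -> int:
    """Packets a receiver would report as replayed or out of window, i.e. the
    kind of count summarised by "The attack occurred <number> times"."""
    counts = Counter(verdicts)
    return counts["replay"] + counts["outside"]


# Constructed sample stream: in-order traffic, one harmless reordering (5 before 4),
# a duplicate of 3, a jump to 100, then stale packets 36 and 2 that fall
# outside the 64-packet window.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 6, 3, 100, 40, 36, 37, 2]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_SEQS, scan(SAMPLE_SEQS)):
        print(f"seq={seq:>4} -> {verdict}")
    print("flagged:", flagged_count(scan(SAMPLE_SEQS)))
```

Note that the window state lives on the unit that received the traffic: a unit whose window is not in step with the traffic it suddenly receives will classify packets by that stale state, which is why the HA failover case above deserves a check before the message is treated as an attack.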

Notification

Message: vpnmonitor interval is unset.
Meaning: An admin has returned the VPN monitoring frequency to its default setting. The VPN monitoring feature sends an ICMP echo request (PING) through a VPN tunnel from end to end to check if the tunnel is up or down. The default setting is one PING per minute.
Action: No recommended action.

Message: vpnmonitor threshold is unset.
Meaning: An admin has returned the VPN monitor threshold to its default setting.
Action: No recommended action.

Message: VPN monitoring for VPN <name_str> has been { enabled | disabled }
Meaning: An admin has either enabled or disabled the VPN monitoring option for the specified VPN tunnel. VPN monitoring checks if a VPN tunnel is up or down. If the state changes, an SNMP trap is triggered and the NetScreen device sends a message to an SNMP manager.
Action: No recommended action.

Message: vpnmonitor interval is set to <number>
Meaning: An admin has changed the VPN monitoring frequency to the specified number of seconds. The VPN monitoring feature sends an ICMP echo request (PING) through a VPN tunnel from end to end at the specified frequency to check if the tunnel is up or down.
Action: No recommended action.

Message: vpnmonitor threshold is set to <number>
Meaning: An admin has changed the VPN monitoring threshold to the specified number of packets. The VPN monitoring feature sends an ICMP echo request (PING) through a VPN tunnel from end to end at the specified frequency to check if the tunnel is up or down. The threshold value indicates the number of these requests that can be sent before determining if the tunnel is up or down.
Action: No recommended action.

Message: The DF-BIT for VPN <name_str> has been set to { clear | set | copy }.
Meaning: For the specified VPN tunnel, an admin has cleared or set the Don't Fragment (DF) bit in the outside header of an encapsulated packet, or copied the DF-bit setting from the inside header to the outside header.
Action: No recommended action.

Message: VPN <name_str> with gateway <name_str2>, { no-rekey | rekey }, and p2-proposal <name> has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified VPN, or modified at least one of its attributes.
Action: No recommended action.

Message: VPN <name_str> with gateway <ip_addr> and SPI <hex_num1>/<hex_num2> has been { added | modified | deleted }.
Meaning: An admin has added or deleted the specified VPN, or modified at least one of its attributes.
Action: No recommended action.

Message: IPSec NAT-T for VPN <name_str> has been { enabled | disabled }.
Meaning: An admin has either enabled or disabled the NAT traversal (NAT-T) option for the specified VPN. NAT traversal adds an extra layer of encapsulation, encapsulating the original IPSec packet (using ESP or AH protocols) within a UDP packet. Most NAT servers cannot recognize the ESP or AH protocols and drop IPSec packets. When the NAT-T option is enabled, the sender encapsulates the ESP or AH packet within a UDP packet. The NAT server recognizes the UDP protocol and sends it on. The recipient then strips off the UDP packet and processes the inner ESP or AH packet accordingly.
Action: No recommended action.

Message: IP pool <name_str> with range <ip_addr1>-<ip_addr2> has been created
Meaning: The named IP pool with the specified range of IP addresses was created.
Action: No recommended action.

Message: IP pool <name_str> with range <ip_addr1>-<ip_addr2> has been deleted
Meaning: The named IP pool with the specified range of IP addresses was deleted.
Action: No recommended action.

Message: IP pool <name_str> with range <ip_addr1>-<ip_addr2> was removed
Meaning: The named IP pool, which contains a group of available addresses to be assigned automatically to devices using DHCP, was removed.
Action: No recommended action.

Message: No IP pool has been assigned. You cannot allocate an IP address.
Meaning: An IP address from a specified pool could not be allocated and assigned to a device.
Action: Contact NetScreen to determine if the address pool is valid.

Information

Message: Receive UDP packets from <ip_addr1>/<port_num1> on interface <interface> <ip_addr2>/<port_num2>
Meaning: UDP packets from the specified IP address and port number have been received at the named interface at the specified IP address and port number.
Action: No recommended action.

Message: VPN ID number cannot be assigned.
Meaning: During VPN tunnel configuration, the NetScreen device was unable to assign the VPN tunnel an ID number, possibly because the maximum number of tunnels had been reached. Consequently, the configuration of the VPN tunnel was unsuccessful.
Action: Check if the number of defined VPN tunnels has reached the maximum limit.

ZONES

The following messages relate to security zones and tunnel zones.

Notification

Message Meaning Action

New zone <zone> (id: <id_num>) was created. An admin successfully created a new zone with the indicated ID number. No recommended action

Message Meaning Action

Zone <zone> (id: <id_num>) was deleted. An admin successfully deleted the specified zone. No recommended action

Message Meaning Action

Zone <zone> was bound to virtual router <vrouter>. An admin successfully bound a specified zone to a specified virtual router. No recommended action


Message Meaning Action

Zone <zone> was unbound from virtual router <vrouter>. An admin successfully unbound a specified zone, either trust or untrust, from a specified virtual router. No recommended action

Message Meaning Action

Intra-zone block for zone <zone> was set to { on | off }. An admin turned the intra-zone block on or off for the specified zone. No recommended action

Message Meaning Action

Tunnel zone <zone1> was bound to out zone <zone2>. An admin successfully bound a specified tunnel zone to a specified outbound zone. No recommended action

Message Meaning Action

Zone <zone> was changed to non-shared. An admin changed a zone's attribute from shared to non-shared. No recommended action

TRAFFIC LOG MESSAGES

Message logging automatically begins when a device boots up. NetScreen 4.0.0 supports a traffic log whose entries contain multiple fields. An example of an entry and its fields is shown here:

May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 system notification-0025 (traffic): start_time=2001-04-29 16:46:16 duration=88 policy id=2 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Tunnel(VPN_303) sent=102 rcvd=0 src=192.168.10.10 dst=10.10.10.1 icmp type=8

The following table breaks these fields down and describes them. Each row gives the field name, an example value in square brackets, and a description.

Date Stamp [May 10]: Displays the date when the message was generated.
Time Stamp [15:59:26]: Displays the time when the message was generated, in the format HH:MM:SS.
Source IP Address [192.168.10.1]: Displays the IP address of the device that generated the traffic log message.
Device Model [ns204]: Displays the model number of the device that generated the traffic log message.
Device Serial Number [NetScreen device id=0029012002000170]: Displays the ID number of the device, which is the 16-digit serial number assigned to the device by NetScreen.
Severity Level [system notification]: Displays the severity level of the event that generated the traffic message. Severity levels are:
  Emergency: The device is unusable.
  Alert: Immediate action is required to resolve the event on the device.
  Critical: Functionality on the device is severely affected.
  Error: An error was reported on the device.
  Warning: Functionality may be affected on the device.
  Notification: The event is seen as normal on the device.
  Information: A general information message about the device.
  Debug: A message related to debugging a problem on the device.
Type ID [0025]: Displays the error type as a code associated with the type.
Type [(traffic)]: Displays the error type as a descriptive string about the error.
Start Time [start_time=2001-04-29 16:46:16]: Displays the time and date when the traffic began being generated.
Duration [duration=88]: Displays the amount of time in seconds that elapsed since the traffic message was generated.
Traffic Policy [policy_id=2]: Displays the code associated with the policy type that generated the traffic message.
Service [service=icmp]: Displays the protocol service used by the device that generated the traffic message. Common services for traffic messages include ICMP, TCP, and UDP.
Protocol Number [proto=1]: Displays the code number associated with the protocol service used by the device that generated the traffic message.
Source Zone [src zone=Trust]: Displays the name of the zone from which the error-generating traffic was forwarded.
Destination Zone [dst zone=Untrust]: Displays the name of the zone to which the error-generating traffic was forwarded.
Policy Action [action=Tunnel]: Displays the action that results on the device from the detection of the error: forward or denial.
VPN ID [(VPN_303)]: Displays the code number that identifies the VPN on which the error-generating traffic was running.
Bytes Sent [sent=102]: Displays the number of bytes associated with the error that were sent by the source device.
Bytes Received [rcvd=0]: Displays the number of bytes associated with the error that were received by the destination device.
Source IP Address [src=192.168.10.10]: Displays the IP address of the device sending the traffic associated with the error.
Destination IP Address [dst=10.10.10.1]: Displays the IP address of the device receiving the traffic associated with the error.
Protocol Type [icmp type=8]: Displays a code number associated with a sub-type of a protocol on the device sending the traffic associated with the error. Not all protocols have sub-types. (Optional field.)
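A parser for the traffic log line format described above, added here as an example (it is not NetScreen's own code): it separates the syslog prefix from the key=value body, copes with keys and values that contain a space ("policy id", "2001-04-29 16:46:16"), and tallies Deny entries per source address. The sample lines are constructed in the page's format; the second and third are not taken from the guide.

```python
import re

# Syslog prefix through the "(traffic):" type marker, following the field table.
HEADER = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<source_ip>\S+) "
    r"(?P<model>\S+): NetScreen device_id=(?P<device_id>\S+) "
    r"(?P<severity>system \w+)-(?P<type_id>\d+) \((?P<type>\w+)\): (?P<body>.*)$"
)
# key=value pairs: a key may contain one space ("policy id", "src zone") and a
# value runs until the next "key=" token or the end of the line.
PAIR = re.compile(r"(\w+(?: \w+)?)=(.*?)(?=\s+\w+(?: \w+)?=|$)")

# Constructed sample lines: the guide's own example, a constructed Deny entry,
# and a constructed non-traffic event that the parser must skip.
SAMPLE_LINES = [
    "May 18 15:59:26 192.168.10.1 ns204: NetScreen device_id=0029012002000170 "
    "system notification-0025 (traffic): start_time=2001-04-29 16:46:16 "
    "duration=88 policy id=2 service=icmp proto=1 src zone=Trust "
    "dst zone=Untrust action=Tunnel(VPN_303) sent=102 rcvd=0 "
    "src=192.168.10.10 dst=10.10.10.1 icmp type=8",
    "May 18 16:02:11 192.168.10.1 ns204: NetScreen device_id=0029012002000170 "
    "system notification-0025 (traffic): start_time=2001-04-29 16:49:03 "
    "duration=0 policy id=5 service=telnet proto=6 src zone=Untrust "
    "dst zone=Trust action=Deny sent=60 rcvd=0 src=10.10.10.77 dst=192.168.10.20",
    "May 18 16:03:00 192.168.10.1 ns204: NetScreen device_id=0029012002000170 "
    "system notification-00017 (VPN): placeholder event text",
]

def parse_traffic_line(line):
    """Return the entry's fields as a dict, or None for non-traffic lines."""
    m = HEADER.match(line.strip())
    if m is None or m.group("type") != "traffic":
        return None
    fields = m.groupdict()
    body = fields.pop("body")
    # Normalise "policy id" -> "policy_id" so every key is a plain identifier.
    fields.update((k.replace(" ", "_"), v) for k, v in PAIR.findall(body))
    for key in ("duration", "sent", "rcvd"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def denied_sources(lines):
    """Count Deny-action entries per source IP; a host that keeps hitting
    blocked policies stands out in this tally."""
    counts = {}
    for line in lines:
        entry = parse_traffic_line(line)
        if entry and entry.get("action") == "Deny":
            counts[entry["src"]] = counts.get(entry["src"], 0) + 1
    return counts
```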

Acronym   Full Text
3DES      Triple Data Encryption Standard
ACK       Acknowledge
ACL       Access Control List
AES       Advanced Encryption Standard
AH        Authentication Header
ARIN      American Registry of Internet Numbers
AS        Autonomous System
AS-PATH   Autonomous System Path
BER       Basic Encoding Rules
BGP       Border Gateway Protocol
CA        Certificate Authority
CERT      Certificate
CN        Common Name (X.509 certificate)
CR        Certificate Revocation
CRL       Certificate Revocation List
DER       Distinguished Encoding Rule
DES       Data Encryption Standard
DH        Diffie-Hellman
DHCP      Dynamic Host Configuration Protocol
DIP       Dynamic IP
DN        Distinguished Name
DNS       Domain Name System
DOI       Domain of Interpretation
DoS       Denial of Service
DSA       Digital Signature Authority
DSS       Digital Signature Standard
EE        End Entity
ESP       Encapsulating Security Payload
FQDN      Fully Qualified Domain Name
HA        High Availability
HDLC      High Level Data Link Control
HTTP      HyperText Transfer Protocol
HTTPS     HyperText Transfer Protocol Secure
ICMP      Internet Control Message Protocol
IKE       Internet Key Exchange
IP        Internet Protocol
IPSec     Internet Protocol Security
L2TP      Layer 2 Tunneling Protocol
LDAP      Lightweight Directory Access Protocol
LSA       Link State Advertisement
MD5       Message Digest 5
MIP       Managed IP
NACN      NetScreen Address Change Notification
NAT       Network Address Translation
NAT-T     Network Address Translation - Transparent Mode
NSO       Network Security Officer
NSRP      NetScreen Redundancy Protocol
NTP       Network Time Protocol
OSPF      Open Shortest Path First
PFS       Perfect Forwarding Secrecy
PKA       Public Key Authentication
PKCS      Public Key Cryptography Standards
PKI       Public Key Infrastructure
PLDAP     Primary Connection Lightweight Directory Access Protocol
PM        NetScreen Policy Manager
PPP       Point-to-Point Protocol
PPPoE     Point-to-Point Protocol over Ethernet
RADIUS    Remote Authentication Dial-In User Service
RSA       Rivest Shamir Adleman (authors of RSA security standard)
RTO       Run Time Objects
SA        Security Association
SCEP      Simple Certificate Enrollment Protocol
SHA       Secure Hash Algorithm
SMTP      Simple Mail Transfer Protocol
SNMP      Simple Network Management Protocol
SPI       Security Parameter Index
SSH       Secure Shell
SSL       Secure Socket Layer
TFTP      Trivial File Transfer Protocol
UDP       User Datagram Protocol
UFQDN     User's Fully Qualified Domain Name
URL       Uniform Resource Locator
VIP       Virtual IP
VLAN      Virtual Local Area Network
VOIP      Voice Over IP
VPN       Virtual Private Network
VSD       Virtual Security Device
VSYS      Virtual System

Appendix A Emergency Messages
The following list contains page references for the messages at the highest severity level: emergency.

Appendix B Alert Messages
The following list contains page references for the messages at the second highest severity level: alert.

Appendix C Critical Messages
The following list contains page references for the messages at the third highest severity level: critical.

Appendix D Error Messages
The following list contains page references for the messages at the fourth highest severity level: error.

Appendix E Warning Messages
The following list contains page references for all the messages at the fifth highest severity level: warning.

Appendix F Notification Messages
The following list contains page references for all the messages at the sixth highest severity level: notification.

Appendix G Information Messages
The following list contains page references for the messages at the lowest severity level: information.