Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


Data Fields

| Data Field | Type | Description |
|---|---|---|
| timezone | string | Time zone set on the appliance, e.g. IST |
| device_name | string | Model number of the device |
| device_id | string | Serial number of the device |
| deployment_mode | string | Mode in which the appliance is deployed. Possible values: Route, Bridge |
| log_id | string | Unique 12-character code c1c2c3c4c5c6c7c8c9c10c11c12: c1c2 - Log Type, e.g. 01 for firewall log; c3c4 - Log Component, i.e. firewall/local ACL/DoS Attack etc.; c5c6 - Log Sub Type, i.e. allow/violation; c7 - Priority, e.g. 0 for Emergency; c8c9c10c11c12 - Message ID, e.g. 00001 for traffic allowed by firewall. Refer Log ID Structure. |
| log_type | string | Type of event, e.g. firewall event. Refer Log Type. |
| log_component | string | Component responsible for logging, e.g. Firewall rule. Refer Log Component. |
| log_subtype | string | Sub type of event. Refer Log Sub-type. |
| priority | string | Severity level of traffic. Refer Priority. |

System Logs

Appendix A - Logs, page 535

| Log Component | Message ID | Message |
|---|---|---|
| HA | 60012 | Appliance becomes standalone |
| HA | 60013 | Appliance goes in fault |
| HA | 60014 | Appliance becomes auxiliary |
| HA | 60015 | Appliance becomes primary |
| HA | 60016 | Appliance becomes standalone at appliance start up |
| HA | 60017 | Appliance goes in fault at appliance start up |
| HA | 60018 | Appliance becomes auxiliary at appliance start up |
| HA | 60019 | Appliance becomes primary at appliance start up |
| HA | 17838 | HA was disabled |
| DHCP Server | 60020 | DHCP lease renew |
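The log_id layout and the message-ID rows above are enough to build a small triage step for the appliance's syslog feed. The following is an added example written for this page, not code from the Sophos guide: the 12-character log_id positions, log type 01 = firewall, and the message IDs and texts in KNOWN_EVENTS are taken from the tables; the key=value line format is the one the appliance sends to syslog, but every line in SAMPLE_LINES, the device values in them, and all type/component/sub-type digits other than the firewall log type 01 are constructed placeholders, and the ALERT_IDS selection is an illustrative choice rather than guidance from the guide.

```python
"""Decode Sophos XG log_id values and triage system-event syslog lines.

Added example for this page; it is not code from the Sophos guide.
From the tables above: the 12-character log_id layout (c1c2 log type,
c3c4 component, c5c6 sub type, c7 priority, c8-c12 message ID), log type
01 = firewall, and the message IDs/texts in KNOWN_EVENTS.
Constructed for the example: every line in SAMPLE_LINES, the device
values in them, and all type/component/sub-type digits other than the
firewall log type 01 (the "99"/"01" digits below are placeholders).
"""
import re
from dataclasses import dataclass

# Standard syslog severity scale; the guide itself only spells out 0 = Emergency.
PRIORITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Information", 7: "Debug"}

# Log type codes named in the guide; unknown codes are reported as-is.
LOG_TYPES = {"01": "Firewall"}

# Message IDs and texts copied from the HA, DHCP Server, Appliance,
# Interface and Gateway rows of the system-log table.
KNOWN_EVENTS = {
    60012: "Appliance becomes standalone",
    60013: "Appliance goes in fault",
    60014: "Appliance becomes auxiliary",
    60015: "Appliance becomes primary",
    17838: "HA was disabled",
    60020: "DHCP lease renew",
    17807: "CPU usage exceeded the threshold",
    17808: "Physical memory usage exceeded the threshold",
    17816: "Appliance started successfully",
    17822: "The audit subsystem has successfully shut down.",
    17813: "Interface UP/Interface Down",
    17814: "Gateway live/ Gateway dead",
}

# Events that should page someone rather than just be archived: HA
# degradation or removal, audit logging stopping, link/gateway state
# changes. This selection is an illustrative choice, not from the guide.
ALERT_IDS = {60012, 60013, 17838, 17822, 17813, 17814}


@dataclass(frozen=True)
class LogId:
    log_type: str
    component: str
    subtype: str
    priority: int
    message_id: int


def parse_log_id(raw: str) -> LogId:
    """Split a 12-digit log_id into its positional fields; reject anything else."""
    if not re.fullmatch(r"\d{12}", raw):
        raise ValueError(f"log_id must be exactly 12 digits, got {raw!r}")
    return LogId(raw[0:2], raw[2:4], raw[4:6], int(raw[6]), int(raw[7:12]))


# key=value pairs as XG writes them: values are either double-quoted
# (and may contain spaces) or bare tokens without spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def triage(lines):
    """One record per line: decoded log_id, table lookup, alert flag, and a
    consistency check that the textual priority field agrees with digit c7."""
    records = []
    for line in lines:
        fields = parse_line(line)
        lid = parse_log_id(fields["log_id"])
        priority = PRIORITY.get(lid.priority, str(lid.priority))
        records.append({
            "device": fields.get("device_name"),
            "log_type": LOG_TYPES.get(lid.log_type, lid.log_type),
            "message_id": lid.message_id,
            "priority": priority,
            "priority_mismatch": fields.get("priority") != priority,
            "known_message": KNOWN_EVENTS.get(lid.message_id),
            "alert": lid.message_id in ALERT_IDS,
        })
    return records


# Constructed sample lines in the appliance's key=value syslog format.
SAMPLE_LINES = [
    'device="SFW" date=2017-01-31 time=18:22:11 timezone="IST" device_name="SF01V" '
    'device_id=SFDEMO000001 log_id=010101600001 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
    'priority=Information src_ip=10.0.0.5 dst_ip=192.0.2.10',
    'device="SFW" date=2017-01-31 time=18:23:40 timezone="IST" device_name="SF01V" '
    'device_id=SFDEMO000001 log_id=990101517838 log_type="Event" log_component="HA" '
    'log_subtype="System" priority=Notice message="HA was disabled"',
    'device="SFW" date=2017-01-31 time=18:25:02 timezone="IST" device_name="SF01V" '
    'device_id=SFDEMO000001 log_id=990101417807 log_type="Event" '
    'log_component="Appliance" log_subtype="System" priority=Warning '
    'message="CPU usage exceeded the threshold"',
    'device="SFW" date=2017-01-31 time=18:26:15 timezone="IST" device_name="SF01V" '
    'device_id=SFDEMO000001 log_id=990101617813 log_type="Event" '
    'log_component="Interface" log_subtype="System" priority=Information '
    'message="Interface Port2 is Down"',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        flag = "ALERT" if rec["alert"] else "     "
        print(flag, rec["message_id"], rec["priority"], rec["known_message"])
```

The priority_mismatch check is cheap insurance: if a collector ever re-maps or truncates the log_id field, the textual priority and digit c7 stop agreeing and the record can be routed to a parsing-error queue instead of silently mis-prioritised.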

Appendix A - Logs, page 536

| Log Component | Message ID | Message |
|---|---|---|
| DHCP Server | 60021 | DHCP lease release |
| DHCP Server | 60022 | DHCP lease expired |
| Appliance | 17807 | CPU usage exceeded the threshold |
| Appliance | 17808 | Physical memory usage exceeded the threshold |
| Appliance | 17809 | SWAP memory usage exceeded the threshold |
| Appliance | 17810 | Config disk usage exceeded the threshold |
| Appliance | 17811 | Signature disk usage exceeded the threshold |
| Appliance | 17812 | Reports disk usage reached the higher threshold |
| Appliance | 17816 | Appliance started successfully |
| Appliance | 17904 | Reserved for OPCODE failure snmp trap (logs will be added later) |
| Appliance | 17817 | Reserved for Service failure snmp trap (logs will be added later) |
| Appliance | 17920 | Scheduled backup was successfully taken (Information) |
| Appliance | 17819 | Failed to send scheduled backup |
| Appliance | 17922 | Fan Speed has decreased below the desirable level |
| Appliance | 17921 | Temperature has increased above the desired level |
| Appliance | 17820 | Report disk usage reached lower than the lower threshold |
| Appliance | 17821 | Report disk usage exceeded the lower threshold |
| Appliance | 17822 | The audit subsystem has successfully shut down. |
| Appliance | 17905 | Fail to send certificate passphrase. |
| Appliance | 17943 | Connectivity to ConnectWise Server has been lost. |
| Appliance | 17944 | Fail to send test mail : <Reason> |
| Interface | 17813 | Interface UP/Interface Down |
| Gateway | 17814 | Gateway live/ Gateway dead |
| Gateway | 18036 | Up/down gateway detail to SFM |
| DDNS | 17815 | DDNS Update successful/failed |
| WebCat | 17923 | WebCat Database upgraded from <old version> to <new version> |
| WebCat | 17924 | WebCat Database upgrade failed |
| AV | 17931 | AV Definitions upgraded from <old version> to <new version> |
| AV | 17932 | AV Definitions upgrade failed |
| IPS | 17933 | IPS Signatures upgrade failed |
| Interface | 17934 | Primary Link down/Up and link failover/failback to backup/ primary link |
| Dial-In | 17941 | Dial-In client connected |
| Dial-In | 17942 | Dial-In client disconnected |

Appendix A - Logs, page 537

| Log Component | Message ID | Message |
|---|---|---|
| Quarantine | 17823 | Quarantined email could not be released because <reason> |
| SSL VPN | 17824 | SSL VPN Connection (Tunnel Access) Established |
| SSL VPN | 17825 | SSL VPN Connection (Tunnel Access) Terminated |
| SSL VPN | 17826 | SSL VPN Connection (Web Access) Established |
| SSL VPN | 17827 | SSL VPN Connection (Web Access) Terminated |
| SSL VPN | 17828 | SSL VPN Connection (Application Access) Established |
| SSL VPN | 17829 | SSL VPN Connection (Application Access) Terminated |
| SSL VPN | 17830 | SSL VPN resource access allowed |
| SSL VPN | 17831 | SSL VPN resource access denied |
| SSL VPN | 17837 | User Certificate <certificate_name> was created for user <username> |
| SSL VPN | 17839 | All User Certificates deleted |

The remaining rows of this page (L2TP, PPTP and IPSec) carry the message IDs 17801-17806, 17832-17836, 17840-17844, 17936 and 17937 (18 IDs for 18 rows). The extracted page no longer shows which ID belongs to which row, so the IDs are given only as that set and the messages follow in table order.

| Log Component | Message |
|---|---|
| L2TP | L2TP Connection Established |
| L2TP | L2TP Connection Terminated |
| PPTP | PPTP Connection Established |
| PPTP | PPTP Connection Terminated |
| IPSec | IPSec Connection Established |
| IPSec | IPSec Connection Terminated |
| IPSec | Failover group Activation successful. A particular connection/No connection established |
| IPSec | Failover successful |
| IPSec | Failover failed. Connection will be established on next failback event |
| IPSec | Failback successful |
| IPSec | Failback failed, revert back to current running connection successful |
| IPSec | Failback failed, revert back to current running connection also failed. Connection will be established on next failback event |
| IPSec | <connectionname>, activation: Connection activated successfully |
| IPSec | <connectionname>, activation: Failed to activate this connection. Reason: <reason> |
| IPSec | <connectionname>, activation: Trying to deactivate/initiate/terminate an inactive connection. Probable DB sync problem |
| IPSec | <connectionname>, EST-P1-MM: Response to establishment request from <peeris> peer <peerrequesterip> successful |
| IPSec | <connectionname>, EST-P1-MM: Response to establishment request from <peerrequesterip> failed because <reason> |
| IPSec | <connectionname>, EST-P1-AM: Responding to establishment request from <peerrequesterip>, state # <state> |

Appendix A - Logs, page 538

| Log Component | Message ID | Message |
|---|---|---|
| IPSec | 17845 | <connectionname>, EST-P1-AM: Response to establishment request from <peerrequesterip> failed because <reason> |
| IPSec | 17846 | <connectionname>, EST-P1-MM: Connection being initiated on request |
| IPSec | 17847 | <connectionname>, EST-P1-AM: Connection with state <state> being initiated on request |
| IPSec | 17848 | <connectionname>, EST-P1-MM: Peer ID is <peerid> |
| IPSec | 17849 | <connectionname>, EST-P1-AM: Peer ID is <peerid> |
| IPSec | 17850 | <connectionname>, EST-P1: Phase-1 ID mismatch. Configured peer id is <remoteid> and received peer id is <peerid>. System is initiator. Verify ID configuration at both the ends is in sync. |
| IPSec | 17851 | <connectionname>, EST-P1: Phase-1 ID mismatch. No suitable connection for peer id <peerid>. System is responder. Verify ID configuration at both the ends is in sync. |
| IPSec | 17852 | <connectionname2>, EST-P1: switched the connection from <connectionname> to <connectionname2> because a <connection name2>'s configuration matches the request better. |
| IPSec | 17853 | <connectionname>, EST-P1: Peer did not accept any proposal sent. Reconfigure the connection on either of the ends |
| IPSec | 17854 | <connectionname>, EST-P1: System did not accept any proposal received. Need to reconfigure the connection on either of the ends. |
| IPSec | 17855 | <connectionname>, EST-P1: An error (mostly related to network) has occurred while sending a packet to advance the IKE state machine from state <state>. |
| IPSec | 17856 | <connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I1. No response (or no acceptable response) to first IKE message |
| IPSec | 17857 | <connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I3. Possible authentication failure or NAT device in between: no acceptable response to first encrypted message |
| IPSec | 17858 | <connectionname>, EST-P1: Malformed payload in packet. probable authentication failure (mismatch of preshared secrets). Verify pre-shared secrets are same at both the ends. |
| IPSec | 17859 | <connectionname>, EST-P1: unexpected message received in state <state>. payload received from the peer do not lead the System to the next expected IKE state |
| IPSec | 17860 | <connectionname>, EST-P1: Informational Exchange message is invalid because it has a previously used Message ID <messageid> |
| IPSec | 17861 | <connectionname>, EST-P1-MM: Phase-1 SA initiated by peer is established |

Appendix A - Logs, page 539

All rows on this page belong to the IPSec component and carry the message IDs 17865-17881 (17 IDs for 17 rows). The extracted page no longer shows which ID belongs to which row, so the IDs are given only as that range and the messages follow in table order.

| Log Component | Message |
|---|---|
| IPSec | <connectionname>, EST-P2: Initiating Phase-2 (protected by Phase-1 SA with <state>) on request with policy <policybits> |
| IPSec | <connectionname>, EST-P2: Initiating Phase-2 SA re-keying using Phase-1 SA <state> |
| IPSec | <connectionname>, EST-P2: Responding to a Phase-2 establishment request with Message id <MESSAGE ID> |
| IPSec | <connectionname>, EST-P2: max number of retransmissions <count> reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal |
| IPSec | <connectionname>, EST-P2: System require Perfect Forward Secrecy(PFS) but peer proposed not to use PFS |
| IPSec | <connectionname>, EST-P2: Local subnet – Remote subnet configuration of the connection being initiated conflicts with that of an already established connection <establishedconnectionname>. Terminate connection <establishedconnectionname> before initiating. |
| IPSec | <connectionname>, EST-P2: System received a Phase-2 connection request whose Local subnet – Remote subnet configuration conflicts with that of an already established connection <establishedconnectionname>. System is terminating connection <establishedconnectionname> to honour the incoming request. |
| IPSec | <connectionname>, EST-P2: A Phase-2 SA initiated by System is established. |
| IPSec | <connectionname>, EST-P2: A Phase-2 SA initiated by peer is established |
| IPSec | <connectionname>, NAT-T: No NAT device detected between Local Server and Remote Server |
| IPSec | <connectionname>, NAT-T: Local server is behind a NAT device |
| IPSec | <connectionname>, NAT-T: Remote server is behind a NAT device |
| IPSec | <connectionname>, NAT-T: Both Local and remote server are behind NAT devices |
| IPSec | <connectionname>, SA-MGT: Peer requested to delete Phase-1 SA. Deleting ISAKMP state <state> |
| IPSec | <connectionname>, SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSec state <state> |
| IPSec | <connectionname>, SA-MGT: Peer requested to delete Phase-2 SA. Deleting existing SA and re-inititate a new one. Replacing IPSEC State #<state> |
| IPSec | <connectionname>, SA-MGT: Deleting remote access connection instance with peer <remoteinterfaceip>, isakmp=#<isakmp>, ipsec=#<ipsec> |

Appendix A - Logs, page 540

All rows on this page belong to the IPSec component and carry the message IDs 17882-17903 and 17939 (23 IDs for 23 rows). The extracted page no longer shows which ID belongs to which row, so the IDs are given only as that set and the messages follow in table order.

| Log Component | Message |
|---|---|
| IPSec | <connectionname>, SA-MGT: Deleting connection |
| IPSec | <connectionname>, SA-MGT: On deletion of connection, corresponding SA <state> is being deleted |
| IPSec | <connectionname>, SA-MGT: Initiating Re-keying of connection 's Phase-1 (main mode) SA <state> |
| IPSec | <connectionname>, SA-MGT: Initiating Re-keying of connection 's Phase-1 (aggresive mode) state <oldstate> to state <newstate> |
| IPSec | <connectionname>, SA-MGT: Phase 1 SA is being re-keyed |
| IPSec | <conn-ectionname>, SA-MGT: Phase 2 SA is being re-keyed |
| IPSec | <connectionname>, SA-MGT: Phase 1 SA has expired |
| IPSec | <connectionname>, SA-MGT: Phase 1 SA has expired. Connection is configured not to re-key |
| IPSec | <connectionname>, SA-MGT: Phase 2 SA has expired |
| IPSec | <connectionname>, SA-MGT: Phase 2 SA has expired. Connection is configured not to re-key |
| IPSec | <connectionname>, DPD: Dead peer detection enabled |
| IPSec | <connectionname>, DPD: Peer was unreachable and was marked as dead for this connection |
| IPSec | <connectionname>, DPD: Connection was <actiononpeerdead> because peer was dead |
| IPSec | <connectionname>, DPD: Connection was scheduled to be rekeyed because peer was unreachable and connection was reinitiated |
| IPSec | <connectionname>, XAUTH: Sending username/password request |
| IPSec | <connectionname>, XAUTH: User <user> attempting to login |
| IPSec | <connectionname>, XAUTH: User <user> authenticated successfully |
| IPSec | <connectionname>, XAUTH: User <user> failed to authenticate because <reason> |
| IPSec | <connectionname>, XAUTH: received MODECFG message when in state <STATE NAME>, and Appliance is not XAUTH client |
| IPSec | <connectionname>, XAUTH: Username/password requested but connection configured as XAUTH client cannot be rekeyed. Turn off rekey for the connection |
| IPSec | <connectionname>, XAUTH: XAUTH: Answering XAUTH challenge with user <user> |
| IPSec | <connectionname>, XAUTH: Successfully authenticated. Appliance is XAUTH Client |
| IPSec | Failed to send IPSec tunnel UP/Down notification mail |
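Most of the IPSec rows above share one shape, "<connectionname>, <stage>: <text>", and the EST-P1, EST-P2, DPD and XAUTH texts already name the likely cause (ID mismatch, proposal mismatch, pre-shared key mismatch, NAT in the path, dead peer, credential failure). That makes them easy to turn into a first-pass classifier for tunnel outages and into a repeated-XAUTH-failure signal for remote-access brute forcing. The following is an added example written for this page, not code from the Sophos guide; the regular expressions are written against the message templates in the IPSec tables above, while the connection names, addresses and user names in SAMPLES are constructed.

```python
"""Classify Sophos XG IPSec event messages by likely root cause.

Added example for this page; it is not code from the Sophos guide. The
regular expressions are written against the IPSec message templates in
the tables above (EST-P1, EST-P2, DPD, XAUTH and SA-MGT rows); the
messages in SAMPLES are constructed by filling those templates with
made-up connection names, addresses and user names.
"""
import re
from collections import Counter

# Every IPSec row above has the shape "<connectionname>, <stage>: <text>".
# Longer stage names come first so "EST-P1-MM" is not cut down to "EST-P1".
MSG_RE = re.compile(
    r"^(?P<conn>[^,]+), "
    r"(?P<stage>EST-P1-MM|EST-P1-AM|EST-P1|EST-P2|NAT-T|SA-MGT|DPD|XAUTH): "
    r"(?P<text>.*)$"
)

# (pattern over the text part, category, what to check). First hit wins, so
# the specific MAIN_I1/MAIN_I3 patterns sit before anything more generic.
RULES = [
    (r"Phase-1 ID mismatch", "id_mismatch",
     "local/remote IKE IDs differ between the peers"),
    (r"did not accept any proposal", "proposal_mismatch",
     "Phase-1 encryption/hash/DH group proposals do not overlap"),
    (r"reached STATE_MAIN_I1", "no_ike_response",
     "peer unreachable or UDP/500 filtered: no reply to the first IKE message"),
    (r"reached STATE_MAIN_I3", "auth_or_nat_failure",
     "pre-shared key mismatch, or a NAT device between the peers"),
    (r"Malformed payload", "psk_mismatch",
     "pre-shared secrets differ between the peers"),
    (r"peer proposed not to use PFS", "pfs_mismatch",
     "PFS is required locally but not offered by the peer"),
    (r"Peer was unreachable and was marked as dead", "peer_dead",
     "DPD timed out: peer down or path lost"),
    (r"User (?P<user>\S+) failed to authenticate because (?P<reason>.*)",
     "xauth_failure", "remote-access credential failure"),
    (r"User (?P<user>\S+) authenticated successfully", "xauth_success", ""),
    (r"SA has expired\. Connection is configured not to re-key", "no_rekey",
     "tunnel will stay down until re-initiated"),
    (r"SA initiated by (?:peer|System) is established", "established", ""),
]


def classify(message: str) -> dict:
    """Split the message into connection, stage and text, then apply RULES."""
    m = MSG_RE.match(message)
    conn, stage, text = (m["conn"], m["stage"], m["text"]) if m else (None, None, message)
    rec = {"conn": conn, "stage": stage, "category": "other", "check": "", "text": text}
    for pattern, category, check in RULES:
        hit = re.search(pattern, text)
        if hit:
            rec.update(category=category, check=check, **hit.groupdict())
            break
    return rec


def classify_all(messages):
    return [classify(m) for m in messages]


def xauth_failures_over(records, threshold: int) -> dict:
    """Users with at least `threshold` XAUTH failures: a crude brute-force signal."""
    counts = Counter(r["user"] for r in records if r["category"] == "xauth_failure")
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample messages built from the templates above.
SAMPLES = [
    "HQ-to-Branch, EST-P1: Phase-1 ID mismatch. Configured peer id is 203.0.113.10 "
    "and received peer id is branch.example. System is initiator. Verify ID "
    "configuration at both the ends is in sync.",
    "HQ-to-Branch, EST-P1: max number of retransmissions 5 reached STATE_MAIN_I3. "
    "Possible authentication failure or NAT device in between: no acceptable "
    "response to first encrypted message",
    "HQ-to-Branch, EST-P1: Malformed payload in packet. probable authentication "
    "failure (mismatch of preshared secrets). Verify pre-shared secrets are same "
    "at both the ends.",
    "HQ-to-Branch, EST-P2: System require Perfect Forward Secrecy(PFS) but peer "
    "proposed not to use PFS",
    "HQ-to-Branch, DPD: Peer was unreachable and was marked as dead for this connection",
    "RemoteAccess, XAUTH: User alice failed to authenticate because wrong password",
    "RemoteAccess, XAUTH: User alice failed to authenticate because wrong password",
    "RemoteAccess, XAUTH: User alice failed to authenticate because wrong password",
    "RemoteAccess, XAUTH: User bob failed to authenticate because wrong password",
    "RemoteAccess, XAUTH: User alice authenticated successfully",
    "HQ-to-Branch, SA-MGT: Phase 1 SA has expired. Connection is configured not to re-key",
    "HQ-to-Branch, EST-P1-MM: Phase-1 SA initiated by peer is established",
]

if __name__ == "__main__":
    recs = classify_all(SAMPLES)
    for r in recs:
        print(f"{r['conn']:<14}{r['stage']:<10}{r['category']:<20}{r['check']}")
    print("repeated XAUTH failures:", xauth_failures_over(recs, 3))
```

The STATE_MAIN_I3 and Malformed-payload rows are kept as separate categories on purpose: the guide's text for the former leaves NAT as an alternative explanation, so only the latter should be treated as a confirmed pre-shared-key mismatch. Messages without the "<connectionname>, <stage>:" prefix (the failover group rows) fall through with conn and stage set to None.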

Appendix A - Logs, page 541

This page lists the message IDs 17906-17919, 17925-17930, 17935, 17938, 17940 and 17953-17958 (29 IDs for 29 rows). The extracted page no longer shows which ID belongs to which row, so the IDs are given only as that set and the messages follow in table order, grouped by component.

| Log Component | Message |
|---|---|
| IPSec | IPSec tunnel UP/Down notification mail sent successfully |
| Landing Page | Landing page accepted |
| Landing Page | Landing page declined |
| WLAN | Rogue AP scan successfully completed |
| WLAN | Rogue AP scan failed |
| WLAN | System triggered Rogue AP Scan was initiated |
| CCC | Failed to send heartbeat from appliance to CCC (reserved for use with CCC, no log is generated) |
| CCC | heartbeat sent from appliance to CCC (reserved for use with CCC, no log is generated) |
| CCC | Failed to send keep-alive from appliance to CCC (reserved for use with CCC, no log is generated) |
| CCC | keep-alive sent from appliance to CCC (reserved for use with CCC, no log is generated) |
| Appliance Access | System blocked administrator account for login because of too may wrong login attempts |
| Appliance Access | System unblocked administrator account |
| Appliance Access | System locked administrator's session |
| HTTPS | Unknown protocol traffic was denied |
| HTTPS | Invalid Certificate was blocked |
| Guest User | Guest user is added in system |
| Guest User | Access details SMS sent to the SMS gateway for delivery to guest user |
| Guest User | One or more Guest user expired and auto-purged successfully |
| Guest User | One or more Guest user expired and auto-purged failed |
| Guest User | One or more Guest user expired and auto-purge partially failed |
| Guest User | Failed to send Access details SMS |
| Virtual Host | Mapped Server <server_ipaddress> is UP/Mapped Server <server_ipaddress> is DOWN |
| CTA | CTA started with active collectors |
| PPPoE | <interface name>: PADO packet timeout no response from server. |
| PPPoE | <interface name>: Terminating Session, Reattempting in <seconds> Sec. |
| PPPoE | <interface name>: Discovery process completed |
| PPPoE | <interface name>: LCP link established |
| PPPoE | <interface name>: ISP not supporting LCP |
| PPPoE | <interface name>: Authentication successful |

Appendix A - Logs, page 542

This page lists the message IDs 17959-17967, 17969 and 17972-17988 (27 IDs for 27 rows). The extracted page no longer shows which ID belongs to which row, so the IDs are given only as that set and the messages follow in table order, grouped by component.

| Log Component | Message |
|---|---|
| PPPoE | <interface name>: Authentication Fail. Please check username and password |
| PPPoE | <interface name>: Set interface IP < local IP> |
| PPPoE | <interface name>: Set gateway IP < remote IP> |
| PPPoE | <interface name>: Set Primary DNS < DNS IP if enable> |
| PPPoE | <interface name>: Set Aux DNS < DNS IP> |
| PPPoE | <interface name>: PPPoE Link Up |
| PPPoE | <interface name>: PPPoE Link Down |
| PPPoE | <interface name>: Disconnect PPPoE due to LCP timeout |
| PPPoE | <interface name>: Disconnect PPPoE due to Idle timeout |
| PPPoE | <interface name>: Reconnected on schedule event. |
| PPTP | LCP : Negotiation Opening for < Client IP > |
| PPTP | LCP : Link Established for < Client IP > |
| PPTP | < PAP/CHAP/MS-CHAPv2 > : Starting Authentication |
| PPTP | < PAP/CHAP/MS-CHAPv2 > : Authentication Successful for User < user name > |
| PPTP | < PAP/CHAP/MS-CHAPv2 > : Authentication Failed for User < user name > |
| PPTP | IPCP : IP allocated : < IP allocated >, IPCP : Set DNS : < Primary/secondary DNS Server >, IPCP : Set WINS : < Primary/secondary WINS Server > |
| PPTP | LCP : Disconnect due to LCP timeout |
| PPTP | STATS : Connect time : < connection time >, STATS : Sent < no. of bytes > bytes, received < no. of bytes > bytes |
| PPTP | IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP > |
| PPTP | IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP > |
| L2TP | LCP : Negotiation Opening for < Client IP > |
| L2TP | LCP : Link Established for < Client IP > |
| L2TP | < PAP/CHAP/MS-CHAP > : Starting Authentication |
| L2TP | < PAP/CHAP/MS-CHAP > : Authentication Successful for User < user name > |
| L2TP | < PAP/CHAP/MS-CHAP > : Authentication Failed for User < user name > |
| L2TP | IPCP : IP allocated : < IP allocated >, IPCP : Set DNS : < Primary/secondary DNS Server >, IPCP : Set WINS : < Primary/secondary WINS Server > |
| L2TP | LCP : Disconnect due to LCP timeout |

Appendix A - Logs, page 543

This page lists the message IDs 17989-17991, 17998-18008, 18014-18025 and 18032 (27 IDs, while 26 message rows survive on the extracted page). The extracted page no longer shows which ID belongs to which row, so the IDs are given only as that set and the messages follow in table order, grouped by component.

| Log Component | Message |
|---|---|
| L2TP | STATS : Connect time : < connection time >, STATS : Sent < no. of bytes > bytes, received < no. of bytes > bytes |
| L2TP | IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP > |
| L2TP | IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP > |
| System | Event new firmware detected for <type>: <version> |
| WC | [ <AP-ID>] unknown AP model encountered: <type>, dropping. |
| WC | [<AP-ID>] no firmware available for AP type '<type>', dropping. |
| WC | [ <AP-ID> ] device not authorized yet, dropping. |
| WC | [ <AP-ID> ] Corrupt payload. Device may have wrong key. Delete device to re-register it. |
| WC | [ <AP-ID>] sent firmware <firmware> to device, releasing connection. |
| WC | [ <AP-ID> ] failed to send <firmware> to device, dropping. |
| WC | [MASTER] sending notification about offline AP <AP> |
| WC | Successfully sent config to AP [ <AP-ID> ]. |
| WC | Failed to send config to AP [ <AP-ID> ]. |
| RED | RED is connected |
| RED | RED in disconnected |
| RED | RED interim event |
| RED | Red devices: Disabled: 5 Enabled: 15 Connected: 12 Disconnected 3 |
| ATP | ATP Definitions upgraded from <old version> to <new version> |
| ATP | ATP Definitions upgrade failed |
| SSLVPN clients | SSLVPN clients upgraded from <old version> to <new version> |
| SSLVPN clients | SSLVPN clients upgrade failed |
| IPSEC clients | IPSEC clients upgraded from <old version> to <new version> |
| IPSEC clients | IPSEC clients upgrade failed |
| Authentication clients | Authentication clients upgraded from <old version> to <new version> |
| Authentication clients | Authentication clients upgrade failed |
| RED firmware | RED firmware upgraded from <old version> to <new version> |
