GBIC_SECURITY_CRYPT through HAL_GENMEM
GBIC_SECURITY_CRYPT
| %GBIC_SECURITY_CRYPT-4-UNRECOGNIZED_VENDOR : GBIC in port [dec] manufactured by an unrecognized vendor | |
|---|---|
| Explanation | The GBIC was identified as a Cisco GBIC, but the system was unable to match its manufacturer with one on the known list of Cisco GBIC vendors |
| Recommended Action | Check to see if the Cisco IOS software running on the system supports the GBIC. If the GBIC is newer, a system software upgrade might be required. |
| %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR : GBIC in port [dec] has bad crc | |
|---|---|
| Explanation | The GBIC was identified as a Cisco GBIC, but it does not have valid CRC in the EEPROM data. |
| Recommended Action | Check to see if the Cisco IOS software running on the system supports the GBIC. If the GBIC is newer, a system software upgrade might be required. Even if the GBIC is unrecognized by the system, the GBIC may still operate properly, but might have limited functionality. |
| %GBIC_SECURITY_CRYPT-4-ID_MISMATCH : Identification check failed for GBIC in port [dec] | |
|---|---|
| Explanation | The GBIC was identified as a Cisco GBIC, but the system was unable to verify its identity |
| Recommended Action | Check to see if the Cisco IOS software running on the system supports the GBIC. If the GBIC is newer, a system software upgrade might be required. Otherwise, verify that the GBIC was obatined from Cisco or from a supported vendor. |
GBIC_SECURITY_UNIQUE
| %GBIC_SECURITY_UNIQUE-4-DUPLICATE_SN : GBIC interface [dec]/[dec] has the same serial number as another GBIC interface | |
|---|---|
| Explanation | The GBIC was identified as a Cisco GBIC, but its serial number matches that of another interface on the system. |
| Recommended Action | Cisco GBICs are assigned unique serial numbers. Verify that the GBIC was obtained from Cisco or a supported vendor |
| %GBIC_SECURITY_UNIQUE-3-DUPLICATE_GBIC : GBIC interface [dec]/[dec] is a duplicate of GBIC interface [dec]/[dec] | |
|---|---|
| Explanation | The GBIC was identified as a Cisco GBIC, but its vendor ID and serial number match that of another interface on the system. |
| Recommended Action | Cisco GBICs are assigned unique serial numbers. Verify that the GBIC was obtained from Cisco or a supported vendor |
GDOI
| %GDOI-1-GDOI_ACL_NUM : The ACL has too many entries. GDOI will honor only the first 100 ACL entries specified. | |
|---|---|
| Explanation | The ACL has too many entries. GDOI will honor only the first 100 ACL entries specified. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-3-GDOI_ACL_RANGE : The ACL [chars] contains port range which is NOT supported. WARNING: No TEK policy will be created. | |
|---|---|
| Explanation | GDOI does not support port range in the ACL policy. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-1-GDOI_ACE_DENY : A Group Member ACL policy containing deny was attempted. This is not supported. | |
|---|---|
| Explanation | A Group Member ACL policy containing deny was attempted. This is not supported. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-1-UNREGISTERED_INTERFACE : Group [chars] received registration from unregistered interface. | |
|---|---|
| Explanation | Receiving registration from unregistered interface. Stop processing it. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-1-UNAUTHORIZED_IDENTITY : Group [chars] received registration from unauthorized identity: [chars] | |
|---|---|
| Explanation | The registration request was dropped because the requesting device was not authorized to join the group. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-1-UNAUTHORIZED_IPADDR : Group [chars] received registration from unauthorized ip address: [chars] | |
|---|---|
| Explanation | The registration request was dropped because the requesting device was not authorized to join the group. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-4-GM_RE_REGISTER : The IPSec SA created for group [chars] may have expired/been cleared, or didn't go through. Re-register to KS. | |
|---|---|
| Explanation | The IPSec SA created for one group may have expired/been cleared, or didn't go through, need to re-register to KS. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_REGS_COMPL : Registration to KS [chars] complete for group [chars] using address [chars] fvrf [chars] ivrf [chars] | |
|---|---|
| Explanation | Complete registration |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_FAILED_TO_INSTALL_POLICIES : FAILED: Installation of Reg/Rekey policies from KS [chars] for group [chars] & gm identity [chars] | |
|---|---|
| Explanation | Failed Policy installation |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_INSTALL_POLICIES_SUCCESS : SUCCESS: Installation of Reg/Rekey policies from KS [chars] for group [chars] & gm identity [chars] fvrf [chars] ivrf [chars] | |
|---|---|
| Explanation | Policy Installation Success |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_RECV_REKEY : Received Rekey for group [chars] from [chars] to [chars] with seq # [dec], spi [hex][hex] | |
|---|---|
| Explanation | Received Rekey |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-KS_SEND_MCAST_REKEY : Sending Multicast Rekey [chars]for group [chars] from address [chars] to [chars] with seq # [dec] spi: [hex][hex] | |
|---|---|
| Explanation | Sending Multicast Rekey |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-KS_SEND_UNICAST_REKEY : Sending Unicast Rekey [chars]for group [chars] from address [chars] with seq # [dec] spi: [hex][hex] | |
|---|---|
| Explanation | Sending Unicast Rekey |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-3-KS_BAD_ID : Registration: [chars] config mismatch between KS and the GM [IP_address], in the group [chars]. | |
|---|---|
| Explanation | During GDOI registration protocol, a configuration mismatch between local key server and group member. |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-3-GDOI_REKEY_FAILURE : Processing of REKEY payloads failed on GM [chars] in the group [chars], with peer at [chars] | |
|---|---|
| Explanation | During GDOI rekey the payload parsing failed on this GM from the Key Server. |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-3-GDOI_REKEY_SEQ_FAILURE : Failed to process rekey seq # [int] in seq payload for group [chars], last seq # [int] | |
|---|---|
| Explanation | During GDOI rekey the seq payload parsing failed on this GM from the Key Server. |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-4-KS_GM_REJECTS_SA_PAYLOAD : Registration: GM [IP_address] rejected a policy in the SA proposal sent by KS, in the group [chars]. | |
|---|---|
| Explanation | During GDOI registration protocol, a proposal sent by the key server was refused by the group member. |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-4-GM_REJECTING_SA_PAYLOAD : Registration: Policy in SA payload sent by KS [IP_address] rejected by GM in the group [chars] reason [chars]. | |
|---|---|
| Explanation | During GDOI registration protocol, a proposal sent by the key server was refused by the local group member. |
| Recommended Action | Contact the Key server's administrator. |
| %GDOI-4-KS_HASH_FAIL : Registration: Bad(No) Hash in Message sent by the GM [IP_address] to KS in the group [chars]. | |
|---|---|
| Explanation | During GDOI registration protocol, a message sent by the Group member has bad or no hash . |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-4-GM_HASH_FAIL : Registration: Bad(No) hash in message sent by the KS [IP_address] to GM in the group [chars]. | |
|---|---|
| Explanation | During GDOI registration protocol, a message sent by the Key server has bad or no hash . |
| Recommended Action | Contact the Key Server's administrator. |
| %GDOI-3-KS_UNAUTHORIZED : Registration: Unauthorized [IP_address] tried to join the group [chars]. | |
|---|---|
| Explanation | During GDOI registration protocol, an unauthorized member tried to join a group Some might consider this a hostile event. |
| Recommended Action | Contact the Key Server's administrator. |
| %GDOI-3-KS_GM_REVOKED : Re-Key: GM [IP_address] revoked by KS in the group [chars]. | |
|---|---|
| Explanation | During Re-key protocol, an unauthorized member tried to join a group. Some might consider this a hostile event. |
| Recommended Action | Contact the Key Server's administrator. |
| %GDOI-5-KS_GROUP_ADD : Config: KS [IP_address] added to the Group [chars]. | |
|---|---|
| Explanation | A Config command has been executed to add a Key Server in a group |
| Recommended Action | Informational message. |
| %GDOI-5-KS_GROUP_DELETE : Config: KS [IP_address] removed from the Group [chars]. | |
|---|---|
| Explanation | A Config command has been executed to remove a Key Server from a group |
| Recommended Action | Informational message. |
| %GDOI-6-KS_FIRST_GM : Re-key: First GM [IP_address] seen by KS in the group [chars]. | |
|---|---|
| Explanation | Local key server has received the first group member joining the group |
| Recommended Action | Informational message. |
| %GDOI-6-KS_LAST_GM : Re-key: Last GM [IP_address] left the group [chars]. | |
|---|---|
| Explanation | Last group member has left the group on the local key server |
| Recommended Action | Informational message. |
| %GDOI-5-GM_CM_ATTACH : Crypto map attached for GM in group [chars]. | |
|---|---|
| Explanation | A crypto map has been attached for the local group member. |
| Recommended Action | Informational message. |
| %GDOI-5-GM_CM_DETACH : Crypto map detached for GM in group [chars]. | |
|---|---|
| Explanation | A crypto map has been detached for the local group member. |
| Recommended Action | Informational message. |
| %GDOI-5-GM_UNREGISTER : GM left the group [chars]. | |
|---|---|
| Explanation | A Group member has left the group. |
| Recommended Action | Informational message. |
| %GDOI-4-GM_RECV_POLICY_REPLACE_NOW : GM received policy replace now rekey from KS in group [chars]. | |
|---|---|
| Explanation | A messages sent by the KS to immediately replace SAs policies on the GM has been received. |
| Recommended Action | Informational message. |
| %GDOI-4-GM_RECV_DELETE_IMMEDIATE : GM receive REMOVAL-NOW in group [chars] to cleanup downloaded policy now. Re-registration will start in a randomly chosen period of [dec] sec | |
|---|---|
| Explanation | A messages sent by the KS to delete the GM has been received. |
| Recommended Action | Informational message. |
| %GDOI-4-GM_RECV_RE_AUTH : GM received Re-auth-msg from KS in group [chars]. re-registration will start before SA expiry | |
|---|---|
| Explanation | A message sent by the KS to have a GM re-auth has been received. |
| Recommended Action | Informational message. |
| %GDOI-4-GM_RECV_DELETE : GM received delete-msg from KS in group [chars]. TEKs lifetime are reduced and re-registration will start before SA expiry | |
|---|---|
| Explanation | A messages sent by the KS to delete the GM has been received. |
| Recommended Action | Informational message. |
| %GDOI-5-GM_CLEAR_REGISTER : Config: GM cleared gdoi configuration for the group [chars]. | |
|---|---|
| Explanation | clear crypto gdoi command has been executed by the local GM |
| Recommended Action | Informational message. |
| %GDOI-5-KS_CLEAR_REGISTER : Config: KS cleared gdoi configuration for the group [chars]. | |
|---|---|
| Explanation | clear crypto gdoi command has been executed by the local KS |
| Recommended Action | Informational message. |
| %GDOI-3-COOP_KS_UNREACH : Cooperative KS [chars] Unreachable in group [chars]. IKE SA Status = [chars] | |
|---|---|
| Explanation | The reachability between the configugred cooperative key servers is lost. Some might consider this a hostile event. |
| Recommended Action | Contach the Administrator(s) of the configured key servers. |
| %GDOI-5-COOP_KS_REACH : Reachability restored with Cooperative KS [chars] in group [chars]. | |
|---|---|
| Explanation | The reachability between the configugred cooperative key servers is restored. |
| Recommended Action | Informational message |
| %GDOI-5-COOP_KS_ADD : [chars] added as COOP Key Server in group [chars]. | |
|---|---|
| Explanation | A key server has been added to the list of cooperative key servers in a group |
| Recommended Action | Informational message |
| %GDOI-5-COOP_KS_REMOVE : [chars] removed as COOP Key Server in group [chars]. | |
|---|---|
| Explanation | A key server has been removed from the list of cooperative key servers in a group |
| Recommended Action | Informational message |
| %GDOI-4-COOP_KS_UNAUTH : Contact from unauthorized KS [chars] in group [chars] at local address [chars] (Possible MISCONFIG of peer/local address) | |
|---|---|
| Explanation | An unauthorized remote server tried to contact the local KS may be at different key server address in a group. Some might consider this a hostile event. |
| Recommended Action | Informational message |
| %GDOI-5-COOP_KS_ELECTION : KS entering election mode in group [chars] (Previous Primary = [chars]) | |
|---|---|
| Explanation | The local Key server has entered the election process in a group |
| Recommended Action | Informational message |
| %GDOI-5-COOP_KS_TRANS_TO_PRI : KS [chars] in group [chars] transitioned to Primary (Previous Primary = [chars]) | |
|---|---|
| Explanation | The local Key server transitioned to a primary role from being a secondary server in a group |
| Recommended Action | Informational message |
| %GDOI-5-COOP_KS_ADMN_USRP_PRI : Primary role Usurped by KS [chars] in group [chars]. | |
|---|---|
| Explanation | A network adminstrator has made the local KS as primary, by means of a CLI command. Currently Unimplemented. |
| Recommended Action | Informational message |
| %GDOI-5-GM_REKEY_TRANS_2_MULTI : Group [chars] transitioned to multicast rekey. | |
|---|---|
| Explanation | GM has transitioned from using unicast rekey mechanism to multicast mechanism |
| Recommended Action | Informational message |
| %GDOI-5-KS_REKEY_TRANS_2_MULTI : Group [chars] transitioned to multicast rekey. | |
|---|---|
| Explanation | Group has transitioned from using unicast rekey mechanism to multicast mechanism |
| Recommended Action | Informational message |
| %GDOI-5-GM_REKEY_TRANS_2_UNI : Group [chars] transitioned to Unicast Rekey. | |
|---|---|
| Explanation | GM has transitioned from using multicast rekey mechanism to unicast mechanism |
| Recommended Action | Informational message |
| %GDOI-5-KS_REKEY_TRANS_2_UNI : Group [chars] transitioned to Unicast Rekey. | |
|---|---|
| Explanation | Group has transitioned from using multicast rekey mechanism to unicast mechanism |
| Recommended Action | Informational message |
| %GDOI-4-GM_REKEY_NOT_RECD : GM did not receive rekey from KS [IP_address] in group [chars]. | |
|---|---|
| Explanation | GM has not received a rekey message from a key server in a group Currently Unimplemented. |
| Recommended Action | Informational message |
| %GDOI-5-KS_NACK_GM_EJECT : KS ejected GM [IP_address] in group [chars]. | |
|---|---|
| Explanation | Key server has reached a condition of not receiving an ACK from GM and has been ejected |
| Recommended Action | Informational message |
| %GDOI-3-KS_BLACKHOLE_ACK : KS blackholing GM [IP_address] in group [chars]. | |
|---|---|
| Explanation | Key server has reached a condition of blackholing messages from GM Some might consider this a hostile event. |
| Recommended Action | |
| %GDOI-4-KS_UNSOL_ACK : KS received unsolicited ACK from GM [IP_address] in group [chars]. | |
|---|---|
| Explanation | Key server has received an unsolicited ACK from a past GM or is under a DOS attack. Some might consider this a hostile event. |
| Recommended Action | |
| %GDOI-5-KS_REGS_COMPL : KS completed successful registration in group [chars] with GM [IP_address]. | |
|---|---|
| Explanation | Key server has successfully completed a registration in a group |
| Recommended Action | |
| %GDOI-5-GM_ENABLE_GDOI_CM : GM has enabled ACL on GDOI crypto map in group [chars]. | |
|---|---|
| Explanation | Group member has enabled ACL on a GDOI Crypto map in a group with a key server |
| Recommended Action | |
| %GDOI-5-GM_ACL_MERGE : ACL betweem KS and GM in group [chars] merged. | |
|---|---|
| Explanation | The ACL differences between GM and KS are resolved and a merge took place |
| Recommended Action | |
| %GDOI-5-GM_SA_INGRESS : Receive only ACL received from KS [IP_address] in group [chars]. | |
|---|---|
| Explanation | Received only acl has been received by GM from a KS in a group |
| Recommended Action | |
| %GDOI-5-KS_CONV_SAS_DUPLEX : IPSec SAs converted to Duplex in group [chars]. | |
|---|---|
| Explanation | IPSec SAs have been converted to bidirectional mode in a group |
| Recommended Action | |
| %GDOI-5-KS_CONV_SAS_INGRESS : IPSec SAs converted to Ingress in group [chars]. | |
|---|---|
| Explanation | IPSec SAs have been converted to receive only mode in a group |
| Recommended Action | |
| %GDOI-5-GM_CONV_SA_DUPLEX : IPSec SAs converted to Duplex in group [chars] on the GM. | |
|---|---|
| Explanation | IPSec SAs have been converted to bidirectional mode in a group on a GM |
| Recommended Action | |
| %GDOI-5-GM_CONV_SA_DUPLEX_LOCAL : IPSec SAs converted to Duplex in group [chars] on a GM by a local event. | |
|---|---|
| Explanation | IPSec SAs have been converted to bidirectional mode in a group on a GM by a CLI command |
| Recommended Action | |
| %GDOI-5-LKH_ENABLE : LKH enabled in group [chars]. | |
|---|---|
| Explanation | LKH has been enabled in a group |
| Recommended Action | |
| %GDOI-5-LKH_DISABLE : LKH disabled in group [chars]. | |
|---|---|
| Explanation | LKH has been disabled in a group |
| Recommended Action | |
| %GDOI-4-LKH_GM_DELETE : GM [IP_address] deleted from LKH in group [chars]. | |
|---|---|
| Explanation | A Group member has been deleted in a group from LKH |
| Recommended Action | |
| %GDOI-4-TIMEBASED_REPLAY_FAILED : An anti replay check has failed in group [chars]: my_pseudotime = [chars], peer_pseudotime = [chars], replay_window = [dec] (sec), src_ip = [IP_address], dst_ip = [IP_address] | |
|---|---|
| Explanation | A Group member or Key server has failed an anti replay check. |
| Recommended Action | |
| %GDOI-3-PIP_PSEUDO_TIME_ERROR : An Anti-Replay check has failed for PIP in group [chars]: my_pseudotime = [chars], peer_pseudotime = [chars], replay_window = %lld (sec), src_addr = [chars], dst_addr = [chars] | |
|---|---|
| Explanation | A Group member has failed PIP anti replay check. |
| Recommended Action | |
| %GDOI-3-P2P_KGS_INFRA_ERROR : PIP session with [chars] failed because of KGS Infra failure. Reason = [chars] | |
|---|---|
| Explanation | A Group Member has encountered a KGS Infra failure. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-4-TIMEBASED_REPLAY_FAILED_IPV6 : An anti replay check has failed in group [chars]: my_pseudotime = [chars], peer_pseudotime = [chars], replay_window = [dec] (sec), src_ip = [IPV6 address], dst_ip = [IPV6 address] | |
|---|---|
| Explanation | A Group member or Key server has failed an anti replay check. |
| Recommended Action | |
| %GDOI-3-GM_FAILED_TO_INITIALISE : GDOI GM Process has failed to initialise | |
|---|---|
| Explanation | GDOI Group Member process has failed to initialise on this Network Element |
| Recommended Action | |
| %GDOI-3-PSEUDO_TIME_LARGE : Pseudotime difference between KS ([dec] sec) and GM ([dec] sec) is larger than expected in group [chars]. Adjust to new PST | |
|---|---|
| Explanation | A Group member has received pseudotime which has large difference as compared to own pseudotime |
| Recommended Action | |
| %GDOI-3-PSEUDO_TIME_TOO_OLD : Rekey received in group [chars] is too old and fail PST check: my_pst is [dec] sec, peer_pst is [dec] sec, allowable_skew is [dec] sec | |
|---|---|
| Explanation | A Group member has received pseudotime which has large difference as compared to own pseudotime |
| Recommended Action | |
| %GDOI-3-GM_INCOMPLETE_CFG : Registration: incomplete config for group [chars] | |
|---|---|
| Explanation | Registration can not be completed since the GDOI group configuration may be missing the group id, server id, or both |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-1-KS_NO_RSA_KEYS : RSA Key - [chars] : Not found, Required for group [chars] | |
|---|---|
| Explanation | Rsa Keys were not found in Key Server and they are required for signing and verifying rekey messages |
| Recommended Action | Contact the Key Server's administrator and ask him to do create the RSA Key pair |
| %GDOI-4-RSA_KEYS_MODIFIED : WARNING: GMs for group [chars] will re-register due to signature verification failure | |
|---|---|
| Explanation | Rekeys will be dropped by GM as signature verification would fail due to modification of RSA Keys |
| Recommended Action | Informational message |
| %GDOI-3-KS_REKEY_AUTH_KEY_LENGTH_INSUFFICIENT : Rejected [chars] change: using sig-hash algorithm [chars] requires an authentication key length of at least [int] bits ([int] blocks in bytes) - [chars] [chars] key [chars] is only [int] blocks in bytes | |
|---|---|
| Explanation | Using a sig-hash algorithm for rekeys requires that the RSA key modulus length for the rekey authentication be at least the length of the hash generated by the sig-hash algorithm plus some padding bytes. If the RSA key modulus length is not large enough, the Key Server administrator needs to generate a new RSA key pair wit a sufficient length. |
| Recommended Action | Contact the Key Server's administrator to re-generate the RSA key pair with at least the modulus length given in the syslog. |
| %GDOI-3-COOP_CONFIG_MISMATCH : WARNING: Group [chars], [chars] configuration between Primary KS and Secondary KS are mismatched | |
|---|---|
| Explanation | The configuration between Primary KS and Secondary KS are mismatched |
| Recommended Action | Contact the Key Sever's administrator |
| %GDOI-3-GM_ACL_PERMIT : GM doesn't support permit configured under local access-list. Traffic from [chars] to [chars] will be dropped. | |
|---|---|
| Explanation | GM can only support ACL for deny. Any traffic matching the permit entry will be dropped. |
| Recommended Action | Remove the permit entry from the ACL used by GDOI crypto map |
| %GDOI-3-GM_NO_IPSEC_FLOWS : IPSec FLOW limit possibly reached | |
|---|---|
| Explanation | Hardware Limitation for IPSec Flow limit Reached. Cannot create any more IPSec SAs |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-3-GM_NO_CRYPTO_ENGINE : No crypto engine is found due to lack of resource or unsupported feature requested | |
|---|---|
| Explanation | Failed to select a suitable crypto engine because requested packet path not available, or requested feature not supported |
| Recommended Action | Check policy configured on KS |
| %GDOI-3-COOP_PACKET_DROPPED : Announcement message dropped due to packet size [dec] bytes. | |
|---|---|
| Explanation | Hard limit set on the driver buffer size prevents sending packets of this size or bigger |
| Recommended Action | Informational message |
| %GDOI-3-UNEXPECTED_SIGKEY : Unexpected Signature Key detected: freeing it | |
|---|---|
| Explanation | Unexpected Signature Key found: freeing the signature key |
| Recommended Action | Informational message |
| %GDOI-3-UNSUPPORTED_TEK_PROTO : Unexpected TEK Protocol : [dec] | |
|---|---|
| Explanation | Unexpected TEK PROTOCOL |
| Recommended Action | Informational message |
| %GDOI-4-GM_DELETE : GM [chars] deleted from group [chars]. | |
|---|---|
| Explanation | A group member has been deleted in a group from Key Server |
| Recommended Action | Informational message |
| %GDOI-5-KS_USING_DEFAULT_TRANSFORM : GETVPN is using default transforms for profile [chars] | |
|---|---|
| Explanation | Using default transformset |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_REKEY_CIPHER_HASH_CHECK_FAIL : Rekey cipher/hash ([chars]) used in Group [chars] is unacceptable by this client. | |
|---|---|
| Explanation | The key-server has chosen KEK rekey cipher/hash algorithms which are not acceptable by this group-member |
| Recommended Action | Contact the Key server's administrator. |
| %GDOI-5-GM_REKEY_TRANSFORMSET_CHECK_FAIL : The transformset ([chars]) for data-protection in Group [chars] is unacceptable by this client. | |
|---|---|
| Explanation | The key-server has chosen a TEK transformset which is not acceptable by this group-member |
| Recommended Action | Contact the Key server's administrator. |
| %GDOI-3-COOP_ANN_SEQ_FAILURE : COOP Ann msg seq check failed for group [chars], ann seq# [int], sess seq# [int] | |
|---|---|
| Explanation | COOP Ann msg seq check failed |
| Recommended Action | Contact Administrator |
| %GDOI-4-GDOI_ANN_TIMESTAMP_TOO_OLD : COOP_KS ANN from KS [chars] in group [chars] is too old and fail PST check: my_pst is [int] sec, peer_pst is [int] sec, allowable_skew is [dec] sec | |
|---|---|
| Explanation | The KS has received an ANN msg from a primary KS in which the timestamp is too old |
| Recommended Action | |
| %GDOI-4-GDOI_ANN_TIMESTAMP_LARGE : COOP_KS ANN received from KS [chars] in group [chars] has PST bigger than myself. Adjust to new PST: my_old_pst is [int] sec, peer_pst is [int] sec | |
|---|---|
| Explanation | The KS receive an ANN from a KS in which the timestamp is bigger than expected; also update my PST to peer's |
| Recommended Action | |
| %GDOI-4-GDOI_ANN_TIMESTAMP_LARGE_NO_UPDATE : COOP_KS ANN received from KS [chars] in group [chars] has PST bigger than myself: my_pst is [int] sec, peer_pst is [int] sec | |
|---|---|
| Explanation | The KS receive an ANN from a KS in which the timestamp is bigger than expected; No update of my PST |
| Recommended Action | |
| %GDOI-4-GDOI_ANN_INCONSISTENT_TBAR : COOP_KS ANN received from [chars] in group [chars] has inconsistent TBAR setting inconsistent than mine | |
|---|---|
| Explanation | The KS has received an ANN msg from a secondary KS in which the timestamp is too old |
| Recommended Action | |
| %GDOI-5-COOP_KS_VALID_ANN_TIMER_EXPIRED : This sec-KS has NOT received an ANN with valid PST for an extended period in group [chars]. It will block new GMs registration temporarily until a valid ANN is received | |
|---|---|
| Explanation | No valid ANN message has been received in this secondary KS for a prolong period. Temporarily blocking new GM registrations until a valid ANN is received |
| Recommended Action | Informational message |
| %GDOI-5-COOP_KS_BLOCK_NEW_GM_REGISTER_ANN : This KS temporarily blocks GM with ip-addr [chars] from registering in group [chars] as it has not received an ANN with valid PST for prolonged period | |
|---|---|
| Explanation | No valid ANN message has been received in this secondary KS for a prolong period. Temporarily blocking new GM registrations until a valid ANN is received |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-COOP_KS_BLOCK_NEW_GM_REGISTER_ELECTION : This KS temporarily blocks GM with ip-addr [chars] from registering in group [chars] as the KS election is underway | |
|---|---|
| Explanation | The KS is in the process of electing a primary. Temporarily blocking new GM registrations until the election is complete |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-COOP_KS_BLOCK_NEW_GM_REGISTER_KSSID : This KS is blocking GM with ip-addr [chars] from registering in group [chars] as it has overlapping KS Sender Identifier(s) (KSSID) with another COOP-KS peer (MISCONFIG) | |
|---|---|
| Explanation | Another COOP-KS peer in the group has been configured with a KSSID value that is the same as one configured on this KS. GM registration is blocked as a result until the overlap is fixed. |
| Recommended Action | Check the configured KSSID(s) for all COOP-KS peers by issuing 'show crypto gdoi ks coop ident detail' on the primary KS |
| %GDOI-5-COOP_KS_RESUME_NEW_GM_REGISTER : This KS will now resume new GM registration functionality in group [chars] | |
|---|---|
| Explanation | This KS will now resume new GM registration functionality |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-SA_KEK_UPDATED : SA KEK was updated [hex][hex][hex][hex] | |
|---|---|
| Explanation | KEK was updated in the Registration/Rekey and a new KEK SA was created |
| Recommended Action | Informational message. |
| %GDOI-5-SA_PIP_UPDATED : SA PIP was updated 0x[chars] | |
|---|---|
| Explanation | PIP was updated in Registration/Rekey and a new PIP SA was created |
| Recommended Action | Informational message. |
| %GDOI-3-SA_KEK_INSATALL_FAILED : Failed to install KEK SA | |
|---|---|
| Explanation | KEK SA instalation has failed |
| Recommended Action | Informational message. |
| %GDOI-3-P2P_PEER_MIGRATE_FAILED : Failed to install P2P rekey SA with peer [chars] in group [chars] | |
|---|---|
| Explanation | Installation of P2P Rekey SA with an existing peer has failed |
| Recommended Action | Check the status of all peers using the command 'show crypto gdoi gm p2p peers' and wait for PIP initiation between the failed peers. Traffic distruption may occur. |
| %GDOI-5-SA_TEK_UPDATED : SA TEK was updated | |
|---|---|
| Explanation | TEK was updated in the Registration/Rekey and a new TEK IPSEC SA was created |
| Recommended Action | Informational message. |
| %GDOI-4-GM_MINOR_VERSION_MISMATCH : GM [IP_address] Minor Version mismatch. Use 'show crypto gdoi ks members' to see GM versions | |
|---|---|
| Explanation | GM has different minor version. |
| Recommended Action | show crypto gdoi ks members |
| %GDOI-3-GM_MAJOR_VERSION_MISMATCH : GM [IP_address] registration rejected due to major version mismatch. GM must be using major version [dec] in order to be compatible with this KS | |
|---|---|
| Explanation | GM has a non-compatible major version. |
| Recommended Action | Check GDOI version compatibility on KS and GMs |
| %GDOI-4-KS_MINOR_VERSION_MISMATCH : COOP-KS Minor Version mistmatch in group [chars]. My version is [dec].[dec].[dec], peer [chars] has version [dec].[dec].[dec] | |
|---|---|
| Explanation | Coop KS has different minor version. |
| Recommended Action | show crypto gdoi ks coop |
| %GDOI-3-KS_MAJOR_VERSION_MISMATCH : COOP-KS Major Version mismatch in group [chars]. My version is [dec].[dec].[dec], peer [chars] has version [dec].[dec].[dec] | |
|---|---|
| Explanation | COOP-KS has a non-compatible major version. |
| Recommended Action | Check GDOI version compatibility on KS |
| %GDOI-2-COOP_MINOR_VERSION_MISMATCH : COOP-KS Minor version mistmatch in group [chars]. My COOP version is [dec].[dec].[dec], peer [chars] has version [dec].[dec].[dec]. Upgrade [chars] [chars] to COOP version [dec].[dec].[dec] to prevent COOP outage. | |
|---|---|
| Explanation | Coop KS has different minor version. |
| Recommended Action | show crypto gdoi ks coop |
| %GDOI-3-COOP_MAJOR_VERSION_MISMATCH : COOP-KS Major Version mismatch in group [chars]. My version is [dec].[dec].[dec], peer [chars] has version [dec].[dec].[dec] | |
|---|---|
| Explanation | COOP-KS has a non-compatible major version. |
| Recommended Action | Check COOP version compatibility on KS |
| %GDOI-3-COOP_LIMIT_REACHED : Peer [chars] has reached COOP limit of maximum number of gms. COOP GM database sync fails. Upgrade to COOP version [dec].[dec].[dec] and above | |
|---|---|
| Explanation | COOP-KS has a non-compatible peer. |
| Recommended Action | Check COOP version compatibility on peer KS |
| %GDOI-5-POLICY_CHANGE : GDOI group [chars] policy has changed. Use 'crypto gdoi ks rekey' to send a rekey, or the changes will be send in the next scheduled rekey | |
|---|---|
| Explanation | Reminder message that GDOI configuration has changed. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-ESON_POLICY_CHANGE_RESTART1 : ESON group [chars] policy has changed. Must use 'clear crypto gdoi ks members now' to restart the group | |
|---|---|
| Explanation | Reminder message that ESON configuration has changed. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-ESON_POLICY_CHANGE_RESTART2 : ESON group [chars] policy has changed. Must use 'crypto gdoi ks replace now' to restart the group | |
|---|---|
| Explanation | Reminder message that ESON configuration has changed. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_DELETE_EXPIRED_KEK : KEK expired for group [chars] and was deleted | |
|---|---|
| Explanation | Deleting Expired KEK |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_DELETE_EXPIRED_PIP : PIP with SPI 0x[chars] expired for group [chars] and was deleted | |
|---|---|
| Explanation | Deleting Expired PIP |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_DELETE_EXPIRED_P2P : P2P SA with epoch hash 0x[chars] expired for group [chars] and was deleted | |
|---|---|
| Explanation | Deleting Expired P2P |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-POLICY_CHANGE_TO_SUITEB : Group [chars] changed to Suite-B policy. Use 'crypto gdoi ks rekey' to generate the new Suite-B policy and cause all GMs to re-register to download SIDs, or this will happen in the next scheduled rekey | |
|---|---|
| Explanation | Migrating from non-Suite-B to Suite-B policy requires that the user issues 'crypto gdoi ks rekey' like any other POLICY_CHANGE, but this will cause a re-initialization rather than just a rekey. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-KS_REINIT_GROUP : [chars] for group [chars] and will re-initialize the group. | |
|---|---|
| Explanation | KS has reached one of the following conditions (indicated by the first part of the message) requiring re-initialization of the group: - Group Size configuration changed - Previously used KSSID removed from configured KSSID set - KS runs out of KSSIDs & GMSIDs - COOP SID client gets a re-initialization indication from COOP-KS - KSSID overlap detected by COOP is resolved - TEK policy is changed from non-CTR to CTR (SIDs required). |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-KS_REINIT_FINISH : Re-initialization of group [chars] completed. | |
|---|---|
| Explanation | A previously triggered re-initialization, as signified by a %GDOI-5-KS_REINIT_GROUP syslog, has completed after the expiry of the old TEK. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-3-KS_NO_SID_AVAILABLE : GMs for group [chars] need SIDs but this KS has no KS SIDs configured or no more SIDs available. | |
|---|---|
| Explanation | This KS has a counter-mode transform configured requiring SIDs and either has no KSSIDs configured or has run out of SIDs. Registering GMs will not be able to register successfully until more KSSIDs are configured on this KS. |
| Recommended Action | Check the configured KSSID(s) for this KS by issuing 'show crypto gdoi ks ident detail' and consider configuring more KSSIDs using the 'identifier' sub-mode under 'server local'. |
| %GDOI-3-COOP_KSSID_OVERLAP : Overlapping KS Sender Identifier(s) (KSSID) {[chars]} with COOP-KS peer [chars] in group [chars] blocking GM registration (MISCONFIG) | |
|---|---|
| Explanation | Another COOP-KS peer in the group has been configured with a KSSID value that is the same as one configured on this KS. GM registration is blocked as a result until the overlap is fixed. |
| Recommended Action | Check the configured KSSID(s) for all COOP-KS peers by issuing 'show crypto gdoi ks coop ident detail' on the primary KS |
| %GDOI-5-COOP_KSSID_OVERLAP_RESOLVED : Resolved overlapping KS Sender Identifier(s) (KSSID) with COOP-KS peer allowing GM registrations once again | |
|---|---|
| Explanation | Another COOP-KS peer in the group had been configured with a KSSID value that was the same as one configured on this KS, but has been resolved so that GM registration is allowed again. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_IV_EXHAUSTED : GM for group [chars] exhausted its IV space for interface [chars] and will re-register. | |
|---|---|
| Explanation | One of the interfaces where a CTR transform (e.g. GCM-AES / GMAC-AES) has been installed as TEK policy with SIDs has exhausted its IV space & must re-register to receive new SIDs. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_REKEY_IPV4_POLICY_CHECK_FAIL : Non-IPv4 policies is received in IPv4 Group [chars]; rekey is rejected | |
|---|---|
| Explanation | This GM is registering to an IPv4 group but erroneously receiving IPv6 policies in rekey |
| Recommended Action | Contact the Key server's administrator. |
| %GDOI-5-GM_REKEY_IPV6_POLICY_CHECK_FAIL : Non-IPv6 policies is received in IPv6 Group [chars]; rekey is rejected | |
|---|---|
| Explanation | This GM is registering to an IPv6 group but erroneously receiving IPv4 policies in rekey |
| Recommended Action | Contact the Key server's administrator. |
| %GDOI-4-UNKNOWN_GM_VERSION_REGISTER : WARNING: GM [IP_address] with unknown GDOI ver registered to group [chars] (e.g old-IOS or non-Cisco GM please check 'show crypto gdoi ks members' and 'show crypto gdoi feature' to ensure all your GMs can support the GETVPN features enabled. | |
|---|---|
| Explanation | A GM is registered with unknown GDOI SW version; cannot determine its feature capability. |
| Recommended Action | Check GMs can support all GETVPN features enabled in KS. Also check output of 'show crypto gdoi feature' and 'debug crypto gdoi ks infra detail' (note: high volume of debugs). msgdef_ddts_component(ipsec-getvpn) |
| %GDOI-4-NEWER_GM_VERSION_REGISTER : WARNING: GM [IP_address] registers to group [chars] with newer GDOI version than KS. Please check'show crypto gdoi ks members' and 'show crypto gdoi feature' to ensure all GMs can support the GETVPN features enabled. | |
|---|---|
| Explanation | A GM is registered with newer GDOI SW version; cannot determine its feature capability. |
| Recommended Action | Check GMs can support all GETVPN features enabled in KS. Also check output of 'show crypto gdoi feature' and 'debug crypto gdoi ks infra detail' (note: high volume of debugs). msgdef_ddts_component(ipsec-getvpn) |
| %GDOI-4-REJECT_GM_VERSION_REGISTER : Reject registration of GM [IP_address] (ver [hex]) in group [chars] as it cannot support these GETVPN features enabled: [chars] | |
|---|---|
| Explanation | Reject GM registration because it cannot support the GETVPN features enabled in the group. |
| Recommended Action | Check GMs can support all GETVPN features enabled in KS. Also check output of 'show crypto gdoi feature' and 'debug crypto gdoi ks infra detail' (note: high volume of debugs). msgdef_ddts_component(ipsec-getvpn) |
| %GDOI-4-GM_RECOVERY_REGISTRATION : GM recovery re-registration for group [chars] will start in a randomly chosen period of [dec] sec | |
|---|---|
| Explanation | GM recovery feature detects dataplane error and will re-register to KS to refresh keys and policy |
| Recommended Action | Informational message. |
| %GDOI-4-GM_RECOVERY_REGISTRATION_POSTPONED : Detects data error in group [chars] but the previous recovery/rekey has occured within the last recovery-check interval. Postpone recovery registration to start in [dec] sec | |
|---|---|
| Explanation | GM recovery feature detects dataplane error and will re-register to KS to refresh keys and policy |
| Recommended Action | Informational message. |
| %GDOI-4-GM_SA_TRACK_SET_EOT_ERROR : Group [chars] encountered error in setting EOT object ID [dec] to state [chars]. | |
|---|---|
| Explanation | GM SA TRACK state change occur but fail to update EOT object ID accordingly |
| Recommended Action | Informational message. Check to make sure the EOT object ID is configured properly |
| %GDOI-5-POLICY_CHANGE_ERROR_MULTIPLE_PORTS : Multiple ports detected for ACL [chars] which is not supported. WARNING: No TEK policy will be created. | |
|---|---|
| Explanation | Informs user that there is an error in the ACL with regards to the number of ports. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-6-COOP_KS_VER_TRANSIT : Coop KS [chars] protocol version transits from version 1.0.1 to 2.0.0 | |
|---|---|
| Explanation | The KS is transitioning to a new version. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-4-COOP_KS_RBLY_FAILED : Coop KS [chars] in group [chars] session Reassembly failed in TransID [int] | |
|---|---|
| Explanation | The KS COOP had an error reassmbling a packet from a peer KS |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-4-COOP_KS_CHECKPT_MISMATCH : Coop KS [chars] in group [chars] received Checkpoint Mismatch message. | |
|---|---|
| Explanation | The KS COOP had received a checkpoint mismatch from a KS COOP peer |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-3-COOP_KS_CANNOT_FIND_PROFILE : Coop KS in group [chars] has a configured IKEv2 profile '[chars]' that doesn't exist. The COOP will not come up until this error is fixed. | |
|---|---|
| Explanation | The KS COOP coniguration redunadancy ikve2-profile specifies a profile that doesn't exist. The COOP will not come up. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-IPSEC_INITIATE_GM_REGISTER : IPSEC initiate GDOI group [chars] to register | |
|---|---|
| Explanation | IPSEC initiate a GM registration for the group |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-3-IPSEC_INITIATE_GM_REGISTER_POSTPONE : IPSEC triggering registration for group [chars] too frequently. Postpone the registration to occur in [dec] msec. | |
|---|---|
| Explanation | GM detects IPSEC triggering registration for the group too frequently. GDOI will rate-limit and postpone the registration. |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-3-IPSEC_INITIATE_GM_REGISTER_IGNORE : IPSEC triggering registration for group [chars] too frequently. Ignore the request as registartion has already been scheduled to occur in [dec] msec. | |
|---|---|
| Explanation | GM detects IPSEC triggering registration for the group too frequently. GDOI will ignore the request as registration has already been scheduled. |
| Recommended Action | Contact the Group member's administrator. |
| %GDOI-3-COOP_KS_TOO_MANY_GROUPS_SHARE_IKE_SA : The COOP KS has too many groups sharing the same IKE SA for the peer addresses local [chars] remote [chars]. Connectivity could be compromised. Please reduce to [dec]. | |
|---|---|
| Explanation | There is a limit to the number of COOP KS groups that can share the. same IKE SA. This can lead to intermittent connectivity for the COOP KS in congested networks |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-3-COOP_KS_SEND_WINDOW_LIMIT_REACHED : The COOP KS has reached its window limit for the peer addresses local [chars] remote [chars]. This is due to connectivity issues between the key servers in question. | |
|---|---|
| Explanation | The COOP KS running over IKEv2 has a limit to the number of pending messages that can be sent. This limit has been reached which is an indication that there is a connectivity issue between the key servers |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-4-REJECT_GM_CKM_REGISTER : Reject registration of GM [IP_address] in group [chars] as it has CKM enabled but this secondaryKS has not sync up all KGS params yet | |
|---|---|
| Explanation | Reject GM registration because this is a secondaryKS and it has not received KGS seed and rekey-epoch from primaryKS yet |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-4-COOP_KS_CKM_INCOMPATIBLE : Found incompatible COOP-KS that cannot support CKM in group [chars]. Please check 'show crypto gdoi feature ckm'and upgrade the incompatible KS immediately. | |
|---|---|
| Explanation | Found incompatible COOP-KS that cannot support CKM in the group. Network administrator should check 'show crypto gdoi feature ckm'and upgrade the incompatible KS immediately |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-5-GM_REGISTER_UPDATE_TBAR : Platform HA forwarding-plane comes online, group [chars] gm-identity [chars] fvrf [chars] ivrf [chars] re-register to refresh TBAR info. | |
|---|---|
| Explanation | HA forwarding-plane comes online, group %s gm-identity %s fvrf %s ivrf %s is re-registering to refresh TBAR info. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GDOI-3-GM_IPD3P_NO_IPV6_SUPPORT : GETVPN group-member does not support IP-D3P for IPv6. | |
|---|---|
| Explanation | GETVPN group-member does not support IP-D3P for IPv6. |
| Recommended Action | Contact the Administrator(s) to correct the key server policy. |
| %GDOI-3-GM_IPD3P_NO_TRANSPORT_SUPPORT : GETVPN group-member does not support IPD3P transport mode | |
|---|---|
| Explanation | GETVPN group-member does not support IPD3P transport mode |
| Recommended Action | Contact the Administrator(s) to correct the key server policy. |
| %GDOI-3-GM_IPD3P_AND_CMD_CANT_COEXIST : GETVPN group-member does not support coexistance of IPD3P and Cisco-metadata features | |
|---|---|
| Explanation | GETVPN group-member does not support the enabling of IPD3P and Cisco-metadata features (e.g TBAR-PST, SGT) at the time |
| Recommended Action | Contact the Administrator(s) to correct the key server policy. |
GENERIC_SUBBLOCK
| %GENERIC_SUBBLOCK-2-LATE_REGISTER : Late registration of GSB type [chars], with id [dec] | |
|---|---|
| Explanation | An attempt to register a new generic subblock type was received after subblocks have already been allocated from the control structure with previously registered types |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GENERIC_SUBBLOCK-2-BUILDXDR : Failed to build message for GSB: [chars] | |
|---|---|
| Explanation | An attempt to build a message for distribution of generic subblock failed |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GENERIC_SUBBLOCK-2-UNPACKXDR : Unpacked [dec] bytes and attempted to consume [dec] bytes for GSB: [chars] | |
|---|---|
| Explanation | A discrepancy was detected between length of message expected versus length of message received |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GENERIC_SUBBLOCK-2-GSBNOTISSUAWARE : GSB [chars] is not ISSU aware. Cannot distribute it to ISSU-aware slots | |
|---|---|
| Explanation | This GSB is expected to be ISSU aware but it is not. It cannot be distributed safely to ISSU-aware slots as it may not be correctly interpreted |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case), or contact your Cisco technical support representative and provide the representative with the gathered information. |
GEN_DB
| %GEN_DB-3-NULL_TREE_NODE : Node is NULL [chars] | |
|---|---|
| Explanation | This message indicates that the tree node being examined is NULL |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-INVALID_RECORD_KEY : [chars]: invalid record key * | |
|---|---|
| Explanation | This message indicates that the record key is invalid |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-NO_KEY_FUNC : [chars]: [chars][chars] | |
|---|---|
| Explanation | This message indicates that key functions are missing from the database handle, or key function is a NULL Pointer |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-KEY_FUNC_DOESNT_EXIST : [chars]: Key function does not exist | |
|---|---|
| Explanation | This message indicates that key function being considered does not exist in the database definition |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-INVALID_CLIENT_TYPE : [chars]: Invalid client type, got [dec] (must be between 0 and [dec]) | |
|---|---|
| Explanation | This message indicates that client type is outside the expected range |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-NULL_DB_HNDL : NULL Database Handle [chars] | |
|---|---|
| Explanation | This message indicates the database handle was NULL |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-NULL_DB_HNDL_ELEMENT : [chars]: NULL Database Element [chars] | |
|---|---|
| Explanation | This message indicates the database handle element was NULL |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-LIST_FAIL : [chars]:[chars] | |
|---|---|
| Explanation | This message indicates that a list operations such as enqueue, dequeu failed |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-LIST_FAIL_FOR_RECORD : [chars]:[dec]:[chars] | |
|---|---|
| Explanation | This message indicates that a list operations such as enqueue, dequeu failed |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-WAVL_FAIL : [chars]: [chars] | |
|---|---|
| Explanation | This message indicates that a wavl tree operation failed |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-RECORD_DELETE_FAIL : [chars]:[chars] | |
|---|---|
| Explanation | This message indicates that a record could not be deleted |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-PARSER_INIT_FAIL : [chars]:[dec]: Parser Could not be initialized | |
|---|---|
| Explanation | This message indicates that the IOS Parser command could not be initialized |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
| %GEN_DB-3-UNKNOWN_PARSER_CMD : [chars]:[dec]: Unknown Parser Command | |
|---|---|
| Explanation | This message indicates that the IOS Parser command was not recognized |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
GEN_PROXY
| %GEN_PROXY-3-IPC_UNHANDLED : failure | |
|---|---|
| Explanation | An unknown message type: %d was received by the Generic Client Proxy. |
| Recommended Action | LOG_STD_ACTION |
| %GEN_PROXY-3-REPLY_MSG : wrong version [dec] | |
|---|---|
| Explanation | An incorrect SBS message was received by the Generic Client Proxy. |
| Recommended Action | LOG_STD_ACTION |
| %GEN_PROXY-3-STACK_ALLOC_FAILED : Stack allocation for reply failed reply_size [hex] | |
|---|---|
| Explanation | Stack space could not be allocated for reply. |
| Recommended Action | LOG_STD_ACTION |
| %GEN_PROXY-3-GPM_ALLOC_FAILED : GPM allocation for reply failed pak_size [hex] reply_size [hex] | |
|---|---|
| Explanation | GPM could not be allocated for reply. |
| Recommended Action | LOG_STD_ACTION |
| %GEN_PROXY-3-IPC_SEND_FAILED : IPC send reply failed [chars] | |
|---|---|
| Explanation | GEN proxy failed to send of reply to IPC msg. |
| Recommended Action | LOG_STD_ACTION |
GLBP
| %GLBP-4-BADAUTH : Bad authentication received from [chars], group [dec] | |
|---|---|
| Explanation | Two routers participating in a Gateway Load Balancing Protocol group disagree on the valid authentication string. |
| Recommended Action | Use the glbp authentication interface command to repair the GLBP authentication discrepancy between the local system and the one whose IP address is reported. |
| %GLBP-3-MISCONFIG : Cannot add MAC address [enet] to interface [chars] - not supported | |
|---|---|
| Explanation | A software or hardware error occurred. |
| Recommended Action | Copy the error message exactly as it appears on the console or in the system log. Issue the show tech-support command to gather data that may help identify the nature of the error. Also perform a search of the Bug Toolkit (https://bst.cloudapps.cisco.com/bugsearch/). If you still require assistance, open a case with the Technical Assistance Center via the Internet (https://mycase.cloudapps.cisco.com/case) , or contact your Cisco technical support representative and provide the representative with the gathered information. |
| %GLBP-6-STATECHANGE : [chars] Grp [int] state [chars] -> [chars] | |
|---|---|
| Explanation | The GLBP gateway has changed state |
| Recommended Action | No action is required. |
| %GLBP-6-FWDSTATECHANGE : [chars] Grp [int] Fwd [int] state [chars] -> [chars] | |
|---|---|
| Explanation | The GLBP forwarder has changed state |
| Recommended Action | No action is required. |
| %GLBP-4-DUPADDR : Duplicate address [chars] on [chars], sourced by [enet] | |
|---|---|
| Explanation | The IP address in a GLBP message received on the interface is the same as the router's own IP address. This may be because of misconfiugration, or because of a malfunctioning switch |
| Recommended Action | Check the configurations on all the GLBP routers, and make sure that any switches you have are functioning properly. |
| %GLBP-4-DUPVIP1 : [chars] Grp [dec] address [chars] is already assigned to [chars] group [dec] | |
|---|---|
| Explanation | The GLBP virtual IP address contained in the Hello message cannot be learnt as it is already assigned to a different GLBP group. |
| Recommended Action | Check the configuration on all GLBP routers. |
| %GLBP-4-DUPVIP2 : [chars] Grp [dec] address [chars] is already assigned on this interface | |
|---|---|
| Explanation | The GLBP virtual IP address contained in the Hello message cannot be learnt as it is already assigned to this interface. |
| Recommended Action | Check the configuration on all GLBP routers. |
| %GLBP-4-DUPVIP3 : [chars] Grp [dec] address [chars] is already assigned to, or overlaps with, an address on another interface or application | |
|---|---|
| Explanation | The GLBP virtual IP address contained in the Hello message cannot be learnt as it is already assigned to, or overlaps with, an address on another interface or application. |
| Recommended Action | Check the configuration on all GLBP routers. |
| %GLBP-4-BADVIP : [chars] Grp [dec] address [chars] is in the wrong subnet for this interface | |
|---|---|
| Explanation | The GLBP virtual IP address contained in the Hello message cannot be learnt as it is not within a subnet configured on the interface. |
| Recommended Action | Check the configuration on all GLBP routers and ensure that the virtual IP address is within a configured subnet. |
| %GLBP-4-DIFFVIP1 : [chars] Grp [dec] active routers virtual IP address [chars] is different to the locally configured address [chars] | |
|---|---|
| Explanation | The GLBP virtual IP address contained in the Hello message from the Active router is different to that configured locally. |
| Recommended Action | Check the configuration on all GLBP routers. |
GRIP
| %GRIP-3-BADPATHS : Invalid number of paths ([dec]) for %q | |
|---|---|
| Explanation | An internal inconsistency was detected in the XNS routing table structure. |
| Recommended Action | Note the parameters associated with this message and call your technical support representative for assistance. |
| %GRIP-2-BADROUTE : Error [chars] route - null table | |
|---|---|
| Explanation | A hardware or software error occurred. |
| Recommended Action | Copy the error message exactly as it appears, and report it to your technical support representative. |
HA
| %HA-6-TOOBIG : Running config too big, config sync failed | |
|---|---|
| Explanation | The running config was too big to be synced |
| Recommended Action | No action is required. |
| %HA-6-SWITCHOVER : Route Processor switched from standby to being active | |
|---|---|
| Explanation | This RP switched to become the active RP |
| Recommended Action | No action is required. |
HAL_GENMEM
| %HAL_GENMEM-3-HAL_MISMATCHED_GENMEM : VADDR:[int] LINE: [dec] | |
|---|---|
| Explanation | Mismatched genmem. |
| Recommended Action | LOG_STD_ACTION |
Feedback