Error occurs 110003

Error Message
%ASA-1-101001: (Primary) Failover cable OK.

Explanation The failover cable is present and functioning
correctly. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

Error Message
%ASA-1-101002: (Primary) Bad failover cable.

Explanation The failover cable is present, but not functioning
correctly. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Replace the failover cable.

Error Message
%ASA-1-101003: (Primary) Failover cable not connected (this unit).

Error Message %ASA-1-101004: (Primary) Failover cable not connected (other unit).

Explanation Failover mode is enabled, but the failover cable is
not connected to one unit of the failover pair. Primary can also be listed as
Secondary for the secondary unit.

Recommended Action Connect the failover cable to both units of
the failover pair.

Error Message
%ASA-1-101005: (Primary) Error reading failover cable status.

Explanation The failover cable is connected, but the primary unit
is unable to determine its status.

Recommended Action Replace the cable.

Error Message
%ASA-1-103001: (Primary) No response from other firewall (reason code = code).

Explanation The primary unit is unable to communicate with the
secondary unit over the failover cable. Primary can also be listed as Secondary
for the secondary unit. The following table lists the reason codes and the
descriptions to determine why the failover occurred.

Recommended Action Verify that the failover cable is connected
correctly and both units have the same hardware, software, and configuration.
If the problem persists, contact the Cisco TAC.

Error Message
%ASA-1-103002: (Primary) Other firewall network interface interface_number OK.

Explanation The primary unit has detected that the network
interface on the secondary unit is okay. Primary can also be listed as
Secondary for the secondary unit.

Recommended Action None required.

Error Message
%ASA-1-103003: (Primary) Other firewall network interface interface_number failed.

Explanation The primary unit has detected a bad network interface
on the secondary unit. Primary can also be listed as Secondary for the
secondary unit.

Recommended Action Check the network connections on the secondary
unit and the network hub connection. If necessary, replace the failed network
interface.

Error Message
%ASA-1-103004: (Primary) Other firewall reports this firewall failed. Reason: reason-string

Explanation The primary unit received a message from the
secondary unit indicating that the primary unit has failed. Primary can also be
listed as Secondary for the secondary unit. The reason can be one of the
following:

• Missed poll packets on
  failover command interface exceeded threshold.

• LAN failover interface
  failed.

• Peer failed to enter
  Standby Ready state.

• Failed to complete
  configuration replication. This firewall’s configuration may be out of sync.

• Failover message transmit
  failure and no ACK for busy condition received.

Recommended Action Verify the status of the primary unit.

Error Message
%ASA-1-103005: (Primary) Other firewall reporting failure. Reason: SSM card failure

Explanation The secondary unit has reported an SSM card failure to
the primary unit. Primary can also be listed as Secondary for the secondary
unit.

Recommended Action Verify the status of the secondary unit.

Error Message
%ASA-1-103006: (Primary|Secondary) Mate version ver_num is not compatible with ours ver_num


Explanation The ASA has detected a peer unit that is running a version that is different than the local unit and is not compatible with the HA
Hitless Upgrade feature.

• ver_num —Version number.

Recommended Action Install the same or a compatible version image
on both units.

Error Message
%ASA-1-103007: (Primary|Secondary) Mate version ver_num is not identical with ours ver_num


Explanation The ASA has detected that the peer unit is running a version that is not identical, but supports Hitless Upgrade and is compatible
with the local unit. The system performance may be degraded because the image version is not identical, and the ASA may develop a stability issue if the nonidentical image runs for an extended period.

• ver_num—Version
  number

Recommended Action Install the same image version on both units
as soon as possible.

Error Message
%ASA-1-103008: Mate hwdib index is not compatible

Explanation The number of interfaces on the active and standby units is not the same.

Recommended Action Verify that the units have the same number of interfaces. You might need to install additional interface modules, or use
different devices. After the physical interfaces match, force a configuration sync by entering the write standby command.

Error Message
%ASA-1-104001: (Primary) Switching to ACTIVE (cause: string ).

Error Message
%ASA-1-104002: (Primary) Switching to STANDBY (cause: string ).

Explanation You have forced the failover pair to switch roles,
either by entering the
failover active command on the standby unit, or
the
no failover active command on the active unit.
Primary can also be listed as Secondary for the secondary unit. Possible values
for the string variable are as follows:

• state check
• bad/incomplete config
• ifc [interface] check, mate
  is healthier

• the other side wants me to
  standby
• in failed state, cannot be active
• switch to failed state
• other unit set to active by CLI config command fail active

Recommended Action If the message occurs because of manual
intervention, no action is required. Otherwise, use the cause reported by the
secondary unit to verify the status of both units of the pair.

Error Message
%ASA-1-104003: (Primary) Switching to FAILED.

Explanation The primary unit has failed.

Recommended Action Check the messages for the primary unit for an
indication of the nature of the problem (see message 104001). Primary can also
be listed as Secondary for the secondary unit.

Error Message
%ASA-1-104004: (Primary) Switching to OK.

Explanation A previously failed unit reports that it is operating
again. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

Error Message
%ASA-1-104500: (Primary|Secondary) Switching to ACTIVE (cause: reason)

Explanation

This HA unit is assuming the Active role for the Cloud HA pair. Possible values for the reason string are:

• no existing Active unit present

• unable to send message to Active unit

• no response to Hello message received from Active unit

• user initiated failover on this unit

• user initiated failover on peer unit

• invalid message received on failover connection

Recommended Action None required.

Error Message
%ASA-1-104501: (Primary|Secondary) Switching to BACKUP (cause: reason).

Explanation This HA unit is assuming the Backup role for the Cloud HA pair. Possible values for the reason string are:

• existing Active unit present

• user initiated failover on this unit

• user initiated failover on peer unit

Recommended Action None required.

Error Message
%ASA-1-104502: (Primary|Secondary) Becoming Backup unit failed.

Explanation This HA unit failed to assume the Backup role for the Cloud HA pair. The reason being the same as that of 104500 and 104501.

Recommended Action None required.

Error Message
%ASA-1-105001: (Primary) Disabling failover.

Explanation In version 7.x and later, this message may indicate
the following: failover has been automatically disabled because of a mode
mismatch (single or multiple), a license mismatch (encryption or context), or a
hardware difference (one unit has an IPS SSM installed, and its peer has a CSC
SSM installed). Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

Error Message
%ASA-1-105002: (Primary) Enabling failover.

Explanation You have used the
failover command with no arguments on the
console, after having previously disabled failover. Primary can also be listed
as Secondary for the secondary unit.

Recommended Action None required.

Error Message
%ASA-1-105003: (Primary) Monitoring on interface interface_name waiting

Explanation The ASA is testing the specified network interface with the other unit of the failover pair. Primary can also be listed as Secondary
for the secondary unit.

Recommended Action None required. The ASA monitors its network interfaces frequently during normal operation.

Error Message
%ASA-1-105004: (Primary) Monitoring on interface interface_name normal

Explanation The test of the specified network interface was
successful. Primary can also be listed as Secondary for the secondary unit.

Recommended Action None required.

Error Message
%ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.

Explanation One unit of the failover pair can no longer
communicate with the other unit of the pair. Primary can also be listed as
Secondary for the secondary unit.

Recommended Action Verify that the network connected to the
specified interface is functioning correctly.

Error Message%ASA-1-105006: (Primary) Link status Up on interface interface_name.

Error Message %ASA-1-105007: (Primary) Link status Down on interface interface_name.

Explanation The results of monitoring the link status of the
specified interface have been reported. Primary can also be listed as Secondary
for the secondary unit.

Recommended Action If the link status is down, verify that the
network connected to the specified interface is operating correctly.

Error Message
%ASA-1-105008: (Primary) Testing interface interface_name.

Explanation Testing of a specified network interface has occurred. This testing is performed only if the ASA fails to receive a message from the standby unit on that interface after the expected interval. Primary can also be listed
as Secondary for the secondary unit.

Recommended Action None required.

Error Message
%ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.

Explanation The result (either Passed or Failed) of a previous
interface test has been reported. Primary can also be listed as Secondary for
the secondary unit.

Recommended Action None required if the result is Passed. If the
result is Failed, you should check the network cable connection to both
failover units, that the network itself is functioning correctly, and verify
the status of the standby unit.

Error Message
%ASA-3-105010: (Primary) Failover message block alloc failed.

Explanation Block memory was depleted. This is a transient message and the ASA should recover. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Use the show blocks command to monitor the
current block memory.

Error Message
%ASA-1-105011: (Primary) Failover cable communication failure

Explanation The failover cable is not permitting communication
between the primary and secondary units. Primary can also be listed as
Secondary for the secondary unit.

Recommended Action Ensure that the cable is connected correctly.

Error Message
%ASA-1-105020: (Primary) Incomplete/slow config replication

Explanation When a failover occurs, the active ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary
can also be listed as Secondary for the secondary unit.

Recommended Action After the ASA detects the failover, the ASA automatically reboots and loads the configuration from flash memory and/or resynchronizes with another ASA. If failovers occurs continuously, check the failover configuration and make sure that both ASAs can communicate with each other.

Error Message
%ASA-1-105021: (failover_unit ) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_name


Explanation During configuration synchronization, a standby unit will reload itself if some other process locks the configuration for
more than five minutes, which prevents the failover process from applying the new configuration. This can occur when an administrator
pages through a running configuration on the standby unit while configuration synchronization is in process. See also the
show running-config command in privileged EXEC mode and the pager lines
num command in global configuration mode in the Command Reference Guides .

Recommended Action Avoid viewing or modifying the configuration
on the standby unit when it first boots up and is in the process of
establishing a failover connection with the active unit.

Error Message
%ASA-1-105031: Failover LAN interface is up

Explanation The LAN failover interface link is up.

Recommended Action None required.

Error Message
%ASA-1-105032: LAN Failover interface is down

Explanation The LAN failover interface link is down.

Recommended Action Check the connectivity of the LAN failover
interface. Make sure that the speed or duplex setting is correct.

Error Message
%ASA-1-105033: LAN FO cmd Iface down and up again

Explanation LAN interface of failover gone down.

Recommended Action Verify the failover link, might be a communication problem.

Error Message
%ASA-1-105034: Receive a LAN_FAILOVER_UP message from peer.

Explanation The peer has just booted and sent the initial contact
message.

Recommended Action None required.

Error Message
%ASA-1-105035: Receive a LAN failover interface down msg from peer.

Explanation The peer LAN failover interface link is down. The unit
switches to active mode if it is in standby mode.

Recommended Action Check the connectivity of the peer LAN
failover interface.

Error Message
%ASA-1-105036: dropped a LAN Failover command message.

Explanation The ASA dropped an unacknowledged LAN failover command message, indicating a connectivity problem exists on the LAN failover interface.

Recommended Action Check that the LAN interface cable is
connected.

Error Message
%ASA-1-105037: The primary and standby units are switching back and forth as the active unit.

Explanation The primary and standby units are switching back and
forth as the active unit, indicating a LAN failover connectivity problem or
software bug exists.

Recommended Action Make sure that the LAN interface cable is
connected.

Error Message
%ASA-1-105038: (Primary) Interface count mismatch

Explanation When a failover occurs, the active ASA detects a partial configuration in memory. Normally, this is caused by an interruption in the replication service. Primary
can also be listed as Secondary for the secondary unit.

Recommended Action Once the failover is detected by the ASA, the ASA automatically reboots and loads the configuration from flash memory and/or resynchronizes with another ASA. If failovers occur continuously, check the failover configuration and make sure that both ASAs can communicate with each other.

Error Message
%ASA-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.

Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary ASAs are the same. This message indicates that the primary ASA is not able to verify the number of interfaces configured on the secondary ASA. This message indicates that the primary ASA is not able to communicate with the secondary ASA over the failover interface. Primary can also be listed as Secondary for the secondary unit.

Recommended Action Verify the failover LAN, interface configuration, and status on the primary and secondary ASAs. Make sure that the secondary ASA is running the ASA application and that failover is enabled.

Error Message
%ASA-1-105040: (Primary) Mate failover version is not compatible.

Explanation The primary and secondary ASAs should run the same failover software version to act as a failover pair. This message indicates that the secondary ASA failover software version is not compatible with the primary ASA. Failover is disabled on the primary ASA. Primary can also be listed as Secondary for the secondary ASA.

Recommended Action Maintain consistent software versions between the primary and secondary ASAs to enable failover.

Error Message
%ASA-1-105041: cmd failed during sync

Explanation Replication of the nameif command failed, because the number of interfaces on the active and standby units is not the same.

Recommended Action Verify that the units have the same number of interfaces. You might need to install additional interface modules, or use
different devices. After the physical interfaces match, force a configuration sync by entering the write standby command.

Error Message
%ASA-1-105042: (Primary) Failover interface OK

Explanation The interface that sends failover messages could go down when physical status of the failover link is down or when L2 connectivity
between the failover peers is lost resulting in dropping of ARP packets. This message is generated after restoring the L2
ARP connectivity.

Recommended Action None required.

Error Message
%ASA-1-105043: (Primary) Failover interface failed

Explanation This syslog is generated when physical status of the failover link is down or when L2 connectivity between the failover peers
is lost. The disconnection results in loss of ARP packets flowing between the units.

Recommended Action

• Check the physical status of the failover link, ensure its physical and operational status is functional.

• Ensure ARP packets flow through the transit path of the failover links between the failover pairs.

Error Message
%ASA-1-105044: (Primary) Mate operational mode mode is not compatible with my mode mode.

Explanation When the operational mode (single or multiple) does
not match between failover peers, failover will be disabled.

Recommended Action Configure the failover peers to have the same
operational mode, and then reenable failover.

Error Message
%ASA-1-105045: (Primary) Mate license (number contexts) is not compatible with my license (number contexts).

Explanation When the feature licenses do not match between
failover peers, failover will be disabled.

Recommended Action Configure the failover peers to have the same
feature license, and then reenable failover.

Error Message
%ASA-1-105046 (Primary|Secondary) Mate has a different chassis

Explanation Two failover units have a different type of chassis.
For example, one has a three-slot chassis; the other has a six-slot chassis.

Recommended Action Make sure that the two failover units are the
same.

Error Message %ASA-1-105047: Mate has a io_card_name1 card in slot slot_number which is different from my io_card_name2


Explanation The two failover units have different types of cards
in their respective slots.

Recommended Action Make sure that the card configurations for the
failover units are the same.

Error Message
%ASA-1-105048: (unit ) Mate’s service module (application ) is different from mine (application )

Explanation The failover process detected that different
applications are running on the service modules in the active and standby
units. The two failover units are incompatible if different service modules are
used.

• unit—Primary
  or secondary

• application—The name of the application,
  such as InterScan Security Card

Recommended Action Make sure that both units have identical
service modules before trying to reenable failover.

Error Message
%ASA-3-105050: ASAv ethernet interface mismatch

Explanation Number of Ethernet interfaces on standby unit is less than that on active unit.

Recommended Action
ASA with same number of interfaces should be paired up with each other. Verify that the units have the same number of interfaces.
You might need to install additional interface modules, or use different devices. After the physical interfaces match, force
a configuration sync by entering the write standby command.

Error Message
%ASA-5-105500: (Primary|Secondary) Started HA.

Explanation Cloud HA has been enabled on this ASAv.

Recommended Action None required.

Error Message
%ASA-5-105501: (Primary|Secondary) Stopped HA.

Explanation Cloud HA has been disabled on this ASAv.

Recommended Action None required.

Error Message
%ASA-1-105502: (Primary|Secondary) Restarting Cloud HA on this unit, reason: string.

Explanation An error occurred and caused this HA unit to restart Cloud HA. Possible values for the reason string are:

• failed to become Backup unit

• unable to create failover connection

Recommended Action None required.

Error Message
%ASA-5-105503: (Primary|Secondary) Internal state change from previous_state to new_state

Explanation There was a change to the internal HA state.

Recommended Action None required.

Error Message
%ASA-5-105504: (Primary|Secondary) Connected to peer peer-ip:port

Explanation This HA unit has established communication with its HA peer.

Recommended Action None required.

Error Message
%ASA-4-105505: (Primary|Secondary) Failed to connect to peer unit peer-ip:port

Explanation This HA unit has failed to establish communication with its HA peer.

Recommended Action

This may occur if there is no HA peer present. If there is an HA peer present with failover enabled there could be connectivity
issue between peers. Verify using the show failover command that:

• The peer IP address configured on each unit is matches an interface IP address on the peer

• The peer port number on each unit matches the failover control (server) port on the peer

• The interfaces used for the peer connection are not shutdown

• Any IP routes required for IP connectivity are present

Error Message
%ASA-2-105506: (Primary|Secondary) Unable to create socket on port port for (failover connection | load balancer probes),
error: error_string

Explanation An internal error occurred while attempting to create a socket needed for the failover connection or resonding to Azure load
balancer probes.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-2-105507: (Primary|Secondary) Unable to bind socket on port port for (failover connection | load balancer probes), error:
error_string

Explanation An internal error occurred while attempting to start a socket needed for the failover connection or resonding to Azure load
balancer probes.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-2-105508: (Primary|Secondary) Error creating failover connection socket on port port

Explanation An internal error occurred while attempting to create a socket on the Active unit for exchanging failover control messages
with the Backup unit.

Recommended Action This message is preceeded by a 104509 or 104510 message. Follow the Recommended Action for the message that precedes this
one.

Error Message
%ASA-3-105509: (Primary|Secondary) Error sending message_name message to peer unit peer-ip, error: error_string

Explanation An error occurred while attempting to send a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105510: (Primary|Secondary) Error receiving message from peer unit peer-ip, error: error_string

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105511: (Primary|Secondary) Incomplete read of message header of message from peer unit peer-ip: bytes bytes read of
expected header_length header bytes.

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105512: (Primary|Secondary) Error receiving message body of message from peer unit peer-ip, error: error_string

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105513: (Primary|Secondary) Incomplete read of message body of message from peer unit peer-ip: bytes bytes read of
expected message_length message body bytes

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105514: (Primary|Secondary) Error occurred when responding to message_name message received from peer unit peer-ip,
error: error_string

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105515: (Primary|Secondary) Error receiving message_name message from peer unit peer-ip, error: error_string

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105516: (Primary|Secondary) Incomplete read of message header of message_name message from peer unit peer-ip: bytes
bytes read of expected header_length header bytes

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105517: (Primary|Secondary) Error receiving message body of message_name message from peer unit peer-ip, error: error_string

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105518: (Primary|Secondary) Incomplete read of message body of message_name message from peer unit peer-ip: bytes bytes
read of expected message_length message body bytes

Explanation An error occurred while attempting to receive a failover control message to the peer unit.

Recommended Action If the error was not caused by the failure of the peer unit, copy the error message, the configuration, and any details about
the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105519: (Primary|Secondary) Invalid response to message_name message received from peer unit peer-ip: type message_type,
version message_version, length message_length

Explanation An unexpected message was received in response to a failover control message.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-5-105520: (Primary|Secondary) Responding to Azure Load Balancer probes

Explanation The Active unit has begun responding to Azure Load Balancer probes.

Recommended Action None required

Error Message
%ASA-5-105521: (Primary|Secondary) No longer responding to Azure Load Balancer probes

Explanation The Backup unit has stopped responding to Azure Load Balancer probes.

Recommended Action None required

Error Message
%ASA-5-105522: (Primary|Secondary) Updating route route_table_name

Explanation The Active unit has started the process of updating an Azure route-table.

Recommended Action None required

Error Message
%ASA-5-105523: (Primary|Secondary) Updated route route_table_name

Explanation The Active unit has completed the process of updating an Azure route-table.

Recommended Action None required

Error Message
%ASA-4-105524: (Primary|Secondary) Transitioning to Negotiating state due to the presence of another Active HA unit.

Explanation Another Active HA unit was detected, transitioning unit to negotiating state.

Recommended Action None required

Error Message
%ASA-4-105524: (Primary|Secondary) Transitioning to Negotiating state due to the presence of another Active HA unit.

Explanation Another Active HA unit was detected, transitioning unit to negotiating state.

Recommended Action None required

Error Message
%ASA-2-105525: (Primary|Secondary) Incomplete configuration to initiate access token change request.

Explanation An attempt was made to acquire an access token but there was not enough configuration information need to initiate the request.

Recommended Action Ensure that an Azure authentication client ID, tenant ID and secret key are all present in the ASA configuration.

Error Message
%ASA-2-105526: (Primary|Secondary) Unexpected status in response to access token request: status_string.

Explanation A response to an Azure access token request was received but the HTTP status code in the response was not 200 (OK).

Recommended Action Ensure that the Azure authentication client ID, tenant ID and secret key are all correct in the ASA configuration.

Error Message
%ASA-2-105527: (Primary|Secondary) Failure reading response to access token request

Explanation An internal error occurred while receiving a response to an Azure access token request.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-2-105528: (Primary|Secondary) No access token in response to access token request

Explanation A response to an Azure route change request was received but it did not contain an access_token value.

Recommended Action Verify that the Azure authentication client ID, tenant ID and secret key are all correct in the ASA configuration.

Error Message
%ASA-2-105529: (Primary|Secondary) Error creating authentication header from access token

Explanation An internal error occurred while attempting to create an authentication header needed for changing Azure routes.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-2-105530: (Primary|Secondary) No response to access token request url

Explanation Azure route-table information was not able to be obtained for an Azure route-table change.

Recommended Action Verify route-table name is correct in ASA configuration and exists in Azure.

Error Message
%ASA-2-105531: (Primary|Secondary) Failed to obtain route-table information needed for change request for route-table route_table_name

Explanation Azure route-table information was not able to be obtained for an Azure route-table change.

Recommended Action Verify route-table name is correct in ASA configuration and exists in Azure.

Error Message
%ASA-2-105532: (Primary|Secondary) Unexpected status in response to route-table change request for route-table route_table_name:
status_string

Explanation A response to an Azure route-tablechange request was received but the HTTP status code in the response was not 200 (OK).

Recommended Action Verify that the configured Azure subscription ID, route-table name and route-table resource group are correct.

Error Message
%ASA-2-105533: (Primary|Secondary) Failure reading response to route-table change request for route-table route_table_name

Explanation An internal error occurred while receiving a response to an Azure route-table change request.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-2-105534: (Primary|Secondary) No provisioning state in response to route-table change request route-table route_table_name

Explanation A response to an Azure route-table change request was received but it did not contain a provisioningState value containing
the route-table change status.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-2-105535: (Primary|Secondary) No response to route-table change request for route-table route_table_name from url

Explanation No response was received to an Azure route-table change request.

Recommended Action Verify that management.azure.com is reachable from the ASAv.

Error Message
%ASA-2-105536: (Primary|Secondary) Failed to obtain Azure authentication header for route status request for route route_name

Explanation An Azure access token was not able to be obtained for an Azure route status query.

Recommended Action See the Recommended Action of access token related message that preceeds this message.

Error Message
%ASA-2-105537: (Primary|Secondary) Unexpected status in response to route state request for route route_name: status_string

Explanation A response to an Azure route state request was received but the HTTP status code in the response was not 200 (OK).

Recommended Action Verify that the configured Azure subscription ID, route table name and route table resource group are correct.

Error Message
%ASA-2-105538: (Primary|Secondary) Failure reading response to route state request for route route_name

Explanation An internal error occurred while receiving a response to an Azure route state request.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-2-105539: (Primary|Secondary) No response to route state request for route route_name from url

Explanation No response was received to an Azure route state request.

Recommended Action Verify that management.azure.com is reachable from the ASAv.

Error Message
%ASA-2-105540: (Primary|Secondary) No route-tables configured

Explanation No Azure route-tables were detected to change.

Recommended Action Confirm that route-tables are correctly configured in ASA configuration.

Error Message
%ASA-2-105541: (Primary|Secondary) Failed to update route-table route_table_name, provisioning state: state_string

Explanation A response to an Azure route-table state request was received that contained a provisioningState that indicated a failure
to update the route-table.

Recommended Action The Active unit will make three attempts to update an Azure route-table. If all three attempts fail, copy the error message,
the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-5-105542: (Primary|Secondary) Enabling load balancer probe responses

Explanation The Active unit is will now respond to probes from the Azure Load Balancer.

Recommended Action None required.

Error Message
%%ASA-5-105543: (Primary|Secondary) Disabling load balancer probe responses

Explanation The Active unit is no longer responding to probes from the Azure Load Balancer.

Recommended Action None required.

Error Message
%ASA-2-105544: (Primary|Secondary) Error creating load balancer probe socket on port port

Explanation An internal error occurred while attempting to create a socket for responding to probes from an Azure Load Balancer.

Recommended Action This message will be preceeded by a 104509 or 104510 message. Follow the Recommended Action for the message that precedes
this one.

Error Message
%ASA-3-105545: (Primary|Secondary) Error starting load balancer probe socket on port port, error code: error_code

Explanation An internal error occurred while attempting to start receiving probes from an Azure Load Balancer. The Active unit will continue
to attempt to enable the receiving of probes.

Recommended Action If this condition persists copy the error message, the configuration, and any details about the events leading up to the
error, and contact Cisco TAC.

Error Message
%ASA-3-105546: (Primary|Secondary) Error starting load balancer probe handler

Explanation An internal error occurred while attempting to create a process for receiving probes from an Azure Load Balancer.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105547: (Primary|Secondary) Error generating encryption key for Azure secret key

Explanation An internal error occurred while attempting to generate the encryption key used for encrypting the Azure secret key in the
configuration.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105548: (Primary|Secondary) Error storing encryption key for Azure secret key

Explanation An internal error occurred while attempting to store the encryption key used for encrypting the Azure secret key in the configuration.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105549: (Primary|Secondary) Error retrieving encryption key for Azure secret key

Explanation An internal error occurred while attempting to retrieve the encryption key used for encrypting the Azure secret key in the
configuration.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105550: (Primary|Secondary) Error encrypting Azure secret key

Explanation An internal error occurred while encrypting the Azure secret key in the configuration.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-3-105551: (Primary|Secondary) Error encrypting Azure secret key

Explanation An internal error occurred while decrypting the Azure secret key in the configuration.

Recommended Action Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-5-105552: (Primary|Secondary) Stopped HA

Explanation Cloud HA has been disabled on this ASAv.

Recommended Action None required.

Error Message
%ASA-4-105553: (Primary|Secondary) Detected another Active HA unit

Explanation Another Active HA unit was detected.

Recommended Action None required

Error Message
%ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

Explanation An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic
type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags
values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet
arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:

• ACK—The acknowledgment
  number was received

• FIN—Data was sent
• PSH—The receiver passed data to the application
• RST—The connection was reset
• SYN—Sequence numbers were synchronized to start a connection
• URG—The urgent pointer was declared valid

Recommended Action None required.

Error Message %ASA-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address

Explanation The specified connection failed because of an
outbound
deny command. The
protocol variable can be ICMP, TCP, or UDP.

Recommended Action Use the
show
outbound command to check outbound lists.

Error Message
%ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

Explanation An inbound UDP packet was denied by the security
policy that is defined for the specified traffic type.

Recommended Action None required.

Error Message
%ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.

Explanation A UDP packet containing a DNS query or response was
denied.

Recommended Action If the inside port number is 53, the inside
host probably is set up as a caching name server. Add an
access-list command statement to permit traffic
on UDP port 53 and a translation entry for the inside host. If the outside port
number is 53, a DNS server was probably too slow to respond, and the query was
answered by another server.

Error Message %ASA-3-106010: Deny inbound protocol
src [interface_name : source_address/source_port ] [([idfw_user | FQDN_string ], sg_info )] dst [interface_name : dest_address /dest_port }[([idfw_user | FQDN_string ], sg_info )]

Explanation An inbound connection was denied by your security
policy.

Recommended Action Modify the security policy if traffic should be
permitted. If the message occurs at regular intervals, contact the remote peer
administrator.

Error Message %ASA-3-106011: Deny inbound (No xlate) string

Explanation The message appears under normal traffic conditions if there are internal users that are accessing the Internet through a
web browser. Any time a connection is reset, when the host at the end of the connection sends a packet after the ASA receives the connection reset, this message appears. It can typically be ignored.

Recommended Action Prevent this message from getting logged to
the syslog server by entering the
no
logging
message
106011 command.

Error Message %ASA-6-106012: Deny IP from IP_address to IP_address , IP options hex.

Explanation An IP packet was seen with IP options. Because IP
options are considered a security risk, the packet was discarded.

Recommended Action Contact the remote host system administrator to
determine the problem. Check the local site for loose source routing or strict
source routing.

Error Message
%ASA-2-106013: Dropping echo request from IP_address to PAT address IP_address


Explanation The ASA discarded an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. The inbound
packet is discarded because it cannot specify which PAT host should receive the packet.

Recommended Action None required.

Error Message %ASA-3-106014: Deny inbound icmp src
interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] dst interface_name : IP_address [([idfw_user | FQDN_string ], sg_info )] (type dec , code dec )

Explanation The ASA denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically allowed.

Recommended Action None required.

Error Message
%ASA-6-106015: Deny TCP (no connection) from IP_address /port to IP_address /port flags tcp_flags on interface interface_name.

Explanation The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set,
and there is no existing connection, the ASA discards the packet.

Recommended Action None required unless the ASA receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine
the reason these packets were sent.

Error Message %ASA-2-106016: Deny IP spoof from (IP_address ) to IP_address on interface interface_name.

Explanation A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface. In addition, this message is generated when the ASA discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

• Loopback network
  (127.0.0.0)

• Broadcast (limited,
  net-directed, subnet-directed, and all-subnets-directed)

• The destination host (land.c)

To further enhance spoof packet detection, use the icmp command to configure the ASA to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action Determine if an external user is trying to
compromise the protected network. Check for misconfigured clients.

Error Message %ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address


Explanation The ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port.
This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action If this message persists, an attack may be in
progress. The packet does not provide enough information to determine where the
attack originates.

Error Message %ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address

Explanation The outgoing ICMP packet with the specified ICMP from
local host (inside_address) to the foreign host (outside_address) was denied by
the outbound ACL list.

Recommended Action None required.

Error Message
%ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address


Explanation The ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile
event that circumvents the ASA or an Intrusion Detection System.

Recommended Action Contact the remote peer administrator or
escalate this issue according to your security policy.

Error Message %ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name

Explanation An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known
as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it
is part of an attack on your ASA.

This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets
input to an interface; if it is configured on the outside, then the ASA checks packets arriving from the outside.

The ASA looks up a route based on the source_address. If an entry is not found and a route is not defined, then this message appears
and the connection is dropped.

If there is a route, the ASA checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an
asymmetric routing environment that has more than one path to a destination. The ASA does not support asymmetric routing.

If the ASA is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not
found, then an internal user is spoofing their address.

Recommended Action Even though an attack is in progress, if this feature is enabled, no user action is required. The ASA repels the attack.

Error Message
%ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name

Explanation A packet matching a connection arrived on a different
interface from the interface on which the connection began. In addition, the ip
verify reverse-path command is not configured.

For example, if a user starts a connection on the inside interface, but the ASA detects the same connection arriving on a perimeter interface, the ASA has more than one path to a destination. This is known as asymmetric routing and is not supported on the ASA.

An attacker also might be attempting to append packets from one connection to another as a way to break into the ASA. In either case, the ASA shows this message and drops the connection.

Recommended Action Check that the routing is not asymmetric.

Error Message%ASA-4-106023: Deny protocol src [interface_name :source_address /source_port ] [([idfw_user |FQDN_string ], sg_info )] dst interface_name :dest_address /dest_port [([idfw_user |FQDN_string ], sg_info )] [type {string }, code {code }] by access_group acl_ID [0x8ed66b60, 0xf8852875]

Explanation A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user
identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domainuser) or FQDN (if the username is not available). If the identity information or
FQDN is available, the ASA logs this information for both the source and destination.

Recommended Action If messages persist from the same source
address, a footprinting or port scanning attempt might be occurring. Contact
the remote host administrator.

Error Message
%ASA-2-106024: Access rules memory exhausted

Explanation The access list compilation process has run out of memory. All configuration information that has been added since the last
successful access list was removed from the ASA, and the most recently compiled set of access lists will continue to be used.

Recommended Action Access lists, AAA, ICMP, SSH, Telnet, and other
rule types are stored and compiled as access list rule types. Remove some of
these rule types so that others can be added.

Error Message
%ASA-6-106025: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port
protocol

Error Message %ASA-6-106026: Failed to determine the security context for the packet:sourceVlan:source_address dest_address source_port dest_port
protocol

Explanation The security context of the packet in multiple
context mode cannot be determined. Both messages can be generated for IP
packets being dropped in either router and transparent mode.

Recommended Action None required.

Error Message %ASA-4-106027:acl_ID: Deny src [source address] dst [destination address] by access-group “access-list name"

Explanation An non IP packet was denied by the ACL. This message
is displayed even if you do not have the log option enabled for an extended
ACL.

Recommended Action If messages persist from the same source
address, it might indicate a foot-printing or port-scanning attempt. Contact
the remote host administrator.

Error Message%ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol
interface_name /source_address (source_port ) (idfw_user , sg_info ) interface_name /dest_address (dest_port ) (idfw_user , sg_info ) hit-cnt number ({first hit | number -second interval}) hash codes

Explanation The initial occurrence or the total number of
occurrences during an interval are listed. This message provides more
information than message 106023, which only logs denied packets, and does not
include the hit count or a configurable level.

When an access-list line has the log argument, it is expected that this message ID might be triggered because of a nonsynchronized packet reaching the ASA and being evaluated by the access list. For example, if an ACK packet is received on the ASA (for which no TCP connection exists in the connection table), the ASA might generate message 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because
of no matching connection.

The following list describes the message values:

• permitted | denied |
  est-allowed—These values specify if the packet was permitted or denied by the
  ACL. If the value is est-allowed, the packet was denied by the ACL but was
  allowed for an already established session (for example, an internal user is
  allowed to accesss the Internet, and responding packets that would normally be
  denied by the ACL are accepted).

• protocol —TCP, UDP, ICMP, or an IP protocol number.

• interface_name —The interface name for the source or destination
  of the logged flow. The VLAN interfaces are supported.

• source_address —The source IP address of the logged flow. The IP
  address is the real IP address instead of the values that display through NAT.

• dest_address —The destination IP address of the logged flow. The
  IP address is the real IP address instead of the values that display through
  NAT.

• source_port —The source port of the logged flow (TCP or UDP).
  For ICMP, the number after the source port is the message type.

• idfw_user— The user identity username, including the domain name that is added to the existing syslog when the ASA can find the username for the IP address.
• sg_info— The security group tag that is added to the syslog when the ASA can find a security group tag for the IP address. The security group name is displayed with the security group tag, if available.

• dest_port —The destination port of the logged flow (TCP or UDP).
  For ICMP, the number after the destination port is the ICMP message code, which
  is available for some message types. For type 8, it is always 0. For a list of
  ICMP message types, see the following URL:
  http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml.

• hit-cnt number —The number of times this flow was permitted or denied by this ACL entry in the configured time interval. The value is 1
  when the ASA generates the first message for this flow.
• first hit—The first message generated for this flow.
• number -second interval—The interval in which the hit count is
  accumulated. Set this interval using the
  access-list command with the
  interval option.

• hash codes—Two are always printed for the object group ACE and the
  constituent regular ACE. Values are determined on which ACE that the packet
  hit. To display these hash codes, enter the
  show-access
  list command.

Recommended Action None required.

Error Message %ASA-1-106101 Number of cached deny-flows for ACL log has reached limit (number ).

Explanation If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement, the ASA caches the flow information. This message indicates that the number of matching flows that are cached on the ASA exceeds the user-configured limit (using the access-list deny-flow-max command). This message might be generated as a result of a DoS attack.

• number— The limit configured using the
  access-list deny-flow-max command

Recommended Action None required.

Error Message %ASA-6-106102: access-list acl_ID {permitted|denied} protocol for user username
interface_name /source_address
source_port
interface_name /dest_address dest_port hit-cnt number {first hit|number -second interval} hash codes

Explanation A packet was either permitted or denied by an
access-list that was applied through a VPN filter. This message is the VPN/AAA
filter equivalent of message 106100.

Recommended Action None required.

Error Message%ASA-4-106103: access-list acl_ID denied protocol for user username
interface_name /source_address
source_port interface_name /dest_address dest_port hit-cnt number first hit hash codes

Explanation A packet was denied by an access-list that was
applied through a VPN filter. This message is the VPN/AAA filter equivalent of
message106023.

Recommended Action None required.

Error Message%ASA-1-107001: RIP auth failed from IP_address : version=number, type=string, mode=string, sequence=number on interface interface_name

Explanation The ASA received a RIP reply message with bad authentication. This message might be caused by a misconfiguration on the router or
the ASA or by an unsuccessful attempt to attack the routing table of the ASA.

Recommended Action This message indicates a possible attack and
should be monitored. If you are not familiar with the source IP address listed
in this message, change your RIP authentication keys between trusted entities.
An attacker might be trying to determine the existing keys.

Error Message%ASA-1-107002: RIP pkt failed from
IP_address : version=number on interface interface_name

Explanation A router bug, a packet with non-RFC values inside, or
a malformed entry may have caused this message to appear. This should not
happen, and may be an attempt to exploit the routing table of the ASA.

Recommended Action This message indicates a possible attack and
should be monitored. The packet has passed authentication, if enabled, and bad
data is in the packet. Monitor the situation and change the keys if there are
any doubts about the originator of the packet.

Error Message
%ASA-2-108002: SMTP replaced string: out source_address in
inside_address data: string

Explanation A Mail Guard (SMTP) message has been generated by the
inspect esmtp command. The ASA has replaced an invalid character in an e-mail
address with a space.

Recommended Action None required.

Error Message%ASA-2-108003: Terminating ESMTP/SMTP
connection; malicious pattern detected in the mail address from
source_interface:source_address/source_port to
dest_interface:dest_address/dset_port . Data:string


Explanation The ASA has detected a malicious pattern in an e-mail
address and drops the connection. An attack is in progress.

Recommended Action None required.

Error Message %ASA-4-108004:
action_class: action
ESMTP req_resp
from src_ifc:sip |sport
to dest_ifc:dip |dport;further_info


Explanation An ESMTP classification is performed on an ESMTP
message, and the specified criteria are satisfied. The configured action is
taken.

• action_class—The
  class of action: ESMTP Classification for ESMTP match commands; ESMTP Parameter
  for parameter commands

• action—Action taken: Dropped, Dropped
  connection for, Reset connection for, or Masked header flags for

• req_resp—Request or Response
• src_ifc—Source interface name
• sip|sport—Source IP address or source port
• dest_ifc—Destination interface name
• dip|dport—Destination IP address or
  destination port

• further
  info—One of the following:

For a single match command: matched Class
id :
match_command (for example, matched Class 1234: match body length
100).

For parameter commands:
parameter-command :
descriptive-message (for example, mail-relay: No Mail Relay
allowed)

Recommended Action None required.

Error Message%ASA-6-108005:
action_class:
Received
ESMTP req_resp
from src_ifc:sip |sport
to dest_ifc:dip |dport;further_info


Explanation An ESMTP classification is performed on an ESMTP
message, and the specified criteria are satisfied. The standalone log action is
taken.

• action_class—The
  class of action: ESMTP Classification for ESMTP match commands; ESMTP Parameter
  for parameter commands

• req_resp—Request or Response
• src_ifc—Source interface name
• sip|sport—Source IP address or source port
• dest_ifc—Destination interface name
• dip|dport—Destination IP address or
  destination port

• further
  info—One of the following:

For a single match command: matched Class
id :
match_command (for example, matched Class 1234: match body length
100)

For parameter commands (commands under the parameter section):
parameter-command :
descriptive-message (for example, mail-relay: No Mail Relay
allowed)

Recommended Action None required.

Error Message %ASA-7-108006: Detected ESMTP size violation
from src_ifc:sip |sport
to dest_ifc:dip |dport; declared size is:
decl_size,
actual size is act_size.


Explanation This event is generated when an ESMTP message size
exceeds the size declared in the RCPT command.

• src_ifc—Source
  interface name

• sip|sport—Source IP address or source port
• dest_ifc—Destination interface name
• dip|dport—Destination IP address or
  destination port

• decl_size—Declared size
• act_size—Actual size

Recommended Action None required.

Error Message
%ASA-6-108007: TLS started on ESMTP session between client
client-side interface-name :
client IP address /client port and server
server-side interface-name :
server IP address /server port


Explanation On an ESMTP connection, the server has responded with
a 220 reply code to the client STARTTLS command. The ESMTP inspection engine no
longer inspects the traffic on this connection.

• client-side interface-name —The name for the interface that
  faces the client side

• client IP address —The IP address of the client

• client port —The TCP port number for the client

• server-side interface-name —The name for the interface that
  faces the server side

• server IP address —The IP address of the server

• server port —The TCP port number for the server

Recommended Action Log and review the message. Check whether the
ESMTP policy map associated with this connection has the allow-tls action log
setting. If not, contact the Cisco TAC.

Error Message
%ASA-6-109001: Auth start for user user from
inside_address/inside_port to outside_address/outside_port


Explanation The ASA is configured for AAA and detects an
authentication request by the specified user.

Recommended Action None required.

Error Message
%ASA-6-109002: Auth from inside_address/inside_port to
outside_address/outside_port failed (server
IP_address failed) on interface interface_name.

Explanation An authentication request failed because the specified
authentication server cannot be contacted by the module.

Recommended Action Check that the authentication daemon is
running on the specified authentication server.

Error Message
%ASA-6-109003: Auth from inside_address to
outside_address/outside_port failed (all servers failed) on interface
interface_name, so marking all servers ACTIVE again.

Explanation No authentication server can be found.

Recommended Action Ping the authentication servers from the ASA.
Make sure that the daemons are running.

Error Message
%ASA-6-109005: Authentication succeeded for user user from
inside_address/inside_port to outside_address/outside_port on interface
interface_name.

Explanation The specified authentication request succeeded.

Recommended Action None required.

Error Message%ASA-6-109006: Authentication failed for user
user from inside_address/inside_port to outside_address/outside_port on
interface interface_name.

Explanation The specified authentication request failed, possibly
because of an incorrect password. The username is hidden when invalid or
unknown, but appears when valid or the
no
logging
hide
username command has been configured.

Recommended Action None required.

Error Message
%ASA-6-109007: Authorization permitted for user user from
inside_address/inside_port to outside_address/outside_port on interface
interface_name.

Explanation The specified authorization request succeeded.

Recommended Action None required.

Error Message
%ASA-6-109008: Authorization denied for user user from
outside_address/outside_port to inside_address/ inside_port on interface
interface_name.


Explanation A user is not authorized to access the specified
address, possibly because of an incorrect password.

Recommended Action None required.

Error Message
%ASA-3-109010: Auth from inside_address/inside_port to
outside_address/outside_port failed (too many pending auths) on interface
interface_name.

Explanation An authentication request cannot be processed because
the server has too many requests pending.

Recommended Action Check to see if the authentication server is
too slow to respond to authentication requests. Enable the Flood Defender
feature with the floodguard enable command.

Error Message
%ASA-2-109011: Authen Session Start: user 'user ', sid number

Explanation An authentication session started between the host and the ASA and has not yet completed.

Recommended Action None required.

Error Message
%ASA-5-109012: Authen Session End: user 'user', sid number, elapsed number seconds

Explanation The authentication cache has timed out. Users must
reauthenticate on their next connection. You can change the duration of this
timer with the timeout uauth command.

Recommended Action None required.

Error Message
%ASA-3-109013: User must authenticate before using this service

Explanation The user must be authenticated before using the
service.

Recommended Action Authenticate using FTP, Telnet, or HTTP before
using the service.

Error Message
%ASA-7-109014: A non-Telnet connection was denied to the
configured virtual Telnet IP address.

Explanation A request to authenticate did not have a
corresponding request for authorization.

Recommended Action Ensure that both the aaa authentication and
aaa authorization command statements are included in the configuration.

Error Message
%ASA-3-109016: Can't find authorization ACL acl_ID for user 'user '

Explanation The specified on the AAA server for this user does not exist on the ASA. This error can occur if you configure the AAA server before you configure the ASA. The Vendor-Specific Attribute (VSA) on your AAA server might be one of the following values:

• acl=acl_ID
• shell:acl=acl_ID
• ACS:CiscoSecured-Defined-ACL=acl_ID

Recommended Action Add the ACL to the ASA, making sure to use the same name specified on the AAA server.

Error Message
%ASA-4-109017: User at
IP_address exceeded auth proxy connection limit (max)

Explanation A user has exceeded the user authentication proxy
limit, and has opened too many connections to the proxy.

Recommended Action Increase the proxy limit by entering the
proxy-limit
proxy_limit command, or ask the user to close unused connections.
If the error persists, it may indicate a possible DoS attack.

Error Message %ASA-3-109018: Downloaded ACL acl_ID is empty

Explanation The downloaded authorization has no ACEs. This
situation might be caused by misspelling the attribute string
ip:inacl# or omitting the access-list command.

junk:junk# 1=permit tcp any any eq junk ip:inacl#1=”

Recommended Action Correct the ACL components that have the
indicated error on the AAA server.

Error Message
%ASA-3-109019: Downloaded ACL acl_ID has parsing error; ACE string


Explanation An error occurred during parsing the sequence number
NNN in the attribute string ip:inacl#NNN= of a downloaded authorization. The
reasons include: — missing = — contains nonnumeric, nonpace characters between
# and = — NNN is greater than 999999999.

ip:inacl# 1 permit tcp any any
ip:inacl# 1junk2=permit tcp any any
ip:inacl# 1000000000=permit tcp any any

Recommended Action Correct the ACL element that has the indicated
error on the AAA server.

Error Message
%ASA-3-109020: Downloaded ACL has config error; ACE

Explanation One of the components of the downloaded authorization
has a configuration error. The entire text of the element is included in the
message. This message is usually caused by an invalid access-list command
statement.

Recommended Action Correct the ACL component that has the
indicated error on the AAA server.

Error Message
%ASA-7-109021: Uauth null proxy error

Explanation An internal user authentication error has occurred.

Recommended Action None required. However, if this error appears
repeatedly, contact the Cisco TAC.

Error Message
%ASA-4-109022: exceeded HTTPS proxy process limit

ExplanationFor each HTTPS authentication, the ASA dedicates a
process to service the authentication request. When the number of concurrently
running processes exceeds the system-imposed limit, the ASA does not perform
the authentication, and this message appears.

Recommended Action None required.

Error Message
%ASA-3-109023: User from
source_address /source_port to
dest_address /dest_port on interface
outside_interface must authenticate before using this
service.

Explanation Based on the configured policies, you need to be
authenticated before you can use this service port.

Recommended Action Authenticate using Telnet, FTP, or HTTP before
attempting to use this service port.

Error Message
%ASA-6-109024: Authorization denied from
source_address /source_port to
dest_address /dest_port (not authenticated) on interface
interface_name using
protocol


Explanation The ASA is configured for AAA and a user attempted to
make a TCP connection across the ASA without prior authentication.

Recommended Action None required.

Error Message
%ASA-6-109025: Authorization denied
(acl=acl_ID) for user
'user' from
source_address /source_port to
dest_address /dest_port on interface
interface_name using
protocol


ExplanationThe check failed. The check either matched a deny or
did not match anything, such as an implicit deny. The connection was denied by
the user acl_ID, which was defined according to the AAA authorization policy on
the Cisco Secure Access Control Server (ACS).

Recommended Action None required.

Error Message
%ASA-3-109026: [aaa protocol ] Invalid reply digest received; shared server key may be mismatched.

Explanation The response from the AAA server cannot be validated.
The configured server key is probably incorrect. This message may be generated
during transactions with RADIUS or TACACS+ servers.

Verify that the server key, configured using the
aaa-server command, is correct.

Error Message
%ASA-4-109027: [aaa protocol] Unable to decipher response message Server = server_IP_address , User = user


Explanation The response from the AAA server cannot be validated.
The configured server key is probably incorrect. This message may be displayed
during transactions with RADIUS or TACACS+ servers. The server_IP_address is
the IP address of the relevant AAA server. The user is the user name associated
with the connection.

Recommended Action Verify that the server key, configured using
the
aaa-server command, is correct.

Error Message
%ASA-4-109028: aaa bypassed for same-security traffic from ingress_ interface:source_address/source_port to egress_interface:dest_address/dest_port

ExplanationAAA is being bypassed for same security traffic that
matches a configured AAA rule. This can only occur when traffic passes between
two interfaces that have the same configured security level, when the same
security traffic is permitted, and if the AAA configuration uses the include or
exclude syntax.

Recommended Action None required.

Error Message
%ASA-5-109029: Parsing downloaded ACL: string


Explanation A syntax error occurred while parsing an access list
that was downloaded from a RADIUS server during user authentication.

• string —An error message detailing the syntax error that
  prevented the access list from parsing correctly

Recommended Action Use the information presented in this message
to identify and correct the syntax error in the access list definition within
the RADIUS server configuration.

Error Message
%ASA-4-109030: Autodetect ACL convert wildcard did not convert ACL access_list source |dest netmask netmask .

ExplanationA dynamic ACL that is configured on a RADIUS server is
not converted by the mechanism for automatically detecting wildcard netmasks.
The problem occurs because this mechanism cannot determine if the netmask is a
wildcard or a normal netmask.

• access_list—The
  access list that cannot be converted

• source—The source IP address
• dest—The destination IP address
• netmask—The subnet mask for the destination
  or source address in dotted-decimal notation

Recommended Action Check the access list netmask on the RADIUS
server for the wildcard configuration. If the netmask is supposed to be a
wildcard, and if all access list netmasks on that server are wildcards, then
use the wildcard setting for
acl-netmask-convert for the AAA server.
Otherwise, change the netmask to a normal netmask or to a wildcard netmask that
does not contain holes (that is, where the netmask presents consecutive binary
1s. For example, 00000000.00000000.00011111.11111111 or hex 0.0.31.255). If the
mask is supposed to be normal and all access list netmasks on that server are
normal, then use the normal
setting for
acl-netmask-convert for the AAA server.

Error Message
%ASA-4-109031: NT Domain Authentication Failed: rejecting guest
login for
username .


Explanation A user has tried to authenticate to an NT domain that
was configured for guest account access and the username is not a valid
username on the NT server. The connection is denied.

Recommended Action If the user is a valid user, add an account to
the NT server. If the user is not allowed access, no action is required.

Error Message
%ASA-3-109032: Unable to install ACL access_list , downloaded for user username ; Error in ACE: ace .

Explanation The ASA received an access control list from a RADIUS server to apply to a user connection, but an entry in the list contains a syntax
error. Th euse of a list containing an error could result in the violation of a security policy, so the ASA failed to authenticate the user.

• access_list —The name assigned to the dynamic access list as it
  would appear in the output of the
  show
  access-list command

• username —The name of the user whose connection will be subject
  to this access list

• ace —The access list entry that was being processed when the
  error was detected

Recommended Action Correct the access list definition in the
RADIUS server configuration.

Error Message
%ASA-4-109033: Authentication failed for admin user user from src_IP . Interactive challenge processing is not supported for protocol connections

Explanation AAA challenge processing was triggered during authentication of an administrative connection, but the ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt
will be rejected and the connection denied.

• user —The name of the user being authenticated

• src_IP —The IP address of the client host

• protocol —The client connection protocol (SSH v1 or
  administrative HTTP)

Recommended Action Reconfigure AAA so that challenge processing
does not occur for these connection types. This generally means to avoid
authenticating these connection types to RSA SecurID servers or to any
token-based AAA server via RADIUS.

Error Message
%ASA-4-109034: Authentication failed for network user user from src_IP/port to dst_IP/port . Interactive challenge processing is not supported for protocol connections

Explanation AAA challenge processing was triggered during authentication of a network connection, but the ASA cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt
will be rejected and the connection denied.

• user —The name of the user being authenticated

• src_IP/port —The IP address and port of the client host

• dst_IP/port —The IP address and port of the server to which the
  client is attempting to connect

• protocol —The client connection protocol (for example, FTP)

Recommended Action Reconfigure AAA so that challenge processing
does not occur for these connection types. This generally means to avoid
authenticating these connection types to RSA SecurID servers or to any
token-based AAA server via RADIUS.

Error Message
%ASA-3-109035: Exceeded maximum number (<max_num>) of DAP attribute instances for user <user>

Explanation This log is generated when the number of DAP attributes received from the RADIUS server exceeds the maximum number allowed
when authenticating a connection for the specified user.

Recommended Action Modify the DAP attribute configuration to reduce the number of DAP attributes below the maximum number allowed as specified
in the log so that the specified user can connect.

Error Message
%ASA-6-109036: Exceeded 1000 attribute values for the attribute name attribute for user username .

Explanation The LDAP response message contains an attribute that
has more than 1000 values.

• attribute_name —The LDAP attribute name

• username —The username at login

Recommended Action None required.

Error Message
%ASA-3-109037: Exceeded 5000 attribute values for the attribute name attribute for user username .

Explanation The ASA supports multiple values of the same attribute received from a AAA server. If the AAA server sends a response containing
more than 5000 values for the same attribute, then the ASA treats this response message as being malformed and rejects the authentication. This condition has only been seen in lab
environments using specialized test tools. It is unlikely that the condition would occur in a real-world production network.

• attribute_name —The LDAP attribute name

• username —The username at login

Recommended Action Capture the authentication traffic between the ASA and AAA server using a protocol sniffer (such as WireShark), then forward the trace file to the Cisco TAC for analysis.

Error Message
%ASA-3-109038: Attribute internal-attribute-name value string-from-server from AAA server could not be parsed as a type
internal-attribute-name string representation of the attribute name

Explanation The AAA subsystem tried to parse an attribute from
the AAA server into an internal representation and failed.

• string-from-server— String received from the AAA server,
  truncated to 40 characters.

• type —The type of the specified attribute

Recommended Action Verify that the attribute is being generated
correctly on the AAA server. For additional information, use the
debug
ldap and
debug
radius commands.

Error Message
%ASA-5-109039: AAA Authentication:Dropping an unsupported IPv6/IP46/IP64 packet from lifc :laddr to fifc :faddr


Explanation A packet containing IPv6 addresses or IPv4 addresses
translated to IPv6 addresses by NAT requires AAA authentication or
authorization. AAA authentication and authorization do not support IPv6
addresses. The packet is dropped.

• lifc —The ingress interface

• laddr —The source IP address

• fifc —The egress interface

• faddr —The destination IP address after NAT translation, if any

Recommended Action None required.

Error Message
%ASA-4-109040: User at
IP exceeded auth proxy rate limit of 10 connections/sec

Explanation A connection attempt has been rejected because the
ASA has detected a high frequency of HTTPS authentication requests from the
same host.

• IP —The IP address of the host from which the connection was
  initiated

Recommended Action Limit the number of cut-through proxy
authentication attempts from users.

Error Message
%ASA-6-109100: Received CoA update from coa-source-ip for user username , with session ID: audit-session-id , changing authorization attributes

Explanation The ASA has successfully processed the CoA policy update request from coa-source-ip for user username with session id audit-session-id . This syslog message is generated after a change of authorization policy update has been received by the ASA, validated and applied. In a non-error case, this is the only syslog message that is generated when a change of authorization
is received and processed.

• coa-source-ip —Originating IP address of the change of
  authorization request

• username —User whose session is being changed

• audit-session-id —The global ID of the session being modified

Recommended Action None required.

Error Message
%ASA-6-109101: Received CoA disconnect request from coa-source-ip for user username , with audit-session-id: audit-session-id


Explanation The ASA has received a correctly formatted Disconnect-Request for an active VPN session and has successfully terminated the connection.

• coa-source-ip —Originating IP address of the change of
  authorization request

• username —User whose session is being changed

• audit-session-id —The global ID of the session being modified

Recommended Action None required.

Error Message
%ASA-4-109102: Received CoA action-type from coa-source-ip , but cannot find named session audit-session-id


Explanation The ASA has received a valid change of authorization request, but the session ID specified in the request does not match any active
sessions on the ASA. This could be the result of the change of authorization server attempting to issue a change of authorization on a session
that has already been closed by the user.

• action-type —The requested change of authorization action
  (update or disconnect)

• coa-source-ip —Originating IP address of the change of
  authorization request

• audit-session-id —The global ID of the session being modified

Recommended Action None required.

Error Message
%ASA-3-109103: CoA action-type from coa-source-ip failed for user username , with session ID: audit-session-id .

Explanation The ASA has received a correctly formatted change of authorization request, but was unable to process it successfully.

• action-type —The requested change of authorization action
  (update or disconnect)

• coa-source-ip —Originating IP address of the change of
  authorization request

• username —User whose session is being changed

• audit-session-id —The global ID of the session being modified

Recommended Action Investigate the relevant VPN subsystem logs to
determine why the updated attributes could not be applied or why the session
could not be terminated.

Error Message
%ASA-3-109104: CoA action-type from coa-source-ip failed for user username , session ID: audit-session-id . Action not supported.

Explanation The ASA has received a correctly formatted change of authorization request, but did not process it because the indicated action is
not supported by the ASA.

• action-type —The requested change of authorization action
  (update or disconnect)

• coa-source-ip —Originating IP address of the change of
  authorization request

• username —User whose session is being changed

• audit-session-id —The global ID of the session being modified

Recommended Action None required.

Error Message
%ASA-3-109105: Failed to determine the egress interface for locally generated traffic destined to <protocol> <IP>:<port>.

Explanation It is necessary for ASA to log a syslog if no routes are present when the interface is BVI. Apparently, if default route is present and it does not
route packet to the correct interface then it becomes impossible to track it. In case of Firepower Threat Defense, management routes are looked first following the data interface. So if default route is routing packets to different destination,
then it is difficult to track it.

Recommended Action It is highly recommended to add default route for correct destination or add static routes.

Error Message
%ASA-6-110002: Failed to locate egress interface for protocol from src interface :src IP/src port to dest IP/dest port


Explanation An error occurred when the ASA tried to find the interface through which to send the packet.

• protocol —The protocol of the packet

• src interface —The interface from which the packet was received

• src IP —The source IP address of the packet

• src port —The source port number

• dest IP —The destination IP address of the packet

• dest port —The destination port number

Recommended Action Copy the error message, the configuration, and
any details about the events leading up to the error, and contact Cisco TAC.

Error Message
%ASA-6-110003: Routing failed to locate next-hop for protocol from src interface :src IP/src port to dest interface :dest IP/dest port


Explanation An error occurred when the ASA tried to find the next hop on an interface routing table.

• protocol —The protocol of the packet

• src interface —The interface from which the packet was received

• src IP —The source IP address of the packet

• src port —The source port number

• dest IP —The destination IP address of the packet

• dest port —The destination port number

Recommended Action Copy the error message, the configuration, and
any details about the events leading up to the error, and contact Cisco TAC.
During debugging, use the
show
asp
table
routing command to view the routing table details.

Error Message
%ASA-6-110004: Egress interface changed from old_active_ifc to new_active_ifc on ip_protocol connection conn_id for outside_zone /parent_outside_ifc :outside_addr /outside_port (mapped_addr /mapped_port ) to inside_zone /parent_inside_ifc :inside_addr /inside_port (mapped_addr /mapped_port )

Explanation A flow changed on the egress interface.

Recommended Action None required.

Error Message
%ASA-5-111001: Begin configuration: IP_address writing to device


Explanation You have entered the
write command to store your configuration on a
device (either floppy, flash memory, TFTP, the failover standby unit, or the
console terminal). The
IP_address indicates whether the login was made
at the console port or with a Telnet connection.

Recommended Action None required.

Error Message
%ASA-5-111002: Begin configuration: IP_address reading from device

Explanation You have entered the
read
command to read your configuration from a device (either floppy
disk, flash memory, TFTP, the failover standby unit, or the console terminal).
The
IP_address indicates whether the login was made
at the console port or with a Telnet connection.

Recommended Action None required.

Error Message
%ASA-5-111003: IP_address Erase configuration

Explanation You have erased the contents of flash memory by
entering the
write
erase command at the console. The
IP_address value indicates whether the login
was made at the console port or through a Telnet connection.

Recommended Action After erasing the configuration, reconfigure the ASA and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved,
either on a floppy disk or on a TFTP server elsewhere on the network.

Error Message
%ASA-5-111004: IP_address end configuration: {FAILED|OK}

Explanation You have entered the
config
floppy/memory/
network command or the
write
floppy/memory/network/standby command. The
IP_address value indicates whether the login
was made at the console port or through a Telnet connection.

Recommended Action None required if the message ends with OK. If
the message indicates a failure, try to fix the problem. For example, if
writing to a floppy disk, ensure that the floppy disk is not write protected;
if writing to a TFTP server, ensure that the server is up.

Error Message
%ASA-5-111005: IP_address end configuration: OK

Explanation You have exited the configuration mode. The
IP_address value indicates whether the login
was made at the console port or through a Telnet connection.

Recommended Action None required.

Error Message
%ASA-5-111007: Begin configuration: IP_address reading from device.

Explanation You have entered the
reload or
configure command to read in a configuration.
The device text can be floppy, memory, net, standby, or terminal. The
IP_address value indicates whether the login
was made at the console port or through a Telnet connection.

Recommended Action None required.

Error Message
%ASA-5-111008: User user executed the command string


Explanation The user entered any command, with the exception of a
show command.

Recommended Action None required.

Error Message %ASA-7-111009:User user executed cmd:string


Explanation The user entered a command that does not modify the
configuration. This message appears only for
show commands.

Recommended Action None required.

Error Message
%ASA-5-111010: User username , running application-name from IP ip addr , executed cmd


Explanation A user made a configuration change.

• username —The user making the configuration change

• application-name —The application that the user is running

• ip addr —The IP address of the management station

• cmd —The command that the user has executed

Recommended Action None required.

Error Message
% ASA-1-111111 error_message


Explanation A system or infrastructure error has occurred.

Recommended Action If the problem persists, contact the Cisco TAC.

Error Message %ASA-2-112001: (string :dec ) Clear complete.

Explanation A request to clear the module configuration was
completed. The source file and line number are identified.

Recommended Action None required.

Error Message
%ASA-3-113001: Unable to open AAA session. Session limit [limit ] reached.

Explanation The AAA operation on an IPsec tunnel or WebVPN
connection cannot be performed because of the unavailability of AAA resources.
The
limit value indicates the maximum number of
concurrent AAA transactions.

Recommended Action Reduce the demand for AAA resources, if
possible.

Error Message
%ASA-6-113003: AAA group policy for user user is being set to policy_name .

Explanation The group policy that is associated with the tunnel
group is being overridden with a user-specific policy,
policy_name . The
policy_name is specified using the
username command when LOCAL authentication is
configured or is returned in the RADIUS CLASS attribute when RADIUS
authentication is configured.

Recommended Action None required.

Error Message
%ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address , User = user


Explanation The AAA operation on an IPsec or WebVPN connection has
been completed successfully. The AAA types are authentication, authorization,
or accounting. The
server_IP_address is the IP address of the
relevant AAA server. The
user is the user name associated with the
connection.

Recommended Action None required.

Error Message
%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = ip_addr : user = *****: user IP = ip_addr


Explanation The AAA authentication on a connection has failed. The
username is hidden when invalid or unknown, but appears when valid or the
no
logging
hide
username command has been configured.

Recommended Action Retry the authentication.

Error Message
%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = ip_addr : user = *****: user IP = ip_addr


Explanation The AAA authentication on a connection has failed. The
username is hidden when invalid or unknown, but appears when valid or the
no
logging
hide
username command has been configured.

Recommended Action Retry the authentication.

Error Message
%ASA-6-113006: User user locked out on exceeding number successive failed authentication attempts

Explanation A locally configured user is being locked out. This
happens when a configured number of consecutive authentication failures have
occurred for this user and indicates that all future authentication attempts by
this user will be rejected until an administrator unlocks the user using the
clear
aaa
local
user
lockout command. The
user is the user that is now locked, and the
number is the consecutive failure threshold
configured using the
aaa
local
authentication
attempts
max-fail
command.

Recommended Action Try unlocking the user using the
clear_aaa_local_user_lockout command or
adjusting the maximum number of consecutive authentication failures that are
tolerated.

Error Message
%ASA-6-113007: User user unlocked by administrator


Explanation A locally configured user that was locked out after
exceeding the maximum number of consecutive authentication failures set by
using the
aaa
local
authentication
attempts
max-fail
command has been unlocked by the indicated administrator.

Recommended Action None required.

Error Message
%ASA-6-113008: AAA transaction status ACCEPT: user = user


Explanation The AAA transaction for a user associated with an
IPsec or WebVPN connection was completed successfully. The user is the username
associated with the connection.

Recommended Action None required.

Error Message
%ASA-6-113009: AAA retrieved default group policy policy for user user


Explanation The authentication or authorization of an IPsec or
WebVPN connection has occurred. The attributes of the group policy that were
specified with the
tunnel-group or
webvpn commands have been retrieved.

Recommended Action None required.

Error Message
%ASA-6-113010: AAA challenge received for user user from server server_IP_address


Explanation The authentication of an IPsec connection has
occurred with a SecurID server. The user will be prompted to provide further
information before being authenticated.

• user—The
  username associated with the connection

• server
  _IP_address—The IP address of the relevant AAA
  server

Recommended Action None required.

Error Message %ASA-6-113011: AAA retrieved user specific group policy policy for user user


Explanation The authentication or authorization of an IPsec or
WebVPN connection has occurred. The attributes of the group policy that was
specified with the
tunnel-group or
webvpn commands have been retrieved.

Recommended Action None required.

Error Message
%ASA-6-113012: AAA user authentication Successful: local database: user = user


Explanation The user associated with a IPsec or WebVPN connection
has been successfully authenticated to the local user database.

• user—The
  username associated with the connection

Recommended Action None required.

Error Message
%ASA-6-113013: AAA unable to complete the request Error: reason = reason : user = user


Explanation The AAA transaction for a user associated with an
IPsec or WebVPN connection has failed because of an error or has been rejected
because of a policy violation.

• reason—The
  reason details

• user—The username associated with the
  connection

Recommended Action None required.

Error Message
%ASA-6-113014: AAA authentication server not accessible: server = server_IP_address : user = user


Explanation The device was unable to communicate with the
configured AAA server during the AAA transaction associated with an IPsec or
WebVPN connection. This may or may not result in a failure of the user
connection attempt depending on the backup servers configured in the
aaa-server group and the availability of those
servers. The username is hidden when invalid or unknown, but appears when valid
or the
no
logging
hide
username command has been configured.

Recommended Action Verify connectivity with the configured AAA
servers.

Error Message
%ASA-6-113015: AAA user authentication Rejected: reason = reason : local database: user = user: user IP = xxx.xxx.xxx.xxx


Explanation A request for
authentication to the local user database for a user associated with an IPsec
or WebVPN connection has been rejected. The username is hidden when invalid or
unknown, but appears when valid or the
no logging
hide username command has been configured.

• reason—The
  details of why the request was rejected

• user—The username
  associated with the connection

• user_ip —The IP address of the user who
  initiated the authentication or authorization request<915CLI>

Recommended Action None
required.

Error Message
%ASA-6-113016: AAA credentials rejected: reason = reason : server = server_IP_address : user = user<915CLI>: user IP = xxx.xxx.xxx.xxx


Explanation The AAA transaction for a user associated with an
IPsec or WebVPN connection has failed because of an error or rejected due to a
policy violation. The username is hidden when invalid or unknown, but appears
when valid or the
no
logging
hide
username command has been configured.

• reason—The
  details of why the request was rejected

• server_IP_address—The IP address of the
  relevant AAA server

• user—The username associated with the
  connection

• <915CLI>user_ip —The IP address of the user who initiated
  the authentication or authorization request

Recommended Action None required.

Error Message
%ASA-6-113017: AAA credentials rejected: reason = reason : local database: user = user: user IP = xxx.xxx.xxx.xxx


Explanation The
AAA transaction for a user associated with an IPsec or WebVPN connection has
failed because of an error or rejected because of a policy violation. This
event only appears when the AAA transaction is with the local user database
rather than with an external AAA server.

• reason—The
  details of why the request was rejected

• user—The username
  associated with the connection

• user_ip —The IP address of the user who
  initiated the authentication or authorization request

Recommended Action None
required.

Error Message
%ASA-3-113018: User: user , Unsupported downloaded ACL Entry: ACL_entry , Action: action


Explanation An ACL entry in unsupported format was downloaded from
the authentication server. The following list describes the message values:

• user—User
  trying to log in

• ACL_entry—Unsupported ACL entry downloaded
  from the authentication server

• action—Action taken when encountering the
  unsupported ACL entry

Recommended Action The ACL entry on the authentication server has
to be changed by the administrator to conform to the supported ACL entry
formats.

Error Message
%ASA-4-113019: Group = group , Username = username , IP = peer_address , Session disconnected. Session Type: type , Duration: duration , Bytes xmt: count , Bytes rcv: count , Reason: reason


Explanation An indication of when and why the longest idle user
is disconnected.

• group—Group
  name

• username—Username
• IP—Peer address
• Session
  Type—Session type (for example, IPsec or UDP)

• duration—Connection duration in hours,
  minutes, and seconds

• Bytes
  xmt—Number of bytes transmitted

• Bytes rcv —Number of bytes received

• reason—Reason for disconnection

User Requested

Lost Carrier

Lost Service

Idle Timeout

Max time exceeded

Administrator Reset

Administrator Reboot

Administrator Shutdown

Port Error

NAS Error

NAS Request

NAS Reboot

Port unneeded

Connection preempted. Indicates that the allowed number of simultaneous
(same user) logins has been exceeded. To resolve this problem, increase the
number of simultaneous logins or have users only log in once with a given
username and password.

Port Suspended

Service Unavailable

Callback

User error

Host Requested

SA Expired

IKE Delete

Bandwidth Management Error

Certificate Expired

Phase 2 Mismatch

Firewall Mismatch

Peer Address Changed

ACL Parse Error

Phase 2 Error

Configuration Error

Peer Reconnected

Internal Error

Crypto map policy not found

L2TP initiated

VLAN Mapping Error

NAC-Policy Error

Dynamic Access Policy terminate

Client type not supported

Unknown

Recommended Action Unless the reason indicates a problem, then no
action is required.

Error Message
%ASA-3-113020: Kerberos error: Clock skew with server ip_address greater than 300 seconds

Explanation Authentication for an IPsec or WebVPN user through a Kerberos server has failed because the clocks on the ASA and the server are more than five minutes (300 seconds) apart. When this occurs, the connection attempt is rejected.

• ip_address —The IP address of the Kerberos server

Recommended Action Synchronize the clocks on the ASA and the Kerberos server.

Error Message
%ASA-3-113021: Attempted console login failed. User username did NOT have appropriate Admin Rights.

Explanation A user has tried to access the management console and
was denied.

• username —The username entered by the user

Recommended Action If the user is a newly added admin rights
user, check that the service type (LOCAL or RADIUS authentication server) for
that user is set to allow access:

• nas-prompt—Allows login to the console and exec privileges at the
  required level, but not enable (configuration modification) access

• admin—Allows all access and can be further constrained by command
  privileges

Otherwise, the user is inappropriately trying to access the management
console; the action to be taken should be consistent with company policy for
these matters.

Error Message
%ASA-2-113022: AAA Marking RADIUS server servername in aaa-server group AAA-Using-DNS as FAILED

Explanation The ASA has tried an authentication, authorization, or accounting request to the AAA server and did not receive a response within
the configured timeout window. The AAA server will be marked as failed and has been removed from service.

• protocol —The type of authentication protocol, which can be one
  of the following:

— RADIUS

— TACACS+

— NT

— RSA SecurID

— Kerberos

— LDAP

• ip-addr —The IP address of the AAA server

• tag —The server group name

Recommended Action Verify that the AAA server is online and is accessible from the ASA.

Error Message
%ASA-2-113023: AAA Marking protocol server ip-addr in server group tag as ACTIVE

Explanation The ASA has reactivated the AAA server that was previously marked as failed. The AAA server is now available to service AAA requests.

• protocol —The type of authentication protocol, which can be one
  of the following:

— RADIUS

— TACACS+

— NT

— RSA SecurID

— Kerberos

— LDAP

• ip-addr —The IP address of the AAA server

• tag —The server group name

Recommended Action None required.

Error Message
%ASA-5-113024: Group tg : Authenticating type connection from ip with username, user_name , from client certificate

Explanation The prefill username feature overrides the username
with one derived from the client certificate for use in AAA.

• tg —The tunnel group

• type —The type of connection (ssl-client or clientless)

• ip —The IP address of the connecting user

• user_name —The name extracted from the client certificate for
  use in AAA

Recommended Action None required.

Error Message
%ASA-5-113025: Group tg : fields Could not authenticate connection type connection from ip


Explanation A username cannot be successfully extracted from the
certificate.

• tg —The tunnel group

• fields —The DN fields being searched for

• connection type —The type of connection (SSL client or
  clientless)

• ip —The IP address of the connecting user

Recommended Action The administrator should check that the
authentication
aaa
certificate,
ssl
certificate-authentication, and
authorization-dn-attributes keywords have been
set correctly.

Error Message
%ASA-4-113026: Error error while executing Lua script for group tunnel group


Explanation An error occurred while extracting a username from
the client certificate for use in AAA. This message is only generated when the
username-from-certificate use-script option is enabled.

• error —Error string returned from the Lua environment

• tunnel group —The tunnel group attempting to extract a username
  from a certificate

Recommended Action Examine the script being used by the
username-from-certificate use-script option for errors.

Error Message
%ASA-2-113027: Error activating tunnel-group scripts

Explanation The script file cannot be loaded successfully. No
tunnel groups using the username-from-certificate use-script option work
correctly.

Recommended Action The administrator should check the script file
for errors using ASDM. Use the
debug
aaa command to obtain a more detailed error message
that may be useful.

Error Message
%ASA-7-113028: Extraction of username from VPN client certificate has string. [Request num ]

Explanation The processing request of a username from a
certificate is running or has finished.

• num —The ID of the request (the value of the pointer to the
  fiber), which is a monotonically increasing number.

• string —The status message, which can one of the following:
  • been requested
  • started
  • finished with error
  • finished successfully
  • completed

Recommended Action None required.

Error Message %ASA-4-113029: Group group User user IP ipaddr Session could not be established: session limit of num reached

Explanation The user session cannot be established because the
current number of sessions exceeds the maximum session load.

Recommended Action Increase the configured limit, if possible, to
create a load-balanced cluster.

Error Message
%ASA-4-113030: Group group User user IP ipaddr User ACL acl from AAA doesn't exist on the device, terminating connection.

Explanation The specified ACL was not found on the ASA.

• group—The
  name of the group

• user—The name of the user
• ipaddr—The IP address
• acl—The name of the ACL

Recommended Action Modify the configuration to add the specified
ACL or to correct the ACL name.

Error Message %ASA-4-113031: Group group User user IP ipaddr AnyConnect vpn-filter filter is an IPv6 ACL; ACL not applied.

Explanation The type of ACL to be applied is incorrect. An IPv6
ACL has been configured as an IPv4 ACL through the
vpn-filter command.

• group —The group policy name of the user

• user —The username

• ipaddr —The public (not assigned) IP address of the user

• filter —The name of the VPN filter

Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA, and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.

Error Message %ASA-4-113032: Group group User user IP ipaddr AnyConnect ipv6-vpn-filter filter is an IPv4 ACL; ACL not applied.

Explanation The type of ACL to be applied is incorrect. An IPv4
ACL has been configured as an IPv6 ACL through the
ipv6-vpn-filter command.

• group —The group policy name of the user

• user —The username

• ipaddr —The public (not assigned) IP address of the user

• filter —The name of the VPN filter

Recommended Action Validate the VPN filter and IPv6 VPN filter configurations on the ASA and the filter parameters on the AAA (RADIUS) server. Make sure that the correct type of ACL is specified.

Error Message %ASA-6-113033: Group group User user IP ipaddr AnyConnect session not allowed. ACL parse error.

Explanation The WebVPN session for the specified user in this
group is not allowed because the associated ACL did not parse. The user will
not be allowed to log in via WebVPN until this error has been corrected.

• group —The group policy name of the user

• user —The username

• ipaddr —The public (not assigned) IP address of the user

Recommended Action Correct the WebVPN ACL.

Error Message %ASA-4-113034: Group group User user IP ipaddr User ACL acl from AAA ignored, AV-PAIR ACL used instead.

Explanation The specified ACL was not used because a Cisco
AV-PAIR ACL was used.

• group—The
  name of the group

• user—The name of the user
• ipaddr—The IP address
• acl—The name of the ACL

Recommended Action Determine the correct ACL to use and correct
the configuration.

Error Message
%ASA-4-113035: Group group User user IP ipaddr Session terminated: AnyConnect not enabled or invalid AnyConnect image on the ASA.

Explanation The user logged in via the AnyConnect client. The SVC
service is not enabled globally, or the SVC image is invalid or corrupted. The
session connection has been terminated.

• group —The name of the group policy with which the user is
  trying to connect

• user —The name of the user who is trying to connect

• iaddrp —The IP address of the user who is trying to connect

Recommended Action Enable the SVC globally using the
svc-enable command. Validate the integrity and
versions of the SVC images by reloading new images using the
svc
image command.

Error Message %ASA-4-113036: Group group User user IP ipaddr AAA parameter name value invalid.

Explanation The given parameter
has a bad value. The value is not shown because it might be very
long.

• group—The
  name of the group

• user—The name of the user
• ipadddr—The IP address
• name—The name of the parameter

Recommended Action Modify the configuration to correct the
indicated parameter.

Error Message %ASA-6-113037: Reboot pending, new sessions disabled. Denied user login.

Explanation A user was unable to log in to WebVPN because the ASA is in the process of rebooting.

Recommended Action None required.

Error Message
%ASA-4-113038: Group group User user IP ipaddr Unable to create AnyConnect parent session.

Explanation The AnyConnect session was not created for the user
in the specified group because of resource issues. For example, the user may
have reached the maximum login limit.

• group—The
  name of the group

• user—The name of the user
• ipadddr—The IP address

Recommended Action None required.

Error Message
%ASA-6-113039: Group group User user IP ipaddr AnyConnect parent session started.

Explanation The AnyConnect session has started for the user in
this group
at the specified IP address. When the user logs in via the
AnyConnect login page, the AnyConnect session starts.

• group—The
  name of the group

• user—The name of the user
• ipadddr—The IP address

Recommended Action None required.

Error Message %ASA-4-113040: Terminating the VPN connection attempt from attempted
group . Reason: This connection is group locked to locked group.


Explanation The tunnel group over which the connection is
attempted is not the same as the tunnel group set in the group lock.

• attempted group —The tunnel group over which the connection came
  in

• locked group —The tunnel group for which the connection is
  locked or restricted

Recommended Action Check the group-lock value in the group policy
or the user attributes.

Error Message
%ASA-4-113041: Redirect ACL configured for assigned IP does not exist on the device.

Explanation An error occurred when the redirect URL was installed and the ACL was received from the ISE, but the redirect ACL does not
exist on the ASA.

• assigned IP —The IP address that is assigned to the client

Recommended Action Configure the redirect ACL on the ASA.

Error Message %ASA-4-113042: CoA: Non-HTTP connection from src_if :src_ip /src_port to dest_if :dest_ip /dest_port for user username at client_IP denied by redirect filter; only HTTP connections are supported for redirection.

Explanation For the CoA feature, the redirect ACL filter drops the
matching non-HTTP traffic during the redirect processing and provides
information about the terminated traffic flow.

• src_if ,
  src_ip ,
  src_port —The source interface, IP address, and port of the flow

• dest_if ,
  dest_ip ,
  dest_port —The destination interface, IP address, and port of
  the flow

• username —The name of the user

• client_IP —The IP address of the client

Recommended Action Validate the redirect ACL configuration on the ASA. Make sure that the correct filter is used to match the traffic to redirect and does not block the flow that is intended
to be allowed through.

Error Message %ASA-6-113045: AAA SDI server IP_address in aaa-server group group_name: status changed from previous-state to current-state

Explanation

When servers are administratively added to or removed from SDI cluster, a new state⏤REMOVED is added to the status transition
message.

Example

During initial transition:

%ASA-6-113045: AAA SDI server 10.x.x.x in aaa-server group test-SDI-group: status changed from REMOVED to OK

When server fails to respond after several attempts:

%ASA-6-113045: AAA SDI server 10.x.x.x in aaa-server group test-SDI-group: status changed from OK to SUSPENDED

When server finally responds:

%ASA-6-113045: AAA SDI server 10.x.x.x in aaa-server group test-SDI-group: status changed from SUSPENDED to OK

When server is administratively removed from the SDI cluster:

%ASA-6-113045: AAA SDI server 10.x.x.x in aaa-server group test-SDI-group: status changed from OK to REMOVED

Recommended Action None required.

Error Message
%ASA-1-114001: Failed to initialize 4GE SSM I/O card (error error_string ).

Explanation The system failed to initialize a 4GE SSM I/O card
because of an I2C error or a switch initialization error.

• syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-1-114002: Failed to initialize SFP in 4GE SSM I/O card (error error_string ).

Explanation The system failed to initialize an SFP connector in a
4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-1-114003: Failed to run cached commands in 4GE SSM I/O card (error error_string ).

Explanation The system failed to run cached commands in a 4GE SSM
I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-6-114004: 4GE SSM I/O Initialization start.

Explanation The user has been notified that a 4GE SSM I/O
initialization is starting.

• >syslog_id —Message identifier

Recommended Action None required.

Error Message
%ASA-6-114005: 4GE SSM I/O Initialization end.

Explanation The user has been notified that an 4GE SSM I/O
initialization is finished.

• >syslog_id —Message identifier

Recommended Action None required.

Error Message
%ASA-3-114006: Failed to get port statistics in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to obtain port statistics in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114007: Failed to get current msr in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to obtain the current module status register information in a 4GE SSM I/O card because of an I2C error or a switch
initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114008: Failed to enable port after link is up in 4GE SSM I/O card due to either I2C serial bus access error or switch
access error.

Explanation The ASA failed to enable a port after the link transition to Up state is detected in a 4GE SSM I/O card because of either an I2C
serial bus access error or a switch access error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114009: Failed to set multicast address in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to set the multicast address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114010: Failed to set multicast hardware address in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to set the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114011: Failed to delete multicast address in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to delete the multicast address in a 4GE SSM I/O card because of either an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114012: Failed to delete multicast hardware address in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to delete the multicast hardware address in a 4GE SSM I/O card because of an I2C error or a switch initialization
error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:
  • I2C_BUS_TRANSACTION_ERROR
  • I2C_CHKSUM_ERROR
  • I2C_TIMEOUT_ERROR
  • I2C_BUS_COLLISION_ERROR
  • I2C_HOST_BUSY_ERROR
  • I2C_UNPOPULATED_ERROR
  • I2C_SMBUS_UNSUPPORT
  • I2C_BYTE_COUNT_ERROR
  • I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114013: Failed to set mac address table in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to set the MAC address table in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114014: Failed to set mac address in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to set the MAC address in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114015: Failed to set mode in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to set individual or promiscuous mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are I2C serial bus errors:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114016: Failed to set multicast mode in 4GE SSM I/O card (error error_string ).

ExplanationThe ASA failed to set the multicast mode in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114017: Failed to get link status in 4GE SSM I/O card (error error_string ).

ExplanationThe ASA failed to obtain link status in a 4GE SSM I/O card because of an I2C serial bus access error or a switch access error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Notify the system administrator.
2. Log and review the messages and the errors associated with the
   event.

3. Reboot the software running on the ASA.
4. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

5. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114018: Failed to set port speed in 4GE SSM I/O card (error error_string ).

Explanation The ASA failed to set the port speed in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114019: Failed to set media type in 4GE SSM I/O card (error error_string ).

ExplanationThe ASA failed to set the media type in a 4GE SSM I/O card because of an I2C error or a switch initialization error.

• >syslog_id —Message identifier

• >error_string —An I2C serial bus error or a switch access
  error, which is a decimal error code. The following are the I2C serial bus
  errors:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages and the errors associated with the
   event.

2. Reboot the software running on the ASA.
3. Power cycle the device. When you turn off the power, make sure you
   wait several seconds before turning the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114020: Port link speed is unknown in 4GE SSM I/O card.

ExplanationThe ASA cannot detect the port link speed in a 4GE SSM I/O card.

Recommended Action Perform the following steps:

1. Log and review the messages
   associated with the event.

2. Reset the 4GE SSM I/O card and observe whether or not the software
   automatically recovers from the event.

3. If the software does not recover automatically, power cycle the
   device. When you turn off the power, make sure you wait several seconds before
   you turn the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114021: Failed to set multicast address table in 4GE SSM I/O card due to error .

ExplanationThe ASA failed to set the multicast address table in the 4GE SSM I/O card because of either an I2C serial bus access error or a switch
access error.

• error—A
  switch access error (a decimal error code) or an I2C serial bus error. Possible
  I2C serial bus errors include:

— I2C_BUS_TRANSACTION_ERROR

— I2C_CHKSUM_ERROR

— I2C_TIMEOUT_ERROR

— I2C_BUS_COLLISION_ERROR

— I2C_HOST_BUSY_ERROR

— I2C_UNPOPULATED_ERROR

— I2C_SMBUS_UNSUPPORT

— I2C_BYTE_COUNT_ERROR

— I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log and review the messages associated with the event.
2. Try to reboot the ASA.
3. If the software does not recover automatically, power cycle the
   device. When you turn off the power, make sure you wait several seconds before
   you turn the power on.

4. If the problem persists, contact the Cisco TAC.

Error Message
%ASA-3-114022: Failed to pass broadcast traffic in 4GE SSM I/O card due to error_string


ExplanationThe ASA failed to pass broadcast traffic in the 4GE SSM I/O card because of a switch access error.

• error_string —A switch access error, which will be a decimal
  error code

Recommended Action Perform the following steps:

1. Log the message and errors surrounding the event.
2. Retrieve the ssm4ge_dump file from the compact flash, and send it to
   Cisco TAC.

3. Contact Cisco TAC with the information collected in Steps 1 and 2.

Note	The 4GE SSM will be automatically reset and recover.

Error Message
%ASA-3-114023: Failed to cache/flush mac table in 4GE SSM I/O card due to error_string .

Explanation A failure to cache or flush the MAC table in a 4GE
SSM I/O card occurred because of an I2C serial bus access error or a switch
access error. This message rarely occurs.

• error_string—
  Either an I2C serial bus error (see the second bullet for possible values) or a
  switch access error (which is a decimal error code).

• I2C serial bus errors are as follows:

I2C_BUS_TRANSACTION_ERROR

I2C_CHKSUM_ERROR

I2C_TIMEOUT_ERROR

I2C_BUS_COLLISION_ERROR

I2C_HOST_BUSY_ERROR

I2C_UNPOPULATED_ERROR

I2C_SMBUS_UNSUPPORT

I2C_BYTE_COUNT_ERROR

I2C_DATA_PTR_ERROR

Recommended Action Perform the following steps:

1. Log the syslog message and the errors surrounding the event.
2. Try to software reboot the ASA.
3. Power cycle the ASA.

Note	When you turn off the power, make sure that you wait several seconds before powering on again. After you complete steps 1-3, if the problem persists, contact the Cisco TAC and provide the information described in step 1. You may need to RMA the ASA.

Error Message
%ASA-2-115000: Critical assertion in process: process name fiber: fiber name , component: component name , subcomponent: subcomponent name , file: filename , line: line number , cond: condition


ExplanationThe critical assertion has gone off and is used during
development in checked builds only, but never in production builds.

• process
  name— The name of the process

• fiber name —The name of the fiber

• component name —The name of the specified component

• subcomponent name —The name of the specified subcomponent

• filename —The name of the specified file

• line number —The line number for the specified line

• condition —The specified condition

Recommended Action A high priority defect should be filed, the
reason for the assertion should be investigated, and the problem corrected.

Error Message
%ASA-3-115001: Error in process: process name fiber: fiber name , component: component name , subcomponent: subcomponent name , file: filename , line: line number , cond: condition


Explanation An error assertion has gone off and is used during
development in checked builds only, but never in production builds.

• process
  name— The name of the process

• fiber name —The name of the fiber

• component name —The name of the specified component

• subcomponent name —The name of the specified subcomponent

• filename —The name of the specified file

• line number —The line number for the specified line

• condition —The specified condition

Recommended Action A defect should be filed, the reason for the
assertion should be investigated, and the problem fixed.

Error Message
%ASA-4-115002: Warning in process: process name fiber: fiber name , component: component name , subcomponent: subcomponent name , file: filename , line: line number , cond: condition


Explanation A warning assertion has gone off and is used during
development in checked builds only, but never in production builds.

• process
  name— The name of the process

• fiber name —The name of the fiber

• component name —The name of the specified component

• subcomponent name —The name of the specified subcomponent

• filename —The name of the specified file

• line number —The line number for the specified line

• condition —The specified condition

Recommended Action The reason for the assertion should be
investigated and if a problem is found, a defect should be filed, and the
problem corrected.

Error Message %ASA-5-120001: Smart Call-Home Module is started.

Explanation The Smart Call-Home module started successfully after
system bootup and failover in a stable state, and is ready to process
Smart-Call Home events.

Recommended Action None required.

Error Message
%ASA-5-120002: Smart Call-Home Module is terminated.

Explanation When the Smart Call-Home module is disabled, it is
then terminated.

Recommended Action None required.

Error Message
%ASA-6-120003: Process event group
title


Explanation The Smart Call-Home module retrieved an event from
the queue to process.

• group —The event group, which may be the following: inventory,
  configuration, diagnostic, environment, snapshot, telemetry, threat, and test.

• title —The event title

Recommended Action None required.

Error Message
%ASA-4-120004: Event group
title is dropped. Reason reason


Explanation A Smart Call-Home event was dropped. The event may
have been dropped because of an internal error, the event queue is full, or the
Smart Call-Home module was disabled after the message was generated, but before
it was processed.

• group —The event group, which can be any of the following:
  inventory, configuration, diagnostic, environment, snapshot, telemetry, threat,
  and test.

• title —The event title

• reason —The drop reason, which can any of the following:

Internal Error—Various internal system errors occurred, such as being
out of memory or parsing a CLI failed.

Queue Full—The number of events reached the configured limit.

Cancelled—The event was cancelled because the Smart Call-Home module is
disabled.

Recommended Action If the drop reason is Queue Full, try to
increase the event queue size and the rate-limit configuration to avoid event
queue buildup. If the drop reason is Internal Error, turn on debugging by
entering the
debug
sch
fail command to obtain more detailed debugging
information.

Error Message
%ASA-4-120005: Message group to destination is dropped. Reason reason


Explanation A Smart Call-Home message was dropped. The message
may have been dropped because of an internal error, a network error, or the
Smart Call-Home module was disabled after the message was generated, but before
it was delivered.

• group —The event group, which can be any of the following:
  inventory, configuration, diagnostic, environment, snapshot, telemetry, threat,
  and test.

• destination— The e-mail or URL destination

• reason —The drop reason, which can any of the following:

Internal Error—Various internal system errors occurred.

Delivery Failed—The packets cannot be delivered because a network error
occurred.

Cancelled—The event was cancelled because the Smart Call-Home module is
disabled.

Recommended Action If the drop reason is Delivery Failed, the
message is dropped after three unsuccessful retransmissions, or because the
error is local (such as no route to destination). Search message 120006 for the
delivery failure reason, or turn on debugging by entering the
debug
sch
fail command to obtain more detailed debugging
information.

Error Message
%ASA-4-120006: Delivering message group to destination failed. Reason reason


Explanation An error occurred while the Smart Call Home module
tried to deliver a message. The error may be transient. The message is not
dropped when message 120006 is generated. The message may be queued for
retransmission. The message is only dropped when message 120005 is generated.

• group —The event group, which can be any of the following:
  inventory, configuration, diagnostic, environment, snapshot, telemetry, threat,
  and test

• destination— The e-mail or URL destination

• reason —The failure reason

Recommended Action Check the error reason in the message. If the
reason is NO_ROUTE, INVALID_ADDRESS, or INVALID_URL, check the system
configuration, DNS, and the name setting.

Error Message
%ASA-6-120007: Message group to destination delivered.

Explanation A Smart Call Home message was successfully delivered.

• group —The event group, which can be any of the following:
  inventory, configuration, diagnostic, environment, snapshot, telemetry, threat,
  and test

• destination— The e-mail or URL destination

Recommended Action None required.

Error Message
%ASA-5-120008: SCH client client is activated.

Explanation The Smart Call Home module is enabled, an event group
is also enabled, and that event group is subscribed to by at least one active
profile. If these conditions are met, then all clients of that group will be
activated.

• client —The name of the Smart Call Home client

Recommended Action None required.

Error Message
%ASA-5-120009: SCH client client is deactivated.

Explanation The Smart Call Home module is disabled, an event
group is enabled, or an event group is no longer subscribed to by any active
profile. If these conditions are met, clients of that event group will be
deactivated.

• client —The name of the Smart Call Home client

Recommended Action None required.

Error Message
%ASA-3-120010: Notify command command to SCH client client failed. Reason reason .

Explanation The Smart Call Home module notified Smart Call Home
clients of certain events through the callback function. If the client does not
interpret the command correctly, does not understand the command, or cannot
process the command, an error will be returned.

• command— ENABLE, DISABLE, or READY

• client —The name of the Smart Call Home client

• reason —The reason for failure

Recommended Action Turn on debugging by entering the
debug
sch
fail command to obtain more detailed debugging
information.

Error Message
%ASA-4-120011: To ensure Smart Call Home can properly communicate with Cisco, use the command dns name-server to configure at least one DNS server.

Recommended Action Once this syslog is generated, run the
dns
name-server command to configure at least one DNS
server. Otherwise, network-local DNS server or Cisco DNS server will be used.

Error Message
%ASA-5-120012: User username chose to choice call-home anonymous reporting at the prompt.

Explanation The administrator was notified that a user has
responded to the Smart Call Home prompt to enable, disable, or postpone
anonymous reporting.

• username —The user who responded to the prompt

• choice —The available entries are enable, disable, or postpone

Recommended Action To enable anonymous reporting in the future,
enter the
call-home
reporting
anonymous command. To disable anonymous reporting,
enter the
no
call-home
reporting
anonymous command.

Error Message
%ASA-5-121001: msgId id. Telemetry support on the chassis: status.


Explanation Whenever telemetry support is enabled or disabled on the chassis, this message is displayed.

• id—The message identifier as in the appAG-appAgent message
• status— The available values are enabled or disabled

Example

%ASA-5-121001: msgId 1. Telemetry support on the chassis: disabled

Recommended Action None required.

Error Message
%ASA-5-121002: Telemetry support on the blade: status.


Explanation Whenever telemetry support is enabled or disabled on the blade, this message is displayed.

• status—The available entries are enable or disable

Example

%ASA-5-121002: Telemetry support on the blade: enabled
%ASA-5-121002: Telemetry support on the blade: disabled

Recommended Action None required.

Error Message
%ASA-6-121003: msgId id. Telemetry request from the chassis received. SSE connector status: connector status. Telemetry config on the blade: blade status. Telemetry data data status.

Explanation The message is displayed whenever ASA receives a telemetry request from FXOS. The message displays the SSE connector status,
telemetry support status on the blade, and whether the telemetry data was sent to FXOS.

• id—The message identifier as in the appAG-appAgent message
• connector status—Whether telemetry support is enabled or disabled on the chassis
• blade status—Whether telemetry support is enabled or disabled on the blade
• data status—Whether telemetry data is sent or not

Example

%ASA-6-121003: msgId 2. Telemetry request from the chassis received. SSE connector status: enabled. Telemetry config on the blade: enabled. Telemetry data Sent
%ASA-6-121003: msgId 1. Telemetry request from the chassis received. SSE connector status: enabled. Telemetry config on the blade: enabled. Telemetry data Sent

Recommended Action None required.

Error Message
%ASA-5-199001: Reload command executed from Telnet (remote IP_address ).

Explanation The address of the host that is initiating an ASA reboot with the reload command has been recorded.

Recommended Action None required.

Error Message
%ASA-6-199002: startup completed. Beginning operation.

Explanation The ASA finished its initial boot and the flash memory reading sequence, and is ready to begin operating normally.

Note	You cannot block this message by using the no logging message command.

Recommended Action None required.

Error Message
%ASA-6-199003: Reducing link MTU dec .

Explanation The ASA received a packet from the outside network that uses a larger MTU than the inside network. The ASA then sent an ICMP message to the outside host to negotiate an appropriate MTU. The log message includes the sequence number
of the ICMP message.

Recommended Action None required.

Error Message
%ASA-6-199005: Startup begin

Explanation The ASA started.

Recommended Action None required.

Error Message
%ASA-1-199010: Signal 11 caught in process/fiber(rtcli async executor process)/(rtcli async executor) at address 0xf132e03b, corrective
action at 0xca1961a0

Explanation The system has recovered from a serious error.

Recommended Action Contact the Cisco TAC.

Error Message
%ASA-2-199011: Close on bad channel in process/fiber process/fiber , channel ID p , channel state s process/fiber name of the process/fiber that caused the bad channel close operation.

Explanation An unexpected channel close condition has been
detected.

• p—The
  channel ID

• process/fiber —The name of the process/fiber that caused the bad
  channel close operation

• s—The channel state

Recommended Action Contact the Cisco TAC and attach a log file.

Error Message
%ASA-1-1199012: Stack smash during new_stack_call in process/fiber process/fiber , call target f , stack size s , process/fiber name of the process/fiber that caused the stack smash

Explanation A stack smash condition has been detected.

• f—The target
  of the new_stack_call

• process/fiber —The name of the process/fiber that caused the
  stack smash

• s—The new stack size specified in
  new_stack_call

Recommended Action Contact the Cisco TAC and attach a log file.

Error Message
%ASA-1-199013: syslog


Explanation A variable syslog was generated by an assistive
process.

• syslog—The
  alert syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

Error Message
%ASA-2-199014: syslog


Explanation A variable syslog was generated by an assistive
process.

• syslog—The
  critical syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

Error Message
%ASA-3-199015: syslog


Explanation A variable syslog was generated by an assistive
process.

• syslog—The
  error syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

Error Message
%ASA-4-199016:
syslog

Explanation A variable syslog was generated by an assistive
process.

• syslog—The
  warning syslog passed verbatim from an external process

Recommended Action Contact the Cisco TAC.

Error Message
%ASA-5-199017: syslog


Explanation A variable syslog was generated by an assistive
process.

• syslog—The
  notification syslog passed verbatim from an external process

Recommended Action None required.

Error Message
%ASA-6-199018: syslog


Explanation A variable syslog was generated by an assistive
process.

• syslog—The
  informational syslog passed verbatim from an external process

Recommended Action None required.

Error Message
%ASA-7-199019: syslog


Explanation A variable syslog was generated by an assistive
process.

• syslog—The
  debugging syslog passed verbatim from an external process

Recommended Action None required.

Error Message
%ASA-2-199020: System memory utilization has reached X %. System will reload if memory usage reaches the configured trigger level of Y %.

Explanation The system memory utilization has reached 80% of the
system memory watchdog facility’s configured value.

Recommended Action Reduce system memory utilization by reducing
traffic load, removing traffic inspections, reducing the number of ACL entries,
and so on. If a memory leak is suspected, contact Cisco TAC.

Error Message
%ASA-1-199021: System memory utilization has reached the configured watchdog trigger level of Y %. System will now reload

Explanation The system memory utilization has reached 100% of the
system memory watchdog facility’s configured value. The system will
automatically reload.

Recommended Action Reduce system memory utilization by reducing
traffic load, removing traffic inspections, reducing the number of ACL entries,
and so on. If a memory leak is suspected, contact Cisco TAC.

Error Message
%ASA-5-199027: Restore operation was aborted at <HH:MM:SS> UTC <DD:MM:YY>

Explanation This message indicates that the backup restoration failed while using the ‘restore’ command.

Recommended Action None