PIX syslog messages (Messages 202001 to 209002)

In Cisco, PIX Firewall, by: Martin. Published on




Messages 202001 to 209002

Log Message %PIX-3-202001: Out of address translation slots!


Explanation This is a connection-related message. This message is logged if the PIX Firewall has no more address translation slots available.



Recommended Action:
Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of xlates and connections. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.

Log Message %PIX-3-202002: getxlate failed int_name.

Explanation The PIX Firewall was unable to find a translation slot for an incoming packet. The error could occur because the translation slot timeout is set too low, and the slot resource was freed; or because the specified inside address is not a valid NAT address; or because of a routing problem (possibly an asymmetric routing loop).



Recommended Action:
Use the show timeout command to display the translation timeout. Use the show nat command to determine whether the inside address is a valid destination. Use the show route command to display the PIX Firewall unit's routing table.

Log Message %PIX-3-202003: Couldn't find xlate gaddr laddr dest_addr int_name.

Explanation This is a connection-related message, and applies to outbound connections. This message can occur if an outbound list blocks connections to the specified address, or if the inside address is not part of a NAT group. A less likely possibility is that there are too many current PAT connections, and the PIX Firewall cannot allocate a PAT address for the connection.



Recommended Action:
Use the show outbound command to verify that connections to the specified address are blocked. Use the show nat command to determine if the inside address is included in a NAT group. Make sure the global pool is not running out of addresses.

Log Message %PIX-3-202004: Couldn't find xlate gaddr laddr dest_addr int_name

Explanation This is a connection-related message. This message is logged when a request for a PAT address failed.



Recommended Action:
Use the show xlate command to determine if all PAT translation slots are used up.

Log Message %PIX-3-203001: ESP Error: No Key SPI hex SRC IP_addr DEST IP_addr

Explanation This is a Private Link message. This message is logged if no encryption key could be found to match the key specified by the remote Private Link unit.



Recommended Action:
Use the show link command to display information about the keys. If you recently changed keys, you must change keys on both PIX Firewall units, and you should reboot both units to activate the new keys.

Log Message %PIX-3-208005: (chars:dec) pix clear command return return_code

Explanation This is a PIX Firewall management message. The PIX Firewall received a non-zero value (an internal error) when attempting to clear a configuration from Flash memory. The message includes the reporting subroutine's filename and line number.



Recommended Action:
For performance reasons, the end host should be configured not to inject IP fragments. This is most likely due to NFS. Set the read and write size to be the interface MTU for NFS.

Log Message %PIX-3-209001: IPFRAG: Unable to allocate frag record for src_addr/src_port to dest_addr/dest_port

Explanation More than 1024 IP fragment packets were received within 10 seconds. The PIX Firewall was unable to allocate a record for each fragment. This could be an indication of a fragment attack or of a host injecting IP fragments, which can occur with NFS when the MTU is set incorrectly.



Recommended Action:
For performance reasons, the end host should be configured not to inject IP fragments. Set the read and write size to be the interface MTU for NFS.

Log Message %PIX-3-209002: IPFRAG: First Frag have not been seen source_host to dest_host

Explanation A non-initial IP fragment was seen before its first fragment, either because a denial-of-service attack is occurring or because a remote host is injecting out-of-order IP fragments, which can occur with NFS. The source_host is the IP address of the host sending the packet and the dest_host is the host to which the packet was sent.



Recommended Action:
For performance reasons, the end host should be configured not to inject IP fragments. Set the read and write size to be the interface MTU for NFS.
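As an added example (not part of the original page or of Cisco's documentation), a small Python triage script that parses syslog lines in the %PIX-severity-msgid format, maps the message IDs documented above to the condition each reports, and flags a run of IPFRAG messages (209001/209002) as a possible fragment attack worth investigating. The sample log lines, the hosts in them and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter

# Message IDs documented on this page, with the condition each one reports.
PIX_MESSAGES = {
    "202001": "NAT/PAT translation slots exhausted",
    "202002": "getxlate failed: no translation slot for incoming packet",
    "202003": "xlate lookup failed for outbound connection",
    "202004": "PAT address request failed",
    "203001": "Private Link ESP key (SPI) not found",
    "208005": "pix clear command returned non-zero code",
    "209001": "IPFRAG: unable to allocate fragment record",
    "209002": "IPFRAG: non-initial fragment seen before first fragment",
}
FRAGMENT_IDS = {"209001", "209002"}  # repeats may indicate a fragment attack

# Matches the %PIX-<severity>-<message id>: <text> header of a PIX syslog line.
PIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

def parse_pix_line(line):
    """Return (severity, msgid, text) for a PIX syslog line, else None."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def triage(lines, frag_threshold=3):
    """Count documented message IDs, collect unknown ones, flag a fragment burst."""
    counts, unknown = Counter(), set()
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed is None:
            continue  # not a PIX message (other syslog source or free text)
        _, msgid, _ = parsed
        if msgid in PIX_MESSAGES:
            counts[msgid] += 1
        else:
            unknown.add(msgid)
    frag_total = sum(counts[i] for i in FRAGMENT_IDS)  # Counter gives 0 if absent
    return {"counts": dict(counts), "unknown": sorted(unknown),
            "fragment_burst": frag_total >= frag_threshold}

# Constructed sample lines (not real captures); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    "Jan 1 00:00:01 fw %PIX-3-202001: Out of address translation slots!",
    "Jan 1 00:00:02 fw %PIX-3-209001: IPFRAG: Unable to allocate frag record for 192.0.2.10/1234 to 198.51.100.5/2049",
    "Jan 1 00:00:02 fw %PIX-3-209002: IPFRAG: First Frag have not been seen 192.0.2.10 to 198.51.100.5",
    "Jan 1 00:00:03 fw %PIX-3-209002: IPFRAG: First Frag have not been seen 192.0.2.11 to 198.51.100.5",
    "Jan 1 00:00:04 fw %PIX-6-302013: Built outbound TCP connection",
]
```

Calling `triage(SAMPLE_LOG)` reports one 202001 and three IPFRAG messages, so `fragment_burst` is True at the default threshold; the 302013 line is listed under `unknown` because this page does not document it.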
