
COMPREHENSIVE INTERNET SECURITY ™

Log Event Reference Guide

SonicWALL Internet Security Appliances

Log Event Messages
The messages explained in this book are generated by the SonicWALL as part of its logging and notification feature. The messages are useful for system administrators when monitoring and operating the SonicWALL. There are eight categories of events:

• Dropped
• Attacks
• Blocked
• Network Debug
• System Errors
• System Maintenance
• User Activity
• VPN Statistics

Event Logging automatically begins when the SonicWALL is powered on and configured. The SonicWALL supports a traffic log containing entries with multiple fields. An example of an entry is displayed here:

[Figure: example log entry with its fields labeled: Time and Date Stamp; Source IP Address; Additional Information; Rule Number (If Applicable); Event Message; Destination IP Address]


SonicWALL Log Messages

Each log entry contains the date and time of the event and a brief message describing the event. It is also possible to copy the log entries from the management interface and paste into a report.

The SonicWALL manages log events in the following manner:

• TCP, UDP, or ICMP packets dropped
When IP packets are dropped by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log messages usually include the name of the service in quotation marks.

• Web, FTP, Gopher, or Newsgroup blocked
When a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. The computer’s IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List Code is displayed. Code definitions for the 12 Content Filter List categories are shown below.

a=Violence/Profanity
b=Partial Nudity
c=Full Nudity
d=Sexual Acts
e=Gross Depictions
f=Intolerance
g=Satanic/Cult
h=Drug Culture
i=Militant/Extremist
j=Sex Education
k=Gambling/Illegal
l=Alcohol/Tobacco

• Descriptions of the categories are available at <http://www.sonicwall.com/Content-Filter/categories.html>.

• ActiveX, Java, Cookie or Code Archive blocked
When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt is displayed.

Blocked is defined as a Web site, connection, or event that is denied access from the SonicWALL.

• Ping of Death, IP Spoof, and SYN Flood Attacks
The IP address of the machine under attack and the source of the attack is displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack.

• TIP! Some network conditions can produce network traffic that appears to be an attack, even when no one is deliberately attacking the LAN. To follow up on a possible attack, contact your ISP to determine the source of the attack. Regardless of the nature of the attack, your LAN is protected and no further steps are needed.

or other events. Probable Syn Flood Attack . Page 3 .An Web access request was detected and refused.Log Events This section lists the log events by category. Events Logged as Attacks Attacks . . Each log event description includes an explanation of its meaning. IPSec (ESP) packet dropped .An unauthorized UDP packet was detected and refused. Attacks are logged as listed below: Ping of death blocked . Drop packet received in the clear. therefore. Denied TCP connection from LAN . a recommended action.An unauthorized TCP packet was detected and refused.ICMP uses datagrams of various types for communicating between control messages between hosts and routers on a TCP/IP network.A dropped event is a service that is denied entry into the SonicWALL because it violates configured or default security policies. Internet Access restricted to authorized users. unencrypted packets are dropped. Unknown Protocol Dropped . Dropped Log Event Messages Dropped . No response is returned to the sender of the event. a type of denial of service attack.. Possible Syn Flood Attack .Events categorized by the SonicWALL as attacks are e-mailed to you if you have configured the automation section of Logging. ICMP Dropped . Web access request dropped . IPSec (AH) packet dropped . and if necessary. Drop packet received in the clear. Attacks can be Smurf. the communication was dropped by the SonicWALL. Fragmented Packet Dropped .The SonicWALL has detected and refused an IPSec packet encrypted using AH. IP Spoof.An IPSec packet was dropped by the SonicWALL. UDP Dropped .The SonicWALL has detected and refused an unknown protocol. Port configured to receive IPSEC Only. 
In this case.The SonicWALL has detected an attempted Ping of Death attack by detecting grossly oversized ICMP packets and rejecting them.A packet with a source IP address and arriving at an interface that conflicts with the SonicWALL route table was detected and rejected by the SonicWALL.The SonicWALL is configured to receive IPSec packets only.The SonicWALL refused a fragmented packet.The SonicWALL has detected and prevented a possible SYN attack. a form of denial of service attack. IP Spoof Detected .The SonicWALL has detected and prevented a probably SYN attack. The SonicWALL logs these events as follows: TCP Dropped .The SonicWALL refused a TCP connection from the LAN. Ripper.

Net Spy Attack Dropped . IPSec Authentication Failed . Page 4 SonicWALL Internet Security Appliance Administrator’s Guide . Forbidden E-Mail attachment deleted . Smurf Amplification Attack Dropped .Someone attempted to log into the SonicWALL using the wrong password. Possible Port Scan Dropped .The SonciWALL has detected and blocked SYN packets whose source IP addresses are spoofed to be the same as the destination IP addresses. Sub Seven.The SonicWALL has detected and dropped a Striker Attack.The SonicWALL has detected and prevented a Denial of Service attack. Administrator login Failure . Unknown IPSec SPI .A user has attempted logging into the SonicWALL with incorrect credentials. User login failure rate exceeded .The SonicWALL detected and blocked a TCP Xmas Tree scan.The SonicWALL has detected and dropped a Ripper Attack.The SonicWALL detected an IPSec packet with a source IP address that does not match any security policies configured on the SonicWALL. the logging file records forbidden e-mail attachments received by the SonicWALL. Striker Attack Dropped . Priority Attack Dropped .The parameters for an IPSec connection do not match and authentication failed. Ripper Attack Dropped . IPSec packet to or from an illegal host .The SonicWALL has detected TCP frames with a sequence number of zero and all control bits set to zero and rejected them.source address locked out .NetBus is a well-known back door Trojan attack.The SonicWALL has detected and dropped a Net Spy attack. Probable TCP NULL scan .incorrect password . Ini Killer Attack Dropped . NetBus Attack Dropped . IPSec Decryption Failed .The SonicWALL was unable to decrypt the IPSec packets. Sub Seven Attack Dropped .Back Orifice is an attack that exploits the vulnerability of Microsoft Back Office.Land Attack Dropped . Back Orifice Attack Dropped . 
Senna Spy Attack Dropped .The SonicWALL has detected and blocked an unknown IPSec SPI attempting to connect to the SonicWALL.A possible port scan was detected and rejected by the SonicWALL. The SonicWALL has detected and dropped this attack. IPSEC Replay Detected .The SonicWALL has detected and dropped the Trojan attack.When enabled on the SonicWALL.The SonicWALL has detected and prevented a priority attack.The SonicWALL has detected and prevented a trojan attack. TCP Xmas Tree Blocked .The SonicWALL has detected and prevented a trojan attack.An IPSec Replay was detected and rejected by the SonicWALL. The SonicWALL has detected and dropped this attack.

the name of the blocked newsgroup.The SonicWALL Anti-Virus subscription has expired. Ethernet address.mysonicwall.Probable Port Scan Dropped . Newsgroup accessed . Web site accessed .When an attempt is made by a user on the network to access a blocked newsgroup. Forbidden E-Mail attachment disabled . FTP: PASV response bounce attack dropped. Newsgroups.When configured on the SonicWALL. the name of the blocked Web site. and the Content Filter code is displayed as the log message. the computer IP address. Probable TCP XMAS scan . Ethernet address. a log message records the event when access is attempted from the SonicWALL. Renew your subscription at http://www. the log message displays the source and destination IP address of the attempted connection. or Web sites. Ethernet address.When configured on the SonicWALL. Newsgroup blocked . The SonicWALL has detected and blocked a PASV response bounce attack which is a Denial of Service attack. Java.The SonicWALL has detected and blocked a Port bounce attack.The SonicWALL has detected and blocked TCP traffic with a sequence number of zero and all the control bits are set. Blocked events include ActiveX. the computer IP address. Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. FTP: PORT bounce attack dropped.The SonicWALL has detected and blocked traffic resembling a TCP FIN scan. . forbidden e-mail attachments are disabled. .When a Web site is accessed by a user on the network. ActiveX blocked . URG. Probable TCP FIN scan . e-mail fragments are prevented from accessing the SonicWALL. and the name of the Web site is displayed as the log message. . Probable TCP NULL scan .The SonicWALL has detected and blocked TCP traffic with a sequence number of zero and the FIN. the computer IP address. Web site blocked .When ActiveX is blocked. Ethernet address. Page 5 . 
and the name of the Web site is displayed as the log message.The SonicWALL detected an excessive number of port scans and dropped the traffic.When a newsgroup is accessed by a user on the network. E-Mail fragment dropped . and the Content Filter code is displayed as the log message.The SonicWALL has detected and blocked a malformed IP packet.com.When an attempt is made by a user on the network to access a blocked Web site. Events Logged as Blocked If an event is configured as blocked. Malformed IP packet dropped. the computer IP address. and PUSH bits are set.

When cookies are blocked. No ICMP redirect sent .When ActiveX and Java archives are blocked.An IKE responder requires XAUTH. DHCP REQUEST received from local device . ActiveX or Java archive blocked . Possibly.The allowable time for a requested ARP response has expired. there are no more available connections.not transport mode. the SonicWALL was unable to create a new connection cache entry. packet dropped . RealAudio decode failure . NAT translated packet exceeds size limit. the log message displays the source and destination IP address of the attempted connection. events are logged on the SonicWALL to allow you to troubleshoot problematic connections or security policies. however.While processing an FTP connection. Events Logged as Debug When Network Debug is selected.When Java is blocked. ARP timeout . IPSec connection interrupt .A nonallowed packet was received that generated an ICMP redirect.A nonallowed broadcast packet is dropped. no ICMP redirect was sent.Two or more identical packets received.Previous IPSec (ESP) connection for pass-through is not complete. New IPSec connection cannot be started and the IPSec (ESP) packet is dropped.While processing a RealAudio stream.While performing NAT. Failure to add data channel ..While processing an FTP connection. Any packets received after the initial packet were dropped by the SonicWALL. Cookie removed . but it is not supported by the peer. the source and destination is unknown. waiting for pending IPSec connection .A packet with source route options was detected. Broadcast packet dropped . Therefore.Java blocked . DHCP DISCOVER received from local device . a packed is larger than the allowable limit and was dropped. a decode failure occured. Xauth is required but not supported by peer.A local DHCP client on the SonicWALL is requesting a DHCP lease.The SonicWALL is not in an acceptable condition for IPSec passthrough. 
the log message displays the source and destination IP address of the attempted connection.A local DHCP client on the SonicWALL network is attempting to locate a DHCP server. an out of order packet was detected and dropped. but the IP header was larger than the allowed size and was dropped. IKE Responder: Mode %d . Source routed IP packet dropped . IPSec packet dropped. the log message displays the source and destination IP address of the attempted connection. Out-of-order command packet dropped . Page 6 SonicWALL Internet Security Appliance Administrator’s Guide . Duplicate packet dropped .

waiting for pending IPSec connection .A DHCP Client has released its DHCP lease.Previous IPSec (AH) connection for pass-through is not complete.A remote DHCP client is trying to locate a DHCP server on the SonicWALL network. The request was ignored.The DHCP server has denied the DHCP server’s lease request.A packet larger than the configured MTU was received or a packet with a fragmented bit was received when fragmentation support is not configured on the SonicWALL. waiting for pending IPSec connection .An HTTP request was received by the SonicWALL without the required HOST tag.The SonicWALL management interface was accessed from the LAN. New IPSec connection cannot be started and the IPSec (ESP) packet is dropped.A state-specific log message used to assist SonicWALL technical support with unusual issues experienced by customers. DHCP DISCOVER received from remote device .No HOST tag found in HTTP request . DHCP lease relayed to remote device . DHCP DECLINE received from remote device . DHCP OFFER received from server .A remote DHCP client has refused the proposed DHCP lease. Log Debug .A DHCP lease was sent to a remote device from a local device.A DHCP lease was requested from the a remote device. DHCP NAK received from server . VPN Log Debug .A state-specific log message used to assist SonicWALL technical support with unusual issues experienced by customers. Issuer match failed . IPSec (AH) packet dropped.The certificate issuer information does not match the SonicWALL certificate information.The DHCP server has offered a DHCP lease to a client. DHCP RELEASE received from remote device . Page 7 . IPSec (ESP) packet dropped. Firewall access from LAN . New IPSec connection cannot be started and the IPSec (AH) packet is dropped. DHCP REQUEST received from remote device .Previous IPSec (ESP) connection for pass-through is not complete. Received fragmented packet or fragmentation needed .

.Events Logged as System Errors Events categorized as System Errors are logged by the SonicWALL. .The SonicWALL connection cache is full and some connections will be dropped. the primary WAN link is down.The Primary firewall encountered a problem trying to synchronize the LAN IP settings. Content filter subscription expired.You must register your SonicWALL appliance at http://www. Probing failure on %s If probing is configured on the SonicWALL.The Primary firewall is taking over as the main firewall. The cache is full.The Backup SonicWALL is in an error state causing it to send error signals to the Primary SonicWALL. log files from the SonicWALL are e-mailed to the address configured on the Log Automation page. License exceeded: Connection dropped because too many IP addresses are in use on your LAN You have too many users on your network and not enough licenses to support them. Diagnostic Code D . System errors can include hardware failures. Now the Backup is not sending heartbeats to the Primary causing a failback to the Primary SonicWALL.For the TELE3 SP. and the backup (modem) is going to be the primary WAN link. %s Ethernet Port Down . please manually set to backup LAN IP . . expired subscription notification.com Global VPN Client connection is not allowed. You must manually configure the LAN IP address on the Backup SonicWALL. some will be dropped . Appliance is not registered. Primary WAN link down. Backup going Active .You do not have enough licenses for the Global VPN Clients on your network. and diagnostic codes.com in order to use your Global VPN client. high availability issues. check log settings . Check the settings on your Log Automation page if you see this error message. Illegal LAN address in use . You can get more licenses at http://www.An IP address outside of the configured scope is in use. probing has encountered a problem causing it to fail. 
Page 8 SonicWALL Internet Security Appliance Administrator’s Guide .Error detected during software encryption or decryption of IPSec packets. Primary missed heartbeats from Active Backup: Primary going Active . Global VPN Client License Exceeded: Connection denied. Error setting the IP address of the backup. The Primary takes over as the main SonicWALL.The SonicWALL cannot remap an incoming packet to the correct destination.The Ethernet port is not able to send data. Primary received error signal from Active Backup: Primary going Active .The Backup SonicWALL became active when the Primary failed. Problem sending log email.Your content filter subscription is no longer valid. Backup firewall being preempted by Primary . You must renew it on http://www. %d open connections. NAT could not remap incoming packet .mysonicwall.When configured on the SonicWALL.mysonicwall.mysonicwall.com.

Backup missed heartbeats from Active Primary: Backup going Active .The SonicWALL blocked Quick Mode negotiation with the Global VPN Client using the default keyID. Page 9 .The Backup SonicWALL is now the active firewall and the Primary is now the Backup SonicWALL.The Active Primary firewall did not send heartbeats to the Backup. Connection has been dropped. Unknown Reason . CRL Loaded From . %s Ethernet Port Up . therefore the Backup is taking over as the Primary Firewall.A connection entry cache entry timed out.The Watchdog detected low memory resources. The current WAN interface is not ready to route packets.The SonicWALL is unable to connect to the CRL server. the Backup SonicWALL is configured to be active instead of the Primary SonicWALL. Requesting CRL From .A Certificate Revocation List was loaded from the specified location.Diagnostic Code A .A VPN Certificate Revocation List was received from the specified location.The SonicWALL did not have enough RAM available when retrieving the Certificate Revocation List. Failed to get CRL From . Primary firewall preempting Backup .The SonicWALL was unable to process a retrieved CRL from the specified location.Configuration changes could not be updated on the Primary and Backup firewalls.A state-specific log message used to assist Tech Support with diagnosing unusual customer issues.The Primary firewall has become active again and is taking over as the Primary firewall.The Watchdog detected a suspended task. Connection Timed Out .Failed to allocate memory for Encryption or Authentication keys.The modem connection on the TELE3 SP lost its dial-up connection and the WAN connection is becoming the primary connection.The Ethernet Port has returned to active status. The network connection in use is %s .An error condition exists on the Active Primary firewall and the Backup firewall is becoming the Primary firewall. Cant Connect to the CRL Server . Diagnostic Code E . 
Failed to synchronize Relay IP Table Blocked Quick Mode for Client using Default KeyId . Not Enough Memory to hold the CRL . Primary firewall has transitioned to Idle . Backup WAN link down. Error updating HA peer configuration . Primary going Active . Failed to Process CRL From .The network connection is the specified source.After rebooting the SonicWALL and HA is enabled. Backup received error signal from Active Primary: Backup going Active . Backup going Active in preempt mode after reboot . Diagnostic Code C .The SonicWALL was unable to retrieve a Certificate Revocation List.

The PPPoE connections is disconnected. Check the network settings on the SonicWALL for the correct username and password.The SonicWALL is attempting to authenticate to the PPPoE connection using CHAP (Challenge Handshake Authentication Protocol). This link is down.The SonicWALL is beginning to authenticate with the remote PPoE connection using PAP (Password Authentication Protocol).The PPPoE connection is successfully connected.The SonicWALL is now up and actively managing your connection.The SonicWALL has located the PPoE connection.The ISP did not respond to the connection request. SonicWALL activated . PPPoE Network Disconnected . PPPoE discovery process complete . PPPoE Network Connected . Check your network settings. PPPoE CHAP Authentication Failed . Issuer Match Failed .The SonicWALL has successfully authenticated to the remote PPoE connection. PPPoE starting PAP Authentication . PPPoE PAP Authentication Failed . Please verify PPPoE username and password.The SonicWALL is looking for the PPoE connection.A VPN connection was attempted using an non-existent certificate. PPPoE terminated .LCP is used in conjunction with PAP or CHAP to establish the connection. PPPoE LCP Link Down . PPPoE PAP Authentication Failed. The PPoE connection failed due to an incorrect username and password.The SonicWALL failed to authenticate to the remote connection.LCP is used in conjunction with PAP or CHAP to establish the connection. Page 10 SonicWALL Internet Security Appliance Administrator’s Guide . Starting PPPoE discovery . L2TP Connect Initiated by the User . PPPoE LCP Link Up .A CRL was received in an incorrect format. Disconnecting PPPoE due to traffic timeout . The negotiation is disconnected. PPPoE PAP Authentication success .A CRL list was received from an unauthorized provider.The PPPoE connection timed out because there was not enough network traffic to keep it active.A request to connect to a L2TP server is initiated.Bad CRL Format . Certificate on Revoked List . 
Events Logged as System Maintenance Events relating to network connections such as PPPoE. and L2TP as well as system start up are logged as system maintenance entries. This link is up. No Certificate for . PPPoE starting CHAP Authentication . No response from ISP Disconnecting PPPoE.A VPN connection was attempted using an unauthorized certificate.The PPPoE connection is terminated. PPTP.The PPPoE connection failed to authenticate using CHAP. .

PPP Authentication failed.PPP callback is down. L2TP Session Disconnect from Remote .The PPTP connection has begun PPP negotiations. L2TP LCP Up .The PPP link is down. L2TP PPP Authentication Failed .Disconnection from the remote L2TP connection is requested by a user. PPTP PPP Link Up .The L2TP session has disconnected. Check your L2TP settings. L2TP Tunnel Negotiation Started .PPP authentication has failed. PPTP PPP Up . L2TP PPP Negotiation Started .The SonicWALL has begun PPP negotiation over the L2TP connection. Data can be sent via the PPTP connection.Negotiation for a L2TP session has started. L2TP Max Retransmission Exceeded . L2TP PPP link down . PPTP PAP Authentication success. PPTP Connect Initiated by the User . PPTP PPP Negotiation Started .A user has initiated a PPTP connection. LCP is available. PPTP PPP Down .The SonicWALL is establishing a PPTP connection using PAP for authentication. PPTP Control Connection Negotiation Started .The PPP link is down. LCP is unavailable. PPTP PPP Authentication Failed .Retransmission of data has exceeded the maximum allowed retransmissions. PPTP starting PAP Authentication . L2TP Tunnel Established .The SonicWALL has established a L2TP tunnel.The PPP link is up. PPTP PPP Session Up .Negotiation for a L2TP tunnel has started. Page 11 . PPTP PPP Link down . L2TP LCP Down .LCP is a protocol used as part of the authentication process.LCP is a protocol used as part of the authentication process.Negotiation has been initiated for PPTP Control Connection.PPP callback is up.PPTP Control Connection has been successfully established.The PPTP Session is up.L2TP Session Negotiation Started . L2TP Disconnect Initiated by the User . Disconnecting L2TP Tunnel due to traffic timeout. PPTP Control Connection Established . PAP authentication is successful. The L2TP tunnel is disconnected due to inactivity on the connection.

The SonicWALL is beginning to negotiate the PPTP sessions. Page 12 SonicWALL Internet Security Appliance Administrator’s Guide .LCP is a protocol used as part of the authentication process. dumping log to email . VPN disabled by administrator . PPTP Max Retransmission Exceeded . PPTP Session Disconnect from Remote . Check your network settings to verify that the information is correct. PPTP PPP Link Finished .PPTP PAP Authentication Failed . Restarting SonicWALL.The administrator name has been changed on the SonicWALL. You must remember the port number to log into the SonicWALL. PPTP Tunnel Disconnect from Remote .The PPTP session is established by the SonicWALL. Please verify PPTP username and password . PPTP LCP Down . Access attempt from host without Anti-Virus agent installed .VPN has been disabled on the SonicWALL. PPTP Disconnect Initiated by the User . Log Cleared .Due to inactivity on the connection.A user has initiated a PPTP disconnect on the SonicWALL.The SonicWALL is restarting either at a user’s request or after changing settings on the SonicWALL.The Log was cleared by clicking Clear Log on the Log View page. HTTP management port has changed .Attempts to retransmit data has exceeded the number of allowed retransmissions.The authentication process failed.The HTTP management port has changed.LCP is a protocol used as part of the authentication process. No VPN SAs are in effect and disabling VPN interrupts any current VPN connections.Anti-Virus is required to be installed on all computers on the network if Anti-Virus is enabled on the SonicWALL. The log file is e-mailed to the address configured on the Log Automation page. You need to remember the name in order to log into the SonicWALL.The PPTP tunnel is disconnected from the remote location. LCP is available.PAP authentication failed. Please verify PPTP username and password . Adminstrator name changed . Check your SonicWALL network settings.The PPTP PPP link is complete. 
PPTP CHAP Authentication Failed. Disconnecting PPTP Tunnel due to traffic timeout . PPTP LCP Up .The PPTP connection is authenticating using CHAP. LCP is unavailable. the PPTP tunnel is disconnecting.Check your SonicWALL network settings to verify your username and password. PPTP Session Established . PPTP Session Negotiation Started . PPTP starting CHAP Authentication . PPTP PAP Authentication Failed.The PPTP tunnel is disconnected from the remote location.

RADIUS authentication failure . administrator login success and failure. Events Logged as User Activity Log events generated as User Activity include user login success and failure. IKE events. the SonicWALL e-mails the log files to the administrator. Access Rules added and deleted.A user was logged out when the connection did not detect data transmission.The SonicWALL is restarting after uploading new firmware or resetting the appliance. HTTPS management port has changed . Administrator login failed .A SonicWALL Administrator logged out of the SonicWALL. Anti-Virus agent out-of-date on host . logout activity.When configured. The administrator has re-enabled the user’s account. Page 13 .incorrect password from the CLI .A user attempted to log into the SonicWALL using the wrong password.A user configured for RADIUS Authentication failed to log into the SonicWALL.An administrator failed to log into the SonicWALL using the incorrect password over the CLI port. Unknown user attempted to log in .The HTTPS management port was changed.A user has logged out of the SonicWALL.VPN is enabled by the administrator by selecting Enable VPN on the VPN page. XAUTH success and failure. User login failed . and IPSec events. User logged out . User login failed . Login screen timed out . modem events for the TELE3 SP.A user in the local database logged into the SonicWALL successfully.A remote user successfully logged into the SonicWALL.inactivity timer expired . User login failed .An administrator successfully logged into the SonicWALL.incorrect password . User logged out .A user configured for RADIUS Authentication is improperly configured on the SonicWALL. remote user login success and failure. Locked out user re-enabled by admin .The Anti-Virus agent has not been updated. Log successfully sent via email . Administrator logged out . You must remember the port number when attempting to manage the SonicWALL using HTTPS. 
Successful remote user login .A user not configured on the SonicWALL attempted to log into the SonicWALL.The login screen with the username and password fields timed out.A user attempted to log onto the SonicWALL but was locked out when authentication failed.VPN enabled by administrator . SonicWALL initializing .RADIUS configuration error . Successful administrator login . Update the agent for the latest virus information. Successful local user login .

Administrator logged out from the CLI . User logged out . IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address .A VPN client has connected to the SonicWALL.max session time exceeded . Administrator logged out . and authentication algorithms.A user was logged out after exceeding the specified session time established for the user. The time period for the lockout has expired.VPN SAs do not match each other.User has no privileges for login from that location .The user does not have privileges to log in from a specified location. IKE Responder: Algorithms and/or keys do not match . Check the configuration on both appliances. IKE Responder: No matching Phase 1 ID found for proposed remote network .The Security Association is configured to terminate on the responding DMZ but the IP address is a LAN IP address.The information entered in the initiating SonicWALL’s destination network field did not match the responding network information.The VPN tunnel is configured to terminate outside the responding firewall but the IP address for the local network is not the public IP address.A user could not log in because the RADIUS server timed out.The SonicWALL did not detect any activity for specified time period and logged the Administrator out of the SonicWALL.A user attempted log into the SonicWALL and failed resulting in the user becoming locked out of the SonicWALL. IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN .The SonicWALL administrator logged out from the SonicWALL while using the CLI interface.Perfect Forward Secrecy is configured but the authentication does not match on the responding SonicWALL.The responding SonicWALL does not have matching algorithms or keys. User login failed .inactivity timer expired . IKE Responder: No match for proposed remote network address . IKE Responder: AH Perfect Forward Secrecy mismatch . as well as Diffe-Hellman keys and the Security Protocol. 
Page 14 SonicWALL Internet Security Appliance Administrator’s Guide .The initiating SonicWALL sent an IPSec proposal that does not match the responding SonicWALL during Phase 2 negotiations. IKE Responder: IPSec proposal does not match (Phase 2) . Starting IKE negotiation .Phase 1 of the IKE negotiation failed because the information did not match on the responding SonicWALL’s network. hash. Incompatible IPSec Security Association . VPN/IKE Log Events Dynamic IPSec client connected .RADIUS server timeout .User login failed .The SonicWALL is beginning IKE negotiation by matching encryption. Locked out user re-enabled .lockout period expired .

IKE Initiator: Aggressive Mode complete (Phase 1) - The initiating SonicWALL has completed Phase 1 of an Aggressive Mode negotiation.
IKE SA lifetime expired - The Security Association has expired because it has exceeded the configured lifetime.
SA is disabled. Check VPN SA settings - The VPN SA was disabled by the administrator.
Received IPSEC SA delete request - The SonicWALL has received a request to delete an IPSec Security Association.
Computed hash does not match hash received from peer - The hash algorithm for the SA does not match the peer hash algorithm.
IKE Responder: Received Aggressive Mode request (Phase 1) - The responding SonicWALL has received a request from the initiating SonicWALL to begin Aggressive Mode (Phase 1) negotiations.
Failed payload verification after decryption - The payload in the Authentication header failed verification after it was decrypted.
Received notify: INVALID_COOKIES - The SonicWALL has received notification of invalid cookies.
IKE Responder: Aggressive Mode complete (Phase 1) - The responding SonicWALL has completed Aggressive Mode (Phase 1) negotiations.
Illegal IPSec SPI - The SPI is not authorized for connecting the VPN tunnel.
IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway - The initiating SonicWALL has proposed a local network but the SA has no IP address in the Default LAN Gateway field.
IKE Responder: Received Quick Mode Request (Phase 2) - The responding SonicWALL has received a request from the first SonicWALL to begin Phase 2 of Quick Mode negotiation.
IKE Responder: Accepting IPSec proposal (Phase 2) - The responding SonicWALL is accepting the initiating SonicWALL IPSec proposal.
Received notify: INVALID_SPI - The SPI is invalid on the SonicWALL.
IKE Responder: IKE proposal does not match (Phase 1) - The responding SonicWALL does not have a matching IKE proposal from the initiating SonicWALL.
IKE Initiator: Start Quick Mode (Phase 2) - The initiating SonicWALL is beginning the second phase of Quick Mode negotiation.
VPN Cleanup: Dynamic network settings change - The network settings have changed and the SonicWALL is cleaning up the network information.
IKE Initiator: Start Aggressive Mode negotiation (Phase 1) - The initiating SonicWALL is beginning Aggressive Mode Negotiation (Phase 1).
Quick Mode is used in SAs configured using AH or ESP.
Check the configuration on each SonicWALL.
The VPN tunnel is not connected.

IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route - The negotiating SonicWALL has proposed a network IP address but not the DHCP relay or default route IP address.
IKE Initiator: Main Mode complete (Phase 1) - Phase 1 Main Mode has successfully completed negotiations on the initiating SonicWALL.
IKE negotiation complete. Adding IPSec SA. (Phase 2) - The initiating and responding SonicWALL appliances have successfully negotiated the VPN SA.
Received packet retransmission. Drop duplicate packet - The SonicWALL received two identical packets and dropped one of them.
IKE Responder: ESP Perfect Forward Secrecy mismatch - The responding SonicWALL has a different authentication configured so the authentication doesn’t match the initiating SonicWALL.
IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ - The initiating SonicWALL is configured to terminate the VPN tunnel on the remote LAN but the IP address is on the remote DMZ.
IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall - The initiating SonicWALL is proposing a remote IP address that is not on the local network inside the remote firewall.
IKE Initiator: Accepting IPSec proposal (Phase 2) - The initiating SonicWALL is in the process of accepting Phase 2 IPSec proposal.
Failed payload verification after decryption. Possible preshared key mismatch - The Preshared Secret does not match and the SonicWALL cannot properly decrypt the packet.
IKE Responder: Mode %d - not tunnel mode - The responding SonicWALL is not in tunnel mode.
IKE negotiation aborted due to timeout - The SonicWALL could not complete the IKE negotiation because the connection timed out.
IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route - The responding SonicWALL has determined that the initiating SonicWALL was not configured to use the SA as the default route for Internet traffic.
IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN - The initiating SonicWALL has received a notification from the responding SonicWALL that no proposal was chosen.
IKE Responder: Main Mode complete (Phase 1) - The responding SonicWALL has completed Phase 1 Main Mode negotiations.
IKE Responder: Received Main Mode request (Phase 1) - The responding SonicWALL has received a request from the initiating SonicWALL to begin Phase 1 Main Mode negotiations.
IKE Initiator: Start Main Mode negotiation (Phase 1) - The initiating SonicWALL is starting Phase 1 of Main Mode negotiation and sending a request to the remote SonicWALL.
Check the SA configuration on the initiating SonicWALL.

Received notify: RESPONDER_LIFETIME - The initiating SonicWALL received notification that the responding SonicWALL is using a lifetime different from the lifetime on the initiating SonicWALL.
Received notify: INVALID_ID_INFO - The SonicWALL received notification that its Phase 1 ID is not correct.
IKE Initiator: Accepting peer lifetime. (Phase 1) - The initiating SonicWALL is accepting the SA lifetime configured on the responding SonicWALL.
Received notify: ISAKMP_AUTH_FAILED - The SonicWALL could not authenticate and the VPN tunnel is not established.
Received notify: PAYLOAD_MALFORMED - The payload packet was malformed and could not be decrypted.
Received IKE SA delete request - The responding SonicWALL received a Phase 1 delete request from the initiating SonicWALL.

Modem Log Events

PPP Dial-Up: Dialing: %s - The TELE3 SP is dialing the telephone number configured in its dialup profile.
PPP Dial-Up: Dialed number did not answer - The dialed number did not answer.
PPP Dial-Up: Shutting down link - The phone connection is shutting down.
PPP Dial-Up: Failed to get IP address - The SP could not obtain an IP address from the dial-up ISP.
PPP Dial-Up: PPP negotiation failed - disconnecting - The SP failed PPP negotiation with the dial-up ISP and is disconnecting from the ISP.
PPP: PAP Authentication failed - check username/password - Authentication with the dial-up ISP failed due to incorrect username and/or password. Check your dial-up profile.
PPP Dial-Up: Connect request canceled - A manual connection request is canceled.
PPP Dial-Up: PPP link established - The SP has established a PPP link with the dial-up ISP.
PPP Dial-Up: User requested disconnect - A request to disconnect from the dial-up ISP has been made by a user.
PPP: Starting CHAP authentication - The authentication process with the dial-up ISP is beginning.
PPP Dial-Up: No link carrier detected - check phone number - The SP could not connect because no phone carrier was detected.
PPP Dial-Up: Link carrier lost - The SP lost the connection to the phone carrier.
PPP: MS-CHAP authentication failed - check username/password - Authentication with the dial-up ISP failed due to incorrect username and/or password. Check your dial-up profile.

PPP Dial-Up: PPP link down - The PPP link is down and the SP cannot connect to the ISP.
PPP: Authentication successful - The SP successfully authenticated with the dial-up ISP.
PPP Dial-Up: Trying to failover but Primary Profile is manual - The SP is attempting to failover from the WAN port to the modem, but the Primary Dial-up profile is configured for manual dialing.
PPP: Starting MS-CHAP authentication - The SP is beginning authentication with the dial-up ISP.
PPP: Starting PAP authentication - The SP is beginning authentication with the dial-up ISP.
PPP Dial-Up: Idle time limit exceeded - disconnecting - No data has been transmitted for a specified period of time, therefore, the SP is disconnecting from the ISP.
PPP Dial-Up: Initialization : %s - The modem is initializing.
PPP Dial-Up: Received new IP address - The SP received a new IP address from the dial-up ISP.
PPP Dial-Up: Connected at %s bps - starting PPP - The modem has successfully dialed the ISP and connected to it. The SP is now beginning PPP negotiations.
PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details - Configuration of the dial-up profile may be incorrect. Check the profile and verify the information.
PPP Dial-Up: No dialtone detected - check phone-line connection - The SP did not detect a dialtone when trying to dial the ISP using the modem.
PPP: CHAP authentication failed - check username/password - The SP could not authenticate to the dial-up ISP with the configured username and/or password.
PPP Dial-Up: User requested connect - A user on the SP has requested a connection via the modem.
PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic - The SP is not connected to the WAN with an Ethernet cable. The SP will dial the ISP when outbound data is detected.
PPP Dial-Up: Dialed number is busy - The phone number configured in the dial-up profile is busy.
Check the dial-up profile information.
Data can now be transmitted using this connection.

Other User Activity Log Events

XAUTH Succeeded with VPN client - The VPN Client successfully authenticated using XAUTH.
XAUTH Failed with VPN client. Cannot Contact RADIUS Server - The VPN SA is configured to require XAUTH using a RADIUS server, however, it cannot contact the RADIUS server. Verify your RADIUS settings.
Received a path MTU icmp message from router/gateway - The SonicWALL received a routing message from a router and/or gateway on the network.

XAUTH Failed with VPN client. Authentication failure - A remote user using VPN Client to access the SonicWALL did not authenticate using XAUTH.
NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is enabled and the local SonicWALL discovered a NAT/NAPT device in front of the remote SonicWALL.
NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is enabled and has detected a NAT/NAPT device between the SonicWALL and the WAN.
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal - NAT Traversal is enabled on the SonicWALL, but it is trying to connect to a VPN Gateway that doesn’t support NAT Traversal.
NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways - NAT Traversal is enabled on the SonicWALL and did not detect a NAT/NAPT device on a VPN tunnel between two SonicWALL appliances.
Access Rule added - An Access Rule was added to the SonicWALL. The type of rule is described in the Notes section of the View Log page.
Access Rule modified - An Access Rule has been modified on the SonicWALL. The type of rule is described in the Notes section of the View Log page.
Access Rule deleted - An Access Rule was deleted from the SonicWALL. The type of rule is described in the Notes section of the View Log page.
Access Rules restored to defaults - The SonicWALL has restored the default rule set.
PPPoE user name changed by Administrator - The PPPoE user name was changed by the Administrator.
Web access request received - The SonicWALL received a Web access request from the LAN.
VPN Client Policy Provisioning - A VPN Client has received its VPN SA configuration from the SonicWALL.

Events Logged as VPN Statistics

Three events are categorized as a VPN statistic: VPN TCP SYN, VPN TCP FIN, and VPN TCP PSH.

Wireless Log Events

For the SOHO TZW, 802.11b authentication and association messages are recorded as Log Events.

802.11b Management > Authentication Failed - Reason: A wireless client attempted to authenticate using Open System WEP encryption which is not allowed on the TZW.
802.11b Management > Authentication Failed - Reason: Wireless client authentication failed because client authentication packet sequence is out of order.
802.11b Management > Authentication Failed - A wireless client attempted to authenticate using an unknown algorithm.
802.11b Management > Association Failed - Reason: The TZW has reached the maximum associated wireless clients.
802.11b Management > Association Failed - Reason: The wireless client attempted to use an unsupported authentication algorithm.
802.11b Management > Associated - Reason: A wireless client is associated on the TZW.
802.11b Management > Deauthenticated - An authenticated user has logged out of the TZW.
802.11b Management > ACL Check Failed - Reason: The wireless client failed MAC ACL check.
802.11b Management > ACL Check Passed - Reason: The wireless client passed MAC ACL check.
802.11b Management > Disassociated - Reason: A wireless client has disassociated from the SOHO TZW.

SonicWALL, 1143 Borregas Avenue, Sunnyvale, CA 94089-1306 T: 408.745.9600 F: 408.745.9300 www.sonicwall.com
© 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
P/N 232.000393.00 Rev A 06/03