Firmware 6 x Log Events Ref

  • 7/31/2019 Firmware 6 x Log Events Ref

    1/26

    COMPREHENSIVE INTERNET SECURITY

    SonicWALL Internet Security Appliances

    Log Event Reference Guide

    Log Event Messages

    The messages explained in this book are generated by the SonicWALL as part of its logging and notification feature. The messages are useful for system administrators when monitoring and operating the SonicWALL. There are eight categories of events:

    Dropped

    Attacks

    Blocked

    Network Debug

    System Errors

    System Maintenance

    User Activity

    VPN Statistics

    Event Logging automatically begins when the SonicWALL is powered on and configured. The SonicWALL supports a traffic log containing entries with multiple fields.

    [Figure: SonicWALL SonicOS Log View. Callouts: Message, Source, Destination]

    [Figure: SonicWALL Firmware Log View. Callouts: Time and Date Stamp, Event Message, Source IP Address, Destination IP Address, Additional Information, Rule Number (If Applicable)]

    SonicWALL Log Messages

    Each log entry contains the date and time of the event and a brief message describing the event. It is also possible to copy the log entries from the management interface and paste into a report. The SonicWALL manages log events in the following manner:

    TCP, UDP, or ICMP packets dropped

    When IP packets are dropped by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log messages usually include the name of the service in quotation marks.

    Web, FTP, Gopher, or Newsgroup blocked

    When a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. Blocked is defined as a Web site, connection, or event that is denied access from the SonicWALL. The computer's IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List Code are displayed. Code definitions for the 12 Content Filter List categories are shown below.

    1. Violence                            7. Cult
    2. Intimate Apparel/Swimsuit           8. Drugs/Illegal Drugs
    3. Nudism                              9. Criminal Skills/Illegal Skills
    4. Adult/Mature Content/Pornography    10. Sex Education
    5. Weapons                             11. Gambling
    6. Hate/Racism                         12. Alcohol & Tobacco

    Descriptions of the categories are available at .

    ActiveX, Java, Cookie or Code Archive blocked

    When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt are displayed.

    Ping of Death, IP Spoof, and SYN Flood Attacks

    The IP address of the machine under attack and the source of the attack is displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack.

    Tip! Some network conditions can produce network traffic that appears to be an attack, even when no one is deliberately attacking the LAN. To follow up on a possible attack, contact your ISP to determine the source of the attack. Regardless of the nature of the attack, your LAN is protected and no further steps are needed.

    Log Events

    This section lists the log events by category. Each log event description includes an explanation of its meaning, and if necessary, a recommended action.

    Dropped Log Event Messages

    Dropped - A dropped event is a service that is denied entry into the SonicWALL because it violates configured or default security policies. No response is returned to the sender of the event. The SonicWALL logs these events as follows:

    TCP Dropped - An unauthorized TCP packet was detected and refused.

    UDP Dropped - An unauthorized UDP packet was detected and refused.

    Web access request dropped - A Web access request was detected and refused.

    Events Logged as Attacks

    Attacks - Events categorized by the SonicWALL as attacks are e-mailed to you if you have configured the automation section of Logging. Attacks can be Smurf, Ripper, IP Spoof, or other events. Attacks are logged as listed below:

    Fragmented Packet Dropped - The SonicWALL refused a fragmented packet.

    IPSec (ESP) packet dropped - An IPSec packet was dropped by the SonicWALL.

    Port configured to receive IPSEC Only. Drop packet received in the clear. - The SonicWALL is configured to receive IPSec packets only, therefore, unencrypted packets are dropped.

    ICMP Dropped - ICMP uses datagrams of various types for communicating control messages between hosts and routers on a TCP/IP network. In this case, the communication was dropped by the SonicWALL.

    Denied TCP connection from LAN - The SonicWALL refused a TCP connection from the LAN.

    Unknown Protocol Dropped - The SonicWALL has detected and refused an unknown protocol.

    Internet Access restricted to authorized users. Drop packet received in the clear.

    IPSec (AH) packet dropped - The SonicWALL has detected and refused an IPSec packet encrypted using AH.

    Ping of death blocked - The SonicWALL has detected an attempted Ping of Death attack by detecting grossly oversized ICMP packets and rejecting them.

    IP Spoof Detected - A packet whose source IP address and arrival interface conflict with the SonicWALL route table was detected and rejected by the SonicWALL.

    Possible Syn Flood Attack - The SonicWALL has detected and prevented a possible SYN attack, a type of denial of service attack.

    Probable Syn Flood Attack - The SonicWALL has detected and prevented a probable SYN attack, a form of denial of service attack.

    Land Attack Dropped - The SonicWALL has detected and blocked SYN packets whose source IP addresses are spoofed to be the same as the destination IP addresses.

    Administrator login Failure - incorrect password - Someone attempted to log into the SonicWALL using the wrong password.

    Unknown IPSec SPI - The SonicWALL has detected and blocked an unknown IPSec SPI attempting to connect to the SonicWALL.

    IPSec Authentication Failed - The parameters for an IPSec connection do not match and authentication failed.

    Senna Spy Attack Dropped - The SonicWALL has detected and prevented a trojan attack.

    Priority Attack Dropped - The SonicWALL has detected and prevented a priority attack.

    Ini Killer Attack Dropped - The SonicWALL has detected and prevented a trojan attack.

    Smurf Amplification Attack Dropped - The SonicWALL has detected and prevented a Denial of Service attack.

    Possible Port Scan Dropped - A possible port scan was detected and rejected by the SonicWALL.

    Probable TCP NULL scan - The SonicWALL has detected TCP frames with a sequence number of zero and all control bits set to zero and rejected them.

    IPSEC Replay Detected - An IPSec Replay was detected and rejected by the SonicWALL.

    Forbidden E-Mail attachment deleted - When enabled on the SonicWALL, the logging file records forbidden e-mail attachments received by the SonicWALL.

    TCP Xmas Tree Blocked - The SonicWALL detected and blocked a TCP Xmas Tree scan.

    User login failure rate exceeded - source address locked out - A user has attempted logging into the SonicWALL with incorrect credentials.

    IPSec Decryption Failed - The SonicWALL was unable to decrypt the IPSec packets.

    IPSec packet to or from an illegal host - The SonicWALL detected an IPSec packet with a source or destination IP address that does not match any security policies configured on the SonicWALL.

    Back Orifice Attack Dropped - Back Orifice is a two part application consisting of a client and server piece. The client application running on one computer can be used to monitor and control a second computer running the server application. The SonicWALL has detected and dropped this attack.

    NetBus Attack Dropped - NetBus is a well-known back door Trojan attack. The SonicWALL has detected and dropped this attack.

    Net Spy Attack Dropped - The SonicWALL has detected and dropped a Net Spy attack.

    Sub Seven Attack Dropped - The SonicWALL has detected and dropped the Trojan attack, Sub Seven.

    Ripper Attack Dropped - The SonicWALL has detected and dropped a Ripper Attack.

    Striker Attack Dropped - The SonicWALL has detected and dropped a Striker Attack.

    Probable Port Scan Dropped - The SonicWALL detected an excessive number of port scans and dropped the traffic.

    Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. - The SonicWALL Anti-Virus subscription has expired. Renew your subscription at http://www.mysonicwall.com.

    Forbidden E-Mail attachment disabled - When configured on the SonicWALL, forbidden e-mail attachments are disabled.

    Events Logged as Blocked

    If an event is configured as blocked, a log message records the event when access is attempted from the SonicWALL. Blocked events include ActiveX, Java, Newsgroups, or Web sites.

    Probable TCP FIN scan - The SonicWALL has detected and blocked traffic resembling a TCP FIN scan.

    Probable TCP XMAS scan - The SonicWALL has detected and blocked TCP traffic with a sequence number of zero and the FIN, URG, and PUSH bits set.

    Probable TCP NULL scan - The SonicWALL has detected and blocked TCP traffic with a sequence number of zero and all the control bits are set.

    E-Mail fragment dropped - When configured on the SonicWALL, e-mail fragments are prevented from accessing the SonicWALL.

    Malformed IP packet dropped. - The SonicWALL has detected and blocked a malformed IP packet.

    FTP: PORT bounce attack dropped. - The SonicWALL has detected and blocked a Port bounce attack.

    FTP: PASV response bounce attack dropped. - The SonicWALL has detected and blocked a PASV response bounce attack which is a Denial of Service attack.

    Web site blocked - When an attempt is made by a user on the network to access a blocked Web site, the computer IP address, Ethernet address, the name of the blocked Web site, and the Content Filter code are displayed as the log message.

    Newsgroup blocked - When an attempt is made by a user on the network to access a blocked newsgroup, the computer IP address, Ethernet address, the name of the blocked newsgroup, and the Content Filter code are displayed as the log message.

    Web site accessed - When a Web site is accessed by a user on the network, the computer IP address, Ethernet address, and the name of the Web site are displayed as the log message.

    Newsgroup accessed - When a newsgroup is accessed by a user on the network, the computer IP address, Ethernet address, and the name of the Web site are displayed as the log message.

    ActiveX blocked - When ActiveX is blocked, the log message displays the source and destination IP address of the attempted connection.

    Java blocked - When Java is blocked, the log message displays the source and destination IP address of the attempted connection.

    ActiveX or Java archive blocked - When ActiveX and Java archives are blocked, the log message displays the source and destination IP address of the attempted connection.

    Events Logged as Debug

    When Network Debug is selected, events are logged on the SonicWALL to allow you to troubleshoot problematic connections or security policies.

    Cookie removed - When cookies are blocked, the log message displays the source and destination IP address of the attempted connection.

    IPSec packet dropped; waiting for pending IPSec connection - Previous IPSec (ESP) connection for pass-through is not complete. New IPSec connection cannot be started and the IPSec (ESP) packet is dropped.

    IPSec connection interrupt - The SonicWALL is not in an acceptable condition for IPSec passthrough.

    ARP timeout - The allowable time for a requested ARP response has expired.

    Broadcast packet dropped - A nonallowed broadcast packet is dropped.

    No ICMP redirect sent - A nonallowed packet was received that generated an ICMP redirect, however, the source and destination is unknown. Therefore, no ICMP redirect was sent.

    Out-of-order command packet dropped - While processing an FTP connection, an out of order packet was detected and dropped.

    Failure to add data channel - While processing an FTP connection, the SonicWALL was unable to create a new connection cache entry. Possibly, there are no more available connections.

    RealAudio decode failure - While processing a RealAudio stream, a decode failure occurred.

    NAT translated packet exceeds size limit, packet dropped - While performing NAT, a packet is larger than the allowable limit and was dropped.

    IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. - An IKE responder requires XAUTH, but it is not supported by the peer.

    Source routed IP packet dropped - A packet with source route options was detected, but the IP header was larger than the allowed size and was dropped.

    DHCP DISCOVER received from local device - A local DHCP client on the SonicWALL network is attempting to locate a DHCP server.

    DHCP REQUEST received from local device - A local DHCP client on the SonicWALL is requesting a DHCP lease.

    Duplicate packet dropped - Two or more identical packets received. Any packets received after the initial packet were dropped by the SonicWALL.

    No HOST tag found in HTTP request - An HTTP request was received by the SonicWALL without the required HOST tag. The request was ignored.

    Received fragmented packet or fragmentation needed - A packet larger than the configured MTU was received or a packet with a fragmented bit was received when fragmentation support is not configured on the SonicWALL.

    Log Debug - A state-specific log message used to assist SonicWALL technical support with unusual issues experienced by customers.

    VPN Log Debug - A state-specific log message used to assist SonicWALL technical support with unusual issues experienced by customers.

    Firewall access from LAN - The SonicWALL management interface was accessed from the LAN.

    DHCP RELEASE received from remote device - A DHCP Client has released its DHCP lease.

    Issuer match failed - The certificate issuer information does not match the SonicWALL certificate information.

    DHCP lease relayed to remote device - A DHCP lease was sent to a remote device from a local device.

    DHCP REQUEST received from remote device - A DHCP lease was requested from a remote device.

    DHCP DISCOVER received from remote device - A remote DHCP client is trying to locate a DHCP server on the SonicWALL network.

    DHCP DECLINE received from remote device - A remote DHCP client has refused the proposed DHCP lease.

    DHCP OFFER received from server - The DHCP server has offered a DHCP lease to a client.

    DHCP NAK received from server - The DHCP server has denied the DHCP server's lease request.

    IPSec (ESP) packet dropped; waiting for pending IPSec connection - Previous IPSec (ESP) connection for pass-through is not complete. New IPSec connection cannot be started and the IPSec (ESP) packet is dropped.

    IPSec (AH) packet dropped; waiting for pending IPSec connection - Previous IPSec (AH) connection for pass-through is not complete. New IPSec connection cannot be started and the IPSec (AH) packet is dropped.

    Events Logged as System Errors

    Events categorized as System Errors are logged by the SonicWALL. System errors can include hardware failures, high availability issues, expired subscription notification, and diagnostic codes.

    Problem sending log email; check log settings - When configured on the SonicWALL, log files from the SonicWALL are e-mailed to the address configured on the Log Automation page. Check the settings on your Log Automation page if you see this error message.

    NAT could not remap incoming packet - The SonicWALL cannot remap an incoming packet to the correct destination.

    License exceeded: Connection dropped because too many IP addresses are in use on your LAN - You have too many users on your network and not enough licenses to support them.

    Diagnostic Code D - Error detected during software encryption or decryption of IPSec packets.

    Primary missed heartbeats from Active Backup: Primary going Active - The Backup SonicWALL became active when the Primary failed. Now the Backup is not sending heartbeats to the Primary causing a failback to the Primary SonicWALL.

    Primary received error signal from Active Backup: Primary going Active - The Backup SonicWALL is in an error state causing it to send error signals to the Primary SonicWALL. The Primary takes over as the main SonicWALL.

    Backup firewall being preempted by Primary - The Primary firewall is taking over as the main firewall.

    Error setting the IP address of the backup, please manually set to backup LAN IP - The Primary firewall encountered a problem trying to synchronize the LAN IP settings. You must manually configure the LAN IP address on the Backup SonicWALL.

    Content filter subscription expired. - Your content filter subscription is no longer valid. You must renew it on http://www.mysonicwall.com.

    Primary WAN link down, Backup going Active - For the TELE3 SP, the primary WAN link is down, and the backup (modem) is going to be the primary WAN link.

    Global VPN Client License Exceeded: Connection denied. - You do not have enough licenses for the Global VPN Clients on your network. You can get more licenses at http://www.mysonicwall.com

    Global VPN Client connection is not allowed. Appliance is not registered. - You must register your SonicWALL appliance at http://www.mysonicwall.com in order to use your Global VPN client.

    Probing failure on %s - If probing is configured on the SonicWALL, probing has encountered a problem causing it to fail.

    %s Ethernet Port Down - The Ethernet port is not able to send data.

    Illegal LAN address in use - An IP address outside of the configured scope is in use.

    The cache is full; %d open connections; some will be dropped - The SonicWALL connection cache is full and some connections will be dropped.

    Diagnostic Code A - The Watchdog detected a suspended task.

    Diagnostic Code C - The Watchdog detected low memory resources.

    Diagnostic Code E - Failed to allocate memory for Encryption or Authentication keys.

    Primary firewall has transitioned to Idle - The Backup SonicWALL is now the active firewall and the Primary is now the Backup SonicWALL.

    Backup missed heartbeats from Active Primary: Backup going Active - The Active Primary firewall did not send heartbeats to the Backup, therefore the Backup is taking over as the Primary Firewall.

    Backup received error signal from Active Primary: Backup going Active - An error condition exists on the Active Primary firewall and the Backup firewall is becoming the Primary firewall.

    Primary firewall preempting Backup - The Primary firewall has become active again and is taking over as the Primary firewall.

    Backup going Active in preempt mode after reboot - After rebooting the SonicWALL and HA is enabled, the Backup SonicWALL is configured to be active instead of the Primary SonicWALL.

    Error updating HA peer configuration - Configuration changes could not be updated on the Primary and Backup firewalls.

    Backup WAN link down, Primary going Active - The modem connection on the TELE3 SP lost its dial-up connection and the WAN connection is becoming the primary connection.

    Failed to synchronize Relay IP Table

    Blocked Quick Mode for Client using Default KeyId - The SonicWALL blocked Quick Mode negotiation with the Global VPN Client using the default keyID.

    The current WAN interface is not ready to route packets.

    %s Ethernet Port Up - The Ethernet Port has returned to active status.

    The network connection in use is %s - The network connection is the specified source.

    Requesting CRL From - A VPN Certificate Revocation List was received from the specified location.

    CRL Loaded From - A Certificate Revocation List was loaded from the specified location.

    Failed to get CRL From - The SonicWALL was unable to retrieve a Certificate Revocation List.

    Not Enough Memory to hold the CRL - The SonicWALL did not have enough RAM available when retrieving the Certificate Revocation List.

    Events Logged as System Maintenance

    Events relating to network connections such as PPPoE, PPTP, and L2TP as well as system start up are logged as system maintenance entries.

    Connection Timed Out - A connection cache entry timed out. Connection has been dropped.

    Can't Connect to the CRL Server - The SonicWALL is unable to connect to the CRL server.

    Unknown Reason - A state-specific log message used to assist Tech Support with diagnosing unusual customer issues.

    Failed to Process CRL From - The SonicWALL was unable to process a retrieved CRL from the specified location.

    Bad CRL Format - A CRL was received in an incorrect format.

    Issuer Match Failed - A CRL list was received from an unauthorized provider.

    Certificate on Revoked List - A VPN connection was attempted using an unauthorized certificate.

    No Certificate for - A VPN connection was attempted using a non-existent certificate.

    SonicWALL activated - The SonicWALL is now up and actively managing your connection.

    Starting PPPoE discovery - The SonicWALL is looking for the PPPoE connection.

    PPPoE discovery process complete - The SonicWALL has located the PPPoE connection.

    PPPoE starting PAP Authentication - The SonicWALL is beginning to authenticate with the remote PPPoE connection using PAP (Password Authentication Protocol).

    PPPoE PAP Authentication success - The SonicWALL has successfully authenticated to the remote PPPoE connection.

    PPPoE PAP Authentication Failed - The SonicWALL failed to authenticate to the remote connection. Check your network settings.

    PPPoE PAP Authentication Failed. Please verify PPPoE username and password. - The PPPoE connection failed due to an incorrect username and password. Check the network settings on the SonicWALL for the correct username and password.

    PPPoE starting CHAP Authentication - The SonicWALL is attempting to authenticate to the PPPoE connection using CHAP (Challenge Handshake Authentication Protocol).

    PPPoE CHAP Authentication Failed - The PPPoE connection failed to authenticate using CHAP.

    Disconnecting PPPoE due to traffic timeout - The PPPoE connection timed out because there was not enough network traffic to keep it active.

    PPPoE Network Connected - The PPPoE connection is successfully connected.

    PPPoE Network Disconnected - The PPPoE connection is disconnected.

    PPPoE LCP Link Up - LCP is used in conjunction with PAP or CHAP to establish the connection. This link is up.

    PPPoE LCP Link Down - LCP is used in conjunction with PAP or CHAP to establish the connection. This link is down.

    No response from ISP Disconnecting PPPoE. - The ISP did not respond to the connection request. The negotiation is disconnected.

    PPPoE terminated - The PPPoE connection is terminated.

    L2TP Connect Initiated by the User - A request to connect to a L2TP server is initiated.

    L2TP Session Negotiation Started - Negotiation for a L2TP session has started.

    L2TP Tunnel Negotiation Started - Negotiation for a L2TP tunnel has started.

    L2TP Tunnel Established - The SonicWALL has established a L2TP tunnel.

    L2TP PPP Negotiation Started - The SonicWALL has begun PPP negotiation over the L2TP connection.

    L2TP PPP Authentication Failed - PPP Authentication failed. Check your L2TP settings.

    L2TP Session Disconnect from Remote - The remote site has disconnected the L2TP session.

    L2TP LCP Down - LCP is a protocol used as part of the authentication process. LCP is unavailable.

    L2TP LCP Up - LCP is a protocol used as part of the authentication process. LCP is available.

    Disconnecting L2TP Tunnel due to traffic timeout. - The L2TP tunnel is disconnected due to inactivity on the connection.

    L2TP Disconnect Initiated by the User - Disconnection from the remote L2TP connection is requested by a user.

    L2TP Max Retransmission Exceeded - Retransmission of data has exceeded the maximum allowed retransmissions.

    L2TP PPP link down - The PPP link is down.

    PPTP Connect Initiated by the User - A user has initiated a PPTP connection.

    PPTP Control Connection Negotiation Started - Negotiation has been initiated for PPTP Control Connection.

    PPTP Control Connection Established - PPTP Control Connection has been successfully established.

    PPTP PPP Negotiation Started - The PPTP connection has begun PPP negotiations.

    PPTP PPP Link Up - The PPP link is up.

    PPTP PPP Link down - The PPP link is down.

    PPTP PPP Up - PPP callback is up.

    PPTP PPP Down - PPP callback is down.

    PPTP PPP Session Up - The PPTP Session is up.

    PPTP PPP Authentication Failed - PPP authentication has failed.

    PPTP starting PAP Authentication - The SonicWALL is establishing a PPTP connection using PAP for authentication.

    PPTP PAP Authentication success. - PAP authentication is successful. Data can be sent via the PPTP connection.

    PPTP PAP Authentication Failed - PAP authentication failed. Check your SonicWALL network settings.

    PPTP PAP Authentication Failed. Please verify PPTP username and password - Check your SonicWALL network settings to verify your username and password.

    PPTP Max Retransmission Exceeded - Attempts to retransmit data have exceeded the number of allowed retransmissions.

    PPTP Tunnel Disconnect from Remote - The PPTP tunnel is disconnected from the remote location.

    PPTP Session Disconnect from Remote - The PPTP tunnel is disconnected from the remote location.

    PPTP LCP Down - LCP is a protocol used as part of the authentication process. LCP is unavailable.

    PPTP LCP Up - LCP is a protocol used as part of the authentication process. LCP is available.

    PPTP starting CHAP Authentication - The PPTP connection is authenticating using CHAP.

    PPTP CHAP Authentication Failed. Please verify PPTP username and password - The authentication process failed. Check your network settings to verify that the information is correct.

    PPTP PPP Link Finished - The PPTP PPP link is complete.

    Disconnecting PPTP Tunnel due to traffic timeout - Due to inactivity on the connection, the PPTP tunnel is disconnecting.

    PPTP Session Negotiation Started - The SonicWALL is beginning to negotiate the PPTP sessions.

    Events Logged as User Activity

    Log events generated as User Activity include user login success and failure, administrator login success and failure, XAUTH success and failure, Access Rules added and deleted, remote user login success and failure, logout activity, modem events for the TELE3 SP, IKE events, and IPSec events.

    PPTP Session Established - The PPTP session is established by the SonicWALL.

    PPTP Disconnect Initiated by the User - A user has initiated a PPTP disconnect on the SonicWALL.

    HTTP management port has changed - The HTTP management port has changed. You must remember the port number to log into the SonicWALL.

    Administrator name changed - The administrator name has been changed on the SonicWALL. You need to remember the name in order to log into the SonicWALL.

    VPN disabled by administrator - VPN has been disabled on the SonicWALL. No VPN SAs are in effect and disabling VPN interrupts any current VPN connections.

    Log Cleared - The Log was cleared by clicking Clear Log on the Log View page.

    Restarting SonicWALL; dumping log to email - The SonicWALL is restarting either at a user's request or after changing settings on the SonicWALL. The log file is e-mailed to the address configured on the Log Automation page.

    Access attempt from host without Anti-Virus agent installed - Anti-Virus is required to be installed on all computers on the network if Anti-Virus is enabled on the SonicWALL.

    VPN enabled by administrator - VPN is enabled by the administrator by selecting Enable VPN on the VPN page.

    Log successfully sent via email - When configured, the SonicWALL e-mails the log files to the administrator.

    HTTPS management port has changed - The HTTPS management port was changed. You must remember the port number when attempting to manage the SonicWALL using HTTPS.

    SonicWALL initializing - The SonicWALL is restarting after uploading new firmware or resetting the appliance.

    Anti-Virus agent out-of-date on host - The Anti-Virus agent has not been updated. Update the agent for the latest virus information.

    Successful local user login - A user in the local database logged into the SonicWALL successfully.

    Unknown user attempted to log in - A user not configured on the SonicWALL attempted to log into the SonicWALL.

    Login screen timed out - The login screen with the username and password fields timed out.

    Successful administrator login - An administrator successfully logged into the SonicWALL.

    User login failed - RADIUS authentication failure - A user configured for RADIUS Authentication failed to log into the SonicWALL.

    User login failed - RADIUS configuration error - A user configured for RADIUS Authentication is improperly configured on the SonicWALL.

    Administrator logged out - A SonicWALL Administrator logged out of the SonicWALL.

    User logged out - A user has logged out of the SonicWALL.

    User logged out - inactivity timer expired - A user was logged out when the connection did not detect data transmission.

    Locked out user re-enabled by admin - A user attempted to log onto the SonicWALL but was locked out when authentication failed. The administrator has re-enabled the user's account.

    User login failed - incorrect password - A user attempted to log into the SonicWALL using the wrong password.

    Administrator login failed - incorrect password from the CLI - An administrator failed to log into the SonicWALL using the incorrect password over the CLI port.

    Successful remote user login - A remote user successfully logged into the SonicWALL.

    User login failed - RADIUS server timeout - A user could not log in because the RADIUS server timed out.

    User login failed - User has no privileges for login from that location - The user does not have privileges to log in from a specified location.

    Administrator logged out - inactivity timer expired - The SonicWALL did not detect any activity for specified time period and logged the Administrator out of the SonicWALL.

    User logged out - max session time exceeded - A user was logged out after exceeding the specified session time established for the user.

    Locked out user re-enabled - lockout period expired - A user attempted to log into the SonicWALL and failed resulting in the user becoming locked out of the SonicWALL. The time period for the lockout has expired.

    Administrator logged out from the CLI - The SonicWALL administrator logged out from the SonicWALL while using the CLI interface.

    VPN/IKE Log Events

    Dynamic IPSec client connected - A VPN client has connected to the SonicWALL.

    Incompatible IPSec Security Association - VPN SAs do not match each other.

    IKE Responder: IPSec proposal does not match (Phase 2) - The initiating SonicWALL sent an IPSec proposal that does not match the responding SonicWALL during Phase 2 negotiations.

    Starting IKE negotiation - The SonicWALL is beginning IKE negotiation by matching encryption, hash, and authentication algorithms, as well as Diffie-Hellman keys and the Security Protocol.

    IKE Responder: No matching Phase 1 ID found for proposed remote network - Phase 1 of the IKE negotiation failed because the information did not match on the responding SonicWALL's network.

    IKE Responder: No match for proposed remote network address - The information entered in the initiating SonicWALL's destination network field did not match the responding network information.

    IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address - The VPN tunnel is configured to terminate outside the responding firewall but the IP address for the local network is not the public IP address.

    IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN - The Security Association is configured to terminate on the responding DMZ but the IP address is a LAN IP address.

    IKE Responder: AH Perfect Forward Secrecy mismatch - Perfect Forward Secrecy is configured but the authentication does not match on the responding SonicWALL.

    IKE Responder: Algorithms and/or keys do not match - The responding SonicWALL does not have matching algorithms or keys. Check the configuration on both appliances.

    IKE Initiator: Start Quick Mode (Phase 2). - The initiating SonicWALL is beginning the second phase of Quick Mode negotiation. Quick Mode is used in SAs configured using AH or ESP.

    IKE SA lifetime expired. - The Security Association has expired because it has exceeded the configured lifetime.

    IKE Responder: Received Quick Mode Request (Phase 2) - The responding SonicWALL has received a request from the first SonicWALL to begin Phase 2 of Quick Mode negotiation.

    IKE Initiator: Aggressive Mode complete (Phase 1). - The initiating SonicWALL has completed Phase 1 of an Aggressive Mode negotiation.

    IKE Responder: Received Aggressive Mode request (Phase 1) - The responding SonicWALL has received a request from the initiating SonicWALL to begin Aggressive Mode (Phase 1) negotiations.

    IKE Initiator: Start Aggressive Mode negotiation (Phase 1) - The initiating SonicWALL is beginning Aggressive Mode Negotiation (Phase 1).

    IKE Responder: Aggressive Mode complete (Phase 1) - The responding SonicWALL has completed Aggressive Mode (Phase 1) negotiations.

    IKE Responder: IKE proposal does not match (Phase 1) - The responding SonicWALL does not have a matching IKE proposal from the initiating SonicWALL.

    IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway - The initiating SonicWALL has proposed a local network but the SA has no IP address in the Default LAN Gateway field.

    Failed payload verification after decryption - The payload in the Authentication header failed verification after it was decrypted.

    SA is disabled. Check VPN SA settings - The VPN SA was disabled by the administrator.

    Computed hash does not match hash received from peer - The hash algorithm for the SA does not match the peer hash algorithm. Check the configuration on each SonicWALL.

    Received IPSEC SA delete request - The SonicWALL has received a request to delete an IPSec Security Association.

    Received notify: INVALID_COOKIES - The SonicWALL has received notification of invalid cookies.

    Received notify: INVALID_SPI - The SPI is invalid on the SonicWALL. The VPN tunnel is not connected.

    VPN Cleanup: Dynamic network settings change - The network settings have changed and the SonicWALL is cleaning up the network information.

    Illegal IPSec SPI - The SPI is not authorized for connecting the VPN tunnel.

    IKE Responder: Accepting IPSec proposal (Phase 2) - The responding SonicWALL is accepting the initiating SonicWALL IPSec proposal.

    IKE negotiation complete. Adding IPSec SA. (Phase 2) - The initiating and responding SonicWALL appliances have successfully negotiated the VPN SA.

    IKE Responder: Mode %d - not tunnel mode - The responding SonicWALL is not in tunnel mode.

    IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route - The negotiating SonicWALL has proposed a network IP address but not the DHCP relay or default route IP address.

    IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route - The responding SonicWALL has determined that the initiating SonicWALL was not configured to use the SA as the default route for Internet traffic.

    IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall - The initiating SonicWALL is proposing a remote IP address that is not on the local network inside the remote firewall.

    IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ - The initiating SonicWALL is configured to terminate the VPN tunnel on the remote LAN but the IP address is on the remote DMZ.

    IKE Responder: ESP Perfect Forward Secrecy mismatch - The responding SonicWALL has a different authentication configured so the authentication doesn't match the initiating SonicWALL.

    IKE Initiator: Start Main Mode negotiation (Phase 1) - The initiating SonicWALL is starting Phase 1 of Main Mode negotiation and sending a request to the remote SonicWALL.

    IKE Initiator: Main Mode complete (Phase 1) - Phase 1 Main Mode has successfully completed negotiations on the initiating SonicWALL.

    IKE Responder: Received Main Mode request (Phase 1) - The responding SonicWALL has received a request from the initiating SonicWALL to begin Phase 1 Main Mode negotiations.

    IKE Responder: Main Mode complete (Phase 1) - The responding SonicWALL has completed Phase 1 Main Mode negotiations.

    IKE Initiator: Accepting IPSec proposal (Phase 2) - The initiating SonicWALL is in the process of accepting Phase 2 IPSec proposal.

    IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN - The initiating SonicWALL has received a notification from the responding SonicWALL that no proposal was chosen. Check the SA configuration on the initiating SonicWALL.

    IKE negotiation aborted due to timeout - The SonicWALL could not complete the IKE negotiation because the connection timed out.

    Failed payload verification after decryption. Possible preshared key mismatch - The Preshared Secret does not match and the SonicWALL cannot properly decrypt the packet.

    Received packet retransmission. Drop duplicate packet - The SonicWALL received two identical packets and dropped one of them.

    Received notify: ISAKMP_AUTH_FAILED - The SonicWALL could not authenticate and the VPN tunnel is not established.

    Received notify: PAYLOAD_MALFORMED - The payload packet was malformed and could not be decrypted.

    Received IKE SA delete request - The responding SonicWALL received a Phase 1 delete request from the initiating SonicWALL.

    Received notify: RESPONDER_LIFETIME - The initiating SonicWALL received notification that the responding SonicWALL is using a lifetime different from the lifetime on the initiating SonicWALL.

    IKE Initiator: Accepting peer lifetime. (Phase 1) - The initiating SonicWALL is accepting the SA lifetime configured on the responding SonicWALL.

    Received notify: INVALID_ID_INFO - The SonicWALL received notification that its Phase 1 ID is not correct.

    Modem Log Events

    PPP Dial-Up: Dialing: %s - The TELE3 SP is dialing the telephone number configured in its dial-up profile.

    PPP Dial-Up: No link carrier detected - check phone number - The SP could not connect because no phone carrier was detected.

    PPP Dial-Up: Dialed number did not answer - The dialed number did not answer.

    PPP Dial-Up: Link carrier lost - The SP lost the connection to the phone carrier.

    PPP: PAP Authentication failed - check username/password - Authentication with the dial-up ISP failed due to incorrect username and/or password. Check your dial-up profile.

    PPP: MS-CHAP authentication failed - check username/password - Authentication with the dial-up ISP failed due to incorrect username and/or password. Check your dial-up profile.

    PPP: Starting CHAP authentication - The authentication process with the dial-up ISP is beginning.

    PPP Dial-Up: PPP negotiation failed - disconnecting - The SP failed PPP negotiation with the dial-up ISP and is disconnecting from the ISP.

    PPP Dial-Up: Failed to get IP address - The SP could not obtain an IP address from the dial-up ISP.

    PPP Dial-Up: PPP link established - The SP has established a PPP link with the dial-up ISP.

    PPP Dial-Up: Shutting down link - The phone connection is shutting down.

    PPP Dial-Up: User requested disconnect - A request to disconnect from the dial-up ISP has been made by a user.

    PPP Dial-Up: Connect request canceled - A manual connection request is canceled.

    PPP Dial-Up: Trying to failover but Primary Profile is manual - The SP is attempting to failover from the WAN port to the modem, but the Primary Dial-up profile is configured for manual dialing.

    PPP Dial-Up: No dialtone detected - check phone-line connection - The SP did not detect a dialtone when trying to dial the ISP using the modem.

    PPP Dial-Up: Dialed number is busy - The phone number configured in the dial-up profile is busy.

    PPP Dial-Up: Connected at %s bps - starting PPP - The modem has successfully dialed the ISP and connected to it. The SP is now beginning PPP negotiations.

    PPP: Authentication successful - The SP successfully authenticated with the dial-up ISP. Data can now be transmitted using this connection.

    PPP: CHAP authentication failed - check username/password - The SP could not authenticate to the dial-up ISP with the configured username and/or password. Check the dial-up profile information.

    PPP: Starting MS-CHAP authentication - The SP is beginning authentication with the dial-up ISP.

    PPP: Starting PAP authentication - The SP is beginning authentication with the dial-up ISP.

    PPP Dial-Up: Idle time limit exceeded - disconnecting - No data has been transmitted for a specified period of time; therefore, the SP is disconnecting from the ISP.

    PPP Dial-Up: Received new IP address - The SP received a new IP address from the dial-up ISP.

    PPP Dial-Up: PPP link down - The PPP link is down and the SP cannot connect to the ISP.

    PPP Dial-Up: Initialization : %s - The modem is initializing.

    PPP Dial-Up: User requested connect - A user on the SP has requested a connection via the modem.

    PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details - Configuration of the dial-up profile may be incorrect. Check the profile and verify the information.

    PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic - The SP is not connected to the WAN with an Ethernet cable. The SP will dial the ISP when outbound data is detected.

    Other User Activity Log Events

    XAUTH Succeeded with VPN client - The VPN Client successfully authenticated using XAUTH.

    XAUTH Failed with VPN client, Cannot Contact RADIUS Server - The VPN SA is configured to require XAUTH using a RADIUS server, however, it cannot contact the RADIUS server. Verify your RADIUS settings.

    Received a path MTU icmp message from router/gateway - The SonicWALL received a routing message from a router and/or gateway on the network.

    NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is enabled and the local SonicWALL discovered a NAT/NAPT device in front of the remote SonicWALL.

    NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways - NAT Traversal is enabled on the SonicWALL and the SonicWALL did not detect a NAT/NAPT device on a VPN tunnel between two SonicWALL appliances.

    Access Rule added - An Access Rule was added to the SonicWALL. The type of rule is described in the Notes section of the View Log page.

    Access Rule deleted - An Access Rule was deleted from the SonicWALL. The type of rule is described in the Notes section of the View Log page.

    PPPoE user name changed by Administrator - The PPPoE user name was changed by the Administrator.

    Web access request received - The SonicWALL received a Web access request from the LAN.

    XAUTH Failed with VPN client, Authentication failure - A remote user using VPN Client to access the SonicWALL did not authenticate using XAUTH.

    VPN Client Policy Provisioning - A VPN Client has received its VPN SA configuration from the SonicWALL.

    NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is enabled and has detected a NAT/NAPT device between the SonicWALL and the WAN.

    NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal - NAT Traversal is enabled on the SonicWALL, but it is trying to connect to a VPN Gateway that doesn't support NAT Traversal.

    Access Rule modified - An Access Rule has been modified on the SonicWALL. The type of rule is described in the Notes section of the View Log page.

    Access Rules restored to defaults - The SonicWALL has restored the default rule set.

    Events Logged as VPN Statistics

    Three events are categorized as a VPN statistic: VPN TCP SYN, VPN TCP FIN, and VPN TCP PSH.

    Wireless Log Events

    For the SOHO TZW, 802.11b authentication and association messages are recorded as Log Events.

    802.11b Management >Disassociated - Reason: A wireless client has disassociated from the SOHO TZW.

    802.11b Management >Association Failed - Reason: The TZW has reached the maximum associated wireless clients.

    802.11b Management >Associated - Reason : A wireless client is associated on the TZW.

    802.11b Management >Association Failed - Reason: The wireless client attempted to use an unsupported authentication algorithm.

    802.11b Management > ACL Check Passed - Reason: The wireless client passed MAC ACL check.

    802.11b Management > ACL Check Failed - Reason: The wireless client failed MAC ACL check.

    802.11b Management > Authentication Failed - Reason: Wireless client authentication failed because client authentication packet sequence is out of order.

    802.11b Management > Authentication Failed - Reason: A wireless client attempted to authenticate using Open System WEP encryption which is not allowed on the TZW.

    802.11b Management > Authentication Failed - Reason - A wireless client attempted to authenticate using an unknown algorithm.

    802.11b Management > Deauthenticated - An authenticated user has logged out of the TZW.

    User Login Failed - User has no privileges for wlan guest services - A wireless user attempted to log into the WLAN but does not have privileges to do so.

    wlan firmware image has been updated - The wireless radio card has been updated with new firmware.

    Packet dropped by wlan guest check - A packet did not match the guest check requirements on the WLAN.

    Packet dropped by wlan vpn traversal check - A packet did not meet WLAN VPN traversal requirements and was dropped.

    WLAN disabled by administrator - The administrator disabled the WLAN port.

    WLAN enabled by administrator - The administrator enabled the WLAN port.

    Syslog Only Entries

    The following messages only appear in the syslog output. These messages do not appear in the SonicWALL Management Interface Log>View page.

    WiFiSec Enforcement disabled by administrator - The administrator has disabled WiFiSec and VPN is no longer enforced on the WLAN.

    WiFiSec Enforcement enabled by administrator - WiFiSec is enabled and VPN is required to access the WLAN.

    Wireless MAC Filter List enabled by administrator - Wireless MAC Filter List is enabled and wireless cards access the WLAN using the MAC address as part of the authentication process.

    Wireless MAC Filter List disabled by administrator - Wireless card MAC addresses are no longer required as part of the authentication process.

    802.11b Management - Activity on 802.11b is listed in the Notes column.

    wlan recovery - WLAN network has recovered from an error.

    Connection Opened - The firewall has identified a TCP or UDP packet transfer through the firewall; contains bytes sent, and IP addresses and port numbers for both source and destination.

    Connection Closed - The firewall has identified a TCP or UDP packet transfer through the firewall that has finished; contains bytes sent, and IP addresses and port numbers for both source and destination.

    m=97 - Special type of connection closed entry for HTTP connections; also includes dstname and arg (which together form the URL), and the IP addresses and port numbers for both source and destination.
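
    Added example (not part of the SonicWALL guide): Python code that rebuilds the URL of an m=97 entry from dstname and arg, and counts the failed-login messages listed under the user activity events per source. The key=value entry layout, the msg and src field names, and the sample entries are assumptions constructed for illustration; only m, dstname, arg and the message texts come from this guide.

```python
import re
from collections import defaultdict

# Assumption: an entry is a run of key=value pairs, values optionally quoted.
# The guide names only m, dstname and arg; msg and src are hypothetical fields.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Message texts as listed in the guide's user activity entries.
FAILED = {
    "User login failed - incorrect password",
    "User login failed - RADIUS authentication failure",
    "Administrator login failed - incorrect password from the CLI",
    "Unknown user attempted to log in",
}
SUCCESS = {"Successful administrator login", "Successful local user login",
           "Successful remote user login"}

def parse_entry(line):
    """Split one entry into a dict, removing quotes around quoted values."""
    fields = {}
    for key, val in PAIR.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def http_url(entry):
    """Rebuild the URL of an m=97 (HTTP) entry from dstname and arg, else None."""
    if entry.get("m") != "97" or "dstname" not in entry:
        return None
    return "http://" + entry["dstname"] + entry.get("arg", "")

def login_triage(entries, threshold=3):
    """Report sources with >= threshold failed logins, noting a later success."""
    fails, report = defaultdict(int), {}
    for e in entries:
        msg, src = e.get("msg", ""), e.get("src", "unknown")
        if msg in FAILED:
            fails[src] += 1
        elif msg in SUCCESS and fails[src] >= threshold:
            report[src] = "success after %d failures" % fails[src]
    for src, n in fails.items():
        if n >= threshold:
            report.setdefault(src, "%d failures, no success" % n)
    return report

# Constructed sample entries (not taken from a real appliance).
SAMPLE = """\
msg="User login failed - incorrect password" src=192.0.2.10
msg="User login failed - incorrect password" src=192.0.2.10
msg="Unknown user attempted to log in" src=198.51.100.7
msg="User login failed - incorrect password" src=192.0.2.10
msg="Successful remote user login" src=192.0.2.10
m=97 src=10.0.0.5:1045 dst=203.0.113.9:80 dstname=www.example.com arg="/index.html?id=7"
"""

if __name__ == "__main__":
    entries = [parse_entry(line) for line in SAMPLE.splitlines()]
    print(login_triage(entries))
    print([u for u in map(http_url, entries) if u])
```

    A successful login that follows a run of failures from the same source is reported separately from failures alone, since it is the case that most warrants a check of that account.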

    © 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.

    T: 408.745.9600

    F: 408.745.9300

    www.sonicwall.com

    SonicWALL, Inc.

    1143 Borregas Avenue

    Sunnyvale, CA 94089-1306

    P/N 232-000393-01

    Rev A2/ 04