Chapter 23 Log
Table 120 System Maintenance Logs (continued)
LOG MESSAGE | DESCRIPTION |
Too large ICMP packet has been dropped | The device dropped an ICMP packet that was too large. |
Configuration Change: PC = 0x%x, Task ID = 0x%x | The device is saving configuration changes. |
Table 121 Access Control Logs
LOG MESSAGE | DESCRIPTION |
Firewall default policy: [ TCP UDP IGMP ESP GRE OSPF ] <Packet Direction> | Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy’s setting. |
Firewall rule [NOT] match:[ TCP UDP IGMP ESP GRE OSPF ] <Packet Direction>, <rule:%d> | Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule. |
Triangle route packet forwarded: [ TCP UDP IGMP ESP GRE OSPF ] | The firewall allowed a triangle route session to pass through. |
Packet without a NAT table entry blocked: [ TCP UDP IGMP ESP GRE OSPF ] | The router blocked a packet that didn't have a corresponding NAT table entry. |
Router sent blocked web site message: TCP | The router sent a message to notify a user that the router blocked access to a web site that the user requested. |
Exceed maximum sessions per host (%d). | The device blocked a session because the host's connections exceeded the maximum sessions per host. |
Table 122 TCP Reset Logs
LOG MESSAGE | DESCRIPTION |
Under SYN flood attack, sent TCP RST | The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host). |
Exceed TCP MAX incomplete, sent TCP RST | The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold (the TCP incomplete count is per destination host). |
Peer TCP state out of order, sent TCP RST | The router sent a TCP reset packet when a TCP connection state was out of order. Note: The firewall refers to RFC793 Figure 6 to check the TCP state. |
Firewall session time out, sent TCP RST | The router sent a TCP reset packet when a dynamic firewall session timed out. |
| The default timeout values are as follows: |
| ICMP idle timeout: 3 minutes |
| UDP idle timeout: 3 minutes |
| TCP connection (three way handshaking) timeout: 270 seconds |
| TCP |
| the TCP header). |
| TCP idle (established) timeout (s): 150 minutes |
| TCP reset timeout: 10 seconds |
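The following is an added example, not code from the device or its vendor: it compiles the message templates from Tables 121 and 122 into regular expressions so that collected log messages can be classified and their fields (protocol, direction, rule number, session limit) extracted for triage. Assumptions: a log line prints exactly one protocol name from the bracketed list, the `<Packet Direction>` text contains no comma, and the angle brackets around `rule:%d` may or may not be printed; all function and key names are hypothetical.

```python
import re
from collections import Counter
# Message templates copied from Tables 121 and 122 on this page.
TEMPLATES = {
    "default_policy": "Firewall default policy: [ TCP UDP IGMP ESP GRE OSPF ] <Packet Direction>",
    "rule_match": "Firewall rule [NOT] match:[ TCP UDP IGMP ESP GRE OSPF ] <Packet Direction>, <rule:%d>",
    "no_nat_entry": "Packet without a NAT table entry blocked: [ TCP UDP IGMP ESP GRE OSPF ]",
    "max_sessions": "Exceed maximum sessions per host (%d).",
    "syn_flood_rst": "Under SYN flood attack, sent TCP RST",
    "max_incomplete_rst": "Exceed TCP MAX incomplete, sent TCP RST",
}
# Manual placeholders: [NOT], [ A B C ], <rule:%d>, <name>, %d, and whitespace.
TOKEN = re.compile(r"\[NOT\]|\[ ([A-Z ]+?) \]|<rule:%d>|<[^>]+>|%d|\s+")

def compile_template(tpl):
    out, pos = [], 0
    for m in TOKEN.finditer(tpl):
        out.append(re.escape(tpl[pos:m.start()]))  # literal text between tokens
        tok = m.group(0)
        if tok == "[NOT]":
            out.append(r"(?P<negated>NOT)?")
        elif m.group(1):  # protocol list: assumed that one name is printed
            out.append("(?P<proto>" + "|".join(m.group(1).split()) + ")")
        elif tok == "<rule:%d>":  # assumption: brackets may or may not be printed
            out.append(r"<?rule:\s*(?P<rule>\d+)>?")
        elif tok.startswith("<"):  # assumption: direction is free text, no comma
            out.append(r"(?P<direction>[^,]*?)")
        elif tok == "%d":
            out.append(r"(?P<num>\d+)")
        else:
            out.append(r"\s*")  # tolerate spacing differences
        pos = m.end()
    return re.compile("".join(out) + re.escape(tpl[pos:]))

PATTERNS = {name: compile_template(t) for name, t in TEMPLATES.items()}

def classify(message):
    for name, rx in PATTERNS.items():
        m = rx.fullmatch(message.strip())
        if m:  # keep only the fields this template actually captured
            return name, {k: v for k, v in m.groupdict().items() if v is not None}
    return "unrecognized", {}

# Constructed sample messages; the direction text "(W to L)" is a made-up value.
SAMPLE = ["Firewall rule NOT match:TCP (W to L), <rule:3>",
          "Under SYN flood attack, sent TCP RST",
          "Exceed maximum sessions per host (20)."]
def summarize(lines):
    return Counter(classify(line)[0] for line in lines)
```

Messages that come back as `unrecognized` are worth reviewing by hand, since they either belong to another table in this chapter or differ from the assumed layout.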