This chapter describes Policy Database and Search Engine (PLCY) messages. For information on message content and how to use the message, refer to the Introduction.
PLCY.001
Level: UE-ERROR
Short Syntax: PLCY.001 Generic Error: errorString
Long Syntax: PLCY.001 Generic Error: errorString
Description: PLCY: An error occurred during the policy search. The error string indicates the type of error that occurred.
Action: Please contact your place of purchase and report the error message.
PLCY.002
Level: U-INFO
Short Syntax: PLCY.002 Begin building policy database, default rule configuration is defaultConfig
Long Syntax: PLCY.002 Begin building policy database, default rule configuration is defaultConfig
Description: PLCY: The policy search engine has been started. Step 1 is to create the rules for the default configuration.
PLCY.003
Level: U-INFO
Short Syntax: PLCY.003 number policies read from local configuration
Long Syntax: PLCY.003 number policies read from local configuration
Description: PLCY: X number of policies read locally from SRAM
PLCY.004
Level: U-INFO
Short Syntax: PLCY.004 Next refresh of policy DB in hour hour(s), min min(s) second second(s)
Long Syntax: PLCY.004 Next refresh of policy DB in hour hour(s), min min(s) second second(s)
Description: PLCY: A database refresh will occur automatically when the shown time has elapsed.
PLCY.005
Level: U-INFO
Short Syntax: PLCY.005 Automatic refresh of policy database is disabled
Long Syntax: PLCY.005 Automatic refresh of policy database is disabled
Description: PLCY: Policy Refresh has been disabled by the user
PLCY.006
Level: U-INFO
Short Syntax: PLCY.006 Marked list of valid policies, next check in seconds seconds
Long Syntax: PLCY.006 Marked list of valid policies, next check in seconds seconds
Description: PLCY: Performed a check of valid policies and marked each policy either valid or invalid based on the current time and the policy validity period. The check will be performed again when the next policy is scheduled to become invalid or valid, or an hour later, whichever comes first.
PLCY.007
Level: U-INFO
Short Syntax: PLCY.007 LDAP Policy Search FSM State state/Event event
Long Syntax: PLCY.007 LDAP Policy Search FSM State state/Event event
Description: PLCY: Information about events and the corresponding state changes that drive the policy state machine
PLCY.008
Level: UE-ERROR
Short Syntax: PLCY.008 DeviceProfile deviceProfileDN, objectClassType in LDAP Directory does not have a DeviceRulesReference
Long Syntax: PLCY.008 DeviceProfile deviceProfileDN, objectClassType in LDAP Directory does not have a DeviceRulesReference
Description: PLCY: The deviceprofile object in the directory does not have an attribute for DeviceRulesReference. This attribute must be present because it specifies the list of rules that should be fetched for this device.
Action: Update the deviceprofile object for this device with the reference to the device rules object.
PLCY.009
Level: UE-ERROR
Short Syntax: PLCY.009 Error occured during LDAP processing, error msg: errorMsg
Long Syntax: PLCY.009 Error occured during LDAP processing, error msg: errorMsg
Description: PLCY: An error occurred while connecting to, binding to, searching, or retrieving results from the LDAP directory. Please review the specific error message for more information.
PLCY.010
Level: U-INFO
Short Syntax: PLCY.010 Completed bind to LDAP server successfully
Long Syntax: PLCY.010 Completed bind to LDAP server successfully
Description: PLCY: Successfully completed the bind to the LDAP server. The device can now begin to search the directory for policy information.
PLCY.011
Level: UE-ERROR
Short Syntax: PLCY.011 Cannot access LDAP Server, route not available to IP Address ipAddr
Long Syntax: PLCY.011 Cannot access LDAP Server, route not available to IP Address ipAddr
Description: PLCY: Cannot perform a TCP connect for the LDAP connection until a route to the destination address of the LDAP server is available. The device will continue to try periodically. Note that this is normal when a net is first trying to pass selftest or when the routing protocols have not yet come up. Also try adding a static route to the LDAP server in the IP configuration.
PLCY.012
Level: U-INFO
Short Syntax: PLCY.012 Attempting connection to LDAP server at IP Address ipAddr, port number portnum
Long Syntax: PLCY.012 Attempting connection to LDAP server at IP Address ipAddr, port number portnum
Description: PLCY: Attempting to open a TCP connection to the LDAP Server on the specified port number
PLCY.013
Level: UE-ERROR
Short Syntax: PLCY.013 Error searching for policy info from LDAP, performing default action
Long Syntax: PLCY.013 Error searching for policy info from LDAP, performing default action
Description: PLCY: An error occurred while searching the directory for policy information. Because an error occurred, the policy search algorithm will perform the configured error handling procedure.
PLCY.014
Level: UE-ERROR
Short Syntax: PLCY.014 Referring object not found in the directory, Referring DN errorMsg, Error msg:
Long Syntax: PLCY.014 Referring object not found in the directory, Referring DN errorMsg, Error msg:
Description: PLCY: A referring object specified by a reference attribute was not found in the directory. Check that the reference is typed correctly and is indeed populated in the directory.
PLCY.015
Level: U-INFO
Short Syntax: PLCY.015 Searching LDAP for Object with dn: refDn
Long Syntax: PLCY.015 Searching LDAP for Object with dn: refDn
Description: PLCY: Informational message about the next object being searched for from LDAP Directory
PLCY.016
Level: UE-ERROR
Short Syntax: PLCY.016 DeviceRules object (DN = deviceRuleDN) not found in the directory, Error msg: errorMsg
Long Syntax: PLCY.016 DeviceRules object (DN = deviceRuleDN) not found in the directory, Error msg: errorMsg
Description: PLCY: The device rules object was not found in the directory. Please make sure this is configured in feature policy under talk 6 and that the object does indeed exist in the directory
PLCY.017
Level: UE-ERROR
Short Syntax: PLCY.017 No PolicyRuleReference attribute found in DeviceRule object deviceRuleDN
Long Syntax: PLCY.017 No PolicyRuleReference attribute found in DeviceRule object deviceRuleDN
Description: PLCY: The device rules object did not specify any policy rule references. There must be PolicyRuleReference attributes defined in the DeviceRules. This multi-valued attribute specifies which rules the device should fetch and load into the policy database for the device.
PLCY.018
Level: UE-ERROR
Short Syntax: PLCY.018 objectType ( objectName) retrieved from the LDAP server was in error
Long Syntax: PLCY.018 objectType ( objectName) retrieved from the LDAP server was in error
Description: PLCY: A policy object in the LDAP Directory had an error associated with it. Please check the object with the displayed name and make sure that the information it contains is correct
PLCY.019
Level: UE-ERROR
Short Syntax: PLCY.019 Value( value) out of range for LDAP Attribute attrString, valid range is lowVal to highVal
Long Syntax: PLCY.019 Value( value) out of range for LDAP Attribute attrString, valid range is lowVal to highVal
Description: PLCY: An attribute of an object being fetched from the directory was out of range. The valid range should have been displayed in the event log message. Please check this attribute and modify its value to be in this range.
PLCY.020
Level: UE-ERROR
Short Syntax: PLCY.020 Error occured while parsing attribute attrName, objectclass objName, value was value
Long Syntax: PLCY.020 Error occured while parsing attribute attrName, objectclass objName, value was value
Description: PLCY: An attribute of an object being fetched from the directory was in error. Either it was out of range, had an invalid value or some other error. Please check this attribute and modify its value to be correct.
PLCY.021
Level: U-INFO
Short Syntax: PLCY.021 Ignoring Attribute attrName in Class objName since it is not a recognized attribute
Long Syntax: PLCY.021 Ignoring Attribute attrName in Class objName since it is not a recognized attribute
Description: PLCY: An object was retrieved from the directory with an unrecognized attribute. This is not necessarily an error, since not all attributes are supported or recognized in a given object class and class definitions may have changed since this release of code. However, please check this attribute definition and make sure that it is indeed unnecessary for this device's operation. If you feel it is necessary, please contact the place of purchase with the information and have someone look into the problem.
PLCY.022
Level: U-INFO
Short Syntax: PLCY.022 Found object (DN: dn), parse using class def objName
Long Syntax: PLCY.022 Found object (DN: dn), parse using class def objName
Description: PLCY: An object was retrieved from the directory and the search algorithm is about to begin parsing the attributes for this class.
PLCY.023
Level: U-INFO
Short Syntax: PLCY.023 Query( queryType,), src: srcIPAddr,/ srcPortNum,,dst: dstIPAddr,/ dstPortNum,,prot: protocol,,DS: DiffServByte
Long Syntax: PLCY.023 Query( queryType,), src: srcIPAddr,/ srcPortNum,,dst: dstIPAddr,/ dstPortNum,,prot: protocol,,DS: DiffServByte
Description: PLCY: Received a policy query of the indicated type, with packet information specified via the parameters.
PLCY.024
Level: U-INFO
Short Syntax: PLCY.024 Result: Rule: ruleName,, Action: actionName,, Handle: moduleHandle
Long Syntax: PLCY.024 Result: Rule: ruleName,, Action: actionName,, Handle: moduleHandle
Description: PLCY: The policy query returned the decisions shown.
PLCY.025
Level: U-INFO
Short Syntax: PLCY.025 qType Rule matched: ruleName
Long Syntax: PLCY.025 qType Rule matched: ruleName
Description: PLCY: A specific rule has been matched. This message has been deprecated
PLCY.026
Level: U-INFO
Short Syntax: PLCY.026 Completed building policy DB, numRules rules loaded
Long Syntax: PLCY.026 Completed building policy DB, numRules rules loaded
Description: PLCY: Finished building the policy database with numRules
PLCY.027
Level: UE-ERROR
Short Syntax: PLCY.027 Not enough memory to build tree for policy database
Long Syntax: PLCY.027 Not enough memory to build tree for policy database
Description: PLCY: If this error message is encountered then the user must upgrade to more memory or substantially reduce the number of policies this device is attempting to enforce.
PLCY.028
Level: UE-ERROR
Short Syntax: PLCY.028 Dropping pkt, did not arrive in a secure ipsec tunnel, rule matched ruleName
Long Syntax: PLCY.028 Dropping pkt, did not arrive in a secure ipsec tunnel, rule matched ruleName
Description: PLCY: A packet should have arrived in a secure tunnel but the policy has detected the packet came in the clear. The packet will be dropped as a result. This could result from someone attempting to get into the protected network.
PLCY.029
Level: U-INFO
Short Syntax: PLCY.029 Phase 1 QueryType, Query returning no match for Phase 1 Rule RuleName, ( ConfiguredPolicyRole)
Long Syntax: PLCY.029 Phase 1 QueryType, Query returning no match for Phase 1 Rule RuleName, ( ConfiguredPolicyRole)
Description: PLCY: A match was found for the phase 1 rule, but the match cannot be returned because the configured phase 1 action only supported being an initiator or responder and this query is the opposite.
PLCY.030
Level: U-INFO
Short Syntax: PLCY.030 Proxy does not match selectors. Will not create neg item.
Long Syntax: PLCY.030 Proxy does not match selectors. Will not create neg item.
Description: PLCY: The first packet of a flow matches a profile in a rule but does not match the proxy values in the IPSEC action. The CPE acts as if there was no match to any IKE rule.
PLCY.031
Level: U-INFO
Short Syntax: PLCY.031 Created IKE Phase2 negotiated item.
Long Syntax: PLCY.031 Created IKE Phase2 negotiated item.
Description: PLCY: The first packet of a flow matches a profile in a rule and the corresponding proxy values in the IPSEC action. A new IKE Phase negotiated item is created to hold tunnel ID info.
PLCY.032
Level: U-INFO
Short Syntax: PLCY.032 Cannot Access LDAP Server, set the dflt tunnel endpoint info (set default)
Long Syntax: PLCY.032 Cannot Access LDAP Server, set the dflt tunnel endpoint info (set default)
Description: PLCY: The user must configure the tunnel endpoint (local and remote) information using the set default command in talk 6, feature policy. This is only necessary when the default rule behavior is drop all but LDAP or secure LDAP.
PLCY.033
Level: U-INFO
Short Syntax: PLCY.033 Phase 1 query, checked rule ruleName, for remote ID remoteId,, matchFound
Long Syntax: PLCY.033 Phase 1 query, checked rule ruleName, for remote ID remoteId,, matchFound
Description: PLCY: Informational message about the remote ID check during either the AGGRESSIVE MODE responder, MSG5 Responder, or MSG6 initiator case during the phase 1 ISAKMP negotiations. The match may fail for the rule being checked. If no match is found in any rule in the policy database, then either this user is indeed not allowed access to the network, or the user should be allowed access to the network and must be added to the user group for a policy.
PLCY.034
Level: U-INFO
Short Syntax: PLCY.034 Created IKE Phase1 negotiated item, cpeP1Handle 0x cpeP1Handle
Long Syntax: PLCY.034 Created IKE Phase1 negotiated item, cpeP1Handle 0x cpeP1Handle
Description: PLCY: A new IKE Phase negotiated item is created to hold Phase 1 negotiated information.
PLCY.035
Level: UE-ERROR
Short Syntax: PLCY.035 Phase2 IDCi/IDCr Proxy match failed, error: mismatchReason
Long Syntax: PLCY.035 Phase2 IDCi/IDCr Proxy match failed, error: mismatchReason
Description: PLCY: The IDci and IDcr match that is performed as an ISAKMP Phase2 responder failed. The information in this message will tell the user what failed. If there is no match, make sure the proxy configuration on the remote side matches the proxy configuration on the local side.
PLCY.036
Level: U-INFO
Short Syntax: PLCY.036 QuickMode Proxy Information: PeerIDci= remoteIDci, RuleIDci= ruleIDci, PeerIDcr= remoteIDcr, RuleIDcr= ruleIDCr
Long Syntax: PLCY.036 QuickMode Proxy Information: PeerIDci= remoteIDci, RuleIDci= ruleIDci, PeerIDcr= remoteIDcr, RuleIDcr= ruleIDCr
Description: PLCY: Displays the remote ISAKMP peer's value for proxy local and remote information. Also displays the IDci and IDcr configured in the policy being checked against. If these values do not match, an additional ELS message will be displayed. If they do not match, please ensure that the policies at each end of the tunnel are configured to match each other. A typical mistake is to configure different protocols or ports to put into the tunnel; they should match.
PLCY.037
Level: UE-ERROR
Short Syntax: PLCY.037 Encryption Algorithm encrAlgorithm for objectName not supported in this image
Long Syntax: PLCY.037 Encryption Algorithm encrAlgorithm for objectName not supported in this image
Description: PLCY: The message will be displayed whenever the policy database is being built and a configured encryption algorithm is detected that is not supported in the load. This can occur when you configure the box with a policy that contains an encryption algorithm that is supported in the current load image but then at a later point load the box with an image that does not support the configured encryption algorithm.
PLCY.038
Level: UE-ERROR
Short Syntax: PLCY.038 Object objectName, IP Address ipaddr is not a configured IP Address
Long Syntax: PLCY.038 Object objectName, IP Address ipaddr is not a configured IP Address
Description: PLCY: This message will be displayed whenever the policy engine detects a configuration that includes an IP Address that is not a valid IP Address on the box. This includes the tunnelStart in the default policy, in the IPSEC Action, and the interface pairs that are part of the profile.
PLCY.039
Level: U-INFO
Short Syntax: PLCY.039 Maximum number of IPSEC phase 2 tunnels reached, limit = limit
Long Syntax: PLCY.039 Maximum number of IPSEC phase 2 tunnels reached, limit = limit
Description: PLCY: This message will be displayed whenever the policy engine has a request to bring up a new tunnel and the number of active IKE negotiated IPSEC tunnels is already at the maximum.
PLCY.040
Level: U-INFO
Short Syntax: PLCY.040 Request to addOrDelete, an IKE phase phase1or2, tunnel, totals active totalActiveForPhase1or2
Long Syntax: PLCY.040 Request to addOrDelete, an IKE phase phase1or2, tunnel, totals active totalActiveForPhase1or2
Description: PLCY: This message will be displayed whenever the policy engine has a request to add or delete a phase 1 or phase 2 IKE tunnel. The number of active tunnels of that type is also displayed.
PLCY.041
Level: UE-ERROR
Short Syntax: PLCY.041 Key Lookup Failed, No User with ID Type idType, and Name userName
Long Syntax: PLCY.041 Key Lookup Failed, No User with ID Type idType, and Name userName
Description: PLCY: This message will be displayed whenever the policy engine has a request to look up the pre-shared key for an IKE peer and the user is not found. If this error is encountered, make sure this is a user that should be allowed access and, if so, make sure a user is added in the feature policy with the ID type and name matching this message.
PLCY.042
Level: U-INFO
Short Syntax: PLCY.042 Key Lookup Success, Found User with ID Type idType, and Name userName
Long Syntax: PLCY.042 Key Lookup Success, Found User with ID Type idType, and Name userName
Description: PLCY: This message will be displayed whenever the policy engine has a request to look up the pre-shared key for an IKE peer and the user is found. The user information will be displayed as part of this message.
PLCY.043
Level: U-INFO
Short Syntax: PLCY.043 Policy Time Event, Marked Policy ( policyName,) validOrInvalid, on Month,- date,- year, at hour,: minute,: second
Long Syntax: PLCY.043 Policy Time Event, Marked Policy ( policyName,) validOrInvalid, on Month,- date,- year, at hour,: minute,: second
Description: PLCY: This message will be displayed whenever the policy engine detects a time event that causes a policy to become valid or invalid.