
COMPREHENSIVE INTERNET SECURITY ™

SonicWALL Internet Security Appliances


Log Event Reference Guide
Log Event Messages
The messages explained in this book are generated by the SonicWALL as part of its logging and
notification feature. The messages are useful for system administrators when monitoring and
operating the SonicWALL. There are eight categories of events:
• Dropped
• Attacks
• Blocked
• Network Debug
• System Errors
• System Maintenance
• User Activity
• VPN Statistics
Event Logging automatically begins when the SonicWALL is powered on and configured. The
SonicWALL supports a traffic log containing entries with multiple fields. An example of an entry is
displayed here:

[Figure: sample log entry, with callouts for Time and Date Stamp, Event Message, Source IP Address, Destination IP Address, Additional Information, and Rule Number (If Applicable)]

SonicWALL Log Messages
Each log entry contains the date and time of the event and a brief message describing the event. It
is also possible to copy the log entries from the management interface and paste them into a report. The
SonicWALL manages log events in the following manner:
• TCP, UDP, or ICMP packets dropped
When IP packets are dropped by the SonicWALL, dropped TCP, UDP and ICMP messages are
displayed. The messages include the source and destination IP addresses of the packet. The
TCP or UDP port number or the ICMP code follows the IP address. Log messages usually include
the name of the service in quotation marks.
• Web, FTP, Gopher, or Newsgroup blocked
When a computer attempts to connect to a blocked site or newsgroup, a log event is
displayed. Blocked is defined as a Web site, connection, or event that is denied access from the
SonicWALL. The computer’s IP address, Ethernet address, the name of the blocked Web site,
and the Content Filter List Code are displayed. Code definitions for the 12 Content Filter List
categories are shown below.

a=Violence/Profanity    g=Satanic/Cult
b=Partial Nudity        h=Drug Culture
c=Full Nudity           i=Militant/Extremist
d=Sexual Acts           j=Sex Education
e=Gross Depictions      k=Gambling/Illegal
f=Intolerance           l=Alcohol/Tobacco

Descriptions of the categories are available at <http://www.sonicwall.com/Content-Filter/categories.html>.
• ActiveX, Java, Cookie or Code Archive blocked
When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP
addresses of the connection attempt are displayed.
• Ping of Death, IP Spoof, and SYN Flood Attacks
The IP address of the machine under attack and the source of the attack are displayed. In most
attacks, the source address shown is fake and does not reflect the real source of the attack.
TIP! Some network conditions can produce network traffic that appears to be an attack, even when
no one is deliberately attacking the LAN. To follow up on a possible attack, contact your ISP to
determine the source of the attack. Regardless of the nature of the attack, your LAN is protected
and no further steps are needed.

Page 2 SonicWALL Internet Security Appliance Administrator’s Guide


Log Events
This section lists the log events by category. Each log event description includes an explanation of
its meaning, and if necessary, a recommended action.

Dropped Log Event Messages


Dropped - A dropped event is a service that is denied entry into the SonicWALL because it
violates configured or default security policies. No response is returned to the sender of the event.
The SonicWALL logs these events as follows:
TCP Dropped - An unauthorized TCP packet was detected and refused.
UDP Dropped - An unauthorized UDP packet was detected and refused.
Web access request dropped - A Web access request was detected and refused.
Fragmented Packet Dropped - The SonicWALL refused a fragmented packet.
IPSec (ESP) packet dropped - An IPSec packet was dropped by the SonicWALL.
Port configured to receive IPSEC Only. Drop packet received in the clear. - The SonicWALL is
configured to receive IPSec packets only, therefore, unencrypted packets are dropped.
ICMP Dropped - ICMP uses datagrams of various types to communicate control messages
between hosts and routers on a TCP/IP network. In this case, the communication was
dropped by the SonicWALL.
Denied TCP connection from LAN - The SonicWALL refused a TCP connection from the LAN.
Unknown Protocol Dropped - The SonicWALL has detected and refused an unknown protocol.
Internet Access restricted to authorized users. Drop packet received in the clear.
IPSec (AH) packet dropped - The SonicWALL has detected and refused an IPSec packet encrypted
using AH.

Events Logged as Attacks


Attacks - Events categorized by the SonicWALL as attacks are e-mailed to you if you have configured
the automation section of Logging. Attacks can be Smurf, Ripper, IP Spoof, or other events. Attacks
are logged as listed below:
Ping of death blocked - The SonicWALL has detected an attempted Ping of Death attack by
detecting grossly oversized ICMP packets and rejecting them.
IP Spoof Detected - A packet arrived at an interface with a source IP address that conflicts
with the SonicWALL route table, and was detected and rejected by the SonicWALL.
Possible Syn Flood Attack - The SonicWALL has detected and prevented a possible SYN attack, a
type of denial of service attack.
Probable Syn Flood Attack - The SonicWALL has detected and prevented a probable SYN attack,
a form of denial of service attack.
Land Attack Dropped - The SonicWALL has detected and blocked SYN packets whose source IP
addresses are spoofed to be the same as the destination IP addresses.
Administrator login Failure - incorrect password - Someone attempted to log into the SonicWALL
using the wrong password.
Unknown IPSec SPI - The SonicWALL has detected and blocked an unknown IPSec SPI
attempting to connect to the SonicWALL.
IPSec Authentication Failed - The parameters for an IPSec connection do not match and
authentication failed.
Senna Spy Attack Dropped - The SonicWALL has detected and prevented a trojan attack.
Priority Attack Dropped - The SonicWALL has detected and prevented a priority attack.
Ini Killer Attack Dropped - The SonicWALL has detected and prevented a trojan attack.
Smurf Amplification Attack Dropped - The SonicWALL has detected and prevented a Denial of
Service attack.
Possible Port Scan Dropped - A possible port scan was detected and rejected by the SonicWALL.
Probable TCP NULL scan - The SonicWALL has detected TCP frames with a sequence number of
zero and all control bits set to zero and rejected them.
IPSEC Replay Detected - An IPSec Replay was detected and rejected by the SonicWALL.
Forbidden E-Mail attachment deleted - When enabled on the SonicWALL, the logging file records
forbidden e-mail attachments received by the SonicWALL.
TCP Xmas Tree Blocked - The SonicWALL detected and blocked a TCP Xmas Tree scan.
User login failure rate exceeded - source address locked out - A user has attempted logging into
the SonicWALL with incorrect credentials.
IPSec Decryption Failed - The SonicWALL was unable to decrypt the IPSec packets.
IPSec packet to or from an illegal host - The SonicWALL detected an IPSec packet with a source
IP address that does not match any security policies configured on the SonicWALL.
Back Orifice Attack Dropped - Back Orifice is an attack that exploits the vulnerability of Microsoft
Back Office. The SonicWALL has detected and dropped this attack.
NetBus Attack Dropped - NetBus is a well-known back door Trojan attack. The SonicWALL has
detected and dropped this attack.
Net Spy Attack Dropped - The SonicWALL has detected and dropped a Net Spy attack.
Sub Seven Attack Dropped - The SonicWALL has detected and dropped the Trojan attack, Sub
Seven.
Ripper Attack Dropped - The SonicWALL has detected and dropped a Ripper Attack.
Striker Attack Dropped - The SonicWALL has detected and dropped a Striker Attack.

Probable Port Scan Dropped - The SonicWALL detected an excessive number of port scans and
dropped the traffic.
Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. - The SonicWALL
Anti-Virus subscription has expired. Renew your subscription at http://www.mysonicwall.com.
Forbidden E-Mail attachment disabled - When configured on the SonicWALL, forbidden e-mail
attachments are disabled.
Probable TCP FIN scan - The SonicWALL has detected and blocked traffic resembling a TCP FIN
scan.
Probable TCP XMAS scan - The SonicWALL has detected and blocked TCP traffic with a sequence
number of zero and the FIN, URG, and PUSH bits are set.
Probable TCP NULL scan - The SonicWALL has detected and blocked TCP traffic with a sequence
number of zero and all the control bits are set.
E-Mail fragment dropped - When configured on the SonicWALL, e-mail fragments are prevented
from accessing the SonicWALL.
Malformed IP packet dropped. - The SonicWALL has detected and blocked a malformed IP
packet.
FTP: PORT bounce attack dropped. - The SonicWALL has detected and blocked a Port bounce
attack.
FTP: PASV response bounce attack dropped. - The SonicWALL has detected and blocked a PASV
response bounce attack which is a Denial of Service attack.
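
The scan and Land Attack conditions described in the entries above, written out as a packet check. This is an added example, not SonicWALL code: the NULL scan rule follows the entry that reads "all control bits set to zero", the FIN-only rule for "Probable TCP FIN scan" is an assumption (the guide gives no bit pattern for it), and `build_packet` and `classify` are hypothetical names.

```python
import socket
import struct

# TCP control bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src, dst, seq, flags, sport=40000, dport=80):
    """Constructed sample input: bare IPv4 + TCP headers, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def classify(packet):
    """Return the guide's event name that a raw IPv4 packet would match."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    if packet[9] != socket.IPPROTO_TCP:
        return "not TCP"
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:    # a full TCP header must follow
        return "Malformed IP packet"
    src, dst = packet[12:16], packet[16:20]
    (seq,) = struct.unpack_from("!I", packet, ihl + 4)
    flags = packet[ihl + 13] & 0x3F           # keep the six classic control bits

    # Land attack: SYN whose source address equals its destination address.
    if flags & SYN and src == dst:
        return "Land Attack"
    # NULL scan: sequence number zero and no control bits set.
    if seq == 0 and flags == 0:
        return "Probable TCP NULL scan"
    # XMAS scan: sequence number zero with FIN, URG and PUSH set.
    if seq == 0 and flags == FIN | PSH | URG:
        return "Probable TCP XMAS scan"
    # Assumption: a FIN scan is a segment carrying FIN and nothing else.
    if flags == FIN:
        return "Probable TCP FIN scan"
    return "no match"


if __name__ == "__main__":
    samples = {
        "null": build_packet("203.0.113.5", "192.0.2.10", 0, 0),
        "xmas": build_packet("203.0.113.5", "192.0.2.10", 0, FIN | PSH | URG),
        "fin": build_packet("203.0.113.5", "192.0.2.10", 12345, FIN),
        "land": build_packet("192.0.2.10", "192.0.2.10", 1, SYN),
        "normal": build_packet("203.0.113.5", "192.0.2.10", 7, SYN | ACK),
    }
    for name, pkt in samples.items():
        print(name, "->", classify(pkt))
```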

Events Logged as Blocked


If an event is configured as blocked, a log message records the event when access is attempted
from the SonicWALL. Blocked events include ActiveX, Java, Newsgroups, or Web sites.
Web site blocked - When an attempt is made by a user on the network to access a blocked Web
site, the computer IP address, Ethernet address, the name of the blocked Web site, and the
Content Filter code are displayed as the log message.
Newsgroup blocked - When an attempt is made by a user on the network to access a blocked
newsgroup, the computer IP address, Ethernet address, the name of the blocked newsgroup, and
the Content Filter code are displayed as the log message.
Web site accessed - When a Web site is accessed by a user on the network, the computer IP
address, Ethernet address, and the name of the Web site are displayed as the log message.
Newsgroup accessed - When a newsgroup is accessed by a user on the network, the computer IP
address, Ethernet address, and the name of the Web site are displayed as the log message.
ActiveX blocked - When ActiveX is blocked, the log message displays the source and destination
IP address of the attempted connection.

Java blocked - When Java is blocked, the log message displays the source and destination IP
address of the attempted connection.
ActiveX or Java archive blocked - When ActiveX and Java archives are blocked, the log message
displays the source and destination IP address of the attempted connection.
Cookie removed - When cookies are blocked, the log message displays the source and
destination IP address of the attempted connection.

Events Logged as Debug


When Network Debug is selected, events are logged on the SonicWALL to allow you to troubleshoot
problematic connections or security policies.
IPSec packet dropped; waiting for pending IPSec connection - Previous IPSec (ESP) connection
for pass-through is not complete. New IPSec connection cannot be started and the IPSec (ESP)
packet is dropped.
IPSec connection interrupt - The SonicWALL is not in an acceptable condition for IPSec
pass-through.
ARP timeout - The allowable time for a requested ARP response has expired.
Broadcast packet dropped - A nonallowed broadcast packet is dropped.
No ICMP redirect sent - A nonallowed packet was received that generated an ICMP redirect,
however, the source and destination are unknown. Therefore, no ICMP redirect was sent.
Out-of-order command packet dropped - While processing an FTP connection, an out of order
packet was detected and dropped.
Failure to add data channel - While processing an FTP connection, the SonicWALL was unable to
create a new connection cache entry. Possibly, there are no more available connections.
RealAudio decode failure - While processing a RealAudio stream, a decode failure occurred.
NAT translated packet exceeds size limit, packet dropped - While performing NAT, a packet was
larger than the allowable limit and was dropped.
IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. - An
IKE responder requires XAUTH, but it is not supported by the peer.
Source routed IP packet dropped - A packet with source route options was detected, but the IP
header was larger than the allowed size and was dropped.
DHCP DISCOVER received from local device - A local DHCP client on the SonicWALL network is
attempting to locate a DHCP server.
DHCP REQUEST received from local device - A local DHCP client on the SonicWALL is requesting a
DHCP lease.
Duplicate packet dropped - Two or more identical packets received. Any packets received after
the initial packet were dropped by the SonicWALL.

No HOST tag found in HTTP request - An HTTP request was received by the SonicWALL without
the required HOST tag. The request was ignored.
Received fragmented packet or fragmentation needed - A packet larger than the configured MTU
was received or a packet with a fragmented bit was received when fragmentation support is not
configured on the SonicWALL.
Log Debug - A state-specific log message used to assist SonicWALL technical support with
unusual issues experienced by customers.
VPN Log Debug - A state-specific log message used to assist SonicWALL technical support with
unusual issues experienced by customers.
Firewall access from LAN - The SonicWALL management interface was accessed from the LAN.
DHCP RELEASE received from remote device - A DHCP Client has released its DHCP lease.
Issuer match failed - The certificate issuer information does not match the SonicWALL certificate
information.
DHCP lease relayed to remote device - A DHCP lease was sent to a remote device from a local
device.
DHCP REQUEST received from remote device - A DHCP lease was requested from a remote
device.
DHCP DISCOVER received from remote device - A remote DHCP client is trying to locate a DHCP
server on the SonicWALL network.
DHCP DECLINE received from remote device - A remote DHCP client has refused the proposed
DHCP lease.
DHCP OFFER received from server - The DHCP server has offered a DHCP lease to a client.
DHCP NAK received from server - The DHCP server has denied the DHCP server’s lease request.
IPSec (ESP) packet dropped; waiting for pending IPSec connection - Previous IPSec (ESP)
connection for pass-through is not complete. New IPSec connection cannot be started and the IPSec
(ESP) packet is dropped.
IPSec (AH) packet dropped; waiting for pending IPSec connection - Previous IPSec (AH)
connection for pass-through is not complete. New IPSec connection cannot be started and the IPSec
(AH) packet is dropped.

Events Logged as System Errors
Events categorized as System Errors are logged by the SonicWALL. System errors can include
hardware failures, high availability issues, expired subscription notification, and diagnostic codes.
Problem sending log email; check log settings - When configured on the SonicWALL, log files from
the SonicWALL are e-mailed to the address configured on the Log Automation page. Check the
settings on your Log Automation page if you see this error message.
NAT could not remap incoming packet - The SonicWALL cannot remap an incoming packet to the
correct destination.
License exceeded: Connection dropped because too many IP addresses are in use on your LAN -
You have too many users on your network and not enough licenses to support them.
Diagnostic Code D - Error detected during software encryption or decryption of IPSec packets.
Primary missed heartbeats from Active Backup: Primary going Active - The Backup SonicWALL
became active when the Primary failed. Now the Backup is not sending heartbeats to the Primary
causing a failback to the Primary SonicWALL.
Primary received error signal from Active Backup: Primary going Active - The Backup SonicWALL is
in an error state causing it to send error signals to the Primary SonicWALL. The Primary takes over
as the main SonicWALL.
Backup firewall being preempted by Primary - The Primary firewall is taking over as the main
firewall.
Error setting the IP address of the backup, please manually set to backup LAN IP - The Primary
firewall encountered a problem trying to synchronize the LAN IP settings. You must manually
configure the LAN IP address on the Backup SonicWALL.
Content filter subscription expired. - Your content filter subscription is no longer valid. You must
renew it on http://www.mysonicwall.com.
Primary WAN link down, Backup going Active - For the TELE3 SP, the primary WAN link is down,
and the backup (modem) is going to be the primary WAN link.
Global VPN Client License Exceeded: Connection denied. - You do not have enough licenses for
the Global VPN Clients on your network. You can get more licenses at
http://www.mysonicwall.com
Global VPN Client connection is not allowed. Appliance is not registered. - You must register your
SonicWALL appliance at http://www.mysonicwall.com in order to use your Global VPN client.
Probing failure on %s - If probing is configured on the SonicWALL, probing has encountered a
problem causing it to fail.
%s Ethernet Port Down - The Ethernet port is not able to send data.
Illegal LAN address in use - An IP address outside of the configured scope is in use.
The cache is full; %d open connections; some will be dropped - The SonicWALL connection cache
is full and some connections will be dropped.

Diagnostic Code A - The Watchdog detected a suspended task.
Diagnostic Code C - The Watchdog detected low memory resources.
Diagnostic Code E - Failed to allocate memory for Encryption or Authentication keys.
Primary firewall has transitioned to Idle - The Backup SonicWALL is now the active firewall and the
Primary is now the Backup SonicWALL.
Backup missed heartbeats from Active Primary: Backup going Active - The Active Primary firewall
did not send heartbeats to the Backup, therefore the Backup is taking over as the Primary
Firewall.
Backup received error signal from Active Primary: Backup going Active - An error condition exists
on the Active Primary firewall and the Backup firewall is becoming the Primary firewall.
Primary firewall preempting Backup - The Primary firewall has become active again and is taking
over as the Primary firewall.
Backup going Active in preempt mode after reboot - After the SonicWALL is rebooted with HA
enabled, the Backup SonicWALL is configured to be active instead of the Primary SonicWALL.
Error updating HA peer configuration - Configuration changes could not be updated on the
Primary and Backup firewalls.
Backup WAN link down, Primary going Active - The modem connection on the TELE3 SP lost its
dial-up connection and the WAN connection is becoming the primary connection.
Failed to synchronize Relay IP Table
Blocked Quick Mode for Client using Default KeyId - The SonicWALL blocked Quick Mode
negotiation with the Global VPN Client using the default keyID.
The current WAN interface is not ready to route packets.
%s Ethernet Port Up - The Ethernet Port has returned to active status.
The network connection in use is %s - The network connection is the specified source.
Requesting CRL From - A VPN Certificate Revocation List was received from the specified location.
CRL Loaded From - A Certificate Revocation List was loaded from the specified location.
Failed to get CRL From - The SonicWALL was unable to retrieve a Certificate Revocation List.
Not Enough Memory to hold the CRL - The SonicWALL did not have enough RAM available when
retrieving the Certificate Revocation List.
Connection Timed Out - A connection cache entry timed out. Connection has been dropped.
Cant Connect to the CRL Server - The SonicWALL is unable to connect to the CRL server.
Unknown Reason - A state-specific log message used to assist Tech Support with diagnosing
unusual customer issues.
Failed to Process CRL From - The SonicWALL was unable to process a retrieved CRL from the
specified location.

Bad CRL Format - A CRL was received in an incorrect format.
Issuer Match Failed - A CRL list was received from an unauthorized provider.
Certificate on Revoked List - A VPN connection was attempted using an unauthorized certificate.
No Certificate for - A VPN connection was attempted using a non-existent certificate.

Events Logged as System Maintenance


Events relating to network connections such as PPPoE, PPTP, and L2TP as well as system start up
are logged as system maintenance entries.
SonicWALL activated - The SonicWALL is now up and actively managing your connection.
Starting PPPoE discovery - The SonicWALL is looking for the PPPoE connection.
PPPoE discovery process complete - The SonicWALL has located the PPPoE connection.
PPPoE starting PAP Authentication - The SonicWALL is beginning to authenticate with the
remote PPPoE connection using PAP (Password Authentication Protocol).
PPPoE PAP Authentication success - The SonicWALL has successfully authenticated to the
remote PPPoE connection.
PPPoE PAP Authentication Failed - The SonicWALL failed to authenticate to the remote
connection. Check your network settings.
PPPoE PAP Authentication Failed. Please verify PPPoE username and password. - The PPPoE
connection failed due to an incorrect username and password. Check the network settings on
the SonicWALL for the correct username and password.
PPPoE starting CHAP Authentication - The SonicWALL is attempting to authenticate to the
PPPoE connection using CHAP (Challenge Handshake Authentication Protocol).
PPPoE CHAP Authentication Failed - The PPPoE connection failed to authenticate using CHAP.
Disconnecting PPPoE due to traffic timeout - The PPPoE connection timed out because there
was not enough network traffic to keep it active.
PPPoE Network Connected - The PPPoE connection is successfully connected.
PPPoE Network Disconnected - The PPPoE connection is disconnected.
PPPoE LCP Link Up - LCP is used in conjunction with PAP or CHAP to establish the connection.
This link is up.
PPPoE LCP Link Down - LCP is used in conjunction with PAP or CHAP to establish the
connection. This link is down.
No response from ISP Disconnecting PPPoE. - The ISP did not respond to the connection
request. The negotiation is disconnected.
PPPoE terminated - The PPPoE connection is terminated.
L2TP Connect Initiated by the User - A request to connect to a L2TP server is initiated.

L2TP Session Negotiation Started - Negotiation for a L2TP session has started.
L2TP Tunnel Negotiation Started - Negotiation for a L2TP tunnel has started.
L2TP Tunnel Established - The SonicWALL has established a L2TP tunnel.
L2TP PPP Negotiation Started - The SonicWALL has begun PPP negotiation over the L2TP
connection.
L2TP PPP Authentication Failed - PPP Authentication failed. Check your L2TP settings.
L2TP Session Disconnect from Remote - The L2TP session has disconnected.
L2TP LCP Down - LCP is a protocol used as part of the authentication process. LCP is
unavailable.
L2TP LCP Up - LCP is a protocol used as part of the authentication process. LCP is available.
Disconnecting L2TP Tunnel due to traffic timeout. - The L2TP tunnel is disconnected due to
inactivity on the connection.
L2TP Disconnect Initiated by the User - Disconnection from the remote L2TP connection is
requested by a user.
L2TP Max Retransmission Exceeded - Retransmission of data has exceeded the maximum
allowed retransmissions.
L2TP PPP link down - The PPP link is down.
PPTP Connect Initiated by the User - A user has initiated a PPTP connection.
PPTP Control Connection Negotiation Started - Negotiation has been initiated for PPTP
Control Connection.
PPTP Control Connection Established - PPTP Control Connection has been successfully
established.
PPTP PPP Negotiation Started - The PPTP connection has begun PPP negotiations.
PPTP PPP Link Up - The PPP link is up.
PPTP PPP Link down - The PPP link is down.
PPTP PPP Up - PPP callback is up.
PPTP PPP Down - PPP callback is down.
PPTP PPP Session Up - The PPTP Session is up.
PPTP PPP Authentication Failed - PPP authentication has failed.
PPTP starting PAP Authentication - The SonicWALL is establishing a PPTP connection using
PAP for authentication.
PPTP PAP Authentication success. - PAP authentication is successful. Data can be sent via the
PPTP connection.

PPTP PAP Authentication Failed - PAP authentication failed. Check your SonicWALL network
settings.
PPTP PAP Authentication Failed. Please verify PPTP username and password - Check your
SonicWALL network settings to verify your username and password.
PPTP Max Retransmission Exceeded - Attempts to retransmit data have exceeded the number
of allowed retransmissions.
PPTP Tunnel Disconnect from Remote - The PPTP tunnel is disconnected from the remote
location.
PPTP Session Disconnect from Remote - The PPTP tunnel is disconnected from the remote
location.
PPTP LCP Down - LCP is a protocol used as part of the authentication process. LCP is
unavailable.
PPTP LCP Up - LCP is a protocol used as part of the authentication process. LCP is available.
PPTP starting CHAP Authentication - The PPTP connection is authenticating using CHAP.
PPTP CHAP Authentication Failed. Please verify PPTP username and password - The
authentication process failed. Check your network settings to verify that the information is correct.
PPTP PPP Link Finished - The PPTP PPP link is complete.
Disconnecting PPTP Tunnel due to traffic timeout - Due to inactivity on the connection, the
PPTP tunnel is disconnecting.
PPTP Session Negotiation Started - The SonicWALL is beginning to negotiate the PPTP
sessions.
PPTP Session Established - The PPTP session is established by the SonicWALL.
PPTP Disconnect Initiated by the User - A user has initiated a PPTP disconnect on the
SonicWALL.
HTTP management port has changed - The HTTP management port has changed. You must
remember the port number to log into the SonicWALL.
Adminstrator name changed - The administrator name has been changed on the SonicWALL.
You need to remember the name in order to log into the SonicWALL.
VPN disabled by administrator - VPN has been disabled on the SonicWALL. No VPN SAs are in
effect and disabling VPN interrupts any current VPN connections.
Log Cleared - The Log was cleared by clicking Clear Log on the Log View page.
Restarting SonicWALL; dumping log to email - The SonicWALL is restarting either at a user’s
request or after changing settings on the SonicWALL. The log file is e-mailed to the address
configured on the Log Automation page.
Access attempt from host without Anti-Virus agent installed - Anti-Virus is required to be
installed on all computers on the network if Anti-Virus is enabled on the SonicWALL.

VPN enabled by administrator - VPN is enabled by the administrator by selecting Enable VPN
on the VPN page.
Log successfully sent via email - When configured, the SonicWALL e-mails the log files to the
administrator.
HTTPS management port has changed - The HTTPS management port was changed. You
must remember the port number when attempting to manage the SonicWALL using HTTPS.
SonicWALL initializing - The SonicWALL is restarting after uploading new firmware or resetting
the appliance.
Anti-Virus agent out-of-date on host - The Anti-Virus agent has not been updated. Update the
agent for the latest virus information.

Events Logged as User Activity


Log events generated as User Activity include user login success and failure, administrator login
success and failure, XAUTH success and failure, Access Rules added and deleted, remote user login
success and failure, logout activity, modem events for the TELE3 SP, IKE events, and IPSec events.
Successful local user login - A user in the local database logged into the SonicWALL
successfully.
Unknown user attempted to log in - A user not configured on the SonicWALL attempted to log
into the SonicWALL.
Login screen timed out - The login screen with the username and password fields timed out.
Successful administrator login - An administrator successfully logged into the SonicWALL.
User login failed - RADIUS authentication failure - A user configured for RADIUS Authentication
failed to log into the SonicWALL.
User login failed - RADIUS configuration error - A user configured for RADIUS Authentication is
improperly configured on the SonicWALL.
Administrator logged out - A SonicWALL Administrator logged out of the SonicWALL.
User logged out - A user has logged out of the SonicWALL.
User logged out - inactivity timer expired - A user was logged out when the connection did not
detect data transmission.
Locked out user re-enabled by admin - A user attempted to log onto the SonicWALL but was
locked out when authentication failed. The administrator has re-enabled the user’s account.
User login failed - incorrect password - A user attempted to log into the SonicWALL using the
wrong password.
Administrator login failed - incorrect password from the CLI - An administrator failed to log into
the SonicWALL using the incorrect password over the CLI port.
Successful remote user login - A remote user successfully logged into the SonicWALL.

User login failed - RADIUS server timeout - A user could not log in because the RADIUS server
timed out.
User login failed - User has no privileges for login from that location - The user does not have
privileges to log in from a specified location.
Administrator logged out - inactivity timer expired - The SonicWALL did not detect any activity
for the specified time period and logged the Administrator out of the SonicWALL.
User logged out - max session time exceeded - A user was logged out after exceeding the
specified session time established for the user.
Locked out user re-enabled - lockout period expired - A user attempted to log into the SonicWALL
and failed, resulting in the user becoming locked out of the SonicWALL. The time period for the
lockout has expired.
Administrator logged out from the CLI - The SonicWALL administrator logged out from the
SonicWALL while using the CLI interface.
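
One way to turn the login and maintenance events listed in this guide into alerts when reviewing an exported log. This is an added example, not part of the SonicWALL guide or firmware: the tab-separated line layout (timestamp, message, source, destination), the source address on "Log Cleared", the threshold and window values, and the sample lines themselves are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event messages taken from this guide.
FAILURES = {
    "Administrator login Failure - incorrect password",
    "Administrator login failed - incorrect password from the CLI",
    "User login failed - incorrect password",
    "Unknown user attempted to log in",
}
SUCCESSES = {
    "Successful administrator login",
    "Successful local user login",
    "Successful remote user login",
}
LOCKOUT = "User login failure rate exceeded - source address locked out"

# Constructed sample lines in the assumed export format.
SAMPLE_LOG = ["\t".join(fields) for fields in [
    ("04/01/2003 10:00:01", "Administrator login Failure - incorrect password", "198.51.100.7", "192.168.168.168"),
    ("04/01/2003 10:00:09", "Administrator login Failure - incorrect password", "198.51.100.7", "192.168.168.168"),
    ("04/01/2003 10:00:15", "User login failed - incorrect password", "192.168.168.50", "192.168.168.168"),
    ("04/01/2003 10:00:20", "Administrator login Failure - incorrect password", "198.51.100.7", "192.168.168.168"),
    ("04/01/2003 10:00:41", "Successful administrator login", "198.51.100.7", "192.168.168.168"),
    ("04/01/2003 10:01:30", "Log Cleared", "198.51.100.7", "192.168.168.168"),
    ("04/01/2003 10:20:00", "Successful local user login", "192.168.168.50", "192.168.168.168"),
    ("04/01/2003 10:25:00", LOCKOUT, "203.0.113.9", "192.168.168.168"),
]]


def parse(line):
    """Split one assumed-format line into (datetime, message, source, destination)."""
    stamp, message, source, destination = line.rstrip("\n").split("\t")
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"), message, source, destination


def triage(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (time, source, finding) tuples for login activity worth reviewing."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    findings = []
    for line in lines:
        when, message, source, _ = parse(line)
        failures = recent[source]
        while failures and when - failures[0] > window:
            failures.popleft()    # forget failures that fell outside the window
        if message in FAILURES:
            failures.append(when)
            if len(failures) == threshold:
                findings.append((when, source, "repeated login failures"))
        elif message in SUCCESSES and len(failures) >= threshold:
            # A success right after a burst of failures may be a guessed password.
            findings.append((when, source, "login success after repeated failures"))
            failures.clear()
        elif message == "Log Cleared":
            findings.append((when, source, "log cleared"))
        elif message == LOCKOUT:
            findings.append((when, source, "source locked out by appliance"))
    return findings


if __name__ == "__main__":
    for when, source, finding in triage(SAMPLE_LOG):
        print(when.isoformat(sep=" "), source, finding)
```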

VPN/IKE Log Events


Dynamic IPSec client connected - A VPN client has connected to the SonicWALL.
Incompatible IPSec Security Association - VPN SAs do not match each other.
IKE Responder: IPSec proposal does not match (Phase 2) - The initiating SonicWALL sent an
IPSec proposal that does not match the responding SonicWALL during Phase 2 negotiations.
Starting IKE negotiation - The SonicWALL is beginning IKE negotiation by matching encryption,
hash, and authentication algorithms, as well as Diffie-Hellman keys and the Security Protocol.
IKE Responder: No matching Phase 1 ID found for proposed remote network - Phase 1 of the
IKE negotiation failed because the information did not match on the responding SonicWALL’s
network.
IKE Responder: No match for proposed remote network address - The information entered in
the initiating SonicWALL’s destination network field did not match the responding network
information.
IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT
public address - The VPN tunnel is configured to terminate outside the responding firewall but the
IP address for the local network is not the public IP address.
IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN - The Security
Association is configured to terminate on the responding DMZ but the IP address is a LAN IP
address.
IKE Responder: AH Perfect Forward Secrecy mismatch - Perfect Forward Secrecy is configured
but the authentication does not match on the responding SonicWALL.
IKE Responder: Algorithms and/or keys do not match - The responding SonicWALL does not
have matching algorithms or keys. Check the configuration on both appliances.

IKE Initiator: Start Quick Mode (Phase 2). - The initiating SonicWALL is beginning the second
phase of Quick Mode negotiation. Quick Mode is used in SAs configured using AH or ESP.
IKE SA lifetime expired. - The Security Association has expired because it has exceeded the
configured lifetime.
IKE Responder: Received Quick Mode Request (Phase 2) - The responding SonicWALL has
received a request from the first SonicWALL to begin Phase 2 of Quick Mode negotiation.
IKE Initiator: Aggressive Mode complete (Phase 1) - The initiating SonicWALL has completed
Phase 1 of an Aggressive Mode negotiation.
IKE Responder: Received Aggressive Mode request (Phase 1) - The responding SonicWALL has
received a request from the initiating SonicWALL to begin Aggressive Mode (Phase 1)
negotiations.
IKE Initiator: Start Aggressive Mode negotiation (Phase 1) - The initiating SonicWALL is
beginning Aggressive Mode Negotiation (Phase 1).
IKE Responder: Aggressive Mode complete (Phase 1) - The responding SonicWALL has
completed Aggressive Mode (Phase 1) negotiations.
IKE Responder: IKE proposal does not match (Phase 1) - The responding SonicWALL does not
have a matching IKE proposal from the initiating SonicWALL.
IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway - The
initiating SonicWALL has proposed a local network but the SA has no IP address in the Default
LAN Gateway field.
Failed payload verification after decryption - The payload in the Authentication header failed
verification after it was decrypted.
SA is disabled. Check VPN SA settings - The VPN SA was disabled by the administrator.
Computed hash does not match hash received from peer - The hash algorithm for the SA does
not match the peer hash algorithm. Check the configuration on each SonicWALL.
Received IPSEC SA delete request - The SonicWALL has received a request to delete an IPSec
Security Association.
Received notify: INVALID_COOKIES - The SonicWALL has received notification of invalid
cookies.
Received notify: INVALID_SPI - The SPI is invalid on the SonicWALL. The VPN tunnel is not
connected.
VPN Cleanup: Dynamic network settings change - The network settings have changed and the
SonicWALL is cleaning up the network information.
Illegal IPSec SPI - The SPI is not authorized for connecting the VPN tunnel.
IKE Responder: Accepting IPSec proposal (Phase 2) - The responding SonicWALL is accepting
the initiating SonicWALL IPSec proposal.

IKE negotiation complete. Adding IPSec SA. (Phase 2) - The initiating and responding
SonicWALL appliances have successfully negotiated the VPN SA.
IKE Responder: Mode %d - not tunnel mode - The responding SonicWALL is not in tunnel
mode.
IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route - The
negotiating SonicWALL has proposed a network IP address but not the DHCP relay or default
route IP address.
IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a
default route - The responding SonicWALL has determined that the initiating SonicWALL was
not configured to use the SA as the default route for Internet traffic.
IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside
firewall - The initiating SonicWALL is proposing a remote IP address that is not on the local
network inside the remote firewall.
IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ - The
initiating SonicWALL is configured to terminate the VPN tunnel on the remote LAN but the IP
address is on the remote DMZ.
IKE Responder: ESP Perfect Forward Secrecy mismatch - The responding SonicWALL has a
different authentication configured so the authentication doesn’t match the initiating
SonicWALL.
IKE Initiator: Start Main Mode negotiation (Phase 1) - The initiating SonicWALL is starting
Phase 1 of Main Mode negotiation and sending a request to the remote SonicWALL.
IKE Initiator: Main Mode complete (Phase 1) - Phase 1 Main Mode has successfully completed
negotiations on the initiating SonicWALL.
IKE Responder: Received Main Mode request (Phase 1) - The responding SonicWALL has
received a request from the initiating SonicWALL to begin Phase 1 Main Mode negotiations.
IKE Responder: Main Mode complete (Phase 1) - The responding SonicWALL has completed
Phase 1 Main Mode negotiations.
IKE Initiator: Accepting IPSec proposal (Phase 2) - The initiating SonicWALL is in the process of
accepting Phase 2 IPSec proposal.
IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN - The initiating SonicWALL has received
a notification from the responding SonicWALL that no proposal was chosen. Check the SA
configuration on the initiating SonicWALL.
IKE negotiation aborted due to timeout - The SonicWALL could not complete the IKE
negotiation because the connection timed out.
Failed payload verification after decryption. Possible preshared key mismatch - The Preshared
Secret does not match and the SonicWALL cannot properly decrypt the packet.
Received packet retransmission. Drop duplicate packet - The SonicWALL received two
identical packets and dropped one of them.

Received notify: ISAKMP_AUTH_FAILED - The SonicWALL could not authenticate and the VPN
tunnel is not established.
Received notify: PAYLOAD_MALFORMED - The payload packet was malformed and could not be
decrypted.
Received IKE SA delete request - The responding SonicWALL received a Phase 1 delete
request from the initiating SonicWALL.
Received notify: RESPONDER_LIFETIME - The initiating SonicWALL received notification that
the responding SonicWALL is using a lifetime different from the lifetime on the initiating
SonicWALL.
IKE Initiator: Accepting peer lifetime. (Phase 1) - The initiating SonicWALL is accepting the SA
lifetime configured on the responding SonicWALL.
Received notify: INVALID_ID_INFO - The SonicWALL received notification that its Phase 1 ID is
not correct.
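
The VPN/IKE messages above can be triaged mechanically. The following is an added example, not SonicWALL code: it reads exported log lines, records the last phase named in a message for each peer pair, attaches that phase to failure messages that do not name one, and lists peer pairs with repeated authentication-type failures. The tab-separated line layout, the hint strings, the threshold and the sample lines are assumptions constructed for this example; the message strings are the ones listed in this section.

```python
import re
from collections import defaultdict

# Failure messages from the VPN/IKE section above; hints summarise the guide's text.
PSK = "Failed payload verification after decryption. Possible preshared key mismatch"
AUTH = "Received notify: ISAKMP_AUTH_FAILED"
FAILURES = {
    "IKE Responder: IKE proposal does not match (Phase 1)": "IKE proposal",
    "IKE Responder: IPSec proposal does not match (Phase 2)": "IPSec proposal",
    "IKE Responder: No match for proposed remote network address": "destination network",
    "IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN": "SA configuration on initiator",
    "IKE negotiation aborted due to timeout": "connection to the peer",
    PSK: "Preshared Secret",
    AUTH: "authentication settings",
}
PHASE = re.compile(r"\(Phase ([12])\)")

def triage(lines, auth_threshold=3):
    """Return (findings, peer pairs with repeated authentication failures)."""
    last_phase = {}                 # peer pair -> last phase named in a message
    auth_fail = defaultdict(int)    # peer pair -> count of PSK/AUTH failures
    findings = []
    for line in lines:
        # Assumed layout: timestamp, message, source IP, destination IP (tab-separated).
        ts, msg, src, dst = line.rstrip("\n").split("\t")
        pair = tuple(sorted((src, dst)))
        m = PHASE.search(msg)
        if m:
            last_phase[pair] = int(m.group(1))
        if msg in FAILURES:
            # Messages without "(Phase N)" inherit the last phase seen for the pair.
            findings.append((ts, pair, last_phase.get(pair), msg, FAILURES[msg]))
            if msg in (PSK, AUTH):
                auth_fail[pair] += 1
    repeated = sorted(p for p, n in auth_fail.items() if n >= auth_threshold)
    return findings, repeated

def row(ts, msg, src, dst="192.0.2.1"):   # helper for the constructed sample
    return "\t".join((ts, msg, src, dst))

SAMPLE = [  # constructed log lines, documentation-range addresses
    row("10:00:01", "IKE Responder: Received Main Mode request (Phase 1)", "203.0.113.7"),
    row("10:00:02", PSK, "203.0.113.7"),
    row("10:00:12", PSK, "203.0.113.7"),
    row("10:00:22", PSK, "203.0.113.7"),
    row("10:05:01", "IKE Responder: Main Mode complete (Phase 1)", "198.51.100.9"),
    row("10:05:02", "IKE Responder: Received Quick Mode Request (Phase 2)", "198.51.100.9"),
    row("10:05:03", "IKE Responder: No match for proposed remote network address", "198.51.100.9"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE)[0]:
        print(finding)
```

Messages are matched exactly, so a log export that appends extra text to the message field needs that text stripped first.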

Modem Log Events


PPP Dial-Up: Dialing: %s - The TELE3 SP is dialing the telephone number configured in its
dial-up profile.
PPP Dial-Up: No link carrier detected - check phone number - The SP could not connect
because no phone carrier was detected.
PPP Dial-Up: Dialed number did not answer - The dialed number did not answer.
PPP Dial-Up: Link carrier lost - The SP lost the connection to the phone carrier.
PPP: PAP Authentication failed - check username/password - Authentication with the dial-up
ISP failed due to incorrect username and/or password. Check your dial-up profile.
PPP: MS-CHAP authentication failed - check username/password - Authentication with the
dial-up ISP failed due to incorrect username and/or password. Check your dial-up profile.
PPP: Starting CHAP authentication - The authentication process with the dial-up ISP is
beginning.
PPP Dial-Up: PPP negotiation failed - disconnecting - The SP failed PPP negotiation with the
dial-up ISP and is disconnecting from the ISP.
PPP Dial-Up: Failed to get IP address - The SP could not obtain an IP address from the dial-up
ISP.
PPP Dial-Up: PPP link established - The SP has established a PPP link with the dial-up ISP.
PPP Dial-Up: Shutting down link - The phone connection is shutting down.
PPP Dial-Up: User requested disconnect - A request to disconnect from the dial-up ISP has
been made by a user.
PPP Dial-Up: Connect request canceled - A manual connection request is canceled.

PPP Dial-Up: Trying to failover but Primary Profile is manual - The SP is attempting to failover
from the WAN port to the modem, but the Primary Dial-up profile is configured for manual
dialing.
PPP Dial-Up: No dialtone detected - check phone-line connection - The SP did not detect a
dialtone when trying to dial the ISP using the modem.
PPP Dial-Up: Dialed number is busy - The phone number configured in the dial-up profile is
busy.
PPP Dial-Up: Connected at %s bps - starting PPP - The modem has successfully dialed the ISP
and connected to it. The SP is now beginning PPP negotiations.
PPP: Authentication successful - The SP successfully authenticated with the dial-up ISP. Data
can now be transmitted using this connection.
PPP: CHAP authentication failed - check username/password - The SP could not authenticate
to the dial-up ISP with the configured username and/or password. Check the dial-up profile
information.
PPP: Starting MS-CHAP authentication - The SP is beginning authentication with the dial-up
ISP.
PPP: Starting PAP authentication - The SP is beginning authentication with the dial-up ISP.
PPP Dial-Up: Idle time limit exceeded - disconnecting - No data has been transmitted for a
specified period of time, therefore, the SP is disconnecting from the ISP.
PPP Dial-Up: Received new IP address - The SP received a new IP address from the dial-up ISP.
PPP Dial-Up: PPP link down - The PPP link is down and the SP cannot connect to the ISP.
PPP Dial-Up: Initialization : %s - The modem is initializing.
PPP Dial-Up: User requested connect - A user on the SP has requested a connection via the
modem.
PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details -
Configuration of the dial-up profile may be incorrect. Check the profile and verify the information.
PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic - The SP is not
connected to the WAN with an Ethernet cable. The SP will dial the ISP when outbound data is
detected.

Other User Activity Log Events


XAUTH Succeeded with VPN client - The VPN Client successfully authenticated using XAUTH.
XAUTH Failed with VPN client, Cannot Contact RADIUS Server - The VPN SA is configured to
require XAUTH using a RADIUS server, however, it cannot contact the RADIUS server. Verify
your RADIUS settings.
Received a path MTU icmp message from router/gateway - The SonicWALL received a routing
message from a router and/or gateway on the network.

NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is
enabled and the local SonicWALL discovered a NAT/NAPT device in front of the remote
SonicWALL.
NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways - NAT
Traversal is enabled on the SonicWALL and did not detect a NAT/NAPT device on a VPN tunnel
between two SonicWALL appliances.
Access Rule added - An Access Rule was added to the SonicWALL. The type of rule is described
in the Notes section of the View Log page.
Access Rule deleted - An Access Rule was deleted from the SonicWALL. The type of rule is
described in the Notes section of the View Log page.
PPPoE user name changed by Administrator - The PPPoE user name was changed by the
Administrator.
Web access request received - The SonicWALL received a Web access request from the LAN.
XAUTH Failed with VPN client, Authentication failure - A remote user using VPN Client to access
the SonicWALL did not authenticate using XAUTH.
VPN Client Policy Provisioning - A VPN Client has received its VPN SA configuration from the
SonicWALL.
NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is
enabled and has detected a NAT/NAPT device between the SonicWALL and the WAN.
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal - NAT Traversal
is enabled on the SonicWALL, but it is trying to connect to a VPN Gateway that doesn’t support
NAT Traversal.
Access Rule modified - An Access Rule has been modified on the SonicWALL. The type of rule
is described in the Notes section of the View Log page.
Access Rules restored to defaults - The SonicWALL has restored the default rule set.

Events Logged as VPN Statistics


Three events are categorized as a VPN statistic: VPN TCP SYN, VPN TCP FIN, and VPN TCP PSH.

Wireless Log Events
For the SOHO TZW, 802.11b authentication and association messages are recorded as Log Events.
802.11b Management >Disassociated - Reason: A wireless client has disassociated from the
SOHO TZW.
802.11b Management >Association Failed - Reason: The TZW has reached the maximum
associated wireless clients.
802.11b Management >Associated - Reason : A wireless client is associated on the TZW.
802.11b Management >Association Failed - Reason: The wireless client attempted to use an
unsupported authentication algorithm.
802.11b Management > ACL Check Passed - Reason: The wireless client passed MAC ACL
check.
802.11b Management > ACL Check Failed - Reason: The wireless client failed MAC ACL check.
802.11b Management > Authentication Failed - Reason: Wireless client authentication failed
because client authentication packet sequence is out of order.
802.11b Management > Authentication Failed - Reason: A wireless client attempted to
authenticate using Open System WEP encryption which is not allowed on the TZW.
802.11b Management > Authentication Failed - Reason: A wireless client attempted to
authenticate using an unknown algorithm.
802.11b Management > Deauthenticated - An authenticated user has logged out of the TZW.

SonicWALL,Inc.
1143 Borregas Avenue T: 408.745.9600 www.sonicwall.com
Sunnyvale,CA 94089-1306 F: 408.745.9300

© 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.

P/N 232-000393-00
Rev A 06/03
