Log Messages

This section presents many common log messages that can be found in the firewall log.

Many log messages contain IP addresses, usernames and other parameters that change from one occurrence to the next. In this listing, such information is shown in angle brackets. The listed log message "<Username> logged on" means that the real message in your log will look like "admin logged on" or "Charlie logged on"; that is, <Username> is replaced by a username on your system.

SIP errors

These log messages can appear when the SIP errors box has been checked on the Display Log page.

SIP send failure -1 on socket -1 <event number>

Something went wrong when the firewall tried to send a SIP packet to another SIP device. Maybe there was no TLS connection (if TLS should be used), or the device is known not to reply, or the firewall has no network connection at all on the interface facing the other device. The event number is an internal parameter to keep track of different SIP events.

Destination <IP address>:<port> is known bad. Skipping.

The SIP device on <IP address> has been blacklisted by the firewall. This happens when the other SIP device has sent an ICMP type 3 packet in response to a SIP packet, or when the other SIP device has not responded at all to previous SIP signaling. For the latter event, you can avoid the blacklisting by setting the SIP blacklist interval on the Sessions and Media page to 0.

Parse error at '<character>' in message from <IP address>, at line: <SIP line>

Something on the indicated line of the SIP message does not comply with the SIP standard, or is otherwise not recognized by the firewall as valid SIP syntax.

No answer from destination <IP address>:<port>

The firewall sent a SIP packet to the IP address, but the device did not respond before the message timed out. If this was a message to a SIP domain, the firewall will try the next server handling this domain.

sipfw: SIP <response code> response from <IP address> rejected, no state

Something in the received SIP response was unexpected. It could be a very late response to a SIP request, a message where the topmost Via header does not indicate the firewall, or something else that does not in itself make the packet invalid SIP but does not match what has happened in the firewall.

Starting SIP TCP server at port 5060

This message is shown when the SIP module is started. This can happen when you apply settings where the SIP module has just been activated, when you boot the firewall, or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall is now ready to receive SIP signaling over TCP.

Starting SIP UDP server at port 5060

This message is shown when the SIP module is started. This can happen when you apply settings where the SIP module has just been activated, when you boot the firewall, or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall is now ready to receive SIP signaling over UDP.

Stopped SIP TCP server

This message is shown when the SIP module is stopped. This can happen when you apply settings where the SIP module has just been deactivated, when you boot the firewall, or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall can no longer receive SIP signaling over TCP.

Stopped SIP UDP server

This message is shown when the SIP module is stopped. This can happen when you apply settings where the SIP module has just been deactivated, when you boot the firewall, or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall can no longer receive SIP signaling over UDP.

IPsec key negotiations

These log messages can appear when the IPsec key negotiations box has been checked on the Display Log page.

IPsec: "<peer name>-<tunnel number>" #<event number>: ignoring informational payload, type <payload type>

The IPsec peer <peer name> sent a message during negotiation which the firewall ignores, because it can't use it. The payload type (like IPSEC_RESPONDER_LIFETIME) gives you a hint about what the matter is. The event number is a counter for how many negotiation attempts have been performed for this peer.

IPsec: "<peer name>-<tunnel number>" <IP address> #<event number>: Issuer CRL not found

The firewall has no Certificate Revocation List (CRL) for the CA of the peer's certificate. This is not an error, but is perfectly normal. You only need a Certificate Revocation List when you want to make some certificates invalid.

Configuration server logins

These log messages can appear when the Configuration server logins box has been checked on the Display Log page.

<Username> [<IP address>] (<privileges>) logged on to the configuration server using local password

The user <Username> logged on to the web user interface. You can also see the IP address the user came from and which privileges this user has in the web interface.

<Username> [<IP address>] (<privileges>) was logged out from the configuration server due to inactivity

The user <Username> has not saved any configuration, changed page in the web interface or made any other changes for the last ten minutes. The next time this user tries to do anything in the web interface, he will be prompted for his password again.
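
The angle-bracket notation used throughout this listing maps directly onto field-extracting patterns. The following Python sketch is an added example, not vendor code: it compiles a few of the listed templates into regexes and classifies message bodies. The field shapes, the sample messages (including the privileges value) and the premise that any timestamp or prefix has already been stripped from each line are assumptions.

```python
import re

# Message templates copied from this page; <...> marks a variable field.
TEMPLATES = {
    "sip_known_bad": "Destination <IP address>:<port> is known bad. Skipping.",
    "sip_no_state": "sipfw: SIP <response code> response from <IP address> rejected, no state",
    "config_login": "<Username> [<IP address>] (<privileges>) logged on to the "
                    "configuration server using local password",
}
# Assumed field shapes; any other field falls back to a lazy wildcard.
FIELD_PATTERNS = {"ip_address": r"[0-9A-Fa-f:.]+", "port": r"\d{1,5}", "response_code": r"\d{3}"}

def compile_template(template):
    """Build a regex with one named group per <field> in a listing entry."""
    out, pos = [], 0
    for m in re.finditer(r"<([^<>]+)>", template):
        name = re.sub(r"\W+", "_", m.group(1).strip()).lower()
        out.append(re.escape(template[pos:m.start()]))
        out.append(f"(?P<{name}>{FIELD_PATTERNS.get(name, '.+?')})")
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile("".join(out))

COMPILED = {kind: compile_template(t) for kind, t in TEMPLATES.items()}

def classify(message):
    """Return (kind, fields) for a message body, or None if no template fits."""
    for kind, rx in COMPILED.items():
        if m := rx.fullmatch(message.strip()):
            return kind, m.groupdict()
    return None

def summarize(messages):
    """Count message kinds and list (username, source IP) for each login."""
    kinds, logins = {}, []
    for msg in messages:
        kind, fields = classify(msg) or ("unrecognized", {})
        kinds[kind] = kinds.get(kind, 0) + 1
        if kind == "config_login":
            logins.append((fields["username"], fields["ip_address"]))
    return kinds, logins

# Constructed sample message bodies (documentation addresses), not real log output.
SAMPLE = [
    "admin [192.0.2.10] (Full access) logged on to the configuration server using local password",
    "Destination 198.51.100.7:5060 is known bad. Skipping.",
    "sipfw: SIP 200 response from 198.51.100.7 rejected, no state",
    "Starting SIP UDP server at port 5060",
]
```

Messages with no entry in TEMPLATES, such as the "Starting SIP UDP server" line in the sample, are counted as unrecognized rather than dropped, so gaps in template coverage stay visible.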