iSeries and AS/400 Technical Support

IBM Software Technical Document
__________________________________________________________________
Document Information
__________________________________________________________________

Document Title
ICAxxxxx Error Messages Logged by the Firewall

Document Description
Firewall Error Messages

This document contains a list of firewall error messages, an explanation of their meaning, and how you should respond to each one. This will help you to resolve error messages that appear on your screen.

ICA0A01i

Archival and deletion of log files started.

Explanation: All log files older than one day will be archived; all log files older than the configured deletion value will be deleted.


ICA0A02a

Configuration for log archiving is not valid.

Explanation: The value that specifies the number of days after which log files should be archived is not valid. This is either the result of tampering or a software problem.

User Response: Update the firewall configuration to specify a valid value.


ICA0A03e

Log archiving failed.

Explanation: An error occurred during log file archiving. The log file was not archived.

User Response: Ensure that the QFIREWALL profile has the appropriate authority to create files in the /QIBM/UserData/Firewall/Logs directory. If the problem persists, contact your service representative.


ICA0A04a

Configuration for log deletion is not valid.

Explanation: The value that specifies the number of days after which log files should be deleted is not valid. This is either the result of tampering or a software problem.

User Response: Update the firewall configuration to specify a valid value.


ICA0A05e

Deletion of log file failed.

Explanation: An error occurred during log file deletion. The log file was not deleted.

User Response: Attempt to delete the log file using the administration interface. If the file cannot be deleted, or if the problem persists, contact your service representative.


ICA1004i

Filter logging started. Level: %version%.%release%

Explanation: IP packet logging has been started.


ICA1005e

%failed message count% packet filter message(s) not logged due to buffer overflow.

Explanation: The IP packet filter log buffer has overflowed.

User Response: Check the log. Your firewall may be under a denial-of-service attack or you may be logging messages which are not required. For example, broadcast messages should have a deny rule with log control set to no (l=n) to prevent filling up the log.


ICA1012a

Packet filter device driver not loaded.

Explanation: The IP packet filter device driver is not loaded.

User Response: Contact your service representative.


ICA1015a

Packet filter logging failed: %errno%.

Explanation: During startup of IP packet filter logging, the indicated system error was encountered.

User Response: Contact your service representative.


ICA1016i

Cannot get current deferred log queue.

Explanation: Additional information associated with the immediately preceding log message.


ICA1017a

Error on packet filter logging startup.

Explanation: During startup of IP packet filter logging, a system error was encountered.

User Response: Contact your service representative.


ICA1019a

Unexpected error exit in packet filter logging with return code %system return code%.

Explanation: During startup of IP packet filter logging, the indicated system error was encountered.

User Response: Contact your service representative.


ICA1032i

Packet filter started or restarted.

Explanation: IP packet filtering has been started or restarted.


ICA1033i

Packet filter started. Level: %version%.%release%

Explanation: IP packet filter support has been started.


ICA1034i

Packet filter using default rules.

Explanation: IP packet filtering is now using the default filter rules rather than the user-defined filter rules. These rules do not allow any packets into or out of the firewall.


ICA1035i

Status of packet logging changed.

Explanation: Status of IP packet logging may have changed.


ICA1038i

Permitted packet out. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% Source port: %source port% Destination Port: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed outbound IP packet was permitted by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the port information appears for the header packet but is shown as zero for packets other than the header packet.


ICA1039i

Permitted packet in. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% Source port: %source port% Destination Port: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed inbound IP packet was permitted by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the port information appears for the header packet but is shown as zero for packets other than the header packet.


ICA1040w

Denied packet out. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% Source port: %source port% Destination Port: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed outbound IP packet was denied by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the port information appears for the header packet but is shown as zero for packets other than the header packet.

User Response: If this packet should be allowed, update the filter rules. If not, you may wish to investigate further the source of this packet.


ICA1041w

Denied packet in. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% Source port: %source port% Destination Port: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed inbound IP packet was denied by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the port information appears for the header packet but is shown as zero for packets other than the header packet.

User Response: If this packet should be allowed, update the filter rules. If not, you may wish to investigate further the source of this packet.


ICA1042i

Permitted packet out. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% ICMP type: %source port% ICMP code: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed outbound IP packet was permitted by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the ICMP type/code information appears for the header packet but is shown as zero for packets other than the header packet.


ICA1043i

Permitted packet in. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% ICMP type: %source port% ICMP code: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed inbound IP packet was permitted by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the ICMP type/code information appears for the header packet but is shown as zero for packets other than the header packet.


ICA1044w

Denied packet out. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% ICMP type: %source port% ICMP code: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed outbound IP packet was denied by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the ICMP type/code information appears for the header packet but is shown as zero for packets other than the header packet.

User Response: If this packet should be allowed, update the filter rules. If not, you may wish to investigate further the source of this packet.


ICA1045w

Denied packet in. Rule: %rule number% Source addr: %source address% Destination addr: %destination address% Protocol: %protocol% ICMP type: %source port% ICMP code: %destination port% Routing: %routing% Interface: %interface% Adapter: %adapter address% Fragment: %fragment flag% VPN: %VPN number% Encryption: %encryption% Size: %packet size%.

Explanation: Log record indicating a processed inbound IP packet was denied by a filter rule it matched. For this record to be written, the matched filter rule must have log control set to yes. If the IP packet which matched this rule is a fragment, the ICMP type/code information appears for the header packet but is shown as zero for packets other than the header packet.

User Response: If this packet should be allowed, update the filter rules. If not, you may wish to investigate further the source of this packet.
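
The packet filter records ICA1038i through ICA1045w share one labelled layout, so a single parser can feed the investigation that the User Response above calls for. The following is an added example, not IBM code: the sample lines, their field values and the "y"/"n" form of the fragment flag are constructed assumptions, and it applies the page's caveat that fragments other than the header packet log their port or ICMP type/code values as zero.

```python
import re
from collections import Counter

# IDs and meanings come from the message list above: (action, direction, detail kind).
PACKET_RECORDS = {
    "ICA1038i": ("permit", "out", "ports"), "ICA1039i": ("permit", "in", "ports"),
    "ICA1040w": ("deny", "out", "ports"),   "ICA1041w": ("deny", "in", "ports"),
    "ICA1042i": ("permit", "out", "icmp"),  "ICA1043i": ("permit", "in", "icmp"),
    "ICA1044w": ("deny", "out", "icmp"),    "ICA1045w": ("deny", "in", "icmp"),
}
DETAIL_LABELS = {"ports": ("Source port", "Destination Port"),
                 "icmp": ("ICMP type", "ICMP code")}
LABELS = ["Rule", "Source addr", "Destination addr", "Protocol", "Source port",
          "Destination Port", "ICMP type", "ICMP code", "Routing", "Interface",
          "Adapter", "Fragment", "VPN", "Encryption", "Size"]

MSG_ID = re.compile(r"\bICA[0-9A-F]{4}[iwea]\b")
FIELD = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):\s*")


def parse_record(line):
    """Return a dict for a packet filter record, None for any other line.

    Raises ValueError when a packet filter record is missing expected fields.
    """
    m = MSG_ID.search(line)
    if m is None or m.group(0) not in PACKET_RECORDS:
        return None
    action, direction, kind = PACKET_RECORDS[m.group(0)]
    # re.split with one capture group yields [preamble, label, value, label, value, ...]
    parts = FIELD.split(line[m.end():].strip().rstrip("."))
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    first, second = DETAIL_LABELS[kind]
    needed = ("Rule", "Source addr", "Destination addr", "Protocol", "Fragment",
              first, second)
    missing = [name for name in needed if not fields.get(name)]
    if missing:
        raise ValueError(f"{m.group(0)} record missing {missing}")
    # Assumption: the fragment flag is logged as "y"/"n"; the page does not give its values.
    fragment = fields["Fragment"].lower().startswith("y")
    # Per the page, fragments other than the header packet log these two values as zero,
    # so zero/zero on a fragment means "not available", not port 0 or ICMP type 0.
    detail_known = not (fragment and fields[first] == "0" and fields[second] == "0")
    return {"id": m.group(0), "action": action, "direction": direction, "kind": kind,
            "rule": fields["Rule"], "src": fields["Source addr"],
            "dst": fields["Destination addr"], "protocol": fields["Protocol"],
            "detail": (fields[first], fields[second]) if detail_known else None,
            "fragment": fragment}


def summarize_denied(lines):
    """Count denied packets per source, and denied inbound (destination, port) targets."""
    summary = {"denied_in_by_source": Counter(), "denied_out_by_source": Counter(),
               "denied_in_targets": Counter(), "detail_unavailable": 0, "malformed": 0}
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            summary["malformed"] += 1  # truncated records are counted, not dropped silently
            continue
        if rec is None or rec["action"] != "deny":
            continue
        summary[f"denied_{rec['direction']}_by_source"][rec["src"]] += 1
        if rec["detail"] is None:
            summary["detail_unavailable"] += 1
        elif rec["direction"] == "in" and rec["kind"] == "ports":
            summary["denied_in_targets"][(rec["dst"], rec["detail"][1])] += 1
    return summary


# Constructed sample lines (documentation address ranges; all field values are made up).
_TAIL = "Routing: local Interface: nonsecure Adapter: 192.0.2.1 Fragment: %s VPN: 0 Encryption: n Size: 60."
SAMPLE_LOG = [
    "ICA1041w Denied packet in. Rule: 14 Source addr: 203.0.113.7 Destination addr: 192.0.2.1 "
    "Protocol: tcp Source port: 40112 Destination Port: 23 " + _TAIL % "n",
    "ICA1041w Denied packet in. Rule: 14 Source addr: 203.0.113.7 Destination addr: 192.0.2.1 "
    "Protocol: tcp Source port: 40113 Destination Port: 80 " + _TAIL % "n",
    "ICA1041w Denied packet in. Rule: 14 Source addr: 203.0.113.7 Destination addr: 192.0.2.1 "
    "Protocol: udp Source port: 0 Destination Port: 0 " + _TAIL % "y",
    "ICA1045w Denied packet in. Rule: 20 Source addr: 198.51.100.20 Destination addr: 192.0.2.1 "
    "Protocol: icmp ICMP type: 8 ICMP code: 0 " + _TAIL % "n",
    "ICA1039i Permitted packet in. Rule: 3 Source addr: 198.51.100.20 Destination addr: 192.0.2.1 "
    "Protocol: tcp Source port: 51000 Destination Port: 80 " + _TAIL % "n",
    "ICA1040w Denied packet out. Rule: 31 Source addr: 10.0.0.5 Destination addr: 203.0.113.9 "
    "Protocol: tcp Source port: 1025 Destination Port: 6667 " + _TAIL % "n",
    "ICA1032i Packet filter started or restarted.",
    "ICA1041w Denied packet in. Rule: 14 Source addr: 203.0.113.7",  # truncated record
]

if __name__ == "__main__":
    for key, value in summarize_denied(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```
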


ICA1050w

IP forwarding enabled.

Explanation: IP packet forwarding was enabled. Packets may now pass through the firewall without using the SOCKS server or a proxy server.

User Response: The effectiveness of the firewall may be reduced by enabling IP packet forwarding. If your firewall policy does not require that forwarding be enabled, IBM recommends that it be disabled.


ICA1051i

IP forwarding disabled.

Explanation: IP Packet forwarding was disabled. Packets will not pass through the firewall without using the SOCKS server or a proxy server.


ICA1200i

Terminating packet filter logging due to errors.

Explanation: Due to errors recorded prior to this message, IP packet filter logging is terminating.

System Action: IP Packet filter logging will not be activated.


ICA2001e

Authentication failed for user %user name% from host %host%.

Explanation: The userid and password supplied for the login from the host are not correct.

User Response: Ensure that the AS/400 userid and password are correct, then retry the operation.


ICA2024i

User %user name% from host %host% logged in using password authentication.

Explanation: The indicated user from the specified host is authorized using the password authentication method.


ICA2036i

Telnet session started, process ID %process id%.

Explanation: Telnet session started.


ICA2077i

Telnet session ended for process ID %process id%.

Explanation: Message generated at the end of each Telnet session.


ICA2A00i

Request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: The specified request was received and the specified response was returned.


ICA2A01e

Request rejected, user not authorized, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%); generated response(%response code%).

Explanation: The specified request was not returned due to authorization failure.

System Action: The request is rejected.

User Response: A valid userid and password with both *SECADM and *IOSYSCFG special authorities must be specified.


ICA2A03e

Request forbidden by rule, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%); generated response(%response code%).

Explanation: The specified request was rejected as forbidden by a configuration rule.

System Action: The request is rejected.

User Response: If the URL was entered by the user, correct the URL and try again. If this request was generated by a hyper-text link, a software error exists. Contact your service representative.


ICA2A04e

Requested document not found, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%); generated response(%response code%).

Explanation: The specified request was rejected as the document was not found.

System Action: The request is rejected.

User Response: If the URL was entered by the user, correct the URL and try again. If this request was generated by a hyper-text link, a software error exists. Contact your service representative.


ICA2B00a

Server error, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: An internal server error was detected while servicing the specified request.

System Action: The request is rejected.

User Response: Contact your service representative.


ICA2B01e

Service not implemented, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: The server does not support the requested service.

System Action: The request is rejected.

User Response: If the URL was entered by the user, correct the URL and try again. If this request was generated by a hyper-text link, a software error exists. Contact your service representative.


ICA2B02e

Invalid gateway, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: The server returned an invalid gateway response for the specified request.

System Action: The request is rejected.

User Response: Contact your service representative.


ICA2B03e

Service unavailable, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: The requested service is unavailable.

System Action: The request is rejected.

User Response: Contact your service representative.


ICA2B04e

Request incorrect, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: The server determined the request was incorrect.

System Action: The request is rejected.

User Response: If the URL was entered by the user, correct the URL and try again. If this request was generated by a hyper-text link, a software error exists. Contact your service representative.


ICA2B05e

Request rejected, proxy authentication failed, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: The proxy authentication failed for the specified request.

System Action: The request is rejected.

User Response: The userid and password provided failed authentication. Enter a correct userid and password.


ICA2B06e

Unrecognized response from server, request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: While processing the specified request, an unrecognized response code was generated by the server.

System Action: The request is rejected.

User Response: Contact your service representative.


ICA2C00i

Proxy request received on server port(%server port%) from remote address(%client IP address%) using method(%method type%) for document(%URL%) of length(%content length%) generated response(%response code%).

Explanation: The specified request was received and the specified response was returned.


ICA3010i

Connection established for user %source user ID% (%ident user ID%) at host %source address% port %source port% from host %destination address% port %destination port%.

Explanation: The SOCKS client at the specified source address requested that a connection be allowed from the destination address by sending a SOCKS bind command. The connection has been successfully established.


ICA3011i

Connection established for user %source user ID% (%ident user ID%) at host %source address% port %source port% to host %destination address% port %destination port%.

Explanation: The SOCKS client at the specified source address requested a connection to the destination address by sending a SOCKS connect command. The connection has been successfully established.


ICA3012w

Connect command denied for user %source user ID% (%ident user ID%) at host %source address% port %source port% to host %destination address% port %destination port%.

Explanation: A SOCKS connect command from the source address to the target address has been denied. Either a rule explicitly denied the request, or no rule was found.

User Response: Examine the source and destination addresses and compare with your firewall policies. If the connection request was valid, add an appropriate rule to the SOCKS configuration.


ICA3014i

Connection ended for user %source user ID% (%ident user ID%) at host %source address% port %source port% from host %destination address% port %destination port%. %bytes sent by source% bytes were sent by source host %source address% and %bytes sent by destination% bytes were sent by destination host %destination hostname%.

Explanation: The connection established by a bind command from the source address has ended normally.


ICA3015i

Connection ended for user %source user ID% (%ident user ID%) at host %source address% port %source port% to host %destination address% port %destination port%. %bytes sent by source% bytes were sent by source host %source address% and %bytes sent by destination% bytes were sent by destination host %destination hostname%.

Explanation: The connection established by a connect command from the source address has ended normally.


ICA3016e

A bind command requested that a connection be allowed from destination host %destination address%, but the SOCKS server could not find an interface on which to listen for the anticipated connection.

Explanation: The bind command successfully passed rule validation and any host authentication required. The SOCKS server then failed to find a route in the SOCKS route configuration file. The most common cause of this message is a SOCKS client that is not capable of determining when to use the SOCKS server and when to establish a direct connection to the destination address. Such a client requires the use of the SOCKS server to access internal servers as well as external servers, which can degrade the performance of the firewall system. The routing file is not updated to support this configuration unless you use the advanced configuration options.

User Response: If your firewall policy is to allow clients to request that connections be allowed from the destination address, add an appropriate route to the SOCKS route configuration file. If the destination address is an internal address, it is recommended that you use a versatile client that is capable of establishing direct connections to internal servers.


ICA3019w

The host %source address% connected to the SOCKS server port, and then an error (%error code%) occurred while receiving the command or the destination address.

Explanation: The SOCKS server was not able to successfully receive or interpret a request from the source address. This could be the result of many different user actions. For example, the user could have canceled the request before it had time to complete.

User Response: If this happens consistently for the same source address, you may need to contact your service representative for help in tracing the communications line and determining why the specified host is not completing the SOCKS connection request.


ICA3030e

Unable to open SOCKS configuration file %SOCKS configuration file%: error code %error code%.

Explanation: The SOCKS server was not able to open the specified configuration file.

User Response: Restore the server storage from a backup copy. If the problem persists, contact your service representative.


ICA3031e

Unable to open SOCKS routing configuration file %SOCKS routing configuration file%: error code %error code%.

Explanation: The SOCKS server was not able to open the specified configuration file.

User Response: Restore the server storage from a backup copy. If the problem persists, contact your service representative.


ICA3042w

An unknown SOCKS command (0x%hexadecimal command received%) has been received from source host %source address%.

Explanation: The specified source address connected to the SOCKS server and then sent an unknown command. The supported commands are connect(0x01), bind(0x02), and UDPAssociate(0x03).

User Response: Look for client application configuration errors, use a different SOCKS client, or contact your service representative for possible upgrades to the SOCKS server.


ICA3043w

An unsupported SOCKS protocol version (0x%hexadecimal version number%) has been received from source host %source address%.

Explanation: The client application at the source address is using an unsupported SOCKS protocol. The SOCKS server supports SOCKS protocol versions 4.2 and 4.3 (0x04), and 5.0 (0x05). The client application may not be configured correctly.

User Response: Look for client application configuration errors, use a different SOCKS client, or contact your service representative for possible upgrades to the SOCKS server.


ICA3044e

The system call %system call% failed with an error code of %errno% at %point of failure% for a connect command for user %source userID%(%ident userID%) at host %source address% port %source port% to host %destination address% port %destination port%.

Explanation: While processing the connection, the SOCKS server encountered a failure on a system call at the specified point of failure.

User Response: If the problem persists, contact your service representative.


ICA3045e

Unexpected connection from host %wrong host address% port %wrong host port% denied for bind command for user %source userID%(%ident userID%) at host %source address% port %source port% for intended host %destination address% port %destination port%.

Explanation: The user at the specified source address requested a connection be allowed from the destination address by sending a SOCKS bind command. However, a connection was then received from a host or port other than the specified destination host and port. The connection was denied. If this happens repeatedly, you may be experiencing a penetration attempt.

User Response: If this message is persistent, attempt to determine the owner of the host specified by the wrong host address and take appropriate action.


ICA3049i

Wait time exceeded while establishing a connection for a SOCKS connect command from user %source userID% (%ident userID%) at host %source address% port %source port% to host %destination address% port %destination port%.

Explanation: The connection establishment for the connection has exceeded the time allowed for completion. The network may be busy or the destination host may not be active.


ICA3109e

The rule entry at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid, or contains an incorrect number of fields. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3110e

The interface field at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3111e

The destination address at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3112e

The destination mask at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3114e

The SOCKS server did not find any rules in configuration file %configuration filename%.

Explanation: The specified configuration file is empty or contains only comments. This may be the result of incorrect configuration, tampering, or of a software problem.

User Response: You must configure the SOCKS server before starting it. If you believe that you have configured the SOCKS server correctly, contact your service representative.


ICA3115e

The action field ("permit" or "deny") at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains a value that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3116e

The authentication ("?=") field at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3117e

The source address at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3118e

The source mask at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3119e

The comparison field at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3120e

The port number at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3123i

The SOCKS server has started successfully.

Explanation: The SOCKS server has successfully processed the configuration files and is waiting for SOCKS client commands.


ICA3124e

The SOCKS server encountered a bind() call failure (error code %error code%) while starting.

Explanation: The SOCKS server encountered an error while starting.

User Response: The error might be temporary. Wait a few minutes and try the request again. If the problem persists, contact your service representative.


ICA3A01a

The SOCKS server failed to start or failed to restart because of previously logged errors.

Explanation: The SOCKS server encountered errors while starting or while restarting. The previous errors may indicate a software problem.

User Response: Inspect the previously logged errors for an indication of why the SOCKS server did not start. Try the start request again. If the problem persists, contact your service representative.


ICA3A02e

The command ("cmd=") field at line %line number% in file %configuration filename% is not valid.

Explanation: The specified rule contains syntax that is not valid for the specified field. This may be the result of tampering or of a software problem.

User Response: Contact your service representative.


ICA3A03i

The SOCKS server has ended normally.

Explanation: The SOCKS server has ended normally at the request of the administrator.


ICA3A04i

The SOCKS server has successfully reloaded configuration files.

Explanation: The system administrator has requested that the SOCKS server be restarted. The SOCKS server has successfully reloaded and processed the SOCKS configuration files.


ICA3A05e

The SOCKS server could not create a new thread to process a SOCKS client request.

Explanation: The SOCKS server encountered an error while creating a new thread to process a client request.

User Response: Contact your service representative.


ICA3A06a

The SOCKS server encountered an internal locking error at %point of failure%.

Explanation: An internal locking failure was encountered. This indicates a possible software problem.

User Response: If the problem persists, contact your service representative.


ICA3A07e

The SOCKS server could not allocate sufficient storage at %point of failure%.

Explanation: The SOCKS server encountered an insufficient storage condition.

User Response: If the problem persists, contact your service representative.


ICA3A08i

The SOCKS server is starting.

Explanation: The SOCKS server is starting. Message ICA3A04i or ICA3A01a will follow, indicating success or failure of this startup attempt.


ICA3A09e

The system call %system call% has failed at %point of failure% with error code %errno%.

Explanation: The SOCKS server encountered the specified system call failure.

User Response: If the problem persists, contact your service representative.


ICA3A10w

Bind command denied for user %source userID% (%ident userID%) at host %source address% port %source port% from host %destination address% port %destination port%.

Explanation: A SOCKS bind command was received from the source address, requesting that a connection be allowed from the destination address. The request was denied. Either a rule explicitly denied the request, or no rule was found.

User Response: Examine the source and destination addresses and compare with your firewall policies. If the connection request was valid, add an appropriate rule to the SOCKS configuration.


ICA3A11w

A UDP datagram for user %source user% at client host %source address% port %source UDP port% was discarded because it failed rule validation. The address %destination address% port %destination UDP port% was used for the destination address.

Explanation: A UDP datagram was received by the SOCKS server for the association created by the client host at the source address. Regardless of whether the client sent the datagram or was the intended target destination of the datagram, the client address is always used as the source address during rule validation.

User Response: Inspect all messages and your firewall policy to determine if the source IP address, destination IP address, and destination port are a valid combination. If valid, update the firewall configuration rules.


ICA3A12e

The system call %system call% failed with an error code of %errno% at %point of failure% for a bind command for user %source userID% (%ident userID%) at host %source address% port %source port% from host %destination address% port %destination port%.

Explanation: While processing the connection, the SOCKS server encountered a failure on a system call at the specified point of failure.

User Response: If the problem persists, contact your service representative.


ICA3A13e

The system call %system call% failed with an error code of %errno% at %point of failure% for a UDP association created by user %source user% at host %source address% port %source port%.

Explanation: While processing the UDP association, the SOCKS server encountered a failure on a system call at the specified point of failure.

User Response: If the problem persists, contact your service representative.


ICA3A14i

Wait time exceeded while establishing a connection for a SOCKS bind command for user %source userID% (%ident userID%) at host %source address% port %source port% from host %destination address% port %destination port%.

Explanation: Establishment of the connection has exceeded the time allowed for completion. The network may be busy or the destination host may not be active.


ICA3A15w

User authentication protocol version (0x%hexadecimal version number%) from host %source address% is not valid.

Explanation: The client application on the specified source address is using an unsupported version of the user ID and password authentication protocol defined by RFC 1929. The SOCKS server only supports version 0x01. The client application may not be configured correctly.

User Response: Look for client application configuration errors, use a different SOCKS client, or contact your service representative for possible upgrades to the SOCKS server.


ICA3A16w

User ID length %user ID length% from host %source address% is not valid.

Explanation: During RFC 1929 user authentication, a user ID length was received that was not valid. The AS/400 requires that the user ID length be 1 to 10 characters inclusive.

User Response: Use a user ID that is no longer than 10 characters.


ICA3A17w

Password length %password length% from host %client address% is not valid.

Explanation: During RFC 1929 user authentication, a password length was received that was not valid. The AS/400 password length must be 1 to 10 characters inclusive.

User Response: Use a password that is no longer than 10 characters.


ICA3A18w

Number of authentication methods %number of authentication methods% from host %source address% is not valid.

Explanation: The authentication field (a one byte unsigned character) must be 1 to 255, inclusive. Zero is not a valid value. The specifications for authentication methods are defined by RFC 1928.

User Response: This error indicates a software error in the client application. Contact the service representative of the client software.


ICA3A19w

No acceptable method of authentication could be negotiated with %client address%.

Explanation: No supported authentication method was found in the client list while processing a SOCKS version 5 request. From the methods defined by RFC 1928, the SOCKS server supports a method of none or of user ID and password authentication as defined by RFC 1929. The client application may not be configured correctly.

User Response: Look for client application configuration errors, use a different SOCKS client, or contact your service representative for possible upgrades to the SOCKS server.


ICA3A20w

Length %DNS hostname length% of a qualified hostname from host %client address% is not valid.

Explanation: A SOCKS version 5 request was received with a requested address type of 0x03, indicating that a Domain Name Service (DNS) hostname would follow. The length of the hostname was not valid. It must be between 1 and 255 inclusive. The client application may not be configured correctly, or this may indicate a software error in the client application.

User Response: Look for configuration errors for the client application, use a different SOCKS client, or contact your service representative.


ICA3A21w

Unsupported address type (0x%hexadecimal address type%) received from host %client address% for SOCKS version 5 RFC 1928 protocol.

Explanation: Only address types 0x01 (IP version 4 addresses) and 0x03 (qualified DNS host names) are supported. If the value is 0x04, the client requested support for 16 byte IP version 6 addresses and this SOCKS server does not support IP version 6. The client application may not be configured correctly.

User Response: Look for client application configuration errors, use a different SOCKS client, or contact your service representative for possible upgrades to the SOCKS server.


ICA3A22w

A reserved field was not 0x00 in a SOCKS version 5 request received from host %client address%.

Explanation: All reserved fields must be 0x00. This indicates a software problem in the client application. See RFC 1928 for the format of a SOCKS version 5 protocol request.

User Response: Contact the service representative of the client software.
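
The field checks behind messages ICA3A15w through ICA3A22w can be reproduced offline against a captured client message to see which message a client would trigger. The following is an added example, not IBM code: the function names, the order of the checks, and the "short" and "not-v5" results for input that the listed messages do not cover are assumptions.

```python
# Added example (not IBM code). Check order and the "short"/"not-v5"
# results for input outside the listed messages are assumptions.
SUPPORTED_METHODS = {0x00, 0x02}  # none, user ID/password (ICA3A19w)
MAX_LEN = 10                      # AS/400 user ID and password limit


def check_greeting(data: bytes):
    """VER | NMETHODS | METHODS (RFC 1928). Returns a message ID or None."""
    if len(data) < 2:
        return "short"
    if data[0] != 0x05:
        return "not-v5"
    nmethods = data[1]
    if nmethods == 0:                       # zero is not a valid count
        return "ICA3A18w"
    if len(data) < 2 + nmethods:
        return "short"
    if not SUPPORTED_METHODS.intersection(data[2:2 + nmethods]):
        return "ICA3A19w"
    return None


def check_userpass(data: bytes):
    """VER | ULEN | UNAME | PLEN | PASSWD (RFC 1929)."""
    if len(data) < 2:
        return "short"
    if data[0] != 0x01:                     # only version 0x01 is supported
        return "ICA3A15w"
    ulen = data[1]
    if not 1 <= ulen <= MAX_LEN:
        return "ICA3A16w"
    if len(data) < 3 + ulen:
        return "short"
    plen = data[2 + ulen]
    if not 1 <= plen <= MAX_LEN:
        return "ICA3A17w"
    return None if len(data) >= 3 + ulen + plen else "short"


def check_request(data: bytes):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (RFC 1928)."""
    if len(data) < 5:
        return "short"
    if data[2] != 0x00:                     # reserved byte must be zero
        return "ICA3A22w"
    atyp = data[3]
    if atyp not in (0x01, 0x03):            # IPv4 or DNS name only
        return "ICA3A21w"
    if atyp == 0x03:
        if data[4] == 0:                    # one-byte length: only 0 is invalid
            return "ICA3A20w"
        need = 5 + data[4] + 2
    else:
        need = 4 + 4 + 2
    return None if len(data) >= need else "short"
```

Each function returns None when the message passes every check, so a non-None result names the first rejected field.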


ICA3A23e

A SOCKS authentication request for user ID %source userID% failed with error code 0x%error code%.

Explanation: The authentication of a user ID and password failed.

User Response: Check if the specified user profile exists or if it has been disabled. Check the client configuration to ensure the user ID and password are spelled correctly. Attempt a manual signon with the specified user ID and password. If the problem persists, and no problem can be found with the user ID and password supplied, contact your service representative.


ICA3A24e

A UDP associate command was received specifying a client address of %UDP associate specified source address%. However, the command was received from a source address of %originating address%. The request was denied.

Explanation: A UDP associate command was received (see RFC 1928). The IP address that was specified as the client's address from which UDP datagrams will be sent did not match the originating address for the TCP connection on which the UDP associate command was received. The UDP association request is denied.

User Response: Look for client application configuration errors, or contact the service representative of the client software.


ICA3A25i

A UDP association for host %client IP address% port %client UDP port number% has been idle for too long.

Explanation: A UDP association has been idle for the maximum time allowed. The connection has been ended. If the client UDP port number is 0, then the port number was not received on the association request, and no UDP packets have been received from the client.


ICA3A26i

UDP association ended for user %client user profile% at host %source address% port %source UDP port%. The source host %source hostname% sent %bytes sent by source% bytes and received %bytes received by source% bytes on this association.

Explanation: A UDP association (see RFC 1928) has ended normally.


ICA3A27w

A UDP datagram received from %datagram source IP address% was discarded because it was from port %datagram source UDP port% instead of port %client UDP port%.

Explanation: A UDP datagram was received from the client that created the UDP association, and it was discarded, since it did not originate from the client UDP port that was identified by the client for the association. RFC 1928 states that a server may optionally filter based on the client IP address and port number, and the SOCKS server discarded the datagram. This may indicate a client application software problem or an unauthorized attempt to use the firewall.

User Response: Determine what application at the source address is sending the datagram, and take appropriate action, such as contacting the service representative of the client software.


ICA3A28w

A UDP datagram was received from %datagram source IP address% port %datagram source UDP port%, but the length %UDP datagram length% of the SOCKS version 5 UDP request header was not valid.

Explanation: A UDP datagram was received on a UDP association as defined by RFC 1928. The UDP request header was not long enough to determine a destination address for the datagram. The datagram was discarded, and the association was ended. This indicates an error in the client application software.

User Response: Contact the service representative of the client software.


ICA3A29w

A UDP datagram was received from %source address% port %source UDP port%, but the length %length% of user data was too large to be successfully sent to %destination address%.

Explanation: A UDP datagram was received on a UDP association, and the SOCKS server attempted to forward it to the specified destination address. The length of the user data plus the length of a UDP header was greater than the Maximum Transmission Unit (MTU) defined for the interface used to send the datagram to the destination. The datagram was discarded.

User Response: This indicates a network configuration problem or a client configuration problem. If possible, decrease the size of the UDP datagrams created by the client application, or increase the MTU size specified for the target interface.


ICA3A30w

A UDP datagram was received from %datagram source address% port %datagram source UDP port% for the client address %source address%, but it was discarded because no client UDP port has yet been identified for the association.

Explanation: The client specified by source address has created a UDP association, but has yet to identify a client UDP port. A UDP datagram was received by the SOCKS server for this partially established association, and it was discarded. This may indicate an unauthorized attempt to use the firewall.

User Response: If this message appears frequently, attempt to identify the owner of the host specified as the datagram source address, and to determine why these datagrams are being sent.


ICA3A31w

A datagram received from host %datagram source address% was discarded because it was not from host %source address% which established the UDP association.

Explanation: A UDP datagram was received on a UDP association and it was not from the host that created the association. RFC 1928 states that a server may optionally filter based on the client source address and port number, and the SOCKS server discarded the datagram. The client application may not be configured correctly, there may be a client application software error, or this may be an unauthorized attempt to access the firewall.

User Response: Locate the machine associated with the datagram source address, determine which application sent the datagram, and take appropriate action to correct the problem.


ICA3A32i

Idle connection ended for user %source userID% (%ident userID%) at host %source address% port %source port% from host %destination address% port %destination port%. %bytes sent by source% bytes were sent by source host %source address% and %bytes sent by destination% bytes were sent by destination host %destination hostname%.

Explanation: The connection established by a bind command from the client at the source address has been idle for too long. The connection has been ended.


ICA3A33i

Idle connection ended for user %source userID% (%ident userID%) at host %source address% port %source port% to host %destination address% port %destination port%. %bytes sent by source% bytes were sent by source host %source address% and %bytes sent by destination% bytes were sent by destination host %destination hostname%.

Explanation: The connection established by a connect command from the client at the source address has been idle for too long. The connection has been ended.


ICA3A34i

Not able to resolve hostname %destination hostname% for client at host %source IP address% port %source port%.

Explanation: The SOCKS server was not able to resolve the specified hostname as requested by the SOCKS client. Either the hostname does not exist, a name server is not active, or a name server configuration problem exists.


ICA3A35w

Fragmented UDP datagram from host %source IP address% port %source port% discarded.

Explanation: The SOCKS server received a UDP datagram from the specified UDP association, and the SOCKS UDP request header in the datagram specified fragmentation. RFC 1928 states that support for fragmentation in the SOCKS UDP request header is optional, and since this SOCKS server does not support fragmentation, the packet was discarded.

User Response: Determine if the client application can be configured to send smaller datagrams. If this is not possible, contact your service representative for possible upgrades to the SOCKS server.
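
The per-datagram filtering described in messages ICA3A27w, ICA3A28w, ICA3A31w and ICA3A35w can be modelled to test what a given client datagram would cause the server to log. The following is an added example, not IBM code: the function name, the order of the checks, the return shape and the "unsupported-atyp" label are assumptions, and the sample addresses in any call are constructed.

```python
# Added example (not IBM code). Check order, the (msg_id, result) return
# shape and the "unsupported-atyp" label are assumptions.
import ipaddress
import struct


def check_client_datagram(assoc_ip, assoc_port, src_ip, src_port, payload):
    """Validate a datagram arriving on a UDP association.

    assoc_ip/assoc_port: client address and UDP port recorded for the
    association. Returns (message ID, None) when the datagram is
    discarded, or (None, (dst, dst_port, data)) when it may be relayed.
    """
    if ipaddress.ip_address(src_ip) != ipaddress.ip_address(assoc_ip):
        return "ICA3A31w", None             # not the host that owns it
    if src_port != assoc_port:
        return "ICA3A27w", None             # wrong client UDP port
    # UDP request header: RSV(2) | FRAG(1) | ATYP(1) | DST.ADDR | DST.PORT(2)
    if len(payload) < 5:
        return "ICA3A28w", None
    frag, atyp = payload[2], payload[3]
    if frag != 0x00:
        return "ICA3A35w", None             # fragmentation not supported
    if atyp == 0x01:
        addr_end = 8
    elif atyp == 0x03:
        addr_end = 5 + payload[4]
    else:
        return "unsupported-atyp", None
    if len(payload) < addr_end + 2:         # header too short for address
        return "ICA3A28w", None
    if atyp == 0x01:
        dst = str(ipaddress.IPv4Address(payload[4:8]))
    else:
        dst = payload[5:addr_end].decode("ascii", "replace")
    (dst_port,) = struct.unpack("!H", payload[addr_end:addr_end + 2])
    return None, (dst, dst_port, payload[addr_end + 2:])
```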


ICA3A99d

%debug text% .

Explanation: The SOCKS server is logging a debug message. This message is for IBM developer debug purposes only. The logging of this message can impact firewall system performance. Do not leave the logging level set to debug.


ICA9A00e

Internal error occurred in a firewall component.

Explanation: Internal component failure occurred. Detailed error messages have been written to the error log.

System Action: The server or service will continue if possible.

User Response: Contact your service representative.


ICA9A01a

The server program %server% ended abnormally, process ID %process ID%.

Explanation: A firewall program unintentionally ended. This could be due to software failure or tampering.

System Action: The server has ended.

User Response: End the firewall application, ENDNWSAPP. Contact your service representative.


ICA9A02a

A critical firewall process has ended abnormally. The firewall is shutting down.

Explanation: A failure of a critical software component of the firewall has forced the firewall to end.

System Action: The firewall has ended.

User Response: Contact your service representative.


ICA9A03i

%server% started.

Explanation: The indicated server has been started.


ICA9A04i

%server% restarted.

Explanation: The indicated server has been restarted.


ICA9A05i

%server% stopped.

Explanation: The indicated server has been stopped.


ICA9B00i

The VPN policy cache is being loaded.

Explanation: The following lines show the new contents of the VPN policy cache.


ICA9B01e

There are no VPN policy entries.

Explanation: There are no entries in the VPN policy file.

User Response: Contact your service representative.


ICA9B02i

VPN policy: %local_firewall_address remote_firewall_address VPN_ID encrypt_flag/authenticate_flag%

Explanation: This message lists the attributes of a policy that has been loaded into the VPN policy cache.


ICA9B03i

The VPN context cache is being loaded.

Explanation: The following lines show the contexts that are being added to the VPN context cache.


ICA9B04i

VPN context - VPN_ID:%number%, local_firewall_address:%IP_address%, remote_firewall_address:%IP_address%, encryption:%algorithm%

Explanation: This message lists the attributes of a context that has been loaded into the VPN context cache.


ICA9B05a

VPN:%VPN_ID% has stopped.

Explanation: The VPN is no longer operational.

User Response: Before starting the VPN, you and your partner may want to change keys.


ICA9B06i

The VPN context cache is being loaded.

Explanation: The following lines show the contexts that are being added to the VPN context cache.


ICA9B07i

The VPN Auto Key Refresh feature has started, using session socket port:%port_no% and master socket port:%port_no%

Explanation: The VPN Auto Key Refresh session key engine has started using the specified UDP port numbers.


ICA9032i

NAT configuration updated.

Explanation: The NAT configuration has been updated.


ICA9033i

NAT support initialized.

Explanation: NAT support has been initialized.


ICA9034i

NAT support deactivated.

Explanation: NAT is now disabled.


ICA9035i

NAT unable to allocate Registered Address for Secured Address %Secured IP Address%

Explanation: Registered Address not translated.


ICA9036i

NAT released Registered Address %Registered IP Address% to address pool.

Explanation: The Registered Address is released to the registered IP address pool.




__________________________________________________________________

    IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright (c) 1996,1997,1998, 1999, 2000, 2001, 2002, 2003 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Legal link, and select the Copyright and trademark information link from the left navigation bar for trademark information.