Supplemental Document : Log Messages Reference

Applies To:

Show Versions Show Versions

BIG-IP FPS

  • 15.0.0, 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0

BIG-IP DNS

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP Analytics

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP PEM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AAM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Link Controller

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Advanced WAF

  • 13.1.1, 13.1.0
Original Publication Date: 04/10/2019



Log Messages List



ID Number Description
00020000 Resuming log processing at this invocation; held %d messages.
01010001 %s starting
01010004 Memory allocation failed: %s
01010007 "Config error: %s"
01010011 Persistence cookie hash failed
01010013 database size increased by %d bytes, %d total
01010019 Caught signal %d, exiting
01010020 MCP Connection %s, exiting
01010027 Unable to attach to PCI device %02x:%02x.%02x
01010028 No members available for pool %s
01010029 Clock advanced by %u ticks
01010038 Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d
01010040 Clock has unexpectedly adjusted by %lld ms
01010044 "%s feature %s licensed"
01010045 Bandwidth utilization is %d Mbps, exceeded %d%% of Licensed %d Mbps
01010054 tmrouted connection %s
01010056 Syncookie counter %d exceeded vip threshold %u for virtual = %s
01010201 Inet port exhaustion on %*A to %*A%c%d (proto %d)
01010213 L3 Address LB method deprecated; using 'Least Connections' for pool %s
01010216 DNSSEC: Signature failed (%s) for RRSET (%s, %lu) with key %s, generation %llu.
01010221 Pool %s now has available members
01010225 Failure to query dns-express db (%s)
01010231 DNSSEC: Did not add RRSIGs to response RR set (owner: %s).
01010235 Inet port find called for pg %d with invalid cmp state %x
01010239 LSN error: %s
01010240 Syncookie HW mode activated, server = %A:%d, HSB modId = %d
01010241 Syncookie HW mode exited, server = %A:%d, HSB modId = %d from %s
01010250 Pool member %A:%u exceeded configured rate limit.
01010251 Virtual %s exceeded configured rate limit.
01010259 External Datagroup (%s) %s.
01010260 Hardware Error(%s): %s %s
01010273 Access policy Configuration object: [%s] not found
01010274 Access Policy and Access Policy Item join failed: [%s] not found
01010276 FTPS warning: Security policy disabled for %A%%%u:%u due to explicit FTPS mode negotiation
01010290 TCP: Memory pressure activated
01010291 TCP: Memory pressure deactivated. Dropped %llu packets, %llu bytes
01010300 BDoS: (TMM) Histogram (%p) %s for context %s (ref cnt %d).
01010301 BDoS: (TMM) %s failure for context %s - %s (error %s).
01010302 BDoS: (TMM) %s signature (%s) for context %s at idx %u (detection=%u mitigation=%u state=%s transient=%s retired=%s).
01010303 BDoS: (TMM) signature (%s) removed (at idx %u of signature table) from context %s.
01010305 BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s l4_bdos_licensed=%s bdos_feature_enabled=%s detection=%s
01010307 Memory allocation failed: %s %s
01010308 Access Policy update: %s End Txn Failed (%d)
01010309 Access Policy(%s) update: Subroutine properties can be only assigned to Access policy of type subroutine
01010310 Incomplete hud chain for listener: %s
01010311 Failed to configure VDI-enabled listener %s: %En
01010313 Profile %s create failed.
01010314 profile %s update: bad profile
01010315 Agent [%s] update: Invalid event validate
01010316 Agent [%s] update: agent clone failed
01010317 Agent [%s] update: agent store failed
01010318 Agent [%s] update: agent construct failed
01010322 pem protocol profile gx modify {%s}: invalid
01010323 {%s, %s}: protocol message cannot be deleted, error %E
01010324 {%s, %s}: not found, cannot modify.
01010325 pem protocol profile radius modify {%s}: invalid
01010326 {%s, %s}: protocol message cannot be deleted, error %E
01010327 {%s, %s}: not found, cannot modify.
01010328 BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s dns_bdos_licensed=%s detection=%s
01010329 BDoS: (TMM) Signature %s: threshold_mode=%s detection=%u mitigation_curr=%llu
01010330 Failed to register the Neuron App %s with the Neuron client
01010331 Neuron client %s failed with %s(%s)
01010332 Neuron application %s registered
01010334 DNS Express will not be initialized because TMM has more than 32 threads.
01010336 listener binding ERR=%d %s listener %s %A:%d FAIL
01010337 NOTE: avoid common IPsec v1 and v2 tunnel local addr
01010342 Disabled TCP HW checksum offloading automatically disables TCP Segmentation Offload (TSO)
01010343 Syncookie SW mode activated, server = %A:%d
01010344 Syncookie SW mode exited, server = %A:%d
01010346 [LTM LB][%C]%s
01010347 DynaD activated
01010348 DynaD inactivated
01010348 Access Policy(%s) update: Customization group set can be only assigned to Access policy of type per-request
01010349 DNSSEC: Failed to parse DS record string (%s): %s
01010355 DNS: Awaiting full DNSSEC Key %s Generation %llu from MCP
01010356 %s: filter '%s' init failed.
01010364 Hybrid fixed-policy setting change: from %d to %d.
01020037 The requested %s (%s) already exists
01020066 The requested %s (%s) already exists in partition %s
0102006e IP Address %s is invalid with netmask %s, must not be the same as network address.
0102006f The string does not contain only space separated integers between 0 and 4294967295
01060001 Service detected %s for %s:%u monitor %s.
01060002 Node address detected %s for %s monitor %s.
01060110 Lost connection to mcpd with error %d, will reinit connection.
01060111 Open SSL error - %s
01060136 Received links up - monitoring starts.
01060145 Pool %s member %s monitor status %s. [ %s ] [ %s ]
01060156 Bigd PID %d, instance %d, fail to serialize 'bigd=>mcpd' message (exceed msg-length limit?): %s.
01060157 Receive string cannot be empty for reverse monitor '%s'
01060158 Disable string must be empty for reverse monitor '%s'
01070007 Received shutdown signal %d
01070043 Monitor %s parent not found.
0107004e LTM configuration is not allowed when VCMP is provisioned. Virtual server %s conflicts with VCMP.
01070069 Subscription not found in mcpd for subscriber Id %s.
01070147 Snatpool %s must reference at least one translation address.
01070151 Rule [%s] error: %s
01070165 "License file stat fails: %s."
01070259 Requested member (%s) is untagged on another VLAN
0107025d Nameserver for Wide IP Zones (%s) is not a fully qualified domain name or contains invalid characters.
0107025e Nameserver for Wide IP Zones is empty. A valid, fully qualified domain name must be specified.
01070261 Can't create a home directory for username %s (%s)
01070265 The %s (%s) cannot be deleted because it is in use by a %s (%s)
01070277 The requested %s (%s) was not found
0107028a The source address (%s) for virtual server (%s) must have a prefix length.
01070301 Pool (%s) is referenced by one or more virtual servers
0107030c Host persistence requires an HTTP profile to be associated with the virtual server
01070315 profile %s requires a key
01070318 The requested media %s for interface %s is invalid.
01070320 Snatpool %s is still referenced by a virtual server.
0107032f The vlan (%s) associated with the static route %s/%d must have a Self IP using the IPv%u protocol.
01070340 %s (%s) is referenced by one or more rules
01070341 Virtual server %s references rule %s which does not exist.
01070354 Self IP %s / %s: This network is defined on two vlans (%s and %s)
01070356 %s feature not licensed
01070392 Self IP %s / %s: This IP shares a network with %s (%s / %s).
01070394 %s in rule (%s) requires an associated %s profile on the virtual server (%s)
01070404 Add a new Publication for publisherID %s and filterType %p
01070406 Removed publication with publisher id %s
01070407 Removed information for Publication %s and filterType %p
01070408 Deleting abandoned subscriber connection for %s
01070410 Removed subscription with subscriber id %s
01070413 Updated existing subscriber %s with new filter class %llx
01070417 AUDIT - user %s - transaction #%u-%u - object %u - %s
01070418 connection %p (user %s) was closed with active requests
01070419 Platform initialization phase triggered
01070421 Base configuration initialization phase triggered.
01070424 Full configuration initialization phase triggered.
01070427 Initialization complete. The MCP is up and running
01070465 DB changed: %s, configsync needed
01070466 Received end of platform data
01070468 %s
01070596 An unexpected failure has occurred, %s, exiting...
01070599 Current management-ip (%s) has to be deleted before adding a new management-ip (%s) with the same address family.
01070604 Cannot delete IP %s because it would leave a route unreachable.
01070608 License is not operational (expired or digital signature does not match contents)
01070622 The monitor %s has a wildcard destination service and cannot be associated with a node that has a zero service
01070638 "Pool %s member %s:%u monitor status %s."
01070639 Pool %s member %s:%u session status %s.
01070640 Node %s address %s monitor status %s.
01070690 Port mirroring is not supported on this platform.
0107070e Software version not covered by service agreement. Reactivate license before continuing.
01070712 "Caught configuration exception (%d), %s."
01070727 "Pool %s member %s:%u monitor status up."
01070728 Node %saddress %s monitor status up.
01070730 Configuration restored from binary image
01070734 Configuration error: %s
01070736 Couldn't write to the user/role/partition file, %s (%d)
01070807 Monitor %s instance %s:%u has been %s.
01070822 "Access Denied: %s"
01070823 Read Access Denied: %s
01070827 User login disallowed: %s
01070921 Virtual Server '%s' on partition '%s' %s by user '%s'.
01070927 Request failed, data provider (%s) disconnected from mcpd
01070931 Clustering quorum reached
01070933 License blob received from primary.
01070967 The specified vlan, vlangroup or tunnel (%s) cannot be removed from its default route domain (%s).
01070978 The vlan (%s) for the specified self IP (%s) must be one of the vlans in the associated route domain (%s). For example: 192.168.0.1%1234 for self IP in route-domain 1234.
01070979 The specified vlan (%s) for route domain (%s) is in use by a self IP.
01070995 get_tmstat: tmstat_sample not ready. Statsd may not be running.
01071027 Master key OpenSSL error: %s
01071029 %s
0107102d Cannot load master key file. Updating to a new master key.
01071031 %s
01071038 %s
01071047 Removing %d %s local objects from slot %d
01071070 Failed to %s file %s with error %d
01071138 The access policy (%s) has an action/macrocall item (%s) that is referenced by any rule's next item for %d time(s). Exactly one reference is allowed.
01071246 "Unable to reload the dns cache\n"
010712a5 Ha_group %s unknown %s %s.
01071321 Vlan allowed mismatch found: hypervisor (%s:%s), guest (%s:%s) and (%s:%s).
01071392 Background command '%s' failed. %s
010713b1 Cannot delete IP (%s) because it is used by the system state-mirroring (%s) setting.
010713b8 Propose change to system hostname (%s).
010713ba Propose change to default gateway (%s).
010713bc Propose change to management IP address (%s/%s).
010713c0 System state ready for hypervisor mgmt settings: (%s)
010713c1 Initial management network proposals triggered (%s)
010713c2 No new proposal values detected
010713c3 Hypervisor updating %s. Old value: (%s) New value: (%s).
010713f6 CentMgmt objects must be in the '/Common' folder
01071412 Cannot delete IP (%s) because it is used by the system config-sync setting.
0107142f Can't connect to CMI peer %s, %s
01071430 Cannot create CMI listener socket on address %s, port %d, %s
01071431 Attempting to connect to CMI peer %s port %d
01071432 CMI peer connection established to %s port %d after %d retries
01071434 No CMI peer devices configured
01071435 Disconnecting from CMI peer %s as a result of a reconfiguration
01071436 CMI listener established at %s port %d
0107143a CMI reconnect timer: %s
0107143b CMI connection debug info: %s
0107143c Connection to CMI peer %s has been removed
01071451 Received CMI hello from %s
0107146f Self-device %s address cannot reference the non-existent Self IP (%s); Create it in the /Common folder first.
01071470 Disconnecting from CMI device %s, the device is not in a trust domain
0107147f Could not read certificate file (%s)
01071485 %s (%s) content does not match the signature.
01071488 Remote transaction for device group %s to commit id %llu %llu %s %llu failed with error %s
0107149c Virtual server %s has more than one clientssl/serverssl profile but none of them is default for SNI.
010714a0 Sync of device group %s to commit id %llu %llu %s %llu from device %s complete
01071515 Unclassified domain logging on %s requires log publisher to be set.
01071528 Device group '%s' sync inconsistent, %s.
01071539 Mcpd is starting. The BIG-IP version is %s
01071587 Commit ID message ignored, %s
010715bc "The application service (%s) has strict updates enabled, the object (%s) must be updated using an application management interface."
0107167d Data publisher not found or not implemented when processing request %s.
01071681 SNMP_TRAP: Virtual %s has become available
01071682 SNMP_TRAP: Virtual %s has become unavailable
0107168c Incremental sync complete: This system is updating the configuration on device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.
0107168e Unable to do incremental sync, reverting to full load for device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.
010716b3 A draft policy (%s) can not be applied to a ACL rule.
010716b4 Policy %s cannot be assigned to %s, because %s.
010716e3 Policy '%s'; an action occurs before conditions in another rule. For best-match, all actions must happen later than all conditions.
0107172d Policy '%s' can't be applied to virtual server '%s' because it has no rules
01071764 HA order list in traffic group (%s) cleared because there is no self failover device group.
0107179a Setting DB variable %s to %s. Reboot is required for changes to take effect.
010717b3 Setting DHCP request-option to none can result in management-ip misconfiguration and loss of management connectivity.
010717b6 %s can only be used in one LSN pool or security nat source translation object. The PCP Server %s (%s) is in use by lsn pool %s.
010717dc VXLAN tunnel remote address can be configured only as any(0.0.0.0) with flooding types none and multipoint.
010717e2 Client SSL profile (%s): must have at least one set of %s.
0107183b Cannot disable LDNS cache when a Wide IP has persistence enabled.
01071860 Cannot enable feed list %s. Maximum number of enabled feed list allowed is %d.
01071863 OCSP cert-validator (%s): DNS resolver and proxy server pool can not be both empty.
01071864 OCSP cert-validator (%s): The certificate (%s) can not be used by an OCSP cert-validator as a %s, because it is currently using some cert-validator (%s) to monitor its status.
01071865 Unable to find an HTTP-based OCSP responder URL that is configured in the OCSP cert-validator (%s) or in the AIA (Authority Information Access) extension of the certificate (%s).
01071866 OCSP cert-validator (%s): Please specify a HTTP-based absolute URL for the OCSP responder.
01071867 OCSP cert-validator (%s): Both key and certificate should be specified for signing the OCSP request.
01071868 OCSP cert-validator (%s): Only prime256v1 named curve is supported for signer key.
01071869 OCSP cert-validator (%s): Security type %s is not supported for signer key.
0107186a OCSP cert-validator (%s): Signer key (%s) and signer certificate (%s) do not match.
010718e1 Only the standard-balanced-fpga firmware type is permitted in vCMP mode.
010718e3 Certificate (%s) has enabled OCSP at cert-validation-option but is not associated with any OCSP cert-validator.
010718e4 OCSP cert-validator (%s): can not use both DNS resolver and proxy server pool. Please ensure that only one of them is configured.
01071909 Log publisher '%s' used by the Anti-Fraud profile '%s' must have a single destination of type '%s'.
0107190a Field '%s' cannot be empty in the Anti-Fraud profile '%s'.
01071911 %s in rule (%s) are not allowed under %s event on the %s (%s).
01071912 %s in rule (%s) requires an associated %s profile on the %s (%s).
01071913 %s in rule (%s) under %s event at %s (%s) does not satisfy cmd/event/profile requirement.
01071918 CMI device (%s) has a different version (%s) from this device (%s).
010719a8 URL parameters can be %s only when %s is enabled in the Anti-Fraud profile '%s'.
010719ac Anti-Fraud parameter '%s' is invalid. Parameter cannot be %s while it is %s in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
010719b7 URL whitelist words can be selected only from malware blacklist words in the Anti-Fraud profile '%s'.
010719b7 Anti-Fraud DOM signature '%s'(hash ID) cannot be deleted as it appears in the DOM signatures whitelist in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
010719c9 Unicast address warning (FAILOVER MAY NOT WORK): %s should be a mgmt (blade) address or non-floating self IP.
010719d6 The location '%s' cannot have empty path between leading '/' and file extension or trailing '/', and also cannot contain only '/' and '.' in the Anti-Fraud profile '%s'.
010719e7 Virtual Address %s general status changed from %s to %s.
010719e8 Virtual Address %s monitor status changed from %s to %s.
010719ea GTM changed state from %s to %s.
010719fd No IPv%s self IP exists on VLAN (%s) for static route (%s)
01071a01 Anti-Fraud parameter '%s' is invalid. URL parameters can appear only in POST request when URL Application Type is Mobile in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071a14 device_trust_group: Requesting device data from device %s.
01071a15 device_trust_group: Sending device data to device %s.
01071a37 Anti-Fraud %s '%s' was created as %s and this setting cannot be changed.
01071a38 Wildcard %ss must have unique priorities in the Anti-Fraud profile '%s'.
01071a39 Cannot %s of explicit %s in the Anti-Fraud profile '%s'.
01071a6e Incompatible options - traffic group %s cannot have both auto-failback-enabled and the failover-method set to ha-score
01071a85 Anti-Fraud URL '%s' is invalid. Wildcard URL cannot have %s enabled in the Anti-Fraud profile '%s'.
01071a95 Admin IP (%s/%s): Gateway (%s) for management route (%s) is not in a connected network.
01071a9a The '%s' for interface %s has been adjusted to '%s'.
01071aa6 %s bad actor cannot be enabled if per-source detection/limit pps is less than 1% of the DoS vector (%s) %s setting for %s.
01071aa7 %s bad actor per-source detection/limit pps cannot be greater than the Dos vector (%s) %s setting for %s.
01071acc Cannot enable maintenance mode when device is forced offline.
01071acd The requested device (%s) was not found in self failover device group (%s).
01071ad3 The requested provision module (%s) is not compatible with already provisioned module (%s).
01071ad4 LSN pool %s shares the same name as security nat source translation object. LSN iRules that take in 'pool name' as an argument would default to LSN objects
01071ad9 Security NAT Source Translation object %s shares the same name as LSN pool. LSN iRules that take in 'pool name' as an argument would default to LSN objects.
01071af3 Anti-Fraud parameter '%s' is invalid. URL parameters cannot be entangled for Mobile while no parameter is encrypted for Mobile in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071af8 The firewall rule UUID cannot be modified by user once it's created.
01071af8 The firewall rule UUID (%s) already exists in other rules.
01071af9 The specified firewall rule UUID (%s) is diffrent from exists rule UUID.
01071aff AOM webui is not available in this release.
01071b00 AOM vkvm is not available in this release.
01071b27 Scope name cannot be empty for OAuth Authorization agent %s.
01071b28 Scope name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth scope. If this error appears during import access profile, then the scope-name in the scope already exists on this BIG-IP as part of another scope object. You may want to edit the existing scope and retry importing access profile.
01071b29 %s entry refers to invalid OAuth Authorization agent %s, entry %d.
01071b2c The client app (%s) that is associated with the %s (%s) does not exist.
01071b3b Notice: Purging initiated for OAuth DB Instance (%s). Time taken for DB purging depends on the amount of data; BIG-IP performance may be affected during this time. Only expired tokens will be removed.
01071bad The certificate (%s) can not simultaneously use a cert-validator (%s) and be configured as the %s of a cert-validator (%s).
01071bbd SSL profile (%s): When CRL configuration name (%s) is specified, both static CRL file (%s) and Allow-Expired-CRL settings are not allowed.
01071bcd Security NAT Source Translation object (%s) cannot use both Self IP and DSLITE tunnel for PCP configuration.
01071bd1 Inbound CMI connection from IP (%s) denied because it came from VLAN (%s), not from expected VLAN (%s).
01071bd6 %s (%s): Cannot enable Device-ID without enabling Bot Signatures and the 'Search Engine' Bot Signature Category.
01071bd8 The tag-mode for requested member %s has to be 'none' on platforms that do not support QinQ.
01071be4 port-fwd-mode value of interface (%s) is not compatible with vlan (%s) member interface (%s).
01071be5 Member interface (%s) of trunk (%s) not found.
01071be6 port-fwd-mode value of interface (%s) is not compatible with trunk (%s) member interface (%s).
01071bed The URL (%s) belongs to Custom Category (%s) has invalid type as regex-match and not supported yet.
01071bee SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string has been ignored.
01071bf0 Vlan %s c-tag %s is out of range.
01071bf1 Vlan %s tag %d is out of range.
01071bf6 Cannot change FIPS name on busy guest: %s.
01071bf7 Invalid URL format %s in CA-bundle manager %s. Check help page.
01071bf8 Bundle manager %s cannot use a certificate file object %s that depends on itself. This would cause a cyclic dependency.
01071bf9 CA-bundle management trace: CA-bundle %s depends on %s.
01071bfa CA-bundle manager %s does not exist.
01071bfb The default CA-bundle manager %s cannot be deleted.
01071bfc The default CA-bundle manager %s cannot be changed.
01071bfd The default CA-bundle manager %s cannot change the exclude-url or exclude-bundle sets.
01071bfe The port number must be removed from %s, and set separately.
01071bfe %s: %s can't be deleted because %s.
01071bff The trusted CA-bundle must be provided in CA-bundle manager %s in order to download from URLs.
01071c00 The requested certificate file object %s for %s was not found.
01071c01 Object %s cannot be used in both include and exclude sets in CA-bundle manager %s.
01071c02 CA-bundle URL %s in CA-bundle manager %s only supports HTTPS.
01071c03 F5 CA-bundle %s cannot be dynamically managed.
01071c04 Cannot find device group (%s).
01071c05 Cannot find Policy Sync object definition file (%s).
01071c06 Cannot find Policy Sync object list file (%s).
01071c07 Cannot find Policy Sync data file (%s).
01071c08 Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.
01071c09 Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because visibility is not properly defined.
01071c0a Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.
01071c0b Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because visibility is not properly defined.
01071c0c Categories can't be assigned without selecting dynamic bwc policy.
01071c0d Default attribute consuming service (%s) must be present in the list 'attribute-consuming-services' of apm saml aaa (%s)
01071c0e Attribute consuming service session and object cannot variable be configured at the same time in agent (%s)
01071c0f Attribute consuming service variable (%s) in agent (%s) is not in session variable format
01071c10 'attribute-name' must be configured for attribute (%s) in attribute-consuming-service (%s)
01071c11 All attribute names must be unique within attribute-consuming-service (%s). Provided attribute name (%s) is not unique
01071c12 attribute-consuming-service (%s) must specify at least one attribute
01071c13 attribute-consuming-service-index (%d) in aaa saml server (%s) conflicts with index of existing service (%s). Please provide unique index.
01071c14 'service-name' value must be configured in attribute-consuming-service (%s)
01071c15 aaa saml server must be configured before attribute consuming service can be specified
01071c16 SAML agent (%s) specifies attribute consuming service (%s) that is not configured in aaa saml server (%s)
01071c18 Attribute consuming service (%s) cannot be removed from aaa saml server (%s) because service is set as default
01071c19 The requested username source (%s) is not a valid session variable.
01071c1a The requested password source (%s) is not a valid session variable.
01071c1b Virtuals Servers in the same listener group can have different profiles. Modifying the profiles in the listener will not update the profiles in the Virtual Servers. To update the profiles in Virtual servers, modify the Virtual Servers individually.
01071c1c You cannot delete the nodejs version (%s).
01071c1d You cannot modify the nodejs version (%s).
01071c1e Cannot perform Protocol inspection update: %s
01071c1f Protocol Inspection compliance inspection %s requires valid value: %s
01071c20 Too many Protocol Inspection profiles. Up to %d supported.
01071c22 Modifying predefined Protocol Inspection profiles are not allowed.
01071c23 Creating predefined Protocol Inspection profiles are not allowed.
01071c24 Deleting predefined Protocol Inspection inspections are not allowed.
01071c25 Modifying predefined Protocol Inspection inspections are not allowed.
01071c27 Protocol Inspection internal error: %s.
01071c28 Invalid Protocol Inspection snort signature: %s.
01071c2a Creating/Modifying Protocol Inspection compliance enums are not allowed.
01071c2b Deleting Protocol Inspection services are not allowed.
01071c2c Creating/Modifying Protocol Inspection services are not allowed.
01071c2d The VLAN (%s) tag is %u. The port-fwd-mode value of %s (%s) must be set to (%s).
01071c2e The VLAN (%s) can have at most %u member because member (%s) port-fwd-mode value is (%s).
01071c2f The requested VLANGROUP (%s) can have at most %u member(s) because VLAN members have virtual-wire members.
01071c30 Vlan (%s) is not compatible with member vlan in VLANGROUP (%s).
01071c31 The VLANGROUP (%s) mode and the VLAN (%s) member (%s) port-fwd-mode are not compatible.
01071c32 The VLANs must have the same tag in VLANGROUP (%s) when they have l2wire member.
01071c32 The VLANs must have the same tag in VLANGROUP (%s) when they have virtual-wire member.
01071c33 The VLAN (%s) tag (%u) cannot be modified %s '4096'.
01071c34 The requested member (%s) is already configured as a member of VLAN (%s) with tag (%d). A member can belong to only one VLAN for a given tag.
01071c34 The requested member (%s) is already configured as a member of VLAN (%s) with tag (%u). A member can belong to only one VLAN for a given tag.
01071c35 The VLAN (%s) has %s interface while the VLAN (%s) has %s interface. Interfaces of VLANs that are in the same 'virtual-wire' VLANGROUP (%s) must have the same taggedness.
01071c36 The SelfIP (%s) cannot associate with %s (%s) with (%s) interface.
01071c37 %s: %s is not supported on this platform (%s).
01071c38 Rule Profiler object %s requires log publisher to be specified.
01071c38 Modify of ephemeral %s (%s) is not permitted.
01071c3a Route MTU for (%s) below minimum %u.
01071c52 Routing object (%s) cannot have both items: %s.
01071c55 Invalid as-path (%s): %s.
01071c56 Invalid as-path entry (%s) for as-path (%s): %s.
01071c58 Virtual server %s is in ALG mode. Must not use static source translation, as used by attached profile %s.
01071c5c Cannot disable AJAX encryption for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.
01071c5c AJAX encryption or both AJAX integrity and strong integrity must be enabled for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.
01071c5d Anti-Fraud parameter '%s' is invalid. AJAX mapping '%s' for parameter cannot start or end with a '.' in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071c5e Anti-Fraud parameter '%s' is invalid. Enabling AJAX mapping for parameter requires that either 1. AJAX encryption and either value substitution or Real-Time Encryption or parameter encryption enabled 2. Full and Enhanced AJAX Data Manipulation Check enabled in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071c60 DynaD private key generation failed ('%s').
01071c61 DynaD public key generation failed ('%s').
01071c62 DynaD failed to decrypt private key. Re-generating.
01071c63 DynaD development mode requires an F5 development license.
01071c64 DynaD signature verification failed ('%s').
01071c65 DynaD cannot activate unsigned instrumentation.
01071c66 The VLAN (%s) member (%s) must be tagged when the tag is '4096'.
01071c67 The PEM rating group id needs to be greater than Zero. Rating group %s cannot use rating group id %d because it is invalid.
01071c68 Profile %s's SSL client certificate constrained delegation CA key is missing.
01071c69 Profile %s's SSL client certificate constrained delegation CA cert is missing.
01071c6a Profile %s's SSL client certificate constrained delegation peer-cert-mode is invalid.
01071c6b Profile %s supports only RSA key and certificate for SSL client certificate constrained delegation.
01071c6c Profile %s's SSL client certificate constrained delegation key is missing.
01071c6d Profile %s's SSL client certificate constrained delegation CA key and certificate do not match
01071c6e PKCS11d (re)initialized. Re-connecting to network-HSM PKCS11d.
01071c72 Policy '%s', rule '%s'; %s SSL server profile %s not found.
01071c73 F5 Service Connector %s validation error: %s.
01071c74 F5 MFA Configuration %s validation error: %s.
01071c75 F5 MFA User Verification Agent %s validation error: %s.
01071c76 F5 MFA Device Registration Agent %s validation error: %s.
01071c77 Issuer is required for JWT config (%s).
01071c78 Invalid %s (%s) in JWT config (%s). The value %s.
01071c79 Self-issued token is not allowed (%s) for JWT config (%s).
01071c7a In JWT config (%s), same signing algorithm is present in both allowed signing algorithms and blocked signing algorithms. This is not allowed.
01071c7b OAuth Provider (%s) references OAuth JWT Config (%s) that does not exist.
01071c7c When key-type is '%s', '%s' must be present for jwk-config (%s).
01071c7d The JWK config (%s) with key-type '%s' cannot contain an empty '%s'.
01071c7e The field (%s) is not relevant to key-type '%s' and thus cannot be present for jwk-config (%s).
01071c7f Certificate key file must be referenced when passphrase is present for jwk-config (%s).
01071c80 JWT access token lifetime (%u) for %s (%s) must be in range of (%u-%u).
01071c81 JWT refresh token lifetime (%u) for %s (%s) must be in range of (%u-%u).
01071c82 OpenID Connect Configuration Endpoint URL (%s) for %s (%s) must end with (%s).
01071c83 (%s) (%s) load failed due to %s
01071c85 (%s) key-type (%u) does not match certificate (%s) type (%u).
01071c86 The %s must be provided in base64url encoded format for jwk-config (%s).
01071c87 The claim name (%s) of claim (%s) cannot contain spaces.
01071c88 The word (%s) is a reserved word and cannot be used as claim name for the claim (%s).
01071c89 The %s claim name (%s) is already in use by agent %s for this entry.
01071c8a The %s claim (%s) that is associated with the %s (%s) does not exist. If this error appears during import access profile, then the claim-name in the claim already exists on this BIG-IP as part of another claim object. You may want to edit the existing claim and retry importing access profile.
01071c8b The %s claim name cannot be empty for OAuth Authorization agent %s.
01071c8c %s claim name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth claim. If this error appears during import access profile, then the claim-name in the claim already exists on this BIG-IP as part of another claim object. You may want to edit the existing claim and retry importing access profile.
01071c8d %s cannot be empty because %s for %s (%s).
01071c8e %s in %s (%s) is not an allowed URL: %s
01071c8f The %s (%s) associated to %s (%s) is not a valid %s.
01071c90 JWT config %s to be associated with JWK config (allowed keys) %s does not exist.
01071c91 In JWT config %s, allowed keys '%s' do not exist. Use a valid JWK config for allowed keys.
01071c92 In JWT config (%s), the same JWK config (%s) is present in both allowed keys and blocked keys. This is not allowed.
01071c93 JWT config %s to be associated with JWK config (blocked keys) %s does not exist.
01071c94 In JWT config (%s), blocked keys '%s' do not exist. Use a valid JWK config for blocked keys
01071c95 JWT Provider List %s to be associated with OAuth Provider %s does not exist.
01071c96 In JWT Provider List %s, OAuth Provider %s does not exist. Use a valid OAuth Provider for providers attribute.
01071c97 Error generating JWT encryption key using secret.
01071c98 The JWK config (%s) associated to %s (%s) can contain public key types only (such as, rsa, elliptic-curve).
01071c99 The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s).
01071c9a The JWK config (%s) containing algorithm (%s) does not match key type (%s).
01071c9b The JWK config (%s) associated to %s (%s) contains an invalid signing algorithm.
01071c9c The JWK config (%s) associated to %s (%s) can only be used for signing.
01071c9d The JWK config (%s) associated to %s (%s) requires certificate key configuration.
01071c9e The encryption secret is needed to generate an encryption key for OAuth profile (%s).
01071c9f Allowed signing algorithms list cannot be empty in JWT config (%s) for Issuer (%s).
01071ca0 When the %s flag is enabled, OAuth Provider (%s) must have %s JWT config attached for the JWT provider list (%s)
01071ca1 The JWK config (%s) associated to %s (%s) was auto-generated and is meant for Client/Resource Server purposes only.
01071ca2 When jwt-token is enabled, a JWK config must be assigned as the JWT Primary Key for OAuth Profile (%s).
01071ca3 Error loading cert-chain (%s) associated to JWK config (%s)%s
01071ca4 Invalid certificate order within cert-chain (%s) associated to JWK config (%s).
01071ca5 The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).
01071ca6 Only '%s' token validation mode is allowed for OAuth %s agent '%s'.
01071ca7 JSON web token '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web token.
01071ca8 JSON web key '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web key.
01071ca9 OAuth parent profile's jwt-refresh-token-enc-secret attribute cannot be modified.
01071caa The encryption key for OAuth profile (%s) cannot be specified directly. Use encryption secret to generate a new encryption key and make sure that jwt-token is enabled.
01071cab The JWK config (%s) associated to %s (%s) requires key ID configuration.
01071cac When more than one JWK config of key-type '%s' is present in a JWT config, all the keys of that key-type must have key-id or cert-thumbprint-sha1 or cert-thumbprint-sha256 present.
01071cad All the JWK configs in a JWT config must have unique key-id for each key-type. The key-id '%s' for key-type '%s' is already present in JWT config '%s'.
01071cae %s (%s) for OAuth profile (%s) should be unique across other OAuth Authorization Server endpoints.
01071caf The issuer cannot be modified for autodiscovered JWT config '%s'.
01071cb0 Cannot enable Real-Time Encryption when a custom encryption function is specified in the Anti-Fraud URL '%s'.
01071cb0 For autodiscovered JWT config '%s', you can move algorithms between the allowed and blocked lists only.
01071cb1 JWK config '%s' is autodiscovered, JWT config '%s' is not. An autodiscovered JWK config can be added to an autodiscovered JWT config only.
01071cb2 For autodiscovered JWT config '%s', you can move autodiscovered keys between the allowed and blocked lists only.
01071cb3 Autodiscovered JWK config '%s' cannot be modified.
01071cb4 Autodiscovered JWT config cannot be modified for OAuth Provider '%s'.
01071cb5 Autodiscovered JWT config '%s' is associated with OAuth Provider '%s'. It cannot be added to Provider '%s'.
01071cb6 Support for at least Opaque or JWT token should be enabled for OAuth profile (%s).
01071cb7 The auto-generated attribute for %s '%s' cannot be modified.
01071cb8 The auto-generated attribute for %s '%s' cannot be specified.
01071cb9 Claim value cannot be empty for OAuth claim (%s).
01071cba %s claim value associated with OAuth claim (%s) cannot be empty for OAuth Authorization agent %s, entry %d.
01071cbb The JWK config (%s) containing algorithm (%s) does not match curve (%s) for elliptic-curve.
01071cbc The last-discovery-time cannot be specified while creating Provider '%s'.
01071cbd The last-discovery-time cannot be modified for Provider '%s'.
01071cbe When use auto JWT config is enabled, OAuth Provider (%s) must have trusted CA present.
01071cbf The JWK Config (%s) cert field cannot be empty if cert-key (%s) is specified.
01071cc0 %s (%s): Traffic Scrubbing Advertisement Duration must be more than zero.
01071cc1 %s (%s): RTBH Advertisement Duration must be more than zero.
01071cc2 Anti-Fraud parameter '%s' is invalid. Cannot enable both %s and %s for same parameter in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071cca Dos Signature (%s): %s is not user settable field.
01071ccb %s (%s): Attacked dst can not be enabled if per-destination detection/limit pps is less than 0.1%% of the corresponding vector setting.
01071ccc %s (%s): Attacked dst per-destination detection/limit pps cannot be greater than the corresponding vector setting.
01071cd4 %s: %s can't be deleted because %s.
01071cd5 %s: %s can't be modified because %s.
01071cd6 Dos Signature (%s): %s is not allowed to be reset by user once it is specified.
01071cd9 Field-list contains an invalid/duplicate value.
01071cdc Security static PAT %s translation object '%s' address (%s) is overlapping with another address (%s) located in '%s' PAT %s translation object.
01071cdd Traffic-group (%s) is referenced by security NAT Policy (%s) and cannot be deleted.
01071cde Traffic-group (%s) is referenced by security source translation (%s) and cannot be deleted.
01071cdf %s (%s): Dos vector (%s) does not support Attacked destination DOS attack detection.
01071ce3 %s (%s) cannot be set to (%s) when %s (%s) is set to (%s)
01071ce4 %s (%s): %s feature is not supported for %s attack type.
01071ce5 %s (%s): %s cannot be enabled if %s is not enabled for %s attack type.
01071ce6 The value (%s) is invalid. Valid TTL is %s.
01071ce7 Cannot configure Advertisement TTL while scrubbing is in progress.
01071ce8 The VLAN %s has the same tag %u as VLAN %s. So the port-fwd-mode of the interface associated with the VLAN must be set to l2wire.
01071ce8 The VLAN (%s) has the same tag %u as VLAN (%s). So the port-fwd-mode of the interface associated with the VLAN must be set to virtual-wire.
01071ce9 The Scrubber Route Domain (%s) has a destination IP (%s) that overlaps with (%s).
01071ceb Operation failed for CA bundle manager %s due to other pending operation.
01071ced MQTT monitor '%s' must have a username when password is configured.
01071cef Policy (%s) of type %s cannot have subroutine-properties attached, policy type must be %s.
01071cf0 DNS resolver must be configured for SAML metadata automation object (%s).
01071cf1 SAML metadata automation object (%s) should have only one 'connection-properties' attribute configured.
01071cf3 Authorize redirect request (%s) must always use 'GET' method.
01071cf4 Invalid %s for Monitor Test (%s) conflicts with monitor value (%s)
01071cf5 Invalid state (%s) for Monitor Test target (%s) marked for cleanup
01071cf6 The current provisioning does not support the TurboFlex profile. Please provision LTM first or choose another profile suggested on the help page.
01071cf7 The chosen turboflex is not licensed, therefore the change cannot be made.
01071cf9 The provision module %s requires TurboFlex profile %s. Please either un-provision the module or choose the required profile. For more information, please see 'tmsh help sys turboflex' on the command line, or look at the 'Help' tab on the TurboFlex page under Resource Provisioning.
01071cfb Please get the Advanced Protocols or FIX add-on license to enable FIX features.
01071cfc %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.
01071cfc %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.
01071cfd The VLAN (%s) tag %u cannot be modified to %u once the VLAN is created. Please delete and re-create it.
01071cfe %s (%s): AutoMitigate %s %u must be lower than AutoMitigate ceiling %u.
01071cff %s (%s): AutoMitigate %s 'infinite' must be lower than AutoMitigate ceiling %u.
01071d00 Maximum response size (%u) for OAuth provider (%s) must be in range of (%u-%u).
01071d01 Invalid value (%s) for profile %s field %s. Only integers between 0 and 4294967295 are permitted.
01071d02 Size of field '%s' for monitor '%s' exceeds allowed maximum of %d bytes.
01071d03 Encryption object is too big.
01071d04 Encryption failed.
01071d05 %s is not a valid IP address or hostname.
01071d06 Overlapping %s IP addresses (%s) is in NAT policy '%s', rule '%s'.
01071d07 The VLANGROUP (%s) is composed of VLAN (%s) of tag %u with %s member (%s). A similar VLANGROUP must be created first and be composed of VLAN of tag '4096' with member (%s).
01071d08 Connectivity profile (%s) does not exist.
01071d09 Management auto-lasthop (%s) can't be disabled on a 1-NIC platform.
01071d09 Invalid multicast address '%s' specified for multicast-ip.
01071d0a adm: %s
01071d0a Policy (%s) of type %s cannot have per-req-policy-properties attached, policy type must be %s.
01071d0b adm: %s
01071d0b Configuration error: Virtual Server (%s) with Access Profile of type sslo is not compatible with profile of type (%s).
01071d0c adm: %s
01071d0c Configuration error: Access Profile of type sslo is not compatible with exchange profile.
01071d0d adm: %s
01071d0d Configuration error: Virtual server (%s) cannot be used for connector profile (%s), type must be internal.
01071d0e Global ASM health alerts configurations error: %s
01071d0e Configuration error: Connector profile (%s) cannot be attached to virtual server (%s) when per-request policy (%s) is attached to this virtual server. Attach service connect agent to the per-request policy instead.
01071d0f Configuration error: Virtual server (%s) used by connector profile (%s) must have a service profile attached.
01071d10 Configuration error: Virtual server (%s) used by connector profile (%s) with inline service profile (%s) must have a splitsession client profile attached.
01071d12 Cannot delete the Anti-Fraud URL '%s' since it is referenced by the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.
01071d13 Anti-Fraud Base URL '%s' must exist before creating the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.
01071d14 '%s' can be modified only for a 'Base URL', while the Anti-Fraud URL '%s#%s' is a 'View URL' in the Anti-Fraud Profile '%s'.
01071d15 Configuration error: access log configuration (%s) is part of system configuration, so it cannot be deleted.
01071d16 DNS profile (%s) cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.
01071d16 Configuration error: sslo log configuration (%s) is part of system configuration, so it cannot be deleted.
01071d17 DNS profile (%s) inherits options from DNS profile (%s) and cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.
01071d18 The IP::port(%s:%d) to be dedicated, can't be shared. Refer pools(%s, %s)
01071d19 The IP(%s) to be dedicated, can't be shared.
01071d1a The dedicated snatpool member address (%s) matches a selfip address (%s)
01071d1b The VIP(%s) needs pool(%s) or snatpool(%s) as dedicated for Accelerated traffic only
01071d1b Virtual server (%s) requires clientssl profile when the ftps-mode in FTP profile (%s) is require.
01071d1c The VIP(%s) in DSR mode, expect source-address-translation type(%d) as none
01071d1d The TrafficAcceleration profile(%s) does not support persist-mode(%d)
01071d1e The VIP(%s) does not support persistence profiles(%s) because it is dedicated for traffic-acceleration
01071d1f The VIP(%s) does not support last hop pools because it is dedicated for traffic-acceleration
01071d20 The Pool(%s) does not support load-balancing mode(%u) because it is in use for traffic-acceleration
01071d23 MQTT multiple peers on %s %s not supported.
01071d24 MQTT %s %s refers to non-existing %s %s.
01071d25 \'%s\' at rule %s is %s by virtual server %s of type %s.
01071d25 Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an IMAP profile.
01071d26 Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an POP3 profile.
01071d27 Error parsing SAML assertion consumer service url: (%s) in SAML SP connector (%s)
01071d28 'sp-location' in SAML SP connector (%s) is set to internal-multi-domain, but the virtual server where SP is located is not specified in 'multi-domain-location' property.
01071d28 Virtual server (%s) requires clientssl profile (%s) to enable SSL forward proxy when FTP profile (%s) is present.
01071d29 Multidomain location (%s) of SAML SP connector (%s) is invalid: (%s). Location must begin with http or https and must contain hostname with no path.
01071d29 Virtual server (%s) requires clientssl profile (%s) to enable SSL verified handshake when FTP profile (%s) is present.
01071d2a Cipher rule (%s): '%s' is not a valid %s.
01071d2a When OpenID Connect is enabled for OAuth profile (%s) and the alg type for %s primary key (%s) is 'HS512', the client secret for all associated Client apps with OpenID Connect enabled should be of size 64 bytes. Please re-generate the client secret for Client app (%s).
01071d2b ID token lifetime (%u) for %s (%s) must be in range of (%u-%u).
01071d2b Virtual server (%s) cannot have connector profiles when allow-active-mode in FTP profile (%s) is enabled.
01071d2c When OpenID Connect is enabled, a JWK config must be assigned as the ID Token Primary Key for OAuth Profile (%s).
01071d2d When OpenID Connect is enabled, support for JWT token should be enabled for OAuth profile(%s).
01071d2f The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s) within UserInfo Primary Key and Rotation Keys.
01071d30 OAuth claim (%s) has invalid value (%s). For '%s' claim, allowed value is a numeric value or a valid session variable.
01071d31 Authentication type for Client app (%s) is not valid. When OpenID Connect is enabled for OAuth profile (%s) and the key type for %s primary key (%s) is 'octet', then all associated Client apps with OpenID Connect enabled should have the authentication type as 'Secret'.
01071d32 The OAuth profile (%s) does not allow JWK config with duplicate key-id (%s) of type (%s) within %sPrimary Key (%s) and %sPrimary Key (%s).
01071d33 JWK config (%s) cannot be configured to use both client secret and shared secret for key type octet.
01071d34 In JWT config (%s), the %s JWK config (%s) cannot be configured to use client secret when key type is octet.
01071d36 JWK config (%s) is %sconfigured to use client secret for key type octet. Hence, this cannot be used as %s primary key in %s (%s).
01071d36 The prefix (%s) is a reserved word and claim name (%s) cannot be used for the claim (%s). Please remove or change the prefix to continue.
01071d37 %s claim (%s) cannot be associated with %s (%s) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d38 %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d39 The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with %s (%s). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d3a The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with OAuth Authorization agent (%s), entry (%d). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d3b %s claim (%s) cannot be associated with %s (%s). The claim value must be set to 'true', 'false' or a valid session variable.
01071d3c %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d). The claim value must be set to 'true', 'false' or a valid session variable.
01071d3d The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on %s (%s).
01071d3e The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on OAuth Authorization agent (%s), entry (%d).
01071d3f Can't find prime AVR-profile.
01071d40 Can't generate more than %d %s when collecting AVR statistics.
01071d41 Can't generate a list of %s because 'collect_%s' flag is disabled.
01071d41 Anti-Fraud View '%s' is invalid. View must be non-empty string with size less than %u and should contain only valid characters in the Anti-Fraud Profile '%s'.
01071d42 Can't generate list of counties because the '%s' is invalid.
01071d43 Can't generate list of urls because the '%s' URL's length is exceeded maximum %1d.
01071d44 The Traffic Matching Criteria (%s) is already in use by another Netflow Protected Server (%s).
01071d44 Invalid type %s for %s %s. All the %s should be the same type (IPv4 ot IPv6).
01071d45 Invalid Netflow Protected Server [%s] name for stopping redirection
01071d45 Discovery interval (%u) for OAuth provider (%s) must be greater than (%u) minutes.
01071d46 Netflow Protected Server (%s) cannot have a Traffic Matching Criteria that references a route domain.
01071d47 (%s) has an invalid mask %u.
01071d49 Specified compatibility level-%d is too high. That level includes feature settings that are not supported for this platform.
01071d4a Security FlowSpec: %s: router-id(%s) is not a valid IPv4 address.
01071d4b Security FlowSpec: %s: %s (%s) has mis-matched route domain (%d).
01071d4c Route domain (%s) can not have both 'Security Flowspec BGP' and 'Zebos BGP' routing planes enabled at the same time.
01071d4d Security FlowSpec: %s: missing required field(s) %s.
01071d4e Security FlowSpec: %s: must have at least one 'neighbor' specified.
01071d4f Security FlowSpec: %s: The datatype (%d) for inherited fields is missing.
01071d50 Security FlowSpec: %s: %s is non-mutable field.
01071d51 Security FlowSpec: %s: %s doesn't have matched address family.
01071d52 The attribute (%s) for (%s) cannot be none.
01071d54 The value (%lld) for attribute (%s) for (%s) must be within range %s.
01071d55 Security FlowSpec: %s: can not refer route domain (%s) which is neither in the same partition as profile nor in /Common partition.
01071d56 Limit on the number of extended white list entries (%u) has been reached. Please modify the value of dos.maxewlsize to allow more entries.
01071d57 The %s (%s) attribute %s can only reference objects in partition %s.
01071d59 Cannot modify scrubber config property %s
01071d5a IPv4/IPv6 Next hop must be configured.
01071d5b Not a valid %s Address.
01071d5c Cannot lower compatibility level. Whitelist address-list (%s) configured on this system requires current compatibility level.
01071d5f Entry already exist in extened white list(%s).
01071d60 %s failed with an I/O error: %s.
01071d61 Failed to allocate memory at %s:%d.
01071d62 CMI device (%s) attempted to connect but is running an incompatibly old version of TMOS.
01071d62 Unsupported route-type (%d) seen for mgmt-route (%s).
01071d63 CMI device (%s) attempted to connect but is running a version of TMOS with incompatible version (%s) (expected %s).
01071d63 No value specified for supersede-option: %s
01071d65 DNSSEC External Zone (%s) must be a descendant of DNSSEC Zone (%s).
01071d65 Invalid name value (%s) specified for URL Category %s.
01071d66 DNSSEC External Zone (%s:%s) duplicates existing DNSSEC zone (%s) with the same name (case-insensitive and unique across folders).
01071d66 System iRule (%s) cannot be associated to oauth server (%s).
01071d67 DNSSEC External Zone (%s:%s) duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01071d67 Provider type F5 only supports introspect endpoint.
01071d68 DNSSEC External Zone (%s) references a nonexistent DNSSEC zone (%s)
01071d68 EntityID attribute of %s (%s) contains a session variable. SAML metadata exported by this object must be edited manually to replace session variables with valid hostnames before metadata is shared with external parties.
01071d69 DNSSEC Zone %s duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01071d69 Frequency for SAML IdP automation (%s) cannot be zero.
01071d6a Unable to parse DNSSEC secure delegation record (%s:%s):%s (%s).
01071d6a At least one metadata URL must be configured for SAML SP metadata automation (%s).
01071d6a Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3.
01071d6b DNSSEC secure delegation record (%s:%s) has DS with different owner name: %s.
01071d6b Frequency for SAML SP metadata automation (%s) cannot be zero.
01071d6b Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3, so TLS 1.3 will not be negotiated.
01071d6c SAML SP metadata automation (%s) cannot be associated with sso saml (%s) because sso saml is already associated with SP automation (%s). SAML server can only be associated with one automation.
01071d6c Client SSL profile (%s): Some configured certificates are incompatible with TLS 1.3, so will not be used if TLS 1.3 is negotiated.
01071d6d SAML SP metadata automation (%s) specifies SAML SSO server (%s) that cannot be found on the system.
01071d6d IPv6 management addresses are unsupported in 1NIC mode.
01071d6e SAML SSO server (%s) associated SAML SP metadata automation (%s) are not in the same partition.
01071d6f SAML SP metadata automation (%s) contains invalid metadata URL value (%s). Error (%s).
01071d6f The Traffic Acceleration FPGA is not allowed when TAM is not provisioned.
01071d70 SAML SP metadata automation (%s) must have server SSL profile configured.
01071d70 LDAP config (%s) must either have a matching client certificate and client key, or both of these fields must be empty.
01071d71 SAML SP metadata automation (%s) must have DNS resolver configured.
01071d71 Can't create scheduled-report (%s). You currently have %u scheduled-reports set, while this is above the max allowed scheduled-reports (%u).
01071d72 Metadata URL (%s) value cannot be empty in SAML SP metadata automation (%s).
01071d72 %s.
01071d73 SAML SP metadata automation (%s) must specify value for sso-config-saml object.
01071d73 The Traffic Accelerated virtual(%s) is required to have a destination address set
01071d74 SAML SP metadata automation (%s) contains duplicated URL value (%s).
01071d74 Anti-Fraud URL '%s' is invalid. Only SPA URLs and their views can have destination URLs in the Anti-Fraud profile '%s'.
01071d74 Opening socket on interface %s failed: %s
01071d75 SAML SP connector (%s) cannot be deleted because it is managed by SP connector automation (%s).
01071d75 Db variable %s(%u) should be greater than %s(%u).
01071d75 %s IP for interface %s failed: %s
01071d76 SAML SSO config (%s) is assigned to a SAML resource (%s), and therefore can only have one SP connector object associated with it.
01071d76 FDB MAC %s cannot be broadcast/multicast
01071d77 SAML SSO configuration (%s) cannot specify both (%s) and (%s) at the same time.
01071d78 Attribute (%s) in %s (%s) must be in session variable format
01071d79 SAML Artifact Resolution Service (%s) is configured to sign requests. However, the correponding SAML SSO Config (%s) does not have signing %s configured. Please specify an IdP signing %s.
01071d79 Interface %s cannot be used in passive/virtual-wire mode.
01071d7a Master Key not yet ready. Delaying DNSSEC Key Generation Events for %u seconds.
01071d7b Cannot assign access profile and both clientssl and serverssl profiles with ssl proxy enabled to the same virtual server (%s).
01071d83 Failed to configure iptables rules for config sync CGC routing: %s
01071d84 Configured iptables rules for config sync CGC routing: %s
01071d85 Config sync over the management port requires big3d, which is not currently running. Config sync will not work until big3d is running.
01071d93 Unable to find customization source (%s) for customization group (%s).
01071d93 Profile %s the set Certificate Chain Traversal Depth (authenticate-depth), %u, is invalid. This must be 0 (infinite) or between 1 and %u inclusive.
01071d93 Single-ip %s - cluster member IP address %s cannot be configured for cluster %s.
01071d94 Bot Defense Profile (%s) Micro Service (%s): Missing required field (%s).
01071d95 Per-request access policy (%s) is not referenced by any existing customization group set
01071d96 Failed to send DDL to PostgreSQL: %s
01071d96 The customization group set (%s) cannot share an access policy (%s) with other customization group set (%s).
01071d97 Anti-Fraud URL '%s' is invalid. URL path cannot have trailing slashes in the Anti-Fraud Profile '%s'.
01071d97 Access policy name cannot be changed in customization group set (%s)
01071d98 Customization group set (%s) does not refer to access policy
01071d98 Empty IP protocol name specified for rule (%s). Please specify a valid string corresponding to the IP protocol number.
01071d9b PEM Gx/Sd reporting volume threshold cannot be smaller than 8K bytes.
01071d9c PEM Mandatory-Action-List cannot be set when Single-Rule-Match-Mode is disabled.
01071d9d Address Exclusion is not supported for Security NAT translation object (%s) of type %s.
01071d9d Neighbor entry (%s) can not be resolved%s.
01071d9e Bot defense anomaly %s not found.
01071d9f Bot defense anomaly category %s not found.
01071d9f %s.
01071da0 Bot defense class %s not found.
01071da0 %s.
01071da1 %s: When %s is (%s) and %s (%s) is %s address, %s (%s) represents '%s %s addresses'.
01071da2 Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s's Traffic Matching Criteria %s.
01071da2 Blacklist-category %s must have match type destination to enable scrubbing.
01071da3 Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s destination address, source address, service port.
01071da3 Cannot change match type to source or source-and-destination if scrubbing is enabled on the blacklist category. Disable scrubbing before changing the match type.
01071da4 Uri Type %s out of its minimum %d or maximum %d characters range.
01071da5 Uri Type must have at least %d %s associated with it.
01071da6 No more than %d total file extensions can be defined (across all Uri Types).
01071da7 No more than %d total Uri Types can be defined.
01071da8 File extension '%s' already exists in '%s' Uri Type.
01071da9 Uri Type objects must be in the '%s' folder only.
01071daa %s
01071dac Bot signature category %s not found.
01071dac Cannot change match type to destination or source-and-destination if blacklist publisher profile is attached to the category.
01071dad Bot defense profile (%s) class override (%s) error: %s.
01071dad Policy '%s', rule '%s'; target '%s' action '%s' cannot have same fallback pool (%s) and default pool (%s).
01071dae Bot Defense Profile (%s) Micro Service (%s): %s.
01071dae Policy '%s', rule '%s'; target '%s' action '%s' requires default pool. Please specify default pool along with fallback pool (%s).
01071daf Bot Defense Profile (%s) Micro Service (%s) Url (%s): %s.
01071daf Throwing Invalid Monitor Rule Instance: %s
01071db0 Throwing Invalid Monitor Rule Instance: %s
01071db0 %s %s.
01071db1 Bot defense profile (%s) Signature (%s) should be Mobile Application Class signature.
01071db1 Throwing Invalid Monitor Rule Instance: %s
01071db2 Bot defense signature category illegal class (%s).
01071db2 Throwing Invalid Monitor Rule Instance: %s
01071db3 Bot defense profile (%s) signature category override not supported for (%s) which belongs to (%s) class.
01071db3 Throwing Invalid Monitor Rule Instance: %s
01071db4 Bot defense profile (%s) signature override not supported for (%s) which belongs to (%s) class.
01071db4 Removing monitor rule instance: %s
01071db5 Bot defense profile (%s) Micro Service (%s) class override (%s) error: %s.
01071db5 Saving monitor rule instance: %s
01071db6 Bot defense profile (%s) error: %s.
01071db6 Creating a new monitor rule instance: %s
01071dba Warning (%s): %u bit keysize is insecure, it will be disabled in the future.
01071dba Cannot delete SSO configuration (%s) because it is referenced by a SSO configuration select agent (%s)
01071dbc Fail to commit due to the preset autodiscovery-enable VS number limit is %d.
01071dbd Fail to change the value to be less than the current number (%d) of VS that enables auto_discovery.
01071dbf Setting DB variable %s to %s. Restarting services.
01071dbf The requested otp source (%s) is invalid: %s
01071dc0 %s changing OpenSSL FIPS flag from (%d) to (%d). Restarting services.
01071dc1 Setting DB variable %s to %s. No rebooting needed.
01071dc2 %s changing OpenSSL FIPS flag from (%d) to (%d). No rebooting needed.
01073035 The encryption key for OAuth profile (%s) cannot be modified directly. Use encryption secret to generate a new encryption key.
01073039 All the JWK configs in a JWT config must have unique cert-thumbprint-sha1. The cert-thumbprint-sha1 '%s' is already present in JWT config '%s'.
01073040 All the JWK configs in a JWT config must have unique cert-thumbprint-sha256. The cert-thumbprint-sha256 '%s' is already present in JWT config '%s'.
010c0009 Lost connection to mcpd - reestablishing
010c0018 Standby
010c0022 Opening %s for failover monitoring
010c002a Requesting tmm to resend gratuitous arps for traffic group %s.
010c002b Traffic group %s received a targeted failover command for %s.
010c002c Traffic group %s received a targeted failover command from cluster mate for %s.
010c002d Traffic group %s going standby via targeted failover command.
010c0037 Up service module error %s.
010c003b Bind fails on %s addr %s port %d error %s
010c003c Connect fails on %s addr %s port %d error %s
010c003e Offline
010c003f Forced offline
010c0044 Command: %s
010c0048 Bcm56xxd and lacpd connected - links up
010c0049 Tmm ready - links up.
010c0050 Sod requests links down
010c0052 Standby for traffic group %s
010c0054 Offline for traffic group %s.
010c0055 Forced offline for traffic group %s.
010c0056 Deactivating traffic group %s
010c0057 Activating traffic group %s
010c005a Dropping a failover packet that is too small (%u)
010c005b Dropping a packet that is not a failover packet.
010c005e Waiting for mcpd to reach phase base, current phase is %s
010c005f Mcpd has reached phase base, current phase is %s
010c0063 Waiting for Mcpd without a response. Try again...
010c006a Configuration CRC values disagree amongst peers. Suggest configsync peers.
010c006b Configuration CRC values agree amongst peers
010c006c proc stat: [0] %s
010c006d %s.
010c006e All devices in traffic group %s %s have a HA group.
010c0076 Exceeded mcp recv soft limit: %d. Succeeded after %d messages.
010c0077 Listening for unicast failover packets on address %s port %d.
010c007b Deleted unicast failover address %s port %d for device %s.
010c007e Not receiving status updates from peer device %s (Disconnected).
010c0082 Sorted Load-Aware failover %s.
010c0083 No failover status messages received for %s seconds, from device %s (%s).
010c0084 Failover status message received after %s second gap, from device %s (%s).
010c0085 First failover status message received from device %s (%s).
010c0089 Invalid go standby command. %s is not a valid traffic-group or device.
010c008a Invalid go standby command. %s is not a valid device.
010c008b Unable to send to unreachable unicast address %s port %d.
010c008c Previously unreachable unicast address %s port %d is now reachable.
010c0098 Multicast socket connect failure: %s.
010c0099 Connected to multicast group %s port %d on interface %s.
010c009a Disconnected from multicast group %s port %d on interface %s.
010c009b Availability log %s failed '%s'.
010c009c Timer interval set to %u.%06us (was %u.%06u).
010c009d Poll interval %dms, estimated %d packets/sec.
010c009e Config crc changed: old 0x%x new 0x%x.
010d0005 Chassis fan %d: status (%d) is bad
010d0006 Chassis power supply %d has experienced an issue. Status is as follows: %s
010d0009 %s: voltage (%d) is too high
010d0010 %s: fan speed (%d) is too low
010d0017 %s: milli-voltage (%d) is too low
010e0001 Cannot communicate with MCPD server
010e0002 Established new connection to MCPD server
010e0004 MCPD query response exceeding %d seconds
01100002 alertd is going down
01100017 Email action is failed for toaddress %s
01100042 Failed with MCPD at: %s (%s)
01100043 logcheck Notice: %s %d
01100048 "Log disk usage still higher than %d%% after logrotate and %d times log deletion"
01100049 logcheck Info: %s %d
01100053 %s
01100054 %s
01100055 %s
01100056 %s
01100057 %s
01100058 %s
01100059 Found db_name %s without value - reset to default %s.
01100060 trap string (%s) count (%d) (%s)");
01100061 clear suppression map (count %d)");
01110001 Error running %s
01110034 The configuration for running config-sync is incorrect.
0114001a HA stale %s pid %d detected.
01140029 HA %s %s fails action is %s.
0114002a HA %s %s created.
0114002b HA %s %s enabled.
0114002c HA %s %s disabled.
01140030 HA %s %s is now responding
01140043 Ha feature %s reboot requested
01140044 HA reports tmm ready
01140045 HA reports tmm NOT ready
01140100 Overdog daemon startup
01140101 Overdog daemon shutdown
01140102 Overdog daemon requests reboot
01140103 Watchdog touch enabled with %d seconds
01140104 Watchdog touch disabled
01140106 Overdog daemon calling bigstart restart
01150216 Notice from %s: %s
01150515 Processing Resource Record (%s:%s) failed due to error '%s'.
01150d03 Attempting to %s loopback address %s
01151500 NamedWatcher: Error encountered during initialization of named configuration monitor: %s.
01151501 NamedWatcher: Watching cur stat for dir:%s ts:%ld inode:%llu with id:%d.
01151502 NamedWatcher: Error %s setting up watch for dir:%s.
01151503 NamedWatcher: Unexpected EOF %s from named configuration monitor file descriptor.
01151504 NamedWatcher: Error %s reading from named configuration monitor file descriptor.
01151505 NamedWatcher: Expected at least %d bytes, only %d bytes are available.
01151506 NamedWatcher: Kernel monitor overflow %s.
01151507 NamedWatcher: %s monitor wd:%d len:%d events:%s dir:'%s' name:'%s'.
01151508 NamedWatcher: Read ignored event.
0115150a NamedWatcher: %s stat for %s ts:%ld inode:%llu.
0115150b NamedWatcher: stat for '%s' failed:%s.
0115150c NamedWatcher: Skipping event %s (len:%d) for '%s' because it contains the %s.
0115150d NamedWatcher: Deleting watch for dir:%s with id:%d.
01151513 NamedWatcher: Read event for dir:'%s'.
01151515 NamedWatcher: Dont care about event wd:%d events:%s name:'%s'.
01160004 LACPD reporting error conditions
01160005 LACPD reporting internal error conditions
01160009 LACPD reporting a link being added to aggregation
01160010 LACPD reporting a link being removed from aggregation
01160011 LACPD reporting a churn condition
01160012 LACPD reporting a churn condition
01160016 LACP reporting an internal condition as informational message
01160017 Internal Link %s is AVAILABLE.
01160018 Internal Link %s is UNAVAILABLE.
01160024 %s
01170003 halGetDossier returned error (%d): Dossier generation failed.
01170005 %s stat fails: %s.
01170012 Unsupported argument (-%c).
01170019 Detected Registration Key-Less dossier generation for CSP.
01170020 Option -%c requires an argument.
01170021 Invalid value (%s) passed for option (-%c).
01180005 Evaluation license has expired.
01180010 [license processing][error]: %s
01180017 Subscription license has expired.
01190003 arp_input: packet too short (%lu/%lu)
01190004 address conflict detected for %a (%m) on vlan %d
01190007 Neighbor update, route lookup failed, address = %la%%%u
01190008 Neighbor update, route is not link type, address = %la%%%u
01190009 Neighbor update failed, err = %E, address = %la%%%u, ifc name = %s
01190010 Neighbor delete failed, err = %E, address = %la%%%u
011a0060 Compression Stream failure: %s
011a0300 There was an error trying to send a DNSSEC Key Generation %s msg to MCP
011a0300 There was an error trying to send a DNSSEC Key Generation %s msg to MCP
011a0302 %s : %llu.
011a0302 There was an error trying to send a DNSSEC Zone SOA serial modify msg to MCP
011a0305 DNSSEC Zone %s cannot process a partial SOA serial update message
011a0306 Encountered error %s while trying to set a DNSSEC Key Generation event timer
011a0307 Processing %s Event for DNSSEC Key %s, ID %llu
011a0308 Unable to determine GTM local id, must skip processing DNSSEC Key Generation events
011a500f %s (%s) identified as self, %s
011a5010 Unable to identify which gtm server represents the local device
011ad103 BoxIP was NULL
011ae045 XML Buffer size (%lu bytes) exceeded when attempting to send %s.
011ae050 SSL Context set to use cipher list '%s'\n
011ae051 SSL Context set to use minimum TLS version '%s'\n
011ae052 Using Server specific(%s) cipher list '%s'\n
011ae053 Using Server specific(%s) minimum TLS version '%s'\n
011ae054 New key or certificate file detected, attempting to create new SSL Context.
011ae055 Creating replacement iQuery connection on all servers.
011ae056 Creating replacement iQuery connection to server %s.
011ae057 Creating replacement iQuery connection to ip %s.
011ae058 iQuery connection ID:%d to Remote IP:%s replaced with connection ID:%d.
011ae059 The specified TLS version (%s) is not a valid selection, SSL CTX not changed.
011ae05a The specified TLS version (%s) is not a valid selection.
011ae05a The specified TLS version (%s) is not a valid selection, server (%s) value not changed.
011ae05b SSL Cipher List unchanged since requested value is identical to current value %s".
011ae05c SSL Minimum TLS Version unchanged since requested value is identical to current value %s".
011ae05d Replacement iQuery connection to %s already in progresss. Ignoring request.
011ae05e iQuery connection ID:%d to Remote IP:%s created.
011ae05f SSL Context created with cipher list '%s' and minimum TLS version '%s'.
011ae060 Attempt(ignored) to replace an existing iquery connection with an invalid replacement.
011ae10e Autoconf deleted link (%s)
011ae10f Autoconf deleted linkIP (%s)
011ae110 Autoconf skipped deletion of link (%s) because %s
011ae111 Autoconf skipped deletion of linkIP (%s) because member (%s) exists on box (%s)
011ae112 SSL Cipher List must not be empty. Previous setting remains in effect.
011ae113 SSL verification of SSL connection to: %s %s
011ae114 %s: SSL error: %s (%d) from connection %s
011ae115 SSL Minimum TLS Version must not be empty. Previous setting remains in effect.
011ae116 Topology detected bad order value (%u) for topology entry (%s), reset order to (%u)
011ae116 The list processing time (%d seconds) exceeded the interval value. There may be too many monitor instances configured with a %d second interval.
011b0203 Error '%s' opening file %s
011b020b Error '%s' scanning buffer '%s' from file '%s'
011b0233 CACHE MISS during %s, prev=%s, curr=%s.
011b0236 Merged iStats merge interval changed to be every %d seconds.
011b0237 Merged iStats merge interval called with %d.
011b0309 %s %s %s
011b032e Graph '%s' is not supported, possibly because it is not licensed, or a license has expired.
011b0600 Error '%s' during rrd_update for rrd file '%s'
011b0601 Error '%s' during rrd_graph for graph '%s'
011b0816 Statistic collection has ALREADY been started.
011b0826 Cluster collection start error.Exitting
011b0900 TMSTAT error %s: %s
011b090c tmstat_query_rollup on table %s called
011b090e getTMValueUNKeyed start
011b090f DNS Services request rate limiter engaged.
011b0910 DNS Services request rate limiter disengaged.
011b0914 No individual CPU information is available.
011b0999 %s: %s
011d0002 No diskmonitor entries in database
011d0004 Disk partition %s has only %d free
011e0001 Limiting %s from %d to %d packets/sec for traffic-group %s
011e0002 %s: Aggressive mode %s %s (%llx) (%s %s). (%llu/%llu %s)
011e0003 mode sweeper: %s (%llx) (%s %s) %d Connections killed
011f0001 %s: Bad chunk state %d
011f0004 Invalid header insert profile, missing the colon separator in - %s
011f0005 HTTP header (%d) exceeded maximum allowed size of %d
011f0007 %s - Invalid action:0x%x %s (%C) %s (%C)
011f0008 %s - Invalid state transition to %s
011f0011 HTTP header count exceeded maximum allowed count of %d
011f0012 HTTP profile option %s incompatible with proxy_type. Using default instead.
011f0016 %s - Invalid action:0x%x Server sends too much data. serverside (%C) clientside (%C)
011f0017 Config error: HTTP Header Entry [%s:%d] update: agent clone failed
01200009 Packet rejected remote IP %*A port %d local IP %*A port %d proto %s: Connection limit exceeded.
01200012 Warning, connections equals limit %F, proto %s, VS %s: Connection limit reached.
01200014 Warning, connections equals limit %F, proto %s, RD %s: Connection limit reached.
01200016 Warning, node IP %*A has reached its connection limit.
01200017 Warning, pool member IP %*A port %u for pool %s has reached its connection limit.
01220001 TCL error: %s
01220002 Rule %s: %s
01220007 No pending rule event found for %F
01220008 Unable to resume pending rule event %s for closed %F
01220009 Pending rule %s aborted for %F
01220010 %d previous aborted rule log messages suppressed
01220011 Pending rule %s aborted for context %llx
01220012 Failed to configure rule %s for virtual %s.
01230001 Interface %d.%d: link is up, %dMbps %s
01230002 Interface %d.%d: link is down
01230032 Interface %s not found
01230066 Vlan %s - untagged interface %d/%d currently in use on vlan %s
01230074 Vlan %s, member %s - unsupported type %d
01230087 Vlan %s, member %s instance add error %u
01230088 Couldn't %s vlangroup %s
01230111 Interface %d.%d: HSB DMA lockup on %s.
01230113 "Unsupported media setting %s for interface %s"
01230140 RST sent from %A:%d to %A:%d, %s
01240006 Error querying request URI: %s
01260000 Profile %s: %s
01260006 Peer cert verify error: %s (depth %d; cert %s)
01260008 SSL transaction (TPS) rate limit reached
01260009 Connection error: %s:%d: %s (%d)
01260010 FIPS acceleration device failure: %s
01260012 Self-initiated renegotiation attempted while renegotiation disabled: %s
01260013 SSL Handshake failed for <PROTOCOL> <SRC> -> <DST>
01260014 Cipher %x:%x negotiated is not configured in profile %s
01260014 Cipher %x:%x negotiated is not configured in profile %s
01260015 Certificate supplied by server (subject CN: %s) was not configured on virtual: %s
01260017 Connection attempt to insecure SSL server (see RFC5746) aborted: %A:%d
01260018 Connection attempt to insecure SSL server (see RFC5746): %A:%d
01260024 OCSP failure on profile %s, certificate with issuer %s and serial number %lx: %s - %s
01260025 Cipher %x:%x negotiated is not supported by Proxy SSL configured in virtual server %s
01260026 No shared ciphers between SSL peers %A.%d:%A.%d.
01260034 SSL decryption canceled.
01260039 Block cipher data limit exceeded.
01260042 Negotiated ECDH ciphersuite (0x%05x : %s) not supported with FIPS or network-HSM keys configured in the SSL profile associated with the virtual server %s.
01260043 Skipping per-request policy because SSL Forward Proxy Bypass is disabled in the SSL profile (%s)
01260044 SSID is not supported with TLS 1.3.
0127000c Coalesced (%lu) requests for the previous command into 1 execution
01280045 Debug: %s
01290003 HALMSG reporting error conditions
01290004 HALMSG reporting warning conditions
012a0000 "LIBHAL reporting system is unusable"
012a0002 "LIBHAL reporting critical conditions"
012a0003 LIBHAL reporting error conditions
012a0004 LIBHAL reporting warning conditions
012a0005 LIBHAL reporting normal but significant condition
012a0006 LIBHAL reporting informational
012a0007 LIBHAL reporting debug-level messages
012a0013 Blade %d hardware sensor critical alarm: %s
012a0016 Blade %d hardware sensor notice: %s
012a0017 Chassis power module %d turned on
012a0019 Chassis power module %d is on.
012a0021 Chassis power module %d absent.
012a0022 %s
012a0023 %s
012a0024 %s
012a0025 %s
012a0026 %s
012a0027 %s
012a0028 %s
012a0029 %s
012a0030 %s
012a0031 %s
012a0032 %s
012a0033 %s
012a0034 %s
012a0035 %s
012a0036 %s
012a0037 %s
012a0038 %s
012a0039 %s
012a0040 %s
012a0041 %s
012a0042 %s
012a0043 %s
012a0044 %s
012a0045 %s
012a0046 Chassis power module 1 turned on.
012a0047 Chassis power module 2 turned on.
012a0048 Chassis power module 3 turned on.
012a0049 Chassis power module 4 turned on.
012a0050 Chassis power module 1 turned off.
012a0051 Chassis power module 2 turned off.
012a0052 Chassis power module 3 turned off.
012a0053 Chassis power module 4 turned off.
012a0054 Chassis power module 1 absent.
012a0055 Chassis power module 2 absent.
012a0056 Chassis power module 3 absent.
012a0057 Chassis power module 4 absent.
012a0058 Chassis with %d blades (%d W) may be inadequately powered - increase active number of power supplies
012a0059 Chassis power module %d is unidentified.
012a0060 Power supplies do not match.
012b0021 Executable %s version '%s'.
012b0022 Executable %s version is newer than %s.
012b0023 Executable %s SELinux context error (%s).
012b101e Dropping a message received from an unknown connection type from %s.
012b101f Deleted connection %s.
012b2007 %s: Begin xml broadcast
012b2008 %s: End xml broadcast
012b2009 Skipped xml broadcast to: %s reason: %s
012b200a Failed to send xml message: %s
012b3005 Error encountered while opening SSL certificates %s.
012b3007 SSL Context created using minimum TLS version %s, SSL cipher list '%s'.
012b3008 SSL Context Cipher list set to: %s.
012b3009 SSL Context minimum TLS Version set to: %s.
012b300a SSL Cipher list converted from:'%s' to:'%s'
012b300a SSL Context Cipher list converted from:'%s' to:'%s'
012b300b Replacing iQuery connection (%s:%d) with connection (%s:%d)
012b300c iQuery connection with id %d not found.
012b300d Error setting SSL Cipher list to: %s, previous value (%s) remains in effect.
012b300e SSL Error: %s on connection to %s.
012b300f Error setting SSL Context options.
012b3010 The specified TLS version (%s) is not a valid selection, SSL CTX not changed.
012b3011 Found an unexpected connection of type %d when looking for a GTM connection.
012b400b Moved %d pending and %d active probers from connection %u to connection %u
012b7010 No Route Domain support, cannot create a listener for Route Domain %u.
012c0004 Lost connection with MCP: %d ... Exiting
012c0010 BCM56XXD driver error
012c0011 BCM56XXD SDK error
012c0012 BCM56XXD info
012c0013 BCM56XXD starting
012c0014 SAMPLE: bcm56xxd - Exiting...
012c0015 Link: %s is %s
012c0016 BCM56XXD SDK info
012c0023 Optic in wrong port
012c0024 Optic Warning
012c0025 F5 Optics not supported on platform
012d0007 Lost connection with MCP: %08x
012e0029 The configuration was successfully loaded.
01300001 RAMCACHE Initialize - Not enough memory available to create the cache. Please try reducing the cache size and max entries
01300002 RAMCACHE Response - Too many Cache-Control headers in response, max is %d.
01300003 RAMCACHE - Header too long. Header %d of length %d exceeds the max %lu bytes.
01310027 ASM subsystem error (%s,%s): %s
01330024 Regular expression compilation failed on recv string: %s
01340001 HA Connection with peer %la:%d for traffic-group %s established.
01340002 HA Connection with peer %la:%d for traffic-group %s lost
01340003 Cluster error: %s
01340004 HA Connection detected dissimilar peer: local npgs %u, remote npgs %u, local npus %u, remote npus %u, local pg %u, remote pg %u, local pu %u, remote pu %u. Connection will be aborted.
01340007 HA Connection with peer %la:%d for traffic-group %s closing.
01340009 HA reconnect with peer %la:%d for traffic-group %s postponed.
01340012 HA context missing for %s on virtual %s
01360008 ERROR: Cannot connect to GWM server %s; Will try it again in 30 seconds.
01380002 Certificate '%s' in file %s will expire on %s
013a0004 %s
013a0005 %s
013a0006 %s
013a0007 %s
013a0008 %s
013a0014 %s
013a0015 %s
013a0016 %s
013a0018 "%s"
013a0019 %s
013a0020 %s
013a0024 %s
013b0004 %s
013b0008 %s
013c0004 %s
013c0006 %s
013d0006 cand done
013e0000 Tcpdump starting locally on %la:%u from %la:%u
013e0001 Tcpdump starting bcast on %la:%u from %la:%u
013e0002 Tcpdump stopping on %la:%u from %la:%u
013e0005 Tcpdump starting remote to %A from %A
013e0006 Tcpdump to %A failed to connect : %E
013e0007 Tcpdump stopping remote to %A from %A
013e0008 Tcpdump ICMP error Type:%d Code:%d from %A
013e0009 Tcpdump DPT session end error provider:%s id:%d err:%d
013e000d AUDIT - %s
01410000 %s
01410004 RTSP: client_port and server_port not paired
01410005 RTSP: client_port and server_port not specified
01410006 RTSP: multicast not compatible with unicast or interleaved
01410007 RTSP: incompatible port specifications
01410008 RTSP: no multicast port(s) specified
01410009 RTSP: no multicast address specified
0141000a RTSP: Expiring active RTP peer connection
0141000b RTSP: Expiring active RTCP peer connection
0141000c RTSP: Expiring active RTP connection
0141000d RTSP: Expiring active RTCP connection
0141000e RTSP: release RTP peer conn flow
0141000f RTSP: release RTCP peer conn flow
01410010 RTSP: release RTP conn flow
01410011 RTSP: release RTCP conn flow
01410012 RTSP: Can't create RTP endpoints: %E
01410013 RTSP: Can't create RTCP endpoints: %E
01410014 RTSP: Failed to set up sa_entry on client
01410015 RTSP: Can't find a port for media connections
01420001 %s
01420002 SAMPLE: tmsh - AUDIT - pid=13324 user=root query_partitions=all update_partition=Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual idnshare3-139
01420003 "%s"
01420004 %s
01420006 %s
01420007 Certificate '%s' in file %s expired on %s
01420008 Certificate '%s' in file %s will expire on %s
01420010 %s
01460005 SAMPLE: promptstatusd - mcpd.running(1) held, wait for mcpd
01460006 SAMPLE: promptstatusd - semaphore tmm.running(1) held
01460007 SAMPLE: promptstatusd - semaphore tmm.running(1) released
01470000 iSession: Connection error: %s:%u: %s:%d
01470002 iSession: tunnel %F: connection error: deduplication: unrecognized control message %d
01470006 iSession: tunnel %F: internal error: %s:%d: %s: %E; connection aborted
01470007 iSession: internal error: %s:%d: %s: %E
01480001 %s
01480002 %s
01480010 Got a message(%d) for a non existent flow
01480024 Can't bind the flow, waiting for config response on channel %s
01480031 headers limited to %d bytes
01480052 Profile %s missing plugin_type field.
01480053 Profile %s missing tmi_type field.
01480054 Command %s not registered.
01490510 %s: Initializing Access with max global concurrent access session limit: %d
01490523 {{Access Profile, %s}{Partition, %s}{Session ID, %s}{Max Concurrent Sessions, %d}} "#0:#1:#2: Initializing Access with max global concurrent connectivity session limit: #3"
01490526 %s: Initializing Access with max global concurrent connectivity session limit: %d
01490541 Access using device name: %s and device ID: %.*s.
01490555 %s: Initializing Access with max global concurrent url filtering session limit: %d
01490570 PPP listener local address %A tunnel nexthop is NULL
01490572 %s: API Protection feature is %s
01490573 %s: Ephemeral Authentication feature is %s.
014b0002 RADIUS: %s error %lE
014c0001 DIAMETER: %s error: %lE
014c000f DIAMETER: Invalid AVP length: %d
014c0010 DIAMETER: Invalid AVP code
014c0010 DIAMETER: Invalid AVP length: %d
014c0011 DIAMETER: Invalid AVP code
014c0012 DIAMETER: Invalid event
014c0013 DIAMETER: Retransmission triggered by timeout for message: AppId %lu HopByHopId %lu from %s
014c0014 DIAMETER: Retransmission triggered by result code %d for message: AppId %lu HopByHopId %lu from %s
014c0015 DIAMETER: Retransmission triggered by iRule (note '%s') for message: AppId %lu HopByHopId %lu from %s
014c0016 DIAMETER: Retransmission generated an error answer of %d for message: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c0017 DIAMETER: Retransmission retransmitted request message: AppId %lu HopByHopId %lu from %s
014c0018 DIAMETER: Message dropped after routing error %s: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c0019 DIAMETER: Error answer of %d generated after routing error %s: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c001a DIAMETER: Message added to Retransmission queue: AppId %lu HopByHopId %lu from %s
014c001b DIAMETER: Message removed from Retransmission queue: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c001c DIAMETER: Deleting stale pending request entry: original HopByHopId %lu outgoing HopByHopId %lu
014c001d DIAMETER: Unexpected answer message arrived: HopByHopId %lu from %A
014c001e DIAMETER: Dropping late answer for original request after request retransmitted: HopByHopId %lu from %A
014c001f DIAMETER: %s transport window for retransmission queue %c or proxy queue %c
014c0020 DIAMETER: Looped message detected from peer %s
014c0022 DIAMETER: Forced down pool member %A:%u as BIG-IP received DPR from it
014c0023 DIAMETER: Disabled pool member %A:%u as BIG-IP received DPR from it
014e0001 mysql failure detected, attempting to restart mysql (attempt %d).
014e0003 mysql service back online.
014e0007 mysqlhad starting to monitor mysqld
014f0001 %s
014f0002 %s
014f0004 %s
014f000e Becoming primary cluster member
014f0013 Script (%s) generated this Tcl error: (%s)
014f0017 Perpetual handler (%s) exited with failure
01510003 %s
01510004 %s
01510005 SAMPLE: vcmpd - VDisk (LBEMP-LOTWAN01.img/1): Failed to save info file - /shared/vmdisks/LBEMP-LOTWAN01.info
01510007 %s
01510011 vCMP guest %s powered off.
01530007 %s started ===============================
0153000c Error writing scratch database(%s), serving database is unchanged. zxfrd will exit and restart.
0153002c An instance of zxfrd (pid: %d) is already running! Exiting
01531003 Failed to sign zone transfer query for zone %s using TSIG key %s
0153100c Failed on receive of %d bytes for transfer of zone %s (%s)
0153100e Transfer of zone %s failed with rcode (%s).
01531010 Transfer of zone %s failed b/c there are no records
01531015 Failed to retrieve next RR in %s for zone %s
01531018 Failed to transfer zone %s from %s, will attempt %s
0153101b Ignoring NOTIFY for zone %s due IXFR in progress
0153101c Handling NOTIFY for zone %s
0153101f %s Transfer of zone %s from %s succeeded
01531023 Scheduling zone transfer in %ds for %s from %s
01531025 Serials equal (%d); transfer for zone %s complete
0153102a Failed connect callback to %s for transfer of zone %s
0153102d Notify request from %s not in allow-notify-list. Ignoring.
0153102e Error %s during socket %s.
0153102f Timed out waiting for transfer data for zone %s.
01531030 Kicking read timer for zone %s.
01531031 Setting read timer for zone %s.
01531032 There is an existing zone transfer scheduled for zone %s from %s, not re-scheduling.
01531033 There is a backlogged zone transfer scheduled for zone %s from %s, not adding another.
01531105 Zone %s expired. Zone will be unavailable until the next successful zone transfer.
0153120c Zone %s saved to scratch DB with SOA Serial %d.
01531300 Cluster status changing from %s to %s
0153e0f7 Lost connection to mcpd
01550004 Critical:
01550005 Critical:
01550006 Critical:
01570004 %s
015a0000 SAMPLE: devmgmtd - Initial trust configuration created
015a0004 "%s"
015c0004 %s
015c0009 IP Reputation has no license currently
015c0010 Initial load of IP Reputation database has been completed
015e0002 [pg:%d pu:%d] %s: %s
015e0004 [pg:%d pu:%d] %s: %s
015f0028  
015f0029  
015f0029 date_time, management_ip_address, bigip_hostname, device_product, device_vendor, device_version, msg_name, nps_name, bits_per_second, packets_per_second, connections_per_second, total_bits_per_po, total_packets_per_po, total_connections_per_po
015f0030  
015f0031  
015f0032  
015f0033  
01630002 (%s) (%s)
01660009 %s
01660010 %s
01660011 %s
01660012 %s
01660013 %s
01660014 %s
01660015 Interface %s. Non-F5 branded optics are not supported
01660016 %s
01670003 Inbound entry %A,%d,%A,%A found
01670006 [%u.%u] DNAT Picked :%A,%d
01670009 Inbound connection :%A,%d is active
01670010 Inbound entry:%A%%%d:%d, ds-lite remote:%A local:%A timeout:%d for key:%A%%%d:%d proto:%d added. ha mirrored: %s
01670016 No inbound entry found for %A%%%u:%u proto:%u
01670019 "DNAT configuration: %s"
01670020 DNAT connection: %s
01670021 [%u.%u] LSN Pool %s has no usable translation address for DNAT
01670028 LSN pool(%s) inbound route domain id %d\n
01670029 Translation failed: %s is unsupported.\n
01680027 netHSM: Thales RFS error [%s].
01680028 netHSM: Cannot load HSM vendor library [%s] with error [%s].
01680029 netHSM: Failed login: password[%s]. Error[%lu].
01680030 netHSM: Failed to allocate space [%lu] for [%s].
01680031 netHSM: The session with the network-hsm is invalid.
01680032 netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
01680033 netHSM: BigDB error [%d][%s].
01680034 netHSM: Key name is too long (>=255).
01680035 netHSM: PKCS11d (re)initialization is not complete.
01680036 netHSM: Unknown HSM vendor [%s].
01680037 netHSM: Failed to create ec key for key %llu
01680038 netHSM: Failed to set ec group for key %llu
01680039 netHSM: Failed to create ec point for key %llu
01680040 netHSM: Failed to find partition with label '%s' on the netHSM.
01680041 Failed to add key to cache index %lu; err %d. Cache size %lu.
01680042 Failed to find key handle for %s key with %s '%s'.
01680043 Failed to find key attribute [%s] for key with handle [%llu] .
01680044 Thread [%lu] successfully connected to partition labeled '%.*s' in slot '%lu'.
01680045 Nethsm: number of slots %u
01680046 pkcs11d loading key handles.
01680047 pkcs11d invalidating key handles.
01680048 %s: pkcs11_rv=0x%08lx, %-26s.
01680049 [PKCS11D][%u]:%s:%d: %s
01680050 %s
01680051 %s.
01690000 SAMPLE: evrouted - shutdown cleanly
016b0002 Rewrite: %s
016e0002 Execution of action '%.*s' failed, error %E
016e0005 Unable to resume pending policy event on connflow %F
016e0006 Pending policy event missmatch found for %F
01700000 PPTP CALL-REQUEST id;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d
01700001 PPTP CALL-START id;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d
01700002 PPTP CALL-END id;%d reason;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d
01700005 Error creating PPTP-GRE local flows, error %E.
01700009 Unable to locate flow %F.
0170000a Received an unexpected PPTP Control Message(%s) while processing connflow %F. Reason: %s.
0170000b Connflow(%F) has no peer, ignoring.
01700020 Unable to locate PPTP GRE flow with %s key %d while processing connflow %F.
01700021 Unable to retrieve layer 3 header from packet while processing connflow %F.
01700023 Connflow (%F) ignoring an unexpected MPI remote flow response.
01700028 Unable to find serverside PPTP flow for clientside flow %F.
01700029 PPTP DSLITE-CALL-REQUEST id;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01700030 PPTP DSLITE-CALL-START id;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01700031 PPTP DSLITE-CALL-END id;%d reason;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01700032 PPTP DSLITE-CALL-FAILED id;%d reason;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01740018 Profile PCP error: Invalid operation for %s.
01740023 Profile PCP error: PCP %s missing from message.
01740036 PCP: Invalid %s Option length, Expected %lu, Found %d - Client %A rtid %d
01740039 PCP Request: Client %A - OpCode %s(%d), Lifetime:%u, Packet Length:%lu
017b0009 IVS (connecting from parent %F): Internal virtual server %s received injected message %s with data %#x
017c0003 tmm IPsec: Tunnel down %A - %A
017c0004 tmm IPsec: Tunnel up %A - %A
017c0005 listener binding ERR=%d %s listener %s %A:%d FAIL
017c0006 NOTE: avoid common IPsec v1 and v2 tunnel local addr
017c0007 IPsec Tunnel UP destination(%A) source(%A) reqid(%d)
017c0008 IPsec Tunnel DOWN destination(%A) source(%A) reqid(%d)
01810004 %s
01810007 "%s"
01810008 %s
01820004 %s
01830003 Unable to find a flow for remote vtep %A%%%u, tunnel name = %s.
01830004 Tunnel output has a potential loop for remote endpoint %A%%%u, tunnel name = %s.
01850027 MR: Proxy missing for %s %s
01850028 MR: Message drop due to wrong Hop-by-Hop ID (%u)
01850028 MR: Message dropped due to wrong Hop-by-Hop ID (%u) or End-to-End ID (%u)
01850033 MR: Message dropped because ingress queue full (flow %F)
01850034 MR: Ingress buffer full, closing TCP window (flow %F)
01850035 MR: Ingress buffer draining, opening TCP window (flow %F)
01850036 MR: Passthru_mode state %s side connection: %F is torn down or aborted, reason: %lE
01850037 MR: Server side connection %F is established and in passthru_enabled state
01850038 MR: Router %s iRule scope is per %s
01850039 MR: Diameter: Performing dynamic route lookup, destination host %.*s
0185003a MR: Diameter: Dynamic route lookup failed for %.*s (Reason: %E)
0185003b MR: Diameter: Dynamic route added for %.*s
0185003c MR: Diameter: Dynamic route for %.*s set to delete in %d seconds
0185003d MR: Diameter: Dynamic route for %.*s deleted
0185003e MR: Diameter: Dynamic route for %.*s updated, generation %d
01860000 MR SIP: %s returned error: %lE
01860001 MR SIP: %s
01860002 MR SIP: Missing header %s in the message
01860003 MR SIP: Decrypt branch parameter failed with error : %lE
01860004 MR SIP: Encrypt branch parameter failed with error : %lE
01860005 MR SIP: %s
01860006 MR SIP: Invalid config attribute %s in profile %s
01860007 MR SIP: Generated response was not sent '%d - %s' (%F)
01860008 MR SIP: Generated response SENT '%d - %s' (%F)
01860009 MR SIP: Media flow creation (%F)<->(%F) failed due to collision
0186000a MR SIP: Parse error reading number for %s value near %d. Status Code %d
0186000b MR SIP: Parse error bad sip protocol version in headline near %d. Status Code %d
0186000c MR SIP: Parser error invalid or malformed uri in headline near %d. Status Code %d
0186000d MR SIP: Parser error invalid headline near %d. Status Code %d
0186000e MR SIP: Parser error too many header near %d. Status Code %d
0186000f MR_SIP: Parser error extraneous header field near %d. Status Code %d
01860010 MR_SIP: Parser error header too large near %d. Status Code %d
01860011 MR_SIP: Parser error missing header code %d. Status Code %d
01860012 MR_SIP: Parser error CSEQ method does not match headline tag %s : %s. Status Code %d
01860013 MR_SIP: Parser max-forwards value has reached zero. Status Code %d
01860014 MR_SIP: Server in maintence mode. Status Code 503
01860015 MR_SIP: Loop detected. Status code 482
01860016 MR_SIP: Missing Media Connection atributes. Status Code 488
01860017 MR_SIP: Too many media sessions %d / %d. Error Code %d
01860018 MR_SIP: Ingress message queue full, current message dropped (flow %F)
01860019 MR_SIP: Ingress message queue full, closing TCP window (flow %F)
0186001a MR_SIP: Ingress message queue draining, opening TCP window (flow %F)
01860026 MR SIP: invalid address: %A
01860027 MR SIP: Rejecting SIP registration request due to PBA Block timeout blackout. %d seconds left in block, %d-second blackout period
01860028 MR SIP: Backdown of SIP registration request expiry due to PBA Block timeout. %d -> %d in message
01860029 MR SIP: Re-writing SIP REGISTER response expiration value from registrar due to PBA Block timeout. %d -> %d
0186002a MR_SIP: Non-SIP message received. Client connection %F is in fail_open_enabled state
0186002a MR_SIP: Non-SIP message received. Client connection %F is in passthru_enabled state
0186002b MR_SIP: Server side connection %F is established and in fail_open_enabled state
0186002b MR_SIP: Server side connection %F is established and in passthru_enabled state
0186002b MR_SIP: Media flow creation (%F)<->(%F), flow index %u, timeout %u s
0186002c MR_SIP: Fail_open_enabled state %s side connection: %F is torn down or aborted, reason: %lE
0186002c MR_SIP: Passthrough_enabled state %s side connection: %F is torn down or aborted, reason: %lE
0186002c MR_SIP: Media flow creation (%F)<->(%F) failed with error: %lE
0186002d MR_SIP: Media flow deletion (%F)<->(%F)
0186002e MR_SIP: Subscriber registration created: subscriber URI %s
0186002f MR_SIP: Subscriber registration deleted: subscriber URI %s
01860030 MR_SIP: Subscriber registration updated: subscriber URI %s, lifetime %u s
01860031 MR_SIP: Non-Registered Subscriber registration created: subscriber URI %s
01860032 MR_SIP: Non-Registered Subscriber registration updated: subscriber URI %s, lifetime %u s
01890008 Postgres stopped with a non-zero status (%d).
0189000b Shutting down postgres.
018e0002 %s
018e0005 Exiting, received shutdown signal
018e0017 %s
018e001d %s
018e001e %s
01900006 Profile SCTP error: SCTP %s missing from message.
01900020 SCTP %s association (%F) confirmed peer transport address %la.
01900021 SCTP %s association (%F) peer transport address %la not confirmed, path %F inactive.
01900022 SCTP %s association (%F) %s path %F failed (path-retransmit-exceeded).
01900023 SCTP %s association (%F) %s path %F failed (destination unreachable).
01900024 SCTP %s association (%F) path %F restored.
01900025 SCTP %s association (%F) primary path changed to %F.
01900026 SCTP %s association (%F) path %F usable.
01900027 SCTP %s association (%F) %s path %F not usable (path-retransmit-exceeded).
01900028 SCTP %s association (%F) %s path %F not usable (destination unreachable).
01900029 SCTP %s association (%F) failed (association-retransmit-exceeded).
01900030 SCTP %s association (%F) initialization failed (init-retransmit-exceeded).
01900031 SCTP %s association (%F) aborted by peer.
01900032 SCTP %s association (%F) aborted (%s).
01910001 Tmrouted starting.
01910014 FATAL error: non_initial state (%d) and some state vars are unknown (cluster: %d, primary: %d)
01910030 FATAL error: failed to set timer %p at %s:%d
01910031 FATAL error: failed to clear timer %p at %s:%d
01910032 FATAL error: attempt to set already active timer %p at %s:%d
01910033 FATAL error: attempt to clear inactive timer %p at %s:%d
01910034 FATAL error: attempt to clear wrong timer %p at %s:%d
01910035 FATAL error: timer array exceeded
01910036 FATAL error: RHI failed to send %s request.
01910037 Tmrouted clean up timed out while shutting down.
01910050 error on cluster socket %d in state %d: %s
01910202 failed to add attribute %u to NETLINK message. got: %d need: %zu
01910204 memory allocation failed for %s: trying %zu bytes
01910300 HA daemon heartbeat disabled. Last value is %u.
01910301 HA daemon heartbeat enabled with %us period. Last value is %u.
01910600 Suppressing route %s matching admin network.
01910601 Unsuppressing route %s matched previous admin network.
01910602 Failed to suppress route %s matching admin network.
01910603 Withdrawing route %s matching admin network not suppressed.
01910604 New route %s matching admin network already suppressed.
01940007 "Failed to allocate the errdefs tmconf handle!"
0194000b "errdefs: error adding local syslog destination %s; check the configuration for missing elements."
0194000c "errdefs: error adding remote syslog destination %s; check the configuration for missing elements."
0194000d "errdefs: error adding remote hsl destination %s; check the configuration for missing elements."
0194000e "errdefs: error adding fslog destination %s; check the configuration for missing elements."
0194000f "errdefs: error adding alertd destination %s; check the configuration for missing elements."
01940010 "errdefs: failed to add splunk destination %s -- the delivering destination %s probably doesn't exist or contains errors."
01940011 "errdefs: error adding IPFIX destination %s; check the configuration for missing elements."
01940012 "errdefs: failed to add splunk destination %s -- the delivering destination %s probably doesn't exist or contains errors."
01940019 "Unable to connect to MCPD, will try again in 30 seconds."
0194001d Errdefsd is starting.
01940022 errdefs: error adding management port destination %s; check the configuration for missing elements.
01960002 netHSM: Failed to login to network HSM with login_status[%lu].
01960004 netHSM: Failed login: password[%s]. Error[%lu].
01960005 netHSM: The session with the network-hsm is invalid.
01960005 netHSM: The session with the network-hsm is invalid.
01960006 netHSM: Failed to open file [%s].
01960007 netHSM: Unknown client [%d].
01960008 netHSM: Thales RFS error [%s].
01960009 netHSM: Failed to allocate space [%u] for [%s].
01960010 netHSM: Unknown HSM vendor [%s].
01960011 netHSM: BigDB error [%d][%s].
01960012 netHSM: PKCS11d (re)initialization is not complete.
01960013 netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
01960014 netHSM: Error: %s.
01960014 netHSM: Key name is too long (>=255).
01960015 netHSM: Input string(%s) is too long (>=255).
01960016 netHSM: Failed to create ec key for key %llu
01960017 netHSM: Failed to set ec group for key %llu
01960018 netHSM: Failed to create ec point for key %llu
01960020 %s: file name too long (module: %s, dir: %s).
01960021 dlopen returned %s for module %s.
01960022 module %s is invalid (attach function missing).
01960023 %s(): mod_err = 0x%x
01960030 N3FIPS: Couldn't get curve id for key %PRId64 (%s, err=%u)
01960031 N3FIPS: Couldn't create group for curve id %u
01960032 N3FIPS: Couldn't get group order for curve id %u
01960033 N3FIPS: Couldn't get qx/qy for key %PRId64 (%s, err=%u)
01960034 N3FIPS: Couldn't read qx/qy for key %PRId64
01960035 N3FIPS: Couldn't export key %PRId64 (%s)
01960036 N3FIPS: Couldn't set the ec group for key %PRId64
01960037 N3FIPS: Couldn't retrieve curve id for label '%s'
01960038 N3FIPS: Couldn't assign ec_key to pkey for label '%s'
01960039 N3FIPS: Couldn't convert to bio_key.
01960040 N3FIPS: Couldn't read from the bio_key.
01960041 N3FIPS: Couldn't import private key (err=%u, reason='%s').
01960042 N3FIPS: Unsupported curve id %u.
01960043 N3FIPS(mem): Couldn't create octet string for key %PRId64
01960044 N3FIPS(mem): Couldn't export key %PRId64
01960045 N3FIPS(mem): Couldn't create ec key for key %PRId64
01960047 N3FIPS(mem): Couldn't create memory BIO.
01960048 N3FIPS(mem): Couldn'tgenerate a PEM buffer.
01960049 N3FIPS(mem): Failed to allocate PEM string of %zu bytes.
01960050 N3FIPS(mem): Couldn't duplicate ec_key for label '%s'
01960051 N3FIPS(mem): Couldn't allocate pkey for label '%s'
01960052 N3FIPS(mem): Couldn't allocate bio_key for label '%s'
01960053 N3FIPS(mem): Couldn't allocate bin_key for label '%s'
01960054 N3FIPS(mem): Couldn't allocate a FIPS request record.
01a30018 (%s). err(%d)(%s)
01a30019 read error (%s)/(%d)/(%d) (%d)(%s)
01a3001a write error (%s)/(%d)/(%d)(%d)(%s)
01a3001b Collecting pool member %s status monitor: %d session: %d
01a30025 The database has become inconsistent!
01a30040 Reconnected to TAM server after %d attempts
01a3004b Missing rd(%s) for vlan(%s)
01a3004c Virtual server (%s) is configured with unexpected virtual server type (%d)
01a3004d Error: load balance mode invalid for pool %s used by virtual %s - changed to Round Robin load balancing
01a3004e Error (%s) node(%s)
01a3004f node(%s) state(%s)
01a30050 Failed to post from(%s) to(%s) message (%d)/(%s) error: (%s)
01a30051 Failed to alloc (%s) for (%d)bytes context(%s) err(%d)/(%s)
01a40000 Failed to create IVS (%s).
01a40001 Failed to create OCSP context - %s, with error: %E.
01a40002 Failed to create OCSP request with OCSP object(%s), certificate(%s).
01a40003 HTTP status code of OCSP response(%d) indicates failure to obtain the response for certificate(%s).
01a40004 OCSP validation result of certificate(%s): OCSP response - (%s), certificate status - (%s), lifetime - %u.
01a40008 Unable to build certificate trust chain for profile %s
01a40008 %s
01a40009 Certificate(%s) has expired, or is going to expire in less than a week.
01a50024 Node to corrupt %s is invalid
01a50027 The revoke option is only available on VE platforms.
01a50031 Manifest created is larger than 512K: %u
01a50033 Unable to parse the manifest with a json parser.
01a50034 Failed to get variables from mcpd: %s
01a50035 Failed to to connect to mcpd.
01a50100 Error: Failed to store EULA in %s.
01a50101 Error: Failed to install backup file %s to %s.
01a50102 Error: Failed when calling /usr/bin/chcon for %s.
01a50111 Error: Server busy, retry in %d seconds.
01a60001  
01a70028 The platform was not found in %s.
01a70029 CCN is unsupported on vcmp guests.
01a70077 Error: OpenSSL PEM_read_bio_PrivateKey failed read key %s.
01a70095 Error: OpenSSL EVP_PKEY_get1_RSA failed.
01a70096 Error: OpenSSL RSA_check_key(%s) failed.
01a70097 Error: OpenSSL BN_new failed.
01a70098 Error: OpenSSL RAND_file_name failedo_RSAPrivateKey.
01a70121 Error: Failed while getting the status, %s.
01a70122 Error: Failed to obtain auto-check/auto-phonehome status.
01a70131 Error: Failed to obtain certificate cache path.
01a70132 Error: Failed while gettting the certificate cache path, %s.
01a70133 Error: Failed to obtain key cache path.
01a70134 Error: Failed while gettting the key cache path, %s.
01a70141 Error: Can't connect to mcp, %s.
01a70151 Error: OpenSSL RAND_status failed.
01a70152 Error: OpenSSL RSA_new failed.
01a70153 Error: OpenSSL BN_set_word failed.
01a70154 Error: OpenSSL RSA_generate_key_ex failed.
01a70155 Error: OpenSSL RAND_write_file failed.
01a70156 Error: OpenSSL PEM_write_bio_RSAPrivateKey for key %s failed.
01a70170 Error: Failed to obtain key passphrase from mcpd for key %s.
01a70171 Error: system call to tmsh save sys config.
01a70172 Error: Failed to create cached key file.
01a70173 Error: Failed to create cached certificate file.
01a70180 Error: Attempted to get cloud environment when not on cloud.
01a70181 Error: Failed to communicate with %s to obtain metadata.
01a90007 dynconf setrlimit %d failure: %s.
01a90008 dynconf setrlimit %d error: %s %d.
01aa0000 ICAP (%F): Incomplete message body received from server
01aa0001 ICAP (%F): Unexpected status code %u received from server
01aa0002 ICAP (%F): Server responded 204 beyond or without preview ('Allow: 204' is not supported)
01aa0003 ICAP (%F): Parsing ICAP response headers failed
01aa0004 ICAP (%F): Parsing ICAP chunked response body failed
01aa0005 ICAP (%F): Status code %u received from server
01aa0006 ICAP (%F): Response completed after request completed - connection may be reused by 'oneconnect'
01aa0007 ICAP (%F): Response completed before request - request truncated and oneconnect reuse disabled
01aa0008 ICAP (%F): An IVS result was imposed during iRule event %s - ICAP transaction terminated
01aa0009 ICAP (%F): An iRule parked at event %s
01aa0010 ICAP (%F): Processing message %s failed: %s
01aa0011 ICAP (%F): Processing ingress from IVS failed: %s
01aa0012 ICAP (%F): Processing egress from server failed: %s
01aa0013 ICAP: Client-facing state transition %s -> %s
01aa0014 ICAP: Server-facing state transition %s -> %s
01ad0001 Monitor Agent TMM %u: channel could not be opened: error %s(%s)
01ad0003 Monitor Agent TMM %u: channel could not be authenticated: error %s(%s)
01ad0013 Monitor Agent TMM %u: failed to handle %s message: MID %u, error %s(%s)
01ad0014 Monitor Agent TMM %u: created activity: MID %u, proto %s, endpoint %A:%u, monitor %s
01ad0015 Monitor Agent TMM %u: failed to create activity: proto %s, endpoint %A:%u, monitor %s
01ad0016 Monitor Agent TMM %u: deleted activity: MID %u, monitor %s
01ad0017 Monitor Agent TMM %u: sent probe: MID %u
01ad0018 Monitor Agent TMM %u: failed to send probe: MID %u, monitor %s
01ad0019 Monitor Agent TMM %u: received probe response: MID %u, reason %s(%s), info %#x
01ad0020 Monitor Agent TMM %u: probe response timeout: MID %u
01ad0021 Monitor Agent TMM %u: created/enlarged monitor table for %u entries
01af0004 Traffic rejected for hornet virtual (%s)
01b00001 %s: class name (%s) field name (%s)
01b00002 internal error - %s
01b10000 DSCPROXY: failed to allocate new %s.
01b10001 DSCPROXY: Attempting connect - remote_ip %A, local_ip %A, port %d.
01b10001 Failed to restart nslcd: %s
01b10002 DSCPROXY: Connection attempt failed to %la port %u: %E.
01b10003 DSCPROXY: Connection with peer %la:%d failed TLS handshake.
01b10004 DSCPROXY: Connection with peer %la:%d closed.
01b10005 DSCPROXY: Connection with peer %la:%d lost.
01b10006 DSCPROXY: Reconnect with peer %la:%d stuck in delay.
01b10007 DSCPROXY: %s connection with peer %la:%d established.
01b10008 DSCPROXY: Cannot connect to peer because local address is %s (%la) and remote address is %s (%la).
01b30001 Failed to configure iptables rules for config sync CGC routing: %s
01b30002 Configured iptables rules for config sync CGC routing: %s
01b30003 Config sync over the management port requires big3d, which is not currently running. Config sync will not work until big3d is running.
01b40001 A cipher group must be configured when TLS 1.3 is enabled (validation failed for %sprofile %s).
01b40002 Configuration error: sslo log configuration (%s) is part of system configuration, so it cannot be deleted.
01b40017 Configuration error: Virtual Server (%s) with Access Profile of type sslo is not compatible with profile of type (%s).
01b40018 Configuration error: Access Profile of type sslo is not compatible with exchange profile.
01b4001d The listen-ip or listen-port must not be zero in splitsession server profile %s for virtual server %s.
01b4001e The peer-ip or peer-port must not be zero in splitsession client profile %s for virtual server %s.
01b4001f Invalid value (%s) for profile %s field %s. Only integers between %d and %d are permitted.
01b40020 Invalid retransmission queue limits (high = %d, low = %d) High must be greater than low, and as they represent percentages, they both must be between 0 and 100.
01b40021 Invalid unroutable options selected. Only one of 'Discard' and 'Respond' may be selected.
01b40023 Virtual Server (%s) cannot use both an Access profile and an Anti-Fraud profile.
01b40024 Virtual Server (%s) of type Internal contains an HTTP profile. It must also contain a Service profile.
01b40025 Virtual Server (%s) contains a Fraud Protection profile and a Service profile. The Service profile must be of type F5 Module.
01b40027 On profile (%s) with GMSSL enabled: no-tls, no-ssl, and no-dtls must be selected.
01b40028 On profile (%s): Invalid SSL option (%s) found.
01b40029 Client SSL profile (%s): %s is not RSA %s. To add non-RSA cert/key, please use [cert-key-chain add].
01b4002a Client SSL profile (%s):%s and profile %s options cannot be specified together.
01b4002b Client SSL profile (%s): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add].
01b4002c Client SSL profile (%s): inherit-cert-key-chain and cert/key can not be set together.
01b4002e Client SSL profile (%s): SM2 certificate and key type is incompatible with SSL forward proxy mode.
01b4002f Client SSL profile (%s): un-licensed certificate and key type.
01b40030 Client SSL profile (%s): cert-key-chain (%s): SM2 certificate and key can not be used as forward proxy CA.
01b40033 Server SSL profile (%s): SM type %s (%s) is not allowed in a serverSSL profile.
01b40034 Clieint SSL profile (%s): Un-licensed type %s (%s).
01b40035 Cipher Group (%s): %s can not be used with other %s together in one cipher group.
01b40036 SSL profile (%s): A cipher group must be configured when GMSSL is enabled.
01b40037 Virtual Server (%s): GMSSL clientSSL profile (%s) and non-GMSSL clientSSL profile (%s) cannot be configured in the same virtual server.
01b40039 %s critical message rate limit threshold (%u) must be greater than major message rate limit threshold (%u).
01b4003c The addresses within the specified address list(%s) have different route domains.
01b4003e Server SSL Profile (%s): %s response control cannot be set to mask when forward proxy is disabled
01b4003f VLAN(%s) and tmc have different route-domain
01b40040 TMC(%s) and %s have different route domain.
01b40041 Policy: '%s' Rule '%s' Condition '%s', Option 'use case sensitive string comparison' not supported for data type '%s'.
01b40042 Cannot add record to an external data group (%s).
01b50001 VE 1NIC Self IP configuration error: %s
01b50002 The label '%s' is longer than the %u characters specified by the PKCS11 Standard.
01b50003 Certificate (%s) is not generated from the key (%s).
01b50004 Certificate signing request (%s) is not generated from the key (%s).
01b50005 Key (%s) access requires passphrase.
01b50009 Certificate order manager (%s) certificate authority (%s) requires client certificate and key to access the account.
01b50010 Certificate order manager (%s) fields (%s) should be empty for the selected certificate authority (%s).
01b50011 Certificate order manager (%s) empty order-info. Please provide a valid order-info corresponding to the CA.
01b50012 Certificate order manager (%s) invalid order-info for Certificate Authority (%s).\n%s.
01b50015 Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. Allowed values are (%s).
01b50016 Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. An Integer value is expected.
01b50017 Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. An integer value within range (%d-%d) is expected.
01b50018 Certificate order manager (%s) CA certificate (%s) is invalid. %s.
01b50019 Certificate order manager (%s) client certificate key pair is mismatched.\n%s
01b50020 Key (%s) cert-order-manager revoke-reason should not be empty for certificate revoke.
01b50020 Key (%s) cert-order-manager cannot be deleted when order-status is in 'pending'.
01b50021 Key (%s) cert-order-manager association is being deleted while order-type (%s) is in progress.
01b50022 Key (%s) cert-order-manager order-status should be in 'pending' to check-status.
01b50022 Key (%s) cert-order-manager order-status should not be in 'pending' while deleting key.
01b50022 Key (%s) cert-order-manager order-id should be valid to download a certificate.
01b50023 Key (%s) is being deleted while order-type (%s) is in progress.
01b50027 Key (%s) changing order-type to (%s) is not allowed as there is order-type (%s) in progress.
01b50028 Key (%s) cert-order-manager order-type(%s) needs a valid certificate signing request (CSR) with name (%s). %s
01b50029 CSR (%s) is being deleted while key (%s) cert-order-manager order-type (%s) is in progress.
01b50030 Key (%s) cert-order-manager current order-type (%s) cannot be canceled.
01b50032 Certificate order manager (%s) base-url should not include authentication information.
01b50033 Certificate order manager (%s) additional header %s. Expected configuration '%s'".
01b50034 Certificate order manager (%s) internal proxy should not be empty.
01b50034 Key (%s) Certificate order manager (%s) authority (%s) requires challenge passphrase for submitting the order.
01b50035 Key (%s) cert-order-manager certificate authority (%s) order-passphrase requirements not met.%s
01b50036 Key (%s) cert-order-manager order-passphrase not required for certificate authority (%s).
01b50037 Key (%s) cert-order-manager order-type should not be changed along with check-status.
01b50037 Key (%s) cert-order-manager order-type should not be changed while downloading certificate.
01b50038 Certificate order manager (%s) CA certificate should not be empty.
01b50039 Key (%s) certificate order manager order-id should not be empty while making a renewal order.
01b50040 System generated key (%s) should not be associated with certificate order manager.
01b50041 Certificate order management is disallowed on key (%s) as its folder (%s) is associated with a sync-only device-group (%s). This operation is allowed on folders associated with sync-failover device-group or if the device-group on the folder is set to none.
01b50042 Certificate order manager (%s) - Certificate authority is not allowed to be modified. Please create a new certificate order manager if a different certificate authority is needed.
01b50043 Certificate order manager (%s) has invalid (%d) validity-days. %s
01b50047 Certificate order manager (%s) certificate authority (%s) security token is invalid. %s
01b60001 No cipher match found in '%s'
01b60002 No TLS version match found in '%s'
01b60003 QoS Round-trip time and Hops can't both have non-zero values.
01b60004 DNSSEC External Zone (%s) must be a descendant of DNSSEC Zone (%s).
01b60005 DNSSEC External Zone (%s:%s) duplicates existing DNSSEC zone (%s) with the same name (case-insensitive and unique across folders).
01b60006 DNSSEC External Zone (%s:%s) duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01b60007 DNSSEC External Zone (%s) references a nonexistent DNSSEC zone (%s)
01b60008 DNSSEC Zone %s duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01b60009 Unable to parse DNSSEC secure delegation record (%s:%s):%s (%s).
01b6000a DNSSEC external secure delegation record (%s:%s) has DS with different owner name: %s.
01b6000b At least one ds-algorithm must be specified.
01b6000c DNSSEC External Zone (%s) must contain at least one DS record string.
01b6000d DNSSEC External Zone (%s) contains a duplicate DS record (%s).
01b6000e DNSSEC External Zone (%s) DS record string (%s) contains a non-IN class type (%s). It must be 'IN'.
01b6000f DNSSEC External Zone (%s) DS record string (%s) contains a non-DS resource record type (%s). It must be 'DS'.
01b60010 DNSSEC External Zone (%s) DS record string (%s) contains an invalid digest type (%s). It must be an integer in the range of 1 - 2.
01b60011 DNSSEC External Zone (%s) DS record string (%s) contains an invalid key tag (%s). It must be an integer in the range of 0 - 65535 and match that of the corresponding DNSKEY RR.
01b60012 DNSSEC External Zone (%s) DS record string (%s) contains an invalid DNSKEY algorithm (%s). It must be an integer in the range of 3 - 255 and match that of the corresponding DNSKEY RR.
01b60013 DNSSEC External Zone (%s) DS record string (%s) contains an invalid TTL (%s). It must be an integer in the range of 0 - 2147483647.
01b60014 DNSSEC External Zone (%s) DS record string (%s) is missing the DNSKEY digest.
01b60015 Topology order value (%u) ignored because longest match is enabled.
01b60016 Cannot specify order (%u) that is greater than the number of topology records (%u)
01b60018 DS record is not a valid attribute for external insecure zone %s
01b60019 DNSSEC SEP Record is missing %s.
01b6001a DNSSEC FIPS manager could not parse %s key file (%s)
01b6001b Handling request for dnssec generation of key %s with id %llu. %s.
01b6001c Failed to handle request for new dnssec key generation: Invalid primary key in request for DNSSEC Key Generation.
01b6001d Failed to handle request for new dnssec key generation: Non existent key %s.
01b6001e Invalid control character %u found in GTM object with name %s.
01b6001f DNS monitor '%s' has invalid parameter value '%s'
01b70001 Per-request policy (%s) should have only one per-req-policy-properties object
01b70002 Policy (%s) of type %s cannot have per-req-policy-properties attached, policy type must be %s.
01b70003 Discovery interval (%u) for OAuth provider (%s) must be greater than (%u) minutes.
01b70005 oneshot_macro attribute for the requested object (%s) can be set to true only for access policy of type per request macro and per request sslo macro.
01b70008 JWK config (%s) is configured to use client secret for key type octet. Hence, this cannot be used as %s in %s (%s).
01b7000b OAuth claim object (%s) has an invalid value (%s). When claim-type is set to '%s', allowed value is %s or a valid session variable.
01b7000c Access Profile or Per-Request Policy cannot be attached to virtual (%s) when API Protection profile is attached.
01b7000d In API Protection Profile (%s), Last Generated Path ID value (%d) must be greater than or equal to its previous value (%d).
01b7000e In API Protection Profile (%s), Last Generated Path ID should be provided when setting Path ID manually(%d) in the children Path object.
01b7000f In API Protection Profile (%s), Path ID (%d) in the children Path object should not be greater than Last Generated Path ID (%d) value.
01b70010 In API Protection Profile (%s), children Path object has path_id modified to '%d'. Updating Path ID for an exisitng API Protection Profile Path object is not allowed.
01b70011 Access profile (%s) is of type api-protection and cannot be attached via the access profile link. API protection profiles must be directly attached to the Virtual Server.
01b70012 Per request policy (%s) is of type api-protection and cannot be attached via the per request policy link. API protection profiles must be directly attached to the Virtual Server.
01b70013 Once an access profile has been associated to an API Protection profile (%s), a new access profile (%s) cannot be attached.
01b70014 Once a per request policy has been associated to an API Protection profile (%s), a new per-request policy (%s) cannot be attached.
01b70015 Access profile (%s) attached to the API protection profile (%s) must be of type api-protection.
01b70016 Per request policy (%s) attached to the API protection profile (%s) must be of type api-protection.
01b70017 API Server (%s) cannot be attached to two API protection profiles (%s and %s).
01b70018 DNS Resolver must be attached if a server is present on API protection profile (%s).
01b7001a In API Protection Profile (%s), Path ID (%d) is not allowed. Path ID must be unique for the API protection profile.
01b7001b In API Protection Profile (%s), Path ID (%d) value is out of bounds. Valid value must be between (0) and (%d).
01b7001c In API Protection Profile (%s), path ID cannot be generated for child path object. Maximum allowed value (%d) is reached
01b7001d Response (%s) cannot be attached to two API protection profiles (%s and %s).
01b7001e Default response cannot be empty in API protection profile (%s).
01b7001f Default response (%s) must be a part of responses associated with the API protection profile (%s).
01b70020 API Protection base profile (%s) cannot be modified or deleted.
01b70021 Invalid URL (%s) for API Server (%s): %s.
01b70022 If URL (%s) is of https scheme, serverssl profile must be present in API Server (%s).
01b70023 Status code cannot be empty in Response Config (%s).
01b70024 Status string cannot be empty in Response Config (%s).
01b70025 Response Config (%s) cannot have 'Connection' header present.
01b70026 Response Config (%s) cannot have 'Content-Length' header present.
01b70027 In API Server Selection Agent (%s), Server (%s) selected must be part of servers associated with the API protection Profile (%s).
01b70028 %s (%s) cannot be configured to use SSO Config (%s) since the SSO method is not supported for API Protection. Use SSO Config with SSO method configured for one of 'HTTP Basic', 'Kerberos' or 'OAuth Bearer'.
01b70029 In %s Agent (%s), Response (%s) selected must be part of responses associated with the API protection Profile (%s).
01b7002a Invalid URI (%s) in Path (ID = %d) for API Protection Profile (%s): %s.
01b7002b Method cannot be empty in Path (ID = %d) for API Protection Profile (%s).
01b7002c This combination of URI (%s) and method (%s) must be unique in API Protection Profile (%s).
01b7002d In API Protection profile (%s), Response (%s) cannot be deleted since it is used in %s (%s).
01b7002e In API Protection Profile (%s), Server (%s) cannot be deleted since it is used in %s (%s).
01b7002f %s (%s) cannot be attached to two API protection profiles (%s and %s).
01b70030 Status code (%s) in Response Config (%s) does not contain valid session variable.
01b70031 Status string (%s) in Response Config (%s) does not contain valid session variable.
01b70032 Header (%s) in Response Config (%s) does not contain valid session variable.
01b70033 Header value (%s) in Response Config (%s) does not contain valid session variable.
01b70034 Response body (%s) in Response Config (%s) does not contain valid session variable.
01b70035 The virtual server (%s) must have an HTTP profile assigned to it before you can associate an API protection profile.
01b70036 You cannot associate the base API protection profile with the virtual server (%s).
01b70037 Header name and header value in response (%s) cannot be empty.
01b70038 In the API Protection Profile (%s), the path (ID = %d) refers to an API Server (%s) that is not part of this profile.
01b70039 In SSO config '%s',scope value(%s) contains invalid characters. Valid values are session variables or ASCII character set (0x21/ 0x23-0x5B/ 0x5D-0x7E).
01b7003a OpenID Connect should not be enabled for '%s' grant in agent '%s'
01b7003b Unable to find customization source (%s) for customization group (%s).
01b7003c Deletion of customization source (%s) is prohibted. Object must always be present.
01b7003d Per-request access policy (%s) is not referenced by any existing customization group set
01b7003e The customization group set (%s) cannot share an access policy (%s) with other customization group set (%s).
01b7003f Access policy name cannot be changed in customization group set (%s)
01b70041 DoS profile (%s) is already referenced by another API protection profile.
01b70041 %s profile (%s) is already referenced by another API protection profile.
01b70041 In API Protection Profile (%s), the Base Path (%s) is invalid: uri path must start with a '/' and cannot contain invalid characters.
01b70042 DoS profile (%s) is already attached to a virtual server.
01b70042 %s profile (%s) is already attached to a virtual server.
01b70042 When force-authn is set to session-var-setting, force-authn-session-var cannot be empty in agent (%s)
01b70043 Bot defense profile (%s) is already referenced by another API protection profile.
01b70043 Another DoS profile is already attached to virtual server (%s).
01b70043 Force-authn session variable (%s) in agent (%s) is not in session variable format
01b70044 Bot defense profile (%s) is already attached to a virtual server.
01b70044 Cannot attach DoS profile to virtual server (%s). It is assigned to API protection profile (%s)
01b70044 API Rate Limiting Config (%s) contains invalid Quota Interval (%d). Quota Interval must be between 1 and 60 minutes.
01b70045 Cannot dettach DoS profile from virtual server (%s). It is assigned to the attached API protection profile
01b70045 API Rate Limiting Config (%s) contains invalid Spike Interval (%d). Spike Interval must be between 1 and 60 seconds.
01b70046 API Rate Limiting Config (%s) contains invalid Max Quota Requests (%s). Max Quota Requests must be a valid number or a subsession /perflow variable.
01b70047 API Rate Limiting Config (%s) contains invalid Max Spike Requests (%s). Max Spike Requests must be a valid number or a subsession /perflow variable.
01b70048 API Rate Limiting Config (%s) cannot be attached to two API protection profiles (%s and %s).
01b70049 API Rate Limiting Key (%s) cannot be attached to two API protection profiles (%s and %s).
01b7004a In API Protection Profile (%s), Rate Limiting Config (%s) cannot be deleted since it is used by one or more Rate Limiting Configuration entry in API Rate Limiting Agent (%s).
01b7004b In API Rate Limiting Agent (%s), Rate Limiting Config (%s) selected must be part of rate limiting configurations associated with the API protection Profile (%s).
01b7004c In API Rate Limiting Agent (%s), Weight assigned (%d) to Rate Limiting Config (%s) is invalid. Weight must be greater than 0 and less than the Quota/ Spike limit value in corresponding Rate Limiting Config.
01b7004d In API Protection Profile (%s), the Black/White list (%s) refers to Rate Limiting Key (%s), which is required to exist in the same profile.
01b7004e Key Name (%s) configuration is invalid for the Rate Limiting Key (%s). Key Name must be unique for all the Rate Limiting Keys in an API Protection Profile (%s).
01b7004f In the API Protection Profile (%s), a Rate Limiting Config (%s) refers to an API Rate Limiting Key (%s) that is not part of this profile.
01b70050 In API Rate Limiting Config (%s), Max Quota Requests is required when Enable Quota is true
01b70051 In API Rate Limiting Config (%s), Max Spike Requests is required when Enable Spike Limit is true
01b70052 In API Protection Profile (%s), Rate Limiting Key (%s) cannot be deleted since it is an auto-generated key.
01b70053 API Rate Limiting Key (%s) cannot be deleted as it is associated with Rate Limiting Config (%s).
01b70054 Rate Limiting Config (%s) must have a Rate Limiting Key attached when associated to an API Protection Profile (%s).
01b70055 In the API Protection Profile (%s), the Blacklist or Whitelist (%s) must have an API Rate Limiting Key attached.
01b70056 %s (%s) associated with %s (%s) does not exist.
01b70057 Empty Rate Limiting Config. Must select a rate limiting configuration associated with the API protection Profile.
01b70058 API Protection Profile (%s) had an unexpected default rate limiting response (%s) during upgrade.
01b70059 APM must be provisioned when a Virtual Server is using an API Protection Profile (%s) that has a reference to the access profile.
01b7005b APM Network Access (%s) DNS name (%s) is not a valid domain name.
01b7005c Not allowed to create or modify SWG Scheme (%s) because the swg-scheme object is deprecated.
01b7005d Ephemeral Authentication (%s) requires using either LDAP or RADIUS authentication, or both.
01b7005e Expiry time (%u) of the password for Ephemeral Authentication (%s) must be in the range of %u-%u.
01b7005f Minimum length (%u) of the password for Ephemeral Access Configuration (%s) must be at least %u.
01b70060 Maximum length (%u) of the password for Ephemeral Access Configuration (%s) cannot be larger than %u.
01b70061 Minimum length (%u) of the password must be less than or equal to the maximum length (%u) for Ephemeral Access Configuration (%s).
01b70062 Minimum length (%u) of %s must be an integer no larger than %u for Ephemeral Access Configuration (%s).
01b70063 Total number of uppercase, lowercase, digits, and special characters (%u) exceeds the maximum length (%u) of the password for Ephemeral Access Configuration (%s).
01b70064 Special characters (%s) should only include these characters %s for Ephemeral Access Configuration (%s).
01b70065 The special characters (%s) in the password have a duplicate character (%c) for Ephemeral Access Configuration (%s).
01b70066 The number of special characters in the password (%u) is less than the minimum number required (%u) for Ephemeral Access Configuration (%s).
01b70067 Ephemeral Authentication cannot be empty in Ephemeral Access Configuration (%s).
01b70068 The %s (%s) associated with %s (%s) is not a valid %s.
01b7006a If using Single Sign-On (%s), you can select only one authentication method for ephemeral authentication (%s).
01b90001 AJAX encryption or both AJAX integrity and strong integrity must be enabled for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.
01b90001 Security FlowSpec: %s: route domain (%s) is already used by %s.
01b90005 %s: The number of custom signatures (%d) is over limit (%d).
01b90006 Dos signature %s: '%s' is not applicable for %s and should be kept as the default value, '%s'.
01b90007 Dos signature %s: '%s' is not allowed to be modified %s.
01b90008 Dos profile %s: cannot be deleted because %s.
01b90009 %s: The associated custom signature (%s) is not a custom Dos persistent signature.
01b9000a %s: shareability-state cannot be changed to not-shareable because it is referred by %s.
01b9000b %s: The associated custom signature (%s) is not a shareable or doesn't have matching parent-profile.
01b9000c %s: The associated custom signature (%s) only can be referred by %s.
01b9000d Dos signature %s: The signature's partition (%s) doesn't match its '%s' partition (%s).
01b90014 Cannot edit response page %s while its type is Default.
01b9001c Bot signature category %s not found.
01b9001d Bot defense profile (%s) class override (%s) error: %s.
01b9001e Bot Defense Profile (%s) Micro Service (%s): %s.
01b9001f Bot Defense Profile (%s) Micro Service (%s) Url (%s): %s.
01b90020 Bot defense profile (%s) anomaly override (%s): %s.
01b90021 Bot defense profile (%s) Signature (%s) should be Mobile Application Class signature.
01b90022 Bot defense signature category illegal class (%s).
01b90023 Bot defense profile (%s) signature category override not supported for (%s) which belongs to (%s) class.
01b90024 Bot defense profile (%s) signature override not supported for (%s) which belongs to (%s) class.
01b90025 Bot defense profile (%s) Micro Service (%s) class override (%s) error: %s.
01b90026 Bot defense profile (%s) error: %s.
01b90027 Only one place directive may be specified for firewall rule (%s) per transaction.
01b90028 Internal error #%u in firewall rule ordering
01b90029 There is a loop in firewall rule ordering specified with place_before and place_after options in the following rules: %s
01b9002b Inconsistency in Anti-Fraud log profile: %s.
01b9002c Security FlowSpec: %s: %s is not user settable field.
01b9002d Security FlowSpec: %s: %s are mutual exclusive fields. They cannot be specified simultaneously.
01b9002e Security FlowSpec: %s: 'expiry-time' (%s) is invalid. It is earlier than current time (%s).
01b9002f Security FlowSpec: %s: The rule can not be created since the sum of current system advertised flowspec routes (%d) and user defined routes in database (%d) would exceed the max flowpsec route limit (%d) as per profile (%s) configuration.
01b90030 Security FlowSpec: %s: The value (%d) for %s is outside the acceptable value set [range %d - %d (inclusive)].
01b90031 Security FlowSpec: %s: %s must be configured when %s is redirect.
01b90032 Security FlowSpec: %s: %s (%s) and %s (%s) must be the same type (IPv4 or IPv6).
01b90033 Security FlowSpec: %s: For port range, beginning port (%d) can not be greater than end port (%d).
01b90034 Security FlowSpec: %s: The rule can not be created or changed to persisted one since total number of persisted rules in MCP database (%d) would exceed the max allowed in database limit (%d) as per profile (%s) configuration.
01b90035 %s cannot be changed to %s because the number of persisted rules of profile %s in MCP database is already %d.
01b90036 Security FlowSpec: %s: can not refer %s which is neither in the same partition as profile nor in /Common partition.
01b90037 Blacklist Publisher Profile (%s): %s is invalid.
01b90038 Security FlowSpec: %s: port argument is not allowed for non-port-based protocol (%d).
01b90039 Security FlowSpec: %s: The protocol (%d) is not supported.
01b9003a Security FlowSpec: %s: The max flowspec route limit can not be decreased since the sum of current system advertised flowspec routes and user defined routes in database (%d) would exceed the specified max flowpsec route limit (%d).
01b9003b Security FlowSpec: %s: IP fragement can't be specified with IPv6 Flowspec rule (%s).
01b9003c Multiple extension header types defined in policy %s, rule %s. Only one extension header type per rule supported.
01b9003d Extension header type %s used more than once in policy %s. Extension header type that doesn't support additional values can be used only once per policy.
01b9003e Value %u associated with extension header type %s used more than once in policy %s. Any (Extension header type, value) pair can be used only once per policy.
01b9003f Specifying values for extension header type %s is not supported, but values specified in policy %s, rule %s.
01b90040 Aggregate log rate for security packet filter cannot be greater than %u.
01b90045 Firewall Zone configuration %s exceeds maximum allowed limit of %d.
01b90047 %s: %s is not supported.
01b90048 %s: Configuration cannot be modified because %s.
01b90049 The %s (%s) for %s (%s) has the incorrect number of 0-bits set for the given address/prefixlen.
01b9004a Inconsistency in Anti-Fraud log profile: %s.
01b9004b Inconsistency in the Anti-Fraud DOM signature '%s'(hash ID): %s in the Anti-Fraud profile '%s'.
01b9004c Log publisher '%s' used by Anti-Fraud log profile '%s' can have only Remote HSL, Splunk or Syslog destinations.
01b9004d Anti-Fraud parameter '%s' is invalid. Enabling CSS selector for parameter requires: 1. either Full AJAX encryption or AJAX integrity enabled 2. parameter type is explicit in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01b90050 (%s, %s) %s (%s) must have match type (%s) to enable %s.
01b90055 Dos Signature (%s): %s can be %s when %s is %s.
01b90056 %s (%s): %s must set to %s when %s is set.
01b90063 Unable to create source-translation object %s as EIF timeout can be set only if inbound-mode is endpoint-independent-filtering.
01bb0001 Route domain configuration error: %s
01bb0002 %s - sadc
01bb0005 Raising ICMP monitor priority is not supported on this platform (%s).
01bb0006 ICMP monitor priority feature not supported in vCMP mode.
01bf0004 Creating/Modifying Protocol Inspection compliance map are not allowed.
01bf0005 Deleting Protocol Inspection compliance map are not allowed.
01bf0006 Dependency failed between Protocol Inspection profile %s and the profile %s for the virtual %s, \'%s\' field must be enabled for %s
01bf0007 Creating/Modifying Protocol Inspection service config object is not allowed.
01bf0008 Deleting Protocol Inspection compliance service config is not allowed.
01bf0009 Creating/Modifying Protocol Inspection service config map is not allowed.
01bf0010 Deleting Protocol Inspection service config map is not allowed.
01bf0011 Deleting Protocol Inspection service config enums is not allowed.
01bf0012 Creating/Modifying Protocol Inspection service config enums is not allowed.
01bf0013 Creating/Modifying predefined Protocol Inspection common-config meta objects is not allowed.
01bf0014 Deleting predefined Protocol Inspection common-config meta objects is not allowed.
01bf0015 Creating/Modifying predefined Protocol Inspection common-config compliances is not allowed.
01bf0016 Deleting predefined Protocol Inspection common-config compliances is not allowed.
01bf0017 Creating/Modifying predefined Protocol Inspection common-config service configs is not allowed.
01bf0018 Deleting predefined Protocol Inspection common-config service configs is not allowed.
01bf0019 Protocol Inspection service config %s requires valid value: %s
01bf0020 Protocol Inspection common-config is not defined.
01c00001 Please modify the addresses of cluster members only through the cluster component.
01c80025 CONNECTOR: L7 get protocol failed
01c80026 CONNECTOR: L7 get protocol wrong type %d
01c80027 CONNECTOR: Cannot allocate memory for %s
01c80028 CONNECTOR: Create and insert node for connflow %F, proxy %s, listener %s, profile %s
01c80029 CONNECTOR: Error creating node for connflow %F, proxy %s, profile %s [%s]
01c80030 CONNECTOR: Send Perform-Method to connector %s, method-id %u
01c80031 CONNECTOR: Teardown/abort connector %s, profile %s, message %s
01c80032 CONNECTOR: Listener %s, profile %s connect to service entry virtual server %s
01c80033 CONNECTOR: Listener %s, profile %s service %s entry ingress, ingress bytes %u
01c80033 CONNECTOR: Listener %s, profile %s, service connection result %u
01c80034 CONNECTOR: Listener %s, profile %s connected to service entry virtual server %s
01c80035 CONNECTOR: Listener %s, profile %s initialize connection
01c80036 CONNECTOR: Listener %s, profile %s service returned bytes %u
01c80036 CONNECTOR: Uninitialize service connection
01c80037 CONNECTOR: Listener %s, profile %s, state %s, process message %s
01c80038 CONNECTOR: Listener %s, profile %s enqueue service connect to %s
01c80039 CONNECTOR: Listener %s, profile %s dequeue service connect [hold=%s ingress-len=%u]
01c80040 CONNECTOR: State %s event %s [external event %s]
01c80040 CONNECTOR: Listener %s, profile %s dequeue service connect [error=%u]
01c80041 CONNECTOR: Listener %s, profile %s forward events [%s%s%s] to service %s
01c80042 CONNECTOR: encountered error: %E File: %s Function: %s, Line: %d
01c90000 MR MQTT: %s returned error: %lE
01c90002 MR MQTT: Keepalive timeout resulted in connection close.
01c90003 MR MQTT: Broker connection being reused.
01c90004 MR MQTT: Parser error (%E), connection will be closed.
01c90005 MR MQTT: Ingress buffer full, closing TCP window (flow %F)
01c90006 MR MQTT: Ingress buffer draining, opening TCP window (flow %F)
01cc0000 Config error: Agent Rate Limiting Config Entry [%s:%d] update: agent clone failed
01cc0000 NATS server returned error: '%.*s'
01cc0000 Peer (%s) delay %d ms %s the %s threshold %d ms
01cc0001 The number of messages sent to the peer (%s) %d msgs/sec %s the %s rate limit threshold %d msgs/sec
01cc0002 The number of messages from the peer (%s) %d msgs/sec %s the %s rate limit threshold %d msgs/sec
01cc0003 Peer (%s) errors percentage %d %s the %s threshold %d percentage
01cc0004 Peer (%s) timeouts percentage %d %s the %s threshold %d percentage
01cc0006 Peer (%s) connection state has changed: %s
01cc0008 telemd setrlimit %d error: %s %ld.
01d30003 Geo_Redundancy: Reload failed: %s (%E)
01d30004 Geo_Redundancy: Session DB update failed: %E
01d30007 Geo_Redundancy: Message dropped, %s, %E
01d30008 Geo_Redundancy: Unknown GEO message received, %d
01d30009 Geo_Redundancy: Can't send message, %s, %d
01d3000a Geo_Redundancy: unexpectedly disconnected %s
01d3000b Geo_Redundancy: status set to offline
01d3000c Geo_Redundancy: status set to connected
01d3000d Geo_Redundancy: status set to reload sending
01d3000e Geo_Redundancy: status set to reload receiving
01d30010 Geo_Redundancy: watchdog has expired
01d30011 Geo_Redundancy: connection to kafka established, %s
01d30012 Geo_Redundancy: connection to kafka lost, %s, %E
01d4000f Geo_Redundancy: watchdog is alive
05000017 Attr(%attr/%s) is unknown under (%parent/%s)
05000018 client(%client/%s) last response code(%responsecode/%s) result(%result/%d)(%resultmsg/%s) request_id(%requestid/%d)
05000019 client(%client/%s) last request code(%requestcode/%s) request_id(%requestid/%d)
0501001e Failed to call sem_post. ctx(%context/%s) client(%client/%s) Error: (%error/%d)((%strerr/%s))
05010022 message-post failure(%failure/%s) from (%user/%s)
05010023 Internal pipe operation (%op/%s) failed client(%client/%s) ((%errno/%d)/(%sterrror/%s)) bytes (%expect/%d)/(%done/%d)
05010024 Session inactive for (%user/%s) failed (%ctx/%s)
05020039 Expect only one busy block, as min-upd > config-switch (%count/%d) (%sequences/%s)
05020061 Failed to init ha
05020062 Failed to exit ha
05020063 Failed to send heartbeat to update ha
05020065 Cannot find PM(%pm/%s) for status update for VIP(%vip/%s)
05020067 Unhandled message(%msg/%s) reason(%reason/%s)
05020068 stats reset failed (%reason/%s)
05020069 SNAT detected for pm(%pm/%s) when DSR mode is enabled on vip(%vip/%s)
0503000a Class (%class/%s) was not requested
0503000b Hornet response error (%error/%d) (%msg/%s)
0503000c Neuron rule programming failure. Operation: (%op/%s) Rule Text: (%text/%s) Error: (%error/%s)
05030011 nexthop update failed with err ((%err/%s))
05030012 vlan update failed with err ((%err/%s))
05030013 virtual update failed with err ((%err/%s))
05030014 Pool-member update failed with err ((%err/%s))
05030015 Self-IP update failed with err ((%err/%s))
05030016 SNAT-pool-member update failed with err ((%err/%s))

 

Log Messages Details

00020000 : Resuming log processing at this invocation; held %d messages.

Location:
/var/log/ltm

Conditions:
The following messages are not the actual log messages.

        00020000:6: Re-enabling general logging; held %d messages
        00020000:6: Cumulative log rate exceeded! Throttling all non-debug logs.

You should locate the unthrottled versions, which will look like one of the following:

        00020000:6: Developer error: unrecognised logging variable '$vname'!
        00020000:6: Developer error: unrecognised logging domain in '$prodsub'!

It would also help to have the name of the process that logged the message.

These messages occur when a feature tries to log, read, or write a control flag for a logging product or subset that does not exist (the initial four digits of a log number). It is also possible that these logs are being generated by code that is attempting to map command line options, GUI elements, db variables, etc., to log control variables.

Impact:
If these messages are coming from a feature, that feature is not successfully logging. If these messages are coming from some kind of bridge between command line options, GUI elements, db variables, or log control variables, then the knob or control does not work.

Recommended Action:
If these messages are the result of a miscoded feature, then the feature has never been able to send logs, and there is no work-around for the problem.

If these messages are the result of a miscoded control knob (command line option, GUI element, db variable, etc.), then that control knob will not work, but the associated logs can still be controlled via Common Logging Framework objects (Publishers, Destinations, and Filters).

In either case, please file a bug.


01010001 : %s starting

Location:
/var/log/ltm

Conditions:
Example:
01010001:5: pgo_use x86_64 padc TMM Version 13.0.0.0.0.1622 starting

The message is emitted at 'notice' priority, and is an announcement that the given TMM instance has started. It is always emitted, and provides the target, architecture, and build version for the TMM executable.

Impact:
The appearance of this message indicates system health. Its presence is useful for locating the point in the logs where TMM instances start.

Recommended Action:
None.


01010004 : Memory allocation failed: %s

Location:
/var/log/ltm

Conditions:
This error occurs when there is not enough free memory left in the system to allocate the required amount for a software module.

Impact:
The impact could range from some of the functionality being briefly delayed until more memory becomes available to a significantly more damaging issue, such as the system failing to allocate memory for new connections, causing the system to become unusable.

Recommended Action:
If possible, provision more memory to TMM.
Use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.


01010007 : "Config error: %s"

Location:
/var/log/ltm

Conditions:
The following configuration error messages point to a failure in setting up internal services necessary for the Network Access feature in APM to work.
- Config error: Access forwarding virtual create failed.
- Config error: Access HTTP forwarding virtual create failed.

The following configuration error message points to a failure in setting up internal services necessary for the Portal Access feature in APM to work.
- Config error: Access portal virtual create failed.

Impact:
Network Access feature in APM will not work.
- Config error: Access forwarding virtual create failed.
- Config error: Access HTTP forwarding virtual create failed.

Portal Access feature in APM will not work.
- Config error: Access portal virtual create failed.

Recommended Action:
This issue might be a result of invalid configuration. Please reload configuration using 'tmsh load sys config'. The output of config reload should be without error.


01010011 : Persistence cookie hash failed

Location:
/var/log/ltm

Conditions:
This error can occur when, for a given persistence profile, a cookie hash entry (in the profile's persistence table) is either invalid or becomes stale, compared to the expected HTTP cookie header in the server side response from a pool member requiring persisted connections. The length of the HTTP cookie header probably exceeds the offset of the cookie hash specified in the persistence profile.

Impact:
This error indicates an invalid cookie hash persistence entry and, as a result, connections might not be persisted for the expected pool or pool members. Instead the default load-balancing method is applied.

Recommended Action:
Either of the following actions can help to solve the problem:
1. Correct the cookie hash entry in the persistence profile, by changing the cookie hash offset or length, to accommodate the HTTP cookie in the server side response for the correct parsing of the cookie hash.
2. Change the HTTP cookie header in the server side response, on the pool member requiring persistent connections, to accommodate the expected cookie hash in the related persistence profile.


01010013 : database size increased by %d bytes, %d total

Location:
/var/log/ltm

Conditions:
This message is an informative message that is logged when the BIG-IP configuration database needs to be extended. It does not necessarily reflect an error.

Impact:
None.

Recommended Action:
None.


01010019 : Caught signal %d, exiting

Location:
/var/log/ltm

Conditions:
Example:
01010019:5: Caught signal 2, exiting

The message is emitted at 'notice' priority, and is an announcement that the TMM has received either a SIGINT (2) or a SIGKILL (15) signal. The most common way to send TMM one of these signals is with the 'kill' command from the BIG-IP device's root shell.

The 'kill' command requires the process identifier ("pid") for the targeted executable. To find the list of pids for TMM, from the root shell, enter the following command:

cat /var/run/tmm.*.pid | sort -un

On a running BIG-IP system, one or two pids will be displayed. Choose either pid, substituting the number into the command "kill -INT ____". For example:

[root@bigip:Active:Standalone] log # cat /var/run/tmm.*.pid | sort -un
20050
[root@bigip:Active:Standalone] log # kill -INT 20050
[root@bigip:Active:Standalone] log # Jan 26 16:12:14 bigip emerg logger: Re-starting tmm
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm1
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm2
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm3
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm4
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm5
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm6
Jan 26 16:12:15 bigip emerg logger: Re-starting tmm7
# grep 01010019 /var/log/ltm
Jan 26 16:12:13 bigip notice tmm[20050]: 01010019:5: Caught signal 2, exiting

Impact:
When a TMM process instance receives a SIGINT or SIGKILL signal, all TMM instances are restarted immediately. No core file is produced. On systems where multiple TMM processes are running, tmm.start will detect the termination of any of its child TMM process instances and display the following message:

notice tmm.start: /etc/bigstart/scripts/tmm.start caught SIGCHILD, sending SIGTERM to all remaining tmms

This assures that if any TMM process is terminated for any reason, all TMM processes are restarted.

Recommended Action:
It is abnormal for SIGINT or SIGKILL to be sent to a process. If this message is seen in the logs, it indicates that a TMM process received the indicated signal. F5 Networks is not aware of any way this can occur, other than through the action of a root user at the bash shell prompt. Blocking access to the root ("Advanced") shell, or selecting Appliance Mode in the BIG-IP license should eliminate the possibility of seeing this message.


01010020 : MCP Connection %s, exiting

Location:
/var/log/ltm

Conditions:
MCP connection is closed, aborted, or expired after tmm saw any data coming from mcp. It might happen due to any connectivity problems between tmm and mcp or mcp being down.

Impact:
It is a critical error for TMM. It restarts. Attempts to reconnect will be made after that.

Recommended Action:
Verify that mcpd is up, and consider restarting it. Inspect /var/log/ltm to find mcpd messages pointing to the reason of failure.


01010027 : Unable to attach to PCI device %02x:%02x.%02x

Location:
/var/log/ltm

Conditions:
At startup, tmm attaches to several hardware acceleration devices (network devices such as kernel interfaces, HSB DMA engines, ssl crypto, and compression devices). Any failure to initialize a device results in the 'Unable to attach' with the specific PCI bus:slot.func coordinates.

Impact:
Device will not be used by tmm and could impact traffic passing, or result in fallback to software compression or crypto.

Recommended Action:
Restart tmm. System reboot. Potential RMA.


01010028 : No members available for pool %s

Location:
/var/log/ltm

Conditions:
The probable cause for this message is external to the BIG-IP system: the pool members (servers) are all either down or unreachable. Additionally, this message could also be caused by a hardware or software issue on the BIG-IP itself.

Impact:
Services that require access to members of the given pool log errors and cease to function.

Recommended Action:
Find and correct the server access problem following typical server connectivity debugging processes.


01010029 : Clock advanced by %u ticks

Location:
/var/log/ltm

Conditions:
This message will be logged if the tmm clock is modified by more than 100 ticks at once after tmm is ready. This could indicate a situation where the TMM might be preempted or has a lagging clock, or an NTP message was received with a large difference in time.

Impact:
The tmm common ticks which affects flow timeouts, TCP timestamps etc will be abruptly incremented.

Recommended Action:
After ensuring that the time/NTP server is correctly set on the blade(s) and chassis, reboot the BIG-IP once to ensure that the tmms are correctly synchronized to the NTP time.


01010038 : Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d

Location:
/var/log/ltm

Conditions:
A virtual server is under high load such that the outstanding SYN cookie threshold is reached. The threshold is configured with the default-vs-syn-challenge-threshold LTM global-settings connection property.

Impact:
While the per-virtual server SYN cookie threshold is reached, SYN cookies will not be issued on the virtual server. Connections will be established without SYN cookies.

Recommended Action:
Investigate whether the traffic load is normal or excessive. The SYN cookie threshold might be reached due to a normal spike in traffic or an attack.


01010040 : Clock has unexpectedly adjusted by %lld ms

Location:
/var/log/ltm

Conditions:
Internal TMM clock adjustment occurred.

Impact:
TMM might be unable to converge on an accurate representation of its internal time. TMM clock has been advanced by more ticks than expected. This can indicate that TMM has been preempted or has a lagging clock.

Recommended Action:
If this message occurs routinely, contact support.


01010044 : "%s feature %s licensed"

Location:
/var/log/ltm

Conditions:
This message does not necessarily denote a problem. It displays the license status of BIG-IP device's component.
When status for component X is "licensed", this log displays the message:
Component X is licensed.
When the component is not licensed, the message is:
Component X is NOT licensed.

Impact:
If the message is "Component X is licensed", there is no impact. It is an informative message.
If the message is "Component X is not licensed", then you cannot use the mentioned component/feature.

Recommended Action:
If you want to use a component that is not currently licensed, you need to activate the license.


01010045 : Bandwidth utilization is %d Mbps, exceeded %d%% of Licensed %d Mbps

Location:
/var/log/ltm

Conditions:
This message appears when the system is using more bandwidth that it was licensed to use.

Impact:
The system will not perform at its full potential with a limited license.

Recommended Action:
A license with better bandwidth utilization would stop this message from appearing.


01010054 : tmrouted connection %s

Location:
/var/log/ltm

Conditions:
The connection between the tmrouted daemon and TMM has been lost.

Impact:
This is expected behavior during shutdown or restart. If it occurs during normal operation examine system log files for indications as to the behavior of the tmrouted daemon, which likely restarted. If the tmrouted deamon restarts, dynamic routing will be interrupted.

Recommended Action:
Look for tmrouted corefiles and tmrouted log messages in /var/log/ltm.


01010056 : Syncookie counter %d exceeded vip threshold %u for virtual = %s

Location:
/var/log/ltm

Conditions:
A virtual server configured with traffic-matching-profile is under high load such that the outstanding SYN cookie threshold is reached. The threshold is configured with the default-vs-syn-challenge-threshold LTM global-settings connection property.

Impact:
While the per-virtual server SYN cookie threshold is reached, SYN cookies will not be issued on the virtual server. Connections will be established without SYN cookies.

Recommended Action:
Investigate whether the traffic load is normal or excessive. The SYN cookie threshold might be reached due to a normal spike in traffic or an attack.


01010201 : Inet port exhaustion on %*A to %*A%c%d (proto %d)

Location:
/var/log/ltm

Conditions:
This error appears on a system when an unused ephemeral port cannot be found by using the ephemeral port search criteria. Variables specify the lost IP address and port connection due to this condition. The search criteria defaults to 16 random attempts, with 16 linear attempts. A single IP address can choose from about 64k ports, so not finding a port indicates that the system is using over 60k ports. The exact number of ports in use is unknown, because the algorithm discovers open ephemeral ports through a methodology, instead of counting ports. The results of the algorithm are approximately 64k ports.

Impact:
When this error occurs, the port-find functionality fails and the connection is lost.

Recommended Action:
There is no workaround for this error. The algorithm stops when this error is written to /var/log/ltm. To mitigate this condition, a warning message is available in BIG-IP version 12.0, indicating that the port-find functionality is heavily loaded (statistically 80% to 90% of the 64k ports in use). You can use an SNMP trap to alert this message, and inform the client to add more virtual IP's the system, relieving the heavily loaded connections.


01010213 : L3 Address LB method deprecated; using 'Least Connections' for pool %s

Location:
/var/log/ltm

Conditions:
A virtual server is configured with L3 Address load balancing method.

Impact:
The Least Connections load balancing method will be used instead of the deprecated L3 ADDR load balancing method.

Recommended Action:
Set the virtual server load balancing method to Least Connections. or other desired load balancing method.


01010216 : DNSSEC: Signature failed (%s) for RRSET (%s, %lu) with key %s, generation %llu.

Location:
/var/log/ltm

Conditions:
Unable to sign RRSet. See error for more details. Typically this is due to the device running out of memory, but could also be due to the device experiencing a heavier than usual load.

Impact:
RRSet will not be signed.

Recommended Action:
If this is memory related, use the command 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.


01010221 : Pool %s now has available members

Location:
/var/log/ltm

Conditions:
A pool with no available members now has available members. The pool may have had no available members due to administrative action, monitors, connection limits, or other constraints on pool member selection.

Impact:
This indicates that traffic is now load-balanced to the available member as desired.

Recommended Action:
None.


01010225 : Failure to query dns-express db (%s)

Location:
/var/log/ltm

Conditions:
This log messages covers a variety of errors that indicate a query to the DNS Express database was not successful. The possible reasons include the database not being readable and malformed queries.

Impact:
Generally, a query in this situation will continue to be processed according to the DNS Profile configuration. An AXFR request to the BIG-IP will result in either a SERVFAIL or FORMERR response to the requesting client.

Recommended Action:
This message should be used in conjunction with other log messages to determine impact to the system.


01010231 : DNSSEC: Did not add RRSIGs to response RR set (owner: %s).

Location:
/var/log/ltm

Conditions:
Tmm has detected that it should have signed a dns response with a dnssec key but didn't add a resource record signature.

Impact:
The current dns response will be dropped.

Recommended Action:
The message indicates a problem signing a resource record using a dnssec key. Other log messages might indicate why a particular key failed to sign the resource record, and should be investigated to verify that the information associated with the dnssec keys is correct.


01010235 : Inet port find called for pg %d with invalid cmp state %x

Location:
It can happen when current TMM's CMP state is invalid or the target TMM is down.

Conditions:
This error message appears when a TMM runs port find for a target TMM that is not active based on current CMP state. A TMM in BIGIP is identified as {PG, PU}. PG refers to slot index and PU refers to TMM index on the slot. This error message complains the PG of the target TMM is down based on current CMP state.

Impact:
It might cause flow connections to fail.

Recommended Action:
No workaround. Reboot if the problem persists.


01010239 : LSN error: %s

Location:
LTM log

Conditions:
An LSN pool is configured, but the CGNAT module is not licensed and provisioned.

Impact:
The CGNAT configuration is ignored by TMM until the CGNAT module is licensed and provisioned. No other negative impacts.

Recommended Action:
License and provision the CGNAT module.


01010240 : Syncookie HW mode activated, server = %A:%d, HSB modId = %d

Location:
/var/log/ltm

Conditions:
This message indicates that the BIG-IP device has detected a syncookie DOS attack and activated hardware syncookie protection mode on the HSB.

Impact:
This is an information message regarding hardware syncookie protection state on the BIG-IP device. it does not indicate any operation error. Refer to https://support.f5.com/csp/article/K14813 for more information on detecting and mitigating DoS/DDoS attacks.

Recommended Action:
None.


01010241 : Syncookie HW mode exited, server = %A:%d, HSB modId = %d from %s

Location:
/var/log/ltm

Conditions:
When HSB exits hardware syncookie protection mode on the BIG-IP device. It indicates that the BIG-IP device detects that the syncookie DOS attack has stopped.

Impact:
This is an information message regrading hardware syncookie protection state on the BIG-IP device. It is not an error message. Refer to https://support.f5.com/csp/article/K14813 for more information on detecting and mitigating DoS/DDoS attacks.

Recommended Action:
None.


01010250 : Pool member %A:%u exceeded configured rate limit.

Location:
/var/log/ltm

Conditions:
If this message appears, the configured number of allowed new connections per second for pool member has been exceeded.

Impact:
New connections for pool member are created faster than allowed in configuration. The BIG-IP device prevented an excessive number of connection requests to this pool member. Connections still might have been established after a retry to the other pool member.
This might indicate that the pool member is a target for more connections than it was configured to handle. If all pool members report this problem at the same time, the virtual server might be experiencing a high-demand traffic event or be under Denial of Service (DoS) attack.

Recommended Action:
Rate limit can be changed as described in Manual: Setting Connection Limits (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-2-1/30.html).


01010251 : Virtual %s exceeded configured rate limit.

Location:
/var/log/ltm

Conditions:
If this message appears, the configured number of allowed new connections per second for virtual server has been exceeded.

Impact:
New connections for virtual server are created faster than allowed in configuration. Thus, the BIG-IP device prevented an excessive number of connection requests. This might indicate that virtual server is during high-demand traffic event or under Denial of Service (DoS) attack.

Recommended Action:
Rate limit can be changed as described in Manual: Setting Connection Limits (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-2-1/30.html).


01010259 : External Datagroup (%s) %s.

Location:
/var/log/tmm.x, where x indicates the tmm thread number.

Conditions:
All variants of the message are related to operations on externals datagroups (see ttps://devcentral.f5.com/articles/the101-irules-101-datagroups-amp-tables ). These operations are conducted by an administrator through a configuration interface (web GUI, tmsh CLI, or by script) and include datagroup creation, update, and deletion.

- "queued" and "queued for update": This is not an error. The message indicates that tmm started processing external datagroup file (for datagroup creation or update, respectively).

- "creation finished" and "update finished": This is not an error. The message indicates that tmm successfully finished processing external datagroup file (for datagroup creation or update, respectively).

- "deleted": This is not an error. The message indicates that processing of external datagroup file was cancelled, because datagroup was deleted.

- "failed": Processing of external datagroup file failed. Either tmm is out of memory or a TCL error occurred.

Impact:
Only a "failed" message indicates an error: An external datagroup was not created nor updated (depending on operation requested).

Recommended Action:
For a "failed" message: Check for excessive memory usage using 'ps aux --sort -rss | head'. Consider restarting the processes consuming too much memory. If there is no excessive memory usage, file a bug. Try re-issuing datagroup operation.


01010260 : Hardware Error(%s): %s %s

Location:
/var/log/tmm.n, where n is the specific TMM on the BIG-IP that detected the problem.

Conditions:
Occurs when the driver for the Cavium NITROX security co-processor detects a hardware failure.

Impact:
Hardware offloading of SSL traffic will stop and all SSL processing will be done in software. This may result in a performance degradation.

Recommended Action:
Shutdown (power off) the BIG-IP and then restart it. If the problem occurs again, please contact F5 Support for assistance.


01010273 : Access policy Configuration object: [%s] not found

Location:
/var/log/apm

Conditions:
This message will never appear in a good BIG-IP policy configuration environment. This can appear only if an access policy configuration in the BIG-IP system gets corrupted for some reason. The situation it is reporting, when it receives an access policy item modification or deletion (which should have an association with it parent "access policy" object), but could not find its parent "access policy" object.

Impact:
None.

Recommended Action:
Edit the BIG-IP access policy config and remove reported access policy item.


01010274 : Access Policy and Access Policy Item join failed: [%s] not found

Location:
/var/log/apm

Conditions:
This error might appear during a resolve relation between "access policy item" and "access policy". Each access policy has one or more access policy items. At the end of access policy configuration modification process, it is required to resolve all relationships between access policy items within access policy. During this process, if any relationship is broken, mostly due to configuration corruption, it reports this error.

Impact:
There is no direct impact on the system, as it ignores the missing relationship. However, the access policy might not work the way it supposed to, as the reported "access policy item" will not appear in the configuration.
This situation will appear only if the BIG-IP access policy configuration gets corrupted.

Recommended Action:
Edit the access policy and reload.


01010276 : FTPS warning: Security policy disabled for %A%%%u:%u due to explicit FTPS mode negotiation

Location:
/var/log/ltm

Conditions:
When we enter explicit FTPS mode, the ASM profile must be disabled; otherwise, it tries to evaluate encrypted data to make firewall decisions.

Impact:
The configured ASM profile cannot function.

Recommended Action:
Reconfiguration is required. Don't use FTPS with ASM. Refer to the following devcentral article: https://devcentral.f5.com/articles/ftps-offload-via-irules


01010290 : TCP: Memory pressure activated

Location:
/var/log/ltm

Conditions:
TMM has used more memory than the threshold specified in the sys db variable TM.TCPMemoryPressure.lowater (in percent).

Impact:
TCP memory pressure has been reached. TMM might drop payload data or entire packets until memory usage falls below the threshold.

Recommended Action:
Occasionally seeing this message is not necessarily an issue, but might indicate that the TMM needs more available memory. Restarting the TMM might be sufficient to reduce the TMM's memory usage, but the messages are likely to return if the TMM does not have enough memory. Methods to increase the memory available to the TMM include increasing the provisioning level of the LTM module, reducing the amount of traffic directed towards the BIG-IP system, and (on vCMP guests and VE) increasing the memory allocated to the BIG-IP system. TMM memory usage can be observed with the "tmstat" command.


01010291 : TCP: Memory pressure deactivated. Dropped %llu packets, %llu bytes

Location:
/var/log/ltm

Conditions:
TMM was using more memory than the threshold specified in the sys db variable TM.TCPMemoryPressure.lowater (in percent), and memory usage is now below the threshold.

Impact:
TCP memory pressure had been reached, and has now subsided. TMM dropped payload data and/or entire packets as specified in the message.

Recommended Action:
Occasionally seeing this message is not necessarily an issue, but might indicate that the TMM needs more available memory. Restarting the TMM might be sufficient to reduce the TMM's memory usage, but the messages are likely to return if the TMM does not have enough memory. Methods to increase the memory available to the TMM include increasing the provisioning level of the LTM module, reducing the amount of traffic directed towards the BIG-IP system, and upgrading the memory of the BIG-IP system. TMM memory usage can be observed with the "tmstat" command.


01010300 : BDoS: (TMM) Histogram (%p) %s for context %s (ref cnt %d).

Location:
/var/log/bdosd.log

Conditions:
BDoS (dynamic-signature) is enabled/disabled per context.

Impact:
None. This is a log message that displays histogram memory ref count state and is logged only when log.tmm.level is set to level Debug.

Recommended Action:
To disable logging this message, change log.tmm.level to a log level other than Debug.


01010301 : BDoS: (TMM) %s failure for context %s - %s (error %s).

Location:
/var/log/bdosd.log

Conditions:
TMM fails to create BDoS histogram memory for a specific context (device or virtual server) when dynamic-signature feature is enabled on that context. This might happen mainly due to OOM condition.

Impact:
This error message indicates that TMM is unable to enforce the BDoS dynamic-signature feature for the specific context for which the message is logged.

Recommended Action:
None.


01010302 : BDoS: (TMM) %s signature (%s) for context %s at idx %u (detection=%u mitigation=%u state=%s transient=%s retired=%s).

Location:
/var/log/bdosd.log

Conditions:
A new (AFM) BDoS dynamic signature is generated (or an existing signature is updated) by the AFM bdosd daemon during an attack, and the signature create/update message is sent to the tmm daemon for enforcement.

Impact:
None. This is an informational/debug message that is logged only if log.tmm.level is set to level Debug.

Recommended Action:
To disable logging this message, change log.tmm.level to a log level other than Debug.


01010303 : BDoS: (TMM) signature (%s) removed (at idx %u of signature table) from context %s.

Location:
/var/log/bdosd.log

Conditions:
A BDoS dynamic signature is being removed via a remove message received from the bdosd daemon.

Impact:
None. This informational/debug message is logged in TMM only if log.tmm.level is set to level Debug.

Recommended Action:
None.


01010305 : BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s l4_bdos_licensed=%s bdos_feature_enabled=%s detection=%s

Location:
/var/log/bdosd.log

Conditions:
Debug log message that displays AFM/DHD module provision status, as well as l4bdos feature flag license state.

Impact:
None. This is an informational/debug message that is logged whenever if log.tmm.level is set to debug level.

Recommended Action:
None.


01010307 : Memory allocation failed: %s %s

Location:
/var/log/ltm

Conditions:
The message can appear during crypto operations if an allocation request fails to deliver the requested block size.

Impact:
This is an out-of-memory condition. The primary response is to drop the flow associated with the failed allocation request.

Recommended Action:
None.


01010308 : Access Policy update: %s End Txn Failed (%d)

Location:
/var/log/apm, GUI

Conditions:
This error is triggered due to some error in MCPD or in the communication with MCPD. The error represents something observed by a consumer and hence, the source of the error (either in the producer or framework) cannot be ascertained easily.

Impact:
Creation or update of a Per-Request Access policy or its components might not occur.

Recommended Action:
This might be a transient error and might succeed on retry. If this is due to problems in MCPD, restarting MCPD might be necessary.


01010309 : Access Policy(%s) update: Subroutine properties can be only assigned to Access policy of type subroutine

Location:
/var/log/ltm

Conditions:
A subroutine-properties object (tmsh list apm policy subroutine-properties) has been associated with an access-policy object (includes per-request policies and access policy macros) that is not of type subroutine. This is an invalid configuration.

Impact:
This is an invalid configuration. The policy might fail to execute as expected

Recommended Action:
Find the access-policy object and remove the subroutine-properties from it.


01010310 : Incomplete hud chain for listener: %s

Location:
/var/log/ltm

Conditions:
A virtual server has been changed so that the client-side and server-side protocol profiles assigned to the virtual server are the same profile.

Impact:
The virtual server will be ignored, that is, connections to the virtual server will not be accepted.

Recommended Action:
Check the virtual server's client-side and server-side profile configuration and try again.


01010311 : Failed to configure VDI-enabled listener %s: %En

Location:
/var/log/ltm

Conditions:
For a virtual server on a specific VLAN with a VDI profile assigned, an attempt has been made to enable TCP connection redirections.

Impact:
An attempt to create or update a VDI-enabled virtual server will fail. The specifier in the format string will, in this case, give a particular error code to what has actually happened.

Recommended Action:
No known workaround. It is recommended to escalate to F5 if this error happens repeatedly.


01010313 : Profile %s create failed.

Location:
/var/log/ltm

Conditions:
A generic error in tmm profile update handler.

Impact:
The profile update operation might have not been completed successfully.

Recommended Action:
Check your profile update operation for a possible error.


01010314 : profile %s update: bad profile

Location:
/var/log/ltm

Conditions:
The tmm receives a profile update message, but the profile cannot be found.
The profile could have been already deleted or the create operation failed.

Impact:
The system might not function as expected.

Recommended Action:
Check that profile creation, updates, and deletions follow the expected sequence.


01010315 : Agent [%s] update: Invalid event validate

Location:
/var/log/ltm

Conditions:
The update event received by the TMM is not one of the recognized types. This can indicate a serious communication problem between the TMM and MCPD.

Impact:
Agent update was not processed.

Recommended Action:
None.


01010316 : Agent [%s] update: agent clone failed

Location:
/var/log/ltm

Conditions:
While processing an update to an agent, the TMM attempted to copy an existing agent object, but this cloning process failed.

Impact:
The agent was not successfully cloned, so the policy did not properly load into TMM. End-users might experience resets.

Recommended Action:
Updating the agent again might allow the agent to properly load.


01010317 : Agent [%s] update: agent store failed

Location:
/var/log/ltm

Conditions:
The TMM attempted to add the agent object to a collection, but failed. The failure could be due to memory pressure. It could also be due to finding a duplicate entry.

Impact:
The updated agent was not added to the collection, so the dataplane will not be able to find the updated agent. The old configuration might be used, or the dataplane might fail to find an instance of the agent object, resulting in resets.

Recommended Action:
None.


01010318 : Agent [%s] update: agent construct failed

Location:
/var/log/ltm

Conditions:
Agent construction failed. This could be due to memory pressure, or failure to retrieve fields from MCP.

Impact:
An update of agent failed to process. An old configuration might be used, or the dataplane might fail to find an instance of the object, resulting in resets.

Recommended Action:
None.


01010322 : pem protocol profile gx modify {%s}: invalid

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent Gx protocol profile.

Impact:
The Gx protocol profile modification operation will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid Gx protocol profile prior to performing any operations on it.


01010323 : {%s, %s}: protocol message cannot be deleted, error %E

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent Gx protocol message within a valid Gx protocol profile.

Impact:
The Gx protocol message modification within a Gx protocol profile will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid Gx protocol message in a Gx protocol profile prior to performing any operations on it.


01010324 : {%s, %s}: not found, cannot modify.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent RADIUS or Gx protocol message within a valid protocol profile.

Impact:
The RADIUS or Gx protocol message modification within a protocol profile will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS or Gx protocol message in a protocol profile prior to performing any operations on it.


01010325 : pem protocol profile radius modify {%s}: invalid

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent RADIUS protocol profile.

Impact:
The RADIUS protocol profile modification will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS protocol profile prior to performing any operations on it.


01010326 : {%s, %s}: protocol message cannot be deleted, error %E

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a RADIUS protocol message that has some deletion restrictions on it. One such restriction could be an invalid or unconfigured message.

Impact:
The RADIUS protocol message deletion will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS protocol message prior to performing any operations on it.


01010327 : {%s, %s}: not found, cannot modify.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent RADIUS or Gx protocol message within a valid protocol profile.

Impact:
The RADIUS or Gx protocol message modification within a protocol profile will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS or Gx protocol message in a protocol profile prior to performing any operations on it.


01010328 : BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s dns_bdos_licensed=%s detection=%s

Location:
/var/log/bdosd.log

Conditions:
Debug log message that displays AFM/DHD module provision status as well as dns_bdos feature flag license state.

Impact:
None. This is an informational/debug message that is logged whenever log.tmm.level is set to debug level.

Recommended Action:
To disable logging this message, change log.tmm.level to non-debug level.


01010329 : BDoS: (TMM) Signature %s: threshold_mode=%s detection=%u mitigation_curr=%llu

Location:
/var/log/bdosd.log

Conditions:
There is an ongoing DDoS attack.

Impact:
The debug log message shows the current threshold mode, detection and mitigation (rate limit) values for an existing AFM BDoS signature that is being used to mitigate a DDoS attack. This message is logged only if log.tmm.level is set to level Debug.

Recommended Action:
To disable the log message, change log.tmm.level to a log level other than Debug.


01010330 : Failed to register the Neuron App %s with the Neuron client

Location:
/val/log/ltm

Conditions:
A tmm reports that it can not register with the neurond daemon:

May 25 07:28:06 mewtwo err tmm2[14613]: 01010330:3: Failed to register the Neuron App neuron_client_tmm_bigproto with the Neuron client

The neurond is not running or enabled. Check the neurond logs and running status.

Impact:
The function in the application that tries to register with the Neuron daemon will not be available.

Recommended Action:
None.


01010331 : Neuron client %s failed with %s(%s)

Location:
/var/log/ltm

Conditions:
Neuron daemon reports the failure and the reason for the failure of an API call from the application that initiates the API call:

May 11 06:24:15 i10800-R22-S20 err tmm[25098]: 01010329:3: Neuron client neuron_client_tmm_epva_fix failed with client request submit(client connection is busy (has outstanding requests))

The neuron daemon cannot finish the API request from the client, and the Neuron SDK returns an error code that corresponds to the error message sent back to the client.

Impact:
The client functions that are specified in the API cannot complete. The application might retry or bail out, depending on the application implementation, which might affect the application functions that depend on Neuron.

Recommended Action:
There is no workaround without interrupting the operation. The neurond daemon might be restarted to see if the Neuron chip can recover.


01010332 : Neuron application %s registered

Location:
/var/log/ltm

Conditions:
Informational message showing that an application that requires Neuron functionality has successfully registered with the Neuron daemon:

May 11 06:24:15 i10800-R22-S20 notice tmm[25098]: 01010332:3: Neuron application bigproto registered

An application that requires Neuron functionality registered with the Neuron daemon during startup time.

Impact:
None.

Recommended Action:
None.


01010334 : DNS Express will not be initialized because TMM has more than 32 threads.

Location:
/var/log/tmm

Conditions:
tmm is configured in such a way to use more than 32 threads.

Impact:
DNS Express will not be available, but all other DNS profile capabilities will continue to function.

Recommended Action:
If DNS Express is not being used, no action is required. If DNS Express is desired, changing the configuration to use less than 32 threads is necessary. This is likely only to be observed when htsplit has been disabled, so verify that the DB variable scheduler.splitplanes.ltm is set to "true", the default value, with the command "list sys db scheduler.splitplanes.ltm".


01010336 : listener binding ERR=%d %s listener %s %A:%d FAIL

Location:
/var/log/tmm, /var/log/tmm1, /var/log/tmm2, and so on.

Conditions:
An attempt was made to add an IKEv1 or IKEv2 listener for a tunnel. This failure could be due to duplication, which happens if both IKEv1 and IKEv2 try to use the same tunnel local IP address (which is not supported).

Impact:
The IPsec tunnel does not work, and cannot pass traffic. When both IKEv1 and IKEv2 listeners try to use the same tunnel local IP address, the second attempt to add a listener fails, regardless of whether the listener is IKEv1 or IKEv2.

Recommended Action:
Try to determine if a configuration policy uses the same local IP address in tunnels for both IKEv1 and IKEv2, and if so, change the configuration to avoid competition for that IP address.

If something else is causing the problem, no workaround is known at this time.

Changing the configuration should take effect and work immediately without a restart. However, a restart might clear up any confused state.


01010337 : NOTE: avoid common IPsec v1 and v2 tunnel local addr

Location:
/var/log/tmm, /var/log/tmm1, /var/log/tmm2, and so on.

Conditions:
IKEv1 and IKEv2 might have been competing for the same local IP address. (A tunnel's local IP address should be used for IKEv1 or IKEv2 only, but not both.)

Impact:
The attempt to add a listener for a tunnel failed, due an existing listener being duplicated.

Recommended Action:
Check whether configurations for IKEv1 and IKEv2 accidentally use the same local IP address. Ensure that only one uses a given local IP address.

The fix should take effect immediately and a restart should not be required.


01010342 : Disabled TCP HW checksum offloading automatically disables TCP Segmentation Offload (TSO)

Location:
/var/log/ltm

Conditions:
A BigDB variable for TCP HW checksum offloading (tm.tcpudptxchecksum value software-only) is disabled.

Impact:
The BIG-IP system automatically disables TCP Segmentation Offload (TSO), thereby preventing an incorrect configuration.

Recommended Action:
None.


01010343 : Syncookie SW mode activated, server = %A:%d

Location:
/var/log/ltm

Conditions:
The SYN cookie feature is enabled on a BIG-IP Virtual Edition (VE) platform, and the system has detected a SYN flood attack.

Impact:
The platform enters software SYN cookie protection mode. When this happens, packets on this virtual server are validated for SYN cookies in order to protect the system from SYN flood attacks.

Recommended Action:
None.


01010344 : Syncookie SW mode exited, server = %A:%d

Location:
/var/log/ltm

Conditions:
The SYN cookie feature is enabled on a BIG-IP Virtual Edition (VE) platform, and the system has detected a SYN flood attack.

Impact:
The platform enters software SYN cookie protection mode. When the platform exits the SYN cookie state, the platform returns to a normal operation state.

Recommended Action:
None.


01010346 : [LTM LB][%C]%s

Location:
/var/log/ltm

Conditions:
The new "LB::enable_decisionlog" iRule command has been executed on a virtual server. This command is intended to help F5 Engineering Services debug LTM load-balancing issues.

Impact:
Extra logging to /var/log/ltm occurs, possibly resulting in reduced performance.

Recommended Action:
This message is for debugging LTM load-balancing issues, and does not need a workaround. It only appears when explicitly enabled. It is recommended that this feature only be enabled with the guidance of F5 Engineering Services.


01010347 : DynaD activated

Location:
/var/log/ltm

Conditions:
The DynaD feature is activated via the associated tmsh command (tmsh modify sys dynad instrumentation <script> active true).

Impact:
The system logs a notification message to indicate that an attempt was made to activate the DynaD feature.

Recommended Action:
None.


01010348 : DynaD inactivated

Location:
/var/log/ltm

Conditions:
This log message occurs when the DynaD feature is inactivated via the associated tmsh command (tmsh modify sys dynad instrumentation <script> active false).

Impact:
The system logs a notification message to indicate that an attempt was made to inactivate the DynaD feature.

Recommended Action:
None.


01010348 : Access Policy(%s) update: Customization group set can be only assigned to Access policy of type per-request

Location:
/var/log/ltm

Conditions:
A customization-group-set object (tmsh list apm policy customization-group-set) has been associated with an access-policy object (includes per-request policies and access policy macros) that is not of type per-request policy.

Impact:
This is an invalid configuration. The policy might fail to execute as expected.

Recommended Action:
Find the customization-group-set object and correct access-policy name in it or delete this object. Then reload the BIG-IP configuration.


01010349 : DNSSEC: Failed to parse DS record string (%s): %s

Location:
/var/log/ltm

Conditions:
When BIG-IP signs both the zone and the parent zone, it should respond to DS queries directly. This issue occurs when adding a DS record for a zone when the DS record doesn't have proper format, resulting in parse failures.

Impact:
Failure to add DS Record

Recommended Action:
Verify the format of the DS Record has proper format.


01010355 : DNS: Awaiting full DNSSEC Key %s Generation %llu from MCP

Location:
var/log/ltm

Conditions:
A DNSSEC key generation is in the process of being created, but tmm hasn't yet received the crypto portion that it needs for signing.

Impact:
This is a log level notice message and does not represent an error. It is signalling that a given DNSSEC key generation cannot be used to sign responses until the full DNSSEC key generation is received by tmm. This generally takes a second or two, at most, to be resolved.

Recommended Action:
None.


01010356 : %s: filter '%s' init failed.

Location:
/var/log/ltm

Conditions:
The initialization of a traffic filter has failed.

Impact:
The filter won't work, and traffic might be denied or dropped.

Recommended Action:
If the virtual server causing the filter to fail is known, delete and recreate the virtual server. Otherwise, reload the configuration.


01010364 : Hybrid fixed-policy setting change: from %d to %d.

Location:
/var/log/ltm

Conditions:
TMM is starting or the command "tmsh modify sys crypto acceleration-strategy fixed-ratio <value>" is run to set the new value.

Impact:
None. This is an informational message for the crypto operation offload hybrid-mode setting change.

Recommended Action:
None.


01020037 : The requested %s (%s) already exists

Location:
/var/log/ltm

Conditions:
A client is attempting to create a non-partitioned object that already exists in the database. The primary key for the object must be unique.

Impact:
The client's transaction will fail.

Recommended Action:
Change the value used for the object's primary key, and resubmit the transaction.


01020066 : The requested %s (%s) already exists in partition %s

Location:
/var/log/ltm

Also, UI interfaces when a transaction fails.

Conditions:
This error message occurs when attempting to create something that already exists. This can happen in a variety of ways.

(1) Simple user error. Attempt to create an object that shares the same name or identifier. For example, creating two pools with the name 'poolA'. A less obvious one is uniqueness constraints, for example ltm node's address must be unique across all partitions.

(2) Reconfigure an iApp. iApp reconfigure tends to perform delete followed by create. Ordering internally matters for logical dependencies, and can come into conflict with referential integrity constraints.

(3) If a transaction contains multiple actions over a single object. For example, if you deleted an HTTP monitor `m1` followed by creating an HTTPS monitor, naming it `m1`, then attempted to sync. Other ways of creating such transactions can be done by using tmsh transactions functionality or merge loading of configuration.

Impact:
This can cause a validation error, sync to fail, or iApp deployment to fail.

Recommended Action:
(1) If a transaction contains multiple actions over a single object, separate them into two transactions. For example, if you deleted an HTTP monitor `m1` followed by creating an HTTPS monitor, naming it `m1`, and then attempted to sync.

(2) If it is an iApp, please open a support ticket.


0102006e : IP Address %s is invalid with netmask %s, must not be the same as network address.

Location:
Wherever log local0 points when mcp unittests are being run.

Conditions:
Unit test is run.

Impact:
None.

Recommended Action:
None.


0102006f : The string does not contain only space separated integers between 0 and 4294967295

Location:
/var/log/ltm

Conditions:
Generated by the LocalLB.ProfileDiameterSession and LocalLB.ProfileDiameterRouter iControls.
The error will be logged if the user attempts to store a number greater than 4294967295 or less than 0.

Impact:
When the error occurs, the iControl will send an error message and will not store the values in mcp.

Recommended Action:
The workaround is to make sure all the values stored by these iControls fall within the range of 0-4294967295.


01060001 : Service detected %s for %s:%u monitor %s.

Location:
/var/log/ltm

Conditions:
Example:
Service detected UP for my_service:80 monitor my_monitor_name.

This message is logged for each pool member when a change is detected for its associated monitor status. Possible status might be: "UP", "DOWN", "ENABLED", "DISABLED".

Impact:
This message might not itself indicate an error, as it merely reports the detected status-change. For example, an "UP" status upon system-start is to be expected, as is a change to "DISABLED" or "ENABLED" resulting from user-initiated action (such as user action through the xui or tmsh).

However, an unexpected "DOWN" status not resulting from intentional user-initiated action might indicate an issue, such as a failed server resource or an improperly configured monitor.

Recommended Action:
This message might not itself indicate an error, but a notification of a pool member status change due to monitor results, or user-initiated action. If an unexpected "DOWN" status is reported, the user should verify the server resource availability and ensure correct monitor configuration.


01060002 : Node address detected %s for %s monitor %s.

Location:
/var/log/ltm

Conditions:
Example:
Node address detected UP for 10.10.0.1 monitor my_monitor_name.

This message is logged for each node when a change is detected for its associated monitor status. Possible status may be: "UP", "DOWN", "ENABLED", "DISABLED".

Impact:
This message might not itself indicate an error, as it merely reports the detected status-change. For example, an "UP" status upon system-start is to be expected, as is a change to "DISABLED" or "ENABLED" resulting from user-initiated action (such as user-action through the xui or tmsh).

However, an unexpected "DOWN" status not resulting from intentional user-initiated action might indicate an issue, such as a failed node or an improperly configured node monitor.

Recommended Action:
This message might not itself indicate an error, but a notification of a node status change due to monitor results, or user-initiated action. If an unexpected "DOWN" status is reported, the user should verify the node availability and ensure correct monitor configuration.


01060110 : Lost connection to mcpd with error %d, will reinit connection.

Location:
/var/log/ltm

Conditions:
Example:
Lost connection to mcpd with error <some-error>, will reinit connection.

This message is logged when 'bigd' fails to successfully read a message from 'mcpd'. The 'bigd' process will then shut down and restart to attempt re-connection to 'mcpd'.

The 'mcpd' process might have halted due to system error, or manual administrator intervention. Under normal system behavior, if the 'mcpd' process has crashed, it will automatically be restarted and the 'bigd' process will successfully re-connect. This error-message might indicate the loss of communication with the 'mcpd' process while it is restarting.

Impact:
The 'bigd' process exists to report to the 'mcpd' process resource health (resulting from probe-responses or lack thereof for monitored resources). This message indicates 'bigd' has lost connection to 'mcpd', and thus must re-establish that connection.

Recommended Action:
No user intervention is required, as 'bigd' will attempt to re-establish its connection with 'mcpd'. Confirm the 'mcpd' process is successfully running, and is not halted due to manual administrator intervention or load-failure of an improper configuration.


01060111 : Open SSL error - %s

Location:
/var/log/ltm

Conditions:
SSL/TLS warning or error in communications.

Impact:
The impact will be encountered by the daemon that is logging the error, usually bigd. If bigd is the daemon logging the error, it means that a monitor is failing the SSL/TLS connection in the way described in the log text. The monitor will mark the pool members down for all pools it is associated with.

Recommended Action:
Determine which monitor is generating the errors by isolating the pool members that are failing. For more information on determining which pool member is failing, see SOL13768: Identifying which pool members are failing an SSL/TLS handshake.

Once you have identified the affected https monitor, first see SOL12531: Troubleshooting health monitors.

Check the monitor's cipher list to ensure that the cipher list is compatible with the pool members that it is connecting to. Do not put TLSv1_0 in the cipher list. Test your cipher list by running 'openssl ciphers <cipherlist>' at the command line using the cipher list from the monitor. For more information, see SOL16526: Configuring the SSL cipher strength for a custom HTTPS health monitor.

If you have a custom monitor connecting to a server running an old version of openssl, read SOL17183: The HTTPS monitor may incorrectly mark pool members down due to SSL SessionTicket Extension.


01060136 : Received links up - monitoring starts.

Location:
/var/log/ltm

Conditions:
Example (v11.6.0, and earlier):
Received links up - monitoring starts.

Example (v11.6.1, and later):
(_set_db_variable): adaptive tmstat logging enabled: true

This message is logged in v11.6.0, and earlier, when the 'bigd' process receives a "links-up" message indicating that monitoring can proceed, at which point 'bigd' begins monitoring (sending probes and processing responses).

This is an indication of proper behavior. When 'bigd' starts, it waits for an initial "links-up" message to indicate gateways are configured. Otherwise, sending monitor-probes might cause false gateway failsafe failovers to occur, and generate false monitor failures. After receiving the "links-up" message, any gateway failsafe failovers or monitor failures are genuine.

Starting in v11.6.1, this message is removed. However, a similar message is inserted to note status-changes, as follows:

Example:
"(_set_db_variable): adaptive tmstat logging enabled: true"

Impact:
This message is not an error, but a notification that 'bigd' began its logging (sending probes and processing responses).

Recommended Action:
None.


01060145 : Pool %s member %s monitor status %s. [ %s ] [ %s ]

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member my_member1 monitor status up. [ my_member1: UP, my_member2: UP %s ] [ was down ]

This message is logged when a status change is detected in a pool member. The message reports the parent pool name, the new pool member status, the status of all pool member peers, and the previous status for this pool member that had the status-change.

Possible pool member status includes: "unchecked", "checking", "forced up", "up", "down", "forced down", "irule down", "down", "down; waiting manual resume", "disabled", "checking".

Impact:
This message might not itself indicate an error, as it merely reports the detected status-change. For example, a pool member will typically transition through several status-changes upon system-start such as "unchecked"=>"checking"=>"up". Similarly, user-initiated actions (such as through the xui or tmsh) might forcibly set the status to "forced down" or "disabled".

However, an unexpected "down" status might indicate an issue, such as a failed server resource, or an improperly configured pool member or monitor.

Recommended Action:
This message might not itself indicate an error, but a notification of a pool member status change. If an unexpected "down" status is reported, the user should verify the server resource availability, and ensure a correct pool member and monitor configuration.


01060156 : Bigd PID %d, instance %d, fail to serialize 'bigd=>mcpd' message (exceed msg-length limit?): %s.

Location:
/var/log/ltm

Conditions:
The 'bigd' service has attempted to send a message to the 'mcpd' service that exceeds the maximum message size limit.

Impact:
This is a diagnostic message, and does not itself indicate an error. The user need not perform any action, and the system will continue monitor logging.

Recommended Action:
None.


01060157 : Receive string cannot be empty for reverse monitor '%s'

Location:
/var/log/ltm

Conditions:
Attempting to use a monitor on a node or pool member, where the monitor is a reverse monitor and the receive string is empty.

Impact:
The monitor instance will fail to run in bigd.

Recommended Action:
Enter a receive string or use a different monitor.


01060158 : Disable string must be empty for reverse monitor '%s'

Location:
/var/log/ltm

Conditions:
Attempting to use a monitor on a node or pool member, where the monitor is a reverse monitor and the disable string is non-empty.

Impact:
The monitor instance will fail to run in bigd.

Recommended Action:
Clear the disable string or use a different monitor.


01070007 : Received shutdown signal %d

Location:
/var/log/ltm

Conditions:
Mcpd logs this notice as a result of receiving a SIGTERM (15), SIGINT (2), or SIGHUP (1) signal.

SIGTERM is sent on behalf of `bigstart restart mcpd` when issued on the command line by the user.

Impact:
Mcpd will restart, which subsequently causes multiple daemons to restart as well.

Recommended Action:
Do not use `bigstart restart mcpd`.


01070043 : Monitor %s parent not found.

Location:
/var/log/ltm

Conditions:
Example:
Jan 26 14:10:21 localhost err mcpd[5090]: 01070043:3: Monitor /Common/foo parent not found.

This message reports a failure to create a new monitor because the referenced parent-monitor does not exist (from which the new monitor was to copy default-parameters). The following command generates this error:

tmsh create ltm monitor http foo defaults-from MyMonitorNoExist

...error in '/var/log/ltm':
Jan 26 14:10:21 localhost err mcpd[5090]: 01070043:3: Monitor /Common/foo parent not found.

In this case, the 'foo' monitor is not created because the parent 'MyMonitorNoExist' did not exist.

Impact:
No operation occurred (the create-monitor attempt fails, and the configuration is not modified).

Recommended Action:
When creating a new monitor that uses 'defaults-from', an existing monitor of the appropriate type should be specified.


0107004e : LTM configuration is not allowed when VCMP is provisioned. Virtual server %s conflicts with VCMP.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Creating or enabling virtual servers while VCMP is provisioned.

Impact:
Virtual server can't be used when VCMP is provisioned.

Recommended Action:
Delete all virtual servers when VCMP is provisioned.


01070069 : Subscription not found in mcpd for subscriber Id %s.

Location:
/var/log/ltm

Conditions:
The system process named in the message is attempting to unmark itself as a subscriber, but has specified a subscriber name that it had not previously used.

This message occurs during system shutdown or restart.

Impact:
No user impact. This message implies that there is a defect in TMOS, but a comparatively minor one. There is no risk of system instability or dropped traffic.

Recommended Action:
None.


01070147 : Snatpool %s must reference at least one translation address.

Location:
/var/log/ltm

Conditions:
Example:
Snatpool my_pool must reference at least one translation address.

A SNAT pool is configured, and set as active; but has no SNAT pool members.

Impact:
The configuration failed to load, and the SNAT pool is unavailable.

Recommended Action:
User should set the empty SNAT pool to inactive, or add pool members. Alternatively, user could configure SNAT without pools, such as for 'standard' (explicitly specifying the translation address) or 'automap' (allowing the system to auto-assign from the BIG-IP device's existing self-IP addresses), or 'intelligent' (SNAT mapping implemented within an iRule).

After configuration repair, the configuration can be reloaded and the SNAT pool should be available (no reboot is required).


01070151 : Rule [%s] error: %s

Location:
/var/log/ltm or GUI.

Conditions:
This is a general TCL parsing error message caused when validating iRules.
The TCL error itself is present in the log message and includes information about the offending code, which quickly allows resolution in most cases.

The message can be triggered whenever an iRule is updated:
- either using the GUI by clicking update;
- saving the edited iRule when using the tmsh commend (for example, edit ltm rule <x>)

Errors will appear in the GUI or the ltm log file and examples include:
Rule [<rule_name>] error: <rule_name>:1: error: [parse error: missing close-brace][{ set port [TCP::local_port] if { $p == 443) log local0.info]
Rule [<rule_name>] error: <rule_name>:1: error: [command is not valid in the current scope][set sp [class match -value [string tolower [IP::local_addr]] equals dg_test ]]
Rule [<rule_name>] error: <rule_name>:2: error: [unexpected extra argument "="][TCP::local_port = 443]
Rule [<rule_name>] error: <rule_name>:9: error: [missing a script after "else"][]
Rule [<rule_name>] error: <rule_name>:3: error: ["invalid argument local0"][log local0 "MATCH OK"]
Rule [<rule_name>] error: <rule_name>:8: error: [invalid keyword "{ log local0. "in CLIENT_ACCEPTED" if { $cond }" must be: priority timing][when CLIENT_ACCEPTED { { log local0. "in CLIENT_ACCEPTED" if { $cond }" ]

Impact:
Updating of the iRule will not be performed and corresponding logic changes will not be applied to any associated virtual servers.
The iRule code needs to be corrected prior to successful update.

Recommended Action:
Inspect the error message and locate the error in the iRule code.
Once located, correct the error. The correction depends on the contents of the error generated.

For simple syntax errors like 'missing brace' or 'unexpected extra argument', inspect the code around the designated error line indicated in the log message and ensure braces ('{') are paired, and commands used (for example, [TCP::local_port]) have the correct number of arguments.

For errors that involve use of the wrong commands, ensure that the commands are valid to use in the current setting (for example, PEM commands require PEM to be licensed).

Some errors might be caused due to incorrectly referenced configuration objects. A common case is referring to a Data Group that is not yet configured when the iRule is updated. In these cases, ensure that the dependent configuration objects exist and that the references in the iRules are using the correct names.


01070165 : "License file stat fails: %s."

Location:
/var/log/ltm

Conditions:
The file /config/bigip.license doesn't exist or there are errors accessing the file.

Impact:
The BIG-IP system is not licensed.

Recommended Action:
License the BIG-IP system or check the file /config/bigip.license.


01070259 : Requested member (%s) is untagged on another VLAN

Location:
/var/log/ltm

Conditions:
A VLAN is configured with an interface as an untagged member. When an additional vlan is configured with the same interface as an untagged member, the configuration will fail with this error message.

Impact:
VLAN configuration will fail.

Recommended Action:
You must correct your VLAN configuration. Either remove the interface from the previously configured VLAN, where it appears as an untagged member, or add it to the new VLAN as a tagged member.


0107025d : Nameserver for Wide IP Zones (%s) is not a fully qualified domain name or contains invalid characters.

Location:
/var/log/gtm

Conditions:
The value of GTM Globals Nameserver is not a fully-qualified domain name, or it contains invalid characters.

Impact:
The GTM Globals Nameserver value needs to a fully-qualified domain name, such as ns.example.com. The default value will be used for all Nameserver records that ZoneRunner automatically created. The default value is "this.name.is.invalid."

Recommended Action:
Choose a valid domain name that is registered to the user's domains.


0107025e : Nameserver for Wide IP Zones is empty. A valid, fully qualified domain name must be specified.

Location:
GUI, CLI

Conditions:
A user has modified the GTM global settings and left the "WideIP Zone Nameserver" field empty.

Impact:
The settings are not updated.

Recommended Action:
Do not leave the "WideIP Zone Nameserver" field empty.


01070261 : Can't create a home directory for username %s (%s)

Location:
LTM log.

Conditions:
The reason for the failure is described in the parenthesized portion of the message.

Impact:
The user is created, but the user cannot log in.

Recommended Action:
No general workaround. The error described in the message is required to determine this information.


01070265 : The %s (%s) cannot be deleted because it is in use by a %s (%s)

Location:
/var/log/ltm

Conditions:
Mcpd will log this when a client is attempting to delete a configuration that is currently being used by another configuration object.

Impact:
The transaction will fail and rollback; mcpd will be in the state it was in just prior to attempting the transaction.

Recommended Action:
Remove or reconfigure the object that is referencing the configuration object that you want to delete.


01070277 : The requested %s (%s) was not found

Location:
In tmsh or the GUI, as the response to a request to create or modify configuration.

Conditions:
The user referred to a configuration object that does not exist.

Impact:
The requested change failed validation and no change to the configuration occurred.

Recommended Action:
Correct the spelling of the object name or choose a different object.


0107028a : The source address (%s) for virtual server (%s) must have a prefix length.

Location:
/var/log/ltm

Conditions:
Example:
The source address (10.10.0.5) for virtual server (my_server) must have a prefix length.

This message is logged upon configuration load when a virtual server is missing its prefix length, which is required to identify the virtual server subnet.

The virtual server is configured in CIDR notation including the IP address and prefix length, such as 192.168.100.0/24. The prefix length (mentioned in the message) is the number of bits set in the network mask, such as a prefix length of 24 associated with a subnet mask of 255.255.255.0.

Impact:
The configuration for this virtual server failed to load (because its configuration is improper), and this virtual server is unavailable.

Recommended Action:
User should configure the virtual server with its IP address and prefix length (in CIDR notation, such as 192.168.100.0/24), and reload the configuration.


01070301 : Pool (%s) is referenced by one or more virtual servers

Location:
/var/log/ltm

Conditions:
This message is logged when a user-initiated attempt is made (such as through xui or tmsh) to delete a pool that is currently referenced by one or more virtual servers. Deleting a pool that is still referenced by a virtual server is not permitted, as it would result in a (dangling) foreign key reference from the virtual server to the now-deleted pool.

Note that this message is removed in v11.5.0 (and thus is reported only in v11.4.1 and earlier). In v11.5.0 and later, validation of foreign keys from a virtual server to a pool is performed differently, thereby removing this message from the codebase.

Impact:
No action is taken, and the pool is not deleted (the pool is unchanged). This message merely logs the rejection of the user-initiated attempt to delete a pool.

Recommended Action:
User should first remove the pool references by any virtual server, and then delete the pool. When the pool is not referenced by any virtual server, the pool delete operation will successfully complete and this error message will not be logged.


0107030c : Host persistence requires an HTTP profile to be associated with the virtual server

Location:
/var/log/ltm, GUI

Conditions:
A virtual server has been configured to use HTTP Host persistence. That virtual server has no HTTP profile attached to it.

Impact:
The configuration is inconsistent, and will fail to load.

Recommended Action:
Add an HTTP profile to the virtual server requiring HTTP Host persistence. Or choose another kind of persistence profile that doesn't require an HTTP profile on the virtual server.


01070315 : profile %s requires a key

Location:
/var/log/ltm

Conditions:
A 'key' is missing from the cert-key-chain object that is associated with a clientSSL profile. Or, 'key' is missing from the server SSL profile, when 'cert' is present.

Impact:
This results in mcpd validation failure of the specific clientSSL/serverSSL profile, resulting in failure of mcpd operation/transaction.

Recommended Action:
In order to fix the issue, user needs to add 'key' to cert-key-chain object in clientSSL profile, or to the serverSSL profile.


01070318 : The requested media %s for interface %s is invalid.

Location:
/var/log/ltm

Conditions:
The user attempts to set the media on an interface to an invalid type.

Impact:
The change does not take effect.

Recommended Action:
Do not attempt to set the interface media to an invalid value.
Use "tmsh list net interface X media-capabilities" command to see a list of accepted media values for interface X.


01070320 : Snatpool %s is still referenced by a virtual server.

Location:
/var/log/ltm

Conditions:
User-initiated action (such as through tmsh or xui) attempted to delete a SNAT pool that is still being referenced by a virtual server or SNAT.

Impact:
No action occurred, and the attempt to delete the SNAT pool failed (the SNAT pool is unaffected).

Recommended Action:
User should first remove the SNAT pool from being referenced by the virtual server or SNAT object. A subsequent attempt to delete the SNAT pool will then succeed.


0107032f : The vlan (%s) associated with the static route %s/%d must have a Self IP using the IPv%u protocol.

Location:
/var/log/ltm, GUI, console

Conditions:
The system is attempting to create a static route when none of the self-IP addresses for the static route are on the same interface and the addresses do not use the same IP protocol format (IPv4 or IPv6).

Impact:
The system cannot create a static route.

Recommended Action:
Create all self-IP addresses for the static route on the same interface and ensure that the addresses use the same IP protocol format.


01070340 : %s (%s) is referenced by one or more rules

Location:
/var/log/ltm

Conditions:
One common problem is, an object is to be deleted, but it is still referenced actively, because there are multiple references to one object.

Impact:
Because of this error, the user action will fail. For example, if there are multiple references to an object and user attempts to delete it, the system does not delete it.

Recommended Action:
User needs to search for the object indicated in the message across the iRules, and remove the object dependency before deleting the object.


01070341 : Virtual server %s references rule %s which does not exist.

Location:
/var/log/ltm

Conditions:
A configuration load or change contains a virtual server that references a rule that does not exist.

Impact:
The rule associated with the virtual server could not be found, and is not active.

Recommended Action:
User should confirm the rule exists when referenced by a virtual server. Confirm that the rule exists, and that the name referenced by the virtual server is spelled correctly.


01070354 : Self IP %s / %s: This network is defined on two vlans (%s and %s)

Location:
/var/log/ltm, console, and GUI.

Conditions:
The self IP being created is on a network that is in a different VLAN than the one specified during self IP creation.

Impact:
MCPD will prevent the self IP address from being created until the conflict is resolved.

Recommended Action:
Create the self IP in the current VLAN.


01070356 : %s feature not licensed

Location:
/var/log/ltm
The contents of /var/log/ltm may be viewed in the GUI under System > Logs > Local Traffic. These messages are of the form "<FEATURE_NAME> feature not licensed." The <FEATURE_NAME> list of items regularly increases with each release.

Conditions:
These messages occur whenever mcpd queries the license for a feature flag that is not in the license. This message typically occurs during configuration validation.

Impact:
There is no single consistent BIG-IP action, or easily counted set of actions, associated with these messages. In general, however, the feature named in the message does not function, and the BIG-IP system might not achieve the Active operational state.

Recommended Action:
Upgrade the license to support the requested features. Downgrade the BIGIP software to a version that does not require the unlicensed features, or modify the configuration to remove objects that depend on the unlicensed features. The probable cause for these messages is using a configuration file from a more feature-rich license, or the release of BIG-IP software with a less feature-rich license or software image.


01070392 : Self IP %s / %s: This IP shares a network with %s (%s / %s).

Location:
/var/log/ltm, console, and GUI.

Conditions:
The self IP being created conflicts with the admin address of the BIG-IP device.

Impact:
MCPD will prevent the self IP address from being created with the conflicting address.

Recommended Action:
Either create the self IP with a different address, or correct the conflicting admin address of the BIG-IP device.


01070394 : %s in rule (%s) requires an associated %s profile on the virtual server (%s)

Location:
/var/log/ltm

Conditions:
A configuration load contains a rule associated with a virtual server, but the required profile was not found on that virtual server. The intended profile might be present in the virtual server, but was misspelled in the rule, or the required profile was not associated with the virtual server.

Note that this message is used only on v11.6.1, and earlier.

Impact:
The configuration failed to load, and the rule is not in effect.

Recommended Action:
User should change the rule to reference a profile present on the virtual server. Confirm that the identified profile in the rule is properly spelled, and that the profile is associated with the virtual server. The configuration might then be reloaded (a reboot is not required).


01070404 : Add a new Publication for publisherID %s and filterType %p

Location:
/var/log/ltm

Conditions:
A system process has started up and connected to mcpd. This process is registering as a publisher, meaning that mcpd acts as a proxy for certain user commands that require obtaining data from this process. For example, when the user runs the command 'show sys connection', this will be forwarded to TMM instances, and their responses will be forwarded back to the user's shell.

Impact:
This message does not indicate a problem with the system.

Recommended Action:
None.


01070406 : Removed publication with publisher id %s

Location:
/var/log/ltm

Conditions:
A system process is removing itself as a publisher. See error catalog item 620989 for a description of the publishing mechanism.

Impact:
This message does not indicate a problem with the system. The most common case it would be seen is a shutdown or reboot of the system. If the publishing process is exiting unexpectedly, it will generate its own log messages.

Recommended Action:
None.


01070407 : Removed information for Publication %s and filterType %p

Location:
/var/log/ltm

Conditions:
A system process is removing itself as a publisher, but only for certain types of messages. It remains a publisher for other types of messages. See error catalog item 620989 for a description of the publishing mechanism.

Impact:
This message does not indicate a problem with the system.

Recommended Action:
None.


01070408 : Deleting abandoned subscriber connection for %s

Location:
/var/log/ltm

Conditions:
A system service has restarted and subscribed to mcpd objects without cleaning up after itself in its previous instantiation.

Impact:
This indicates a problem that is resolving itself. mcpd is not impacted, although whatever caused the other process to restart might be a concern. That failure would log its own error messages.

Recommended Action:
None.


01070410 : Removed subscription with subscriber id %s

Location:
/var/log/ltm

Conditions:
A system process is ending its subscription to mcpd objects. This is the mechanism by which this process is informed about updates to the configuration.

This is a clean unsubscription, so the system is likely shutting down or restarting.

Impact:
This message does not indicate an error.

Recommended Action:
None.


01070413 : Updated existing subscriber %s with new filter class %llx

Location:
/var/log/ltm

Conditions:
A system process is changing the set of configuration objects about which it is concerned. This is the mechanism by which this process is informed about updates to the configuration.

Impact:
This message does not indicate an error.

Recommended Action:
None.


01070417 : AUDIT - user %s - transaction #%u-%u - object %u - %s

Location:
/var/log/audit

Conditions:
Auditing changes made to configuration in mcpd.

Impact:
Not an error.

Recommended Action:
None.


01070418 : connection %p (user %s) was closed with active requests

Location:
/var/log/ltm

Conditions:
Two possible conditions:

* A system service is connected to mcpd and has started a transaction, but not written anything to it for five minutes, indicating that it likely is no longer using it.

* A connection was closed while mcpd had not yet finished responding to it.

Impact:
This message might indicate a minor TMOS bug, but one that is likely to quickly resolve with no impact.

Recommended Action:
None.


01070419 : Platform initialization phase triggered

Location:
/var/log/ltm

Conditions:
mcpd logs this message as a result of entering the first of four initialization phases.

Impact:
This is the expected behavior of a healthy mcpd on startup.

Recommended Action:
None.


01070421 : Base configuration initialization phase triggered.

Location:
/var/log/ltm

Conditions:
mcpd is starting up from configuration files, as opposed to being restored from a binary file. The binary file either did not exist prior to mcpd starting or it may have been corrupted.

Base configuration initialization phase is #2 of 4 total initialization phases.

Impact:
Restoring from configuration files on startup is part of normal operation, and as a result, mcpd should become fully operational (contingent upon successful completion).

Recommended Action:
None.


01070424 : Full configuration initialization phase triggered.

Location:
/var/log/ltm

Conditions:
mcpd is starting up from configuration files, as opposed to being restored from a binary file. The binary file might not have existed prior to mcpd starting, or it might have been corrupted.

Impact:
Restoring from configuration files on startup is part of normal operation; as a result, mcpd should become operational.

Recommended Action:
None.


01070427 : Initialization complete. The MCP is up and running

Location:
/var/log/ltm

Conditions:
mcpd successfully completed initialization, which means all configuration loaded and reached a running phase.

Impact:
mcpd function as designed

Recommended Action:
None.


01070465 : DB changed: %s, configsync needed

Location:
/var/log/ltm

Conditions:
If a BIG-IP device is in an HA pair, config sync autodetect is enabled, and a db variable is modified.

More specifically, if the following db variables are set:
  1. failover.isredundant value true
  2. configsync.autodetect value enabled

Impact:
No impact. This is information only.

Recommended Action:
Disable config sync autodetect or ignore.


01070466 : Received end of platform data

Location:
/var/log/ltm

Conditions:
Mcpd logs this message in response to receiving the end_platform_id request from chmand. This is a normal part of the boot process, and is the result of chmand publishing platform info to an initialized mcpd. This message can be seen every time mcpd starts up.

Impact:
Mcpd can now perform actions that require the platform object, such as install the VCMP n-stage validator. This is expected behavior.

Recommended Action:
None.


01070468 : %s

Location:
/var/log/ltm

Conditions:
A transaction to change the configuration successfully completes and the log.mcpd.level db variable is set to debug.

Impact:
None.

Recommended Action:
None.


01070596 : An unexpected failure has occurred, %s, exiting...

Location:
/var/log/ltm

Conditions:
mcpd has reached an unrecoverable error.

Impact:
mcpd will restart, along with most other system services. Traffic will be lost.

Recommended Action:
Often this will resolve itself after one restart. If not, removing the binary database (rm -vf /var/db/mcp*) is another common cause for some instances of this error.


01070599 : Current management-ip (%s) has to be deleted before adding a new management-ip (%s) with the same address family.

Location:
/var/log/ltm

Conditions:
The user attempts to create a sys management-ip of an address family that is already configured.

Impact:
The configuration operation fails.

Recommended Action:
Delete the clashing management-ip before adding the correct one.


01070604 : Cannot delete IP %s because it would leave a route unreachable.

Location:
/var/log/ltm

Conditions:
When removing a self-ip, and the address is the only way in which a static route can be reached, the deletion would strand the route.

Impact:
The condition prevents a static route from being removed.

Recommended Action:
Remove any static route that utilizes the self-ip, and try the deletion again.


01070608 : License is not operational (expired or digital signature does not match contents)

Location:
/var/log/ltm

Conditions:
*) This message is logged when the license was not reactivated before an upgrade, and the license's check service date is older than the release date of the install.

*) This message is logged when the license has been modified, or the digital signature does not match the contents.

Impact:
The BIG-IP system is not licensed.

Recommended Action:
If a support contract is current, reactivate the license. Reactivation can be performed from the GUI on a running boot location, or by using tmsh (tmsh install sys license).


01070622 : The monitor %s has a wildcard destination service and cannot be associated with a node that has a zero service

Location:
Associating a pool member with a zero port with a monitor that requires a port generates error message in question.

Conditions:
Pool member with zero port; associated monitor that requires a port (for example TCP or HTTP).

Impact:
Monitors that require a destination port cannot be associated with pool members where the port is unspecified or zero.

Recommended Action:
Assure that the pool member has a non-zero specified port.


01070638 : "Pool %s member %s:%u monitor status %s."

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member 10.10.0.5:80 monitor status forced down.

This message is logged when a status change is detected for the pool member, resulting in the pool member being in a status other than 'up'. Possible status values are: 'unchecked', 'node down', 'down', 'forced down', 'up and awaiting man resume', 'iRule down', 'inband down', 'FQDN down'. Note that the 'up' status is not listed, because this message is not reported when the pool member status is 'up'.

The pool member status is dependent upon the virtual server configuration, and the configuration and health status results for associated monitors.

Impact:
This message might not itself indicate an error, because it merely reports the detected pool member status change. For example, user-initiated action (such as through the xui or tmsh) might explicitly change the pool member status (such as to 'forced down' for maintenance). However, an unexpected 'down' status might indicate a configuration or resource availability issue.

Note also that the parent pool status might be unchanged as a result of this pool member status change, as long as the threshold is not exceeded for the number of available pool members required for the parent pool to be available.

Recommended Action:
If an unexpected 'down' status is reported, verify the pool member configuration, the configuration of associated pool member monitors, and the resource availability to ensure pool member availability.


01070639 : Pool %s member %s:%u session status %s.

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member my_member:80 session status forced disabled.

This message is logged when "session-status" is changed, such as from user action to "enable" or "disable". Possible status includes: 'enabled', 'node disabled', 'disabled', and 'forced disabled'.

Impact:
This message is a log-notification only when the pool member session status changes.

Recommended Action:
This is not an error, but a notification of a pool member status change that records the resulting status.


01070640 : Node %s address %s monitor status %s.

Location:
/var/log/ltm

Conditions:
Example:
Node my_node address 10.10.0.1 monitor status forced down.

This message is logged when a status change is detected for the node, resulting in the node being in a status other-than 'up'. Possible status values are: 'unchecked', 'node down', 'down', 'forced down', 'up and awaiting man resume', 'iRule down', 'inband down', 'FQDN down'. Note that the 'up' status is not listed, because this message is not reported when the node status is 'up'.

The node status is dependent upon node configuration and heath results for associated node monitors.

Impact:
This message might not itself indicate an error, as it merely reports the detected node status change. For example, user-initiated action (such as through the xui or tmsh) might explicitly change the node status (such as to 'forced down' for maintenance). However, an unexpected 'down' status might indicate a configuration or resource availability issue.

Recommended Action:
This message might not itself indicate an error, but a notification of a node status change due to monitor results, or user-initiated action. If an unexpected 'down' status is reported, verify the node configuration, the configuration of associated node monitors, and the resource availability to ensure node availability.


01070690 : Port mirroring is not supported on this platform.

Location:
/var/log/ltm

Conditions:
This occurs if you configure port mirroring on a platform that does not support port mirroring.

Impact:
You will not be able to configure port mirroring.

Recommended Action:
None.


0107070e : Software version not covered by service agreement. Reactivate license before continuing.

Location:
/var/log/ltm
The contents of /var/log/ltm can be viewed in the GUI under System->Logs->Local Traffic.

Conditions:
The BIG-IP software version used was released after the Service Check Date specified in the license.

Impact:
The BIG-IP system is not usable in this state. You must either upgrade the license, to one for the installed software version, or revert to a BIG-IP software version that the current license supports.

Recommended Action:
You must either upgrade the license, to one for the installed software version, or revert to a BIG-IP software version that the current license supports.


01070712 : "Caught configuration exception (%d), %s."

Location:
/var/log/ltm

Conditions:
MCPD logs this error in response various configuration issues that might arise while attempting to process a transaction. The nature of the issue could be caused by any number of runtime scenarios, for example, "can't get class information from schema repository", "invalid MAC address", "Can't get class definition while retrieving sub classes", etc.

Impact:
MCPD will stop processing the current transaction and roll back to the last valid state.

Recommended Action:
Depending on the message being logged, modify the configuration that caused the error, and then attempt to submit the transaction again.


01070727 : "Pool %s member %s:%u monitor status up."

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member 10.10.0.5:80 monitor status up.

This message is logged when a status change is detected for the pool member, resulting in the pool member being marked 'up'. The pool member status is dependent upon virtual server configuration, and the configuration and health results from associated monitors.

Impact:
This message is not an error, but merely reports the detected 'up' pool member status. This message is expected upon system start, where properly configured pool members transition to an 'up' status.

Recommended Action:
None.


01070728 : Node %saddress %s monitor status up.

Location:
/var/log/ltm

Conditions:
Example:
Node my_node address 10.10.0.1 monitor status up.

This message is logged when a status change is detected for the node, resulting in the node being marked 'up'. The node status is dependent upon node configuration and health results for associated node monitors.

Impact:
This message is not an error, but merely reports the detected 'up' node status. This message is expected upon system start, where properly configured nodes transition to an 'up' status.

Recommended Action:
None.


01070730 : Configuration restored from binary image

Location:
/var/log/ltm

Conditions:
Mcpd loaded the configuration from a binary image format on disk.

Impact:
The binary image is considered to be saved in a valid state, so restoring from the binary means that the BIG-IP system does not run validation and business logic, as it typically would when processing configuration (/config/*.conf) files.

Recommended Action:
Loading from binary is typically a desirable behavior as it's faster than processing configuration files; however, if one wanted to run business logic and validation, you could remove the binary file and restart mcpd, for example,

rm -f /var/db/mcpdb.*
bigstart restart mcpd


01070734 : Configuration error: %s

Location:
/var/log/ltm

This error appears in the GUI, as a result of a configuration update.

Conditions:
This error is a validation exception, usually occurring when a user attempts to update the configuration.

The most common ways for user error include:

1) Invalid naming.
No keywords, empty names, special characters, etc.

2) Invalid value for an attribute.
Can be value ranges, NULL constraints, and other defined domains.

3) Dependency required.
Let X and Y be two different classes. When an X is configured, a related Y must be configured.

4) Invalid reference to another object.
Can be a permissions problem, a NULL constraint, or the object referenced doesn't exist.
Let X and Y be two different classes. X must configure an X.a. When X.a references Y, Y must exist and X must be allowed to refer to Y.

5) Logical constraints of attributes.
Let X be a class. When X.a is configured, X.b must not be configured.

Impact:
A transaction can fail upon encountering this exception.

Recommended Action:
Check the configuration update and correct the issue.


01070736 : Couldn't write to the user/role/partition file, %s (%d)

Location:
/var/log/ltm, and in tmsh

Conditions:
There is some error writing the user role partition file, which indicates a disk error. The error message includes errno from the failed operation, which might give more specific information about the cause.

Impact:
The transaction containing changes to the user role partition file is rolled back. If the error persists, changes to user roles and partition access will be impossible.

Recommended Action:
Examine the errno in the error message to determine more information about the root cause, and resolve that.


01070807 : Monitor %s instance %s:%u has been %s.

Location:
/var/log/ltm

Conditions:
Examples:
Monitor my_http instance 10.10.0.2:80 has been enabled.
Monitor my_http instance 10.10.0.2:80 has been disabled.

This message is logged when the user changes the monitor instance status to either 'enabled' or 'disabled', such as through tmsh or the xui. A 'disabled' monitor sends no health-check probes, and thus does not contribute to an indication of the resource's health. Disabling a monitor does not otherwise impact availability of the monitored resource.

Impact:
This message is log-notification only when the monitor instance status is changed between 'enabled' and 'disabled'.

Recommended Action:
This is not an error, but a notification of monitor instance status change that records the resulting status.


01070822 : "Access Denied: %s"

Location:
/var/log/ltm, CLI, GUI

Conditions:
User attempts to read, modify, or delete a config that they do not have access to, per the partition access settings, or attempts to perform an action that is not allowed for the role. The error message describes more precisely what access was denied.

Impact:
User is prevented from doing things they are not authorized to do.

Recommended Action:
If the user needs access to config or actions, then the user must be given sufficient partition/role access.


01070823 : Read Access Denied: %s

Location:
/var/log/ltm, shown in tmsh

Conditions:
A user attempts to query objects or stats in a partition to which the user does not have read access, or attempts to query non-partitioned objects but does not have non-partitioned read access.

Impact:
User is not able to read the desired objects or stats.

Recommended Action:
If the user needs read access to the objects or stats, then the user must be given a role on the appropriate partition with read access.


01070827 : User login disallowed: %s

Location:
/var/log/ltm

Conditions:
Attempt to log in as a user with no partition access specified.

Impact:
Unable to log in as user with no partition access specified. Such a user has no access.

Recommended Action:
Specify partition-access for every user account that needs access to the BIG-IP device.


01070921 : Virtual Server '%s' on partition '%s' %s by user '%s'.

Location:
/var/log/ltm

Conditions:
A user (with sufficient permissions) has enabled or disabled a virtual server.

Impact:
The virtual server is either enabled or disabled as requested; the network service(s) provided by the virtual server were either made available or made unavailable.

Recommended Action:
This is a user requested action, not an issue with the product.


01070927 : Request failed, data provider (%s) disconnected from mcpd

Location:
/var/log/ltm

Conditions:
The system process named in the message is attempting to unmark itself as a publisher, but has specified a publisher name that it had not previously used. See error catalog item 620989 for a description of the publishing mechanism.

This message occurs during system shutdown or restart.

Impact:
No user impact. This message implies that there is a defect in TMOS, but a comparatively minor one. There is no risk of system instability or dropped traffic.

Recommended Action:
None.


01070931 : Clustering quorum reached

Location:
/var/log/ltm

Conditions:
Any chassis platform during normal start up.

Impact:
This message indicates that the 'quorum' stage of the chassis clustering algorithm has been reached.

Recommended Action:
None.


01070933 : License blob received from primary.

Location:
/var/log/ltm

Conditions:
On a cluster with more than one member.

Impact:
None.

Recommended Action:
None.


01070967 : The specified vlan, vlangroup or tunnel (%s) cannot be removed from its default route domain (%s).

Location:
/var/log/ltm

Conditions:
When trying to remove VLAN or VLAN-GROUP from default route-domain, without attaching to another route-domain.

Impact:
Validation error, no operation impact. Action will be prevented.

Recommended Action:
None.


01070978 : The vlan (%s) for the specified self IP (%s) must be one of the vlans in the associated route domain (%s). For example: 192.168.0.1%1234 for self IP in route-domain 1234.

Location:
/var/log/ltm, console, and GUI.

Conditions:
When the self IP VLAN is not one of the VLANs in the route-domain, where the route domain is extracted based on the self IP address format.

Impact:
MCPD will prevent the self IP address from being created with the designated VLAN.

Recommended Action:
Verify that the route domain, as specified in the self IP address has the right VLANs as its members.


01070979 : The specified vlan (%s) for route domain (%s) is in use by a self IP.

Location:
/var/log/ltm

Conditions:
When attempting to remove a VLAN that still has a SelfIp association.

Impact:
VLAN is prevented from removal until the SelfIp in question is moved or removed.

Recommended Action:
Move the SelfIp(s) associated with the VLAN to other VLANs.


01070995 : get_tmstat: tmstat_sample not ready. Statsd may not be running.

Location:
/var/log/ltm

Conditions:
This warning message can appear while attempting to query statistics from a segment, subscribing to the segment directory fails. Typically this will occur if the statsd is not ready. Other less likely cases include a problem with resources, such as no memory available.

Impact:
Query of segment will fail.

Recommended Action:
In a typical case, the query can be retried when the statsd is ready. Then it succeeds. In the case of a resource problem, the statsd will need to be restarted.


01071027 : Master key OpenSSL error: %s

Location:
/var/log/ltm

Conditions:
These logs indicate that there is a problem with the BIG-IP device's secure vault feature, device group mutual authentication, or OpenSSL processing of those features. They come in two types.

These logs indicate a problem with openssl processing itself, such as an out-of-memory condition.
Master key OpenSSL error: Unit Key Generation fails!
Master key OpenSSL error: Key decrypt update
Master key OpenSSL error: Key decrypt final
Master key OpenSSL error: Master decrypt update
Master key OpenSSL error: Master decrypt final
Master key OpenSSL error: RSA public encrypt error
Master key OpenSSL error: b64_decode BIO_read error
Master key OpenSSL error: Cannot find proper algorithm
Master key OpenSSL error: Cannot create new X509 certificate
Master key OpenSSL error: Setting certificate version to SSL v3"
Master key OpenSSL error: Cannot allocate a pub_key type
Master key OpenSSL error: Cannot create new ASN1 type.
Master key OpenSSL error: Key size mismatch with PKCS1 padding size
Master key OpenSSL error: Cannot convert signature to data stream
Master key OpenSSL error: Error signing certificate
Master key OpenSSL error: Loading unit key: Error converting data blob to key.
Master key OpenSSL error: AES256 Symmetric Unit Key Generation fails!

These logs pertain to a corrupt master key, unit key, device group certs/keys, or HA certs/keys failures.
Master key OpenSSL error: Cannot open key store
Master key OpenSSL error: Cannot open key store RSA
Master key OpenSSL error: Cannot load %s (/.unit[1,2].key, /unit[1,2].crt, /master.[1,2], /master, /.unitkey, /temp, /master.recovery, /var/www/unitkeys/unit.crt)
Master key OpenSSL error: Cannot read master key
Master key OpenSSL error: Key encrypt
Master key OpenSSL error: Master encrypt
Master key OpenSSL error: Cannot save master key for peer.
Master key OpenSSL error: Symmetric Unit Key encrypt
Master key OpenSSL error: Symmmetric Unit Key decrypt
Master key OpenSSL error: Cannot open unit certificate file.
Master key OpenSSL error: Cannot read unit certificate file.
Master key OpenSSL error: Cannot write unit cert
Master key OpenSSL error: (/.unit[1,2].key, /unit[1,2].crt, /master.[1,2], /master, /.unitkey, /temp, /master.recovery, /var/www/unitkeys/unit.crt)
Master key OpenSSL error: Peer Certificate file

Impact:
Loading or syncing configurations with encrypted attributes will fail.

Recommended Action:
Reset the device trust group or the HA group. Or, reload a backup UCS file as described in K9420.
https://support.f5.com/csp/#/article/K9420


01071029 : %s

Location:
/var/log/ltm

Conditions:
1. These log messages pertain to the unit key and possible issues it may encounter.
Unit key SHA1 function failed.
Unit key hash does not match! Possible key corruption or tampering. Retry ...
Unit key read failed! Retry ...
Unit key read failed! back off to platform phase...
SecureVault encountered issue with reading Unit key from SEEPROM. Try rebooting the system...
Removing corrupt key header.
Cannot open unit key store
Unit key write to hal failed.
Unit key write verify failed.
Cannot load unit key
No Unit Key Found
Failed to encrypt the unit key
Loading unit key: Error converting data blob to key.

2. These log messages relate to the unit keys encryption of the master key:
Save Master Key aborted -- cannot load unit key.
Failed to encrypt the master key
save_master_key(master): Not ready to save yet -- no master key
save_master_key(master): Not ready to save yet -- no unit key
Couldn't retrieve the old master key.
Master Key not present.
Failed to encrypt the Master key

3. These log messages relate to attempts to change the master key.
Invalid master key
Attempted to rekey with a blank master key
Save Master Key aborted -- cannot determine unit id!
Cannot determine failover unit ID

4. This message is a general error.
b64_decode BIO_read error

5. This log message relates to the custom password db variable for encrypted attributes.
Custom Key not present. Please set the security.custompassword db variable.

Impact:
Possible issues using the secure vault feature.

Recommended Action:
1 and 2. Attempt to reboot the system. If the problem is not resolved, contact F5 support.
3. Attempt to change the key with a valid key.
4. None.
5. Set the security.custompassword db variable.


0107102d : Cannot load master key file. Updating to a new master key.

Location:
/var/log/ltm

Conditions:
The master key file does not exist or has been corrupted.

Impact:
Previous configurations with encrypted attributes using the old master key will be unloadable.

Recommended Action:
Upload a backup ucs file.
https://support.f5.com/csp/#/article/K9420


01071031 : %s

Location:
/var/log/ltm

Conditions:
When one of the system auth db variables SystemAuth.DisableRootLogin or SystemAuth.DisableBash is changed to "false" (turning off the security feature) or when the db variable SystemAuth.PrimaryAdminUser is modified, a message is logged indicating that a security setting has changed and the user account that made the change:

Security setting systemauth.disablerootlogin has been disabled by user admin
Security setting systemauth.disablebash has been disabled by user admin
Security setting systemauth.primaryadminuser has been modified from admin to newadmin by user admin

Impact:
None.

Recommended Action:
None.


01071038 : %s

Location:
/var/log/ltm

Conditions:
1. The following log entries occur during changes to the master key or aspects of the changing process.
Loading keys from the file.
Unit key read from the hardware.
Attempting Master Key migration to new unit key.
Master Key updated by user <user>
Unit key hash on write: <hash value>
Reloading the RSA unit to support config roll forward.
Read the unit key file if exists.
Loading master key from database object!

2. The following log entries relate to loading the unit key from the hardware, if these are different, there is an issue with the hardware.
Unit key hash from key header: <hash value>
Unit key hash computed from read key: <hash value>

3. The following log entries indicate that the master key is missing or corrupted:
Unable to load master key from database. Configuration object was null.
Unable to load master key from database. Empty master key attribute.
Unable to load master key from database. Master key decode fails.
Secondaries couldn't load master key from the file.
Secondaries couldn't load master key from the database.

Impact:
1. No impact.
2. Attempt rebooting the BIG-IP.
3. Recreate the master key

Recommended Action:
None.


01071047 : Removing %d %s local objects from slot %d

Location:
/var/log/ltm

Conditions:
mcpd logs this message in response to removing configuration objects associated with a chassis slot. This can happen as the result of a cluster member being disabled or going down. Interfaces and trunk working members, for example, which are associated with the cluster member are then removed.

Impact:
This is expected behavior. The removed configuration objects will be unavailable for a given slot until the blade has been restored.

Recommended Action:
None.


01071070 : Failed to %s file %s with error %d

Location:
/var/log/ltm

Conditions:
Mcpd logs this message in response to two events:
1. Failing to change permissions to read-only for file BigDB.dat
2. Failing to open file BigDB.dat

Both issues will be accompanied by an errno number. The first corresponds to the return value of chmod. The second corresponds to an error produced while attempting to construct an ofstream.

Impact:
The impact of failing to change permissions to read-only is that BigDB.dat can still be written to. This may be inconsequential, but it could also lead to unexpected behavior.

If mcpd fails to open BigDB.dat, it will throw an exception and core.

Recommended Action:
Unknown at this time. The workaround depends on what errno is given with the failure.


01071138 : The access policy (%s) has an action/macrocall item (%s) that is referenced by any rule's next item for %d time(s). Exactly one reference is allowed.

Location:
/var/log/ltm or TMSH

Conditions:
Access policy has incorrect topology. This might happen during access policy creation/modification by TMSH commands or script, at access policy import, or at configuration loading/verification.

Impact:
Access policy with incorrect topology is not created/modified.

Recommended Action:
If the message appears during access policy creation/modification by TMSH script, it is necessary to check the script used and correct it to exclude the invalid "next item" clause in API rules.
If the message appears during access policy import or configuration loading, there is no simple workaround. It is not recommended to try to use a broken configuration.
Manual editing of configuration files or exported access policy archive might be necessary, but it must not be done without explicit support recommendations.


01071246 : "Unable to reload the dns cache\n"

Location:
/var/log/ltm

Conditions:
This message can appear when dnscached failed to reload configuration files. Most likely that happens during the BIG-IP device startup, when dnscached is not started yet, but the command to reload configuration already executed.

Impact:
dnscached might have an invalid configuration or is not configured.

Recommended Action:
When the BIG-IP device is fully started, you can restart dnscached to reload the configuration:
tmsh modify sys db dns.cache value disable
tmsh modify sys db dns.cache value enable

To verify current status of dnscached, please use command:
tmsh list sys db dns.cache


010712a5 : Ha_group %s unknown %s %s.

Location:
/var/log/ltm, tmsh

Conditions:
The administrator has attempted to add a non-existent pool, trunk, or cluster object to an ha-group.

Impact:
The ha-group configuration is not modified.

Recommended Action:
Specify an existing pool, trunk, or cluster object for the HA group.


01071321 : Vlan allowed mismatch found: hypervisor (%s:%s), guest (%s:%s) and (%s:%s).

Location:
/var/log/ltm on a VCMP guest

Conditions:
A VLAN in a VCMP guest matches either the name or tag of a VCMP-host published VLAN. This usually happens when a VCMP-published VLAN is modified in the VCMP guest.

Impact:
This log message will appear in /var/log/ltm to advise a VCMP guest administrator about the mismatch.

Recommended Action:
Ensure that your VLAN configuration is as you expect, and consider modifying your VLAN configuration on either your host or your guest to resolve this error. Support usually recommends making VLAN changes on the VCMP host, which are then published to the VCMP guest in this case.


01071392 : Background command '%s' failed. %s

Location:
/var/log/ltm

Conditions:
Many components use this to execute a command. If the command fails, this message is logged for the command.

Impact:
Many components use this to execute a command. Actual impact depends on the command.

Recommended Action:
Many components use this to execute a command. A workaround might not be needed, or depends on the command.

Debug information might be obtained by setting mcpd's log level to info.


010713b1 : Cannot delete IP (%s) because it is used by the system state-mirroring (%s) setting.

Location:
/var/log/ltm, console, and GUI.

Conditions:
When trying to delete a self IP, but self IP is referenced in mirroring settings.

Impact:
Prevent the self IP from being deleted, until the mirroring setting no longer references the self IP.

Recommended Action:
Remove the self IP from the mirroring setting before trying to delete the self IP again.


010713b8 : Propose change to system hostname (%s).

Location:
/var/log/ltm

Conditions:
This message is logged by mcpd when vCMP hypervisor proposed a hostname change.

Impact:
None.

Recommended Action:
None.


010713ba : Propose change to default gateway (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs on a VCMP guest when the VCMP guest starts, and when a user on the VCMP hypervisor changes the management gateway of the VCMP guest.

Impact:
None.

Recommended Action:
None.


010713bc : Propose change to management IP address (%s/%s).

Location:
/var/log/ltm

Conditions:
This message is logged on a VCMP guest when either of the following occurs:
1) When the VCMP guest starts
2) When a user on the VCMP hypervisor changes the management address of the VCMP guest.

Impact:
None. This log message is informational.

Recommended Action:
N/A


010713c0 : System state ready for hypervisor mgmt settings: (%s)

Location:
/var/log/ltm

Conditions:
This message is displayed during normal start-up on a VCMP guest when the VCMP guest received a management address or hostname from the VCMP host.

Impact:
This log message informs the user whether or not the VCMP guest is ready to install the management network and hostname config proposed by the VCMP host

Recommended Action:
None.


010713c1 : Initial management network proposals triggered (%s)

Location:
/var/log/ltm

Conditions:
Mcpd is initializing the hypervisor admin network settings. This generally happens upon system startup, re-licensing, or when the system status goes from down to up.

Impact:
There is no expected immediate impact of this message. The message merely indicates that mcpd has begun performing an operation and that there are no expected side effects until that operation is complete.

Recommended Action:
None.


010713c2 : No new proposal values detected

Location:
/var/log/ltm

Conditions:
Mcpd processed a message to update the settings for the admin network parameters or cluster floating interface (address, gateway address, or hostname), however, the message contained no new or changed information.

Impact:
No changes will be made to the admin network parameters or cluster floating interface.

Recommended Action:
If a change to the admin network parameters or cluster floating interface was intended, verify that the correctly changed information has been provided through the chosen configuration method.


010713c3 : Hypervisor updating %s. Old value: (%s) New value: (%s).

Location:
/var/log/ltm

Conditions:
This message is displayed during normal start-up on a VCMP guest when the VCMP guest received a management address or hostname from the VCMP host.

Impact:
The VCMP guest might install the proposed configuration depending on its current configuration.

Recommended Action:
None.


010713f6 : CentMgmt objects must be in the '/Common' folder

Location:
/var/log/ltm

Conditions:
Prior to version 11.1.0, using the cm device command to add a device to the system outside of devmgmtd.

Impact:
None.

Recommended Action:
None.


01071412 : Cannot delete IP (%s) because it is used by the system config-sync setting.

Location:
/var/log/ltm, console, and GUI.

Conditions:
When trying to delete a self IP, but self IP is referenced in config sync settings.

Impact:
Prevent the self IP from being deleted, until the config sync settings no longer reference the self IP.

Recommended Action:
Remove the self IP from the config sync setting before trying to delete the self IP again.


0107142f : Can't connect to CMI peer %s, %s

Location:
/var/log/ltm reports "Can't connect to CMI peer %s, %s"

tmsh show cm sync-status shows the connection state

tmsh prompt will show whether devices are connected. States include 'connected' or 'disconnected'.

Conditions:
Internal Conditions:
- socket failures, for example, create, setting socket options, failure to connect or poll on file descriptor.
- TMM on the local side has not yet established a listener (or failed to bind the socket)

External Conditions:
- The other device isn't ready, for example, the TMM on the other side hasn't been initialized to receive connections.
- General network failures (e.g. switch failure, cable failure, power outage, etc.)

Impact:
This generally is not a BIG-IP system error; it indicates external network failures. The BIG-IP will attempt to reconnect to peers till there's a successful connection.

Recommended Action:
This error is usually seen as a result of external network problems, but can be a symptom of internal problems such as mcpd running out of memory, the kernel running out of file descriptors, or mcpd restarting. This error is usually seen as a result of external network problems, but can be a symptom of internal problems such as mcpd running out of memory, the kernel running out of file descriptors, or mcpd restarting.

To check file descriptors: sysctl fs.file-nr

If mcpd runs out of memory or restarts, it should be logged in /var/log/ltm.

The config-sync connection uses port 6699, which is then routed and tunneled through tmm which establishes an ssl connection on port 4353 to the peer.

To check if the config sync listener exists and whether there are peer connections over the config-sync connection:
    lsof -i | grep 6699

This should produce something like the following:
mcpd 6594 root 20u IPv6 1004016 TCP 10.20.0.1:6699 (LISTEN)
mcpd 6594 root 106u IPv6 1004433 TCP 10.20.0.1:6699->10.20.0.2:49485 (ESTABLISHED)
mcpd 6594 root 108u IPv6 1004454 TCP 10.20.0.1:40654->10.20.0.2:6699 (ESTABLISHED)

This indicates that the local BIG-IP has successfully created a listener, and is listening for peer connections, and that there are two connections for each peer device (one in each direction). This might help you determine which connection failed to connect.

To inspect the unencrypted CMI traffic on the BIG-IP:
    tcpdump -nn -l -i <config sync vlan>:h port 6699
To check file descriptors: sysctl fs.file-nr

If mcpd runs out of memory or restarts, it should be logged in /var/log/ltm.

The config-sync connection uses port 6699, which is then routed and tunneled through tmm which establishes an ssl connection on port 4353 to the peer.

To check if the config sync listener exists and whether there are peer connections over the config-sync connection:
    lsof -i | grep 6699

This should product something like the following:
mcpd 6594 root 20u IPv6 1004016 TCP 10.20.0.1:6699 (LISTEN)
mcpd 6594 root 106u IPv6 1004433 TCP 10.20.0.1:6699->10.20.0.2:49485 (ESTABLISHED)
mcpd 6594 root 108u IPv6 1004454 TCP 10.20.0.1:40654->10.20.0.2:6699 (ESTABLISHED)

This indicates that the local BIG-IP has successfully created a listener and is listening for peer connections and that there are two connections for each peer device (one in each direction). This may help you determine which connection failed to connect.

To inspect the unencrypted CMI traffic on the BIG-IP:
    tcpdump -nn -l -i <config sync vlan>:h port 6699


01071430 : Cannot create CMI listener socket on address %s, port %d, %s

Location:
This will show in /var/log/ltm, and the CMI section of the prompt status will stay Disconnected.

Conditions:
Unable to create and bind the TCP connection used for listening to incoming CMI connections. The message will include strerror(3) output describing the problem.

Impact:
CMI will remain disconnected.

Recommended Action:
If the error string contains 'Cannot assign requested address', then ensure that a route exists to the remote device's configsync-ip.


01071431 : Attempting to connect to CMI peer %s port %d

Location:
/var/log/ltm

Conditions:
mcpd is starting up and attempting to set up a CMI connection to another device in the trust domain.

Impact:
This is not an error message. Other later messages will indicate whether this succeeded or failed.

Recommended Action:
None.


01071432 : CMI peer connection established to %s port %d after %d retries

Location:
/var/log/ltm

Conditions:
This device has successfully created a CMI connection to another device in the trust domain. This happens on mcpd startup or after a previous disconnection.

Impact:
This is not an error message. Configuration synchronization is now possible with the named device.

Recommended Action:
None.


01071434 : No CMI peer devices configured

Location:
/var/log/ltm

Conditions:
A device is in a DSC trust domain with other devices, but no config sync addresses have been configured.

Impact:
The device will be unable to connect to peers to sync configuration.

Recommended Action:
The user might be able to configure the configsync-ip on the local device to resolve the issue. If multiple devices are in this state, it might require the user to reset the trust on all of the devices, configure the configsync-ip individually, and then re-add the devices to the trust domain.


01071435 : Disconnecting from CMI peer %s as a result of a reconfiguration

Location:
/var/log/ltm

Conditions:
The CMI configuration has changed, requiring mcpd to intentionally disconnect from the named device. If it makes sense for the configuration change, it will attempt to reconnect shortly.

Impact:
If this happens because you removed a device from trust, there is no impact. If you modified the CMI configuration but left the device in place, you will not be able to sync the configuration until the device has reconnected.

Recommended Action:
None.


01071436 : CMI listener established at %s port %d

Location:
/var/log/ltm

Conditions:
mcpd is initializing and successfully created a listener that can accept incoming CMI connections.

Impact:
This is not an error message. This part of the system is healthy. mcpd can now accept incoming CMI connections.

Recommended Action:
None.


0107143a : CMI reconnect timer: %s

Location:
This message appears in /var/log/ltm, but only when mcpd debug logging is enabled.

Conditions:
There are two possible versions of this message.

The following message occurs when the device loses its CMI connection to at least one other device, and is starting up a timer to try reconnecting every five seconds:
CMI reconnect timer: enabled because at least one device is disconnected

Once the condition is cleared, the following message occurs to indicate that the reconnect timer is canceled:
CMI reconnect timer: disabled because all peers are connecting or connected

Impact:
mcpd is unable to make a CMI connection to at least one other device. The prompt status will also show as Disconnected.

Recommended Action:
Investigate why the connection is failing. The other device might either be unreachable or having an error of its own. Run 'show cm sync-status' to see exactly which device is disconnected.


0107143b : CMI connection debug info: %s

Location:
/var/log/ltm

Conditions:
MCPD log level is set to 'debug'. Debugging message related to CMI inter-device configuration synchronization. Usually this message indicates a change in state, such as a device connecting or disconnecting.

Impact:
Generally low. If the system is in an error state, a higher priority message will be logged at the same time.

Recommended Action:
None.


0107143c : Connection to CMI peer %s has been removed

Location:
/var/log/ltm

Conditions:
The CMI connection to another device has disconnected, either due to a problem with the other device or with the link itself.

Impact:
Synchable configuration will not be sent to the device in question until the connectivity problem is resolved.

Recommended Action:
If this is unexpected, inspect the log on the other process to determine what may be going wrong.


01071451 : Received CMI hello from %s

Location:
/var/log/ltm

Conditions:
Another device has established a CMI connection to this device.

Impact:
This is not an error message. CMI configuration sync will now be possible between the two devices.

Recommended Action:
None.


0107146f : Self-device %s address cannot reference the non-existent Self IP (%s); Create it in the /Common folder first.

Location:
/var/log/ltm, tmsh

Conditions:
The administrator has attempted to define a configsync or mirror-ip address that is not a valid self-ip.

Impact:
The operation fails and the address is not set.

Recommended Action:
Create the self-ip prior to using it as a configsync or mirror-ip address.


01071470 : Disconnecting from CMI device %s, the device is not in a trust domain

Location:
/var/log/ltm

Conditions:
This error occurs when another device attempts to create a CMI connection (that is, the mcpd for the additional device is starting up), and the device name it announces is unrecognized. This issue can occur if the device was removed from CMI while it was offline. Alternately, this error can occur if another device attempts to create a CMI connection, and there is no self device. During normal operation, this error is impossible.

Impact:
The BIG-IP system refuses to accept the connection. Sync will not occur, usually the expected behavior, because this message occurs if CMI was deconfigured on one device but the other devices were not informed.

Recommended Action:
Log on to the device attempting to connect, and remove it from its trust domain. Log on to any other devices in the trust domain and remove the device object. If desired, re-add the device to the trust domain.


0107147f : Could not read certificate file (%s)

Location:
This error message is displayed on the user interface, such as XUI or TMSH.

Conditions:
If you have scripts (such as iRule, CLI, APL or App Template scripts) and want to sign them for read-only protection, as part of the signing process, and the provided certificate cannot be read by BIG-IP system, this error message is displayed.

Impact:
When this message appears, verify that the certificate is correct and available before applying the signature.

Recommended Action:
When this message appears, verify that the certificate is correct and available before applying the signature.


01071485 : %s (%s) content does not match the signature.

Location:
/var/log/ltm, CLI, GUI

Conditions:
The signature on an AplScript, AppTemplate, CliShellScript, or iRule object does not match its contents.

Impact:
Configuration changes including the mismatched signature/content will be rejected.

Recommended Action:
None.


01071488 : Remote transaction for device group %s to commit id %llu %llu %s %llu failed with error %s

Location:
/var/log/ltm

Conditions:
This message occurs when this device sends a Config Sync to another device, and validation fails remotely on that device. This message includes another log message that provides more information.

This message indicates a legitimate misconfiguration, and provides an action to take that is related to the synchronized objects.

One common example applies to a floating self IP. The self IP object is required to name a VLAN on which it listens. A VLAN of the same name must exist on the other device, as well.

Impact:
The remote device aborted the Config Sync transaction, and did not acquire any of its changes.

Recommended Action:
This message can include a more specific error, which you can reference in the error catalog for resolution.


0107149c : Virtual server %s has more than one clientssl/serverssl profile but none of them is default for SNI.

Location:
/var/log/ltm

Conditions:
The virtual server is configured to securely host (such as through HTTPS) multiple DNS hostnames, but none of the profiles are the default, and the virtual server configuration has unchecked the "Require Peer SNI Support", thereby permitting client connections not using SNI support.

This is an error because a default profile is required to identify the SSL certificate to be provided from the virtual server to the client when an incoming client connection requests an unrecognized hostname, or when the client does not support the Server Name Identification extension (SNI, RFC 4366) to the TLS protocol.

Impact:
The virtual server configuration fails to load, and the virtual server is unavailable.

Recommended Action:
User should configure the server to select a default SSL profile for SNI, for each of one Client SSL profile and one Server SLL profile, or enable the feature to, 'Require Peer SNI support'. The configuration should then load successfully (a reboot is not required).


010714a0 : Sync of device group %s to commit id %llu %llu %s %llu from device %s complete

Location:
/var/log/ltm

Conditions:
The mcpd log level is set to 'notice' or 'debug', a device is in a trust domain with at least one other peer, and the peer synced a device group.

Impact:
The local device has updated the last sync information of the peer for a particular device group.

Recommended Action:
Set the db variable log.mcpd.level to 'notice' or any other more restrictive level.


01071515 : Unclassified domain logging on %s requires log publisher to be set.

Location:
tmsh, GUI

Conditions:
When configuring Unclassified domain logging in a classification profile, without any log profile assigned to classification profile.

Impact:
Unclassified domain logging is not available through classification HSL.

Recommended Action:
Attach log profile to classification profile.


01071528 : Device group '%s' sync inconsistent, %s.

Location:
/var/log/ltm, tmsh

Conditions:
This can be reported via:
"tmsh show /cm sync-status"

A device is in a DSC device group and a configuration sync failed.

Impact:
The configuration is unable to propagate to the peer.

Recommended Action:
There should be additional information in the message to indicate why the sync failed. There may also be additional logs in /var/log/ltm.

See also: tmsh show /cm sync-status


01071539 : Mcpd is starting. The BIG-IP version is %s

Location:
/var/log/ltm

Conditions:
mcpd is starting. This happens as a normal result of restarting the daemon or simply first time boot.

Impact:
This is normal and expected behavior. Mcpd should begin to progress through initialization phases.

Recommended Action:
None.


01071587 : Commit ID message ignored, %s

Location:
/var/log/ltm

Conditions:
This message occurs when a device receives a commit ID update (that is, a config change) from a peer, but the commit ID is missing the originator field.

Impact:
No known negative impact.

Recommended Action:
To examine the commit IDs from a peer, you can run tmsh run /cm sniff-updates.


010715bc : "The application service (%s) has strict updates enabled, the object (%s) must be updated using an application management interface."

Location:
GUI, CLI

Conditions:
An application service has strict updates enabled, and you are trying to manage associated objects outside of the application management interface.

Impact:
Any changes that you make directly to objects associated with the application service will be lost.

Recommended Action:
Update the objects through the iApp menu in the BIG-IP Configuration utility or through the tmsh sys appplication service. An alternative is to access the application service through the iApp menu, view the advanced properties, and disable strict updates for the service so that you can manage associated objects directly. However, if you use the iApp to make changes later, the changes that you made directly will be lost.


0107167d : Data publisher not found or not implemented when processing request %s.

Location:
/var/log/ltm

Conditions:
Possible causes of this error include:
- Statsd daemon might not be running yet.
- Mcpd received a bad request.
- A stats publisher is not available to handle the request.

Impact:
Impact can potentially include:
- No stats available.
- Certain requests are not be processed by Mcpd.

Recommended Action:
(1) Ensure that statsd daemon is running. `bigstart status statsd merged`
(2) Ensure that the publishing daemon is running. For example, if the error is logged when you run `tmsh show net arp`, determine whether the TMM is up by running `bigstart status tmm`.

If any of the daemons are down, run `bigstart start <daemon>`.

If all daemons are running, then neither of the two cited daemons is the cause. Instead, the cause might be an internal issue related to a malformed request, in which case you should file a support ticket.


01071681 : SNMP_TRAP: Virtual %s has become available

Location:
/var/log/ltm

Conditions:
This message is logged when the virtual server becomes "available", transitioning from some other status. Note that this indicates the virtual server is now "status-green", transitioning from some other status such as "unchecked-blue" or "unavailable-red".

Impact:
This message is log-notification only when the virtual server status is changed to be available (status "green"). This is not an error, as this virtual server is established as correctly configured to receive new client connections.

Recommended Action:
This is not an error, but a notification of a virtual server status change that has now become available.


01071682 : SNMP_TRAP: Virtual %s has become unavailable

Location:
/var/log/ltm

Conditions:
Example:
SNMP_TRAP: Virtual my_server has become unavailable

This message is logged when the virtual server becomes "unavailable", transitioning from some other status. Note that this indicates the virtual server is now "status-red", transitioning from some other status such as "available-green" or "unchecked-blue".

Impact:
This message is log-notification only when the virtual server status is changed to be unavailable (status "red"). Because the virtual server is unavailable, no new client connections will be established to this virtual server.

Recommended Action:
This is a notification of a virtual server status change for a virtual server has now become unavailable. The unavailable-status (i.e., "red") might be an indication of an error, such as when the required number of pool members are unavailable due to configuration error or one-or-more pool member failures.


0107168c : Incremental sync complete: This system is updating the configuration on device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.

Location:
/var/log/ltm

Conditions:
A device in a DSC device group is able to successfully construct an incremental sync message requested by a peer.

Impact:
This is information about a successful operation.

Recommended Action:
None.


0107168e : Unable to do incremental sync, reverting to full load for device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.

Location:
/var/log/ltm

Conditions:
The device is in a DSC device group with incremental sync enabled.

If a peer device requests an incremental sync, and the local device is unable to reconstruct the series of incremental syncs out of the sync cache from the commit_id specified by the peer, it will revert to a full sync.

This usually occurs because the cache is full and prior commit_id transactions have been dropped to make space.

The cache can be inspected by an Administrator via:
tmsh show cm device-group <device group name> incremental-config-sync-cache

The size of the cache can be set/checked per device group:
tmsh list cm device-group <device group name> incremental-config-sync-size-max

Impact:
Syncing may take a longer to complete. If automatic syncing is enabled, and many changes are made to configuration in the device group, this could cause mcpd to become unresponsive and in extreme cases run out of memory and core.

Recommended Action:
If a user is seeing this message, it's recommended to increase the size of the incremental sync cache and/or reduce the size and frequency of config changes.


010716b3 : A draft policy (%s) can not be applied to a ACL rule.

Location:
/var/log/ltm

Conditions:
An unpublished L7 policy is being assigned to an AFM ACL rule.

Impact:
Configuration validation, no impact.

Recommended Action:
Publish the L7 policy before assigning it to the AFM ACL rule.


010716b4 : Policy %s cannot be assigned to %s, because %s.

Location:
/var/log/ltm

Conditions:
An L7 policy is not compatible with a destination object, for example, when a non-classification policy is being assigned to an AFM ACL rule.

Impact:
Preventive configuration validation, no impact.

Recommended Action:
Attach only compatible L7 policies to a destination object.


010716e3 : Policy '%s'; an action occurs before conditions in another rule. For best-match, all actions must happen later than all conditions.

Location:
/var/log/ltm

Conditions:
A Best-Match CPM policy has an action in one or more of its rules that is not guaranteed to follow a condition in one or more rules. (The rules containing the action and condition may be different.)

Impact:
The policy will not load.

Recommended Action:
Change the Best-Match policy so that the actions occur in events that are compatible with the conditions. Actions must always occur after conditions.

If action events are not guaranteed to follow conditions, then a programatic solution is available via iRules. The situation where the action's event is encountered before the condition event can be handled in an arbitrary way by the iRule.


0107172d : Policy '%s' can't be applied to virtual server '%s' because it has no rules

Location:
The error message is visible in the web user interface, TMSH/CLI console, and the LTM log (/var/log/ltm).

Conditions:
The error message is triggered by the attempt of a user driven action to create or modify an LTM policy without specifying policy rules.

Impact:
Directing the user to create or modify an LTM policy within the required validation conditions, in this case by specifying policy rules for the LTM policy.

Recommended Action:
The user action should follow the correct steps while creating or modifying an LTM policy, by adding at least a validation rule to the LTM policy.


01071764 : HA order list in traffic group (%s) cleared because there is no self failover device group.

Location:
/var/log/ltm

Conditions:
When a device is no longer a member of a sync-failover group, any ha-order list specified for any traffic group is automatically cleared.

Impact:
None. Expected behavior because of a configuration change.

Recommended Action:
None.


0107179a : Setting DB variable %s to %s. Reboot is required for changes to take effect.

Location:
/var/log/ltm

Conditions:
On a BIG-IP non-Virtual Edition (VE) device or hardware device that does not have a FIPS 140-2 Level 1 license, a FIPS 140-2 Level 1 license has been procured and installed.

-- BIG-IP non-VE or hardware device does not have a FIPS 140-2 Level 1 license.
-- A FIPS 140-2 Level 1 license is procured and installed.
-- The prompt changes to 'REBOOT REQUIRED'.

Impact:
The system prompt changes to 'REBOOT REQUIRED'. The device must be rebooted for the new license settings to take effect.

Recommended Action:
None.


010717b3 : Setting DHCP request-option to none can result in management-ip misconfiguration and loss of management connectivity.

Location:
/var/log/ltm

Conditions:
- Using DHCP to configure management-ip, management-route, DNS, hostname, etc. in a BIG-IP.
- Setting DHCP request-option to none using "tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options none".

Impact:
As request-options specify the management options that a dhclient running on BIG-IP device requests from the dhcp server in the network, setting request-options to none could result in a BIG-IP device not receiving any configuration (mgmt-ip, mgmt route, dns etc) crucial for management connectivity.

Recommended Action:
DHCP servers can be configured with "authoritative" setting, in which case, it would always provide dhclient with a fixed set of configuration, even if it receives an empty request-options list from dhclient.


010717b6 : %s can only be used in one LSN pool or security nat source translation object. The PCP Server %s (%s) is in use by lsn pool %s.

Location:
GUI, CLI

Conditions:
If PCP Server is already in use by one of the LSN Pools for FW NAT Source translation objects and the user is configuring the same PCP server on another LSN Pool or FW NAT source translation object, user will see this MCP validation error.

Impact:
Creation/Modificaton of the LSN Pool or FW NAT Source translation object would fail unless the user modifies the PCP server field.

Recommended Action:
None.


010717dc : VXLAN tunnel remote address can be configured only as any(0.0.0.0) with flooding types none and multipoint.

Location:
GUI, /var/log/ltm

Conditions:
When configuring a non-multicast VXLAN tunnel in which the tunnel remote-address is set to non-zero address.

Impact:
MCP validation blocks this improper configuration for non-multicast VXLAN tunnels and displays this error message.

Recommended Action:
For non-multicast VXLAN tunnels, the user has to set the tunnel remote-address to 'any' (0.0.0.0).


010717e2 : Client SSL profile (%s): must have at least one set of %s.

Location:
/var/log/ltm

Conditions:
The user has configured a Client SSL profile improperly.

Impact:
The profile configuration does not specify a certificate/key pair, and is therefore disallowed.

Recommended Action:
Specify a certificate/key pair in the Client SSL profile configuration.


0107183b : Cannot disable LDNS cache when a Wide IP has persistence enabled.

Location:
/var/log/ltm

Conditions:
During a GTM configuration load or while processing a configuration modification, MCPD received a message to set the LDNS cache to disabled but there exists at least one wideip that has persistence enabled.

Impact:
The LDNS cache is required for wideip persistence, therefore MCPD will set the LDNS cache to enabled.

Recommended Action:
The LDNS cache must be enabled for wideip persistence to function; therefore, it is advised that either wideip persistence must be disabled or the LDNS cache must remain enabled.

The following tmsh command will disable persistence for all wideips of the specified record type:
tmsh modify gtm wideip <wideip_record_type> all persistence disabled


01071860 : Cannot enable feed list %s. Maximum number of enabled feed list allowed is %d.

Location:
log/UI/TMSH, GUI

Conditions:
When trying to enable more than 8 urldb feedlist entries for custom url categorization.

Impact:
Only the first 8 feedlist entries will work.

Recommended Action:
Remove one or more feedlist entries from 8 already enabled feedlist entries, if a new one is needed.


01071863 : OCSP cert-validator (%s): DNS resolver and proxy server pool can not be both empty.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to create an OCSP cert-validator, but assigning neither a DNS resolver nor a proxy server pool to the OCSP validator.

Impact:
None.

Recommended Action:
Specify either a DNS resolver or a proxy server pool for the OCSP cert-validator.


01071864 : OCSP cert-validator (%s): The certificate (%s) can not be used by an OCSP cert-validator as a %s, because it is currently using some cert-validator (%s) to monitor its status.

Location:
/var/log/ltm

Conditions:
The error message is not being used.

Impact:
None.

Recommended Action:
None.


01071865 : Unable to find an HTTP-based OCSP responder URL that is configured in the OCSP cert-validator (%s) or in the AIA (Authority Information Access) extension of the certificate (%s).

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
An OCSP validator is assigned to a certificate, but no OCSP responder URL is found in either the OCSP validator's configuration or the certificate's AIA (Authority Information Access) extension.

Impact:
None.

Recommended Action:
Either configure the OCSP responder URL for the OCSP validator, or use a certificate that contains the AIA extension that specifies the OCSP responder's URL.


01071866 : OCSP cert-validator (%s): Please specify a HTTP-based absolute URL for the OCSP responder.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to configure an invalid URL address (not starting with http://) as the responder URL of an OCSP cert-validator.

Impact:
None.

Recommended Action:
Configure an OCSP responder URL to the OCSP cert-validator that starts with "http://".


01071867 : OCSP cert-validator (%s): Both key and certificate should be specified for signing the OCSP request.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to configure only the signer key (without a signer certificate) or only the signer certificate (without a signer key) to an OCSP cert-validator. Signer key and certificate should come as a pair.

Impact:
None.

Recommended Action:
Either specify both key and certificate, or specify none of them.


01071868 : OCSP cert-validator (%s): Only prime256v1 named curve is supported for signer key.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The signer key of the OCSP validator is an EC (elliptic curve) key with an unsupported curve type (the only supported curve is prime256v1).

Impact:
None.

Recommended Action:
If the signer key is an EC (elliptic curve) key, make sure that its curve type is prime256v1.


01071869 : OCSP cert-validator (%s): Security type %s is not supported for signer key.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to configure a signer key to an OCSP validator, but the key type of the signer key is not supported.

Impact:
None.

Recommended Action:
The security type of the key can be obtained by "tmsh list sys crypto key". Currently fips and nethsm types are not supported.


0107186a : OCSP cert-validator (%s): Signer key (%s) and signer certificate (%s) do not match.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The signer key and signer certificate that the user is configuring for the OCSP cert-validator don't match.

Impact:
None.

Recommended Action:
Make sure that the key and certificate match each other. If not, try to get a correct key/certificate pair.


010718e1 : Only the standard-balanced-fpga firmware type is permitted in vCMP mode.

Location:
tmsh, GUI, iControl, /var/log/ltm

Conditions:
Provisioning VCMP or changing the FPGA.

Impact:
User is forced to only use standard-balanced-fpga when using VCMP.

Recommended Action:
Make sure the FPGA is set to standard-balanced-fpga when using VCMP.


010718e3 : Certificate (%s) has enabled OCSP at cert-validation-option but is not associated with any OCSP cert-validator.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to enable OCSP monitoring for a certificate that has no OCSP validator assigned.

Impact:
None.

Recommended Action:
Assign an OCSP validator to the certificate first, and then enable the OCSP monitoring for the certificate.


010718e4 : OCSP cert-validator (%s): can not use both DNS resolver and proxy server pool. Please ensure that only one of them is configured.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to create an OCSP cert-validator, but assigning both of DNS resolver and proxy server pool to the OCSP validator.

Impact:
None.

Recommended Action:
Remove either the DNS resolver or proxy server pool from the OCSP cert-validator.


01071909 : Log publisher '%s' used by the Anti-Fraud profile '%s' must have a single destination of type '%s'.

Location:
TMSH, GUI

Conditions:
Trying to delete a publisher used by Anti-Fraud, or trying to set a publisher with wrong destination type.

Impact:
Configuration will fail.

Recommended Action:
Detach publisher from Anti-Fraud profile prior publisher removal. Set a publisher with the correct destination type.


0107190a : Field '%s' cannot be empty in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, GUI, and console

Conditions:
An empty field was specified while configuring an Anti-Fraud profile.

Impact:
Configuration will not be applied.

Recommended Action:
Specify a non-empty field.


01071911 : %s in rule (%s) are not allowed under %s event on the %s (%s).

Location:
/var/log/ltm, GUI

Conditions:
This is an error that is issued when MCPD is validating iRule proc with the current configuration and detecting an incompatibility.

This scenario is most likely involves the user creating a library of nested reusable iRule procs that are meant to be called from multiple event based iRules and other procs, and then combining one or more iRules with these procs by associating them with the virtual server in order to achieve the desired behavior. One or more of of the rules invoking functionality in the procs does so in under the wrong event.

For example, an iRule proc might attempt to return an application specific combination of HTTP headers, including the host header:

# user creates virtual
ltm virtual vs_http {
   destination any:80
   profiles {
     http {}
     tcp {}
   }
   ...
}
   

# user creates rule in ltm rule /Common/rl_app_http
proc get_app_host_headers { } {
 return "[HTTP::header app_1]-[HTTP::host]"
}
proc get_app_headers { } {
 return "[call get_app_host_headers]-[HTTP::host]"
}

this code may then be called from an iRule event in
# in ltm rule /Common/rl_http_req
when HTTP_RESPONSE {
 set app_h [call rl_app_http::get_app_host_headers]
}


# Error is issued by validation code upon saving since HTTP::host is not valid under HTTP_RESPONSE

Impact:
Saving the modified configuration will not be possible.
The virtual server configuration or iRules need to be corrected before saving the configuration will be possible.

Recommended Action:
Users need to ensure that the correct combination of iRule commands and events is associated with the virtual server by performing one of the steps:
1. Associate the right profile(s) with the virtual server.
2. Use only applicable commands in iRule procs.
3. Ensure that the combination of events in iRules and commands is still valid when modifying virtual server configuration.


01071912 : %s in rule (%s) requires an associated %s profile on the %s (%s).

Location:
/var/log/ltm

Conditions:
A an iRule script was added to a virtual that referred to a configuration object (like pool, snat pool, transport-congig, etc). When this iRule script was added to a virtual or transport-config, the validation logic identified that the referred object would not be present unless the named profile existed on the virtual or transport-config.

Impact:
There should be no impact. The validation logic checks the configuration to insure the script will run properly.

Recommended Action:
Remove the reference to the named object and add the script to the virtual or transport-config.


01071913 : %s in rule (%s) under %s event at %s (%s) does not satisfy cmd/event/profile requirement.

Location:
/var/log/ltm and GUI

Conditions:
This is an error that is issued when MCPD is validating iRule proc with the current configuration and detecting an incompatibility.

This scenario is most likely involving the user creating a library of reusable iRule procs that are meant to be called from multiple event based iRules, and then combining one or more iRules with these procs by associating them with the virtual server in order to achieve the desired behavior. The user then decides to remove a profile deemed unnecessary from the virtual.

However, the combination of virtual server, the iRule event that leads to calling the proc and the commands executed in the iRule proc itself, might lead to incompatible combination.

For example, an iRule proc might attempt to return an application specific combination of HTTP headers:

# user creates virtual
ltm virtual vs_http {
   destination any:80
   profiles {
     http {}
     tcp {}
   }
   ...
}
   

# user creates rule in ltm rule /Common/rl_app_http
proc get_app_headers { } {
 return "[HTTP::header app_1]-[HTTP::header app_2]"
}

this code may then be called from an iRule event in
# in ltm rule /Common/rl_http_req
when HTTP_REQUEST {
 set app_h [call rl_app_http::get_app_headers]
}


# user then decides to remove http profile from the virtual server
... (tmos)# mod ltm virtual vs_http profiles delete { http } <ENTER>

# Error is issued by validation code

Impact:
Saving the modified configuration will not be possible.
The virtual server configuration or iRules need to be corrected before saving the
configuration will be possible.

Recommended Action:
Users need to ensure that the correct combination of iRule commands and events is associated with the virtual server by performing one of the steps below:
1. Associate the right profile(s) with the virtual server
2. Use only applicable commands in iRule procs
3. Ensure the combination of events in iRules and commands is still valid when modifying
   virtual server configuration


01071918 : CMI device (%s) has a different version (%s) from this device (%s).

Location:
/var/log/ltm

Conditions:
Another device attempts to make a CMI connection to this device, but reports that it has a different version of TMOS than this device.

This message will show up during the process of upgrading a CMI trust domain from one version of TMOS to a later one.

Impact:
CMI sync between devices of different versions is not supported.

Recommended Action:
This message usually will show up during the process of upgrading a CMI trust domain from one version of TMOS to a later one. Once all devices are upgraded to the new TMOS version, they will be able to connect to each other.


010719a8 : URL parameters can be %s only when %s is enabled in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Parameter's flag is dependent on URL flag. (in order to enable Parameter's flag 'A', URL's flag 'B' must be enabled).

Impact:
Parameter's flag won't be set.

Recommended Action:
Enable the dependent flags.


010719ac : Anti-Fraud parameter '%s' is invalid. Parameter cannot be %s while it is %s in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
mcpd, tmsh console, GUI

Conditions:
A mobilesafe parameter is marked as encrypted, and the user want's to mark it as enforced (entangled).
OR
A mobilesafe parameter is marked as enforced, and the user want's to mark it as encrypted.

Impact:
Parameter remains with original flag enabled.

Recommended Action:
Enable either "encrypted" or "enforced", but not both.


010719b7 : URL whitelist words can be selected only from malware blacklist words in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Setting a whitelist word that isn't configured in blacklist words (of the same profile).

Impact:
The mcp transaction aborted. Malware object is not changed.

Recommended Action:
Add whitelist words only if they are configured in blacklist words (of the same profile).


010719b7 : Anti-Fraud DOM signature '%s'(hash ID) cannot be deleted as it appears in the DOM signatures whitelist in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to delete an Anti-Fraud DOM signature that appears in a DOM signatures whitelist. The whitelist is in a URL in the Anti-Fraud profile.

Impact:
The Anti-Fraud DOM signature is not deleted.

Recommended Action:
If an Anti-Fraud DOM signature needs to be deleted, then before deleting it,
remove it from all DOM signatures whitelists that it appears in.


010719c9 : Unicast address warning (FAILOVER MAY NOT WORK): %s should be a mgmt (blade) address or non-floating self IP.

Location:
/var/log/ltm

Conditions:
The address does not seem to be valid with the information present in the local box, but may still be valid based on the configuration of the network.

Impact:
Verify the unicast address to make sure there is not a configuration error.

Recommended Action:
None.


010719d6 : The location '%s' cannot have empty path between leading '/' and file extension or trailing '/', and also cannot contain only '/' and '.' in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Setting invalid location (empty or contains only '/' and '.' characters).

Impact:
The mcp transaction aborted. Changes will not take effect.

Recommended Action:
Set valid locations only (non-empty, containing alphanumeric characters).


010719e7 : Virtual Address %s general status changed from %s to %s.

Location:
/var/log/ltm

Conditions:
Example:
Virtual Address my_server general status changed from YELLOW to GREEN.

This message is logged when a general status change is detected for the virtual address. Possible general statuses for a virtual address include: 'GREEN', 'YELLOW', 'RED', 'BLUE', 'GRAY'.

The general status for a virtual address typically depends on one-or-more pool members, and the associated configuration of the virtual address itself. For example, a pool of four members might be associated with a virtual address, and require a minimum of two pool members to be available for the virtual address to be marked up (that is, "GREEN"). Thus, the conditions for a change in the general status of the virtual address include a combination of the virtual address configuration, plus the health of the contributing pool members.

Impact:
This message might not indicate an error, because it merely reports the detected general status change. For example, upon system start, it is expected that the general status might change from "BLUE" (unchecked) to "GREEN" (available). Similarly, user-action (such as through xui or tmsh) might explicitly change the general status, such as to "GRAY" when forcing the virtual address to be unavailable during maintenance.

Recommended Action:
This message might not indicate an error, but a notification of a virtual address general status change, due to monitor results or user-initiated action. If an unexpected "RED" status is reported, the user should verify the virtual address configuration, and the availability of the contributing pool members.


010719e8 : Virtual Address %s monitor status changed from %s to %s.

Location:
/var/log/ltm

Conditions:
Example:
Virtual Address my_name monitor status changed from CHECKING to UP.

This message is logged when a status change is detected for a virtual address. Possible statuses include: "UNCHECKED", "CHECKING", "INBAND", "FORCED_UP", "UP", "UP_MAX", "DOWN_MIN", "ADDR_DOWN", "DOWN", "FORCED_DOWN", "MAINT", "IRULE_DOWN", "INBAND_DOWN", "DOWN_WAIT_MAN_RES".

Impact:
This message might not itself indicate an error, as it merely reports the detected status change. For example, upon system start it is expected that the status might change from "UNCHECKED" to "CHECKING" to "UP". Similarly, user action (such as through the xui or tmsh) might explicitly change the status, for example, to "FORCED_DOWN".

However, an unexpected "DOWN" status not resulting from intentional user-initiated action might indicate an issue, such as a failed resource or an improperly configured virtual address.

Recommended Action:
This message might not itself indicate an error, but a notification of a virtual address status change, due to monitor results or user-initiated action. If an unexpected "DOWN" status is reported, the user should verify that the virtual address is available and ensure correct monitor configuration.


010719ea : GTM changed state from %s to %s.

Location:
/var/log/ltm

Conditions:
Example:
notice reported: notice mcpd[7345]: 010719ea:5: GTM changed state from UP to DOWN.

This message is not an error by itself, only a notice.
It only means that the GTM module went from UP to DOWN or vice versa.
If the message shows up repeatedly in the logs, this could mean that something else is wrong with the system and the user should look for additional clues as to why this is happening.

Impact:
"GTM changed state from UP to DOWN" means that the gtmd daemon went offline, while offline GTM functionalities will not be available.
"GTM changed state from DOWN to UP" means that the gtmd daemon went online, while online GTM functionalities are available.

Recommended Action:
If GTM is DOWN, the user can bring the daemon back online with the command "bigstart start gtmd", "bigstart stop gtmd" to take it offline. If that does not work, the user should investigate further as to why the daemon is going offline or refusing to come online.


010719fd : No IPv%s self IP exists on VLAN (%s) for static route (%s)

Location:
/var/log/ltm

Conditions:
The last IPv4 or IPv6 self IP was deleted from a VLAN, which will leave a static route without an IP on the egress VLAN.

Impact:
The self IP cannot be deleted until the static route is deleted or its nexthop is changed to use a different VLAN.

Recommended Action:
Before deleting the last IPv4 or IPv6 self IP from a VLAN, delete static routes for that protocol that use the VLAN.


01071a01 : Anti-Fraud parameter '%s' is invalid. URL parameters can appear only in POST request when URL Application Type is Mobile in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
mcpd, tmsh console, GUI

Conditions:
Trying to set a Mobilesafe parameter to GET method.

Impact:
The transaction aborted. No change to parameter.

Recommended Action:
Either disable mobilesafe encryption, or declare mobilesafe parameter for POST method only.


01071a14 : device_trust_group: Requesting device data from device %s.

Location:
/var/log/ltm

Conditions:
When the local device requests device-specific data from the remote device. This usually happens when the remote device has changed something in its device data, and the local device needs to sync this information.

Impact:
None.

Recommended Action:
None.


01071a15 : device_trust_group: Sending device data to device %s.

Location:
/var/log/ltm

Conditions:
Information that a device is sending its device-specific trust data to the remote device that requested it.

Impact:
None.

Recommended Action:
None.


01071a37 : Anti-Fraud %s '%s' was created as %s and this setting cannot be changed.

Location:
/var/log/ltm

Conditions:
Attempting to change the type of an Anti-Fraud URL or parameter from explicit to wildcard and vice-versa.

Impact:
Configuration will not load.

Recommended Action:
Do not change the type of an Anti-Fraud URL or parameter. Delete item and recreate it with the desired type instead.


01071a38 : Wildcard %ss must have unique priorities in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm

Conditions:
Attempting to assign identical priorities to wildcard URLs or parameters in an Anti-Fraud profile.

Impact:
Configuration will not load.

Recommended Action:
Verify priorities are unique among wildcard URLs or parameters in an Anti-Fraud profile.


01071a39 : Cannot %s of explicit %s in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm

Conditions:
Attempting to edit priority of explicit URL or parameter in an Anti-Fraud profile.

Impact:
Configuration will not load.

Recommended Action:
Do not edit priority of an explicit URL or parameter.


01071a6e : Incompatible options - traffic group %s cannot have both auto-failback-enabled and the failover-method set to ha-score

Location:
/var/log/ltm, console

Conditions:
When a user tries to set both parameters for a traffic-group.

Impact:
The command will not be executed.

Recommended Action:
None.


01071a85 : Anti-Fraud URL '%s' is invalid. Wildcard URL cannot have %s enabled in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Trying to set mutual exclusive flags (that is, wildcard + mobilesafe encryption).

Impact:
The mcp transaction aborted. No change will be made to URL object.

Recommended Action:
Do not try to set mutual exclusive flags.


01071a95 : Admin IP (%s/%s): Gateway (%s) for management route (%s) is not in a connected network.

Location:
/var/log/ltm

Conditions:
When the user creates a management-ip that is not on the same subnet as the management-route, an error message is added to /var/log/ltm.
This validation error message is to help the user to prevent leaving a stray management gateway configured.

Impact:
None.

Recommended Action:
Delete the stray management-route and add a new one that matches the management-ip.


01071a9a : The '%s' for interface %s has been adjusted to '%s'.

Location:
/var/log/ltm

Conditions:
The bundle status and bundle speed attributes of each interface are detected when the system boots up, based on the type of physical ports.
For ports that support the bundle feature, the two attributes have to be updated to reflect the run time values.
A notice is logged into the /var/log/ltm to notify the user of this update.

Impact:
None.

Recommended Action:
None.


01071aa6 : %s bad actor cannot be enabled if per-source detection/limit pps is less than 1% of the DoS vector (%s) %s setting for %s.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit pps is less than 1 percent of the corresponding value of the DoS vector. The Dos vector is specified by the configuration value of the rate threshold/rate limit in the DoS vector.

Impact:
Security DoS DNS/SIP/NETWORK/Device attack vector bad actor cannot be enabled.

Recommended Action:
Change the configuration settings of the DoS attack vector for either per-source detection/limit pps or rate threshold/rate limit.


01071aa7 : %s bad actor per-source detection/limit pps cannot be greater than the Dos vector (%s) %s setting for %s.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit pps is greater than the corresponding value of the DoS vector. The DoS vector is specified by the configuration value of the rate threshold/rate limit in the DoS vector.

Impact:
The security DoS DNS/SIP/NETWORK/Device attack vector bad actor cannot be enabled.

Recommended Action:
Change the configuration settings of attack vector for either the per-source detection/limit pps or the rate threshold/rate limit.


01071acc : Cannot enable maintenance mode when device is forced offline.

Location:
/var/log/ltm, GUI, console

Conditions:
When the device is in forced offline mode; setting it to maintenance mode will not be allowed until the device is back online.

Impact:
None. Validation for a bad config operation.

Recommended Action:
None.


01071acd : The requested device (%s) was not found in self failover device group (%s).

Location:
/var/log/ltm, GUI, console

Conditions:
When a device is not a member of the failover group and a command is executed to specify a traffic group HA order, including the non-member device.

Impact:
The respective HA order command will be rejected with the validation error displayed in the respective UI.

Recommended Action:
Do not include devices that are not member of the failover group when specifying a traffic group HA order; or include the device non-member in the failover group before executing the HA order command.


01071ad3 : The requested provision module (%s) is not compatible with already provisioned module (%s).

Location:
GUI, console

Conditions:
(1) User tries to provision URLDB module, but SWG module is already configured.
(2) User tries to provision SWG module, but URLDB module is already configured.

Impact:
None.

Recommended Action:
Either provision SWG or URLDB module, depending on the use case, but not both.


01071ad4 : LSN pool %s shares the same name as security nat source translation object. LSN iRules that take in 'pool name' as an argument would default to LSN objects

Location:
GUI, CLI

Conditions:
Name of the object has to be unique across LSN Pools and Source translation object, and if the user is attempting to configure a LSN Pool or Source translation Object with name that is already in use by another LSN Pool or Source translation object, this mcpd validation error is thrown to the user via GUI or TMSH.

Impact:
Creation of the LSN pool or FW NAT source translation object would fail unless user uses a different name.

Recommended Action:
None


01071ad9 : Security NAT Source Translation object %s shares the same name as LSN pool. LSN iRules that take in 'pool name' as an argument would default to LSN objects.

Location:
GUI, CLI

Conditions:
This is a warning message shown to the user if the user is attempting to configure the FW Nat source translation object with a name that is already in use by another LSN Pool.

Impact:
User would see this warning, but the configuration will go through fine. So No impact.

Recommended Action:
None


01071af3 : Anti-Fraud parameter '%s' is invalid. URL parameters cannot be entangled for Mobile while no parameter is encrypted for Mobile in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
mcpd, tmsh console, and GUI

Conditions:
Trying to enable Mobilesafe parameter's both encrypt and enforce (entangle) options.

Impact:
Mobilesafe Parameter can have encrypt or enforce options enabled, but not both.

Recommended Action:
None.


01071af8 : The firewall rule UUID cannot be modified by user once it's created.

Location:
/var/log/ltm

Conditions:
A user has tried to modify the policy rule UUID value.

Impact:
The operation to modify the policy rule fails.

Recommended Action:
Modify the policy rule without changing the UUID value.


01071af8 : The firewall rule UUID (%s) already exists in other rules.

Location:
/var/log/ltm

Conditions:
A firewall rule is attempting to use the same UUID that exists in another firewall policy.

Impact:
You cannot create the policy.

Recommended Action:
Try to create the policy with a different rule UUID.


01071af9 : The specified firewall rule UUID (%s) is diffrent from exists rule UUID.

Location:
/var/log/ltm

Conditions:
A different rule UUID has been applied to the same rule.

Impact:
Modifying the rule or re-creating the rule operation fails.

Recommended Action:
Allow the system to choose the rule UUID instead of specifying a different UUID for the same rule.


01071aff : AOM webui is not available in this release.

Location:
/var/log/ltm

Conditions:
When the user tries the following tmsh commands:
- modify sys aom webui enabled
- modify sys aom webui disabled

Impact:
The AOM web services are not supported in this release of BIG-IP software. Typing the tmsh command doesn't do anything.

Recommended Action:
None.


01071b00 : AOM vkvm is not available in this release.

Location:
/var/log/ltm

Conditions:
When the user tries the use one of the following the tmsh commands:
- modify sys vkvm enabled
- modify sys vkvm disabled

Impact:
This tmsh command does not do anything. The AOM Virtual Keyboard, Video and Mouse redirection is not supported in this release of BIG-IP software.

Recommended Action:
None.


01071b27 : Scope name cannot be empty for OAuth Authorization agent %s.

Location:
/var/log/apm, TMSH

Conditions:
The scope name is empty in the OAuth Authorization agent.

Impact:
Object save will fail.

Recommended Action:
Specify a scope name in the OAuth Authorization agent.


01071b28 : Scope name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth scope. If this error appears during import access profile, then the scope-name in the scope already exists on this BIG-IP as part of another scope object. You may want to edit the existing scope and retry importing access profile.

Location:
/var/log/apm, TMSH

Conditions:
If the scope referenced in the OAuth Authorization agent is not created under OAuth Scope, this error will be seen

Impact:
Object save will fail.

Recommended Action:
Create the scope under OAuth Scope first, and then it can be referenced in the OAuth Authorization agent.


01071b29 : %s entry refers to invalid OAuth Authorization agent %s, entry %d.

Location:
/var/log/apm, TMSH

Conditions:
This occurs when the OAuth Authorization Agent Scope or Claim entry refers to an invalid OAuth Authorization agent and its entry.

Impact:
Object won't be saved.

Recommended Action:
Specify the correct OAuth Authorization agent and its entry while creating or modifying an OAuth Authorization agent Scope or Claim entry.


01071b2c : The client app (%s) that is associated with the %s (%s) does not exist.

Location:
/var/log/apm, TMSH

Conditions:
This appears when a client app is referenced in an OAuth profile, and that OAuth client app does not exist.
It also appears when a JWT access token claim is associated with a client app, and the reference client app does not exist.

Impact:
Object save will fail.

Recommended Action:
Make sure that the client app is valid, or create one if necessary. And then, the client app can be referenced in the OAuth Profile, or while associating a JWT access token claim with the client app.


01071b3b : Notice: Purging initiated for OAuth DB Instance (%s). Time taken for DB purging depends on the amount of data; BIG-IP performance may be affected during this time. Only expired tokens will be removed.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator initiates an immediate DB purge of expired tokens (via the Purge Now button).

Impact:
BIG-IP system performance might be affected during this time.

Recommended Action:
None.


01071bad : The certificate (%s) can not simultaneously use a cert-validator (%s) and be configured as the %s of a cert-validator (%s).

Location:
/var/log/ltm, console, iControl, GUI

Conditions:
A conflicting configuration occurred, based on the configuration order:

Order 1: The certificate already has a cert-validator configured, but the user is trying to configure this certificate as some cert-validator's trusted responder or signer certificate.

Order 2 (the other way around): The certificate is already a trusted responder or signer certificate of some cert-validator, but the user is trying to assign a cert-validator to it.

Impact:
None.

Recommended Action:
None.


01071bbd : SSL profile (%s): When CRL configuration name (%s) is specified, both static CRL file (%s) and Allow-Expired-CRL settings are not allowed.

Location:
/var/log/ltm

Conditions:
A user has attempted to configure a CRL object and a static CRL file together in a Client SSL profile.

Impact:
The system has successfully prevented the user from an invalid configuration. There is no impact to the user.

Recommended Action:
None.


01071bcd : Security NAT Source Translation object (%s) cannot use both Self IP and DSLITE tunnel for PCP configuration.

Location:
GUI, CLI

Conditions:
If user is attempting to configure both the DSLITE and Self IP parameters in the PCP configuration in FW NAT source translation object, this error messages is shown to the user.

Impact:
Creation/Modification of the FW NAT source translation object would fail unless removes either of the Self IP or DS Lite tunnel PCP configuration.

Recommended Action:
None


01071bd1 : Inbound CMI connection from IP (%s) denied because it came from VLAN (%s), not from expected VLAN (%s).

Location:
/var/log/ltm

Conditions:
This should not happen under any circumstances.

Impact:
Mcpd has detected that sync traffic is being sent over a VLAN that is not the correct one. Therefore, if any traffic is sent, it is unexpectedly unencrypted. For security purposes, sync is disabled.

Recommended Action:
There is no workaround.


01071bd6 : %s (%s): Cannot enable Device-ID without enabling Bot Signatures and the 'Search Engine' Bot Signature Category.

Location:
/var/log/ltm, console

Conditions:
Using tmsh to create or modify a dos profile with application enabled, and enabling the device-id field without enabling the Search Engine Bot Signature Category.

Impact:
Creation or modification of the dos profile will fail.

Recommended Action:
Create the dos profile using two separate steps. For example:
create security dos profile dos1 application add { dos { bot-signatures { check enabled } } }
modify security dos profile dos1 application modify { dos { tps-based { device-captcha-challenge enabled } } }


01071bd8 : The tag-mode for requested member %s has to be 'none' on platforms that do not support QinQ.

Location:
/var/log/ltm

Conditions:
If the user attempts to configure the tag-mode of a VLAN member to some other value, but 'none' on platforms that do not support QinQ, the MCP validation rejects the configuration, and an error message is logged in the /var/log/ltm.

Impact:
The configuration issued via tmsh command is rejected as invalid.

Recommended Action:
If the user has to configure QinQ functionality, the use must switch to using a platform that supports QinQ.


01071be4 : port-fwd-mode value of interface (%s) is not compatible with vlan (%s) member interface (%s).

Location:
/var/log/ltm

Conditions:
This message is caused by an invalid configuration. When adding a member to a VLAN, the member's forwarding mode must be the same as other members in the vlan. For example, the port-fwd-mode value of the interface must be the same value as other interfaces in the same VLAN.

Impact:
Unable to add the member.

Recommended Action:
Inspect the relevant object configuration in VLAN, trunk, and interface. Do not add an incompatible member with different port-fwd-mode value to the same VLAN.


01071be5 : Member interface (%s) of trunk (%s) not found.

Location:
/var/log/ltm

Conditions:
Caused by an invalid configuration when a trunk consists of a interface, but the interface does not exist. This is very unlikely to happen.

Impact:
The interface will not be added.

Recommended Action:
Inspect the relevant object configuration in the trunk and interface. Delete the trunk object and re-create it.


01071be6 : port-fwd-mode value of interface (%s) is not compatible with trunk (%s) member interface (%s).

Location:
/var/log/ltm

Conditions:
This is caused by an invalid configuration. All interfaces in the same trunk must have the port-fwd-mode property set to the same value.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in trunk and interface. Only add interfaces with the same port-fwd-mode value to the same trunk.


01071bed : The URL (%s) belongs to Custom Category (%s) has invalid type as regex-match and not supported yet.

Location:
/var/log/ltm

Conditions:
When the custom category url type is mentioned as regex type, you would see this message in /var/log/ltm. This regex type is not exposed in TMUI or GUI. This is only possible through programmatic internal access.

Impact:
You will not see this message in console or GUI, because regex type is not exposed.

Recommended Action:
None.


01071bee : SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string has been ignored.

Location:
/var/log/ltm

Conditions:
This message appears if an ssl profile is parsed that has the sslv2 enabled. This is a warning that appears in the logs.

Impact:
The high level impact is that you are using an ssl profile that previously tried to enable sslv2. We have disabled sslv2 and this is warning them that we are ignoring the fact that they tried to enable sslv2. SSLv2 has numerous vulnerabilities and enabling it can even open up vulnerabilities in more secure versions of SSL or TLS.

Recommended Action:
Remove the "sslv2" string from the cipher list.


01071bf0 : Vlan %s c-tag %s is out of range.

Location:
/var/log/ltm

Conditions:
MCP validation code rejects the tmsh configuration for a vlan tag that is grater than 4094 or less than 1. An error is logged in /var/log/ltm.

Impact:
The configuration issued via tmsh command is rejected as invalid.

Recommended Action:
Reissue the tmsh command with a VLAN tag, which is less than or equal to 4094, and equal to or greater than 1.


01071bf1 : Vlan %s tag %d is out of range.

Location:
/var/log/ltm

Conditions:
When the user attempts via tmsh to configure a VLAN tag which is greater than 4094, the MCP validation code rejects the configuration and an error message is logged at /var/log/ltm.

Impact:
The configuration issued via a tmsh command is rejected as invalid.

Recommended Action:
Reissue the tmsh command with a VLAN tag, which is less than or equal to 4096.


01071bf6 : Cannot change FIPS name on busy guest: %s.

Location:
/var/log/ltm

Conditions:
The user tries to change the "fips-name" property of a vCMP guest configuration while the guest is running.

Impact:
The system does not allow the change operation because the guest might be actively using the FIPS partition referred to by the "fips-name" property. As a result, the configuration remains unmodified.

Recommended Action:
Before changing the "fips-name" property of the guest, disable the guest and wait until it stops running.


01071bf7 : Invalid URL format %s in CA-bundle manager %s. Check help page.

Location:
/var/log/ltm

Conditions:
The proxy server configuration on the CA-bundle manager object is restricted to use HTTP proxy.

Impact:
None.

Recommended Action:
The proxy server should be prefixed with HTTP or none.


01071bf8 : Bundle manager %s cannot use a certificate file object %s that depends on itself. This would cause a cyclic dependency.

Location:
/var/log/ltm

Conditions:
CA-bundle manager can be configured with other CA-bundles as sources. In this case, the newly created CA-bundle manager is trying to manage a CA-bundle file that eventually depends on itself. For example, CA-bundle manager A depends on a CA-bundle B managed by CA-bundle manager B, and B is in turn dependent on CA-bundle A.

Impact:
None.

Recommended Action:
Check the dependency relationship between the newly created CA-bundle manager and its included or excluded CA-bundle sources.


01071bf9 : CA-bundle management trace: CA-bundle %s depends on %s.

Location:
/var/log/ltm

Conditions:
CA-bundle manager can be configured with other CA-bundles as sources. In this case, the newly created CA-bundle manager is trying to manage a CA-bundle file, which eventually depends on itself. For example, CA-bundle manager A depends on a CA-bundle B, managed by CA-bundle manager B, and B is in turn dependent on CA-bundle A.

Impact:
None.

Recommended Action:
Check the dependency relationship between the newly created CA-bundle manager and its included or excluded CA-bundle sources.


01071bfa : CA-bundle manager %s does not exist.

Location:
/var/log/ltm

Conditions:
A database join operation refers to a CA-bundle manager that does not exist.

Impact:
None.

Recommended Action:
None.


01071bfb : The default CA-bundle manager %s cannot be deleted.

Location:
/var/log/ltm

Conditions:
The default CA-bundle manager called ca-bundle is being deleted.

Impact:
None.

Recommended Action:
The default CA-bundle manager called ca-bundle cannot be deleted.


01071bfc : The default CA-bundle manager %s cannot be changed.

Location:
/var/log/ltm

Conditions:
An attempt is being made to modify the default CA-bundle manager named ca-bundle.

Impact:
The default CA-bundle manager nameed ca-bundle cannot be modified.

Recommended Action:
None.


01071bfd : The default CA-bundle manager %s cannot change the exclude-url or exclude-bundle sets.

Location:
/var/log/ltm

Conditions:
The default CA-bundle manager called ca-bundle is being modified, regarding the exclude CA-bundles.

Impact:
None.

Recommended Action:
The default CA-bundle manager called ca-bundle cannot be modified.


01071bfe : The port number must be removed from %s, and set separately.

Location:
/var/log/ltm

Conditions:
The URL downloads in the CA-bundle manager configuration might use a proxy. The proxy server and port number are set separately.

Impact:
None.

Recommended Action:
The proxy server and port number are set separately using different attributes.


01071bfe : %s: %s can't be deleted because %s.

Location:
/var/log/ltm, GUI, tmsh

Conditions:
When a configuration object is not allowed to be deleted in the certain situation (described in the message), the error message will be triggered.

If this happens, the related configuration will not be updated.

Impact:
The related configuration will not be updated.

Recommended Action:
The fix that the reason described in the message as to why it cannot be deleted.


01071bff : The trusted CA-bundle must be provided in CA-bundle manager %s in order to download from URLs.

Location:
/var/log/ltm

Conditions:
The CA-bundle manager has an include or exclude URL source, but the trusted CA-bundle is not provided for downloading from the URL source.

Impact:
None.

Recommended Action:
When a CA-bundle manager refers to URL resource as a source, it must also provide the trusted CA-bundle.


01071c00 : The requested certificate file object %s for %s was not found.

Location:
/var/log/ltm

Conditions:
The certificate file object referred by the CA-bundle manager is not yet set up in the configuration database.

Impact:
Fail to set up the CA-bundle manager.

Recommended Action:
Create the proper certificate file object before referring to the object in the CA-bundle manager.


01071c01 : Object %s cannot be used in both include and exclude sets in CA-bundle manager %s.

Location:
/var/log/ltm

Conditions:
The same CA-bundle source, either from local file system or remote URL, is used as both include-source and exclude-source when users configure a CA-bundle manager.

Impact:
None.

Recommended Action:
Users must not use the same CA-bundle source as both include and exclude sources.


01071c02 : CA-bundle URL %s in CA-bundle manager %s only supports HTTPS.

Location:
/var/log/ltm

Conditions:
Users may try to use a CA-bundle manager to compose a new CA-bundle by downloading remote CA-bundle through HTTP or other protocols, such as SFTP.

Impact:
CA-bundle download methods other than HTTPS are disallowed.

Recommended Action:
Use a HTTPS URL.


01071c03 : F5 CA-bundle %s cannot be dynamically managed.

Location:
/var/log/ltm

Conditions:
User may try to create a CA-bundle manager that will manage the update operations of the CA-bundle f5-ca-bundle.crt.

Impact:
The special CA-bundle f5-ca-bundle.crt cannot be managed by the CA-bundle manager due to security reasons. It has to be updated manually, or by F5 official releases.

Recommended Action:
It is a required feature, not to be fixed.


01071c04 : Cannot find device group (%s).

Location:
/var/log/ltm

Conditions:
No device group is configured: needed for policy sync feature.

Impact:
Policy sync validation fails.

Recommended Action:
Create a device group and use it for policy sync.


01071c05 : Cannot find Policy Sync object definition file (%s).

Location:
/var/log/ltm

Conditions:
Cannot find data file(s) needed for the policy sync feature.

Impact:
Policy sync validation fails.

Recommended Action:
Configure data files to use for policy sync.


01071c06 : Cannot find Policy Sync object list file (%s).

Location:
/var/log/ltm

Conditions:
Cannot find the Policy Sync object list file.

Impact:
Policy sync validation fails.

Recommended Action:
Configure the Policy Sync object list file.


01071c07 : Cannot find Policy Sync data file (%s).

Location:
/var/log/ltm

Conditions:
Cannot find the Policy Sync data file.

Impact:
Policy sync validation fails.

Recommended Action:
Configure the Policy sync data file.


01071c08 : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.

Location:
/var/log/ltm

Conditions:
Cannot determine whether agent type is appropriate for access policy because it is not attached to apm profile access using access-policy property.

Impact:
Access policy validation failure.

Recommended Action:
Attach access policy to access profile.


01071c09 : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because visibility is not properly defined.

Location:
/var/log/ltm, GUI, CLI GUI

Conditions:
It cannot be determined whether agent type is appropriate for access policy because visibility is not properly defined.

Impact:
Access policy validation fails.

Recommended Action:
Fix policy agent visibility.


01071c0a : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.

Location:
/var/log/ltm, GUI, CLI

Conditions:
It cannot be determined whether the agent type is appropriate for the access policy type of parent access policy. This is because the policy is not attached to the access profile using the access-policy property.

Impact:
Access policy validation failure.

Recommended Action:
Attach an access policy to the access profile.


01071c0b : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because visibility is not properly defined.

Location:
/var/log/ltm, GUI, CLI

Conditions:
It cannot be determined whether the agent type is appropriate for the access policy of the parent of the access policy because visibility is not properly defined.

Impact:
Access policy validation failure.

Recommended Action:
Fix agent visibility.


01071c0c : Categories can't be assigned without selecting dynamic bwc policy.

Location:
/var/log/tmsh, GUI, CLI

Conditions:
There is no bandwidth control (BWC) policy during agent resource assignment.

Impact:
Agent resource assignment cannot be completed.

Recommended Action:
Define a BWC policy.


01071c0d : Default attribute consuming service (%s) must be present in the list 'attribute-consuming-services' of apm saml aaa (%s)

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
An admin attempts to configure a default attribute consuming service in apm aaa saml object.
Selected 'default' attribute consuming service must be present in the list 'attribute-consuming-services' associated with apm aaa saml object. Error indicated that selected default value is not present in the list.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
A 'default' attribute consuming service must be first configured in 'attribute-consuming-services' associated with apm aaa saml object. After that, the service can be selected as 'default'.


01071c0e : Attribute consuming service session and object cannot variable be configured at the same time in agent (%s)

Location:
/var/log/ltm, tmsh

Conditions:
Administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set both properties 'attribute-consuming-service' and 'attr-consuming-service-session-var'.
This is not valid configuration.

Impact:
This is mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Configure either 'attribute-consuming-service' or 'attr-consuming-service-session-var' property of 'apm policy agent aaa-saml' object.


01071c0f : Attribute consuming service variable (%s) in agent (%s) is not in session variable format

Location:
/var/log/ltm, tmsh

Conditions:
Administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set property 'attr-consuming-service-session-var'. The provided value is not in valid format "%{session.var}".

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The 'attr-consuming-service-session-var' must refer to a valid session variable, for example, "%{session.var}".


01071c10 : 'attribute-name' must be configured for attribute (%s) in attribute-consuming-service (%s)

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object permits specifying list of attributes. Each attribute must have a unique 'attribute-name' property.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Provide 'attribute-name' value for specified attribute.


01071c11 : All attribute names must be unique within attribute-consuming-service (%s). Provided attribute name (%s) is not unique

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object permits specifying list of attributes. Each attribute must have a unique 'attribute-name' property.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Provide a *unique* 'attribute-name' value for specified attribute.


01071c12 : attribute-consuming-service (%s) must specify at least one attribute

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object permits specifying list of attributes. At least one attribute must be configured for every object.

Impact:
This is mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Configure an attribute for specified attribute-consuming-service object.


01071c13 : attribute-consuming-service-index (%d) in aaa saml server (%s) conflicts with index of existing service (%s). Please provide unique index.

Location:
/var/log/ltm, tmsh

Conditions:
An administrator attempts to configure apm aaa saml object to modify a list of attribute consuming services. The explicitly provided index for attribute consuming service is not unique for said aaa saml object.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Do not specify index when configuring a list of attribute consuming services in aaa saml object.
Index will be auto generated when not explicitly specified.
If index must be specified manually, provide a unique value for the index. Value must be unique per aaa saml object.


01071c14 : 'service-name' value must be configured in attribute-consuming-service (%s)

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object requires non-empty value for property 'service-name', which was not provided resulting in error.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Provide a value for 'service-name' property of attribute-consuming-service object.


01071c15 : aaa saml server must be configured before attribute consuming service can be specified

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
An administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set property 'attribute-consuming-service', but aaa saml service has not been specified for this agent.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Specify aaa saml server property for 'apm policy agent aaa-saml', and then provide value for 'attribute-consuming-service'.


01071c16 : SAML agent (%s) specifies attribute consuming service (%s) that is not configured in aaa saml server (%s)

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
An administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set property 'attribute-consuming-service'.

However, the chosen 'attribute-consuming-service' object is not present in the list of services associated with specified aaa saml server.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Add requested service in the list 'attribute-consuming-services' of aaa saml server.


01071c18 : Attribute consuming service (%s) cannot be removed from aaa saml server (%s) because service is set as default

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
An admin attempts to delete a service from the list of 'attribute-consuming-services' associated with apm aaa saml object that is also configured as 'default' attribute consuming service for that apm aaa saml object. Error indicated that this configuration is not valid.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The service must be removed as 'default' attribute consuming service for the apm aaa saml object first and then deleted from the list of 'attribute consuming services' associated with the apm aaa saml object.


01071c19 : The requested username source (%s) is not a valid session variable.

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
Admin can define multiple session variables for username source. If one of these session variables is not valid, this error occurs.

Impact:
Admin can't configure username source field. It is considered to be an mcp configuration error.

Recommended Action:
None.


01071c1a : The requested password source (%s) is not a valid session variable.

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
Admin can define multiple session variables for password source. If one of these session variables is not valid, this error will be thrown.

Impact:
Admin can't configure password source field. It is considered to be an mcp configuration error.

Recommended Action:
None.


01071c1b : Virtuals Servers in the same listener group can have different profiles. Modifying the profiles in the listener will not update the profiles in the Virtual Servers. To update the profiles in Virtual servers, modify the Virtual Servers individually.

Location:
Console, TMSH

Conditions:
Attempt to modify spm or subscriber management profile for a PEM listener.

Impact:
Modification of spm and subscriber management profile for the PEM listener is blocked.

Recommended Action:
User has to directly modify the virtual servers in the listener group, as suggested in the error message.


01071c1c : You cannot delete the nodejs version (%s).

Location:
/var/log/ltm

Conditions:
There is an attempt to delete the known nodejs versions maintained by MCPD. This action is not exposed via tmsh or the GUI; it is the result of a 'backdoor' attempt.

Impact:
None. The attempt tp change the node version is blocked.

Recommended Action:
None.


01071c1d : You cannot modify the nodejs version (%s).

Location:
/var/log/ltm

Conditions:
An attempt is made to modify the known nodejs versions maintained by MCPD. Since this action is not exposed via tmsh or the GUI, it is the result of a 'backdoor' attempt.

Impact:
None.

Recommended Action:
None.


01071c1e : Cannot perform Protocol inspection update: %s

Location:
/var/log/ltm

Conditions:
The Protocol Inspection module failed (load/install/delete) with the Update package.

Impact:
The Protocol Inspection update package action is not performed.

Recommended Action:
None.


01071c1f : Protocol Inspection compliance inspection %s requires valid value: %s

Location:
/var/log/ltm

Conditions:
attempt to set invalid compliance inspection value

The user runs the following tmsh command with an invalid compliance inspection value:
"modify security protocol-inspection profile <profile name> { services modify { <service name> { compliance modify { <compliance inspection name> { value <value> } }}}}"

Impact:
None.

Recommended Action:
Do not set an invalid compliance inspection value (for example, if the type of the compliance inspection value is integer and you to set some string value).


01071c20 : Too many Protocol Inspection profiles. Up to %d supported.

Location:
/var/log/ltm

Conditions:
The limit of the number of allowed Protocol Inspection profiles has been reached.

Impact:
No more Protocol Inspection profiles can be added.

Recommended Action:
Delete unused / obsolete / not needed Protocol Inspection Profiles.


01071c22 : Modifying predefined Protocol Inspection profiles are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify an "protocol_inspection" predefined profile. An example is the use of any tmsh command which starts with "modify protocol-inspection profile <predefined profile name> ... ".

Impact:
None.

Recommended Action:
Do not modify following "protocol_inspection" predefined profiles: "protocol_inspection", "protocol_inspection_dns",and "protocol_inspection_http"


01071c23 : Creating predefined Protocol Inspection profiles are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to create a "protocol_inspection" predefined profile from tmsh.

Impact:
Creating a "protocol_inspection" profile with the name of a predefined profile from tmsh is disallowed. Predefined profiles have names such as "protocol_inspection", "protocol_inspection_dns", and "protocol_inspection_http".

Recommended Action:
Do not create a profile that has the same name as a predefined profile.


01071c24 : Deleting predefined Protocol Inspection inspections are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to delete a "protocol_inspection" predefined inspection.

Impact:
None.

Recommended Action:
Do not delete "protocol_inspection" predefined inspections.


01071c25 : Modifying predefined Protocol Inspection inspections are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify "protocol_inspection" predefined inspections.

Impact:
None.

Recommended Action:
Do not modify predefined inspections. A user can modify user-defined signatures only.


01071c27 : Protocol Inspection internal error: %s.

Location:
/var/log/ltm

Conditions:
This is an internal error.

Impact:
The "protocol_inspection" module does not work properly.

Recommended Action:
None.


01071c28 : Invalid Protocol Inspection snort signature: %s.

Location:
/var/log/ltm

Conditions:
The user has run one of the following tmsh commands with an incorrect snort signature:
"create security protocol-inspection signature <sig name> { sig "<snort signature>" ... }"
"modify security protocol-inspection signature <sig name> { sig "<snort signature>" ... }"

Impact:
None.

Recommended Action:
Create correct signatures in valid snort format.


01071c2a : Creating/Modifying Protocol Inspection compliance enums are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to create or modify "protocol_inspection" compliance enums.

Impact:
Creating or modifying "protocol_inspection" compliance enums is disallowed.

Recommended Action:
Do not create or modify "protocol_inspection" compliance enums.


01071c2b : Deleting Protocol Inspection services are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to delete a "protocol_inspection" service.

Impact:
Deleting a "protocol_inspection" service is disallowed.

Recommended Action:
Do not delete a "protocol_inspection" service.


01071c2c : Creating/Modifying Protocol Inspection services are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to create or modify a "protocol_inspection" service.

Impact:
Creating or modifying a "protocol_inspection" service is disallowed.

Recommended Action:
Do not create or modify a "protocol_inspection" service.


01071c2d : The VLAN (%s) tag is %u. The port-fwd-mode value of %s (%s) must be set to (%s).

Location:
/var/log/ltm

Conditions:
This is caused by an invalid configuration; a VLAN with the tag 'any.' The VLAN member must have the port-fwd-mode set to 'l2wire.'

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN, trunk, and interface. You can add an interface with port-fwd-mode set to 'l2wire' to a VLAN with a tag 'any.' You can also add a trunk with interface members with a port-fwd-mode set to 'l2wire' to a VLAN with the tag 'any.'


01071c2e : The VLAN (%s) can have at most %u member because member (%s) port-fwd-mode value is (%s).

Location:
/var/log/ltm

Conditions:
A VLAN to which you assign an interface or trunk with the port-fwd-mode property set to 'l2wire' can have a maximum of one member.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration for the VLAN, trunk, and interface. Don't add more than one member to the VLAN if a VLAN member (interface) has the port-fwd-mode property set to 'l2wire'.


01071c2f : The requested VLANGROUP (%s) can have at most %u member(s) because VLAN members have virtual-wire members.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. A VLAN group containing VLANs with visual-wire members can have at most 2 VLANs.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN group, VLAN, trunk, and interface. Don't add more than 2 VLANs to a VLAN group if a VLAN has virtual wire members.


01071c30 : Vlan (%s) is not compatible with member vlan in VLANGROUP (%s).

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The VLANs in a VLAN group must contain interfaces for which the value of the forwarding mode property is the same.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN group, VLAN, trunk, and interface. Modify VLANs in the same VLAN group so that all interfaces have the same value for the forwarding mode property.


01071c31 : The VLANGROUP (%s) mode and the VLAN (%s) member (%s) port-fwd-mode are not compatible.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The mode of the VLAN group is not set to 'virtual wire', even though the VLAN member being added to the VLAN group consists of interfaces with the forwarding mode property set to 'virtual wire'.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN group, VLAN, trunk, and interface. Change the mode of the VLAN group to 'virtual wire' when adding a VLAN that contains an interface with the forwarding mode property set to 'virtual wire'.


01071c32 : The VLANs must have the same tag in VLANGROUP (%s) when they have l2wire member.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The VLAN group contains VLANs that include a trunk or an interface with the forwarding mode property set to 'virtual wire', but the tags for the VLANs do not match.

Impact:
None.

Recommended Action:
Modify or re-create the VLANs with the same tag before adding the VLANs to the same VLAN group.


01071c32 : The VLANs must have the same tag in VLANGROUP (%s) when they have virtual-wire member.

Location:
/var/log/ltm

Conditions:
The message is caused by an invalid configuration. When vlan-group consists of vlans, which consist of trunks or interfaces with port-fwd-mode set to 'virtual-wire', the vlans must have the same tag.

Impact:
None.

Recommended Action:
Modify or re-create the vlans with the same tag, before adding them to the same vlan-group.


01071c33 : The VLAN (%s) tag (%u) cannot be modified %s '4096'.

Location:
/var/log/ltm

Conditions:
You cannot change the VLAN tag of an existing VLAN from the special tag 4096 to a numeric tag, or from a numeric tag to the special tag 4096.

Impact:
None.

Recommended Action:
Delete the VLAN and re-create the VLAN with the new tag.


01071c34 : The requested member (%s) is already configured as a member of VLAN (%s) with tag (%d). A member can belong to only one VLAN for a given tag.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The system attempted to assign the same 'virtual wire' interface, either tagged or untagged, to more than one VLAN.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN group, VLAN, trunk, and interface. Do not attempt to add the same 'virtual wire' interface to more than one VLAN.


01071c34 : The requested member (%s) is already configured as a member of VLAN (%s) with tag (%u). A member can belong to only one VLAN for a given tag.

Location:
/var/log/ltm

Conditions:
This message is caused by an invalid configuration. A 'virtual-wire' interface can be a member of at most one VLAN. It cannot be a member of another VLAN, no matter it is tagged or untagged.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in vlan, trunk, and interface. Don't add a 'virtual-wire' interface to more than one VLAN.


01071c35 : The VLAN (%s) has %s interface while the VLAN (%s) has %s interface. Interfaces of VLANs that are in the same 'virtual-wire' VLANGROUP (%s) must have the same taggedness.

Location:
/var/log/ltm

Conditions:
The VLANs that are members of the VLAN group do not have the same VLAN tag.

Impact:
The VLAN configuration is invalid.

Recommended Action:
Inspect the relevant object configuration in the VLAN group, VLAN, trunk, and interface. Change the configuration to ensure matching tags for the VLANs in the VLAN group.


01071c36 : The SelfIP (%s) cannot associate with %s (%s) with (%s) interface.

Location:
/var/log/ltm

Conditions:
The system has an invalid configuration. The self IP address can only be associated with a VLAN or VLAN group that has either a Layer 3 interface or no interface. The self IP address cannot be associated with a VLAN or VLAN group that has an interface with its forwarding mode set to Passive or Virtual Wire.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN group, VLAN, and self IP address. Do not associate self IP address with a VLAN or VLAN group with a Passive or Virtual Wire interface.


01071c37 : %s: %s is not supported on this platform (%s).

Location:
/var/log/ltm

Conditions:
The configuration is invalid based on platform attributes. There are values in the field of this object that are not supported on certain platforms.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration that causes the error.


01071c38 : Rule Profiler object %s requires log publisher to be specified.

Location:
/var/log/ltm

Conditions:
The system is attempting to create an iRule profiler (tracer) without a log publisher and attempting to remove a log publisher from an iRule profiler (tracer).

Impact:
The iRule profiler (tracer) configuration cannot be created or modified.
Tracing iRules will not be possible.

Recommended Action:
Repeat the configuration operation, specifying a valid log publisher.


01071c38 : Modify of ephemeral %s (%s) is not permitted.

Location:
/var/log/ltm

Conditions:
User-initiated action (such as through 'tmsh') attempted to modify an ephemeral node, which is not allowed. Ephemeral nodes are created as a result of a DNS resolve operation, which creates an ephemeral node that maintains the configuration established through its parent FQDN template.

Impact:
No action occurred, and the configuration is unchanged. No further user action is necessary.

Recommended Action:
Instead of trying to modify a specific ephemeral node, the user may modify the FQDN template that is used to create ephemeral nodes, at which point the configuration changes will propagate to all existing and future ephemeral nodes that are created from that FQDN template.


01071c3a : Route MTU for (%s) below minimum %u.

Location:
/var/log/ltm

Conditions:
When creating a static route with an MTU below the minimum value of 68.

Impact:
An exception aborts the creation of static route.

Recommended Action:
Correct the MTU value to be above 68.


01071c52 : Routing object (%s) cannot have both items: %s.

Location:
TMSH

Conditions:
This will occur if there is an attempt to have a routing object reference two objects that cannot be referenced at the same time.

Impact:
The user will not be able to have the object being configured reference both of the objects which are not allowed to be referenced at the same time. The user must choose either one or neither of the objects to reference.

Recommended Action:
Reference either one or neither of the objects attempting to be referenced.


01071c55 : Invalid as-path (%s): %s.

Location:
TMSH

Conditions:
This will occur if there is an attempt to create an invalid AS-Path object.

Impact:
The user will not be able to create the AS-Path object as configured.

Recommended Action:
Create the AS-Path object with valid values.


01071c56 : Invalid as-path entry (%s) for as-path (%s): %s.

Location:
TMSH

Conditions:
This will occur if there is an attempt to create an invalid AS-Path entry object.

Impact:
The user will not be able to create the AS-Path entry object as configured.

Recommended Action:
Create the AS-Path entry object with valid values.


01071c58 : Virtual server %s is in ALG mode. Must not use static source translation, as used by attached profile %s.

Location:
gui, cli (tmsh), /var/log/ltm

Conditions:
You have attempted to configure a virtual server in MRF mode with Application Level Gateway enabled on the router profile and a security nat policy with static source translation.

Impact:
Configuration will not load until it is corrected.

Recommended Action:
None.


01071c5c : Cannot disable AJAX encryption for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, GUI

Conditions:
Improper FPS URL configuration.

Impact:
Configuration will not load.

Recommended Action:
Disable parameter AJAX mapping before disabling AJAX encryption.


01071c5c : AJAX encryption or both AJAX integrity and strong integrity must be enabled for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, CLI

Conditions:
A URL has a parameter with a none empty AJAX mapping. A URL is valid only if it has either:

 1) AJAX encryption is enabled (and RT encryption or parameter encrypt or a parameter substitute value is enabled), or

 2) AJAX integrity is enabled and 3) Strong integrity is enabled

Therefore, disabling 1 and 2 or 3 is not allowed.

Impact:
The configuration fails.

Recommended Action:
1. Remove parameters with none-empty AJAX mapping on this URL.
2. DO NOT disable AJAX encryption AND AJAX integrity or Strong Integrity.


01071c5d : Anti-Fraud parameter '%s' is invalid. AJAX mapping '%s' for parameter cannot start or end with a '.' in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
tmsh, GUI

Conditions:
Trying to set invalid JSON path.

Impact:
Configuration will fail.

Recommended Action:
Set a valid JSON path.


01071c5e : Anti-Fraud parameter '%s' is invalid. Enabling AJAX mapping for parameter requires that either 1. AJAX encryption and either value substitution or Real-Time Encryption or parameter encryption enabled 2. Full and Enhanced AJAX Data Manipulation Check enabled in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
/var/log/ltm, GUI

Conditions:
Improper FPS profile configuration.

Impact:
Configuration will not load.

Recommended Action:
Either enable AJAX encryption or parameter value substitution.


01071c60 : DynaD private key generation failed ('%s').

Location:
/var/log/ltm

Conditions:
Out-of-memory or internal OpenSSL failure.

Impact:
Encrypted DynaD instrumentation may fail to execute.

Recommended Action:
Consider restarting mcpd.


01071c61 : DynaD public key generation failed ('%s').

Location:
/var/log/ltm

Conditions:
Out-of-memory or OpenSSL error, invalid private key, and a bad public key (/var/lib/dynad/tmm.dynad.pub).

Impact:
Encrypted DynaD instrumentation may fail to execute

Recommended Action:
Multiple options (1) consider reloading the configuration, (2) deleting "sys dynad key" element from BIG-IP_base.conf, reload configuration, and (3) consider re-installing the software image.


01071c62 : DynaD failed to decrypt private key. Re-generating.

Location:
/var/log/ltm

Conditions:
This may occur if there is (1) a bad dynad key value (BIG-IP_base.conf:sys dynad key), or (2) a master-key mis-match.

Impact:
May be unable to execute encrypted DynaD instrumentation.

Recommended Action:
(1) Delete a key from BIG-IP_base.conf; reload configuration. (2) Restore the old master-key (https://support.f5.com/csp/article/K9420).


01071c63 : DynaD development mode requires an F5 development license.

Location:
/var/log/ltm

Conditions:
An attempt was made to enable dynad development-mode without a development license.

Impact:
dynad development-mode will remain disabled.

Recommended Action:
Obtain a development license.


01071c64 : DynaD signature verification failed ('%s').

Location:
/var/log/ltm

Conditions:
This message can occur due to:
a) Bad signature (invalid or does not match /var/lib/dynad/tmm.pub.key value)
b) Memory failure
c) System error (failure to read file)

Impact:
DynaD instrumentation signature could not be verified and will not be executed.

Recommended Action:
Contact support.


01071c65 : DynaD cannot activate unsigned instrumentation.

Location:
/var/log/ltm, console

Conditions:
DynaD instrumentation signature could not be verified (warning).

Impact:
DynaD instrumentation will not be activated. Full error details will be logged to /var/log/ltm.

Recommended Action:
Refer to recommended action for error found in /var/log/ltm. Consider contacting support.


01071c66 : The VLAN (%s) member (%s) must be tagged when the tag is '4096'.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. When a VLAN has the special tag 4096, the VLAN member can only be configured as a tagged interface.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN. Specify the VLAN interface as tagged when the VLAN tag is 4096.


01071c67 : The PEM rating group id needs to be greater than Zero. Rating group %s cannot use rating group id %d because it is invalid.

Location:
GUI, TMSH, /var/log/ltm

Conditions:
Occurs if the Rating group id field is set to Zero

Impact:
Configuration will be aborted, if rating group id field is set to zero while configuration.

Recommended Action:
Provide a valid rating group id (greater than 0).


01071c68 : Profile %s's SSL client certificate constrained delegation CA key is missing.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one server-ssl profile, with client certificate constrained delegation CA key not configured.

Impact:
The client certificate constrained delegation cannot be enabled on this server-ssl until the user configures client certificate constrained delegation CA key.

Recommended Action:
None.


01071c69 : Profile %s's SSL client certificate constrained delegation CA cert is missing.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one server-ssl profile, with client certificate constrained delegation CA certificate not configured.

Impact:
The client certificate constrained delegation cannot be enabled on this server-ssl until the user configures client certificate constrained delegation CA certificate.

Recommended Action:
None.


01071c6a : Profile %s's SSL client certificate constrained delegation peer-cert-mode is invalid.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one client-ssl profile, and peer certificate mode not "request" or "require".

Impact:
The client certificate constrained delegation cannot be enabled on this client-ssl profile until the user configures peer certificate mode to "request" or "require".

Recommended Action:
None.


01071c6b : Profile %s supports only RSA key and certificate for SSL client certificate constrained delegation.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one server-ssl profile, with client certificate constrained delegation CA key/certificate not RSA based.

Impact:
The client certificate constrained delegation cannot be enabled on this server-ssl until the user configures client certificate constrained delegation CA key/certificate with RSA type.

Recommended Action:
None.


01071c6c : Profile %s's SSL client certificate constrained delegation key is missing.

Location:
GUI, CLI, iControl

Conditions:
Client certificate constrained delegation is configured on one Server SSL profile and an RSA key and certificate are not configured.

Impact:
The client certificate constrained delegation cannot be enabled on this Server SSL profile.

Recommended Action:
Configure one RSA key and certificate.


01071c6d : Profile %s's SSL client certificate constrained delegation CA key and certificate do not match

Location:
/var/log/ltm

Conditions:
When configuring a server SSL profile for 'client certificate constrained delegation (C3D)', the configured CA key does not match the configured CA certificate.

Impact:
This is a new log message for C3D.

Recommended Action:
None.


01071c6e : PKCS11d (re)initialized. Re-connecting to network-HSM PKCS11d.

Location:
/var/log/ltm

Conditions:
The PKCS11d daemon is restarting.

Impact:
The message is benign and used to log the PKCS11d restart, so there is no impact.

Recommended Action:
None.


01071c72 : Policy '%s', rule '%s'; %s SSL server profile %s not found.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Condition occurs when a server SSL profile is specified but a matching profile is not found in the BIG-IP system. Check spelling. The command to find the list of known SSL server profiles is:
    tmsh list ltm profile server-ssl

Impact:
The create/change operation fails.

Recommended Action:
Try again specifying a known SSL server profile. A list of the known SSL server profiles can be found using the following tmsh command:
    tmsh list ltm profile server-ssl


01071c73 : F5 Service Connector %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 Service Connector validation error has occurred and is caused by any of these conditions:
- The name is already used.
- An SSL Server profile is missing or doesn't exist.
- A DNS resolver is missing or doesn't exist.
- An object cannot be deleted because it is referenced by an F5 MFA Configuration object.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use an existing SSL Server profile.
- Use an existing DNS resolver.
- Delete a corresponding F5 MFA Configuration object first.


01071c74 : F5 MFA Configuration %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 MFA Configuration validation error has occurred and is caused by any of these conditions:
- The name is already used.
- Am F5 Service Connector is missing or doesn't exist.
- An allowed device type isn't specified.
- The SMS template doesn't contain the session variable %{session.f5_mfa.device_registration.registration_url}
- The object cannot be deleted because it is referenced by an F5 MFA User Verification agent or by F5 MFA Device Registration.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use an existing F5 Service Connector name.
- Specify at least one allowed device type.
- Add the session variable %{session.f5_mfa.device_registration.registration_url} to the SMS template.
- Delete the corresponding agent or agents first.


01071c75 : F5 MFA User Verification Agent %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 MFA User Verification validation error has occurred and is caused by any of these conditions:
- The name is already used.
- A customization group is missing or has an incorrect type.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use the name of an existing customization group of type aaa-f5-mfa-user-verification.


01071c76 : F5 MFA Device Registration Agent %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 MFA Device Registration Agent validation error has occurred and is caused by any of these conditions:
- The name is already used.
- A customization group is missing or has an incorrect type.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use the name of an existing customization group of type aaa-f5-mfa-device-registration.


01071c77 : Issuer is required for JWT config (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
The issuer is not configured for JWT configObject.

Impact:
A save operation on an object or a configuration load operation fails.

Recommended Action:
Configure an issuer in JWT configObject.


01071c78 : Invalid %s (%s) in JWT config (%s). The value %s.

Location:
/var/log/apm, GUI, CLI

Conditions:
There is an invalid URI for issuer or JWKS URI attribute in JWT Config

Impact:
A save operation on an object or a configuration load operation fails.

Recommended Action:
Configure a valid URI.


01071c79 : Self-issued token is not allowed (%s) for JWT config (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
The issuer is configured to use a self-issued value ("https://self-issued.me") in a JWT configuration.

Impact:
A save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid issuer in the JWT Configuration.


01071c7a : In JWT config (%s), same signing algorithm is present in both allowed signing algorithms and blocked signing algorithms. This is not allowed.

Location:
/var/log/apm, GUI, CLI

Conditions:
The same signing algorithm is configured in both the allowed signing algorithms and the blocked signing algorithms in a JWT configuration.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Remove the same signing algorithm from the allowed signing algorithms or the blocked signing algorithms configuration in the JWT config.


01071c7b : OAuth Provider (%s) references OAuth JWT Config (%s) that does not exist.

Location:
This error will be logged in /var/log/apm. It will appear in TMSH/TMUI

Conditions:
JWT config in OAuth Provider is invalid/ does not exist.

Impact:
Object save/Configuration load will fail.

Recommended Action:
Use a valid JWT config in OAuth Provider.


01071c7c : When key-type is '%s', '%s' must be present for jwk-config (%s).

Location:
/var/log/apm, tmsh

Conditions:
Required fields are not present, or wrong key type specified.

Impact:
Configuration load will fail. Object save will fail.

Recommended Action:
Correct the invalid configuration.


01071c7d : The JWK config (%s) with key-type '%s' cannot contain an empty '%s'.

Location:
/var/log/apm,TMSH,GUI

Conditions:
Required fields are not present.

Impact:
Object save and Configuration Load will fail.

Recommended Action:
Fill in required fields.


01071c7e : The field (%s) is not relevant to key-type '%s' and thus cannot be present for jwk-config (%s).

Location:
/var/log/ltm, TMSH

Conditions:
Fields relevant to other key types are present.

Impact:
Configuration load and object save will fail.

Recommended Action:
Remove irrelevant fields.


01071c7f : Certificate key file must be referenced when passphrase is present for jwk-config (%s).

Location:
TMSH, GUI

Conditions:
While creating/modifying a JWK object, this error message will appear if a passphrase is specified but a certificate key is not.

Impact:
This JWK object creation/modification will not succeed.

Recommended Action:
Specify a certificate key reference.


01071c80 : JWT access token lifetime (%u) for %s (%s) must be in range of (%u-%u).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error occurs when the admin sets the JWT access token lifetime out of its valid range. Both the OAuth profile and the Client App configuration have a JWT access token lifetime setting.

Impact:
The out of range lifetime value will be rejected.

Recommended Action:
The admin should set the JWT access token lifetime within its valid range indicated by the error message.


01071c81 : JWT refresh token lifetime (%u) for %s (%s) must be in range of (%u-%u).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error happens when the admin sets the JWT refresh token lifetime out of its valid range. Both the OAuth profile and the Client App configuration have a JWT refresh token lifetime setting.

Impact:
The out of range value will be rejected.

Recommended Action:
The admin should set the JWT refresh token lifetime within its valid range indicated by the error message.


01071c82 : OpenID Connect Configuration Endpoint URL (%s) for %s (%s) must end with (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
Per RFC specification, some URLs used in OpenID Connect must end with certain pattern, such as, the well-known endpoint must end with "/.well-known/openid-configuration". This error occurs if this kind of requirement is not met.

Impact:
The URL entered by the admin will not be accepted.

Recommended Action:
The admin should correct the URL per requirement.


01071c83 : (%s) (%s) load failed due to %s

Location:
/var/log/ltm, CLI

Conditions:
1) Mismatch between x5tsha1 in certificate and the value specified in object.
2) Mismatch between x5tsha256 in certificate and the value specified in object.
3) Mismatch between modulus in certificate and the value specified in object.
4) Mismatch between public exponent in certificate and the value specified in object.
5) Mismatch between x coordinate in certificate and the value specified in object.
6) Mismatch between y coordinate in certificate and the value specified in object.
7) Mismatch between curve in certificate and the value specified in object.
8) RSA load failed for specified certificate.
9) Elliptic curve load failed for specified certificate.
10) Elliptic Curve Point load failed for specified certificate.
11) Elliptic Curve group failed for specified certificate.
12) Elliptic Curve Group NID not supported.
13) Extraction of EC key coordinates failed.
14) Failed to allocate BIO for specified certificate.
15) Failed to write BIO for specified certificate.
16) Failed to get BIO memory pointer for specified certificate.
17) Certificate begin marker not found in certificate.
18) Certificate end marker not found in certificate.
19) Certificate file path does not exist.
20) OpenSSL API failed for certificate.
21) Certificate public key load failed.
22) Certificate key file path does not exist.

Impact:
The JWK configuration is not saved.

Recommended Action:
Change the incorrect values based on the error message and save the object.


01071c85 : (%s) key-type (%u) does not match certificate (%s) type (%u).

Location:
/var/log/ltm

Conditions:
While creating or modifying OAuth JWK Config, the prerequisite condition is the specification of certificate object and mismatched key-type value. Condition 1: The specified key-type is rsa , and providing a certificate of non-rsa type. OR Condition 2: The specified key-type is elliptic-curve, and providing a certificate of non-elliptic-curve type.

Impact:
The creation or modification of the OAuth JWK Config object would fail.

Recommended Action:
Provide the certificate of type matching the specified key-type value. If the provided certificate is of type rsa, specify key-type as rsa. Or if the provided certificate is of type elliptic-curve, specify key-type as elliptic-curve.


01071c86 : The %s must be provided in base64url encoded format for jwk-config (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
If this occurs, some field in the JWK configuration, such as the shared-secret, the modulus, or the public-exponent, etc., is not properly encoded in BASE64URL format.

Impact:
It might indicate that the configuration is corrupted or manually entered incorrectly.

Recommended Action:
Enter the indicated field correctly. In case of data corruption, delete the JWK configuration, and recreate it from scratch, if necessary.


01071c87 : The claim name (%s) of claim (%s) cannot contain spaces.

Location:
/var/log/apm, TMSH, GUI

Conditions:
While creating or modifying an OAuth Claim object. This occurs when the claim name contains spaces.

Impact:
Object cannot be saved.

Recommended Action:
Choose a claim name without spaces while creating or modifying OAuth claim.


01071c88 : The word (%s) is a reserved word and cannot be used as claim name for the claim (%s).

Location:
/var/log/apm, TMSH

Conditions:
The word that is used as a claim name for OAuth Claim is a reserved word and must not be used.

Impact:
Object creation or modification will fail.

Recommended Action:
Use a different word as a claim name for OAuth Claim.


01071c89 : The %s claim name (%s) is already in use by agent %s for this entry.

Location:
/var/log/apm, TMSH

Conditions:
When the same claim is configured again for a particular entry in the OAuth Authorization agent.

Impact:
Object save will fail.

Recommended Action:
A claim can be configured only once for a particular entry in the OAuth Authorization agent.


01071c8a : The %s claim (%s) that is associated with the %s (%s) does not exist. If this error appears during import access profile, then the claim-name in the claim already exists on this BIG-IP as part of another claim object. You may want to edit the existing claim and retry importing access profile.

Location:
/var/log/apm, TMSH

Conditions:
The JWT access token claim that is specified either in the OAuth Client App or in the OAuth Profile is not created under OAuth Claim.

Impact:
Object save will fail.

Recommended Action:
Create the claim under OAuth claim before referencing in the OAuth Client App or OAuth Profile.


01071c8b : The %s claim name cannot be empty for OAuth Authorization agent %s.

Location:
/var/log/apm, TMSH, GUI

Conditions:
This error will occur when the oauth authorization agent contains a claim entry with empty claim name during creating or modification.

Impact:
The object will not be saved.

Recommended Action:
Create the oauth authz agent correctly by specifying claim name for the claim entry.


01071c8c : %s claim name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth claim. If this error appears during import access profile, then the claim-name in the claim already exists on this BIG-IP as part of another claim object. You may want to edit the existing claim and retry importing access profile.

Location:
/var/log/apm, TMSH

Conditions:
If the claim referenced in the OAuth Authorization agent is not created under OAuth Claim, this error will be seen.

Impact:
Object save will fail.

Recommended Action:
Create the claim under OAuth Claim first, and then it can be referenced in the OAuth Authorization agent.


01071c8d : %s cannot be empty because %s for %s (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error happens when some field is required by the OAuth profile configuration and it is empty. For example, the Issuer field is required when JWT support is enabled, or the DB Instance field is required when opaque token support is enabled.

Impact:
Admin not able the enable JWT support or opaque token support if those required fields are missing.

Recommended Action:
Fill in those required fields as indicated in the error message.


01071c8e : %s in %s (%s) is not an allowed URL: %s

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error happens when the admin enters a mal-formatted URL for a field that requires a URL, such as the Issuer in an OAuth profile.

Impact:
None.

Recommended Action:
The admin should fix his URL to be a properly formatted URL.


01071c8f : The %s (%s) associated to %s (%s) is not a valid %s.

Location:
/var/log/ltm

Conditions:
Either the OAuth profile name or the JWK config name under Additional JWK for JWKS URI setting is invalid.

Impact:
Change the key use setting in the JWK configuration in the OAuth profile to signing.

Recommended Action:
Make sure that the JWK configuration under Additional JWK for JWKS URI setting in the OAuth profile exists in the JWK configuration list.


01071c90 : JWT config %s to be associated with JWK config (allowed keys) %s does not exist.

Location:
/var/log/apm, GUI, CLI

Conditions:
Allowed keys are configured for an invalid JWT config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Configure allowed keys for a valid JWT config and save the object.


01071c91 : In JWT config %s, allowed keys '%s' do not exist. Use a valid JWK config for allowed keys.

Location:
/var/log/apm, GUI, CLI

Conditions:
An invalid JWK configuration is used for allowed keys in a JWT config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid JWK configuration for allowed keys and save the object.


01071c92 : In JWT config (%s), the same JWK config (%s) is present in both allowed keys and blocked keys. This is not allowed.

Location:
/var/log/apm, GUI, CLI

Conditions:
The same JWK configuration is present in both allowed keys and blocked keys in JWT Config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Remove the duplicate JWK configuration from allowed keys or blocked keys in JWT Config and save the object.


01071c93 : JWT config %s to be associated with JWK config (blocked keys) %s does not exist.

Location:
/var/log/ltm, CLI

Conditions:
Blocked keys are associated with an invalid JWT Config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Configure blocked keys for a valid JWT Config and save the object.


01071c94 : In JWT config (%s), blocked keys '%s' do not exist. Use a valid JWK config for blocked keys

Location:
/var/log/apm, GUI, CLI

Conditions:
An invalid JWK config is used for blocked keys in JWT Config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid JWK Config to configure blocked keys in JWT Config and save the object.


01071c95 : JWT Provider List %s to be associated with OAuth Provider %s does not exist.

Location:
/var/log/apm, GUI, CLI

Conditions:
There is an OAuth provider configuration for an invalid JWT provider List.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Try to configure OAuth Provider in a valid JWT Provider List only and then save the configuration.


01071c96 : In JWT Provider List %s, OAuth Provider %s does not exist. Use a valid OAuth Provider for providers attribute.

Location:
/var/log/apm, GUI, CLI

Conditions:
An invalid OAuth Provider is configured for the providers attribute in JWT Provider List.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid OAuth Provider for the providers attribute in JWT Provider List and save the object.


01071c97 : Error generating JWT encryption key using secret.

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
This error occurs when an openssl function (not F5 software), PKCS5_PBKDF2_HMAC_SHA1, failed.

Impact:
The admin should never see this error. If it really happens, it is possible that the OS environment/file system might be corrupted.

Recommended Action:
Suggest the admin to try again. If the same error occurs, restart the BIG-IP system. If the same error still occurs, reinstall the software image.


01071c98 : The JWK config (%s) associated to %s (%s) can contain public key types only (such as, rsa, elliptic-curve).

Location:
/var/log/ltm

Conditions:
Under OAuth profile settings, rotation-key(tmui) or additional-jwk-for-jwks-uri(tmsh) includes a JWK config pointing to non public-key type and/or algorithm. Using JWK config with 'octet' key-type will lead to this configuration error.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
For rotation-key(tmui) or additional-jwk-for-jwks-uri(tmsh) use JWK config containing public key-type or algorithm. This includes RSA, Elliptic-Curve key types/algorithms.


01071c99 : The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s).

Location:
/var/log/ltm

Conditions:
OAuth profile allows configuring the JWK config, and additional JWK for JWKS URI config for JWKS URI. If the entries configured in these entries contains a JWK setting with the same key-id and algorithm type, this error will be shown.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* Disassociate all JWK settings containing a duplicate key-id mentioned in the error that is attached to one of JWK or additional JWK setting on OAuth profile.
* Modify the key-id of the JWK config mentioned in the error message leading to this error.


01071c9a : The JWK config (%s) containing algorithm (%s) does not match key type (%s).

Location:
/var/log/ltm

Conditions:
The signing algorithm in a given JWK config doesn't match the selected key-type.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* For key-type rsa, valid algorithm types can be RS256, RS384 or RS512
* For key-type octet, valid algorithm types can be HS256, HS384 or HS512
* For key-type elliptic-curve, valid algorithm types can be ES256, ES384


01071c9b : The JWK config (%s) associated to %s (%s) contains an invalid signing algorithm.

Location:
/var/log/ltm

Conditions:
The JWK config assigned to the OAuth profile includes invalid signing algorithm (none).

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
A JWK config containing a 'none' signing algorithm is not allowed to be assigned to OAuth profile. Change JWK config signing algorithm to RS, HS, or ES type signing algorithms to get past this error.


01071c9c : The JWK config (%s) associated to %s (%s) can only be used for signing.

Location:
/var/log/ltm

Conditions:
The JWK config in the OAuth profile contains key use setting set to encryption. At this time, only signing is supported for key usage.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Change key use setting in the JWK config in the OAuth profile to signing.


01071c9d : The JWK config (%s) associated to %s (%s) requires certificate key configuration.

Location:
/var/log/ltm

Conditions:
A JWK config can be created without specifying a certificate-key value. However, a JWK config without certificate-key cannot be used by a OAuth profile for token signing. A JWK config used by OAuth AS must contain certificate-key value.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Fix the JWK config to contain a certificate-key value, and then associate the created JWK config to the OAuth profile for JWT signing.


01071c9e : The encryption secret is needed to generate an encryption key for OAuth profile (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
When the admin enables the JWT support for the first time in an OAuth profile, and does not provide an encryption secret, this error occurs.

Impact:
The JWT support will not be enabled. If it is the creation of an OAuth profile, the profile will not be created.

Recommended Action:
The admin should give an non-empty encryption secret.


01071c9f : Allowed signing algorithms list cannot be empty in JWT config (%s) for Issuer (%s).

Location:
/var/log/apm, TMSH, GUI

Conditions:
Allowed signing algorithms list has been left empty.

Impact:
Object save and Configuration load will fail.

Recommended Action:
Move one algorithm at least to allowed signing algorithms.


01071ca0 : When the %s flag is enabled, OAuth Provider (%s) must have %s JWT config attached for the JWT provider list (%s)

Location:
/var/log/ltm, GUI, CLI

Conditions:
The JWT config is not attached to a provider (manual or auto depending on flag) before being added to the JWT provider list.

Impact:
The command to add the provider to the JWT Provider List fails.

Recommended Action:
Attach the JWT config to a provider (either manually or by auto-discovery) before adding it to the JWT provider list.


01071ca1 : The JWK config (%s) associated to %s (%s) was auto-generated and is meant for Client/Resource Server purposes only.

Location:
/var/log/apm, TMSH

Conditions:
If an auto-discovered key is being referenced by an OAuth profile, this error will be seen.

Impact:
Object save will fail.

Recommended Action:
This key can be used only by Client/RS configuration.


01071ca2 : When jwt-token is enabled, a JWK config must be assigned as the JWT Primary Key for OAuth Profile (%s).

Location:
/var/log/apm, TMSH, GUI

Conditions:
If the attribute primary-key is not filled while creating/modifying an OAuth Profile, and JWT token flag is enabled.

Impact:
Will not let you save without this value.

Recommended Action:
Assign a JWK to primary key.


01071ca3 : Error loading cert-chain (%s) associated to JWK config (%s)%s

Location:
/var/log/ltm

Conditions:
A certificate chain setting in the JWK config contains an invalid entry or the certificate chain contents are invalid.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Make sure that the certificate chain associated in the JWK-config exists in the BIG-IP certificate store. Check Traffic Certificate management under 'System -> Certificate Management' in the GUI to make sure. If the certificate chain does exist, make sure that the certificate-chain contents are valid.


01071ca4 : Invalid certificate order within cert-chain (%s) associated to JWK config (%s).

Location:
/var/log/ltm

Conditions:
In a given JWK config, if a cert-chain input is specified, the chain should contain the certificate of the issuer of the cert provided in the cert input. If cert-chain is a bundle, that is, it contains multiple certificates, then every subsequent certificate should be the issuer of the previous certificate.
If the certificate bundle contains multiple certificates, but the issuer is not in order, it will lead to this error.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Fix the order of certificate(s) in the cert-chain input file so that the 'cert' input certificate issuer is present in the cert-chain file, and each next certificate contains the issuer of the previously issued certificate.

Here is an example of a valid cert/cert-chain config:

cert input contains:
  CN = as-cert.com
  issuer = intermediate-level3-cert.com

cert-chain input contains:
  1st CN = intermediate-level3-cert.com
  1st issuer = intermediate-level2-cert.com
  ---------------------------
  2nd CN = intermediate-level2-cert.com
  2nd issuer = intermediate-level1-cert.com
  ---------------------------
  1st CN = intermediate-level1-cert.com
  3rd issuer = root-cert.com
  ---------------------------


01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).

Location:
/var/log/ltm

Conditions:
This is a common error for OAuth profile or OAuth provider page.

The JWK config, associated with a OAuth profile or provider, contains a certificate, certificate-chain, and trusted-ca bundle assigned to the OAuth profile or provider that failed a trust verification check. A trust verification check means that the certificate issuer is included within certificate-chain and that the issuer for certificate-chain is included in the trusted-ca bundle.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* If a JWK config contains only a certificate, make sure to include the certificate issuer in the trusted-ca bundle.
* If a JWK config includes a certificate-chain, make sure that the certificate issuer is included in the certificate-chain. If there are multiple certificates in the certificate-chain, the issuer for all of the certificates must exist within the certificate-chain, except the last certificate. A certificate issuer for the last certificate-chain must be part of trusted-ca bundle.


01071ca6 : Only '%s' token validation mode is allowed for OAuth %s agent '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to configure token-validation-mode for Oauth Client Agent as something other than 'External' in tmsh. The error indicates that this configuration is not valid.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Allowed token-validation-mode ('External') must be configured for Oauth client agent.


01071ca7 : JSON web token '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web token.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a Provider to a Provider list when the Provider has JWT config associatedm and the Provider list already has the same JWT config associated through some other Provider in the list. All the JWT configs associated with a Provider list must be unique.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a Provider to a Provider list, check that the operation will not result in a Provider list with more than one instance of the same JWT config.


01071ca8 : JSON web key '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web key.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a Provider to a Provider list when the Provider has JWK config(s) associated and the Provider list already has the same JWK config(s) associated through some other Provider in the list. All the JWK configs associated with a Provider list must be unique.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a Provider to a Provider list, check that the operation will not result in a Provider list with more than one instance of the same JWK config.


01071ca9 : OAuth parent profile's jwt-refresh-token-enc-secret attribute cannot be modified.

Location:
/var/log/apm, TMSH

Conditions:
If OAuth profile's jwt-refresh-token-enc-secret is modified from TMSH.

Impact:
A validation exception is seen.

Recommended Action:
Do not specify jwt-refresh-token-enc-secret for parent profile.


01071caa : The encryption key for OAuth profile (%s) cannot be specified directly. Use encryption secret to generate a new encryption key and make sure that jwt-token is enabled.

Location:
/var/log/apm, TMSH

Conditions:
If jwt-refresh-token-enc-key is specified directly.

Impact:
Object save will fail.

Recommended Action:
Do not specify jwt-refresh-token-enc-key. Instead use jwt-refresh-token-enc-secret to generate key.


01071cab : The JWK config (%s) associated to %s (%s) requires key ID configuration.

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The JWK does not have an ID configured. This JWK can be used in a client but not in an AS. Associating the JWK with an OAuth profile is intended to use it in an AS.

Impact:
The admin cannot associate this JWK to the OAuth profile without changing the JWK configuration.

Recommended Action:
The admin can give the JWK an ID, or use another JWK that already has an ID.


01071cac : When more than one JWK config of key-type '%s' is present in a JWT config, all the keys of that key-type must have key-id or cert-thumbprint-sha1 or cert-thumbprint-sha256 present.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
An admin attempts to add a JWK config to a JWT config, resulting in the JWT config having more than one JWK config of the same key-type, and not all the JWK configs of that key-type have key-id, cert-thumbprint-sha1, or cert-thumbprint-sha256 present.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When more than one JWK config of the same key-type is associated with a JWT config, all these JWK configs must have key-id, cert-thumbprint-sha1, or cert-thumbprint-sha256 present.


01071cad : All the JWK configs in a JWT config must have unique key-id for each key-type. The key-id '%s' for key-type '%s' is already present in JWT config '%s'.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a JWK config to a JWT config, and the JWK config has pair (key-id, key-type) that is already present in the JWT config through some other JWK config. The pair (key-id, key-type) must be unique within a JWT config.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a JWK config to a JWT config, check that the operation will not result in a JWT config with more than one instance of the same pair (key-id, key-type).


01071cae : %s (%s) for OAuth profile (%s) should be unique across other OAuth Authorization Server endpoints.

Location:
TMSH

Conditions:
When the oauth endpoints are configured to be the same, this warning will be seen.

Impact:
The object is saved, however the OAuth AS functionality will be affected.

Recommended Action:
Configure different values for Authorization server endpoints.


01071caf : The issuer cannot be modified for autodiscovered JWT config '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify issuer attribute of an auto-discovered JWT config in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
None.


01071cb0 : Cannot enable Real-Time Encryption when a custom encryption function is specified in the Anti-Fraud URL '%s'.

Location:
/var/log/ltm, GUI

Conditions:
Improper FPS profile configuration.

Impact:
Configuration will not load.

Recommended Action:
Either disable a custom encryption function or enable Real-Time Encryption.


01071cb0 : For autodiscovered JWT config '%s', you can move algorithms between the allowed and blocked lists only.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to modify the allowed-algorithms or blocked-algorithms of an auto-discovered JWT config, by either adding a new algorithm that was not previously present in either of the two lists, or by removing an algorithm from either of the two lists without adding that algorithm to the other list.
For auto-discovered JWT config, the algorithms can be moved between allowed and blocked lists only.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
For auto-discovered JWT config, the algorithms can be moved between allowed and blocked lists only.


01071cb1 : JWK config '%s' is autodiscovered, JWT config '%s' is not. An autodiscovered JWK config can be added to an autodiscovered JWT config only.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to add an auto-discovered JWK config to a manual JWT config. An auto-discovered JWK config can be associated with an auto-discovered JWT config only.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
This operation is not allowed. Auto-discovered JWK config cannot be added to manual JWT config.


01071cb2 : For autodiscovered JWT config '%s', you can move autodiscovered keys between the allowed and blocked lists only.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to modify the allowed-keys or blocked-keys of an auto-discovered JWT config, by either adding a new key that was not previously present in either of the two lists, or by removing a key from either of the two lists without adding that key to the other list.
For auto-discovered JWT config, the keys can be moved between allowed and blocked lists only.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
For auto-discovered JWT config, the keys can be moved between allowed and blocked lists only.


01071cb3 : Autodiscovered JWK config '%s' cannot be modified.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify an attribute of an auto-discovered JWK config in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
None.


01071cb4 : Autodiscovered JWT config cannot be modified for OAuth Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify auto-jwt-config-name of a Provider in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
None.


01071cb5 : Autodiscovered JWT config '%s' is associated with OAuth Provider '%s'. It cannot be added to Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to add an auto-discovered JWT config to a Provider, and the JWT config is already associated with another Provider. An auto-discovered JWT config is bound to one Provider and cannot be added to another Provider.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Auto-discovered JWT config needs to be discovered on TMUI to be associated with a Provider.


01071cb6 : Support for at least Opaque or JWT token should be enabled for OAuth profile (%s).

Location:
/var/log/ltm, tmsh, GUI

Conditions:
This occurs when support for both an opaque and jwt token is disabled.

Impact:
Object save will fail.

Recommended Action:
Enable support for at least an opaque token or jwt token.


01071cb7 : The auto-generated attribute for %s '%s' cannot be modified.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify the 'auto-generated' attribute of a JWT config or a JWK config in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
None.


01071cb8 : The auto-generated attribute for %s '%s' cannot be specified.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin specifies an 'auto-generated' attribute while creating a new JWT config, or a JWK config in tmsh. This is not allowed as the value for this field is populated automatically.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Auto-generated attribute should not be specified while creating a new JWT config or JWK config.


01071cb9 : Claim value cannot be empty for OAuth claim (%s).

Location:
/var/log/apm, TMSH

Conditions:
When the claim value is empty in the OAuth Claim.

Impact:
Object save will fail.

Recommended Action:
Configure claim value in OAuth Claim.


01071cba : %s claim value associated with OAuth claim (%s) cannot be empty for OAuth Authorization agent %s, entry %d.

Location:
/var/log/apm, TMSH

Conditions:
In the OAuth Authorization agent, the claim value of the OAuth Claim is empty.

Impact:
Object save will fail.

Recommended Action:
Configure claim value in the Claim that is configured in the OAuth Authorization agent.


01071cbb : The JWK config (%s) containing algorithm (%s) does not match curve (%s) for elliptic-curve.

Location:
/var/log/apm, TMSH

Conditions:
When the algorithm specified in the JWK config does not match with the curve. When algorithm is ES256, curve value must be P-256. When algorithm is ES384, curve value must be P-384. Any other combination is invalid.

Impact:
Object save will fail.

Recommended Action:
In the JWK config, when algorithm is ES256, configure curve value P-256. When algorithm is ES384, curve value of P-384 must be configured. Any other combination is invalid.


01071cbc : The last-discovery-time cannot be specified while creating Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin specifies a 'last-discovery-time' attribute while creating a new OAuth Provider in tmsh. This is not allowed as the value for this field is populated automatically.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The 'last-discovery-time' attribute should not be specified while creating a new OAuth Provider in tmsh as this will be populated automatically.


01071cbd : The last-discovery-time cannot be modified for Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify a 'last-discovery-time' attribute of an OAuth Provider in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The 'last-discovery-time' is updated on discovering auto JWT config/JWK config on TMUI. It is not allowed to modify this field in tmsh.


01071cbe : When use auto JWT config is enabled, OAuth Provider (%s) must have trusted CA present.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
An admin attempts to create an OAuth Provider with the default value 'true' for attribute use-auto-jwt-config, and does not specify trusted-ca-bundle.
Or, an admin attempts to set the value for trusted-ca-bundle to 'none' for an OAuth Provider that has the value 'true' for use-auto-jwt-config.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
For an Oauth Provider with use-auto-jwt-config=true, trusted-ca-bundle is a mandatory field.


01071cbf : The JWK Config (%s) cert field cannot be empty if cert-key (%s) is specified.

Location:
CLI

Conditions:
The certificate key reference field is filled in but not the certificate field itself.

Impact:
The object cannot be saved.

Recommended Action:
Either attach a certificate along with the key, or use the modulus/exponent/x/y/curve fields.


01071cc0 : %s (%s): Traffic Scrubbing Advertisement Duration must be more than zero.

Location:
/var/log/ltm

Conditions:
A DoS Profile is configured with Application enabled and Traffic Scrubbing Advertisement Duration is set to 0.

Impact:
DoS profile changes are not saved.

Recommended Action:
Set the value to a value more than zero.


01071cc1 : %s (%s): RTBH Advertisement Duration must be more than zero.

Location:
/var/log/ltm

Conditions:
A DoS Profile is configured with Application enabled and RTBH Advertisement Duration is set to 0.

Impact:
DoS profile changes are not saved.

Recommended Action:
Set the value to a value more than zero.


01071cc2 : Anti-Fraud parameter '%s' is invalid. Cannot enable both %s and %s for same parameter in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
/var/log/ltm

Conditions:
Both "substitute value" and "check integrity" are enabled in an anti-fraud parameter.

Impact:
The configuration will not load.

Recommended Action:
Disable either of the 'substitute value' or 'check integrity' check boxes for the given parameter.


01071cca : Dos Signature (%s): %s is not user settable field.

Location:
/var/log/ltm, TMSH, GUI

Conditions:
This message will happen when user is trying to change unchangeable field of Dos Signature Configuration.

Impact:
The configuration is not changed.

Recommended Action:
None.


01071ccb : %s (%s): Attacked dst can not be enabled if per-destination detection/limit pps is less than 0.1%% of the corresponding vector setting.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit pps is less than 1 percent of the corresponding value of the DoS vector. The DoS vector is specified by the configuration value of the rate threshold/rate limit in the DoS vector.

Impact:
The security DoS DNS/SIP/NETWORK/Device attack vector attacked dst cannot be enabled.

Recommended Action:
Change the configuration settings of attack vector for either the per-source detection/limit pps or the rate threshold/rate limit.


01071ccc : %s (%s): Attacked dst per-destination detection/limit pps cannot be greater than the corresponding vector setting.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit packets per second is greater than the corresponding DoS vector specified in the value of the rate threshold/rate limit.

Impact:
Security DoS DNS/SIP/NETWORK/Device attack vector attacked dst actor cannot be enabled.

Recommended Action:
Change the configuration settings of the attack vector for either per-source detection/limit pps or rate threshold/rate limit.


01071cd4 : %s: %s can't be deleted because %s.

Location:
/var/log/ltm, GUI, console

Conditions:
When a configuration object is not allowed to be deleted, the error message is triggered.

Impact:
No update to the related configuration.

Recommended Action:
None.


01071cd5 : %s: %s can't be modified because %s.

Location:
/var/log/ltm, GUI, console

Conditions:
When modification to a configuration object is not allowed, the error message is triggered.

Impact:
No update to the related configuration.

Recommended Action:
None.


01071cd6 : Dos Signature (%s): %s is not allowed to be reset by user once it is specified.

Location:
/var/log/ltm, console, GUI

Conditions:
This message will happen when user is trying to reset unresettable field of Dos Signature Configuration.

Impact:
The configuration is not changed.

Recommended Action:
None.


01071cd9 : Field-list contains an invalid/duplicate value.

Location:
CLI

Conditions:
An attempt has been made to add an invalid field to the field-list when creating a security log profile.

Impact:
The CLI displays an error message when creating the security log profile:

root@(cfg-sync Standalone)(autodosd DOWN)(/Common)(tmos)# create security log profile test nat {format { end-inbound-session { type field-list field-list {context_name src_ip dest_ip test } user-defined [TEST] }}}
01071bf2:3: Field-list contains an invalid/duplicate value.The message indicates an invalid field configuration. After removing the invalid field, log profile can be created/modified.

Recommended Action:
Remove the invalid field.


01071cdc : Security static PAT %s translation object '%s' address (%s) is overlapping with another address (%s) located in '%s' PAT %s translation object.

Location:
GUI, CLI

Conditions:
A security static PAT translation object contains an overlapping address with another static PAT translation object address.

Impact:
An error message is displayed and the configuration is not applied.

Recommended Action:
Remove the overlapping address/address range from the configuration.


01071cdd : Traffic-group (%s) is referenced by security NAT Policy (%s) and cannot be deleted.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a traffic group that is being referenced by a security NAT policy object.

Impact:
The operation to delete the traffic group failed.

Recommended Action:
The referenced security NAT policy object must be deleted first. Then the traffic group can be deleted.


01071cde : Traffic-group (%s) is referenced by security source translation (%s) and cannot be deleted.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a traffic group that is being referenced by a security source translation object.

Impact:
The operation to delete the traffic group will fail.

Recommended Action:
The referenced security source translation object must be deleted first. Then the traffic group can be deleted.


01071cdf : %s (%s): Dos vector (%s) does not support Attacked destination DOS attack detection.

Location:
var/log/ltm

Conditions:
Certain dos vectors do not support attacked destination detection because they are error or drop vectors for which the system does not process traffic and drop packets. Do not configure for an attacked destination.

Impact:
Not an error or defect; this is an informational type message for the user.

Recommended Action:
None.


01071ce3 : %s (%s) cannot be set to (%s) when %s (%s) is set to (%s)

Location:
/var/log/ltm, GUI, console.

Conditions:
This is a generic error message describing a validation constraint across two different objects' value(s).

The objects can be:
1) of the same type
2) different types
3) the same instance

The constraint can be:
1) over the same property
2) over different properties

The specialization of this template should tell you which object classes and specific properties it is referring to.

Impact:
Validation error.

Recommended Action:
None.


01071ce4 : %s (%s): %s feature is not supported for %s attack type.

Location:
/var/log/ltm, console, GUI

Conditions:
This will happen when configuring Dos Attack for a feature that is not supported with the specified attack type.

Impact:
The configuration in the system will not be changed.

Recommended Action:
None.


01071ce5 : %s (%s): %s cannot be enabled if %s is not enabled for %s attack type.

Location:
/var/log/ltm, console, GUI

Conditions:
This will happen when enabling a Dos Attack feature that depends on a condition that is not satisfied.

Impact:
The configuration in the system is not changed.

Recommended Action:
None.


01071ce6 : The value (%s) is invalid. Valid TTL is %s.

Location:
GUI, console

Conditions:
The error message displays if a user attempts to configure the scrubber advertisement tel and the values are not in a valid range.

Impact:
Configuration of the scrubber TTL fails unless you change one of the allowed values for the TTL.

Recommended Action:
None.


01071ce7 : Cannot configure Advertisement TTL while scrubbing is in progress.

Location:
GUI, console

Conditions:
The user is attempting to modify the scrubber advertisement TTL, while the scrubber action is already in progress for one of the monitored objects.

Impact:
Modification of the scrubber advertisement TTL will fail, unless the user configures this value once the scrubbing action is done for all the monitored objects.

Recommended Action:
None.


01071ce8 : The VLAN %s has the same tag %u as VLAN %s. So the port-fwd-mode of the interface associated with the VLAN must be set to l2wire.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. If an interface is added to a 'virtual wire' VLAN, the forwarding mode of the interface cannot be changed to the value other than 'virtual wire'.

Impact:
None.

Recommended Action:
Remove the interface from the VLAN before changing the forwarding mode property of the interface.


01071ce8 : The VLAN (%s) has the same tag %u as VLAN (%s). So the port-fwd-mode of the interface associated with the VLAN must be set to virtual-wire.

Location:
/var/log/ltm

Conditions:
This message is caused by an invalid configuration. If an interface is added to a 'virtual-wire' vlan, the port-fwd-mode cannot be changed to the value other than 'virtual-wire'.

Impact:
None.

Recommended Action:
Remove the interface from VLAN before changing the port-fwd-mode property.


01071ce9 : The Scrubber Route Domain (%s) has a destination IP (%s) that overlaps with (%s).

Location:
/var/log/ltm, console, GUI

Conditions:
When attempting to configure a scrubber-rd-network in scrubber-rt-domain, its destination IP must not overlap with other scrubber-rd-networks within the same scrubber-rt-domain.

Impact:
Validation failure.

Recommended Action:
Choose a different value.


01071ceb : Operation failed for CA bundle manager %s due to other pending operation.

Location:
/var/log/ltm

Conditions:
When a ca-bundle manager is updated more than once over a very short period of time, the keymgmtd will see two concurrent updates to the ca-bundle manager.

Impact:
The second update operation will be rejected.

Recommended Action:
Successive update to the same ca-bundle manager needs to be separated by a short time period. In most update operations, this error log will not be encountered.


01071ced : MQTT monitor '%s' must have a username when password is configured.

Location:
/var/log/ltm, console, GUI

Conditions:
The message appears for a missing username in MQTT monitor when a password is configured.

01071c73:3: MQTT monitor '/Common/mon-mqtt-1.2' must have a username when password is configured.

MQTT monitor is created and it has a 'password' field filled in while 'username' field remains empty (having value "none" in tmsh).

Impact:
Submitting configuration of MQTT monitor is not accepted.

Recommended Action:
Have a non-empty value for 'username' field in the MQTT monitor when username and password credentials are required.


01071cef : Policy (%s) of type %s cannot have subroutine-properties attached, policy type must be %s.

Location:
/var/log/ltm

Conditions:
This message is generated when an attempt is made to attach a subroutine to an access policy that is not of type "subroutine".

Impact:
The system cannot perform the requested operation of attaching the subroutine to a policy.

Recommended Action:
Create a policy of type "subroutine".


01071cf0 : DNS resolver must be configured for SAML metadata automation object (%s).

Location:
/var/log/ltm, VPE UI, tmsh

Conditions:
Administrator attempts to configure 'connection-properties' attribute of SAML metadata automation object. Administrator has not specified required DNS resolver in 'connection-properties' resulting in the validation error.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Specify DNS resolver in connection-properties attribute of SAML metadata automation object.


01071cf1 : SAML metadata automation object (%s) should have only one 'connection-properties' attribute configured.

Location:
/var/log/ltm, VPE UI, tmsh

Conditions:
Administrator attempts to configure SAML metadata automation object, and set more then one property 'connection-properties'.

Only a single 'connection-properties' configuration is allowed per SAML metadata automation object, so the error will be shown.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Configure only one 'connection-properties' attribute per SAML metadata automation object.


01071cf3 : Authorize redirect request (%s) must always use 'GET' method.

Location:
Console.

Conditions:
If an authorize redirect request is created with POST method, then this message displays

Impact:
Create the OAuth Request object fails.

Recommended Action:
Create authorize redirect request only with 'GET' method.


01071cf4 : Invalid %s for Monitor Test (%s) conflicts with monitor value (%s)

Location:
/var/log/ltm, tmsh, iControl REST

Conditions:
One or more of the parameters specified in the tmsh 'run ltm monitor' command to test an LTM monitor configuration are incorrect.
Specifically, the destination IP Address and/or Service Port are specified in the 'run ltm monitor' command, when the destination IP Address and/or Service Port are already specified in the LTM health monitor configuration being tested.

Impact:
A potentially-invalid or misleading monitor test is prevented from running.
If the destination IP Address and/or Service Port of an LTM health monitor is configured, that configuration will be used during the monitor test.
Preventing conflicting destination IP Address and/or Service Port parameters from being specified in the tmsh 'run ltm monitor' command helps ensure accuracy of the monitor test, and fidelity with actual behavior of the LTM health monitor as configured once assigned to an LTM node, pool member or pool.

Recommended Action:
When performing a test of an LTM monitor using the tmsh 'run ltm monitor' command, only provide destination IP Address and/or Service Port parameters which are not already configured in the LTM health monitor being tested.


01071cf5 : Invalid state (%s) for Monitor Test target (%s) marked for cleanup

Location:
/var/log/ltm

Conditions:
A monitor instance created internally for the purpose of executing the tmsh 'run ltm monitor' command (to test LTM health monitor configuration) was found to be in an unexpected state.

Impact:
The LTM monitor test result cannot be evaluated accurately.
This condition results from an invalid internal state in mcpd and/or bigd daemon processing. Therefore, it might be an indication of more significant inconsistencies within the BIG-IP configuration subsystem.

Recommended Action:
Further diagnosis of the mcpd and bigd daemons is indicated, including enabling mcpd and bigd debug logging and repeating the LTM monitor test which encountered the error condition.


01071cf6 : The current provisioning does not support the TurboFlex profile. Please provision LTM first or choose another profile suggested on the help page.

Location:
/var/log/ltm

Conditions:
TurboFlex profiles need certain provisioning to be configured. Different TurboFlex profiles have different requirements, but all of them can be configured when LTM is provisioned.

Impact:
When the user selects a TurboFlex profile, the profile does not become the active profile.

Recommended Action:
Provision LTM or other modules that support the chosen TurboFlex profile listed under the description of each profile. (The TMSH command is "show sys turboflex profile all field-fmt".)


01071cf7 : The chosen turboflex is not licensed, therefore the change cannot be made.

Location:
/var/log/ltm, GUI, tmsh

Conditions:
This only happens when the user is trying to change the active TurboFlex profile. If the user has an unthrottled license, which is also called a PAYG standard license, some TurboFlex profile will not be licensed. Therefore, choosing the unlicensed profile will trigger this message, and the change will not be made.

Impact:
The change of the desired TurboFlex profile will not be done.

Recommended Action:
If you would like the TurboFlex profile, you will need to upgrade the license from unthrottled to throttled, in other words, from PAYG standard to PAYG performance.


01071cf9 : The provision module %s requires TurboFlex profile %s. Please either un-provision the module or choose the required profile. For more information, please see 'tmsh help sys turboflex' on the command line, or look at the 'Help' tab on the TurboFlex page under Resource Provisioning.

Location:
/var/log/ltm, GUI

Conditions:
Some provisioning module can only be provisioned when a certain TurboFlex profile is set as active. Therefore, this error will appear when you are trying to provision a module when the required TurboFlex profile is not active, or when you are switching to another TurboFlex profile that does not allow a provisioned module to be provisioned that the previous profile allowed.

Impact:
The modifying action will not be done.

Recommended Action:
The error message will tell you which profile to modify with the command "tmsh modify sys turboflex profile-config type <profile>", or which modules to un-provision with command "modify sys provision <module> level none", in order for the change to occur without error.


01071cfb : Please get the Advanced Protocols or FIX add-on license to enable FIX features.

Location:
/var/log/ltm

Conditions:
The TurboFlex low latency profile cannot be enabled.

Impact:
The TurboFlex configuration will remain unchanged or will be the default configuration.

Recommended Action:
Customers will need to get an additional add-on license from F5 in order to enable the profile.


01071cfc : %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.

Location:
/var/log/ltm

Conditions:
Enabling or disabling either FIPS 140-2 compliance mode or modifying the Common Criteria DB variable (Security.CommonCriteria) changes the OpenSSL FIPS flag. Log the message. The prompt changes to 'Reboot Required'.

Impact:
The log message and the prompt change to 'Reboot Required' to remind the user to reboot for all FIPS changes to take effect.

Recommended Action:
Reboot the BIG-IP system for all processes to get initialized correctly in the compliant mode.


01071cfc : %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.

Location:
/var/log/ltm

Conditions:
On a BIG-IP non-VE device or hardware device that did not have a FIPS 140-2 Level 1 license, a FIPS 140-2 Level 1 license has been procured and installed.

Impact:
The system prompt changes to "REBOOT REQUIRED".

Recommended Action:
Reboot the device for the new license settings to take effect and for FIPS-specific code-paths to execute in the system OpenSSL.


01071cfd : The VLAN (%s) tag %u cannot be modified to %u once the VLAN is created. Please delete and re-create it.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The VLAN tag is not allowed to change to an existing VLAN tag when a virtual wire interface is associated with any VLANs of the same tag.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN, trunk, and interface. You can delete the VLAN and re-create the VLAN with the tag.


01071cfe : %s (%s): AutoMitigate %s %u must be lower than AutoMitigate ceiling %u.

Location:
GUI, CLI

Conditions:
In the AFM DoS feature, the attack detection threshold is higher than the detection ceiling value set for a vector.

Impact:
An attack detection threshold that exceeds the detection ceiling value invalidates the configuration.

Recommended Action:
Reset the detection ceiling to a value higher than the threshold.


01071cff : %s (%s): AutoMitigate %s 'infinite' must be lower than AutoMitigate ceiling %u.

Location:
GUI, CLI

Conditions:
In the AFM DoS feature, the attack detection threshold value is set to Infinite while the attack detection ceiling is set to a finite value.

Impact:
The configuration is invalid.

Recommended Action:
Set the rate threshold value to a finite value that is lower than the ceiling value.


01071d00 : Maximum response size (%u) for OAuth provider (%s) must be in range of (%u-%u).

Location:
TMSH

Conditions:
When the admin specifies the maximum allowed response size for a particular provider with too large or too small of a value.

Impact:
The out of range value will not be set. The previous value remains.

Recommended Action:
The admin has to enter a value within the range.


01071d01 : Invalid value (%s) for profile %s field %s. Only integers between 0 and 4294967295 are permitted.

Location:
/var/log/ltm, console, GUI

Conditions:
When the user enters a non-integer, a negative integer, or an integer that exceeds 4294967295 in a field that's limited to unsigned long integers.

Impact:
The profile will not be updated or created until the error is corrected.

Recommended Action:
Enter a value between 0 and 4294967295 in the field indicated by the error message.


01071d02 : Size of field '%s' for monitor '%s' exceeds allowed maximum of %d bytes.

Location:
/var/log/ltm, tmsh console, iControl REST, GUI

Conditions:
When a monitor has a password, or a secret parameter, and it is being created or updated with a value exceeding the allowed maximum number of bytes.

Impact:
Upon receiving the message, a creation or modification of the object for specified monitor fails.

Recommended Action:
Set the size of the identified parameter within the specified limit.


01071d03 : Encryption object is too big.

Location:
/var/log/ltm, tmsh console, iControl REST, GUI

Conditions:
There is an object which has a parameter stored in Secure Vault, and the size of the parameter, in bytes, exceeds a documented limit during the object creation or modification.

Impact:
An operation on the object creation or modification fails.

Recommended Action:
Set the parameter's value with the documented limit.


01071d04 : Encryption failed.

Location:
/var/log/ltm, tmsh console, iControl REST, GUI

Conditions:
There is an object which has a parameter stored in Secure Vault and encryption of the parameter fails during the object creation or modification.

Impact:
An operation on the object creation or modification fails.

Recommended Action:
None.


01071d05 : %s is not a valid IP address or hostname.

Location:
/var/log/ltm, console, GUI

Conditions:
For apm::aaa::active-directory, provide invalid ip or FQDN hostname for domain-controller.

Impact:
Configuration cannot be saved.

Recommended Action:
Supply valid ip or hostname for the value.


01071d06 : Overlapping %s IP addresses (%s) is in NAT policy '%s', rule '%s'.

Location:
/var/log/ltm

Conditions:
There are overlapping IP addresses in a NAT policy rule.

Impact:
No impact. Message is informational only

Recommended Action:
None.


01071d07 : The VLANGROUP (%s) is composed of VLAN (%s) of tag %u with %s member (%s). A similar VLANGROUP must be created first and be composed of VLAN of tag '4096' with member (%s).

Location:
/var/log/ltm

Conditions:
The BIG-IP system has an invalid VLAN Group configuration.

Impact:
The BIG-IP system logs an error message.

Recommended Action:
Inspect the relevant object configuration in the VLAN Group, VLANs, and the interface used in virtual-wire configuration. Then create VLANs of tag 4096 with the same interface, and create another VLAN Group with those VLANs.


01071d08 : Connectivity profile (%s) does not exist.

Location:
/var/log/ltm

Conditions:
The connectivity profile does not exist even when a handle is on it. A race condition might have occurred.

Impact:
Upgrading or modifying a connectivity profile is likely to fail for the object in question.

Recommended Action:
To avoid race conditions, do not have multiple tmsh sessions editing the connectivity profiles.


01071d09 : Management auto-lasthop (%s) can't be disabled on a 1-NIC platform.

Location:
/var/log/ltm

Conditions:
The user tries to disable management auto-lasthop ("tmsh modify ltm global-settings general mgmt-auto-lasthop") on VE system configured with 1-NIC.

Impact:
Management auto-lasthop cannot be disabled.

Recommended Action:
None.


01071d09 : Invalid multicast address '%s' specified for multicast-ip.

Location:
/var/log/ltm

Conditions:
An invalid multicast address has been specified in the cm/device configuration. IPv4 multicast addresses must be in the 224.0.0.0/4 subnet and IPv6 multicast addresses must use the ff00:/8 prefix.

Impact:
Multicast failover packets do not work on the multicast interface, thus reducing the reliability of operation in high-availability (HA) cluster.

Recommended Action:
Configure a valid multicast address on all devices in the HA cluster.


01071d0a : adm: %s

Location:
Those messages wraps Behavioral Signature debug logs independent for development team to investigate an issue.

Conditions:
Those massages should only be activate if a further investigation of an issue is required.

Impact:
no impact

Recommended Action:
no workaround


01071d0a : Policy (%s) of type %s cannot have per-req-policy-properties attached, policy type must be %s.

Location:
cli

Conditions:
A user has tried to add a per-req-policy-properties object to an Access policy that is not of type "per-rq-policy" or "sslo-policy".

Impact:
The operation to add the per-req-properties object fails.

Recommended Action:
Add the per-req-policy-properties object to a policy of the correct type.


01071d0b : adm: %s

Location:
This log message is contained in internal Behavioral Signatures error logs.

Conditions:
Those errors could be caused by a broken feature or critical system errors.

Impact:
Behavioral signatures will not be managed correctly.

Recommended Action:
no workaround


01071d0b : Configuration error: Virtual Server (%s) with Access Profile of type sslo is not compatible with profile of type (%s).

Location:
/var/log/ltm, GUI

Conditions:
For a virtual server, an attempt has been made to assign a type of profile that is incompatible with an SSLO Access profile assigned to that virtual server. The two profiles are incompatible.

Impact:
This results in an invalid configuration.

Recommended Action:
None.


01071d0c : adm: %s

Location:
This log message wraps internal Behavioral Signatures warning logs.

Conditions:
Those errors usually refer to invalid signatures, usually self created by using the tmsh.

Impact:
The signature will not be created / modified.

Recommended Action:
Those warnings should explain what went wrong which will explain how to fix the issue.


01071d0c : Configuration error: Access Profile of type sslo is not compatible with exchange profile.

Location:
/var/log/ltm, GUI

Conditions:
An attempt has been made to add or modify both the exchange property for SSLO and an SSLO Access profile. They are incompatible.

Impact:
This results in an invalid configuration.

Recommended Action:
None.


01071d0d : adm: %s

Location:
Those messages wraps Behavioral Signature information logs.

Conditions:
Those logs indicates the successful transaction with the added / modified signature.

Impact:
no impact.

Recommended Action:
no workaround


01071d0d : Configuration error: Virtual server (%s) cannot be used for connector profile (%s), type must be internal.

Location:
/var/log/ltm, GUI

Conditions:
The user has specified a virtual server as a connector profile's entry virtual server, while the virtual server type is not set as type "nternal".

Impact:
The user cannot successfully deploy an SSL orchestrator using a connector profile.

Recommended Action:
Either remove the entry virtual server property from the connector profile, or change the virtual server's type to "internal".


01071d0e : Global ASM health alerts configurations error: %s

Location:
tmsh

Conditions:
In tmsh when trying to configure new ASM alert with illegal value.

Example:
(/Common)(tmos)# modify asm health-alerts tmm-cpu-utl-threshold 200
01071d06:3: Global ASM health alerts configurations error: tmm CPU utilization threshold can't be more than 100.

Example:
root@(eddie)(cfg-sync Disconnected)(monpd DOWN)(/Common)(tmos)# modify asm health-alerts backlog-msg-queue-utl-threshold 900
01071d06:3: Global ASM health alerts configurations error: backlog message queue utilization threshold can't be more than 100.

Impact:
The threshold for the specific ASM alert will not be configured unless a legal value is given.

Recommended Action:
Provide legal value to the threshold field.


01071d0e : Configuration error: Connector profile (%s) cannot be attached to virtual server (%s) when per-request policy (%s) is attached to this virtual server. Attach service connect agent to the per-request policy instead.

Location:
/var/log/ltm, GUI

Conditions:
The user has tried to attach a connector profile to a virtual server when a per-request policy is attached to the same virtual server.

Impact:
The user cannot successfully configure an SSL orchestrator deployment.

Recommended Action:
Either attach a connector profile to a virtual server, or attach a per-request policy to it, and attach service connect agent to the per-request policy.


01071d0f : Configuration error: Virtual server (%s) used by connector profile (%s) must have a service profile attached.

Location:
/var/log/ltm, GUI

Conditions:
The user has tried to specify an entry virtual server for a connector profile when a service profile is attaching to this virtual server.

Impact:
The user cannot configure a SSL orchestrator deployment successfully.

Recommended Action:
Either remove the service profile from the virtual server, or set the entry virtual server of the connector profile to "none".


01071d10 : Configuration error: Virtual server (%s) used by connector profile (%s) with inline service profile (%s) must have a splitsession client profile attached.

Location:
/var/log/ltm, GUI

Conditions:
The user has tried to specify an entry virtual server of a connector profile when:

1) The virtual server is attached to an inline, inline-http, or inline-http-explicit service profile, and

2) The virtual server does NOT have a split session client profile attached

Impact:
The user cannot configure the SSL orchestrator deployment successfully.

Recommended Action:
Doone of the following:

1) Set connector profile's entry virtual server to "none".
2) Change the service profile's type so that it's not any of the inline types.
3) Attach a split session client profile to the virtual server.


01071d12 : Cannot delete the Anti-Fraud URL '%s' since it is referenced by the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.

Location:
/var/log/ltm, TMSH and GUI

Conditions:
Trying to delete a 'Base URL' while it has 'View URL' children

Impact:
Configuration failed

Recommended Action:
Delete all VIews before deleting it's parent 'Base URL'


01071d13 : Anti-Fraud Base URL '%s' must exist before creating the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.

Location:
/var/log/ltm, TMSH and GUI

Conditions:
Trying to create a 'View URL' before its parent 'Base URL'

Impact:
Configuration load fails

Recommended Action:
Create 'Base URL' before crating its 'View URLs'


01071d14 : '%s' can be modified only for a 'Base URL', while the Anti-Fraud URL '%s#%s' is a 'View URL' in the Anti-Fraud Profile '%s'.

Location:
/var/log/ltm, TMSH and GUI

Conditions:
Trying to set a 'Base URL only' attribute in an View URL object.

Impact:
Configuration load fails

Recommended Action:
set 'Base URL only' attributes only in a Base URL objects.


01071d15 : Configuration error: access log configuration (%s) is part of system configuration, so it cannot be deleted.

Location:
/var/log/ltm, CLI, GUI

Conditions:
User attempted to delete the default APM log setting configuration.

Impact:
Deleting the default APM log setting configuration is disallowed.

Recommended Action:
None.


01071d16 : DNS profile (%s) cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A change was made to the configuration of a DNS profile such that both edns0 client subnet insertion and DNS caching are set to enabled.

Impact:
The current implementation of the DNS cache is not client subnet aware and therefore might cache responses for all clients when the scope of the response is actually much narrower. Consequently, the configuration changes are dropped.

Recommended Action:
Enable the DNS cache by disabling edns0 client subnet insertion (or vice versa). This can be accomplished in the same command/transaction:

tmsh modify ltm profile dns <profile_name> enable_cache <yes/no> cache <cache_name/none> edns0-client-subnet-insert <disabled/enabled>


01071d16 : Configuration error: sslo log configuration (%s) is part of system configuration, so it cannot be deleted.

Location:
/var/log/ltm, CLI, GUI

Conditions:
The user attempted to delete the default SSLO log setting configuration.

Impact:
Deleting the default SSLO log setting configuration is disallowed.

Recommended Action:
None.


01071d17 : DNS profile (%s) inherits options from DNS profile (%s) and cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A change was made to the configuration of the parent DNS profile so that a child DNS profile that inherits default options from the parent profile has entered an invalid state with both edns0 client subnet insertion and DSN caching enabled.

Note that the child profile might or might not be an immediate child of the parent and it is possible for the child to have one or more profiles between it and the parent profile.

Impact:
The current implementation of the DNS cache is not client subnet aware and therefore might cache responses for all clients when the scope of the response is actually much narrower. Consequently,the configuration changes are dropped.

Recommended Action:
Change the child profile so that it does not enter an invalid state. If the child profile explicitly sets a configured value rather than using the default value from the parent profile, then changing an option on the parent profile's configuration does not affect the same option on the child.

Setting the child's edns0-client-subnet-insert option to "disabled" or the cache-enabled option to "no" should allow changes to the parent profile.


01071d18 : The IP::port(%s:%d) to be dedicated, can't be shared. Refer pools(%s, %s)

Location:
/var/log/ltm

Conditions:
A pool member that is in a pool dedicated to traffic acceleration cannot also be part of another pool.

Impact:
The configuration is rejected.

Recommended Action:
Change the pool member to be in only one of the pools mentioned in the error message.


01071d19 : The IP(%s) to be dedicated, can't be shared.

Location:
/var/log/ltm

Conditions:
A member of a SNAT pool that is being used for traffic acceleration is shared between two SNAT pools.

Impact:
The configuration is rejected.

Recommended Action:
Change the configuration so that the SNAT pool member is being used in one SNAT pool only.


01071d1a : The dedicated snatpool member address (%s) matches a selfip address (%s)

Location:
/var/log/ltm

Conditions:
A SNAT pool member address matches a self IP address.

Impact:
The configuration is rejected.

Recommended Action:
Change the IP address of either the self IP or the SNAT pool member.


01071d1b : The VIP(%s) needs pool(%s) or snatpool(%s) as dedicated for Accelerated traffic only

Location:
/var/log/ltm

Conditions:
The configuration has assigned a pool or a SNAT pool to both a virtual server that is traffic accelerated and a virtual server that is not traffic accelerated.

Impact:
The configuration is rejected.

Recommended Action:
Remove the pool or SNAT pool from the non-traffic-accelerated virtual server.


01071d1b : Virtual server (%s) requires clientssl profile when the ftps-mode in FTP profile (%s) is require.

Location:
/var/log/ltm

Conditions:
A virtual server has an FTP profile, but no SSL profiles, assigned to it. Also, the FTP profile has FTPS mode set to "none" or "require".

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.


01071d1c : The VIP(%s) in DSR mode, expect source-address-translation type(%d) as none

Location:
/var/log/ltm

Conditions:
In the configuration of the virtual server, both DSR mode and Source Address Translation are enabled.

Impact:
The configuration is rejected.

Recommended Action:
Disable either DSR mode or Source Address Translation for the virtual server.


01071d1d : The TrafficAcceleration profile(%s) does not support persist-mode(%d)

Location:
/var/log/ltm

Conditions:
A traffic acceleration profile is set to an invalid persist mode. The only persistence mode that is supported for traffic acceleration is Source Address.

Impact:
The configuration is rejected.

Recommended Action:
Assign the traffic acceleration profile to either no persistence or Source Address persistence.


01071d1e : The VIP(%s) does not support persistence profiles(%s) because it is dedicated for traffic-acceleration

Location:
/var/log/ltm

Conditions:
A persistence profile is assigned to a virtual server dedicated to traffic acceleration via Traffic Acceleration Module (TAM). TAM does not support persistence profiles.

Impact:
The configuration is rejected.

Recommended Action:
Remove either the persistence profile or the traffic-acceleration profile that is assigned to the virtual server.


01071d1f : The VIP(%s) does not support last hop pools because it is dedicated for traffic-acceleration

Location:
/var/log/ltm

Conditions:
A last hop pool is assigned to a virtual server dedicated to traffic acceleration via Traffic Acceleration Module (TAM). TAM does not support last hop pools.

Impact:
The configuration is rejected.

Recommended Action:
Remove either the last hop pool or the traffic-acceleration profile assigned to the virtual server.


01071d20 : The Pool(%s) does not support load-balancing mode(%u) because it is in use for traffic-acceleration

Location:
/var/log/ltm

Conditions:
An invalid load balancing mode is configured for a pool assigned to a Traffic Acceleration Module (TAM) virtual server. The only supported load balancing modes are Round Robin and Ratio Member.

Impact:
MCPD rejects the configuration.

Recommended Action:
Assign either the Round Robin or the Ratio Member load balancing mode to the pool assigned to the virtual server.


01071d23 : MQTT multiple peers on %s %s not supported.

Location:
/va/log/ltm

Conditions:
The MQTT protocol is attached to a Message Routing virtual server, and multiple message-routing peers are being attached to an MQTT route.

Impact:
The configuration fails. This is a validation check.

Recommended Action:
Ensure that an MQTT route does not have multiple peers, and the configuration should successfully load.


01071d24 : MQTT %s %s refers to non-existing %s %s.

Location:
/var/log/ltm

Conditions:
The MQTT protocol is attached to a Message Routing virtual server, and in an MQTT peer or route configuration, a peer or route is referencing a non-existent pool or peer.

Impact:
The configuration fails. This is a validation check.

Recommended Action:
Check whether the peer or pool being referenced by the route or peer exists. Check for any name mismatches or create the appropriate configuration objects. The configuration should successfully load.


01071d25 : \'%s\' at rule %s is %s by virtual server %s of type %s.

Location:
GUI, CLI

Conditions:
The virtual server is configured not as flow-based. For example, the command "virtual" does not work when the virtual server is message-routing.

Impact:
Some iRule commands cannot run, and the error prevents the configuration from loading.

Recommended Action:
Fix the tcl script by deleting the offending command.


01071d25 : Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an IMAP profile.

Location:
/var/log/ltm, CLI, GUI

Conditions:
Connection mirroring is configured with an IMAP profile.

Impact:
This is an invalid configuration.

Recommended Action:
Do not use connection mirroring in IMAP profiles.


01071d26 : Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an POP3 profile.

Location:
/var/log/ltm, CLI, GUI

Conditions:
An attempt was made to configure connection mirroring with an IMAP profile.

Impact:
The configuration fails.

Recommended Action:
Do not use connection mirroring on POP3 profiles.


01071d27 : Error parsing SAML assertion consumer service url: (%s) in SAML SP connector (%s)

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
In an Access Policy Manager (APM) Single Sign-On (SSO) saml-sp-connector object, one of the specified assertion consuming services contains an improperly structured URL.

Impact:
The object containing this configuration is not saved. This is an MCP configuration error.

Recommended Action:
Verify that the provided URL is correct. If the URL is not correct, specify the correct URL in the assertion consuming services of the APM SSO saml-sp-connector object.


01071d28 : 'sp-location' in SAML SP connector (%s) is set to internal-multi-domain, but the virtual server where SP is located is not specified in 'multi-domain-location' property.

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
For an Access Policy Manager (APM) Single Sign-On (SSO) saml-sp-connector object, an administrator has set the "sp-location" property to "internal-multi-domain", even though the "multi-domain-location" property is not specified.

Impact:
The object containing this configuration is not saved. This is an MCP configuration error.

Recommended Action:
In the object's "multi-domain-location" property, specify the URL for the virtual server location behind which the SAML service provider is located. The location must contain the scheme and hostname only, for example, https://application.f5.com.


01071d28 : Virtual server (%s) requires clientssl profile (%s) to enable SSL forward proxy when FTP profile (%s) is present.

Location:
/var/log/ltm

Conditions:
A virtual server is configured as follows:

1) An FTP profile and SSL profiles assigned to it, and
2) The FTPS mode in the FTP profile is set to "none" or "require", and
3) The SSL profiles have forward proxy disabled.

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.


01071d29 : Multidomain location (%s) of SAML SP connector (%s) is invalid: (%s). Location must begin with http or https and must contain hostname with no path.

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
In an Access Policy Manager (APM) Single Sign-On (SSO) saml-sp-connector object, the configured property "multi-domain-location" is not in the expected format.
For example, the location URI must not contain a path part or query parameters.

Impact:
The object containing this configuration is not saved. This is an MCP configuration error.

Recommended Action:
For the object's "multi-domain-location" property, specify the URL for the virtual server location behind which the SAML service provider is located. The location must contain the "http" or "https" scheme and the hostname, for example, https://application.f5.com.


01071d29 : Virtual server (%s) requires clientssl profile (%s) to enable SSL verified handshake when FTP profile (%s) is present.

Location:
/var/log/ltm.

Conditions:
A virtual server is configured with an FTP profile and SSL profiles, and the SSL profiles have forward proxy enabled.

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.


01071d2a : Cipher rule (%s): '%s' is not a valid %s.

Location:
/var/log/ltm

Conditions:
When creating a cipher rule, either an invalid DH Group or an invalid Signature Algorithm was specified. The error will contain which had an issue, and the exact issue.

Impact:
The cipher rule will not be created or modified.

Recommended Action:
Only use correct DH Groups and correct Signature Algorithms.


01071d2a : When OpenID Connect is enabled for OAuth profile (%s) and the alg type for %s primary key (%s) is 'HS512', the client secret for all associated Client apps with OpenID Connect enabled should be of size 64 bytes. Please re-generate the client secret for Client app (%s).

Location:
/var/log/ltm, TMSH

Conditions:
There is an OAuth Profile configuration or an OAuth Client App configuration that has:

1) "Support OpenId Connect" enabled, and
2) An ID token primary key and/or UserInfo primary key that is set as HS512, and

The size of the client secret for associated client apps is not 64 bytes in length.

Impact:
Saving the configuration fails.

Recommended Action:
Regenerate the client secret so that it is 64 bytes in length, and then save.


01071d2b : ID token lifetime (%u) for %s (%s) must be in range of (%u-%u).

Location:
/var/log/apm, GUI, CLI

Conditions:
The administrator has set an ID token lifetime out of its valid range. Both the OAuth profile and the Client App configuration have an ID token lifetime setting.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Set a valid ID token lifetime in OAuth Profile and OAuth Client App.


01071d2b : Virtual server (%s) cannot have connector profiles when allow-active-mode in FTP profile (%s) is enabled.

Location:
/var/log/ltm

Conditions:
A virtual server is configured with both an FTP profile and a connector profile, and the FTP profile with the allow_active_mode option is enabled.

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.


01071d2c : When OpenID Connect is enabled, a JWK config must be assigned as the ID Token Primary Key for OAuth Profile (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
In OAuth profile, the ID token primary key is not selected when OpenID Connect is enabled.

Impact:
The BIG-IP system logs and displays an error message.

Recommended Action:
In the OAuth profile, set the ID token primary key when OpenID Connect is enabled.


01071d2d : When OpenID Connect is enabled, support for JWT token should be enabled for OAuth profile(%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
In OAuth Profile, JWT token support is not enabled when OpenID Connect support is enabled.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the OAuth Profile, enable JWT token support when OpenID Connect support is enabled.


01071d2f : The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s) within UserInfo Primary Key and Rotation Keys.

Location:
/var/log/apm, GUI, CLI

Conditions:
In an OAuth profile, UserInfo Primary Key and Rotation Keys are set to JWK config with duplicate key-id and key type.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the OAuth profile, do not set UserInfo Primary Key and Rotation Keys to JWK config with duplicate key-id and key type.


01071d30 : OAuth claim (%s) has invalid value (%s). For '%s' claim, allowed value is a numeric value or a valid session variable.

Location:
The save operation on an object or a configuration load operation fails.

Conditions:
Some OAuth claim (for example: updated_at) has an invalid value (that is, not a valid number or a session variable).

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Configure a specific OAuth claim (such as: updated_at) to have a valid value (that is, a valid number or a session variable).


01071d31 : Authentication type for Client app (%s) is not valid. When OpenID Connect is enabled for OAuth profile (%s) and the key type for %s primary key (%s) is 'octet', then all associated Client apps with OpenID Connect enabled should have the authentication type as 'Secret'.

Location:
/var/log/ltm, CLI

Conditions:
There is an OAuth Profile configuration or an OAuth Client App configuration that has:

1) "Support OpenId Connect" enabled, and
2) An ID token primary key and/or UserInfo primary key that is of type "Octet", and

The authentication type for the Client app is not "Secret".

Impact:
Saving the configuration fails.

Recommended Action:
Change the authentication type of the Client app to "Secret" and save the object.


01071d32 : The OAuth profile (%s) does not allow JWK config with duplicate key-id (%s) of type (%s) within %sPrimary Key (%s) and %sPrimary Key (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
In an OAuth profile, JWK with duplicate kid and key type are selected among JWT Access Token primary key, ID token primary key, or UserInfo primary key.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In OAuth profile, do not set the JWT Access Token primary key, ID token primary key, and/or UserInfo primary key to JWK config with duplicate key-id and key type.


01071d33 : JWK config (%s) cannot be configured to use both client secret and shared secret for key type octet.

Location:
/var/log/ltm, CLI

Conditions:
A JWT key configuration is created with type "octet", and the key is configured to use both a client secret and a shared secret.

Impact:
The object is not saved.

Recommended Action:
Ensure that the JWT key configuration with type "octet" is configured to use either a client secret or a shared secret, but not both.


01071d34 : In JWT config (%s), the %s JWK config (%s) cannot be configured to use client secret when key type is octet.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A JWT key that is configured to use a client secret for type "octet" is associated as a blocked or allowed key in a JWT token configuration.

Impact:
The object is not saved.

Recommended Action:
Ensure that a JWT key configuration with type "octet" and a shared secret is associated with JWT token configuration as an allowed or blocked key.


01071d36 : JWK config (%s) is %sconfigured to use client secret for key type octet. Hence, this cannot be used as %s primary key in %s (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
This appears when:

1) A JWT key configuration of type "octet" is configured to use a client secret and it is assigned as a JWT primary key in the OAuth profile, or

2) A JWT key configuration of type "octet" is configured to use a shared secret and it is assigned as an ID Token primary key in the OAuth profile.

Impact:
The object is not saved.

Recommended Action:
If the JWT key is configured as a JWT primary key in the OAuth profile, do not configure the key to use a client secret.

If the JWT key is configured as an ID token primary key in the OAuth profile, configure the key to use a client secret.


01071d36 : The prefix (%s) is a reserved word and claim name (%s) cannot be used for the claim (%s). Please remove or change the prefix to continue.

Location:
GUI, CLI

Conditions:
An administrator is trying to configure a claim name that has a reserved prefix.

Impact:
The BIG-IP system rejects the new claim configuration.

Recommended Action:
Change or remove the reserved prefix of the claim name.


01071d37 : %s claim (%s) cannot be associated with %s (%s) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An OAuth claim with a claim name address is associated as an ID Token claim or UserInfo claim in the OAuth profile or Client App configuration.

Impact:
The object is not saved.

Recommended Action:
Do not associate an OAuth claim with claim name "address" as an ID Token or UserInfo claim in an OAuth Profile or Client app configuration. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim "address".


01071d38 : %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An OAuth claim with claim name "address" is associated as an ID Token claims or UserInfo claim in the OAuth Authorization agent.

Impact:
The object is not saved.

Recommended Action:
Do not associate an OAuth claim with claim name "address" as an ID Token or UserInfo claim in an OAuth Authroization agent. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim "address".


01071d39 : The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with %s (%s). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator has changed the name of the claim to "address", and the claim is associated as an ID Token or UserInfo claim in the OAuth profile or client app.

Impact:
The object is not saved.

Recommended Action:
Do not change name of the claim to "address" if the claim is associated as an ID Token or UserInfo claim in the OAuth profile or client app. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.


01071d3a : The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with OAuth Authorization agent (%s), entry (%d). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator has changed the name of the claim to "address", and the claim is associated as an ID Token or UserInfo claim in the OAuth Authorization agent.

Impact:
The object is not saved.

Recommended Action:
Do not change name of the claim to "address" if the claim is associated as an ID Token or UserInfo claim in the OAuth Authorization agent. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.


01071d3b : %s claim (%s) cannot be associated with %s (%s). The claim value must be set to 'true', 'false' or a valid session variable.

Location:
GUI, CLI

Conditions:
The “email_verified” and “phone_number_verified” claims are not set to “true”, “false”, or a valid session variable, and these claims are associated with an OAuth profile’s or client app’s “ID Token” or “UserInfo” claim.

Impact:
Saving a claim object fails.

Recommended Action:
Change the claim values to a recommended value, that is, "true", "false", or a valid session variable.


01071d3c : %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d). The claim value must be set to 'true', 'false' or a valid session variable.

Location:
GUI, CLI

Conditions:
The "email_verified" and "phone_number_verified" claims are not set to "true", "false", or a valid session variable, and the claims are associated with OpenID-relaed claims on the OAuth Authorization agent.

Impact:
Saving a claim object fails.

Recommended Action:
Either set each claim value to a recommended value, or do not associate the claims with the OAuth Authorization agent.


01071d3d : The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on %s (%s).

Location:
GUI, CLI

Conditions:
The "phone_number_verified" or "email_verified" claim is not set to "true", "false", or a valid session variable, and the claim is attached to an OAuth profile's or client app's OpenID-related claim.

Impact:
The claim object is not saved.

Recommended Action:
Set the claim values to a recommended value, that is, "true", "false", or a valid session variable.


01071d3e : The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on OAuth Authorization agent (%s), entry (%d).

Location:
GUI, CLI

Conditions:
When modified, the 'phone_number_verified' or 'email_verified' claim is not set to "true", "false", or a valid session variable, and the claim is attached to an OAuth profile's or client app's OpenID-related claim.

Impact:
The claim object is not saved.

Recommended Action:
Set each claim to a recommended value, that is, "true", "false", or a valid session variable.


01071d3f : Can't find prime AVR-profile.

Location:
/var/log/audit, /var/log/ltm, GUI, CLI

Conditions:
An expected AVR base/prime profile does not exist on the system.

Impact:
This message is a sanity check to ensure that the base/prime profile for AVR was created successfully. AVR functionality might not work as expected. Also, AVR profile creation and modification might not be possible.

Recommended Action:
None.


01071d40 : Can't generate more than %d %s when collecting AVR statistics.

Location:
tmsh

Conditions:
The error appears when the user tries to add more than the maximum limit of IP addresses, URLs, countries or subnet IP addresses to the predefined lists. The current maximum limit per list is 10.

For example:
1) modify ltm profile analytics analytics ips-for-stat-collection add {172.29.54.1 172.29.54.2 172.29.54.3 172.29.54.4 172.29.54.5 172.29.54.6 172.29.54.7 172.29.54.8 172.29.54.9 172.29.54.10 172.29.54.11 172.29.54.12}


2) modify ltm profile analytics analytics urls-for-stat-collection add {/url1 /url2 /url3 /url4 /url5 /url6 /url7 /url8 /url9 /url10 /url11}

Impact:
N/A

Recommended Action:
Verify that the number of items per list after running the command will not exceed the maximum limit.


01071d41 : Can't generate a list of %s because 'collect_%s' flag is disabled.

Location:
tmsh

Conditions:
The error appears when:

1. Running the following TMSH command when the 'collect_ip' flag is disabled:
 modify ltm profile analytics analytics ips-for-stat-collection add { <ip address>}


2. Running the following TMSH command when the 'collect-geo' flag is disabled:
 modify ltm profile analytics analytics countries-for-stat-collection add {<countries>}


3. Running the following TMSH command when the 'collect-subnets' flag is disabled:
 
modify ltm profile analytics analytics subnets-for-stat-collection add {<subnet ips>}


4. Running the following TMSH command when the 'collect-url' flag is disabled:
    modify ltm profile analytics analytics urlss-for-stat-collection add {<urls>}

Impact:

Recommended Action:
Enable the specific flag and rerun the command.


01071d41 : Anti-Fraud View '%s' is invalid. View must be non-empty string with size less than %u and should contain only valid characters in the Anti-Fraud Profile '%s'.

Location:
tmsh console, /var/log/ltm

Conditions:
trying to configure an empty view ID (A.K.A view name)

Impact:
configuration failure

Recommended Action:
while configuring views, use a non-empty name


01071d42 : Can't generate list of counties because the '%s' is invalid.

Location:
CLI

Conditions:
The following TMSH command has been run with an invalid country name:
modify ltm profile analytics analytics countries-for-stat-collection add {"country name"}

Impact:
The operation to generate a list of countries fails.

Recommended Action:
Run the TMSH command with a valid country name. If the country name has multiple words, write the name in the following format: "<country name>". Use TAB to see the list of valid countries.


01071d43 : Can't generate list of urls because the '%s' URL's length is exceeded maximum %1d.

Location:
TMSH

Conditions:
The error appears when running the following TMSH command with a URL that exceeded the maximum allowed length of 255 characters:

list ltm profile analytics analytics urls-for-stat-collection add {<url>}

Impact:

Recommended Action:
Run the command with a URL that does not exceed the maximum allowed length.


01071d44 : The Traffic Matching Criteria (%s) is already in use by another Netflow Protected Server (%s).

Location:
/var/log/ltm

Conditions:
Validation error. Each Netflow Protected Server object must reference a unique Traffic Matching Criteria. A Traffic Matching Criteria cannot service more than one Netflow Protected Server.

Impact:
Validation error might lead to configuration load, upgrade, and sync failures.

Recommended Action:
Remove one of the references to Traffic Matching Criteria before assigning it to the intended Netflow Protected Server.


01071d44 : Invalid type %s for %s %s. All the %s should be the same type (IPv4 ot IPv6).

Location:
CLI

Conditions:
The user has run the following TMSH commands to add IP addresses or subnet IP addresses to the predefined list, where one or more of the IP addresses are not the same IP address version:

1. modify ltm profile analytics analytics ips-for-stat-collection add {<ip address>}

2. modify ltm profile analytics analytics subnets-for-stat-collection add {<subnet ip>}

Impact:
An error message appears.

Recommended Action:
Verify that the IP addresses/subnet IP addresses in the predefined lists are the same version.


01071d45 : Invalid Netflow Protected Server [%s] name for stopping redirection

Location:
/var/log/ltm

Conditions:
When trying to stop redirection on a non-existent Netflow Protected Server.

Impact:
Validation error.

Recommended Action:
Reference an existant Netflow Protected Server.


01071d45 : Discovery interval (%u) for OAuth provider (%s) must be greater than (%u) minutes.

Location:
/var/log/ltm

Conditions:
An attempt is made to set the discovery interval to a value that is less than 60.

Impact:
The discovery interval remains unchanged.

Recommended Action:
Change the discovery interval to a value that is greater than 60.


01071d46 : Netflow Protected Server (%s) cannot have a Traffic Matching Criteria that references a route domain.

Location:
/var/log/ltm, CLI

Conditions:
The system cannot validate the system configuration.

Impact:
The configuration fails.

Recommended Action:
In the traffic matching criteria for a Netflow Protected Server, do not reference a route domain.


01071d47 : (%s) has an invalid mask %u.

Location:
/var/log/ltm

Conditions:
Configuration validation, when an IP Address is configured with invalid mask. For example, 10.10.0.1/24 should be 10.10.0.1/32.

Impact:
Configuration exception.

Recommended Action:
Provide the correct mask.


01071d49 : Specified compatibility level-%d is too high. That level includes feature settings that are not supported for this platform.

Location:
/var/log/ltm

Conditions:
The user has set the compatibility level to one that is not allowed on the current platform.

Impact:
None.

Recommended Action:
Enter a supported compatibility level for the platform.


01071d4a : Security FlowSpec: %s: router-id(%s) is not a valid IPv4 address.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The security flowspec-route-injector profile or its neighbor is configured incorrectly.

Impact:
The related configuration will not be in the system.

Recommended Action:
None.


01071d4b : Security FlowSpec: %s: %s (%s) has mis-matched route domain (%d).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The security flowspec-route-injector profile or its neighbor is configured incorrectly.

Impact:
The related configuration will not be in the system.

Recommended Action:
None.


01071d4c : Route domain (%s) can not have both 'Security Flowspec BGP' and 'Zebos BGP' routing planes enabled at the same time.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration referenced in the error message prevents a configuration object from being updated.

Impact:
The relevant configuration is not updated.

Recommended Action:
Revise the configuration.


01071d4d : Security FlowSpec: %s: missing required field(s) %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Change the required field or fields.


01071d4e : Security FlowSpec: %s: must have at least one 'neighbor' specified.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Specify at least one neighbor.


01071d4f : Security FlowSpec: %s: The datatype (%d) for inherited fields is missing.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Specify the data type referenced in the error message.


01071d50 : Security FlowSpec: %s: %s is non-mutable field.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Fix the invalid configuration referenced in the error message.


01071d51 : Security FlowSpec: %s: %s doesn't have matched address family.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Fix the invalid configuration referenced in the error message.


01071d52 : The attribute (%s) for (%s) cannot be none.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A value is set to "none".

Impact:
The validation fails.

Recommended Action:
Change configuration to a valid non-zero value, or set using default keyword.


01071d54 : The value (%lld) for attribute (%s) for (%s) must be within range %s.

Location:
/var/log/ltm, CLI

Conditions:
A configured value is invalid because it is out of the allowed range.

Impact:
The configuration fails to load.

Recommended Action:
Set the value within the range specified in the error message.


01071d55 : Security FlowSpec: %s: can not refer route domain (%s) which is neither in the same partition as profile nor in /Common partition.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The route domain is not in the same administrative partition as the profile or in partition /Common.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Fix the configuration so that the route domain is in the correct administrative partition.


01071d56 : Limit on the number of extended white list entries (%u) has been reached. Please modify the value of dos.maxewlsize to allow more entries.

Location:
/var/log/ltm

Conditions:
The number of extended white list entries that can be configured on Neuron platforms exceeds the value set in the db variable dos.maxewlsize.

Impact:
The configuration is rejected. Applies to Neuron platform, DOS extended white list.

Recommended Action:
Change the value of dos.maxewlsize (max value 1024) to allow more extended white list entries.


01071d57 : The %s (%s) attribute %s can only reference objects in partition %s.

Location:
/var/log/ltm, CLI

Conditions:
The user is attempting to configure an attribute that references an object in an illegal administrative partition.

Impact:
The validation fails.

Recommended Action:
Reference objects that reside in legal partitions or partition Common.


01071d59 : Cannot modify scrubber config property %s

Location:
GUI, CLI

Conditions:
An attempt was made to modify fields that are part of the key in the scrubber configuration objects.

Impact:
You cannot perform the modify operation.

Recommended Action:
None.


01071d5a : IPv4/IPv6 Next hop must be configured.

Location:
GUI, CLI

Conditions:
While creating RTBH blacklist publisher profile, the user has not provided either of the next-hop v4 or next-hop-v6 addresses for the profile, and the advertisement method for the profile is BGP.

Impact:
The configuration fails.

Recommended Action:
Provide either of the v4 or v6 next hop IP addresses.


01071d5b : Not a valid %s Address.

Location:
GUI, CLI

Conditions:
The user configures an invalid IP address to the route-advertisement-nexthop or route-advertisement-nexthop-v6 attributes in the Blacklist publisher profile.

Impact:
The configuration fails.

Recommended Action:
Fix the configuration value for the next hop or nexthop-v6 IP addresses.


01071d5c : Cannot lower compatibility level. Whitelist address-list (%s) configured on this system requires current compatibility level.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The system already has a configuration that depends on the currently-configured compatibility system level.

Impact:
The user can't lower the value of the compatibility level with an existing whitelist address list.

Recommended Action:
Remove the whitelist before the compatibility level can be lowered on a supported platform.


01071d5f : Entry already exist in extened white list(%s).

Location:
GUI, CLI

Conditions:
A user has tried to add a duplicate entry.

Impact:
The system performs validation to prevent duplicate entries.

Recommended Action:
Correct the configuration to prevent attempts to add duplicate entries.


01071d60 : %s failed with an I/O error: %s.

Location:
/var/log/ltm

Conditions:
An attempt is made to configure a WOM local-endpoint from tmsh or the GUI.

Impact:
mcpd logs the error and rolls back the transaction. The configuration associated with the transaction is not applied, and mcpd is left in the state it was in prior to the transaction. The WOM local-endpoint is not configured.

Recommended Action:
Try again. If that fails, save the current configuration and restart mcpd.


01071d61 : Failed to allocate memory at %s:%d.

Location:
/var/log/ltm

Conditions:
The mcpd daemon is out of memory, causing a memory allocation of unknown size to fail. This can occur during an attempt to process a very large transaction.

Impact:
A hard exit from mcpd will probably occur.

Recommended Action:
Consider provisioning mcpd with more memory. This will cause the TMM to have less memory for itself, but mcpd will be able to process larger and more complex configurations.


01071d62 : CMI device (%s) attempted to connect but is running an incompatibly old version of TMOS.

Location:
/var/log/ltm

Conditions:
The remote device is running an older software version that did not indicate a required DSC handshake protocol version in the message.

Impact:
Config sync is disabled between this device and another trust domain member. Config sync will remain disabled until the other device is upgraded to a compatible version.

Recommended Action:
Upgrade the other device to a compatible version and reboot the other device into the new installation volume.


01071d62 : Unsupported route-type (%d) seen for mgmt-route (%s).

Location:
/var/log/ltm

Conditions:
Management-route is an unsupported route type.

Impact:
There is a possible management-route misconfiguration.

Recommended Action:
Verify that management-route is of type Gateway, Interface, or Blackhole only.


01071d63 : CMI device (%s) attempted to connect but is running a version of TMOS with incompatible version (%s) (expected %s).

Location:
/var/log/ltm

Conditions:
The remote device is running an older software version that did not indicate a required DSC handshake protocol version in the message.

Impact:
Config sync is disabled between this device and another trust domain member. Config sync will remain disabled until the other device is upgraded to a compatible version.

Recommended Action:
Upgrade the other device to a compatible version.


01071d63 : No value specified for supersede-option: %s

Location:
/var/log/ltm

Conditions:
No value is specified to supersede the DHCP server-provided value for the tmsh supersede-option setting.

Impact:
Configuration of the supersede-option in "tmsh sys management-dhcp" fails.

Recommended Action:
Ensure that every supersede-option in "tmsh sys management-dhcp" has at least one value specified to supersede the DHCP server-provided value for the given option.


01071d65 : DNSSEC External Zone (%s) must be a descendant of DNSSEC Zone (%s).

Location:
/var/log/gtm

Conditions:
The external zone is not a descendant of the parent zone. (e.g. external zone: child.f5.com, parent: notf5.com). The parent name must be a suffix of the child name.

Impact:
The external zone must be a descendant of the parent zone in order to establish the DNSSEC chain of trust. If the parent zone name is not a suffix of the child zone name (child not descendant of parent), a chain of trust cannot be established.

Recommended Action:
Verify zone name of external zone to ensure it is a descendant of the parent zone.


01071d65 : Invalid name value (%s) specified for URL Category %s.

Location:
/var/log/ltm

Conditions:
The user is trying to create a new URL category, and the category name has an invalid start character (that is, any character within "*/-:_?=@,&()0123456789", including a character such as ".*/-:_?=@,&() ".

Impact:
The configuration is not saved and the user will be unable to create a new custom category.

Recommended Action:
Remove the invalid or special characters in the category name and then rename the category that contains the valid characters.


01071d66 : DNSSEC External Zone (%s:%s) duplicates existing DNSSEC zone (%s) with the same name (case-insensitive and unique across folders).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone, while a DNSSEC Zone sharing the same name already exists.

Impact:
Creation of a duplicate DNSSEC Zone will fail.

Recommended Action:
Modify the existing DNSSEC Zone under the specified name, otherwise delete it before creating the External Zone. Be sure to verify if the zone you want to be created is internal or external.


01071d66 : System iRule (%s) cannot be associated to oauth server (%s).

Location:
/var/log/ltm

Conditions:
A system iRule is associated with an OAuth server.

Impact:
The configuration is invalid. System iRules are specific iRules created to solve certain use cases, which do not include association with an OAuth server.

Recommended Action:
Do not associate system iRules with an OAuth server.


01071d67 : DNSSEC External Zone (%s:%s) duplicates existing external zone (%s:%s) with the same name (case-insensitive).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone, while an External Zone sharing the same name already exists.

Impact:
Creation of a duplicate External Zone will fail.

Recommended Action:
Modify the existing External Zone under the specified name, otherwise delete it before creating the zone again.


01071d67 : Provider type F5 only supports introspect endpoint.

Location:
/var/log/ltm, GUI, or CL, depending on where the command is for setting introspect-support to false on a provider object of type "F5".

Conditions:
introspect-support is set to "false" on provider object of type "F5".

Impact:
A provider object of type "F5" fails to create/modify when introspect-support is set to "false".

Recommended Action:
For a provider object of "F5", always set introspect-support to "true".


01071d68 : DNSSEC External Zone (%s) references a nonexistent DNSSEC zone (%s)

Location:
/var/log/gtm

Conditions:
This occurs when an External Zone being created references a non-existant parent zone.

Impact:
Creation of External Zone will fail. It must have a valid parent zone to maintain DNSSEC chain
of trust.

Recommended Action:
Verify name of External Zone and make sure it references an existing parent zone.


01071d68 : EntityID attribute of %s (%s) contains a session variable. SAML metadata exported by this object must be edited manually to replace session variables with valid hostnames before metadata is shared with external parties.

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
For an Access Policy Manager (APM) Single Sign-On (SSO) saml object, the BIG-IP system has taken the role of SAML Identity Provider and the "entityID" property contains a session variable instead of a valid host name.

Impact:
SAML metadata cannot be shared with external parties.

Recommended Action:
Do one of the following:
 
- Do not use session variables when configuring the entityID property of an APM SSO saml object, or

- When exporting SAML IdP metadata produced by the configured APM SSO saml object, modify the metadata manually to replace all instances of session variables with the host name of configured IdP.


01071d69 : DNSSEC Zone %s duplicates existing external zone (%s:%s) with the same name (case-insensitive).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create a DNSSEC Zone, while an External Zone sharing the same name already exists.

Impact:
Creation of a duplicate External Zone will fail.

Recommended Action:
Modify the existing External Zone under the specified name, otherwise delete it before creating the DNSSEC zone. Be sure to verify if the zone you want to be created is internal or external.


01071d69 : Frequency for SAML IdP automation (%s) cannot be zero.

Location:
/var/log/ltm, CLI

Conditions:
An attempt was made to save a configuration with SAML IdP automation having a value of zero for the field "Frequency".

Impact:
Saving the configuration fails.

Recommended Action:
Enter a non-zero value in the "Frequency" field.


01071d6a : Unable to parse DNSSEC secure delegation record (%s:%s):%s (%s).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone with an invalid DS Record, leading to parse failures.

Impact:
Creation of a External Zone will fail.

Recommended Action:
Verify the DS Record is has the correct format, it should follow this structure:
"zone_name ttl type class tag alg digest_type digest"
e.g:
"myzone. 86400 IN DS 46851 7 1 4a7d19625ebc07e6aad53aad043e15d578e605e8"


01071d6a : At least one metadata URL must be configured for SAML SP metadata automation (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator attempts to configure SAML SP automation service, but the automation object does not specify any URLs from where SAML metadata is to be fetched.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify at least one URL from where automation service will retrieve SAML metadata.


01071d6a : Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3.

Location:
/var/log/ltm

Conditions:
A Client SSL profile is created that can only negotiate TLS 1.3, even though all of its associated certificates are on a FIPS or NetHSM device.

Impact:
The profile cannot be saved.

Recommended Action:
Configure the profile to negotiate TLS versions other than 1.3 or have at least one certificate that is not on a FIPS or NetHSM device.


01071d6b : DNSSEC secure delegation record (%s:%s) has DS with different owner name: %s.

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone, while the DS record owner does not match the zone name.

Impact:
Creation of a duplicate External Zone will fail.

Recommended Action:
Verify that the DS Record owner matches the zone name.


01071d6b : Frequency for SAML SP metadata automation (%s) cannot be zero.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure SAML SP automation service, but the specified frequency of metadata fetching is invalid ("0").

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a valid frequency in minutes, or keep the default value, 60.


01071d6b : Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3, so TLS 1.3 will not be negotiated.

Location:
/var/log/tmm

Conditions:
A Client SSL profile is created with TLS 1.3 enabled, even though all certificates are stored on a FIPS or NetHSM device that is incompatible with TLS 1.3.

Impact:
TLS 1.3 is not negotiated.

Recommended Action:
Either disable TLS 1.3 on the profile, or include at least one certificate that is not stored on a FIPS or NetHSM device.


01071d6c : SAML SP metadata automation (%s) cannot be associated with sso saml (%s) because sso saml is already associated with SP automation (%s). SAML server can only be associated with one automation.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but the specified SSO SAML object is already used by another SP automation service.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a different SSO SAML object that is not in use by other SP automation services.


01071d6c : Client SSL profile (%s): Some configured certificates are incompatible with TLS 1.3, so will not be used if TLS 1.3 is negotiated.

Location:
/var/log/ltm

Conditions:
A Client SSL profile is configured to enable TLS 1.3, even though some of the certificates are stored on a FIPS or NetHSM device.

Impact:
The certificates stored on the FIPS or NetHSM device are not used if TLS 1.3 negotiation is attempted.

Recommended Action:
Disable TLS 1.3 on the Client SSL profile, or remove the certificates that are stored on a FIPS or NetHSM device.


01071d6d : SAML SP metadata automation (%s) specifies SAML SSO server (%s) that cannot be found on the system.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but the specified SSO SAML object does not exist.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify an existing SSO SAML object on the system.


01071d6d : IPv6 management addresses are unsupported in 1NIC mode.

Location:
/var/log/ltm, CLI

Conditions:
The BIG-IP Virtual Edition (VE) is in 1NIC mode, and an attempt is made to add an IPv6 address as a management IP address.

Impact:
Adding an IPv6 address for a management IP address is disallowed.

Recommended Action:
Do not use IPv6 addresses for the management-ip on a 1NIC VE.


01071d6e : SAML SSO server (%s) associated SAML SP metadata automation (%s) are not in the same partition.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but the specified SSO SAML object is in a different administrative partition than the SAML SP metadata automation service.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Ensure that the specified SSO SAML object is located in the same partition as the SAML SP metadata automation service.


01071d6f : SAML SP metadata automation (%s) contains invalid metadata URL value (%s). Error (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but at least one of specified metadata URLs is not valid.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a valid metadata URL.


01071d6f : The Traffic Acceleration FPGA is not allowed when TAM is not provisioned.

Location:
/var/log/ltm

Conditions:
The Traffic Acceleration FPGA firmware is loaded in the configuration, but Traffic Acceleration Module (TAM) is not provisioned.

Impact:
The configuration is rejected.

Recommended Action:
Provision TAM on the system and the Traffic Acceleration FPGA firmware will automatically be loaded. The FPGA firmware does not need to be manually changed.


01071d70 : SAML SP metadata automation (%s) must have server SSL profile configured.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service. The administrator has specified at least one metadata URL that is protected by SSL, but has not specified a Server SSL profile to be used to connect to the remote server hosting the metadata file.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a Server SSL profile in the SAML SP automation service.


01071d70 : LDAP config (%s) must either have a matching client certificate and client key, or both of these fields must be empty.

Location:
/var/log/ltm, GUI, CLI

Conditions:
LDAP configuration contains either an SSL client certificate without a matching key or an SSL key without a matching certificate.

Impact:
Configuration is not accepted, and LDAP authentication will not work.

Recommended Action:
When configuring LDAP authentication with SSL, configure both an SSL client certificate and an SSL key.


01071d71 : SAML SP metadata automation (%s) must have DNS resolver configured.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but a DNS resolver is not specified.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Configure a DNS resolver on the SAML SP automation service.


01071d71 : Can't create scheduled-report (%s). You currently have %u scheduled-reports set, while this is above the max allowed scheduled-reports (%u).

Location:
/var/log/audit, /var/log/ltm, GUI, CLI

Conditions:
A user has created too many AVR scheduled-reports. The maximum number allowed is 100.

Impact:
No additional scheduled-reports can be created.

Recommended Action:
Delete unused scheduled-reports from the system to allow for new reports to be created.


01071d72 : Metadata URL (%s) value cannot be empty in SAML SP metadata automation (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but at least one of the specified metadata URLs does not contain any value.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a value for the specified metadata URL. All metadata URL objects configured as part of SAML SP automation service require a URL value.


01071d72 : %s.

Location:
/var/log/ltm

Conditions:
The mcpd debug log level is enabled (via tmsh modify sys db log.mcpd.level value debug) and the user modifies sys management-ip.

Impact:
Debug messages start to log.

Recommended Action:
None.


01071d73 : SAML SP metadata automation (%s) must specify value for sso-config-saml object.

Location:
/var/log/apm or GUI

Conditions:
An administrator attempts to configure a SAML SP automation service, but an attribute specifying the SSO SAML object has not been configured.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify the SSO SAML object to be used by the SAML SP automation service.


01071d73 : The Traffic Accelerated virtual(%s) is required to have a destination address set

Location:
/var/log/ltm

Conditions:
The configuration contains a Traffic Acceleration Module (TAM) virtual server with either no destination address or the destination address 0.0.0.0.

Impact:
The configuration is rejected.

Recommended Action:
Add a valid Destination address to the TAM virtual server referenced in the error message.


01071d74 : SAML SP metadata automation (%s) contains duplicated URL value (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure an SAML SP automation service, but the service contains duplicated URLs.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Remove duplicated URLs from the configured AML SP automation service.


01071d74 : Anti-Fraud URL '%s' is invalid. Only SPA URLs and their views can have destination URLs in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, cli

Conditions:
There is an attempt to configure destination URLs for a protected URL that has no views.

Impact:
The configuration fails.

Recommended Action:
Only configure destination URLs either for a protected URL that has at least one view or for protected view.


01071d74 : Opening socket on interface %s failed: %s

Location:
/var/log/ltm, GUI, CLI

Conditions:
DHCP is disabled on a BIG-IP Virtual Edition (VE) that is in 1Nic mode.

Impact:
Validation fails.

Recommended Action:
Enable DHCP.


01071d75 : SAML SP connector (%s) cannot be deleted because it is managed by SP connector automation (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to manually remove the SAML SP connector object that was created by SAML SP automation.

Impact:
The SP Connector object is not removed.

Recommended Action:
There are several ways to remove SP connector objects managed by an SP automation service:

1) Modify the SAML SP automation service to remove the metadata URL that was used to created the SP automation service. Note that when you remove the metadata URL, all SP connectors associated with this URL are deleted.

2) Remove the SP automation service. This action removes all SP connectors created by the service.

3) Not recommended: Use tmsh to change the “automation-object'” property of the SAML SP connector object to “none”, and then delete the SP connector manually. Note this this option is not recommended because the automation service might recreate the SP connector object later (for example. when the service restarts or the content of the remote metadata file changes).


01071d75 : Db variable %s(%u) should be greater than %s(%u).

Location:
/var/log/ltm

Conditions:
The value of the db variable "dos.dnsnxdomain.period" is less than or equal to the value of the variable "dos.dnsnxdomain.learnperiod".

Impact:
none.

Recommended Action:
Change the value of the db variable "dos.dnsnxdomain.period" to be greater than the value of the variable "dos.dnsnxdomain.learnperiod".


01071d75 : %s IP for interface %s failed: %s

Location:
/var/log/ltm, GUI, CLI.

Conditions:
DHCP is disabled on a BIG-IP VE in 1Nic mode.

Impact:
Validation fails.

Recommended Action:
Enable DHCP.


01071d76 : SAML SSO config (%s) is assigned to a SAML resource (%s), and therefore can only have one SP connector object associated with it.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to bind multiple SP connector objects to a SAML SSO object that is assigned to a SAML resource.

Impact:
The modified SAML SSO object configuration is not saved.

Recommended Action:
Specify a single SP connector only for a SAML SSO object that is assigned to a SAML resource. When multiple SP connectors are required, you can replicate the SAML SSO object as needed.


01071d76 : FDB MAC %s cannot be broadcast/multicast

Location:
/var/log/ltm, GUI, CLI

Conditions:
An attempt was made to add a multicast MAC address on a VLAN as a static entry to the FDB.

Impact:
Any attempt for adding a multicast MAC static FDB entry will be reported as a failure and the multicast MAC address will not be added to the FDB. For more information, see bug ID 681673 titled "tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results".

Recommended Action:
Consider adding unicast MAC addresses as static FDB entries instead.


01071d77 : SAML SSO configuration (%s) cannot specify both (%s) and (%s) at the same time.

Location:
/var/log/apm, UI, CLI

Conditions:
An administrator has configured a SAML SSO (IdP) object on the BIG-IP system and the object specifies either of the following:

1) Both the signing certificate and the session variable referring to a signing certificate.

2) Both the signing key and session variable referring to a signing key.

Impact:
The created or modified SSO object is not saved.

Recommended Action:
Specify either the signing certificate or a session variable specifying the signing certificate, but not both. The same applies to a signing key.


01071d78 : Attribute (%s) in %s (%s) must be in session variable format

Location:
/var/log/apm, UI, CLI

Conditions:
The user has changed the BIG-IP configuration, but the provided value for the relevant attribute specified in the error message is not in APM session variable format.

Impact:
The modified configuration object is not saved.

Recommended Action:
Specify the relevant attribute in APM session variable format, for example:

 "%{session.value}"


01071d79 : SAML Artifact Resolution Service (%s) is configured to sign requests. However, the correponding SAML SSO Config (%s) does not have signing %s configured. Please specify an IdP signing %s.

Location:
/var/log/apm, UI, CLI

Conditions:
An administrator has attempted to create or modify a SAML SSO (IdP) object, but either a certificate or a key is not configured on the SAML SSO object.

Impact:
The modified SAML SSO object configuration is not saved.

Recommended Action:
Configure both a signing certificate and a key on the specified SAML SSO object.


01071d79 : Interface %s cannot be used in passive/virtual-wire mode.

Location:
/var/log/ltm

Conditions:
An interface is set to Passive or Virtual Wire mode.

Impact:
The interface cannot be used in Passive or Virtual Wire mode.

Recommended Action:
Try configuring Virtual Wire or Passive mode on another port, one that is either not in use or is operating in Layer 3 (L3) mode. Note that changing the mode of a port currently operating in L3 mode to Virtual Wire mode results in changes to the network.


01071d7a : Master Key not yet ready. Delaying DNSSEC Key Generation Events for %u seconds.

Location:
/var/log/ltm

Conditions:
A DNSSEC key generation event occurs. For example, a key expires or rolls over, either before or during Master Key initialization. Generally, the only time this collision of events can occur is during a reboot or "bigstart restart" operation with a DNSSEC key that is configured to expire or roll over during the window of time that the box is offline or initializing.

Impact:
DNSSEC key generation events are delayed until the Master Key becomes available. This means the configuration will contain stale key generations until they can be successfully regenerated (that is, until the Master Key is initialized and available).

Recommended Action:
None.


01071d7b : Cannot assign access profile and both clientssl and serverssl profiles with ssl proxy enabled to the same virtual server (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The following profiles are attached to the same virtual server:

- clientssl with "proxy ssl" enabled
- serverssl with "proxy ssl" enabled
- access profile

Impact:
The configuration with these conditions is invalid and therefore rejected.

Recommended Action:
Change any of the listed conditions.


01071d83 : Failed to configure iptables rules for config sync CGC routing: %s

Location:
/var/log/ltm

Conditions:
The cgc-setup script indicates an error when mcpd tries to initialize the iptables rules and routing for config-sync.

Impact:
Config-sync might not work. This error message will include the output of the script, which contains additional clues as to why the script failed.

Recommended Action:
Review the specific error messages for details, and engage with F5 Support, if needed.


01071d84 : Configured iptables rules for config sync CGC routing: %s

Location:
/var/log/ltm

Conditions:
This is an informational message indicating the cgc-setup script ran correctly. This message is not reported unless log.mcpd.level is set to info or debug.

Impact:
This is an informational message.

Recommended Action:
None.


01071d85 : Config sync over the management port requires big3d, which is not currently running. Config sync will not work until big3d is running.

Location:
/var/log/ltm

Conditions:
This message is reported if config-sync is configured to use the management port and mcpd fails to detect big3d running at the time mcpd sets up the config sync network sockets.

You might also see this message if big3d is in the middle of restarting when mcpd checks for it, in which case config-sync operation starts as soon as big3d starts. If you see this message for this reason, you can ignore the message, as the situation corrects itself.

Impact:
Config-sync over the management port does not work without big3d.

If you have intentionally disabled big3d, you must re-enable it or reconfigure config sync to not use the management port.

Recommended Action:
Make sure big3d is enabled or do not use the management port for config sync.


01071d93 : Unable to find customization source (%s) for customization group (%s).

Location:
When you have specified a customization source of a customization group that does not exist on the device but customization source name validation passed it.

Error might be noticeable in CLI and logs for MCPD and LTM.

Conditions:
This message appears when a customization group is created or modified, and it has a customization source. The customization source name is validated before mcpd proceeds. If it appears that mcpd passed the customization source name as valid, but it has no corresponding object or files.

Impact:
Setting invalid customization source invalidates customization and it falls back to defaults.

Recommended Action:
No workaround.


01071d93 : Profile %s the set Certificate Chain Traversal Depth (authenticate-depth), %u, is invalid. This must be 0 (infinite) or between 1 and %u inclusive.

Location:
/var/log/ltm

Conditions:
An SSL profile is being created or modified, and the authenticate depth (also known as Certificate Chain Traversal Depth) is greater than 15.

Impact:
The profile is not saved.

Recommended Action:
When creating or modifying an SSL profile, use a value between 0 through 15 inclusive in the Certificate Chain Traversal Depth field.


01071d93 : Single-ip %s - cluster member IP address %s cannot be configured for cluster %s.

Location:
/var/log/ltm

Conditions:
The cluster single management IP feature is enabled, which causes the system to disallow configuration of the cluster member IP addresses.

Impact:
The system informs the user of the reason that the attempt to configure the cluster member IP addresses is denied.

Recommended Action:
Disable the cluster single management IP feature.


01071d94 : Bot Defense Profile (%s) Micro Service (%s): Missing required field (%s).

Location:
/var/log/ltm

Conditions:
ASM is provisioned and one of required fields is missing in the tmsh command.

Impact:
The system will not store the configuration in the mcp database.

Recommended Action:
Supply the required field in the tmsh command.


01071d95 : Per-request access policy (%s) is not referenced by any existing customization group set

Location:
/var/log/ltm, GUI, CLI

Conditions:
The user has not defined a Customization Group Set for a given Per-request Access Policy.

Impact:
The modified configuration cannot be loaded. If this is the initial configuration load, the BIG-IP system is non-operational.

Recommended Action:
Correct BIGIP configuration or changes to it by checking that each explicit definition of a Customization Group Set object refers to an existing Per-Request Access Policy object.
The description of a Customization Group Set object must contain an explicit reference to the name of an existing Per-Request Access Policy object:

apm policy customization-group-set /Common/test_rap_cgs {
    access-policy /Common/test_rap
}


01071d96 : Failed to send DDL to PostgreSQL: %s

Location:
/var/log/ltm

Conditions:
The mcpd daemon is trying to populate the PostgreSQL database's structure.

Impact:
The content of the PostgreSQL database is not consistent.

Recommended Action:
None.


01071d96 : The customization group set (%s) cannot share an access policy (%s) with other customization group set (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The user has attempted to configure two Customization Group Set objects to refer to the same Per-Request Access Policy object. This configuration is not allowed.

Impact:
The modified configuration cannot be loaded. If this is the initial configuration load, the BIG-IP is non-operational.

Recommended Action:
Correct the BIG-IP system configuration or any changes to it by checking that each explicit definition of a Customization Group Set object refers to a unique, existing Per-Request Access Policy object. The description of a Customization Group Set object must contain an explicit reference to the name of an existing Per-Request Access Policy object:

apm policy customization-group-set /Common/test_rap_cgs {
    access-policy /Common/test_rap
}


01071d97 : Anti-Fraud URL '%s' is invalid. URL path cannot have trailing slashes in the Anti-Fraud Profile '%s'.

Location:
var/log/ltm, cli

Conditions:
The name of the URL being created contains trailing slashes (in the path segment, not in query string).

Impact:
URL object creation fails.

Recommended Action:
Remove all trailing slashes from the URL's name (within the path segment only).


01071d97 : Access policy name cannot be changed in customization group set (%s)

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to change the name of the Per-Request Access Policy in an existing Customization Group Set object.

Impact:
The modified configuration cannot be loaded.

Recommended Action:
Check the name of the Per-Request Access Policy in modification commands for the named Customization Group Set object, or exclude the Access Policy name from these commands. Then repeat the modifications to the BIG-IP system configuration.


01071d98 : Customization group set (%s) does not refer to access policy

Location:
/var/log/ltm file, CLI, GUI

Conditions:
The named Customization Group Set object does not contain a Per-Request Access Policy object name. This is a mandatory attribute and must be included in any Customization Group Set object definition.
.

Impact:
The modified configuration cannot be loaded. If this is the initial configuration load, the BIG-IP system is non-operational.

Recommended Action:
Check all explicit Customization Group Set object definitions and add 'access-policy' attribute where necessary, for example:

apm policy customization-group-set /Common/test_rap_cgs {
    access-policy /Common/test_rap
}

Any Per-Request Access Policy object name can be used only once in Customization Group Set object definitions.


01071d98 : Empty IP protocol name specified for rule (%s). Please specify a valid string corresponding to the IP protocol number.

Location:
/var/log/ltm

Conditions:
A custom script or other application has passed an empty/null string for "ip_protocol_name" when configuring firewall rule. Both GUI and tmsh specify "ip_protocol_name" string along with "ip_protocol" number when configuring firewall rule.

Impact:
Firewall rule configuration fails. If this is a "create" operation, the rule is not added into the configuration. If this is a "modify" operation, the rule is not modified.

Recommended Action:
When configuring a firewall rule, modify your client script/application to always specify the "ip_protocol_name" string along with the "ip_protocol" number.


01071d9b : PEM Gx/Sd reporting volume threshold cannot be smaller than 8K bytes.

Location:
CLI

Conditions:
A user has attempted to set the reporting volume threshold to a value smaller than 8KB.

Impact:
The configuration change request is denied.

Recommended Action:
None.


01071d9c : PEM Mandatory-Action-List cannot be set when Single-Rule-Match-Mode is disabled.

Location:
GUI, CLI

Conditions:
A user has tried to modify the PEM mandatory-action-list when single-rule-match-mode is disabled.

Impact:
The configuration change request is denied and an error message is displayed.

Recommended Action:
None.


01071d9d : Address Exclusion is not supported for Security NAT translation object (%s) of type %s.

Location:
GUI, CLI

Conditions:
An attempt is made to add an exclusion to the static NAT/static PAT object. Address exclusion is supported only on a dynamic PAT translation object.

Impact:
The configuration fails.

Recommended Action:
Remove the exclusion object from the static NAT/static PAT translation object.


01071d9d : Neighbor entry (%s) can not be resolved%s.

Location:
/var/log/ltm

Conditions:
There is no directly-connected network for the address.

Impact:
The static arp/ndp entry cannot be resolved. The condition prevents either:

1) The deletion of the self IP address or static route that could strand the static ARP entry, or

2) The creation of the static ARP entry.

Recommended Action:
If you are in the process of deleting a self IP address or static route entry, delete the static arp entry first. If you are in the process of creating a static ARP entry, create the network object that would make the IP address of the static arp entry reachable.


01071d9e : Bot defense anomaly %s not found.

Location:
/var/log/ltm

Conditions:
The ASM module is provisioned, a user has used an illegal tmsh/REST command, and within the tmsh/REST command, the mentioned anomaly name does not exist in the MCP database.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.


01071d9f : Bot defense anomaly category %s not found.

Location:
/var/log/ltm

Conditions:
The ASM module is provisioned, a user is using illegal tmsh/REST commands, and within the tmsh/REST command, the mentioned category name does not exist in the MCP database.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.


01071d9f : %s.

Location:
/var/log/ltm

Conditions:
MCPd has encountered an exception condition related to sending data to one or more processes. If this happens, the connection to that process will be shut down and an error message logged.

Impact:
The process that was communicating with MCPd will have it's connection severed, and it's expected that the process will automatically reconnect or restart.

n the event that the error message is logged *because* the process disconnected as part part of normal operations, there is no impact beyond useful diagnostic information.

If this message occurs frequently, it may indicate there is a problem. This can result in interruption of traffic processing and problems managing the system.

Recommended Action:
No action needed if the system is functioning normally.

Please contact F5 support if this message is occurring frequently and system is not functioning correctly.


01071da0 : Bot defense class %s not found.

Location:
/var/log/ltm

Conditions:
The ASM module is provisioned, a user is using illegal tmsh/REST commands, and within the tmsh/REST command, the mentioned class name does not exist in the MCP database.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.


01071da0 : %s.

Location:
/var/log/ltm

Conditions:
The mcpd daemon has encountered an exception condition related to sending data to one or more processes.

The associated process might have shut down or restarted as part of normal operations. The exception can also occur when the connection between mcpd and the associated process fails for an unknown reason.

Impact:
The connection for the process that was communicating with mcpd is severed, and it's expected that the process will either reconnect or restart.

In the event that the error message is logged because the process disconnected as part part of normal operations, there is no impact beyond useful diagnostic information.

If this message occurs frequently, it might indicate there is a problem. This can result in interruption of traffic processing and problems managing the system.

Recommended Action:
No action is needed if the system is functioning normally.

Please contact F5 support if this message is occurring frequently and the system is not functioning correctly.


01071da1 : %s: When %s is (%s) and %s (%s) is %s address, %s (%s) represents '%s %s addresses'.

Location:
/var/log/ltm

Conditions:
A user has added or modified the source/destination of dos.network-whitelist entries or extended-entries.

Impact:
This message provides detailed information about the semantic meanings of ip-address 'any' and 'any6'. The meanings of 'any' and 'any6' vary depending on the value of match-ip-version.

Recommended Action:
Inspect the relevant object configuration and make sure that the semantics of 'any' and 'any6' with match-ip-version are correctly configured. To see the log, the user must set the "sys db log.mcpd.level" value to "info".


01071da2 : Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s's Traffic Matching Criteria %s.

Location:
/var/log/ltm, TMSH, iControl REST, GUI

Conditions:
A new virtual server has been created with traffic-matching criteria that has an IP protocol, IP address, and destination port combination that overlaps with the traffic-matching criteria of an existing virtual server.

Impact:
The system rejects the creation of the new virtual server.

Recommended Action:
Modify the traffic-matching criteria of the new virtual server to avoid overlaps.


01071da2 : Blacklist-category %s must have match type destination to enable scrubbing.

Location:
GUI, CLI

Conditions:
A user has attempted to enable scrubbing on a blacklist category using the command "modify security scrubber profile scrubber-profile-default scrubber-categories add ...", and the match type for the blacklist category is not set to the match type "Destination".

Impact:
Enabling the scrubbing on the blacklist category fails.

Recommended Action:
Modify the match type to "Destination" before enabling the scrubbing on the blacklist category.


01071da3 : Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s destination address, source address, service port.

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
A virtual server has been created with traffic-matching criteria that has an IP protocol, IP address, and destination port combination that overlaps with an existing virtual server.

Impact:
The system rejects the creation of the new virtual server.

Recommended Action:
Modify the traffic-matching criteria of the new virtual server to avoid overlaps.


01071da3 : Cannot change match type to source or source-and-destination if scrubbing is enabled on the blacklist category. Disable scrubbing before changing the match type.

Location:
GUI, CLI

Conditions:
A user has attempted to change the match type of the blacklist category to a value other than "Destination", and the user has already enabled the scrubbing on this category.

Impact:
The modification of the match type to a value other than "Destination" fails.

Recommended Action:
Disable the scrubbing on the blacklist category before attempting to modify the match type to a value other than "Destination".


01071da4 : Uri Type %s out of its minimum %d or maximum %d characters range.

Location:
CLI

Conditions:
A user has specified a Uri Type name value and file-extensions values that are outside of the allowed range in character length. The values must fit conditions in the error message.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Ensure that the values fit the conditions specified in the error message. See the command 'tmsh help analytics uri-type" for more information.


01071da5 : Uri Type must have at least %d %s associated with it.

Location:
CLI

Conditions:
A user has attempted to create a Uri Type without any file extensions, or has attempted to delete all values from the file-extensions list. The file-extensions list must contain at least one value.

Impact:
The TMSH command fails, and the configuration is not changed.

Recommended Action:
Ensure that the file-extensions list contains at least one value. For more information, see the command "tmsh help analytics uri-type".


01071da6 : No more than %d total file extensions can be defined (across all Uri Types).

Location:
CLI

Conditions:
A user has attempted to specify a value that exceeds the maximum number of Uri Type file-extensions allowed.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Try to delete unused file-extensions and replace them with new ones. For more information, see the command "tmsh help analytics uri-type".


01071da7 : No more than %d total Uri Types can be defined.

Location:
CLI

Conditions:
A user has attempted to define more than the maximum number of Uri types allowed.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Try to delete unused Uri types and replace them with new ones. For more information, see the command "tmsh help analytics uri-type".


01071da8 : File extension '%s' already exists in '%s' Uri Type.

Location:
CLI

Conditions:
A user has attempted to define file extensions that already exist on the system, thereby attempting to share the same file extensions across multiple Uri Type configuration objects.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Ensure that you create unique file extensions across all Uri Types, rather than creating duplicates file extensions. For more information, see the command "tmsh help analytics uri-type".


01071da9 : Uri Type objects must be in the '%s' folder only.

Location:
CLI

Conditions:
A user has attempted to create a Uri Type object in a folder (administrative partition) that is not "/Common".

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Do not prefix the Uri Type name with any folder name other than "/Common/". For more information, see the command "tmsh help analytics uri-type".


01071daa : %s

Location:
CLI

Conditions:
One of the characters in the Uri Type name or file-extensions values is invalid.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Use only allowed characters in names. For more information, see the error output. Usually these properties only support alphanumeric characters, digits, and "-" or "_", as in "[a-zA-Z0-9_-]". The Uri Type name must start with an alphanumeric character.
The file-extensions values must use lower-case characters only. For more information, see "tmsh help analytics uri-type".


01071dac : Bot signature category %s not found.

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, and within the TMSH/REST command used, the mentioned category name does not exist in the MCP database.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.


01071dac : Cannot change match type to destination or source-and-destination if blacklist publisher profile is attached to the category.

Location:
GUI, CLI

Conditions:
A user has tried to change the match type of the IP intelligence blacklist category, if the category has blacklist publisher configuration enabled.

Impact:
The match type is not allowed to change to destination or source-and-destination without first removing the category from the blacklist publisher.

Recommended Action:
None.


01071dad : Bot defense profile (%s) class override (%s) error: %s.

Location:
GUI, CLI, API

Conditions:
The ASM module is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.


01071dad : Policy '%s', rule '%s'; target '%s' action '%s' cannot have same fallback pool (%s) and default pool (%s).

Location:
/var/log/ltm

Conditions:
A fallback pool and the default (primary) pool in an LTM policy action have the same value.

rules {
    1 {
        actions {
              1 {
                forward
                select
                fallback-pool http_pool <------ The pool and fallback pool can't be same.
                pool http_pool
            }
        }
    }
}

Impact:
The LTM policy won't compile.

Recommended Action:
None.


01071dae : Bot Defense Profile (%s) Micro Service (%s): %s.

Location:
GUI, CLI, API

Conditions:
The ASM module is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.


01071dae : Policy '%s', rule '%s'; target '%s' action '%s' requires default pool. Please specify default pool along with fallback pool (%s).

Location:
/var/log/ltm

Conditions:
When "fallback-pool" parameter is specified without the "pool" parameter in LTM policy action.
rules {
    1 {
        actions {
              1 {
                forward
                select
                fallback-pool http_pool <---- The default pool is missing.
            }
        }
    }
}

Impact:
The LTM policy won't compile.

Recommended Action:
None.


01071daf : Bot Defense Profile (%s) Micro Service (%s) Url (%s): %s.

Location:
GUI, CLI, API

Conditions:
The ASM module is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.


01071daf : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071db0 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071db0 : %s %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
Product management has configured flexible notifications in the license file. , .

Impact:
No functional impact. The BIG-IP system generates the notifications with the given string in the license file. This is a notification to customers to remind them about license renewal.

Recommended Action:
None.


01071db1 : Bot defense profile (%s) Signature (%s) should be Mobile Application Class signature.

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
When you are defining a mobile signature on a bot defense profile, ensure that the signature is of a category that belongs to a class named "Mobile Application".


01071db1 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071db2 : Bot defense signature category illegal class (%s).

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, and the values within the TMSH command are incorrect. It is illegal to set a Browser or Unknown bot defense class for a signature category.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.


01071db2 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071db3 : Bot defense profile (%s) signature category override not supported for (%s) which belongs to (%s) class.

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, the TMSH command contains incorrect values It is illegal to define override settings for several signature categories, for example, categories of mobile signatures.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.


01071db3 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071db4 : Bot defense profile (%s) signature override not supported for (%s) which belongs to (%s) class.

Location:
GUI, CLI, API

Conditions:
ASM provisioned, and the TMSH command contains incorrect values. It is illegal to define override settings for a signature that belongs to a category that cannot be overidden, such as mobile signatures.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.


01071db4 : Removing monitor rule instance: %s

Location:
/var/log/ltm

Conditions:
This message occurs under either of these conditions:

1. A monitor has been removed from a node, pool member, or a pool with one or more pool members.

2. A node, pool member, or a pool with one or more pool members that has a monitor attached is deleted.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071db5 : Bot defense profile (%s) Micro Service (%s) class override (%s) error: %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the TMSH command contains incorrect values. It is illegal to define override settings for a class on a micro service level; the exception is the "Trusted Bot" class.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.


01071db5 : Saving monitor rule instance: %s

Location:
/var/log/ltm

Conditions:
A monitor is attached to a node, pool member, or a pool that contains one or more pool members.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071db6 : Bot defense profile (%s) error: %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration will not be stored in the MCP database. The error is a generic template for arbitrary error messages resulting from MCP validation code; the specific error description is appended to the end of the error message after "error:".

Recommended Action:
None.


01071db6 : Creating a new monitor rule instance: %s

Location:
/var/log/ltm

Conditions:
A monitor is attached to a node, pool member, or a pool that contains one or more pool members.

Impact:
No impact. This is information only.

Recommended Action:
None.


01071dba : Warning (%s): %u bit keysize is insecure, it will be disabled in the future.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has created 512-bit RSA/DSA keys, which are insecure.

Impact:
The system displays a warning message that it might not support the creation of 512-bit RSA/SDA keys in the future.

Recommended Action:
None.


01071dba : Cannot delete SSO configuration (%s) because it is referenced by a SSO configuration select agent (%s)

Location:
/var/log/ltm, GUI

Conditions:
A user has attempted to remove an SSO configuration that is referenced by an SSO configuration select agent.

Impact:
The SSO configuration will not be deleted.

Recommended Action:
Remove all references from SSO configuration select agents to a given SSO configuration before the SSO configuration is removed. Once the references are removed, attempts to delete the SSO configuration should succeed.


01071dbc : Fail to commit due to the preset autodiscovery-enable VS number limit is %d.

Location:
CLI

Conditions:
A user has attempted to enable auto-discovery on a virtual server, which causes the number of auto-discovery-enabled virtual servers to exceed the value in the database.

Impact:
Minimal. This message is for a specific case only.

Recommended Action:
Consider modifying the BigDB variable "auto.discover.mvs.count" to the desired value.


01071dbd : Fail to change the value to be less than the current number (%d) of VS that enables auto_discovery.

Location:
CLI

Conditions:
The existing number of virtual servers that enable auto-discovery is larger than the desired value.

Impact:
Minimal.

Recommended Action:
Consider changing the desired value to be not less than the existing number, or disabling the auto-discovery service on some of the virtual servers first.


01071dbf : Setting DB variable %s to %s. Restarting services.

Location:
/var/log/ltm

Conditions:
The BIG-IP VE device (non-cloud and cloud editions) did not have a FIPS 140-2 Level 1 license, and a FIPS 140-2 Level 1 license has been procured and installed.

Impact:
Processes are restarted, and the prompt changes back to the normal prompt. No reboot is required. A new log message indicating that processes are restarting is now present.

Recommended Action:
None.


01071dbf : The requested otp source (%s) is invalid: %s

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
An administrator has attempted to define a custom session variable for an invalid OTP source in an access per-session OTP verify agent.

Impact:
An OTP source field cannot be configured in a per-session OTP Verify agent. Such an attempt might lead to authentication failures for APM end users.

Recommended Action:
None.


01071dc0 : %s changing OpenSSL FIPS flag from (%d) to (%d). Restarting services.

Location:
/var/log/ltm

Conditions:
The BIG-IP VE device (non-cloud and cloud editions) did not have a FIPS 140-2 Level 1 license, and a FIPS 140-2 Level 1 license has been procured and installed.

Impact:
Processes are restarted, and the prompt changes back to the normal prompt. In particular, processes linking with the system OpenSSL's libcrypto* restart and execute FIPS 140-2-specific code paths present in libcrypto*. A new log message indicating that system OpenSSL is switching to FIPS mode and that associated processes are restarting is now present.

Recommended Action:
None.


01071dc1 : Setting DB variable %s to %s. No rebooting needed.

Location:
/var/log/tmm

Conditions:
-- A Pay-As-You-Go (PAYG) BIG-IP Virtual Edition (VE) device is being deployed.
-- A FIPS 140-2 Level 1 license is being selected in the GUI as part of the deployment process.

Impact:
The device never reboots, and the message appears as part of the boot process.

Recommended Action:
This is the correct, expected behavior for PAYG licenses only. Earlier, processes used to restart but the design has changed, and restarting no longer happens.


01071dc2 : %s changing OpenSSL FIPS flag from (%d) to (%d). No rebooting needed.

Location:
/var/log/tmm

Conditions:
-- A Pay-As-You-Go (PAYG) BIG-IP Virtual Edition (VE) device is being deployed.
-- A FIPS 140-2 Level 1 license is being selected in the GUI as part of the deployment process.

Impact:
The device never reboots, and the message appears as part of the boot process.

Recommended Action:
This is the correct, expected behavior for PAYG licenses only. Earlier, processes used to restart but the design has changed, and restarting no longer happens.


01073035 : The encryption key for OAuth profile (%s) cannot be modified directly. Use encryption secret to generate a new encryption key.

Location:
/var/log/apm, TMSH

Conditions:
If jwt-refresh-token-enc-key is specified directly.

Impact:
Object won't be saved.

Recommended Action:
Do not specify key. Instead use jwt-refresh-token-enc-secret to generate key.


01073039 : All the JWK configs in a JWT config must have unique cert-thumbprint-sha1. The cert-thumbprint-sha1 '%s' is already present in JWT config '%s'.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a JWK config to a JWT config, and the JWK config has cert-thumbprint-sha1 that is already present in the JWT config through some other JWK config. The cert-thumbprint-sha1 must be unique within a JWT config.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a JWK config to a JWT config, check that the operation will not result in a JWT config with more than one instance of the same cert-thumbprint-sha1.


01073040 : All the JWK configs in a JWT config must have unique cert-thumbprint-sha256. The cert-thumbprint-sha256 '%s' is already present in JWT config '%s'.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a JWK config to a JWT config, and the JWK config has cert-thumbprint-sha256 that is already present in the JWT config through some other JWK config. The cert-thumbprint-sha256 must be unique within a JWT config.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a JWK config to a JWT config, check that the operation will not result in a JWT config with more than one instance of the same cert-thumbprint-sha256.


010c0009 : Lost connection to mcpd - reestablishing

Location:
/var/log/ltm. Neither the Console nor the GUI provides it.

Conditions:
When SOD loses its connection to MCPD for whatever reason, this message is logged.

Impact:
SOD won't have communication with MCPD. Any device status/configuration updates wouldn't be possible until the communication is re-established.

Recommended Action:
If the connection is not re-established automatically, try restarting all services with bigstart restart.


010c0018 : Standby

Location:
/var/log/ltm. The GUI provides other prompts that indicate a device is in Standby mode; and the Console provides a prompt with Standby State in it.

Conditions:
A device goes to standby by user manual intervention, or when some other device is the active one in the failover group.

Impact:
If it is due to a user intervention, all failover objects in the device will be serviced by the next active device in the failover group, for example, traffic groups.

Recommended Action:
None.


010c0022 : Opening %s for failover monitoring

Location:
/var/log/ltm.

Conditions:
This log is informational and indicates that SOD has opened the failover serial port. This occurs on the startup of SOD. The use of the serial port for failover status is determined by the configuration of the BIG-IP.

Example:
Nov 11 07:35:13 lead info sod[6502]: 010c0022:6: Opening /dev/tty01 for failover monitoring.

Impact:
None.

Recommended Action:
None.


010c002a : Requesting tmm to resend gratuitous arps for traffic group %s.

Location:
/var/log/ltm

Conditions:
In an Active-Active scenario, once it is decided which device will become standby and which will remain active (internal logic), the active device will request tmm to resend gratuitous arp messages. When this occurs, this log message appears in the device that remained active.

Impact:
None.

Recommended Action:
None.


010c002b : Traffic group %s received a targeted failover command for %s.

Location:
/var/log/ltm

Conditions:
This log entry appears when the active device has received and is processing a targeted-failover command that is issued by an administrator for a specified traffic group.

Impact:
This is an informational log entry that indicates that the administrator has issued a failover for a specific traffic group on the active device.

Recommended Action:
None.


010c002c : Traffic group %s received a targeted failover command from cluster mate for %s.

Location:
/var/log/ltm

Conditions:
This log message appears when a blade in a cluster has received and is processing a targeted-failover command from one of the other blades in the cluster for a specified traffic group.

Impact:
This is an informational log message that indicates that the administrator has issued a failover for a specific traffic group in a cluster and this blade is processing that command.

Recommended Action:
None.


010c002d : Traffic group %s going standby via targeted failover command.

Location:
/var/log/ltm

Conditions:
This log message appears when a specified traffic group is going from active to standby, caused by a targeted-failover command that is issued by an administrator for a specified traffic group.

Impact:
This is an informational log message that indicates that the administrator has issued a targeted failover command to change a specific traffic group from an active to standby. device.

Recommended Action:
None.


010c0037 : Up service module error %s.

Location:
/var/log/ltm

Conditions:
These messages indicate that the failover daemon encountered an unexpected system call failure, and is not functioning correctly.

If the specific message is "Up service module error: .... Too many open files", then the system is probably running a version of software that contains defect Bug ID 451917 or Bug 516669.

Any other runtime errors require diagnosis.

Impact:
If this condition occurs, HA failover might not work correctly.

Recommended Action:
Depending on the root cause of the runtime error, restarting the BIG-IP device might clear the condition.

Upgrade to a BIG-IP software release that contains the fixes for Bug 451917 and Bug 516669.


010c003b : Bind fails on %s addr %s port %d error %s

Location:
/var/log/ltm

Conditions:
An invalid address has been configured as a unicast address on the device.

Impact:
The invalid unicast address cannot be used to send or receive network failover data.

Recommended Action:
Change the unicast address to be a valid management IP or self-IP.


010c003c : Connect fails on %s addr %s port %d error %s

Location:
/var/log/ltm

Conditions:
The code paths in question can only be executed if secure network failover is enabled. This error can occur if no route exists to the remote unicast address ("Network is Unreachable").

Impact:
Network failover communication to the remote unicast address does not work.

Recommended Action:
Repair the network partition.


010c003e : Offline

Location:
/var/log/ltm

If this offline state was requested by the user, the GUI provides other status fields that indicate a device is in Forced Offline mode, and the Console provides a prompt with ForcedOffline State in it.

Conditions:
It is a transitional state that is logged when the device comes up or when SOD restarts.
It will also occur when the user forces a device to stay offline.
The device encounters networking problems.

Impact:
Device won't be online. Network connectivity for services won't be available.

Recommended Action:
Bring the device back online if the offline state was a consequence of a user action.
Restart sod daemon. If that doesn't work, restart all services.


010c003f : Forced offline

Location:
/var/log/ltm

Conditions:
This log message occurs when the SOD updates an internal state to offline as a result of detecting that a traffic group has been forced offline by the admin.

Impact:
The log (level Notice) is generated by SOD after it changes an internal state for a traffic group has been forced offline and is no longer accessible to the user. This log is an informational/debug log of a SOD internal state change to forced offline and not that useful to the user.

Recommended Action:
None.


010c0044 : Command: %s

Location:
The message appears only in /var/log/ltm. It does not appear on the console or on the GUI screen.

Conditions:
This is a log entry that displays a failover command, executed by means of the GUI, tmsh, or iControl. The following examples show some of the possible logs, but not all.

The following log corresponds to making a traffic group go to standby from the GUI.
010c0044:5: Command: go standby /Common/TG2 /Common/BIGIP-2.localdomain GUI.

The following log corresponds to making a traffic group go to standby from tmsh.
010c0044:5: Command: go standby /Common/TG2 /Common/BIGIP-1.localdomain tmsh.

The following when making the BIGIP go ForcedOffline mode via tmsh
010c0044:5: Command: go offline all tmsh.

The following when making the BIGIP come back online from ForcedOffline mode via GUI
010c0044:5: Command: release offline all GUI.

The following log comes when making the BIGIP go offline from iControl
010c0044:5: Command: go offline all iControl.

Impact:
None. This is a notification that a system failover command was executed.

Recommended Action:
None.


010c0048 : Bcm56xxd and lacpd connected - links up

Location:
/var/log/ltm

Conditions:
This message is information, and is logged by SOD when the links to Bcm56xxd and lacpd are up. This is part of the normal startup process for SOD.

Example:
Nov 11 07:36:15 lead notice sod[6502]: 010c0048:5: Bcm56xxd and lacpd connected - links up.

Impact:
None

Recommended Action:
None.


010c0049 : Tmm ready - links up.

Location:
/var/log/ltm

Conditions:
This is a message from SOD to indicate that the TMM has reached the running state, and can handle passing and receiving traffic on the self-IPs often used for failover addresses.

This message is seen on initial startup, as well as if SOD or the TMM is restarted.

Impact:
None.

Recommended Action:
None.


010c0050 : Sod requests links down

Location:
/var/log/ltm

Conditions:
This is an information message that is logged during the shutdown of the SOD daemon. It indicates that the links to Bcm56xxd and lacpd have been marked down.

Example:
Nov 11 07:29:03 lead notice sod[6214]: 010c0050:5: Sod requests links down.

Impact:
None.

Recommended Action:
None.


010c0052 : Standby for traffic group %s

Location:
This log only appears in /var/log/ltm. It does not appear on the Console or the GUI.

Conditions:
When a traffic group transitions to the standby state, this log message is logged by the system.

For example when a device is released from the forced offline state; the sequence of logs includes the following:

Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0044:5: Command: release offline all GUI.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c003e:5: Offline
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c006d:5: Leaving Offline for Standby for dbvar is redundant.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0018:5: Standby
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group TG2.

Impact:
None. This is a notification of what is happening with the traffic-group in the device.

Recommended Action:
None.


010c0054 : Offline for traffic group %s.

Location:
/var/log/ltm. Neither the Console nor the GUI show it.

Conditions:
When a traffic-group is about to become active or standby, it starts with the transitional state of offline, which 0is when the log appears. For example the following sequence of logs appear when the device is booting up:

Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0057:5: Activating traffic group TG2.
Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0054:5: Offline for traffic group TG2.
Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0057:5: Activating traffic group traffic-group-1.
Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0054:5: Offline for traffic group traffic-group-1.

This could also be a result of initial configuration or releasing a device from a forced offline state. A common log sequence will look like this:

Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0044:5: Command: release offline all GUI.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c003e:5: Offline
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c006d:5: Leaving Offline for Standby for dbvar is redundant.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0018:5: Standby
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group TG2.

Impact:
None. This is a notification of what is happening with the traffic-group in the device.

Recommended Action:
None.


010c0055 : Forced offline for traffic group %s.

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD detects that a traffic group has been forced offline by the admin.

Impact:
The log (level Notice) is generated by SOD after a traffic group has been forced offline and is no longer accessible to the user.

Recommended Action:
The admin has forced the specified traffic group offline and the user must use other traffic groups.


010c0056 : Deactivating traffic group %s

Location:
/var/log/ltm. Neither the Console nor the GUI provide it.

Conditions:
SOD has to reactivate the traffic groups in the device when certain configuration changes occur on the box, specially at boot time. This requires a deactivate/activate sequence, and, when the deactivate occurs, this log appears.

Impact:
None. This is a notification of what is happening with the traffic group on the device.

Recommended Action:
None.


010c0057 : Activating traffic group %s

Location:
/var/log/ltm. Neither the Console nor the GUI provide it.

Conditions:
SOD has to activate the traffic groups in the device when certain configuration changes occur on the box, specially at boot time. This requires a deactivate/activate sequence, and, when the activate occurs, this log appears.

Impact:
None. This is a notification of what is happening with the traffic group on the device.

Recommended Action:
None.


010c005a : Dropping a failover packet that is too small (%u)

Location:
/var/log/ltm

Conditions:
This message indicates that a message was received by SOD on one of its failover listening addresses, but the message was not big enough to be a valid failover packet.

Impact:
Messages that arrive at the failover listening addresses that are too small to be valid are dropped. There is no other effect on system behavior beyond this.

Recommended Action:
If failover messages are not being received from another device in the failover-sync group, and these messages are present in the log, it may indicate an issue with the SOD daemon on the other device. Restarting SOD on the other device may clear the issue. If not, then support will need to be contacted.

Spurious occurrences of this log without other system issue, are not a cause for concern.


010c005b : Dropping a packet that is not a failover packet.

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD process receives a packet that is not a failover packet.

Impact:
The log (level Notice) is generated when an unknown packet is received by the SOD process and the packet is dropped.

Recommended Action:
None.


010c005e : Waiting for mcpd to reach phase base, current phase is %s

Location:
/var/log/ltm

Neither the GUI nor the console should display it.

Conditions:
This log appears when the switch over (failover) daemon is trying to establish a connection with MCP (configuration daemon). It reports the current MCPD phase in its boot-up sequence.

Impact:
None. This log is informing that MCPD is not ready yet to take any connection.

Recommended Action:
None.


010c005f : Mcpd has reached phase base, current phase is %s

Location:
/var/log/ltm

Conditions:
This is an informational message that SOD has connected to MCPD, and MCPD has reached a state where SOD can continue starting up. This is logged whenever SOD starts up and connected to MCPD and MCPD reaches at least the base phase.

Example:
Nov 11 07:35:24 lead notice sod[6502]: 010c005f:5: Mcpd has reached phase base, current phase is running.

If the following message is seen, and the "MCPD has reached phase base" is not seen afterwards, it may indicate an issue with MCPD.

Nov 11 07:35:00 localhost notice sod[6502]: 010c005e:5: Waiting for mcpd to reach phase base, current phase is platform.

Impact:
None.

Recommended Action:
None.


010c0063 : Waiting for Mcpd without a response. Try again...

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD process has not established a connection with the MCPD process.

Impact:
The log (level Notice) is generated once during every connection attempt to the MCPD process until a successful connection is established. The SOD process will not operate until this connection is established.

Recommended Action:
Investigate the state of the MCPD process and possibly try a process restart.


010c006a : Configuration CRC values disagree amongst peers. Suggest configsync peers.

Location:
/var/log/ltm
Observed in the UI Device Management "Details" status display.
In the "show cm traffic-group" command.

Conditions:
Configuration relevant to network failover is not in-sync between devices in a failover device group. This message can appear briefly when traffic-group configuration has changed but configsync has not yet completed to the other devices.

Impact:
Network failover calculations might not be correct, resulting in inconsistent (or no) selection of a next-active device, and failover to an unintended location.

Recommended Action:
Enable automatic sync for the failover device group (preferred).
Manually sync the new configuration to the device group.


010c006b : Configuration CRC values agree amongst peers

Location:
/var/log/ltm

There are other indications of configuration being out of sync between devices in the GUI and command line, but the setting and clearing of these indications are unrelated to this log message.

Conditions:
When traffic-group state from other devices is processed, this log appears if the devices in the failover-group did not previously have their configurations in sync.

Oct 13 06:59:37 BIGIP-1 notice sod[6779]: 010c006b:5: Configuration CRC values agree amongst peers.

Impact:
None: Indicates that configurations are now in-sync between devices in the failover-group.

Recommended Action:
None.


010c006c : proc stat: [0] %s

Location:
/var/log/ltm. Neither the console nor the GUI provide it.

Conditions:
SOD has a list of processes it monitors. When any of the processes goes away, this log message appears.

An example of relevant logs when tmm is restarted with bigstart restart follows:

Oct 12 10:23:14 BIGIP-2 warning sod[28395]: 01140029:4: HA proc_running tmm fails action is go offline and down links.
Oct 12 10:23:14 BIGIP-2 notice sod[28395]: 010c0050:5: Sod requests links down.
...
Oct 12 10:23:21 BIGIP-2 notice sod[28395]: 01140045:5: HA reports tmm NOT ready.
Oct 12 10:23:22 BIGIP-2 notice sod[28395]: 010c006c:5: proc stat: [0] pid:28459 comm:(tmm.0) state:S utime:93 stime:103 cutime:1 cstime:10 starttime:7709594 vsize:6928031744 rss:18225 wchan:18446744073709551615 blkio_ticks:9 [-1] pid:1887 comm:(tmm.0) state:S utime:158666 stime:34358 cutime:0 cstime:13 starttime:85235 vsize:6932230144 rss:19317 wchan:18446744073709551615 blkio_ticks:7 [-2] pid:1887 comm:(tmm.0) state:S utime:158655 stime:34355 cutime:0 cstime:13 starttime:85235 vsize:6932230144 rss:19317 wchan:18446744073709551615 blkio_ticks:7 .
Oct 12 10:23:24 BIGIP-2 notice sod[28395]: 01140030:5: HA proc_running tmm is now responding.
...
Oct 12 10:23:31 BIGIP-2 notice sod[28395]: 01140044:5: HA reports tmm ready.
Oct 12 10:23:31 BIGIP-2 notice sod[28395]: 010c0049:5: Tmm ready - links up.
Oct 12 10:23:34 BIGIP-2 notice sod[28395]: 010c006c:5: proc stat: [0] pid:27987 comm:(bigd) state:S utime:6 stime:2 cutime:13 cstime:5 starttime:7709247 vsize:47583232 rss:6415 wchan:18446744071579502277 blkio_ticks:1 [-1] pid:3648 comm:(bigd) state:S utime:1920 stime:604 cutime:12 cstime:10 starttime:176428 vsize:50548736 rss:6472 wchan:18446744071581059260 blkio_ticks:15 [-2] pid:3648 comm:(bigd) state:S utime:1920 stime:604 cutime:12 cstime:10 starttime:176428 vsize:50548736 rss:6472 wchan:18446744071581059260 blkio_ticks:15 .

The log will appear when the process goes away, and when it comes back.

Impact:
None. This log on itself only provides a notification that SOD detected a process going away. The rest of the logs relevant to the process that went away should give more information of what went wrong.

Recommended Action:
None.


010c006d : %s.

Location:
/var/log/ltm

Conditions:
Reports information about the system. It can change from release to release because it is a complete free-form log, and has no rules of what information it can convey.

Some examples are:
"Leaving Offline for Active for dbvar not redundant (tmm ready)"
"Leaving Offline for Standby for dbvar not redundant (tmm not ready)"
"Leaving Offline for Active for mate is active"
"Leaving Offline for Standby for dbvar is redundant"
"Leaving Standby for Offline for ha table offline_cond"
"Leaving Standby for Active for dbvar not redundant (tmm ready)"
"No peer active but stay put for longer."
"Leaving Standby for Active (best ha score)"
"Leaving Standby for Active (mate ha score)"

Impact:
None.

Recommended Action:
None.


010c006e : All devices in traffic group %s %s have a HA group.

Location:
/var/log/ltm

Conditions:
Two different cases for this log message.
Case 1: 'All devices in traffic group %s now have a HA group'
This case indicates that HA group is configured correctly on all devices for a traffic group.

Case 2: 'All devices in traffic group %s should have a HA group'
This case indicates that HA group is not configured correctly on all devices for a traffic group.

Impact:
Case 1 is informational, indicating that HA group is configured correctly.

Case 2 is an error condition, indicating that the configuration of HA group is not configured correctly on one or more of the devices. HA group will not operate correctly for this traffic group.

Recommended Action:
Fix the configuration of the HA group in the traffic group on all devices for case 2 log message.


010c0076 : Exceeded mcp recv soft limit: %d. Succeeded after %d messages.

Location:
/var/log/ltm

Conditions:
When SOD is starting, it establishes a connection with MCP. If initialization exceeds the expected number of messages, it will log this notification with the original expected limit and the actual number.

Impact:
None.

Recommended Action:
None.


010c0077 : Listening for unicast failover packets on address %s port %d.

Location:
/var/log/ltm

Conditions:
This message indicates that SOD is listening on the specified address and port for unicast network failover packets. It is logged when SOD starts up and begins listening for failover packets. It is also logged when a new unicast failover address is configured while SOD is running.

Impact:
None.

Recommended Action:
None.


010c007b : Deleted unicast failover address %s port %d for device %s.

Location:
/var/log/ltm

Conditions:
This log message appears when a unicast ip address is deleted on a device by the admin.

Impact:
This log message is an informational message that shows that a unicast address was deleted on a device.

Recommended Action:
None.


010c007e : Not receiving status updates from peer device %s (Disconnected).

Location:
/var/log/ltm

Conditions:
This message is logged on a peer device in the failover-sync group when it does not receive any network failover packets for the network timeout. This timeout defaults to 3 seconds.

Impact:
The device mentioned in the log message is marked as offline by the device logging the message, and is not eligible to be the next failover device.

Recommended Action:
The state of the device that was disconnected should be checked on the reported device. It could be a networking issue, a hardware issue, or an environmental issue.

Once the issue is corrected the device will start sending network failover packets and will be marked online again.


010c0082 : Sorted Load-Aware failover %s.

Location:
/var/log/ltm

Conditions:
This log message occurs if there is a change by the SOD process in the use of the internal Sorted Load-Aware failover algorithm. The message will appear if it was previously disabled and is now enabled, or if it was previously enabled and is now disabled.

Impact:
The log (level Informational) is generated once during a change in the internal algorithm state. The Load Aware algorithm is more efficient when Sorted is used, but it can only be used if all devices are capable of running it. The user cannot configure this or determine if it is in use solely by means of this log.

Recommended Action:
None.


010c0083 : No failover status messages received for %s seconds, from device %s (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs when the SOD process has not received a failover packet from a peer connection during the configured timeout interval.

Impact:
The log (level Warning) is generated after an expected failover packet is not received before the configured timeout interval. This indicates that the peer is no longer sending failover updates to the SOD process, possibly indicating that the peer has become busy or is offline.

Recommended Action:
Investigate the state of the peer connection.


010c0084 : Failover status message received after %s second gap, from device %s (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs when the SOD process receives a failover packet from a peer connection that it marked as no longer sending failover updates.

Impact:
This log (level Warning) is generated by a peer, which is no longer sending failover packets to the SOD process during the expected timeout interval, that has resumed sending packets. The time between packets (in seconds) is displayed.

Recommended Action:
This message is informational.


010c0085 : First failover status message received from device %s (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD process has received a message for the first time on a peer connection.

Impact:
The log (level Informational) is generated after the SOD process receives a message for the first time on a new peer connection. This log provides information to the user about this peer connection.

Recommended Action:
None.


010c0089 : Invalid go standby command. %s is not a valid traffic-group or device.

Location:
/var/log/ltm

Conditions:
If an administrator runs the cmd_sod command directly from the Linux shell, and provides an invalid argument.

Impact:
No failover.

Recommended Action:
Use the correct device or traffic group name.


010c008a : Invalid go standby command. %s is not a valid device.

Location:
/var/log/ltm

Conditions:
If an administrator runs the cmd_sod command directly from the Linux shell, and provides an invalid argument.

Impact:
No failover.

Recommended Action:
Use the correct device name.


010c008b : Unable to send to unreachable unicast address %s port %d.

Location:
/var/log/ltm

Conditions:
The failover daemon (sod) periodically sends UDP packets to other devices in the Device Service Cluster. A packet could not be sent, usually because the current routing table indicates there is no route to the destination device.

Impact:
When sod is unable to transmit Network Failover packets, other devices in the Device Service Cluster may conclude that the device is inoperative, and take over service.

Recommended Action:
Restore network connectivity between the devices.


010c008c : Previously unreachable unicast address %s port %d is now reachable.

Location:
/var/log/ltm

Conditions:
Clears the prior error condition has cleared.

Impact:
Restores normal transmission of network failover packets.

Recommended Action:
None.


010c0098 : Multicast socket connect failure: %s.

Location:
/var/log/ltm

Conditions:
An invalid multicast address is configured as the multicast-ip for a device.

Impact:
Multicast failover packets will not work on the multicast interface, thus reducing the reliability of operation in an HA cluster.

Recommended Action:
Configure a valid multicast address on all devices in the HA cluster. IPv4 multicast addresses must be in the 224.0.0.0/4 subnet and IPv6 multicast addresses must use the ff00:/8 prefix.


010c0099 : Connected to multicast group %s port %d on interface %s.

Location:
/var/log/ltm

Conditions:
The SOD high-availability (HA) daemon is able to successfully connect to the HA multicast interface configured in the device configuration.

Impact:
None.

Recommended Action:
None.


010c009a : Disconnected from multicast group %s port %d on interface %s.

Location:
/var/log/ltm

Conditions:
The SOD high-availability (HA) daemon disconnects from the multicast HA group. This can be due to the shutdown of the SOD HA daemon, or it can happen when the multicast-ip is changed.

Impact:
None.

Recommended Action:
None.


010c009b : Availability log %s failed '%s'.

Location:
/var/log/ltm

Conditions:
A read or write action to the availability log failed (for example, /var/log/availability.0).

Impact:
Gaps can be present in the availability log that might cause inaccurate system availability metrics or might prevent the display of availability metrics.

Recommended Action:
Remove the availability log or reset the stats. This will resolve the issue if you are unable to display availability metrics.


010c009c : Timer interval set to %u.%06us (was %u.%06u).

Location:
/var/log/ltm

Conditions:
The failover daemon has changed the polling interval.

Impact:
None. The system is acting normally.

Recommended Action:
None.


010c009d : Poll interval %dms, estimated %d packets/sec.

Location:
/var/log/ltm

Conditions:
Failover device group configuration has caused the failover daemon to recalculate the estimated update rate.

Impact:
None. The system is operating normally.

Recommended Action:
None.


010c009e : Config crc changed: old 0x%x new 0x%x.

Location:
/var/log/ltm

Conditions:
The high-availability configuration digest CRC has been changed due to a configuration change that affects the selection of the next-active location for traffic groups in a device service cluster.

Impact:
The message allows the user to determine which device in the device service cluster "differs" when the devices do not agree on the configuration. In this case where different nodes have different CRC values, default rules are followed.

Recommended Action:
None.


010d0005 : Chassis fan %d: status (%d) is bad

Location:
/var/log/ltm

Conditions:
A sensor determined that the fan speed is zero (0) RPM, indicating the chassis fan is not rotating.

Impact:
One or more faulty fans reduces the cooling capacity of the system, which can result in overheating issues. This log entry triggers the alarm LED to turn red and display an alert on the LCD.

Recommended Action:
Check for obstructions blocking the fan blades. Replace the fan tray for the faulty fan.


010d0006 : Chassis power supply %d has experienced an issue. Status is as follows: %s

Location:
/var/log/ltm

Appears in GUI, console, and LCD.

Conditions:
A system power supply has failed.

Impact:
In a redundant power supply system, only one power supply will be operational.

Recommended Action:
Replace the failed power supply. If the message persists, file a support ticket.


010d0009 : %s: voltage (%d) is too high

Location:
/var/log/ltm

Conditions:
A voltage sensor reading exceeded the operational limits.

Impact:
Continued operation during these conditions can produce component failure or unexpected behavior. This log triggers a red LED alarm and displays an alert on the LCD.

Recommended Action:
Contact support for resolution.


010d0010 : %s: fan speed (%d) is too low

Location:
/var/log/ltm

Appears in GUI, console, and LCD.

Conditions:
A system fan failed to operate at the minimum speed.

Impact:
Depending on the failed fan, the system could power off if chassis or CPU temperatures exceed maximum operating temperatures.

Recommended Action:
Determine the failed fan by typing 'system_check -d' at the command line. File a support ticket to diagnose and resolve this hardware problem.


010d0017 : %s: milli-voltage (%d) is too low

Location:
/var/log/ltm

Appears in GUI, console, and LCD.

Conditions:
Loss of power, or input power is out of recommended range.

Impact:
If a loss of power caused the condition, power redundancy is compromised.
If a loss of power did not cause the condition, indeterminate behavior can result.

Recommended Action:
Verify power is applied to unit.
Verify that the power is the correct input range.
Replace PSU associated with the alarm.


010e0001 : Cannot communicate with MCPD server

Location:
/var/log/ltm

Conditions:
This can be a result of BIG-IP device being very busy. The SNMP agent is unable to communicate with MCPd and thus logs this message. This situation can recover if BIG-IP device becomes less busy. Internally the SNMP requests come into the agent via the MCPd daemon. Responses back to the requester traverse the path back by means of the MCPd as well.

Impact:
All user requests either by means of the cli or the access to SNMP agents will not be honored. The SNMP data will not be retrieved as the interface to the SNMP daemon is down.

Recommended Action:
As a last option, reboot the BIG-IP device.


010e0002 : Established new connection to MCPD server

Location:
/var/log/ltm

Conditions:
This message occurs when a connection or new connection is established with the MCPD server. This message is internal to our software and is only an informational message. MCPD is the master control process daemon which has a number of connections to other processes of which one is the snmpd. When it establishes a communication channel to the snmpd process this message is printed in the log.

Impact:
An internal informational message is logged each time the mcpd communication channel is established with the snmpd.

Recommended Action:
None.


010e0004 : MCPD query response exceeding %d seconds

Location:
/var/log/ltm

Conditions:
This error message occurs when the MCPd response time is very slow. The SNMP subagent is encountering long timeouts while communicating with MCPd. The system may be very busy.

Impact:
The SNMP request fails.

Recommended Action:
One can retry the request. Also, it is worth executing an unrelated tmsh command to see if the same slow response times are seen. Wait to see if it is temporary slowdown of MCPd. Stop any of the SNMP queries that are currently running. As a last option, restart the BIG-IP device.


01100002 : alertd is going down

Location:
/var/log/ltm

Conditions:
BIG-IP device is restarting, or just the alertd daemon is stopping or restarting.

Impact:
None, informational only.

Recommended Action:
None.


01100017 : Email action is failed for toaddress %s

Location:
/var/log/ltm
LCD
SNMP Trap

Conditions:
Email notification for system alert failed to be sent.

Impact:
No additional impact to the system.

Recommended Action:
Recommendation is to review SOL3667 at AskF5 where email notification configuration is described. Make sure there are valid "To" and "From" addresses configured.


01100042 : Failed with MCPD at: %s (%s)

Location:
/var/log/ltm

Conditions:
The alertd daemon has encountered an inter-process communication error with the mcpd daemon. When this happens, there is likely a problem with mcpd either being down or too busy.

Impact:
If the error is simply "Socket read", and non-repeating, it was likely a single case of congestion and should not have long-term impact.

Most of the other errors such as "Connect", "Subscribe", "MCP msg receive", "Socket/pipe select", "Socket error event", "syslog pipe error event", or "errdefs scoket error event" indicate a failure for the alertd daemon to initialize properly. In this situation, alert generation and their associated SNMP traps are likely to be inoperational.

Recommended Action:
Issue a 'bigstart status alertd mcpd' from the CLI. If either process is not in 'run' state, or if the associated log messages are persisting, try issuing a 'bigstart restart <alertd|mcpd>' depending on whether one is malfunctioning, or perhaps both.


01100043 : logcheck Notice: %s %d

Location:
/var/log/ltm

Conditions:
1. "Disconnect mcpd". alertd disconnects from mcpd when alertd is exiting, due to a restart or the BIG-IP system shutting down.
2. "Receive alert msg from diskmonitor". alertd received a message from the disk monitoring subsystem, leading to a check for log rotation.
3. "logrotate triggered by large log <name_of_log_file> of size <size> KB -"Available disk space is <size> KB". Occurs when logrotate is running to compress logs.

Impact:
None. This is not an error condition, but normal operation. logrotate runs periodically to compress logs.

Recommended Action:
None.


01100048 : "Log disk usage still higher than %d%% after logrotate and %d times log deletion"

Location:
/var/log/ltm

Conditions:
Disk usage has surpassed the percentage threshold specified by the DB variable "logcheck.warnthres", whose default value is set at 80%. This warning is given after the system has already tried to compress or delete older log files over a number of iterations indicated in the message (default is 24 iterations).

Impact:
Disk space is running low, which could impact the system's ability to perform logging functions, receive new software for upgrades, or perform any other function requiring additional disk space.

Recommended Action:
1. Delete any unnecessary large files on the system or older logs.

Use "du" to find where the largest files are located:
du -a | sort -n -r

Inspect /shared/images for any unwanted ISO files.

Inspect /var/log for any undesirable large files.

2. Modify the "logcheck.warnthres" value if user believes that the disk usage threshold for the warning is too low.

modify sys db logcheck.warnthres Value
Values:
  [enter integer value min:0 max:100]

3. Consider adding additional storage capacity.


01100049 : logcheck Info: %s %d

Location:
/var/log/ltm

Conditions:
Informational messages that indicate DB variable values, free disk space in /var/log, and notifications that old compressed files are being deleted to free up space.

Impact:
Informational, but in some cases, might indicate a low amount of disk space free and deletion of the oldest compressed log archives in /var/log/ltm.

Recommended Action:
If message indicates deletion of old, compressed files, try deleting any unnecessary files that may be contributing to low amount of free disk space.


01100053 : %s

Location:
/var/log/ltm

Conditions:
This message occurs when a system administrator uses the command "lcdwarn -p emergency MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD pane, under priority "emergency".

Impact:
The Alert LED on the front panel of the box blinks red.

Recommended Action:
Use the command "lcdwarn -c emergency" to clear all messages of priority "emergency" from the LCD panel.


01100054 : %s

Location:
/var/log/ltm

Conditions:
This message occurs when a system administrator uses the command "lcdwarn -p critical MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD pane, under priority "critical".

Impact:
The Alert LED on the front panel of the box is solid red unless a higher priority message is also being displayed.

Recommended Action:
Run the command "lcdwarn -c critical" to clear all messages of priority "critical" from the LCD panel.


01100055 : %s

Location:
/var/log/ltm

Conditions:
This string is generated when an administrator uses the command "lcdwarn -p alert MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD panel under priority "alert".

Impact:
The Alert LED on the front panel of the box will be solid red unless a higher priority message is also being displayed.

Recommended Action:
Run 'lcdwarn -c alert' to clear all messages of priority 'alert' from the LCD panel.


01100056 : %s

Location:
/var/log/ltm

Conditions:
This string is generated when an administrator uses the command "lcdwarn -p error MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD panel under priority "error".

Impact:
The Alert LED on the front panel of the box will blink yellow unless a higher priority message is also being displayed.

Recommended Action:
Run 'lcdwarn -c error' to clear all messages of priority 'error' from the LCD panel.


01100057 : %s

Location:
/var/log/ltm

Conditions:
This string is generated when an administrator uses the command "lcdwarn -p warning MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD panel under priority "warning".

Impact:
The Alert LED on the front panel of the box will be solid yellow unless a higher priority message is also being displayed.

Recommended Action:
Run 'lcdwarn -c warning' to clear all messages of priority 'warning' from the LCD panel.


01100058 : %s

Location:
/var/log/ltm

Conditions:
An administrator has run the command 'lcdwarn -p info MESSAGE'. MESSAGE is the text string logged and displayed on the LCD panel under priority 'info'.

Impact:
None.

Recommended Action:
Run the command 'lcdwarn -c info' to clear all messages of priority 'info' from the LCD panel.


01100059 : Found db_name %s without value - reset to default %s.

Location:
/var/log/ltm

Conditions:
The user issues the command 'tmsh modify reset-to-default' against sys db variables that are in use by the alertd daemon.

Impact:
None.

Recommended Action:
None.


01100060 : trap string (%s) count (%d) (%s)");

Location:
/var/log/ltm file (debug level)

Conditions:
alertd-level debugging is enabled to test trap suppression and tune some DB variables.

Impact:
The system reports on the trap suppression handling of a message. It reports the OID and the message string being tracked, plus the count of times the strings have been seen within the suppression interval and whether the trap is being suppressed. For debugging only, this enables field support and administrators to decide if the values of their DB variables for trap suppression are correct for their environment.

Recommended Action:
If traps are either not being suppressed when you would like them to be or being suppressed when they don't want them to be, use the data reported in the log messages to adjust the values configured for the DB variables "snmp.BIG-IPtraps.suppress.interval" and "snmp.BIG-IPtraps.suppress.count".


01100061 : clear suppression map (count %d)");

Location:
/var/log/ltm file (debug log level)

Conditions:
alertd-level debugging is enabled to report when the map used to track trap suppression has been cleared.

Impact:
The map is cleared when trap suppression in disabled (that is, the db variable "snmp.bigiptraps.suppression.interval" is set to 0) or when the map has grown to 1K entries.

Recommended Action:
None.


01110001 : Error running %s

Location:
This message will be generated in the LTM log.

Conditions:
These messages will only be generated when configuration is being synchronized between a pair of devices running a version of TMOS prior to 11.0. In 11.0, a new synchronization system was introduced and this message is longer be generated.

Impact:
The sync request fails, and the other device still has the configuration prior to 11.0.

Recommended Action:
Determine why the sync failed. Disk usage on the local or peer device might be a factor, as well as differences in the base configuration on the peer device, which can cause validation errors. Those errors will be found in the peer device's logs.


01110034 : The configuration for running config-sync is incorrect.

Location:
/var/log/ltm

Conditions:
This message is only generated on versions of TMOS prior to 11.0. Any of the following conditions will cause it to be generated:

- The device is not part of a redundant pair (see DB variable failover.isredundant).
- The device does not have a peer IP configured (either configsync.peeripaddr or statemirror.peeripaddr is acceptable).
- This device is unable to reach the other device over iControl SOAP to determine that it is configured as part of a redundant pair.
- This device has the same hostname configured as the other device, or cannot reach the other device to obtain its hostname (see DB variable hostname).

Impact:
Sync is not possible until all of the above conditions are resolved.

Recommended Action:
Inspect the values of the DB variables and check for iControl connectivity between the two devices.


0114001a : HA stale %s pid %d detected.

Location:
/var/log/ltm

Conditions:
When daemons restarted, stale data was detected in the internal HA table.

Impact:
This is an informational message, indicating that stale data was detected and ignored.

Recommended Action:
None.


01140029 : HA %s %s fails action is %s.

Location:
/var/log/ltm

Conditions:
This message occurs when a component detects an HA failure condition, and requests the system to take corrective action.

The first field is the feature type, and the second field is the component name. The list of configured HA features is available through the 'show sys ha-status' command.

Impact:
The impact depends upon what corrective action is configured for the specified component.

Recommended Action:
Correct the issue that caused the component to fail.


0114002a : HA %s %s created.

Location:
/var/log/ltm

Conditions:
The creation of a new HA table entry. The first parameter is the HA table feature name, the second is the component that the feature was created for. The "show sys ha-status" command lists all the current HA Table entries.

Impact:
None. This is a debug-level informational message and is only observed if the component logging level changes from the default to 'debug'.

Recommended Action:
None.


0114002b : HA %s %s enabled.

Location:
/var/log/ltm

Conditions:
An HA Table entry is enabled for failure monitoring. The first parameter is the HA table feature name, the second is the component that the feature was created for. The "show sys ha-status" command lists all the current HA Table entries.

Impact:
None.

Recommended Action:
None.


0114002c : HA %s %s disabled.

Location:
/var/log/ltm

Conditions:
Failure monitoring is disabled for an HA Table entry. The first parameter is the HA table feature name, the second is the component that the feature was created for. The "show sys ha-status" command lists all the current HA table entries.

Impact:
Failure of the designated component will not be detected.

Recommended Action:
None.


01140030 : HA %s %s is now responding

Location:
/var/log/ltm

Conditions:
An HA error condition no longer exists for the specified feature.

Impact:
The system may be able to exit the failure condition required by the HA error condition.

Recommended Action:
None.


01140043 : Ha feature %s reboot requested

Location:
/var/log/ltm

Conditions:
This message is issued when an HA system detects that a reboot should be performed. The most common occurrences are during administrator-requested reboots or a change of boot location:

Ha feature reboot_request_t reboot requested.
Ha feature software_update reboot requested.

Other components may be administratively configured to cause a reboot on failure.

Impact:
The device reboots.

Recommended Action:
If the reboot was unintentional, identify the failing component indicated by the 'feature', and other preceding log message that references this 'feature', and determine why that component failed. If a reboot is not an appropriate action for that component failure, reconfigure it for a different action.


01140044 : HA reports tmm ready

Location:
/var/log/ltm

Conditions:
The TMM is ready to process traffic.

Impact:
It's not an error.

Recommended Action:
None.


01140045 : HA reports tmm NOT ready

Location:
/var/log/ltm

Conditions:
It occurs any time that the tmm starts (or restarts), during the period from startup until when the TMM completes initialization.

Impact:
No traffic is processed until the TMM is ready.

Recommended Action:
Wait for the TMM to become ready.


01140100 : Overdog daemon startup

Location:
/var/log/ltm

Conditions:
The system is starting up and the HA watchdog is now active.

Impact:
The system will now respond to HA error conditions.

Recommended Action:
None.


01140101 : Overdog daemon shutdown

Location:
/var/log/ltm

Conditions:
The system watchdog daemon (overdog) has been shut down, typically because the system is shutting down or rebooting.

Impact:
Watchdog monitoring is no longer active.

Recommended Action:
Wait for the system to finish shutting down.


01140102 : Overdog daemon requests reboot

Location:
/var/log/ltm

Conditions:
The overdog daemon has detected that a subsystem has requested an HA action of "reboot", and is initiating the operation.

Impact:
The system will reboot.

Recommended Action:
None.


01140103 : Watchdog touch enabled with %d seconds

Location:
/var/log/ltm

Conditions:
This message is issued when the system watchdog process (overdog) initiates the hardware watchdog feature.

Impact:
If the system becomes non-responsive, it will automatically reboot.

Recommended Action:
None.


01140104 : Watchdog touch disabled

Location:
/var/log/ltm

Conditions:
This message is issued when the hardware watchdog process (overdog) disarms the hardware watchdog and stops periodic updates. This occurs automatically when the system is already rebooting, or when the administrator disables the hardware watchdog by setting the watchdog.state DB variable to "disable".

Impact:
The hardware watchdog will not automatically reboot the system.

Recommended Action:
Enable the watchdog function by setting the watchdog.state DB variable to "enable".


01140106 : Overdog daemon calling bigstart restart

Location:
/var/log/ltm
console

Conditions:
An HA Table failover action that specifies 'restart-all' has been triggered.

Impact:
All traffic groups will fail over to a peer device, and all local services are restarted.

Recommended Action:
None.


01150216 : Notice from %s: %s

Location:
/var/log/gtm

Conditions:
This is a generic logging message for the daemon "named" that occurs when the daemon checks if the current config file or current zone file is valid, and encounters an unknown error.

Impact:
Any recent changes to the named or zone file configuration will not take effect.

Recommended Action:
Use any information presented in the message to determine what action, if any, is required. This message could indicate an error in the named config or zone files, located in the directory "/var/named/config".


01150515 : Processing Resource Record (%s:%s) failed due to error '%s'.

Location:
/var/log/gtm

Conditions:
A DNS record contains a malformed RDATA field.

Impact:
The validation fails and the DNS record is not created or parsed.

Recommended Action:
Ensure that the RDATA field is not malformed.


01150d03 : Attempting to %s loopback address %s

Location:
/var/log/gtm

Conditions:
A new IP address is being created on the tmm loopback address.

Impact:
None.

Recommended Action:
None.


01151500 : NamedWatcher: Error encountered during initialization of named configuration monitor: %s.

Location:
/var/log/gtm

Conditions:
An error has occurred during the setup of named configuration file monitoring.

Impact:
Named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.


01151501 : NamedWatcher: Watching cur stat for dir:%s ts:%ld inode:%llu with id:%d.

Location:
/var/log/gtm

Conditions:
This message occurs during normal, successful monitoring of the named configuration.

Impact:
None. This is an information message only.

Recommended Action:
None.


01151502 : NamedWatcher: Error %s setting up watch for dir:%s.

Location:
/var/log/gtm

Conditions:
An error has occurred during the setup of the named configuration file monitoring.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.


01151503 : NamedWatcher: Unexpected EOF %s from named configuration monitor file descriptor.

Location:
/var/log/gtm

Conditions:
An error has occured reading notification information for the named configuration file. monitor.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.


01151504 : NamedWatcher: Error %s reading from named configuration monitor file descriptor.

Location:
/var/log/gtm

Conditions:
An error has occurred while reading notification information.

Impact:
A change to the named configuration might not have generated a proper notification. The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.


01151505 : NamedWatcher: Expected at least %d bytes, only %d bytes are available.

Location:
/var/log/gtm

Conditions:
A notification was not the proper length.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.


01151506 : NamedWatcher: Kernel monitor overflow %s.

Location:
/var/log/gtm

Conditions:
A kernel notification buffer has overflowed. The kernel error occurred while processing the named configuration file monitoring.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.


01151507 : NamedWatcher: %s monitor wd:%d len:%d events:%s dir:'%s' name:'%s'.

Location:
/var/log/gtm

Conditions:
This is an informational debug message only.

Impact:
None.

Recommended Action:
None.


01151508 : NamedWatcher: Read ignored event.

Location:
/var/log/gtm

Conditions:
This is a debug message only.

Impact:
None.

Recommended Action:
None.


0115150a : NamedWatcher: %s stat for %s ts:%ld inode:%llu.

Location:
/var/log/gtm

Conditions:
During notification processing, this debug message is generated for each file being monitored.

Impact:
None.

Recommended Action:
None.


0115150b : NamedWatcher: stat for '%s' failed:%s.

Location:
/var/log/gtm

Conditions:
A user has attempted to get status information for a file that has already been deleted.

Impact:
This is ignored because the file is no longer present.

Recommended Action:
None.


0115150c : NamedWatcher: Skipping event %s (len:%d) for '%s' because it contains the %s.

Location:
/var/log/gtm

Conditions:
During normal named configuration monitoring operations, certain changes to certain files are deliberately ignored.

Impact:
None.

Recommended Action:
None.


0115150d : NamedWatcher: Deleting watch for dir:%s with id:%d.

Location:
/var/log/gtm

Conditions:
During normal operations, zonerunner will stop the monitoring
of the named configuration files for certain operations. This message has occurred because a monitor has been deleted.

Impact:
None.

Recommended Action:
None.


01151513 : NamedWatcher: Read event for dir:'%s'.

Location:
/var/log/gtm

Conditions:
A user attempted to get read notification for a file that has already been deleted.

Impact:
This is ignored because the file is no longer present.

Recommended Action:
None.


01151515 : NamedWatcher: Dont care about event wd:%d events:%s name:'%s'.

Location:
/var/log/gtm

Conditions:
During normal named configuration monitoring operations,
certain events are deliberately ignored.

Impact:
None.

Recommended Action:
None.


01160004 : LACPD reporting error conditions

Location:
/var/log/ltm

Conditions:
LACPD system encountered an unexpected I/O error when communicating with configuration delivery system (MCPD).

Impact:
No link aggregation functionality.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings and try to correlate the LACPD messaging error with MCPD errors.


01160005 : LACPD reporting internal error conditions

Location:
/var/log/ltm

Conditions:
LACPD system encountered an unexpected error within the BIG-IP system, when transmitting PDUs to the Broadcom switch daemon (bcm56xxd) or requesting PDUs from bcm56xxd via HAL messaging.

Impact:
Degraded or no link aggregation functionality.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings, and try to correlate the LACPD messaging error with bcm56xxd errors.
Issue "tmsh show sys service bcm56xxd" and "tmsh show sys service lacpd", and verify the status of the services.


01160009 : LACPD reporting a link being added to aggregation

Location:
/var/log/ltm

Conditions:
A link was added to aggregation.

Impact:
The user configuration changed to add a new port to the LACP trunk. This message is informational only.

Recommended Action:
None.


01160010 : LACPD reporting a link being removed from aggregation

Location:
/var/log/ltm

Conditions:
A link was removed from aggregation.

Impact:
The user configuration changed to remove the port from the LACP trunk. This message is informational only.

Recommended Action:
None.


01160011 : LACPD reporting a churn condition

Location:
/var/log/ltm

Conditions:
LACP detects an operable port, but the Actor has not attached the link to an Aggregator and brought the link into operation within a bound time period. Continued failure to reach agreement can be symptomatic of device failure.

Impact:
The churn condition is informational.

Recommended Action:
Inspect the /var/log/ltm file for additional LACP errors and warnings.
Inspect the LACP configuration of the devices.


01160012 : LACPD reporting a churn condition

Location:
/var/log/ltm

Conditions:
LACP detects an operable port, but the Partner has not attached the link to an Aggregator and brought the link into operation within a bound time period. Continued failure to reach agreement can be symptomatic of device failure.

Impact:
The churn condition is informational.

Recommended Action:
Inspect the /var/log/ltm file for additional LACP errors and warnings.
Inspect the LACP configuration of the devices.


01160016 : LACP reporting an internal condition as informational message

Location:
/var/log/ltm

Conditions:
Internal LACP system has encountered an unexpected condition. Conditions can vary and be caused by but not limited to:
- Linux socket errors, which may be temporary in nature
- Device misconfiguration

Impact:
Varies considerably with specific message. It may indicate a configuration error somewhere else in the system.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings and try to correlate the LACP messaging with another system that may be misconfigured or malfunctioning.


01160017 : Internal Link %s is AVAILABLE.

Location:
/var/log/ltm

Conditions:
When an internal trunk's member interface is up. This should only happen on a BIG-IP version 9.0 platform (3400, 6400, 6800, 8400, or 8800).

Impact:
This is an Information only message, and not an error message. It is logged at INFO level.

Recommended Action:
None.


01160018 : Internal Link %s is UNAVAILABLE.

Location:
/var/log/ltm

Conditions:
When an internal link for an internal trunk goes down. This only applies to BIG-IP version 9.0 platforms (3400, 6400, 6800, 8400 and 8800) and should only happen when tmm or bcm56xxd goes down or is restarted.

Impact:
This is an information message on an internal link status.

Recommended Action:
None.


01160024 : %s

Location:
/var/log/ltm

Conditions:
Sample messages: warning: no receive on 0.1 for 15s (timeout=30s)
                 warning: no receive on 4.3 for 30s (timeout=60s)

This warns when the timeout reaches the halfway point for early diagnosis of potential LACPd issues when monitoring customer trunks.

Impact:
None.

Recommended Action:
Check /var/log/ltm to see if there are any other log messages that can explain lacpd issues.
Investigate lacpd statistics.


01170003 : halGetDossier returned error (%d): Dossier generation failed.

Location:
/var/log/ltm/, console

Conditions:
This error occurs whenever dossier fields like the MAC address, unique device ID (AOM ID) is empty. These fields can be empty if there is a manufacturing error, or if BMC (in case of BIG-IP iseries) or LOP (in case of BIG-IP 4000-series, 5000-series, 7000-series, 10000-series) is not responsive. The details as to which dossier field is unavailable can be seen in /var/log/ltm.

For example. in /var/log/ltm:
err chmand[837]: 012a0003:3: getAomDeviceId error: No AOM id found ...
err chmand[837]: 012a0003:3: DossierReq exception: BmcDev: getAomDeviceIdIpmiCmdDev: f5OEMCmd: command 115 (cc=193) Invalid Command

warning get_dossier[8502]: 012a0004:4: hal_request_dossier: request failed
err get_dossier[8502]: 01170003:3: halGetDossier returned error (1): Dossier generation failed.

Impact:
Without a valid dossier, one cannot license a BIG-IP system. Every time a dossier request is sent, this error will be displayed on the console and logged in /var/log/ltm.

Recommended Action:
None. Contact F5 support.


01170005 : %s stat fails: %s.

Location:
/var/log/ltm

Conditions:
The F5_API_COM interface is trying to extract information about the current version from the /VERSION file, the /proc/version file, or the Certificate-Request (CSR) file, but at least one of these files missing. (The certificate request file is usually a temporary file created in /config/ssl/ssl.csr with the file name f5-api-com.csr_<random_number>.)

Impact:
The API call fails because the required information cannot be obtained, and therefore the program fails. This error is not expected to happen and is intended to be a safeguard.

Recommended Action:
No fix is available from the API itself. Diagnose the BIG-IP system to determine the reason for the missing file.


01170012 : Unsupported argument (-%c).

Location:
/var/log/ltm

Conditions:
A user provides an unsupported argument when using the get_dossier application. The erroneous execution also provides the list of supported arguments in its output.

Impact:
get_dossier application fails to generate the dossier.

Recommended Action:
Provide arguments that are supported by the get_dossier application.


01170019 : Detected Registration Key-Less dossier generation for CSP.

Location:
/var/log/ltm

Conditions:
The BIG-IP system is licensing with an Hourly Billing license in a cloud environment supported by BIG-IP VE.

Impact:
Not an indicator of any kind of error with dossier generation or licensing.

Recommended Action:
None.


01170020 : Option -%c requires an argument.

Location:
/var/log/ltm

Conditions:
Some command-line options in get_dossier also require an argument value.

Impact:
get_dossier application fails to generate the dossier.

Recommended Action:
Must provide an argument value for get_dossier command line options that require a value.


01170021 : Invalid value (%s) passed for option (-%c).

Location:
/var/log/ltm

Conditions:
When using get_dossier, an invalid value for a command line option.

Impact:
get_dossier application fails to generate the dossier.

Recommended Action:
Provide correct values for command line options that are supported by the get_dossier application.


01180005 : Evaluation license has expired.

Location:

Conditions:
An Evaluation license has expired.

Impact:
None.

Recommended Action:
None.


01180010 : [license processing][error]: %s

Location:
/var/log/ltm

The contents of /var/log/ltm can be viewed in the GUI under System > Logs > Local Traffic.

Conditions:
This group of messages includes messages that are generated internally by the license parsing code. They include three general cases:
1) The license file contains errors
2) The parsing code contains errors
3) mcpd's license load/validation code contains errors

The probable cause for this message is an error in copying the license file, for example, introduced during a manual license installation.

Impact:
The BIG-IP system does not function until it can successfully parse and evaluate the installed license file.

Recommended Action:
Re-license the box. If re-licensing does not solve the problem, contact F5 Support.


01180017 : Subscription license has expired.

Location:
/var/log/ltm

Conditions:
A subscription-based license has expired.

Impact:
BIG-IP functionality and traffic processing is disabled.

Recommended Action:
Renew the license.


01190003 : arp_input: packet too short (%lu/%lu)

Location:
/var/log/ltm

Conditions:
The received ARP packet is invalid because the packet is too short.

Impact:
The packet will be dropped.

Recommended Action:
None.


01190004 : address conflict detected for %a (%m) on vlan %d

Location:
/var/log/ltm

Conditions:
Another node on the network issued a gratuitous ARP for an address configured on the BIG-IP device.

Impact:
An interruption for traffic using that IP is likely.

Recommended Action:
Assign a different IP address to the other node. The MAC address logged in the message can be used to identify the node.


01190007 : Neighbor update, route lookup failed, address = %la%%%u

Location:
/var/log/ltm

Conditions:
Creating a static ARP entry in which there is no route associated with that IP address.

Impact:
A static ARP entry becomes bogus in TMM, although it is still shown in the MCP database.

Recommended Action:
Before creating a static ARP entry, make sure that there is a route associated with the IP address of the static ARP entry.


01190008 : Neighbor update, route is not link type, address = %la%%%u

Location:
/var/log/ltm

Conditions:
Creating a static ARP entry in which the route associated with that IP address is not a link (interface) route.

Impact:
A static ARP entry becomes bogus in TMM, although it is still shown in the MCP database.

Recommended Action:
Before creating a static ARP entry, make sure that there is a link (interface) route associated with the IP address of the static ARP entry.


01190009 : Neighbor update failed, err = %E, address = %la%%%u, ifc name = %s

Location:
/var/log/ltm

Conditions:
Internal TMM error (e.g., out of memory) when creating a static ARP entry.

Impact:
A static ARP entry becomes irrelevant in TMM, although it is still shown in the MCP database.

Recommended Action:
Delete a static ARP entry and re-create it again.


01190010 : Neighbor delete failed, err = %E, address = %la%%%u

Location:
/var/log/ltm

Conditions:
When trying to delete an non-existing static ARP entry in TMM.

Impact:
No static ARP entry is deleted in TMM.

Recommended Action:
None.


011a0060 : Compression Stream failure: %s

Location:
/var/log/gtm

Conditions:
The system is out of memory. If this happens, the problem is probably elsewhere.

Impact:
The system is unable to monitor other GTM systems.

Recommended Action:
Use "top -a' or 'ps v | sort -k 8 -g -r | head" to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug. Note that a restart could cause a temporary service outage.


011a0300 : There was an error trying to send a DNSSEC Key Generation %s msg to MCP

Location:
/var/log/gtm

Conditions:
An existing DNSSEC Key Generation is due to rollover or expire, but gtmd encountered an issue sending the update message to mcpd.

Impact:
The existing DNSSEC Key Generation is not rolled-over and/or expired.

Recommended Action:
None.


011a0300 : There was an error trying to send a DNSSEC Key Generation %s msg to MCP

Location:
/var/log/gtm

Conditions:
An existing DNSSEC Key Generation is due to roll over or expire but gtmd encountered an issue sending the update message to mcpd.

Impact:
The existing DNSSEC Key Generation is not rolled over and/or expired.

Recommended Action:
None.


011a0302 : %s : %llu.

Location:
/var/log/gtm

Conditions:
This is a developer debug log option.

Impact:
None. The message does not appear in customer scenarios.

Recommended Action:
None.


011a0302 : There was an error trying to send a DNSSEC Zone SOA serial modify msg to MCP

Location:
/var/log/gtm

Conditions:
There is a DNSSEC Zone configured that has processed a zone transfer at some point. Then gtmd experiences an error trying to message mcp about updating a DNSSEC Zone serial number.

Impact:
DNSSEC Zone serial number might not be updated in the mcpd database.

Recommended Action:
None.


011a0305 : DNSSEC Zone %s cannot process a partial SOA serial update message

Location:
/var/log/gtm

Conditions:
TMM sent a request for a partial serial update.

Impact:
No serial update is for the given DNSSEC zone.

Recommended Action:
None.


011a0306 : Encountered error %s while trying to set a DNSSEC Key Generation event timer

Location:
/var/log/gtm

Conditions:
The user has configured automatic rolling DNSSEC Keys and there was a problem setting up a timer to roll and/or expire a DNSSEC key generation.

Impact:
A DNSSEC key might not be rolled and/or expired as reported in the configuration.

Recommended Action:
None.


011a0307 : Processing %s Event for DNSSEC Key %s, ID %llu

Location:
/var/log/gtm

Conditions:
A DNSSEC Key Generation event is about to be processed.

Impact:
None. This is informative debug output only and does not represent an issue.

Recommended Action:
None.


011a0308 : Unable to determine GTM local id, must skip processing DNSSEC Key Generation events

Location:
/var/log/gtm

Conditions:
The GTM local ID cannot be determined for the purposes of DNSSEC Key Generation event processing (list sys db gtm.peerinfolocalid == -1).

Impact:
No DNSSEC Key Generation events are processed by this BIG-IP GTM system.

Recommended Action:
None.


011a500f : %s (%s) identified as self, %s

Location:
/var/log/gtm

Conditions:
The gtmd daemon has determined that a configured GTM device or server represents the local device. This determination is made by matching any of the local self IP addresses to any IP address (including translated addresses) of the configured GTM servers/devices.

Impact:
The local gtmd instance considers the indicated device to be the local system, and makes specialized decisions in relation to that configured device (the instance does not attempt to form an iQuery connection with that device, etc.).

Recommended Action:
If the indicated device is not the one intended to match with the local system, then verify that the IP address configuration of that device is correct ("tmsh list gtm server <server_name> devices") and that the local self-IP addresses are properly configured.

If both of these fields are correctly specified and the system is still making an incorrect determination, then the command "tmsh modify sys db gtm.self value <correct_self_device_name>" can force the local system to recognize the named device as the local system. Note that the name of the device and the configured gtm.self value must match exactly, character for character. If a matching device for this field is not found, the system falls back to attempting to use the IP address; the logged message should indicate how gtmd made its determination.


011a5010 : Unable to identify which gtm server represents the local device

Location:
/var/log/gtm

Conditions:
The gtmd daemon has attempted to identify which of the configured GTM devices or servers represents the local machine and was unable to make a determination. This determination is made by matching any of the configured self IP addresses of the local device to any of the IP addresses (including translated addresses) of the configured GTM servers/devices.

Impact:
If the local machine is not able to establish which server is itself, it might be unable to establish an iQuery connection with the other GTM servers, which affects GTM config synchronization, GTM monitoring, and several other functions.

Recommended Action:
Verify that a GTM device that matches the local system is configured ("tmsh list gtm server all devices"); the GTM device should include at least one of the local system's self IP addresses.


011ad103 : BoxIP was NULL

Location:
gtm logs are reported in /var/log/gtm

Conditions:
This is a debug message printed when gtmd has attempted to find the ip address of a particular connection but found that it was NULL. This by itself does not indicate an error state and is meant to provide additional context on other issues observed on the system.

Impact:
This gtm instance will not be able to receive messages over that connection from other gtmd instances or from big3d.

Recommended Action:
It is advised to disable debug logging in gtmd if it is not required for informational purposes. This can be done via "tmsh modify sys db log.gtm.level value [desired_logging_level]"


011ae045 : XML Buffer size (%lu bytes) exceeded when attempting to send %s.

Location:
/var/log/gtm

Conditions:
The buffer exceeded 64k when a replacement iQuery connection attempt was made.

Impact:
The replacement connection continues. However, the server side of the connection (big3d) will not fully implement the "replacement" protocol. This is highly unlikely because the contents of the connection attempt buffer should never approach the limit, but the error serves as a safety check.

Recommended Action:
None.


011ae050 : SSL Context set to use cipher list '%s'\n

Location:
/var/log/gtm

Conditions:
The SSL Cipher List is set or changed on a global GTM SSL Context.

Impact:
No impact. This message is informational only.

Recommended Action:
None.


011ae051 : SSL Context set to use minimum TLS version '%s'\n

Location:
/var/log/gtm

Conditions:
The Minimum TLS Version has been set or changed on global GTMD SSL Context.

Impact:
No impact. This message is informational only.

Recommended Action:
None.


011ae052 : Using Server specific(%s) cipher list '%s'\n

Location:
/var/log/gtm

Conditions:
A GTM Server specific cipher list has been used on an iquery connection, instead of the global GTM cipher list specified in GTM globals.

Impact:
None. This message is informational only.

Recommended Action:
None.


011ae053 : Using Server specific(%s) minimum TLS version '%s'\n

Location:
/var/log/gtm

Conditions:
A GTM Server specific minimum TLS version has been set on an iquery connection instead of the value in the GTM Globals.

Impact:
None.

Recommended Action:
None.


011ae054 : New key or certificate file detected, attempting to create new SSL Context.

Location:
/var/log/gtm

Conditions:
A new key or certificate file has been placed on the BIG-IP system.

Impact:
gtmd will use the key or certificate file to create a new SSL context for new connections. This is an informational message only.

Recommended Action:
None.


011ae055 : Creating replacement iQuery connection on all servers.

Location:
/var/log/gtm

Conditions:
A user has requested that all existing iQuery connections be reconnected (that is, replaced) after changing SSL cipher list or minimum TLS version.

Impact:
None. This message is informational only.

Recommended Action:
None.


011ae056 : Creating replacement iQuery connection to server %s.

Location:
/var/log/gtm

Conditions:
A GTM Server's iquery connections have been replaced after a user request.

Impact:
None. This message is informational only.

Recommended Action:
None.


011ae057 : Creating replacement iQuery connection to ip %s.

Location:
/var/log/gtm

Conditions:
A specific iQuery connection has been reconnected/replaced because of a user request.

Impact:
None.

Recommended Action:
None.


011ae058 : iQuery connection ID:%d to Remote IP:%s replaced with connection ID:%d.

Location:
/var/log/gtm

Conditions:
An iQuery connection has been replaced/reconnected, indicating the IP Address, the old connection ID, and the new connection ID.

Impact:
None. This message is informational only.

Recommended Action:
None.


011ae059 : The specified TLS version (%s) is not a valid selection, SSL CTX not changed.

Location:
/var/log/gtm

Conditions:
The Minimum TLS Version is not a valid value.

Impact:
The desired value is not set, and the previous setting is used.

Recommended Action:
Use iqtest or openssl to test for valid values, and change the setting as appropriate.


011ae05a : The specified TLS version (%s) is not a valid selection.

Location:
/var/log/gtm

Conditions:
A user has entered a Minimum TLS Version that is invalid. The previous value is retained.

Impact:
None. The previous value continues to be used. However, if the value is not corrected, this message appears at every startup, since gtmd starts with a preprogrammed value (the default) and attempts to switch to the value that the user entered in GTM Globals.

Recommended Action:
Correct the TLS version to one of the supported strings:
TLSv1
TLSv1.1
TLSv1.2

The iqtest tool can be used to validate tls (and cipher strings)
Example:
iqtest -t tlsv2 10.100.0.1
error from gzip_ssl_ctx_init failure to set minimum tls version to tlsv2


011ae05a : The specified TLS version (%s) is not a valid selection, server (%s) value not changed.

Location:
/var/log/gtm

Conditions:
A user has entered a value for a GTM Server's TLS version list that does not match an expected value.

At this time, the expected values are:
TLSv1
TLSv1.1
TLSv1.2

Impact:
The impact is that the user-supplied value is ignored. The previous value continues to be used.

Recommended Action:
Examine the value and enter a correct value.


011ae05b : SSL Cipher List unchanged since requested value is identical to current value %s".

Location:
/var/log/gtm

Conditions:
GTM has received an update to the SSL Cipher List that is the same as the current setting.

Impact:
GTM logs the message and makes no change to internal settings.

Recommended Action:
None.


011ae05c : SSL Minimum TLS Version unchanged since requested value is identical to current value %s".

Location:
/var/log/gtm

Conditions:
GTM has received an update to the Minimum TLS version List that is the same as the current setting.

Impact:
None. GTM logs the message and makes no change to internal settings.

Recommended Action:
None.


011ae05d : Replacement iQuery connection to %s already in progresss. Ignoring request.

Location:
/var/log/gtm

Conditions:
A replacement iQuery connection has been initiated, but not finalized, and a new iquery reconnect command was issued by a user.

The timeline is:

0. There is an existing iQuery connection: Connection ID 1
1. User issues iQuery reconnect for a given iQuery connection (or all connections)
2. GTM begins the connection setup, Conn ID = 2
3. User issues another iQuery reconnect for the same connection
   GTM detects there is a replacement in progress and logs this message.
   to the requester
4. Conn ID 2 completes successfully.
5. Conn ID 1 is removed.

Impact:
None. The connection in progress runs to completion (either success or failure).

Recommended Action:
None.


011ae05e : iQuery connection ID:%d to Remote IP:%s created.

Location:
/var/log/gtm

Conditions:
A new iQuery connection has been fully established (either an initial connection or a replacement).

Impact:
None. This message is informational only and includes the connection ID, assigned by big3d, and the IP address used to connect to big3d.

Recommended Action:
None.


011ae05f : SSL Context created with cipher list '%s' and minimum TLS version '%s'.

Location:
/var/log/gtm

Conditions:
A new SSL context has been created.

Impact:
This is a "Notice" level message and lists the cipher list and minimum TLS version used to create the SSL context. The message helps a user verify that the desired cipher list and TLS version are used.

Recommended Action:
None.


011ae060 : Attempt(ignored) to replace an existing iquery connection with an invalid replacement.

Location:
/var/log/gtm

Conditions:
An attempt has been made to replace an iQuery connection with an inappropriate iQuery connection. This should not occur unless there is a bug in the code.

Impact:
The replacement attempt failed and the existing connection remains active. This is a Debug-level message.

Recommended Action:
Retry the connection.


011ae10e : Autoconf deleted link (%s)

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that a link should not exist because it does not have a matching pool member on any of the servers in the same datacenter.

Impact:
The auto-configuration utility deletes the named link.

Recommended Action:
No workaround required, this is expected behavior.

If it is desired to keep a Global Traffic Manager (GTM) link even when there is no matching member, then disable auto-discovery via the command "tmsh modify gtm global-settings general auto-discovery no".


011ae10f : Autoconf deleted linkIP (%s)

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that an IP address associated with a link should not exist. This is because a matching member does not exist on any known server in the same datacenter.

Impact:
The IP address is deleted from the associated link's list of IP addresses, and if this is the last remaining address in the list, the link is deleted.

Recommended Action:
No workaround required, this is expected behavior.

If it is desired to keep a Global Traffic Manager (GTM) link even when there is no matching member, then disable auto-discovery via the command "tmsh modify gtm global-settings general auto-discovery no".


011ae110 : Autoconf skipped deletion of link (%s) because %s

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that a link should not be deleted for the stated reason.

Impact:
None.

Recommended Action:
Disable debug logging unless it is required for other reasons. This can be done via the command "tmsh modify sys db log.gtm.level value <desired_logging_level>".


011ae111 : Autoconf skipped deletion of linkIP (%s) because member (%s) exists on box (%s)

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that an IP address should not be deleted from a link's list of addresses because the specified member exists on the specified device.

Impact:
None.

Recommended Action:
Disable debug logging unless it is required for other reasons. This can be done via the command "tmsh modify sys db log.gtm.level value <desired_logging_level>".


011ae112 : SSL Cipher List must not be empty. Previous setting remains in effect.

Location:
/var/log/gtm

Conditions:
The GTM globals cipher list is NULL or an empty string.

Impact:
The previous setting remains in effect.

Recommended Action:
Configure a value for the GTM globals cipher list.


011ae113 : SSL verification of SSL connection to: %s %s

Location:
/var/log/gtm

Conditions:
SSL verification has been started on an iQuery connection. This can happen at connection time, or after the renegotiation time as expired.

Impact:
None. This is an information message only. The message includes the IP address of the server and the certificate information.

Recommended Action:
None.


011ae114 : %s: SSL error: %s (%d) from connection %s

Location:
/var/log/gtm

Conditions:
An SSL error occurred during an SSL operation such as read, write, or connect.

Impact:
This is a general purpose error code to report the error as the SSL library specifies.

Recommended Action:
Examine the error message and attempt to address the issue.


011ae115 : SSL Minimum TLS Version must not be empty. Previous setting remains in effect.

Location:
/var/log/gtm

Conditions:
The GTM globals cipher list is NULL or an empty string.

Impact:
The previous setting remains in effect.

Recommended Action:
Configure a value for the SSL Minimum TLS Version setting.


011ae116 : Topology detected bad order value (%u) for topology entry (%s), reset order to (%u)

Location:
/var/log/gtm

Conditions:
The topology library has determined that the topology records that it contains do not conform to a complete and ordered list.

Impact:
The system re-orders the indicated topology entry. In general, when using topology-based load balancing, there might be unexpected behavior regarding the order in which topology records are processed.

Recommended Action:
Re-load the GTM configuration using the command "tmsh load sys config gtm-only". If the message still persists, it might indicate an error in the GTM configuration. Re-loading the GTM configuration overwrites the running GTM configuration with the saved GTM configuration.

Enabling longest-match ordering using the command "tmsh modify gtm global-settings load-balancing topology-longest-match yes" might also resolve this issue; however, the command will also modify the order of all configured topology records to the default ordering. Enabling longest-match ordering re-orders all topology records into the default ordering.


011ae116 : The list processing time (%d seconds) exceeded the interval value. There may be too many monitor instances configured with a %d second interval.

Location:
/var/log/gtm

Conditions:
The gtmd service attempted to process a given list of monitor probe instances before the next scheduled probing interval for this same list. Basically the monitoring timers could not fire quickly enough to process an entire probe interval list.

Impact:
Monitor flapping occurs, and/or resources are marked as down when they actually up.

Recommended Action:
Since there are too many monitor instances configured at this interval, we recommend reducing the number of monitor instances at the given interval.

For example, if all of your monitors are firing at a 10-second interval, and you are seeing this log message, try modifying some of your intervals be 9 seconds, and some to 11 seconds, leaving some still at 10 seconds. This should alleviate some of the pressure by moving monitor probes into different interval lists.


011b0203 : Error '%s' opening file %s

Location:
/var/log/ltm

Conditions:
This error indicates that the merge daemon, merged, or statistics daemon, statsd, failed to open a file to read. This error identifies the file that failed to open. For example, the message "Error 'No such file or directory' opening file /sys/block/sda/stat" could mean that a drive is defined by the operating system, but the statistics are not yet available, or are no longer available. This error could happen on disk failure.

Impact:
Statistics for the disk are not available when the file is /sys/block/sda/stat. For files in /var/rrd, historical statistics are not be available.

Recommended Action:
No known workaround is available for /sys/block/sda/stat. Rebooting or replacing the failed drive might make statistics available for a failed drive. For /var/rrd, ensure that the directory exists, and is writable and executable. Ensure that the info files in /var/rrd are readable, and that the data files are readable and writable.


011b020b : Error '%s' scanning buffer '%s' from file '%s'

Location:
/var/log/ltm

Conditions:
A round-robin database (RRD) info file is not valid. At the end of the file, there should be a checksum hash on a line that begins "#CRC " followed by a number. This line was not found.

Impact:
The RRD files store historical statistics. The invalid info file prevents certain historical statistics from being read and updated. This affects specific reporting of these statistics like TMSH show commands and TMUI statistics views.

Recommended Action:
Remove or move away the invalid info file and restart statsd. You may need to remove or move away the corresponding data file with the same prefix.


011b0233 : CACHE MISS during %s, prev=%s, curr=%s.

Location:
/var/log/ltm

Conditions:
This log will occur if a statsd query fails to find the requested data in the cache. There is an internal cache within statsd that will store previously gathered full rows of stats data, thus allowing quicker access to the user. The stats cache is a certain size. If a user queries a stat and it is not present, then a cache miss occurs. The statsd process then needs to gather the requested stats for that query.

Impact:
If there are a lot of cache misses, then a performance impact is expected.

Recommended Action:
None.


011b0236 : Merged iStats merge interval changed to be every %d seconds.

Location:
/var/log/ltm

Conditions:
Logged at Notice level when the istats merge interval is modified by changing the value of the merged.istats.merge.interval variable.

Impact:
Reports a configuration change for a user.

Recommended Action:
None.


011b0237 : Merged iStats merge interval called with %d.

Location:
/var/log/ltm

Conditions:
A debug level message logged when the istats interval has expired and there are dynamic statistics to merge.

Impact:
Informational only.

Recommended Action:
None.


011b0309 : %s %s %s

Location:
/var/log/ltm

Conditions:
This error is reported when statsd or merged gets an error from mcpd. The most common example is "tmstat_sample not ready". This message typically happens on startup when statsd requests data from mcpd but merged has not yet merged any data. This message can also occur if there is an error with the /var/tmstat/cluster directory.

Impact:
Statsd will not be able to collect historical statistics, so they will not be available to tmsh show commands and tmui views.

Recommended Action:
If the message only occurs on startup, then it can be safely ignored. Otherwise, verify /var/tmstat/cluster exists and has permissions for merged.


011b032e : Graph '%s' is not supported, possibly because it is not licensed, or a license has expired.

Location:
/var/log/ltm

Conditions:
This message generated by the statsd daemon. The daemon provides services related to statistical data.

It is possible that the license has expired or that the particular graph is not licensed. A user action is required to update the license, so that graph creation is permitted.

Impact:
The Graph is not created and the message is logged.

Recommended Action:
Either update the license or call F5 support to acquire the needed license. A "tmsh install sys license" command will install the license.


011b0600 : Error '%s' during rrd_update for rrd file '%s'

Location:
/var/log/ltm

Conditions:
An attempt to update a round-robin database (RRD) file for historical statistics failed. This error typically means that the data file is corrupt. This error can also be caused by problems with the /var/rrd directory, such as the directory is missing or does not have write and execute permissions.

Impact:
The specific historical statistics are not updated so they are no longer reliable. If the data file is corrupt, this error can also affect reading the old historical statistics, so that statistics reports like TMSH show command or TMUI statistics views might not properly report the specific statistics.

Recommended Action:
Verify that the /var/rrd directory exists, and has write and execute permission. If the directory exists with write and execute permission, remove the specific data files, and then restart statsd to recreate the file.


011b0601 : Error '%s' during rrd_graph for graph '%s'

Location:
/var/log/ltm

Conditions:
This error is logged whenever the rrdGraph function fails for any reason.

Impact:
The specific graph is not created.

Recommended Action:
Reattempt the creation. If that fails, restart statsd daemon using "bigstart restart statsd" command.


011b0816 : Statistic collection has ALREADY been started.

Location:
/var/log/ltm

Conditions:
A message is informational (not an error) and is logged when a stat collection is already initiated, and is somehow re-initiated.

This condition can occur when a device in a clustered environment transitions from the HA failover state of primary, to backup, and then back to primary within the stat collection period. Stats collection is initiated on the primary device within an HA clustered environment.

Impact:
None.

Recommended Action:
None.


011b0826 : Cluster collection start error.Exitting

Location:
/var/log/ltm

Conditions:
The statsd daemon failed to read the /config/statsd.conf file, and configure itself to collect historical statistics. This condition might be caused by this file being invalid or a problem with permissions to read the file. It might also be a problem with system resource exhaustion, where file descriptors or memory are not available.

Impact:
No historical statistics will be collected. This issue occurs in all statistics reports that include historical statistics, such as various TMSH show commands and TMUI statistics views.

Recommended Action:
Verify that the /config/statsd.conf file has read permissions and that the file exists. Verify that the file format is valid using the -p (dash p) option of /usr/bin/statsd. Verify that adequate system resources are available. After fixing the problem, restart statsd by using the command "bigstart restart statsd".


011b0900 : TMSTAT error %s: %s

Location:
/var/log/ltm

Conditions:
This error means that the merge daemon, merged, or statistics daemon, statsd, failed to query statistics. This generic error reports a range of underlying causes for the failed query. For example, the error "TMSTAT error max disk stat: read failed." can mean that a drive is defined by the operating system, but that the statistics are not yet available, or are no longer available. This can happen on disk failure. Another example is the error "TMSTAT error tmstat_query cpu_info_table: Cannot allocate memory", which can mean that merged has run out of memory.

Impact:
Statistics for a disk are not available when the error "max disk stat" occurs. For other errors, the message details indicate the statistics that are not available. For example, "cpu_info_table" indicates that the CPU usage statistics have failed.

Recommended Action:
There is no known workaround for a "max disk stat" message. Rebooting or replacing the drive might cause the operating system to make statistics available for a failed drive. For a "Cannot allocate memory" message, restarting merged might make statistics available.


011b090c : tmstat_query_rollup on table %s called

Location:
/var/log/ltm

Conditions:
If debug log is turned on for statsd, then when a stats table roll up is done, typically every 30 seconds, a log message is generated indicating which table roll up is being done.

Impact:
Lots of log messages with the log level set to Debug.

Recommended Action:
Turn off the debug log level to something like informational.


011b090e : getTMValueUNKeyed start

Location:
/var/log/ltm

Conditions:
One is trying to get a statistics value from a table that does not have a key column or the key column is ignored, for example, for a roll up query.

Impact:
No impact. This log message is informational and not an error. A roll-up query is a valid type of query where keys are not specified and data from several tables is summarized.

Recommended Action:
None.


011b090f : DNS Services request rate limiter engaged.

Location:
/var/log/ltm

Conditions:
The error message DNS Services request rate limiter engaged will appear in the /var/ltm log file when the DNS Services Requests Per Second license limit has been exceeded.

Impact:
Subsequent requests are dropped until the number of requests falls below the licensed threshold.

Recommended Action:
View the licensed DNS rate limit using the "tmsh show ltm profile dns" command.


011b0910 : DNS Services request rate limiter disengaged.

Location:
/var/log/ltm

Conditions:
The message DNS Services request rate limiter disengaged will appear in the /var/log/ltm log file when Requests Per Second returns to within the licensed limit.

Impact:
Subsequent requests are processed.

Recommended Action:
View the licensed DNS rate limit using the "tmsh show ltm profile dns" command.


011b0914 : No individual CPU information is available.

Location:
/var/log/ltm

Conditions:
On systems with HT Technology CPUs with split planes enabled, data plane tasks and control plane tasks are split and handled by separate logical cores (hyper-threads). If an error is encountered while collecting statistics on CPU usage in this environment then this message is logged.

Impact:
A transient error. No serious impact.

Recommended Action:
Subsequent statistics requests should recover from this error.


011b0999 : %s: %s

Location:
/var/ltm/log

Conditions:
This message generated by statsd. The daemon provides services related to statistical data.
These are debug logs that can only be turned on thru tmsh.

Impact:
The /var/log/ltm file starts filling up if debug is not turned off. The system does not have this enabled by default.

Recommended Action:
Change the setting through a tmsh command. For example, it can be changed to info or warn as shown below.

tmsh modify sys db log.statsd.level value info
OR
tmsh modify sys db log.statsd.level value warn
OR
tmsh modify sys db log.statsd.level value warning


011d0002 : No diskmonitor entries in database

Location:
/var/log/ltm

Conditions:
MCP is down, or the database is unavailable.

Impact:
The diskmonitor script will not run.

Recommended Action:
Check 'bigstart singlestatus mcpd' and verify it is in 'run'. If not, try rebooting the box. If the problem persists a support ticket should be filed.


011d0004 : Disk partition %s has only %d free

Location:
/var/log/ltm

Conditions:
When the BIG-IP file systems become full, the diskmonitor utility generates warning messages and traps. The diskmonitor utility script runs periodically on the BIG-IP system, alerting you if the partition space or volumes reach a defined threshold.

Impact:
- Upgrades or hotfix installations might fail to proceed.
- Daemon log messages might appear similar to the following examples:
    Couldn't write to <file> / <partition>
    Failed to open file
- System performance can degrade, for example, slow or failed disk writes can occur.

Recommended Action:
Please, refer to https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14403.html for possible actions.


011e0001 : Limiting %s from %d to %d packets/sec for traffic-group %s

Location:
/var/log/ltm

Conditions:
The BIG-IP device throttles the rate of response messages that it sends in certain situations. It is a part of the DoS mechanism. This log information is generated when the BIG-IP device stops throttling the bandwidth for a class of response messages. Depending on the beginning of the log message, it indicates:
- "icmp unreach response" - throttling of ICMP unreachable responses.
- "icmp ping response" - protection from ping floods.
- "icmp tstamp response" - throttling of ICMP response timestamp responses.
- "closed port RST response" - throttling of TCP unreachable messages (no listener).
- "open port RST response" - throttling of responses about aborted TCP connections.
- "unreachable response" - a generic throttle for other kinds of messages, it also covers the specific case of IP reject.

Impact:
It is an information message. The BIG-IP device stopped throttling traffic that likely was generated by a DoS attack.

Recommended Action:
None.


011e0002 : %s: Aggressive mode %s %s (%llx) (%s %s). (%llu/%llu %s)

Location:
/var/log/ltm

Conditions:
1. db variable log.sweeper.activation.enabled is enabled.
2. The sweeper aggressive mode is activated or deactivated.

The BIG-IP device, or virtual server on BIG-IP sweeper, enters or leaves the aggressive mode and starts or stops to kill connections, reflecting the connflow load change on the BIG-IP device.

BIGIP aggressive mode is activated or deactivated, reflecting the traffic load change on BIG-IP device or the affected virtual server. If it is activated, it indicates that the BIG-IP device is overloaded by connflows in the related virtual server. If it is deactivated, it indicates that the load of connflows is reduced to normal level.

Note that if the db variable is disabled, the log will not show up.

Impact:
It is an informational message only.

Recommended Action:
The message is informational and as designed.
Reducing traffic to the BIG-IP device might prevent this message from appearing.
Turn off the db variable to turn off the log if the log is the only concern.


011e0003 : mode sweeper: %s (%llx) (%s %s) %d Connections killed

Location:
/var/log/ltm

Conditions:
1. db variable log.sweeper.activation.enabled is enabled.
2. At least one connection is killed by sweeper due to connflow overloaded on impacted BIG-IP device or the virtual server.

Note if the db variable is disabled, the log will not show up but the connection will still be killed.

Impact:
Connection gets killed by BIG-IP sweeper.

Recommended Action:
The connection gets killed by design. It might suggest that the impacted BIG-IP device or the impacted virtual server is overloaded.

Here are the options to avoid this:
1. Reduce the traffic load to BIG-IP device or affected virtual server.
2. Change eviction policy or adjust the policy parameter of the impacted virtual server.
3. Turn off the db variable to turn off the log, if the log is the only concern.


011f0001 : %s: Bad chunk state %d

Location:
/var/log/ltm

Conditions:
This error occurs due to an invalid or non-compliant HTTP chunking format, while parsing a chunked HTTP response and attempting to retrieve the chunk size. Possible conditions that trigger this error include a malformed HTTP response from the back-end web server, or a faulty LTM virtual server iRule that affects the HTTP response.

Impact:
When this error occurs, the TMM gracefully aborts (resets) the active HTTP connection with the malformed chunked response.

Recommended Action:
A workaround involves either a detailed server-side logging (on the back-end server) to track possible malformed HTTP chunked responses, or the addition of minimal instrumentation logs to the iRules that are potentially altering the HTTP response.


011f0004 : Invalid header insert profile, missing the colon separator in - %s

Location:
/var/log/tmm

Conditions:
HTTP's header insertion profile feature is used with invalid text. The expected value is of the form:

Header: Value

Impact:
The header will not be inserted.

Recommended Action:
Change the text for the inserted header to match the expected form.


011f0005 : HTTP header (%d) exceeded maximum allowed size of %d

Location:
/var/log/ltm

Conditions:
HTTP headers have a configurable size limit. The request or response includes headers that are too large. The size of headers (in bytes) exceeds the limit configured in the http profile.

Impact:
The connection will be dropped.

Recommended Action:
The size limit for http headers can be modified in the http profile.


011f0007 : %s - Invalid action:0x%x %s (%C) %s (%C)

Location:
/var/log/ltm

Conditions:
This error describes the state of the HTTP filter, and the attempted action. The IP address of the client and server (if available) are shown.

The HTTP Filter encountered an unexpected situation, for example:
- Internal Errors.
- Complex unexpected interactions between filters.
- Complex IRule interactions.
- HA desynchronization.
- RFC violations

Impact:
The connection will be dropped.

Recommended Action:
A TCP Dump might be required in order to determine the exact sequence of events required to trigger the issue. Typically, this error is triggered by an unusual situation not covered by other error messages.


011f0008 : %s - Invalid state transition to %s

Location:
/var/log/ltm

Conditions:
A faulty iRule typically triggers this error, interfering with the normal flow of events in the TMM connection flow. For example, this error can occur when forcibly closing an HTTP connection while redirecting, all within an iRule handling the HTTP request event.

Impact:
This error can result in a range of conditions: from receiving a simple, benign notification to resetting (or aborting) the active connection, depending on how the iRule handles the related connection flow events.

Recommended Action:
When this error occurs, it indicates that an iRule attempts to alter the traffic flow on a virtual server in an unexpected way. The cause can be determined with additional logging in the iRule, and examination of the invalid state transition that is logged by the error.


011f0011 : HTTP header count exceeded maximum allowed count of %d

Location:
/var/log/ltm

Conditions:
The request or response has headers that are too large. The number of headers exceeds the limit configured in the http profile.

Impact:
The connection will be dropped.

Recommended Action:
The limit for the number of http headers can be modified in the http profile. Note that increasing this limit will increase the total amount of TMM memory that can be taken by a http connection.


011f0012 : HTTP profile option %s incompatible with proxy_type. Using default instead.

Location:
/var/log/tmm

Conditions:
Some HTTP profile field options are gated by the HTTP proxy type. If the field value is disallowed, then the default will be used.

This typically occurs due to the use of non-default enforcement options when the proxy type is not "transparent".

Impact:
This is a warning that the particular profile options selected are not in effect. The default behavior will be used instead.

Recommended Action:
1) Revert the profile field value to the default, or to a value allowed by the HTTP proxy type.

2) Inherit from a HTTP profile with a different proxy type that allows the wanted values.


011f0016 : %s - Invalid action:0x%x Server sends too much data. serverside (%C) clientside (%C)

Location:
/var/log/tmm

Conditions:
The HTTP server has responded with more data than expected. It either is returning more data than indicated by the Content-Length header, or more data after the ending chunk in Chunked Encoded transfers. This behavior is not compliant with the RFC.

Impact:
The TMM has lost synchronization with the HTTP servers data stream. The BIG-IP device cannot parse headers any more. The connection to the server will be aborted.

Recommended Action:
The back-end web application should return the correct size of its content body in the Content-Length header or Chunk headers.

If the back-end is the Internet (in a forward proxy scenario), setting the "pipeline" option to passthrough might be appropriate.


011f0017 : Config error: HTTP Header Entry [%s:%d] update: agent clone failed

Location:
/var/log/tmm

Conditions:
The probable cause for this message is internal to the BIG-IP system: when an http_header_entry agent, in a per request policy in APM, is modified, failure can happen while cloning it, because the pointer to the agent entry is NULL.

Impact:
The update made to the HTTP Header Modify agent in per-request policy is lost and logs this error message.

Recommended Action:
Update to HTTP Header Modify agent in per-request policy can be made again.


01200009 : Packet rejected remote IP %*A port %d local IP %*A port %d proto %s: Connection limit exceeded.

Location:
/var/log/ltm

Conditions:
The connection has been rejected because the per-virtual connection limit has been reached.

Impact:
New connections will not be established until the open connection count falls below the limit.

Recommended Action:
None.


01200012 : Warning, connections equals limit %F, proto %s, VS %s: Connection limit reached.

Location:
/var/log/ltm

Conditions:
The connection limit for the virtual address/node address/snat address has been reached. In a single tmm system, it is the total connection limit for that tmm. In a cmp system, the tmm's connection limit is determined by the conn_limit/number of active blades. If it does not divide evenly, then the remainder is distributed among the members of low pg number blades.

The connection limit can be set by modifying "connection-limit" for an ltm virtual-address, virtual, snat-translation, node, or pool members. A value of 0 indicates no limit.

Impact:
Any future connection to this tmm for the particular address will result in it being rejected by the tmm.

Recommended Action:
Adjust the connection-limit as appropriate.


01200014 : Warning, connections equals limit %F, proto %s, RD %s: Connection limit reached.

Location:
/var/log/ltm

Conditions:
This will occur if BIG-IP reaches the maximum number of connections for the given protocol on the given route domain.

Impact:
The new connection will not be made.

Recommended Action:
None.


01200016 : Warning, node IP %*A has reached its connection limit.

Location:
/var/log/ltm

Conditions:
Connection limit has been reached on the specified Node.

Impact:
It's an information message. The user can expect TMM to refuse further connections for that Node.

Recommended Action:
Consider reviewing your configuration to possibly increase the Node connection limit if the situation is frequent.


01200017 : Warning, pool member IP %*A port %u for pool %s has reached its connection limit.

Location:
/var/log/ltm

Conditions:
Connection limit has been reached on the specified Pool Member.

Impact:
It's an information message. The user can expect TMM to refuse further connections for that Pool.

Recommended Action:
Consider reviewing your configuration to possibly increase the Pool Members connection limit if the situation is frequent.


01220001 : TCL error: %s

Location:
/var/log/tmm

This error appears in both GUI and console. The exact error message is in the printout.

Conditions:
An error occurred during iRule execution. The exact error message is in the printout.

Impact:
If the error occurred on a connection, the connection can become terminated.

Recommended Action:
To repress the error, use a catch command to prevent the error pass up.


01220002 : Rule %s: %s

Location:
/var/log/ltm

Conditions:
This error is present in the log when one of the following conditions occurs:
1. The iRule code includes a log statement which does not use any of the component, facility, and priority options.
   For example, the statement looks like:

   <some code>
   ...
   log "this is a log message without facility and priority"

2. There an error occurred during TCL compilation of the script.
   In this case, the message will include details of the error generated by the compiler
   and will be of the form "Rule <rule name> compilation failed: <compiler error here>"

Impact:
In the first case, normal log messages appear in the log with this code.

In the second case, the iRule will need to be modified to correct the error.

Recommended Action:
For the first case, it is recommended that the usage of the log command be changed to include facility and priority. For example, change the statement below:
   log "this is a log message without facility and priority"
to
   log local0.info "this is an info level log message"

For the second case, resolution is highly dependent on the error generated, but will most likely require modification
of the iRule source.


01220007 : No pending rule event found for %F

Location:
/var/log/ltm

Conditions:
This message indicates that upon resumption of iRule execution,
after a suspending operation has been executed (for example executing [table lookup key]),
the state of the flow is not as expected and is no longer in a suspending state.

A possible scenario involves an iRule that performs a side band connection as part of its logic, and has the connection reset by the peer while waiting for a response. For example, perform DNS resolution, or obtain some information from a server using HTTP request, and
wait for the answer.
When the suspending operation is completed, the flow cannot resume normal operation.

This condition should rarely be present during normal operation.

Impact:
If the flow was externally affected (terminated), it is likely not in service, so no impact is caused to traffic associated with the flow.
If the flow was not terminated, it is possible traffic associated with the flow may be impacted.

Recommended Action:
Ensure network conditions around the BIG-IP device does not contribute to this issue.

It is possible to forcibly terminate the flow if it still exists (for long held connections) by issuing the following command:
tmsh del sys conn cs-client-addr a.a.a.a cs-server-addr s.s.s.s cs-server-port p


01220008 : Unable to resume pending rule event %s for closed %F

Location:
/var/log/ltm

Conditions:
This message indicates that upon resumption of iRule execution,
after a suspending operation has been executed (for example executing [table lookup key]),
the flow is terminated due to another event.

A possible scenario involves an iRule that performs a side band connection as part of its logic, and has the connection reset by the peer while waiting for a response. For example, perform DNS resolution, or obtain some information from a server using HTTP request, and wait for the answer.
When the suspending operation is completed, the flow cannot resume normal operation.

This condition should rarely be present during normal operation.

Impact:
If the flow was externally affected (terminated), it is likely not in service, so no impact is caused to traffic associated with the flow.
If the flow was not terminated, it is possible traffic associated with the flow may be impacted.

Recommended Action:
Ensure network conditions around the BIG-IP device do not contribute to this issue.

It is possible to forcibly terminate the flow if it still exists (for long held connections) by issuing the following command:
tmsh del sys conn cs-client-addr a.a.a.a cs-server-addr s.s.s.s cs-server-port p


01220009 : Pending rule %s aborted for %F

Location:
/var/log/ltm

Conditions:
This is an information message, issued when one of the following event occurs:

A connection is torn down or aborted, where the connection has an iRule
   currently executing a suspending command (eg. [table lookup key])

Impact:
This is an information message only.

Recommended Action:
None.


01220010 : %d previous aborted rule log messages suppressed

Location:
/var/log/ltm

Conditions:
This log message is emitted under the following conditions:
1. The control used to suppress rule aborted messages is set to a non-default number greater than 1 (TBD see reference for ltm global-settings rule rule-aborted-log-ratio)
2. There were N (the number set for the control) aborted rule events.

This message indicates that the previous N occurrences of aborted rules were suppressed.
The message is generated to ensure that when the control is set to a value larger than 1 (presumably a large number), the actual number of aborted rule executions is recorded.

Impact:
When a user sets the control referred to above to a number other than 1 (and presumably large), the number of log messages in /var/log/ltm is reduced, but this message is emitted whenever a sufficient number of aborted rule executions has occurred.

In effect, the number of logged messages is reduced from 1 message per occurrence to 2 per N occurrences.

Recommended Action:
The user can set the value of the control referred to above to the default of 1 to prevent this message from appearing in the log.


01220011 : Pending rule %s aborted for context %llx

Location:
/var/log/ltm

Conditions:
An iRule using a parking command (table, after, etc) is on a virtual server. A flow on that virtual server is running the iRule and the iRule is parked, but the flow has been closed before the iRule could unpark (usually because of an abort).

Impact:
The iRule does not finish executing.

Recommended Action:
The primary recommended action is to ensure that aborts are not common for flows on virtual servers with parking iRules. The secondary recommended action is to put as much of the state changing operation of the iRule before any parking commands.


01220012 : Failed to configure rule %s for virtual %s.

Location:
/var/log/ltm

Conditions:
The system attempted but failed to find or allocate the configured listener to which an iRule is being attached.

This is and internal error not an indication of a configuration issue.

Impact:
The system fails to set up the virtual server object or its dependencies. Therefore, the configured virtual server fails to process traffic or does not have the desired iRule in effect, resulting in a service disruption.

Recommended Action:
Consider issuing the "bigstart restart" command.


01230001 : Interface %d.%d: link is up, %dMbps %s

Location:
/var/log/ltm

Conditions:
Occurs on startup as informational message about an internal interface link status. If this message doesn't occur, then likely a different issue occurred related to device initialization.

Impact:
None.

Recommended Action:
None.


01230002 : Interface %d.%d: link is down

Location:
/var/log/ltm

Not on console or in GUI

Conditions:
This message is logged when internal interfaces used to communicate with F5 internal high speed bridges transition from up to down in tmm and report to the master control process (mcp). This is not a spontaneous link failure, but a controlled action, when the tmm process is exiting.
This is an informational log on an internal link status.

This message will appear once for every internal interface when the tmm processes restart. The user can verify that the interface comes back up with the following command:
tmsh show net interface <interface_number> -hidden

At this time, there is not a corresponding message when the interface comes back up.

Impact:
None, this is informational

Recommended Action:
None.


01230032 : Interface %s not found

Location:
/var/log/ltm

Conditions:
When processing a trunk member configuration change, if the tmm can not find the interface in its interface list then it logs this message.

Impact:
The trunk configuration or status might not be configured properly and not deliver traffic.

Recommended Action:
Check the configuration. Restart system. Force-load mcp binary db (https://support.f5.com/csp/article/K13030)


01230066 : Vlan %s - untagged interface %d/%d currently in use on vlan %s

Location:
/var/log/ltm

Conditions:
This VLAN is trying to use an interface as untagged when the interface is already used as untagged on another VLAN.

Impact:
The interface will not be used.

Recommended Action:
Do one of the following: Use the interface as a tagged interface, change the interface to a tagged interface on the other VLAN, or choose a difference interface.


01230074 : Vlan %s, member %s - unsupported type %d

Location:
/var/log/ltm

Conditions:
An attempt was made to add a VLAN member that is neither an interface or a trunk.

Impact:
Requested VLAN member is not added.

Recommended Action:
Add interfaces and trunks only as VLAN members. If this error occurs when adding an interface or trunk VLAN member, file a bug.


01230087 : Vlan %s, member %s instance add error %u

Location:
/var/log/ltm

Conditions:
1. TMM is out of memory (error value in the log message will be 1 in this case).
2. There is an error in the member interface that was not caught by the configuration subsystem.

Impact:
The error can occur when configuring to add a member interface or trunk to a VLAN. When the error occurs, the error is logged, but the VLAN member configuration is allowed to proceed. The only feature impacted by this error in 13.0.0 is Layer 2 cloning (packets will not be cloned to the member interface where the error is encountered).

Recommended Action:
For error due to out of memory condition, locate processes occupying large amounts of memory, and restart if possible.


01230088 : Couldn't %s vlangroup %s

Location:
/var/log/ltm

Conditions:
This message occurs when one of the following occurs:

1) TMM is parsing a configuration message from MCP, and TMM is out of memory.

2) The system previously received an out-of-memory message. Now, the system has tried to modify a configuration that was never added, due to the previous out-of-memory condition.

Impact:
The relevant VLAN group does not receive or pass traffic.

Recommended Action:
Restart TMM. TMM will not pass traffic during the restart.


01230111 : Interface %d.%d: HSB DMA lockup on %s.

Location:
/var/log/ltm

Conditions:
The HSB hardware experiences some lockup conditions under certain circumstances.

A tmm reports that one of the internal interface that connects to the HSB DMA engine is in a bad lockup state on either the transmitter or receiver side.

Jun 14 04:46:12 slot1/BIG-IP1 crit tmm4[34471]: 01230111:2: Interface 0.5: HSB DMA lockup on transmitter failure.

Impact:
Traffic will be interrupted, and failover might be triggered. The BIG-IP system might reboot to recover. A core file might also be generated because this condition usually leads to the tmm missing heartbeats, and thus is aborted by sod.

Recommended Action:
When this condition happens, collect an HSB register dump by running the hsb_snapshot command before the BIG-IP system is rebooted, such that it may be examined by the firmware team for root cause analysis. If the condition continues, send the register dumps to the firmware team for analysis of possible hardware issues.


01230113 : "Unsupported media setting %s for interface %s"

Location:
/var/log/ltm, console

Conditions:
A media setting for an interface such as speed or duplex does not match the type supported by the physical port.

Impact:
The interface change will not occur. Normally, these settings are caught in configuration validation and not expected to be logged by tmm.

Recommended Action:
Check the configuration for the interface.


01230140 : RST sent from %A:%d to %A:%d, %s

Location:
/var/log/ltm

Conditions:
This message is logged only when the db variable tm.rstcause.log is set to TRUE.
This message includes the source address and port, destination address and port, and a description, if available. For example, "RST sent from 1.2.3.4:80 to 5.6.7.8:56789, No flow found for ACK".

Impact:
When the db variable tm.rstcause.log is enabled, performance might be affected.

Recommended Action:
This db variable tm.rstcause.log is off by default. To turn off these messages, set the db variable tm.rstcause.log to disabled (tmsh modify sys db tm.rstcause.log value disabled).


01240006 : Error querying request URI: %s

Location:
/var/log/tmm

Conditions:
Inflate or Deflate filter is enabled on the virtual server, and no URI was found in the request. This might happen if client specifies legacy HTTP version 0.9 request without a URI, or an intentionally malformed request.

Impact:
Inflate/Deflate filter logs message, but continues processing. This condition does not trigger a connection reset or other response.

Recommended Action:
Check that all requests to virtual server are supplying a valid URI.


01260000 : Profile %s: %s

Location:
/var/log/ltm

Conditions:
This message occurs in the following cases:
* Cannot load a required file (key, certificate, CRL, CA)
* Forward Proxy is enabled, but not licensed
* The supplied cipher string resulted in no ciphers
* Problems with a FIPS key
* Invalid OCSP configuration.

Impact:
Any virtual server reporting this SSL configuration will not work as expected.

Recommended Action:
The message contains details about which error occurred. Use those details to determine a course of action. For example, if the detail is `could not load key file' determine which file it cannot load and why.


01260006 : Peer cert verify error: %s (depth %d; cert %s)

Location:
/var/log/ltm

Conditions:
The peer certificate failed to validate for any number of reasons (invalid certificate, out of date, and so on).

Impact:
The SSL handshake will be aborted.

Recommended Action:
The CA file might need to be updated. More likely, the peer certificate is simply invalid. This is mostly informative.


01260008 : SSL transaction (TPS) rate limit reached

Location:
/var/log/ltm

Conditions:
The SSL license has a limited number of transactions per second, and the incoming rate exceeds this.

Impact:
Any transactions exceeding the licensed limit will be aborted.

Recommended Action:
This is mostly informational, though an, `unlimited,' license is available.


01260009 : Connection error: %s:%d: %s (%d)

Location:
/var/log/ltm

Conditions:
* Various internal errors (unexpected states)
* An attempt to initiate a handshake while a handshake is in progress
* Anytime an SSL alert is sent

Impact:
This is informative and should have no effect on an existing connection.

Recommended Action:
Informative only. No workaround.


01260010 : FIPS acceleration device failure: %s

Location:
/var/log/ltm

Conditions:
The internal FIPS card is not responding correctly to requests. This is a hardware error.

Impact:
Performance degradation to performance cessation.

Recommended Action:
There is no workaround for this issue.


01260012 : Self-initiated renegotiation attempted while renegotiation disabled: %s

Location:
/var/log/ltm

Conditions:
An SSL client or server requests renegotiation when the corresponding SSL profile has renegotiation disabled.

Impact:
Renegotiation will not happen.

Recommended Action:
Enable `renegotiation' is the associated profile.


01260013 : SSL Handshake failed for <PROTOCOL> <SRC> -> <DST>

Location:
/var/log/ltm

Conditions:
The connection is closed before the SSL handshake completes.

Impact:
This is informative only. The peer closed the connection during an SSL handshake.

Recommended Action:
Informative only.


01260014 : Cipher %x:%x negotiated is not configured in profile %s

Location:
/var/log/ltm

Conditions:
Proxy-ssl is configured on the virtual server, passthru is not enabled, and the cipher negotiated by the client and server is not supported in the SSL profile.
Note: This message is deprecated. The new message is, ``Cipher %x:%x negotiated is not supported by Proxy SSL configured in virtual server %s''.

Impact:
The connection will not be allowed.

Recommended Action:
Add the necessary ciphers to the SSL profiles, or reconfigure the SSL server to only negotiate ciphers allowed by the profiles.


01260014 : Cipher %x:%x negotiated is not configured in profile %s

Location:
/var/log/ltm

Conditions:

Impact:
The connection will not be allowed.

Recommended Action:
Add the necessary ciphers to the SSL profiles, or reconfigure the SSL server to only negotiate ciphers allowed by the profiles.


01260015 : Certificate supplied by server (subject CN: %s) was not configured on virtual: %s

Location:
/var/log/ltm

Conditions:
Proxy SSL is configured and the certificate from the SSL server does not exist in any profiles attached to the virtual.

Impact:
An alert will be sent closing the connection.

Recommended Action:
Add the SSL server's certificate to a profile connected with the virtual.


01260017 : Connection attempt to insecure SSL server (see RFC5746) aborted: %A:%d

Location:
/var/log/ltm

Conditions:
Strict renegotiation is enabled on a server-ssl profile, and the SSL server is not capable of secure renegotiation.

Impact:
The connection to the SSL server will be aborted.

Recommended Action:
Only use SSL servers that support secure renegotiation.


01260018 : Connection attempt to insecure SSL server (see RFC5746): %A:%d

Location:
/var/log/ltm

Conditions:
An SSL server does not support secure renegotiation (defined by RFC 5746).

Impact:
This is informational only.

Recommended Action:
None.


01260024 : OCSP failure on profile %s, certificate with issuer %s and serial number %lx: %s - %s

Location:
/var/log/tmm

Conditions:
This message is seen when there is a failure in fetching OCSP response.

Impact:
None.

Recommended Action:
None.


01260025 : Cipher %x:%x negotiated is not supported by Proxy SSL configured in virtual server %s

Location:
/var/log/ltm

Conditions:
Proxy-ssl is configured on the virtual server, passthru is not enabled, and the cipher negotiated by the client and server is not supported in the SSL profile.

Impact:
The connection will not be allowed.

Recommended Action:
Add the necessary ciphers to the SSL profiles, or reconfigure the SSL server to only negotiate ciphers allowed by the profiles.


01260026 : No shared ciphers between SSL peers %A.%d:%A.%d.

Location:
/var/log/ltm

Conditions:
An SSL client attempts to connect to a BIG-IP device, but none of the sent ciphers match the configured ciphers in the client-ssl profile.

Impact:
The SSL client will be unable to connect to the BIG-IP device.

Recommended Action:
Determine which ciphers the SSL client is sending, and add one or more of them to the relevant client-ssl profile.


01260034 : SSL decryption canceled.

Location:
/var/log/ltm

Conditions:
When the SSL decryption process is intentionally canceled during the SSL handshake. Usually a result of a SSL client side's terminating of an SSL connection.

Impact:
None.

Recommended Action:
None.


01260039 : Block cipher data limit exceeded.

Location:
/var/log/ltm, GUI

Conditions:
Amount of data encrypted/decrypted using block cipher exceeded its safety limit. If this happens, SSL will attempt to renegotiate. If renegotiation failed, connection will terminate.

Impact:
If SSL renegotiation is successful, there is no impact. On the other hand, if renegotiation failed, connection will be terminated.

Recommended Action:
Make sure SSL renegotiation works correctly, or avoid block cipher with lower data safety limit: 3DES.


01260042 : Negotiated ECDH ciphersuite (0x%05x : %s) not supported with FIPS or network-HSM keys configured in the SSL profile associated with the virtual server %s.

Location:
Static ECDH cipher suites are not supported on BIGIP with external network HSM and FIPS device and SSL handshake fails.

Conditions:
An attempt is made to negotiate a static, ECDH-based cipher with a netHSM or FIPS-based key/certificate.

Impact:
The SSL handshake fails.

Recommended Action:
Configure an ephemeral, ECDHE-based cipher in the SSL profile that is assigned to the virtual server.


01260043 : Skipping per-request policy because SSL Forward Proxy Bypass is disabled in the SSL profile (%s)

Location:
/var/log/ltm

Conditions:
The SSL Forward Proxy is configured, with a Per-Request Policy enabled, but the SSL Forward Proxy Bypass feature is disabled in the Client and Server SSL profiles.

Impact:
The per-request policy is not invoked with SSL data.

Recommended Action:
Enable the SSL Forward Proxy Bypass feature. We recommend "Intercept" as the default action.


01260044 : SSID is not supported with TLS 1.3.

Location:
/var/log/ltm

Conditions:
This message occurs when a client-side virtual server has ALL of the conditions below:
1. Has NO SSL profile enabled.
2. Has SSL Session ID (SSID) Persistence as one of the resources (that is, the SSID is enabled.
3. TLS 1.3 traffic is negotiated between the SSL client and the back-end SSL server, with the BIG-IP device acting as a passive listener between the client and the back-end server.

Impact:
Whenever TLS 1.3 traffic is processed and the SSID filter is enabled:
1. The filter switches to pass-through.

2. No session ID or session ticket is cached for persistence. As a result:
2a. The CLI command "tmsh show ltm persistence persist persist-records" will NOT show any of this information.
2b. No SSID persistence will be used to load-balance client traffic on to a back-end server (because there is no persistence record).

Recommended Action:
There is no solution possible with TLS 1.3. SSID is broken by the very nature of the TLS 1.3 protocol.

The only workaround possible, if SSID persistence is insisted upon, is to use TLS 1.2 between the SSL client and the SSL back-end server.


0127000c : Coalesced (%lu) requests for the previous command into 1 execution

Location:
/var/log/ltm

Conditions:
Disabled by default. When syscalld debugging is enabled, appears in /var/log/ltm.

The same syscalld command is invoked in rapid succession.

Impact:
Instead of running the command once for every request, in order to prevent the system from being overrun, syscalld will combine invocations of the same command with the same arguments.

Recommended Action:
No action required. This message does not indicate a problem.


01280045 : Debug: %s

Location:
/var/log/ltm

Conditions:
STPD is running and debug logging is enabled.

Impact:
No impact - debug messages are to aid developers.

Recommended Action:
None.


01290003 : HALMSG reporting error conditions

Location:
/var/log/ltm

Conditions:
Various logs associated with errors encountered by the hardware abstraction layer (HAL) when using the inter daemon messaging interface during startup or normal operation.
Some typical examples are:
    "HalmsgTerminalImpl_::sendMessage() Can't create HalmsgConnection_"
    "HalmsgTerminalImpl_::sendMessage() Unable to send to any %s address", str

Impact:
The HAL messaging service might not create or maintain a connection between affected daemons, for transferring messages between registered HAL messaging component end points.

Recommended Action:
The specific log indicates if the error relates to system instability, where relevant daemons might not be running or responding. If the issue persists across daemon or system restarts, file a support ticket with more specific information, as indicated in the relevant log message.


01290004 : HALMSG reporting warning conditions

Location:
/var/log/ltm

Conditions:
Internal HAL messaging system has encountered an unexpected condition. Conditions can vary and be caused by but not limited to:
- Linux socket errors, which may be temporary in nature
- File operations that encounter names that are too long
- Messages from other processes that are too long

Impact:
Varies considerably with specific warning. It might indicate a configuration error somewhere else in the system.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings, and try to correlate the HAL messaging error with another system that might be misconfigured.


012a0000 : "LIBHAL reporting system is unusable"

Location:
/var/log/ltm

Conditions:
During startup or normal operation, the system logs various emergency level messages associated with errors encountered by the hardware abstraction layer (HAL) daemon. Some typical examples are:

      "Automatically rebooting to complete firmware update"
      "System rebooting ..."
      "Reboot required to fix PCIe hardware failure"
      "Blade %d power DOWN effected (as requested by %d via CAN bus %d)",...

Impact:
A system reboot might be required for continued operation, due to a possible failure of the HAL daemon or because firmware was updated.

Recommended Action:
The specific log indicates whether the error is related either to expected system restarts after firmware updates or to hardware and system instability issues. If the issue persists across daemon/system restarts, file a support ticket.


012a0002 : "LIBHAL reporting critical conditions"

Location:
/var/log/ltm

Conditions:
Various critical logs associated with errors encountered by the hardware abstraction layer (HAL) daemon during startup or normal operation.
Typical examples include:
   "platform_detect: no recognized platform detected."
   "critical platform initialize failure. exiting..."
   "hal_get_dossier: space allocation error"
   "Error creating interface_bundle = %x",err
   "SSD (%s) at bay %d shelf %s: current available space (%d%%) has reached its threshold (%d%%)",...

Impact:
The HAL daemon might not be able to correctly identify the platform or publish the hardware abstraction configuration at startup, or has encountered a critical failure during normal operation.

Recommended Action:
The specific log will indicate if the error relates to platform-specific issues, or system instability. If the issue persists across daemon/system restarts, a support ticket should be filed.


012a0003 : LIBHAL reporting error conditions

Location