F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. Log Messages Reference
Supplemental Document : Log Messages Reference

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Analytics

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Link Controller

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP FPS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.0, 14.0.0, 13.1.5, 13.1.4, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6

BIG-IP DNS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP Distributed Cloud Services

  • 17.1.2, 17.1.1, 17.1.0

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Advanced WAF

  • 13.1.1, 13.1.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Original Publication Date: 02/17/2022 Updated Date: 12/04/2024



Log Messages List



ID Number Description
00020000 Resuming log processing at this invocation; held %d messages.
01010001 %s starting
01010004 Memory allocation failed: %s
01010007 "Config error: %s"
01010011 Persistence cookie hash failed
01010013 database size increased by %d bytes, %d total
01010019 Caught signal %d, exiting
01010020 MCP Connection %s, exiting
01010027 Unable to attach to PCI device %02x:%02x.%02x
01010028 No members available for pool %s
01010029 Clock advanced by %u ticks
01010038 Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d
01010040 Clock has unexpectedly adjusted by %lld ms
01010044 "%s feature %s licensed"
01010045 Bandwidth utilization is %d Mbps, exceeded %d%% of Licensed %d Mbps
01010054 tmrouted connection %s
01010056 Syncookie counter %d exceeded vip threshold %u for virtual = %s
01010201 Inet port exhaustion on %*A to %*A%c%d (proto %d)
01010213 L3 Address LB method deprecated; using 'Least Connections' for pool %s
01010216 DNSSEC: Signature failed (%s) for RRSET (%s, %lu) with key %s, generation %llu.
01010221 Pool %s now has available members
01010225 Failure to query dns-express db (%s)
01010231 DNSSEC: Did not add RRSIGs to response RR set (owner: %s).
01010235 Inet port find called for pg %d with invalid cmp state %x
01010239 LSN error: %s
01010240 Syncookie HW mode activated, server = %A:%d, HSB modId = %d
01010241 Syncookie HW mode exited, server = %A:%d, HSB modId = %d from %s
01010250 Pool member %A:%u exceeded configured rate limit.
01010251 Virtual %s exceeded configured rate limit.
01010259 External Datagroup (%s) %s.
01010260 Hardware Error(%s): %s %s
01010273 Access policy Configuration object: [%s] not found
01010274 Access Policy and Access Policy Item join failed: [%s] not found
01010276 FTPS warning: Security policy disabled for %A%%%u:%u due to explicit FTPS mode negotiation
01010290 TCP: Memory pressure activated
01010291 TCP: Memory pressure deactivated. Dropped %llu packets, %llu bytes
01010300 BDoS: (TMM) Histogram (%p) %s for context %s (ref cnt %d).
01010301 BDoS: (TMM) %s failure for context %s - %s (error %s).
01010302 BDoS: (TMM) %s signature (%s) for context %s at idx %u (detection=%u mitigation=%u state=%s transient=%s retired=%s).
01010303 BDoS: (TMM) signature (%s) removed (at idx %u of signature table) from context %s.
01010305 BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s l4_bdos_licensed=%s bdos_feature_enabled=%s detection=%s
01010307 Memory allocation failed: %s %s
01010308 Access Policy update: %s End Txn Failed (%d)
01010309 Access Policy(%s) update: Subroutine properties can be only assigned to Access policy of type subroutine
01010310 Incomplete hud chain for listener: %s
01010311 Failed to configure VDI-enabled listener %s: %En
01010313 Profile %s create failed.
01010314 profile %s update: bad profile
01010315 Agent [%s] update: Invalid event validate
01010316 Agent [%s] update: agent clone failed
01010317 Agent [%s] update: agent store failed
01010318 Agent [%s] update: agent construct failed
01010322 pem protocol profile gx modify {%s}: invalid
01010323 {%s, %s}: protocol message cannot be deleted, error %E
01010324 {%s, %s}: not found, cannot modify.
01010325 pem protocol profile radius modify {%s}: invalid
01010326 {%s, %s}: protocol message cannot be deleted, error %E
01010327 {%s, %s}: not found, cannot modify.
01010328 BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s dns_bdos_licensed=%s detection=%s
01010329 BDoS: (TMM) Signature %s: threshold_mode=%s detection=%u mitigation_curr=%llu
01010330 Failed to register the Neuron App %s with the Neuron client
01010331 Neuron client %s failed with %s(%s)
01010332 Neuron application %s registered
01010342 Disabled TCP HW checksum offloading automatically disables TCP Segmentation Offload (TSO)
01010343 Syncookie SW mode activated, server = %A:%d
01010344 Syncookie SW mode exited, server = %A:%d
01010346 [LTM LB][%C]%s
01010347 DynaD activated
01010348 DynaD inactivated
01010348 Access Policy(%s) update: Customization group set can be only assigned to Access policy of type per-request
01010349 DNSSEC: Failed to parse DS record string (%s): %s
01010355 DNS: Awaiting full DNSSEC Key %s Generation %llu from MCP
01010356 %s: filter '%s' init failed.
01010364 Hybrid fixed-policy setting change: from %d to %d.
01010365 DNSSEC: Invalid value specified for DB variable %s. Using default value.
01010371 CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
01010372 CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
01020037 The requested %s (%s) already exists
01020066 The requested %s (%s) already exists in partition %s
0102006e IP Address %s is invalid with netmask %s, must not be the same as network address.
0102006f The string does not contain only space separated integers between 0 and 4294967295
01060001 Service detected %s for %s:%u monitor %s.
01060002 Node address detected %s for %s monitor %s.
01060110 Lost connection to mcpd with error %d, will reinit connection.
01060111 Open SSL error - %s
01060136 Received links up - monitoring starts.
01060145 Pool %s member %s monitor status %s. [ %s ] [ %s ]
01060146 Bigd PID %d, instance %d, overloaded.
01060156 Bigd PID %d, instance %d, fail to serialize 'bigd=>mcpd' message (exceed msg-length limit?): %s.
01060157 Receive string cannot be empty for reverse monitor '%s'
01060158 Disable string must be empty for reverse monitor '%s'
01070007 Received shutdown signal %d
01070043 Monitor %s parent not found.
0107004e LTM configuration is not allowed when VCMP is provisioned. Virtual server %s conflicts with VCMP.
01070069 Subscription not found in mcpd for subscriber Id %s.
01070147 Snatpool %s must reference at least one translation address.
01070151 Rule [%s] error: %s
01070165 "License file stat fails: %s."
01070259 Requested member (%s) is untagged on another VLAN
0107025d Nameserver for Wide IP Zones (%s) is not a fully qualified domain name or contains invalid characters.
0107025e Nameserver for Wide IP Zones is empty. A valid, fully qualified domain name must be specified.
01070261 Can't create a home directory for username %s (%s)
01070265 The %s (%s) cannot be deleted because it is in use by a %s (%s)
01070277 The requested %s (%s) was not found
0107028a The source address (%s) for virtual server (%s) must have a prefix length.
01070301 Pool (%s) is referenced by one or more virtual servers
0107030c Host persistence requires an HTTP profile to be associated with the virtual server
01070315 profile %s requires a key
01070318 The requested media %s for interface %s is invalid.
01070320 Snatpool %s is still referenced by a virtual server.
0107032f The vlan (%s) associated with the static route %s/%d must have a Self IP using the IPv%u protocol.
01070340 %s (%s) is referenced by one or more rules
01070341 Virtual server %s references rule %s which does not exist.
01070354 Self IP %s / %s: This network is defined on two vlans (%s and %s)
01070356 %s feature not licensed
01070392 Self IP %s / %s: This IP shares a network with %s (%s / %s).
01070394 %s in rule (%s) requires an associated %s profile on the virtual server (%s)
01070404 Add a new Publication for publisherID %s and filterType %p
01070406 Removed publication with publisher id %s
01070407 Removed information for Publication %s and filterType %p
01070408 Deleting abandoned subscriber connection for %s
01070410 Removed subscription with subscriber id %s
01070413 Updated existing subscriber %s with new filter class %llx
01070417 AUDIT - user %s - transaction #%u-%u - object %u - %s
01070418 connection %p (user %s) was closed with active requests
01070419 Platform initialization phase triggered
01070421 Base configuration initialization phase triggered.
01070424 Full configuration initialization phase triggered.
01070427 Initialization complete. The MCP is up and running
01070465 DB changed: %s, configsync needed
01070466 Received end of platform data
01070468 %s
01070596 An unexpected failure has occurred, %s, exiting...
01070599 Current management-ip (%s) has to be deleted before adding a new management-ip (%s) with the same address family.
01070604 Cannot delete IP %s because it would leave a route unreachable.
01070608 License is not operational (expired or digital signature does not match contents)
01070622 The monitor %s has a wildcard destination service and cannot be associated with a node that has a zero service
01070638 "Pool %s member %s:%u monitor status %s."
01070639 Pool %s member %s:%u session status %s.
01070640 Node %s address %s monitor status %s.
01070690 Port mirroring is not supported on this platform.
0107070e Software version not covered by service agreement. Reactivate license before continuing.
01070712 "Caught configuration exception (%d), %s."
01070727 "Pool %s member %s:%u monitor status up."
01070728 Node %saddress %s monitor status up.
01070730 Configuration restored from binary image
01070734 Configuration error: %s
01070736 Couldn't write to the user/role/partition file, %s (%d)
01070756 Diameter monitor '%s' has invalid mode '%s'
01070807 Monitor %s instance %s:%u has been %s.
01070822 "Access Denied: %s"
01070823 Read Access Denied: %s
01070827 User login disallowed: %s
01070830 The iRule (%s) cannot be deleted because it is in use by a %s (%s) %s (%s).
01070921 Virtual Server '%s' on partition '%s' %s by user '%s'.
01070927 Request failed, data provider (%s) disconnected from mcpd
01070931 Clustering quorum reached
01070933 License blob received from primary.
01070967 The specified vlan, vlangroup or tunnel (%s) cannot be removed from its default route domain (%s).
01070978 The vlan (%s) for the specified self IP (%s) must be one of the vlans in the associated route domain (%s). For example: 192.168.0.1%1234 for self IP in route-domain 1234.
01070979 The specified vlan (%s) for route domain (%s) is in use by a self IP.
01070995 get_tmstat: tmstat_sample not ready. Statsd may not be running.
01071027 Master key OpenSSL error: %s
01071029 %s
0107102d Cannot load master key file. Updating to a new master key.
01071031 %s
01071038 %s
01071047 Removing %d %s local objects from slot %d
01071070 Failed to %s file %s with error %d
01071138 The access policy (%s) has an action/macrocall item (%s) that is referenced by any rule's next item for %d time(s). Exactly one reference is allowed.
01071246 "Unable to reload the dns cache\n"
010712a5 Ha_group %s unknown %s %s.
01071321 Vlan allowed mismatch found: hypervisor (%s:%s), guest (%s:%s) and (%s:%s).
01071392 Background command '%s' failed. %s
010713b1 Cannot delete IP (%s) because it is used by the system state-mirroring (%s) setting.
010713b8 Propose change to system hostname (%s).
010713ba Propose change to default gateway (%s).
010713bc Propose change to management IP address (%s/%s).
010713c0 System state ready for hypervisor mgmt settings: (%s)
010713c1 Initial management network proposals triggered (%s)
010713c2 No new proposal values detected
010713c3 Hypervisor updating %s. Old value: (%s) New value: (%s).
010713f6 CentMgmt objects must be in the '/Common' folder
01071412 Cannot delete IP (%s) because it is used by the system config-sync setting.
0107142f Can't connect to CMI peer %s, %s
01071430 Cannot create CMI listener socket on address %s, port %d, %s
01071431 Attempting to connect to CMI peer %s port %d
01071432 CMI peer connection established to %s port %d after %d retries
01071434 No CMI peer devices configured
01071435 Disconnecting from CMI peer %s as a result of a reconfiguration
01071436 CMI listener established at %s port %d
0107143a CMI reconnect timer: %s
0107143b CMI connection debug info: %s
0107143c Connection to CMI peer %s has been removed
01071451 Received CMI hello from %s
0107146f Self-device %s address cannot reference the non-existent Self IP (%s); Create it in the /Common folder first.
01071470 Disconnecting from CMI device %s, the device is not in a trust domain
0107147f Could not read certificate file (%s)
01071485 %s (%s) content does not match the signature.
01071488 Remote transaction for device group %s to commit id %llu %llu %s %llu failed with error %s
0107149c Virtual server %s has more than one clientssl/serverssl profile but none of them is default for SNI.
010714a0 Sync of device group %s to commit id %llu %llu %s %llu from device %s complete
01071515 Unclassified domain logging on %s requires log publisher to be set.
01071528 Device group '%s' sync inconsistent, %s.
01071539 Mcpd is starting. The BIG-IP version is %s
01071587 Commit ID message ignored, %s
010715bc "The application service (%s) has strict updates enabled, the object (%s) must be updated using an application management interface."
01071653 Failed to create the (%s). The maximum allowable length of %d for name has been exceeded. The object name was (%s).
0107167d Data publisher not found or not implemented when processing request %s.
01071681 SNMP_TRAP: Virtual %s has become available
01071682 SNMP_TRAP: Virtual %s has become unavailable
0107168c Incremental sync complete: This system is updating the configuration on device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.
0107168e Unable to do incremental sync, reverting to full load for device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.
010716b3 A draft policy (%s) can not be applied to ACL rule (%s).
010716b4 Policy %s cannot be assigned to %s, because %s.
010716e3 Policy '%s'; an action precedes conditions in another rule.
0107172d Policy '%s' can't be applied to virtual server '%s' because it has no rules
01071764 HA order list in traffic group (%s) cleared because there is no self failover device group.
0107179a Setting DB variable %s to %s. Reboot is required for changes to take effect.
010717b3 Setting DHCP request-option to none can result in management-ip misconfiguration and loss of management connectivity.
010717b6 %s can only be used in one LSN pool or security nat source translation object. The PCP Server %s (%s) is in use by lsn pool %s.
010717dc VXLAN tunnel remote address can be configured only as any(0.0.0.0) with flooding types none and multipoint.
010717e2 Client SSL profile (%s): must have at least one set of %s.
0107183b Cannot disable LDNS cache when a Wide IP has persistence enabled.
01071860 Cannot enable feed list %s. Maximum number of enabled feed list allowed is %d.
01071863 OCSP cert-validator (%s): DNS resolver and proxy server pool can not be both empty.
01071864 OCSP cert-validator (%s): The certificate (%s) can not be used by an OCSP cert-validator as a %s, because it is currently using some cert-validator (%s) to monitor its status.
01071865 Unable to find an HTTP-based OCSP responder URL that is configured in the OCSP cert-validator (%s) or in the AIA (Authority Information Access) extension of the certificate (%s).
01071866 OCSP cert-validator (%s): Please specify a HTTP-based absolute URL for the OCSP responder.
01071867 OCSP cert-validator (%s): Both key and certificate should be specified for signing the OCSP request.
01071868 OCSP cert-validator (%s): Only prime256v1 named curve is supported for signer key.
01071869 OCSP cert-validator (%s): Security type %s is not supported for signer key.
0107186a OCSP cert-validator (%s): Signer key (%s) and signer certificate (%s) do not match.
010718e1 Only the standard-balanced-fpga firmware type is permitted in vCMP mode.
010718e3 Certificate (%s) has enabled OCSP at cert-validation-option but is not associated with any OCSP cert-validator.
010718e4 OCSP cert-validator (%s): can not use both DNS resolver and proxy server pool. Please ensure that only one of them is configured.
01071909 Anti-Fraud publisher '%s' is required to be with one destination of type '%s'.
0107190a Field '%s' cannot be empty in the Anti-Fraud profile '%s'.
01071911 %s in rule (%s) are not allowed under %s event on the %s (%s).
01071912 %s in rule (%s) requires an associated %s profile on the %s (%s).
01071913 %s in rule (%s) under %s event at %s (%s) does not satisfy cmd/event/profile requirement.
01071918 CMI device (%s) has a different version (%s) from this device (%s).
010719a8 URL parameters can be %s only when %s is enabled in the Anti-Fraud profile '%s'.
010719ac Parameter cannot be %s while it is %s in the Anti-Fraud profile '%s'.
010719b7 URL whitelist words can be selected only from malware blacklist words in the Anti-Fraud profile '%s'.
010719b7 Anti-Fraud DOM signature '%s'(hash ID) cannot be deleted as it appears in the DOM signatures whitelist in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
010719c9 Unicast address warning (FAILOVER MAY NOT WORK): %s should be a mgmt (blade) address or non-floating self IP.
010719d6 The location '%s' cannot have empty path between leading '/' and file extension or trailing '/', and also cannot contain only '/' and '.' in the Anti-Fraud profile '%s'.
010719e7 Virtual Address %s general status changed from %s to %s.
010719e8 Virtual Address %s monitor status changed from %s to %s.
010719ea GTM changed state from %s to %s.
010719fd No IPv%s self IP exists on VLAN (%s) for static route (%s)
01071a01 URL parameters can appear only in POST request when Mobile encryption is enabled in the Anti-Fraud profile '%s'.
01071a14 device_trust_group: Requesting device data from device %s.
01071a15 device_trust_group: Sending device data to device %s.
01071a37 Anti-Fraud %s '%s' was created as %s and this setting cannot be changed.
01071a38 Wildcard %ss must have unique priorities in the Anti-Fraud profile '%s'.
01071a39 Cannot %s of explicit %s in the Anti-Fraud profile '%s'.
01071a6e Incompatible options - traffic group %s cannot have both auto-failback-enabled and the failover-method set to ha-score
01071a85 Wildcard URL cannot have %s enabled in the Anti-Fraud profile '%s'.
01071a95 Admin IP (%s/%s): Gateway (%s) for management route (%s) is not in a connected network.
01071a9a The '%s' for interface %s has been adjusted to '%s'.
01071aa6 %s bad actor cannot be enabled if per-source detection/limit pps is less than 1% of the DoS vector (%s) %s setting for %s.
01071aa7 %s bad actor per-source detection/limit pps cannot be greater than the Dos vector (%s) %s setting for %s.
01071acc Cannot enable maintenance mode when device is forced offline.
01071acd The requested device (%s) was not found in self failover device group (%s).
01071ad3 The requested provision module (%s) is not compatible with already provisioned module (%s).
01071ad4 LSN pool %s shares the same name as security nat source translation object. LSN iRules that take in 'pool name' as an argument would default to LSN objects
01071ad9 Security NAT Source Translation object %s shares the same name as LSN pool. LSN iRules that take in 'pool name' as an argument would default to LSN objects.
01071af3 URL parameters cannot be entangled for Mobile while no parameter is encrypted for Mobile in the Anti-Fraud profile '%s'.
01071af8 The firewall rule UUID cannot be modified by user once it's created.
01071af8 The firewall rule UUID (%s) already exists in other rules.
01071af9 The specified firewall rule UUID (%s) is diffrent from exists rule UUID.
01071aff AOM webui is not available in this release.
01071b00 AOM vkvm is not available in this release.
01071b1d The %s (%s) cannot be created because the %s secret generation failed due to (%s).
01071b27 Scope name cannot be empty for OAuth Authorization agent %s.
01071b28 Scope name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth scope.
01071b29 %s entry refers to invalid OAuth Authorization agent %s, entry %d.
01071b2c The client app (%s) that is associated with the %s (%s) does not exist.
01071b3b Notice: Purging initiated for OAuth DB Instance (%s). Time taken for DB purging depends on the amount of data; BIG-IP performance may be affected during this time. Only expired tokens will be removed.
01071bad The certificate (%s) can not simultaneously use a cert-validator (%s) and be configured as the %s of a cert-validator (%s).
01071bbd SSL profile (%s): When CRL configuration name (%s) is specified, both static CRL file (%s) and Allow-Expired-CRL settings are not allowed.
01071bcd Security NAT Source Translation object (%s) cannot use both Self IP and DSLITE tunnel for PCP configuration.
01071bd1 Inbound CMI connection from IP (%s) denied because it came from VLAN (%s), not from expected VLAN (%s).
01071bd6 %s (%s): Cannot enable Device-ID without enabling Bot Signatures and the 'Search Engine' Bot Signature Category.
01071bd8 The tag-mode for requested member %s has to be 'none' on platforms that do not support QinQ.
01071be4 port-fwd-mode value of interface (%s) is not compatible with vlan (%s) member interface (%s).
01071be5 Member interface (%s) of trunk (%s) not found.
01071be6 port-fwd-mode value of interface (%s) is not compatible with trunk (%s) member interface (%s).
01071bed The URL (%s) belongs to Custom Category (%s) has invalid type as regex-match and not supported yet.
01071bee SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string has been ignored.
01071bf0 Vlan %s c-tag %s is out of range.
01071bf1 Vlan %s tag %d is out of range.
01071bf6 Cannot change FIPS name on busy guest: %s.
01071bf7 Invalid URL format %s in CA-bundle manager %s. Check help page.
01071bf8 Bundle manager %s cannot use a certificate file object %s that depends on itself. This would cause a cyclic dependency.
01071bf9 CA-bundle management trace: CA-bundle %s depends on %s.
01071bfa CA-bundle manager %s does not exist.
01071bfb The default CA-bundle manager %s cannot be deleted.
01071bfc The default CA-bundle manager %s cannot be changed.
01071bfd The default CA-bundle manager %s cannot change the exclude-url or exclude-bundle sets.
01071bfe The port number must be removed from %s, and set separately.
01071bfe %s: %s can't be deleted because %s.
01071bff The trusted CA-bundle must be provided in CA-bundle manager %s in order to download from URLs.
01071c00 The requested certificate file object %s for %s was not found.
01071c01 Object %s cannot be used in both include and exclude sets in CA-bundle manager %s.
01071c02 CA-bundle URL %s in CA-bundle manager %s only supports HTTPS.
01071c03 F5 CA-bundle %s cannot be dynamically managed.
01071c04 Cannot find device group (%s).
01071c05 Cannot find Policy Sync object definition file (%s).
01071c06 Cannot find Policy Sync object list file (%s).
01071c07 Cannot find Policy Sync data file (%s).
01071c08 Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.
01071c09 Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because visibility is not properly defined.
01071c0a Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.
01071c0b Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because visibility is not properly defined.
01071c0c Categories can't be assigned without selecting dynamic bwc policy.
01071c0d Default attribute consuming service (%s) must be present in the list 'attribute-consuming-services' of apm saml aaa (%s)
01071c0e Attribute consuming service session variable and object cannot be configured at the same time in agent (%s)
01071c0f Attribute consuming service variable (%s) in agent (%s) is not in session variable format
01071c10 'attribute-name' must be configured for attribute (%s) in attribute-consuming-service (%s)
01071c11 All attribute names must be unique within attribute-consuming-service (%s). Provided attribute name (%s) is not unique
01071c12 attribute-consuming-service (%s) must specify at least one attribute
01071c13 attribute-consuming-service-index (%d) in aaa saml server (%s) conflicts with index of existing service (%s). Please provide unique index.
01071c14 'service-name' value must be configured in attribute-consuming-service (%s)
01071c15 aaa saml server must be configured before attribute consuming service can be specified
01071c16 SAML agent (%s) specifies attribute consuming service (%s) that is not configured in aaa saml server (%s)
01071c18 Attribute consuming service (%s) cannot be removed from aaa saml server (%s) because service is set as default
01071c19 The requested username source (%s) is not a valid session variable.
01071c1a The requested password source (%s) is not a valid session variable.
01071c1b Virtuals Servers in the same listener group can have different profiles. Modifying the profiles in the listener will not update the profiles in the Virtual Servers. To update the profiles in Virtual servers, modify the Virtual Servers individually.
01071c1c You cannot delete the nodejs version (%s).
01071c1d You cannot modify the nodejs version (%s).
01071c1e Cannot perform Protocol inspection update: %s
01071c1f Protocol Inspection compliance inspection %s requires valid value: %s
01071c20 Too many Protocol Inspection profiles. Up to %d supported.
01071c22 Modifying predefined Protocol Inspection profiles are not allowed.
01071c23 Creating predefined Protocol Inspection profiles are not allowed.
01071c24 Deleting predefined Protocol Inspection inspections are not allowed.
01071c25 Modifying predefined Protocol Inspection inspections are not allowed.
01071c27 Protocol Inspection internal error: %s.
01071c28 Invalid Protocol Inspection snort signature: %s.
01071c2a Creating/Modifying Protocol Inspection compliance enums are not allowed.
01071c2b Deleting Protocol Inspection services are not allowed.
01071c2c Creating/Modifying Protocol Inspection services are not allowed.
01071c2d The VLAN (%s) tag is %u. The port-fwd-mode value of %s (%s) must be set to (%s).
01071c2e The VLAN (%s) can have at most %u member because member (%s) port-fwd-mode value is (%s).
01071c2f The requested VLANGROUP (%s) can have at most %u member(s) because VLAN members have virtual-wire members.
01071c30 Vlan (%s) is not compatible with member vlan in VLANGROUP (%s).
01071c31 The VLANGROUP (%s) mode and the VLAN (%s) member (%s) port-fwd-mode are not compatible.
01071c32 The VLANs must have the same tag in VLANGROUP (%s) when they have l2wire member.
01071c32 The VLANs must have the same tag in VLANGROUP (%s) when they have virtual-wire member.
01071c33 The VLAN (%s) tag (%u) cannot be modified %s '4096'.
01071c34 The requested member (%s) is already configured as a member of VLAN (%s) with tag (%d). A member can belong to only one VLAN for a given tag.
01071c34 The requested member (%s) is already configured as a member of VLAN (%s) with tag (%u). A member can belong to only one VLAN for a given tag.
01071c35 The VLAN (%s) has %s interface while the VLAN (%s) has %s interface. Interfaces of VLANs that are in the same 'virtual-wire' VLANGROUP (%s) must have the same taggedness.
01071c36 The SelfIP (%s) cannot associate with %s (%s) with (%s) interface.
01071c37 %s: %s is not supported on this platform (%s).
01071c38 Rule Profiler object %s requires log publisher to be specified.
01071c38 Modify of ephemeral %s (%s) is not permitted.
01071c3a Route MTU for (%s) below minimum %u.
01071c3a Invalid FQDN node %s: %s.
01071c52 Routing object (%s) cannot have both items: %s.
01071c55 Invalid as-path (%s): %s.
01071c56 Invalid as-path entry (%s) for as-path (%s): %s.
01071c58 Virtual server %s is in ALG mode. Must not use static source translation, as used by attached profile %s.
01071c5c Cannot disable AJAX encryption for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.
01071c5c AJAX encryption or both AJAX integrity and strong integrity must be enabled for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.
01071c5d AJAX mapping '%s' for parameter '%s' cannot start or end with a '.' in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071c5e Anti-Fraud parameter '%s' is invalid. Enabling AJAX mapping for parameter requires that either 1. AJAX encryption and either value substitution or Real-Time Encryption or parameter encryption enabled 2. Full and Enhanced AJAX Data Manipulation Check enabled in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071c5f Cannot %s when %s in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071c60 DynaD private key generation failed ('%s').
01071c61 DynaD public key generation failed ('%s').
01071c62 DynaD failed to decrypt private key. Re-generating.
01071c63 DynaD development mode requires an F5 development license.
01071c64 DynaD signature verification failed ('%s').
01071c65 DynaD cannot activate unsigned instrumentation.
01071c66 The VLAN (%s) member (%s) must be tagged when the tag is '4096'.
01071c67 The PEM rating group id needs to be greater than Zero. Rating group %s cannot use rating group id %d because it is invalid.
01071c68 Profile %s's SSL client certificate constrained delegation CA key is missing.
01071c69 Profile %s's SSL client certificate constrained delegation CA cert is missing.
01071c6a Profile %s's SSL client certificate constrained delegation peer-cert-mode is invalid.
01071c6b Profile %s supports only RSA key and certificate for SSL client certificate constrained delegation.
01071c6c Profile %s's SSL client certificate constrained delegation key is missing.
01071c6d Profile %s's SSL client certificate constrained delegation CA key and certificate do not match
01071c6e PKCS11d (re)initialized. Re-connecting to network-HSM PKCS11d.
01071c72 Policy '%s', rule '%s'; %s SSL server profile %s not found.
01071c73 F5 Service Connector %s validation error: %s.
01071c74 F5 MFA Configuration %s validation error: %s.
01071c75 F5 MFA User Verification Agent %s validation error: %s.
01071c76 F5 MFA Device Registration Agent %s validation error: %s.
01071c77 Issuer is required for JWT config (%s).
01071c78 Invalid %s (%s) in JWT config (%s). The value %s.
01071c79 Self-issued token is not allowed (%s) for JWT config (%s).
01071c7a In JWT config (%s), same signing algorithm is present in both allowed signing algorithms and blocked signing algorithms. This is not allowed.
01071c7b OAuth Provider (%s) references OAuth JWT Config (%s) that does not exist.
01071c7c When key-type is '%s', '%s' must be present for jwk-config (%s).
01071c7d The JWK config (%s) with key-type '%s' cannot contain an empty '%s'.
01071c7e The field (%s) is not relevant to key-type '%s' and thus cannot be present for jwk-config (%s).
01071c7f Certificate key file must be referenced when passphrase is present for jwk-config (%s).
01071c80 JWT access token lifetime (%u) for %s (%s) must be in range of (%u-%u).
01071c81 JWT refresh token lifetime (%u) for %s (%s) must be in range of (%u-%u).
01071c82 OpenID Connect Configuration Endpoint URL (%s) for %s (%s) must end with (%s).
01071c83 (%s) (%s) load failed due to %s
01071c85 (%s) key-type (%u) does not match certificate (%s) type (%u).
01071c86 The %s must be provided in base64url encoded format for jwk-config (%s).
01071c87 The claim name (%s) of claim (%s) cannot contain spaces.
01071c88 The word (%s) is a reserved word and cannot be used as claim name for the claim (%s).
01071c89 The %s claim name (%s) is already in use by agent %s for this entry.
01071c8a The %s claim (%s) that is associated with the %s (%s) does not exist.
01071c8b The %s claim name cannot be empty for OAuth Authorization agent %s.
01071c8c %s claim name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth claim.
01071c8d %s cannot be empty because %s for %s (%s).
01071c8e %s in %s (%s) is not an allowed URL: %s
01071c8f The %s (%s) associated to %s (%s) is not a valid %s.
01071c90 JWT config %s to be associated with JWK config (allowed keys) %s does not exist.
01071c91 In JWT config %s, allowed keys '%s' do not exist. Use a valid JWK config for allowed keys.
01071c92 In JWT config (%s), the same JWK config (%s) is present in both allowed keys and blocked keys. This is not allowed.
01071c93 JWT config %s to be associated with JWK config (blocked keys) %s does not exist.
01071c94 In JWT config (%s), blocked keys '%s' do not exist. Use a valid JWK config for blocked keys
01071c95 JWT Provider List %s to be associated with OAuth Provider %s does not exist.
01071c96 In JWT Provider List %s, OAuth Provider %s does not exist. Use a valid OAuth Provider for providers attribute.
01071c97 Error generating JWT encryption key using secret.
01071c98 The JWK config (%s) associated to %s (%s) can contain public key types only (such as, rsa, elliptic-curve).
01071c99 The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s).
01071c9a The JWK config (%s) containing algorithm (%s) does not match key type (%s).
01071c9b The JWK config (%s) associated to %s (%s) contains an invalid signing algorithm.
01071c9c The JWK config (%s) associated to %s (%s) can only be used for signing.
01071c9d The JWK config (%s) associated to %s (%s) requires certificate key configuration.
01071c9e The encryption secret is needed to generate an encryption key for OAuth profile (%s).
01071c9f Allowed signing algorithms list cannot be empty in JWT config (%s) for Issuer (%s).
01071ca0 When the %s flag is enabled, OAuth Provider (%s) must have %s JWT config attached for the JWT provider list (%s)
01071ca1 The JWK config (%s) associated to %s (%s) was auto-generated and is meant for Client/Resource Server purposes only.
01071ca2 When jwt-token is enabled, a JWK config must be assigned as the Primary Key for OAuth Profile (%s).
01071ca3 Error loading cert-chain (%s) associated to JWK config (%s)%s
01071ca4 Invalid certificate order within cert-chain (%s) associated to JWK config (%s).
01071ca5 The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).
01071ca6 Only '%s' token validation mode is allowed for OAuth %s agent '%s'.
01071ca7 JSON web token '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web token.
01071ca8 JSON web key '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web key.
01071ca9 OAuth parent profile's jwt-refresh-token-enc-secret attribute cannot be modified.
01071caa The encryption key for OAuth profile (%s) cannot be specified directly. Use encryption secret to generate a new encryption key and make sure that jwt-token is enabled.
01071cab The JWK config (%s) associated to %s (%s) requires key ID configuration.
01071cac When more than one JWK config of key-type '%s' is present in a JWT config, all the keys of that key-type must have key-id or cert-thumbprint-sha1 or cert-thumbprint-sha256 present.
01071cad All the JWK configs in a JWT config must have unique key-id for each key-type. The key-id '%s' for key-type '%s' is already present in JWT config '%s'.
01071cae %s (%s) for OAuth profile (%s) should be unique across other OAuth Authorization Server endpoints.
01071caf The issuer cannot be modified for autodiscovered JWT config '%s'.
01071cb0 Cannot enable Real-Time Encryption when a custom encryption function is specified in the Anti-Fraud URL '%s'.
01071cb0 For autodiscovered JWT config '%s', you can move algorithms between the allowed and blocked lists only.
01071cb1 JWK config '%s' is autodiscovered, JWT config '%s' is not. An autodiscovered JWK config can be added to an autodiscovered JWT config only.
01071cb2 For autodiscovered JWT config '%s', you can move autodiscovered keys between the allowed and blocked lists only.
01071cb3 Autodiscovered JWK config '%s' cannot be modified.
01071cb4 Autodiscovered JWT config cannot be modified for OAuth Provider '%s'.
01071cb5 Autodiscovered JWT config '%s' is associated with OAuth Provider '%s'. It cannot be added to Provider '%s'.
01071cb6 Support for at least Opaque or JWT token should be enabled for OAuth profile (%s).
01071cb7 The auto-generated attribute for %s '%s' cannot be modified.
01071cb8 The auto-generated attribute for %s '%s' cannot be specified.
01071cb9 Claim value cannot be empty for OAuth claim (%s).
01071cba %s claim value associated with OAuth claim (%s) cannot be empty for OAuth Authorization agent %s, entry %d.
01071cbb The JWK config (%s) containing algorithm (%s) does not match curve (%s) for elliptic-curve.
01071cbc The last-discovery-time cannot be specified while creating Provider '%s'.
01071cbd The last-discovery-time cannot be modified for Provider '%s'.
01071cbe When use auto JWT config is enabled, OAuth Provider (%s) must have trusted CA present.
01071cbf The JWK Config (%s) cert field cannot be empty if cert-key (%s) is specified.
01071cc0 %s (%s): Traffic Scrubbing Advertisement Duration must be more than zero.
01071cc1 %s (%s): RTBH Advertisement Duration must be more than zero.
01071cc2 Cannot enable both %s and %s for parameter '%s' in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01071cca Dos Signature (%s): %s is not user settable field.
01071ccb %s (%s): Attacked dst can not be enabled if per-destination detection/limit pps is less than 0.1%% of the corresponding vector setting.
01071ccc %s (%s): Attacked dst per-destination detection/limit pps cannot be greater than the corresponding vector setting.
01071cd4 %s: %s can't be deleted because %s.
01071cd5 %s: %s can't be modified because %s.
01071cd6 Dos Signature (%s): %s is not allowed to be reset by user once it is specified.
01071cd9 Field-list contains an invalid/duplicate value.
01071cdc Security static PAT %s translation object '%s' address (%s) is overlapping with another address (%s) located in '%s' PAT %s translation object.
01071cdd Traffic-group (%s) is referenced by security NAT Policy (%s) and cannot be deleted.
01071cde Traffic-group (%s) is referenced by security source translation (%s) and cannot be deleted.
01071cdf %s (%s): Dos vector (%s) does not support Attacked destination DOS attack detection.
01071ce3 %s (%s) cannot be set to (%s) when %s (%s) is set to (%s)
01071ce4 %s (%s): %s feature is not supported for %s attack type.
01071ce5 %s (%s): %s cannot be enabled if %s is not enabled for %s attack type.
01071ce6 The value (%s) is invalid. Valid TTL is %s.
01071ce7 Cannot configure Advertisement TTL while scrubbing is in progress.
01071ce8 The VLAN %s has the same tag %u as VLAN %s. So the port-fwd-mode of the interface associated with the VLAN must be set to l2wire.
01071ce8 The VLAN (%s) has the same tag %u as VLAN (%s). So the port-fwd-mode of the interface associated with the VLAN must be set to virtual-wire.
01071ce9 The Scrubber Route Domain (%s) has a destination IP (%s) that overlaps with (%s).
01071ceb Operation failed for CA bundle manager %s due to other pending operation.
01071cec Ignoring unknown tag (%u) in %s message.
01071ced MQTT monitor '%s' must have a username when password is configured.
01071cee Virtual %s cannot use FastL4 hash persistence profile %s when protocol is not TCP.
01071cef Policy (%s) of type %s cannot have subroutine-properties attached, policy type must be %s.
01071cf0 DNS resolver must be configured for SAML metadata automation object (%s).
01071cf1 SAML metadata automation object (%s) should have only one 'connection-properties' attribute configured.
01071cf2 apm sso saml (%s) contains empty value in saml-attribute (%s).
01071cf3 Authorize redirect request (%s) must always use 'GET' method.
01071cf4 Invalid %s for Monitor Test (%s) conflicts with monitor value (%s)
01071cf5 Invalid state (%s) for Monitor Test target (%s) marked for cleanup
01071cf6 The current provisioning does not support the TurboFlex profile. Please provision LTM first or choose another profile suggested on the help page.
01071cf7 The chosen turboflex is not licensed, therefore the change cannot be made.
01071cf9 The provision module %s requires TurboFlex profile %s. Please either un-provision the module or choose the required profile. For more information, please see 'tmsh help sys turboflex' on the command line, or look at the 'Help' tab on the TurboFlex page under Resource Provisioning.
01071cfb Please get the Advanced Protocols or FIX add-on license to enable FIX features.
01071cfc %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.
01071cfc %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.
01071cfd The VLAN (%s) tag %u cannot be modified to %u once the VLAN is created. Please delete and re-create it.
01071cfe %s (%s): AutoMitigate %s %u must be lower than AutoMitigate ceiling %u.
01071cff %s (%s): AutoMitigate %s 'infinite' must be lower than AutoMitigate ceiling %u.
01071d00 Maximum response size (%u) for OAuth provider (%s) must be in range of (%u-%u).
01071d01 Invalid value (%s) for profile %s field %s. Only integers between 0 and 4294967295 are permitted.
01071d02 Size of field '%s' for monitor '%s' exceeds allowed maximum of %d bytes.
01071d03 Encryption object is too big.
01071d04 Encryption failed.
01071d05 %s is not a valid IP address or hostname.
01071d06 Overlapping %s IP addresses (%s) is in NAT policy '%s', rule '%s'.
01071d07 The VLANGROUP (%s) is composed of VLAN (%s) of tag %u with %s member (%s). A similar VLANGROUP must be created first and be composed of VLAN of tag '4096' with member (%s).
01071d08 Connectivity profile (%s) does not exist.
01071d09 Management auto-lasthop (%s) can't be disabled on a 1-NIC platform.
01071d09 Invalid multicast address '%s' specified for multicast-ip.
01071d0a adm: %s
01071d0a Policy (%s) of type %s cannot have per-req-policy-properties attached, policy type must be %s.
01071d0b adm: %s
01071d0b Configuration error: Virtual Server (%s) with Access Profile of type sslo is not compatible with profile of type (%s).
01071d0c adm: %s
01071d0c Configuration error: Access Profile of type sslo is not compatible with exchange profile.
01071d0d adm: %s
01071d0d Configuration error: Virtual server (%s) cannot be used for connector profile (%s), type must be internal.
01071d0e Global ASM health alerts configurations error: %s
01071d0e Configuration error: Connector profile (%s) cannot be attached to virtual server (%s) when per-request policy (%s) is attached to this virtual server. Attach service connect agent to the per-request policy instead.
01071d0f Configuration error: Virtual server (%s) used by connector profile (%s) must have a service profile attached.
01071d10 Configuration error: Virtual server (%s) used by connector profile (%s) with inline service profile (%s) must have a splitsession client profile attached.
01071d12 Cannot delete the Anti-Fraud URL '%s' since it is referenced by the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.
01071d13 Anti-Fraud Base URL '%s' must exist before creating the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.
01071d14 '%s' can be modified only for a 'Base URL', while the Anti-Fraud URL '%s#%s' is a 'View URL' in the Anti-Fraud Profile '%s'.
01071d15 Configuration error: access log configuration (%s) is part of system configuration, so it cannot be deleted.
01071d16 DNS profile (%s) cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.
01071d16 Configuration error: sslo log configuration (%s) is part of system configuration, so it cannot be deleted.
01071d17 DNS profile (%s) inherits options from DNS profile (%s) and cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.
01071d18 The IP::port(%s:%d) to be dedicated, can't be shared. Refer pools(%s, %s)
01071d19 The IP(%s) to be dedicated, can't be shared.
01071d1a The dedicated snatpool member address (%s) matches a selfip address (%s)
01071d1b The VIP(%s) needs pool(%s) or snatpool(%s) as dedicated for Accelerated traffic only
01071d1b Virtual server (%s) requires clientssl profile when the ftps-mode in FTP profile (%s) is require.
01071d1c The VIP(%s) in DSR mode, expect source-address-translation type(%d) as none
01071d1d The TrafficAcceleration profile(%s) does not support persist-mode(%d)
01071d1e The VIP(%s) does not support persistence profiles(%s) because it is dedicated for traffic-acceleration
01071d1f The VIP(%s) does not support last hop pools because it is dedicated for traffic-acceleration
01071d20 The Pool(%s) does not support load-balancing mode(%u) because it is in use for traffic-acceleration
01071d23 MQTT multiple peers on %s %s not supported.
01071d24 MQTT %s %s refers to non-existing %s %s.
01071d25 \'%s\' at rule %s is %s by virtual server %s of type %s.
01071d25 Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an IMAP profile.
01071d26 Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an POP3 profile.
01071d27 Error parsing SAML assertion consumer service url: (%s) in SAML SP connector (%s)
01071d28 'sp-location' in SAML SP connector (%s) is set to internal-multi-domain, but the virtual server where SP is located is not specified in 'multi-domain-location' property.
01071d28 Virtual server (%s) requires clientssl profile (%s) to enable SSL forward proxy when FTP profile (%s) is present.
01071d29 Multidomain location (%s) of SAML SP connector (%s) is invalid: (%s). Location must begin with http or https and must contain hostname with no path.
01071d29 Virtual server (%s) requires clientssl profile (%s) to enable SSL verified handshake when FTP profile (%s) is present.
01071d2a Cipher rule (%s): '%s' is not a valid %s.
01071d2a When OpenID Connect is enabled for OAuth profile (%s) and the alg type for %s primary key (%s) is 'HS512', the client secret for all associated Client apps with OpenID Connect enabled should be of size 64 bytes. Please re-generate the client secret for Client app (%s).
01071d2b ID token lifetime (%u) for %s (%s) must be in range of (%u-%u).
01071d2b Virtual server (%s) cannot have connector profiles when allow-active-mode in FTP profile (%s) is enabled.
01071d2c When OpenID Connect is enabled, a JWK config must be assigned as the ID Token Primary Key for OAuth Profile (%s).
01071d2d When OpenID Connect is enabled, support for JWT token should be enabled for OAuth profile(%s).
01071d2f The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s) within UserInfo Primary Key and Rotation Keys.
01071d30 OAuth claim (%s) has invalid value (%s). For '%s' claim, allowed value is a numeric value or a valid session variable.
01071d31 Authentication type for Client app (%s) is not valid. When OpenID Connect is enabled for OAuth profile (%s) and the key type for %s primary key (%s) is 'octet', then all associated Client apps with OpenID Connect enabled should have the authentication type as 'Secret'.
01071d32 The OAuth profile (%s) does not allow JWK config with duplicate key-id (%s) of type (%s) within %sPrimary Key (%s) and %sPrimary Key (%s).
01071d33 JWK config (%s) cannot be configured to use both client secret and shared secret for key type octet.
01071d34 In JWT config (%s), the %s JWK config (%s) cannot be configured to use client secret when key type is octet.
01071d36 JWK config (%s) is %sconfigured to use client secret for key type octet. Hence, this cannot be used as %s primary key in %s (%s).
01071d36 The prefix (%s) is a reserved word and claim name (%s) cannot be used for the claim (%s). Please remove or change the prefix to continue.
01071d37 %s claim (%s) cannot be associated with %s (%s) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d38 %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d39 The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with %s (%s). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d3a The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with OAuth Authorization agent (%s), entry (%d). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.
01071d3b %s claim (%s) cannot be associated with %s (%s). The claim value must be set to 'true', 'false' or a valid session variable.
01071d3c %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d). The claim value must be set to 'true', 'false' or a valid session variable.
01071d3d The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on %s (%s).
01071d3e The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on OAuth Authorization agent (%s), entry (%d).
01071d3f Can't find prime AVR-profile.
01071d40 Can't generate more than %d %s when collecting AVR statistics.
01071d41 Can't generate a list of %s because 'collect_%s' flag is disabled.
01071d41 Anti-Fraud View '%s' is invalid. View must be non-empty string with size less than %u and should contain only valid characters in the Anti-Fraud Profile '%s'.
01071d42 Can't generate list of counties because the '%s' is invalid.
01071d43 Can't generate list of urls because the '%s' URL's length is exceeded maximum %1d.
01071d44 The Traffic Matching Criteria (%s) is already in use by another Netflow Protected Server (%s).
01071d44 Invalid type %s for %s %s. All the %s should be the same type (IPv4 ot IPv6).
01071d45 Invalid Netflow Protected Server [%s] name for stopping redirection
01071d45 Discovery interval (%u) for OAuth provider (%s) must be greater than (%u) minutes.
01071d46 Netflow Protected Server (%s) cannot have a Traffic Matching Criteria that references a route domain.
01071d47 (%s) has an invalid mask %u.
01071d49 Specified compatibility level-%d is too high. That level includes feature settings that are not supported for this platform.
01071d4a Security FlowSpec: %s: router-id(%s) is not a valid IPv4 address.
01071d4b Security FlowSpec: %s: %s (%s) has mis-matched route domain (%d).
01071d4c Route domain (%s) can not have both 'Security Flowspec BGP' and 'Zebos BGP' routing planes enabled at the same time.
01071d4d Security FlowSpec: %s: missing required field(s) %s.
01071d4e Security FlowSpec: %s: must have at least one 'neighbor' specified.
01071d4f Security FlowSpec: %s: The datatype (%d) for inherited fields is missing.
01071d50 Security FlowSpec: %s: %s is non-mutable field.
01071d51 Security FlowSpec: %s: %s doesn't have matched address family.
01071d52 The attribute (%s) for (%s) cannot be none.
01071d54 The value (%lld) for attribute (%s) for (%s) must be within range %s.
01071d55 Security FlowSpec: %s: can not refer route domain (%s) which is neither in the same partition as profile nor in /Common partition.
01071d56 Limit on the number of extended white list entries (%u) has been reached. Please modify the value of dos.maxewlsize to allow more entries.
01071d57 The %s (%s) attribute %s can only reference objects in partition %s.
01071d59 Cannot modify scrubber config property %s
01071d5a IPv4/IPv6 Next hop must be configured.
01071d5b Not a valid %s Address.
01071d5c Cannot lower compatibility level. Whitelist address-list (%s) configured on this system requires current compatibility level.
01071d5f Entry already exist in extened white list(%s).
01071d60 %s failed with an I/O error: %s.
01071d61 Failed to allocate memory at %s:%d.
01071d62 CMI device (%s) attempted to connect but is running an incompatibly old version of TMOS.
01071d62 Unsupported route-type (%d) seen for mgmt-route (%s).
01071d63 CMI device (%s) attempted to connect but is running a version of TMOS with incompatible version (%s) (expected %s).
01071d63 No value specified for supersede-option: %s
01071d65 DNSSEC External Zone (%s) must be a descendant of DNSSEC Zone (%s).
01071d65 Invalid name value (%s) specified for URL Category %s.
01071d66 DNSSEC External Zone (%s:%s) duplicates existing DNSSEC zone (%s) with the same name (case-insensitive and unique across folders).
01071d66 System iRule (%s) cannot be associated to oauth server (%s).
01071d67 DNSSEC External Zone (%s:%s) duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01071d67 Provider type F5 only supports introspect endpoint.
01071d68 DNSSEC External Zone (%s) references a nonexistent DNSSEC zone (%s)
01071d68 EntityID attribute of %s (%s) contains a session variable. SAML metadata exported by this object must be edited manually to replace session variables with valid hostnames before metadata is shared with external parties.
01071d69 DNSSEC Zone %s duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01071d69 Frequency for SAML IdP automation (%s) cannot be zero.
01071d6a Unable to parse DNSSEC secure delegation record (%s:%s):%s (%s).
01071d6a At least one metadata URL must be configured for SAML SP metadata automation (%s).
01071d6a Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3.
01071d6b DNSSEC secure delegation record (%s:%s) has DS with different owner name: %s.
01071d6b Frequency for SAML SP metadata automation (%s) cannot be zero.
01071d6b Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3, so TLS 1.3 will not be negotiated.
01071d6c SAML SP metadata automation (%s) cannot be associated with sso saml (%s) because sso saml is already associated with SP automation (%s). SAML server can only be associated with one automation.
01071d6c Client SSL profile (%s): Some configured certificates are incompatible with TLS 1.3, so will not be used if TLS 1.3 is negotiated.
01071d6d SAML SP metadata automation (%s) specifies SAML SSO server (%s) that cannot be found on the system.
01071d6d IPv6 management addresses are unsupported in 1NIC mode.
01071d6e SAML SSO server (%s) associated SAML SP metadata automation (%s) are not in the same partition.
01071d6f SAML SP metadata automation (%s) contains invalid metadata URL value (%s). Error (%s).
01071d6f The Traffic Acceleration FPGA is not allowed when TAM is not provisioned.
01071d70 SAML SP metadata automation (%s) must have server SSL profile configured.
01071d70 LDAP config (%s) must either have a matching client certificate and client key, or both of these fields must be empty.
01071d71 SAML SP metadata automation (%s) must have DNS resolver configured.
01071d71 Can't create scheduled-report (%s). You currently have %u scheduled-reports set, while this is above the max allowed scheduled-reports (%u).
01071d72 Metadata URL (%s) value cannot be empty in SAML SP metadata automation (%s).
01071d72 %s.
01071d73 SAML SP metadata automation (%s) must specify value for sso-config-saml object.
01071d73 The Traffic Accelerated virtual(%s) is required to have a destination address set
01071d74 SAML SP metadata automation (%s) contains duplicated URL value (%s).
01071d74 Anti-Fraud URL '%s' is invalid. Only SPA URLs and their views can have destination URLs in the Anti-Fraud profile '%s'.
01071d74 Opening socket on interface %s failed: %s
01071d75 SAML SP connector (%s) cannot be deleted because it is managed by SP connector automation (%s).
01071d75 Db variable %s(%u) should be greater than %s(%u).
01071d75 %s IP for interface %s failed: %s
01071d76 SAML SSO config (%s) is assigned to a SAML resource (%s), and therefore can only have one SP connector object associated with it.
01071d76 FDB MAC %s cannot be broadcast/multicast
01071d77 SAML SSO configuration (%s) cannot specify both (%s) and (%s) at the same time.
01071d78 Attribute (%s) in %s (%s) must be in session variable format
01071d79 SAML Artifact Resolution Service (%s) is configured to sign requests. However, the correponding SAML SSO Config (%s) does not have signing %s configured. Please specify an IdP signing %s.
01071d79 Interface %s cannot be used in passive/virtual-wire mode.
01071d7a Master Key not yet ready. Delaying DNSSEC Key Generation Events for %u seconds.
01071d7b Cannot assign access profile and both clientssl and serverssl profiles with ssl proxy enabled to the same virtual server (%s).
01071d83 Failed to configure iptables rules for config sync CGC routing: %s
01071d84 Configured iptables rules for config sync CGC routing: %s
01071d85 Config sync over the management port requires big3d, which is not currently running. Config sync will not work until big3d is running.
01071d93 Unable to find customization source (%s) for customization group (%s).
01071d93 Profile %s the set Certificate Chain Traversal Depth (authenticate-depth), %u, is invalid. This must be 0 (infinite) or between 1 and %u inclusive.
01071d93 Single-ip %s - cluster member IP address %s cannot be configured for cluster %s.
01071d94 Bot Defense Profile (%s) Micro Service (%s): Missing required field (%s).
01071d95 Per-request access policy (%s) is not referenced by any existing customization group set
01071d95 FipsUserMgr Error: %s.
01071d96 Failed to send DDL to PostgreSQL: %s
01071d96 The customization group set (%s) cannot share an access policy (%s) with other customization group set (%s).
01071d97 Anti-Fraud URL '%s' is invalid. URL path cannot have trailing slashes in the Anti-Fraud Profile '%s'.
01071d97 Access policy name cannot be changed in customization group set (%s)
01071d98 Customization group set (%s) does not refer to access policy
01071d98 Empty IP protocol name specified for rule (%s). Please specify a valid string corresponding to the IP protocol number.
01071d9b PEM Gx/Sd reporting volume threshold cannot be smaller than 8K bytes.
01071d9c PEM Mandatory-Action-List cannot be set when Single-Rule-Match-Mode is disabled.
01071d9d Address Exclusion is not supported for Security NAT translation object (%s) of type %s.
01071d9d Neighbor entry (%s) can not be resolved%s.
01071d9e Bot defense anomaly %s not found.
01071d9f Bot defense anomaly category %s not found.
01071d9f %s.
01071da0 Bot defense class %s not found.
01071da0 %s.
01071da1 %s: When %s is (%s) and %s (%s) is %s address, %s (%s) represents '%s %s addresses'.
01071da2 Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s's Traffic Matching Criteria %s.
01071da2 Blacklist-category %s must have match type destination to enable scrubbing.
01071da3 Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s destination address, source address, service port.
01071da3 Cannot change match type to source or source-and-destination if scrubbing is enabled on the blacklist category. Disable scrubbing before changing the match type.
01071da4 Uri Type %s out of its minimum %d or maximum %d characters range.
01071da5 Uri Type must have at least %d %s associated with it.
01071da6 No more than %d total file extensions can be defined (across all Uri Types).
01071da7 No more than %d total Uri Types can be defined.
01071da8 File extension '%s' already exists in '%s' Uri Type.
01071da9 Uri Type objects must be in the '%s' folder only.
01071daa %s
01071dac Bot signature category %s not found.
01071dac Cannot change match type to destination or source-and-destination if blacklist publisher profile is attached to the category.
01071dad Bot defense profile (%s) class override (%s) error: %s.
01071dad Policy '%s', rule '%s'; target '%s' action '%s' cannot have same fallback pool (%s) and default pool (%s).
01071dae Bot Defense Profile (%s) Micro Service (%s): %s.
01071dae Policy '%s', rule '%s'; target '%s' action '%s' requires default pool. Please specify default pool along with fallback pool (%s).
01071daf Bot Defense Profile (%s) Micro Service (%s) Url (%s): %s.
01071daf Throwing Invalid Monitor Rule Instance: %s
01071db0 Throwing Invalid Monitor Rule Instance: %s
01071db0 %s %s.
01071db1 Bot defense profile (%s) Signature (%s) should be Mobile Application Class signature.
01071db1 Throwing Invalid Monitor Rule Instance: %s
01071db2 Bot defense signature category illegal class (%s).
01071db2 Throwing Invalid Monitor Rule Instance: %s
01071db3 Bot defense profile (%s) signature category override not supported for (%s) which belongs to (%s) class.
01071db3 Throwing Invalid Monitor Rule Instance: %s
01071db4 Bot defense profile (%s) signature override not supported for (%s) which belongs to (%s) class.
01071db4 Removing monitor rule instance: %s
01071db5 Bot defense profile (%s) Micro Service (%s) class override (%s) error: %s.
01071db5 Saving monitor rule instance: %s
01071db6 Bot defense profile (%s) error: %s.
01071db6 Creating a new monitor rule instance: %s
01071dba Warning (%s): %u bit keysize is insecure, it will be disabled in the future.
01071dba Cannot delete SSO configuration (%s) because it is referenced by a SSO configuration select agent (%s)
01071dbc Fail to commit due to the preset autodiscovery-enable VS number limit is %d.
01071dbd Fail to change the value to be less than the current number (%d) of VS that enables auto_discovery.
01071dbf Setting DB variable %s to %s. Restarting services.
01071dbf The requested otp source (%s) is invalid: %s
01071dc0 %s changing OpenSSL FIPS flag from (%d) to (%d). Restarting services.
01071dc5 The Group SIDs session variable name in AAA Kerberos agent (%s) is empty
01071dc6 The Group SIDs session variable name '%s' in AAA Kerberos agent (%s) is invalid
01071dc7 The %s session variable name in AAA Active Directory agent (%s) is empty
01071dcd Keytab file is not specified for AAA Active Directory Server (%s)
01071dce Service name is not specified for AAA Active Directory Server (%s)
01071dd4 DOS Profile (%s) cannot be attached to Zone as it is BDOS enabled.
01071dd8 SIP cannot be enabled on the DOS profile (%s) as it is already attached to zone.
01071dd9 VLAN (%s) cannot be attached to Zone (%s) as it is part of another Zone (%s) which is also has DOS profile attached.
01071ddc DOS Profile (%s) cannot be attached to the Zone as SIP is enabled on the profile.
01071ddc DOS Profile (%s) cannot be attached to the Zone (%s) as the profile has Bad Actor/Attacked Destination Detection enabled.
01071dde Log profile (%s) cannot be found.
01071de0 Dos profile (%s) cannot be attached to Protected-zone as BDOS is enabled.
01071de3 Vector Threshold Mode cannot be enabled on the DOS profile (%s) as it is already attached to a Protected-zone.
01071de4 DNS cannot be enabled on the DOS profile (%s) as it is already attached to zone.
01071de5 DOS Profile (%s) cannot be attached to the Zone as DNS is enabled on the profile.
01071e02 DOS profile (%s) not found.
01071e03 Maximum (%s) can be attached per Zone containing DOS profiles.
01071e09 DOS Profile (%s) cannot be attached to zone as threshold mode is not Fully Manual.
01071e0d Security log profiles '%s' and '%s' cannot be associated simultaneously with a Zone '%s', since they have same or mutually exclusive parts enabled.
01071e0e Security log profiles '%s' and '%s' cannot be associated simultaneously with a Zone '%s', since they both have local logging enabled.
01071e0f DOS profile (%s) cannot be attached to the Zone (%s) as the Zone has one or more VLANs that are part of other Zones and a VLAN cannot be a member of more than one Zone which have DDoS protections enabled.
01073035 The encryption key for OAuth profile (%s) cannot be modified directly. Use encryption secret to generate a new encryption key.
01073039 All the JWK configs in a JWT config must have unique cert-thumbprint-sha1. The cert-thumbprint-sha1 '%s' is already present in JWT config '%s'.
01073040 All the JWK configs in a JWT config must have unique cert-thumbprint-sha256. The cert-thumbprint-sha256 '%s' is already present in JWT config '%s'.
010c0009 Lost connection to mcpd - reestablishing
010c0018 Standby
010c0022 Opening %s for failover monitoring
010c002a Requesting tmm to resend gratuitous arps for traffic group %s.
010c002b Traffic group %s received a targeted failover command for %s.
010c002c Traffic group %s received a targeted failover command from cluster mate for %s.
010c002d Traffic group %s going standby via targeted failover command.
010c0037 Up service module error %s.
010c003b Bind fails on %s addr %s port %d error %s
010c003c Connect fails on %s addr %s port %d error %s
010c003e Offline
010c003f Forced offline
010c0044 Command: %s
010c0048 Bcm56xxd and lacpd connected - links up
010c0049 Tmm ready - links up.
010c0050 Sod requests links down
010c0052 Standby for traffic group %s
010c0054 Offline for traffic group %s.
010c0055 Forced offline for traffic group %s.
010c0056 Deactivating traffic group %s
010c0057 Activating traffic group %s
010c005a Dropping a failover packet that is too small (%u)
010c005b Dropping a packet that is not a failover packet.
010c005e Waiting for mcpd to reach phase base, current phase is %s
010c005f Mcpd has reached phase base, current phase is %s
010c0063 Waiting for Mcpd without a response. Try again...
010c006a Configuration CRC values disagree amongst peers. Suggest configsync peers.
010c006b Configuration CRC values agree amongst peers
010c006c proc stat: [0] %s
010c006d %s.
010c006e All devices in traffic group %s %s have a HA group.
010c0076 Exceeded mcp recv soft limit: %d. Succeeded after %d messages.
010c0077 Listening for unicast failover packets on address %s port %d.
010c007b Deleted unicast failover address %s port %d for device %s.
010c007e Not receiving status updates from peer device %s (Disconnected).
010c0082 Sorted Load-Aware failover %s.
010c0083 No failover status messages received for %s seconds, from device %s (%s).
010c0084 Failover status message received after %s second gap, from device %s (%s).
010c0085 First failover status message received from device %s (%s).
010c0089 Invalid go standby command. %s is not a valid traffic-group or device.
010c008a Invalid go standby command. %s is not a valid device.
010c008b Unable to send to unreachable unicast address %s port %d.
010c008c Previously unreachable unicast address %s port %d is now reachable.
010c0098 Multicast socket connect failure: %s.
010c0099 Connected to multicast group %s port %d on interface %s.
010c009a Disconnected from multicast group %s port %d on interface %s.
010c009b Availability log %s failed '%s'.
010c009c Timer interval set to %u.%06us (was %u.%06u).
010c009d Poll interval %dms, estimated %d packets/sec.
010c009e Config crc changed: old 0x%x new 0x%x.
010d0005 Chassis fan %d: status (%d) is bad
010d0006 Chassis power supply %d has experienced an issue. Status is as follows: %s
010d0009 %s: voltage (%d) is too high
010d0010 %s: fan speed (%d) is too low
010d0017 %s: milli-voltage (%d) is too low
010e0001 Cannot communicate with MCPD server
010e0002 Established new connection to MCPD server
010e0004 MCPD query response exceeding %d seconds
01100002 alertd is going down
01100017 Email action is failed for toaddress %s
01100042 Failed with MCPD at: %s (%s)
01100043 logcheck Notice: %s %d
01100048 "Log disk usage still higher than %d%% after logrotate and %d times log deletion"
01100049 logcheck Info: %s %d
01100053 %s
01100054 %s
01100055 %s
01100056 %s
01100057 %s
01100058 %s
01100059 Found db_name %s without value - reset to default %s.
01100060 trap string (%s) count (%d) (%s)");
01100061 clear suppression map (count %d)");
01110001 Error running %s
01110034 The configuration for running config-sync is incorrect.
0114001a HA stale %s pid %d detected.
01140029 HA %s %s fails action is %s.
0114002a HA %s %s created.
0114002b HA %s %s enabled.
0114002c HA %s %s disabled.
01140030 HA %s %s is now responding
01140043 Ha feature %s reboot requested
01140044 HA reports tmm ready
01140045 HA reports tmm NOT ready
01140100 Overdog daemon startup
01140101 Overdog daemon shutdown
01140102 Overdog daemon requests reboot
01140103 Watchdog touch enabled with %d seconds
01140104 Watchdog touch disabled
01140106 Overdog daemon calling bigstart restart
01150216 Notice from %s: %s
01150515 Processing Resource Record (%s:%s) failed due to error '%s'.
01150a51 %s/%s change detected %s.
01150a52 Sync Zones Parameters: Ciphers = %s, Use expired CRL = %s, Use Not Yet Active CRL = %s, Use Revoked Certificates = %s, Validation Depth = %s
01150d03 Attempting to %s loopback address %s
01151500 NamedWatcher: Error encountered during initialization of named configuration monitor: %s.
01151501 NamedWatcher: Watching cur stat for dir:%s ts:%ld inode:%llu with id:%d.
01151502 NamedWatcher: Error %s setting up watch for dir:%s.
01151503 NamedWatcher: Unexpected EOF %s from named configuration monitor file descriptor.
01151504 NamedWatcher: Error %s reading from named configuration monitor file descriptor.
01151505 NamedWatcher: Expected at least %d bytes, only %d bytes are available.
01151506 NamedWatcher: Kernel monitor overflow %s.
01151507 NamedWatcher: %s monitor wd:%d len:%d events:%s dir:'%s' name:'%s'.
01151508 NamedWatcher: Read ignored event.
0115150a NamedWatcher: %s stat for %s ts:%ld inode:%llu.
0115150b NamedWatcher: stat for '%s' failed:%s.
0115150c NamedWatcher: Skipping event %s (len:%d) for '%s' because it contains the %s.
0115150d NamedWatcher: Deleting watch for dir:%s with id:%d.
0115150f NamedWatcher: Watch added for dir %s with ts:%ld with id:%d
01151510 NamedWatcher: Watch added for file:%s in dir:%s with ts:%ld, inode:%llu.
01151511 NamedWatcher: Watch removed for file %s in dir %s.
01151512 NamedWatcher: Watch removed for dir %s.
01151513 NamedWatcher: Read event for dir:'%s'.
01151513 NamedWatcher: Watch already exists for dir %s.
01151514 NamedWatcher: Watch already exists for file:%s in dir:%s.
01151515 NamedWatcher: Dont care about event wd:%d events:%s name:'%s'.
01151515 NamedWatcher: Error %s setting up watch for dir:%s.
01151516 NamedWatcher: No matching watch for dir:%s with id:%d.
01151517 NamedWatcher: No matching event type:%s for file:%s in dir:%s with id:%d.
01151518 NamedWatcher: event->len == %d.
01151519 NamedWatcher: Initializing...
01160004 LACPD reporting error conditions
01160005 LACPD reporting internal error conditions
01160009 LACPD reporting a link being added to aggregation
01160010 LACPD reporting a link being removed from aggregation
01160011 LACPD reporting a churn condition
01160012 LACPD reporting a churn condition
01160016 LACP reporting an internal condition as informational message
01160017 Internal Link %s is AVAILABLE.
01160018 Internal Link %s is UNAVAILABLE.
01160024 %s
01170003 halGetDossier returned error (%d): Dossier generation failed.
01170005 %s stat fails: %s.
01170012 Unsupported argument (-%c).
01170019 Detected Registration Key-Less dossier generation for CSP.
01170020 Option -%c requires an argument.
01170021 Invalid value (%s) passed for option (-%c).
01180005 Evaluation license has expired.
01180010 [license processing][error]: %s
01180017 Subscription license has expired.
01190003 arp_input: packet too short (%lu/%lu)
01190004 address conflict detected for %a (%m) on vlan %d
01190007 Neighbor update, route lookup failed, address = %la%%%u
01190008 Neighbor update, route is not link type, address = %la%%%u
01190009 Neighbor update failed, err = %E, address = %la%%%u, ifc name = %s
01190010 Neighbor delete failed, err = %E, address = %la%%%u
011a0011 SYNC Possible conflicting config changes between %s (%s) and %s (me), both at timestamp %llu. Config changes ignored.
011a0060 Compression Stream failure: %s
011a0061 License is not operational
011a0300 There was an error trying to send a DNSSEC Key Generation %s msg to MCP
011a0300 There was an error trying to send a DNSSEC Key Generation %s msg to MCP
011a0302 %s : %llu.
011a0302 There was an error trying to send a DNSSEC Zone SOA serial modify msg to MCP
011a0305 DNSSEC Zone %s cannot process a partial SOA serial update message
011a0306 Encountered error %s while trying to set a DNSSEC Key Generation event timer
011a0307 Processing %s Event for DNSSEC Key %s, ID %llu
011a0308 Unable to determine GTM local id, must skip processing DNSSEC Key Generation events
011a0309 DNSSEC DEBUG: %s.
011a0309 Failed to create new DNSSEC Key Generation %s:%llu due to %s.
011a030a Failed to import DNSSEC Key Generation %s:%llu due to %s.
011a030b Failed to delete DNSSEC Key Generation with handle: %s due to %s.
011a030c Postponing expiration of DNSSEC Key Generation %s:%llu as the next generation not created yet.
011a030d Canceling expiration of the latest DNSSEC Key Generation %s:%llu, resetting events of the Key.
011a030e Action execution of DNSSEC Key Generation %s:%llu takes too long, canceling the action.
011a030f Action of DNSSEC Key Generation %s:%llu failed or canceled, re-runing the action.
011a0310 Action of DNSSEC Key Generation %s:%llu failed or canceled, all attempts are exhausted.
011a0311 Failed to join worker-thread of DNSSEC Key Generation.
011a0312 Failed to initiate session with FIPS card.
011a0313 Key size %u is not suported by FIPS card.
011a0314 FIPS card failed to generate RSA pair for DNSSEC Key Generation.
011a0315 FIPS card failed to delete private part of DNSSEC Key Generation.
011a0316 FIPS card failed to import private part of DNSSEC Key Generation.
011a0317 Failed to %s PEM file %s for FIPS card.
011a0318 Failed to rename file %s to %s for FIPS card.
011a0319 Failed to initiate session with Thales.
011a031a Key size %u is not suported by Thales.
011a031b Thales failed to generate RSA pair for DNSSEC Key Generation.
011a031c Failed to get %s key from Thales after RSA pair generation.
011a031d Thales failed to delete private part of DNSSEC Key Generation: %s.
011a031e Failed to re-encrypt DNSSEC Key Generation %s:%llu.
011a031f DNSSEC Key Generation %s:%llu created: %s and %s.
011a0320 DNSSEC Key Generation %s:%llu imported to local FIPS card under identifier: %s.
011a0321 DNSSEC Key Generation %s:%llu removed: expired or removed from config.
011a0322 DNSSEC Key Generation %s:%llu expired.
011a500f %s (%s) identified as self, %s
011a5010 Unable to identify which gtm server represents the local device
011a6006 SNMP_TRAP: VS %s (ip:port=%s) (Server %s) state change %s --> %s (%s)
011ad103 BoxIP was NULL
011ae045 XML Buffer size (%lu bytes) exceeded when attempting to send %s.
011ae050 SSL Context set to use cipher list '%s'\n
011ae051 SSL Context set to use minimum TLS version '%s'\n
011ae052 Using Server specific(%s) cipher list '%s'\n
011ae053 Using Server specific(%s) minimum TLS version '%s'\n
011ae054 New key or certificate file detected, attempting to create new SSL Context.
011ae055 Creating replacement iQuery connection on all servers.
011ae056 Creating replacement iQuery connection to server %s.
011ae057 Creating replacement iQuery connection to ip %s.
011ae058 iQuery connection ID:%d to Remote IP:%s replaced with connection ID:%d.
011ae059 The specified TLS version (%s) is not a valid selection, SSL CTX not changed.
011ae05a The specified TLS version (%s) is not a valid selection.
011ae05a The specified TLS version (%s) is not a valid selection, server (%s) value not changed.
011ae05b SSL Cipher List unchanged since requested value is identical to current value %s".
011ae05c SSL Minimum TLS Version unchanged since requested value is identical to current value %s".
011ae05d Replacement iQuery connection to %s already in progresss. Ignoring request.
011ae05e iQuery connection ID:%d to Remote IP:%s created.
011ae05f SSL Context created with cipher list '%s' and minimum TLS version '%s'.
011ae060 Attempt(ignored) to replace an existing iquery connection with an invalid replacement.
011ae106 The monitor probing frequency has been adjusted because more than %d synchronous monitors were detected.
011ae10e Autoconf deleted link (%s)
011ae10f Autoconf deleted linkIP (%s)
011ae110 Autoconf skipped deletion of link (%s) because %s
011ae111 Autoconf skipped deletion of linkIP (%s) because member (%s) exists on box (%s)
011ae112 SSL Cipher List must not be empty. Previous setting remains in effect.
011ae113 SSL verification of SSL connection to: %s %s
011ae114 %s: SSL error: %s (%d) from connection %s
011ae115 SSL Minimum TLS Version must not be empty. Previous setting remains in effect.
011ae116 Topology detected bad order value (%u) for topology entry (%s), reset order to (%u)
011ae116 The list processing time (%d seconds) exceeded the interval value. There may be too many monitor instances configured with a %d second interval.
011ae117 Unable to process DB Variable (%s)
011ae118 Master Key encryption failed: %s.
011ae119 Master Key decryption failed: %s.
011ae11a Master Key updated, re-encrypting private texts of DNSSEC Key Generations.
011ae200 CRL file %s created, enabling CRL validation on all remote iQuery connections.
011ae201 CRL file %s removed, disabling CRL validation on all remote iQuery connections.
011ae203 CRL file %s contains no CRLs, or an invalid CRL. Remote iQuery connections may be rejected.
011ae206 CRL from issuer %s will expire on %s.
011ae207 Using expired CRL form issuer %s.
011ae209 Using not yet active CRL from issuer %s.
011ae20a CRL not found for certificate with subject %s from issuer %s.
011ae20b Certificate with subject %s from issuer %s is revoked.
011ae20c Certificate with subject %s from issuer %s will not be rejected due to revocation status.
011ae20d Error in %s: Cannot get current time.
011ae20e Will reverify all SSL connections in %ld seconds.
011ae20f Certificate validation failure. The iQuery connection to %s has been closed.
011ae210 Unable to verify the iQuery connection to %s: Cannot verify the peer certificate.
011ae211 %s: Error converting time
011b0203 Error '%s' opening file %s
011b020b Error '%s' scanning buffer '%s' from file '%s'
011b0233 CACHE MISS during %s, prev=%s, curr=%s.
011b0236 Merged iStats merge interval changed to be every %d seconds.
011b0237 Merged iStats merge interval called with %d.
011b0309 %s %s %s
011b032e Graph '%s' is not supported, possibly because it is not licensed, or a license has expired.
011b0600 Error '%s' during rrd_update for rrd file '%s'
011b0601 Error '%s' during rrd_graph for graph '%s'
011b0816 Statistic collection has ALREADY been started.
011b0826 Cluster collection start error.Exitting
011b0900 TMSTAT error %s: %s
011b090c tmstat_query_rollup on table %s called
011b090e getTMValueUNKeyed start
011b090f DNS Services request rate limiter engaged.
011b0910 DNS Services request rate limiter disengaged.
011b0914 No individual CPU information is available.
011b0999 %s: %s
011b1100 FIPS Device: Temperature approaching maximum range (%dC).
011b1101 FIPS Device: Temperature met or exceeded critical range (%dC).
011b1102 FIPS Device: Temperature returned to normal range (%dC).
011b1103 FIPS Device: Resetting statistics to synchronize counts.
011b1104 FIPS Device: Unable to read or recreate FIPS data file for statistics history.
011b1105 FIPS Device: Deleting FIPS statistics TMSTAT segment.
011b1106 FIPS Device: Could not initialize statistics, timer not started.
011d0002 No diskmonitor entries in database
011d0004 Disk partition %s has only %d free
011e0001 Limiting %s from %d to %d packets/sec for traffic-group %s
011e0002 %s: Aggressive mode %s %s (%llx) (%s %s). (%llu/%llu %s)
011e0003 mode sweeper: %s (%llx) (%s %s) %d Connections killed
011f0001 %s: Bad chunk state %d
011f0004 Invalid header insert profile, missing the colon separator in - %s
011f0005 HTTP header (%d) exceeded maximum allowed size of %d
011f0007 %s - Invalid action:0x%x %s (%C) %s (%C)
011f0008 %s - Invalid state transition to %s
011f0011 HTTP header count exceeded maximum allowed count of %d
011f0012 HTTP profile option %s incompatible with proxy_type. Using default instead.
011f0016 %s - Invalid action:0x%x Server sends too much data. serverside (%C) clientside (%C)
011f0017 Config error: HTTP Header Entry [%s:%d] update: agent clone failed
01200009 Packet rejected remote IP %*A port %d local IP %*A port %d proto %s: Connection limit exceeded.
01200012 Warning, connections equals limit %F, proto %s, VS %s: Connection limit reached.
01200014 Warning, connections equals limit %F, proto %s, RD %s: Connection limit reached.
01200016 Warning, node IP %*A has reached its connection limit.
01200017 Warning, pool member IP %*A port %u for pool %s has reached its connection limit.
01220001 TCL error: %s
01220002 Rule %s: %s
01220007 No pending rule event found for %F
01220008 Unable to resume pending rule event %s for closed %F
01220009 Pending rule %s aborted for %F
01220010 %d previous aborted rule log messages suppressed
01220011 Pending rule %s aborted for context %llx
01220012 Failed to configure rule %s for virtual %s.
01230001 Interface %d.%d: link is up, %dMbps %s
01230002 Interface %d.%d: link is down
01230032 Interface %s not found
01230066 Vlan %s - untagged interface %d/%d currently in use on vlan %s
01230074 Vlan %s, member %s - unsupported type %d
01230087 Vlan %s, member %s instance add error %u
01230088 Couldn't %s vlangroup %s
01230111 Interface %d.%d: HSB DMA lockup on %s.
01230113 "Unsupported media setting %s for interface %s"
01230140 RST sent from %A:%d to %A:%d, %s
01240006 Error querying request URI: %s
01260000 Profile %s: %s
01260006 Peer cert verify error: %s (depth %d; cert %s)
01260008 SSL transaction (TPS) rate limit reached
01260009 Connection error: %s:%d: %s (%d)
01260010 FIPS acceleration device failure: %s
01260012 Self-initiated renegotiation attempted while renegotiation disabled: %s
01260013 SSL Handshake failed for <PROTOCOL> <SRC> -> <DST>
01260014 Cipher %x:%x negotiated is not configured in profile %s
01260014 Cipher %x:%x negotiated is not configured in profile %s
01260015 Certificate supplied by server (subject CN: %s) was not configured on virtual: %s
01260017 Connection attempt to insecure SSL server (see RFC5746) aborted: %A:%d
01260018 Connection attempt to insecure SSL server (see RFC5746): %A:%d
01260024 OCSP failure on profile %s, certificate with issuer %s and serial number %lx: %s - %s
01260025 Cipher %x:%x negotiated is not supported by Proxy SSL configured in virtual server %s
01260026 No shared ciphers between SSL peers %A.%d:%A.%d.
01260034 SSL decryption canceled.
01260045 Certificate with subject name (%s) and serial number (%s) is revoked
0127000c Coalesced (%lu) requests for the previous command into 1 execution
01280045 Debug: %s
01290003 HALMSG reporting error conditions
01290004 HALMSG reporting warning conditions
012a0000 "LIBHAL reporting system is unusable"
012a0002 "LIBHAL reporting critical conditions"
012a0003 LIBHAL reporting error conditions
012a0004 LIBHAL reporting warning conditions
012a0005 LIBHAL reporting normal but significant condition
012a0006 LIBHAL reporting informational
012a0007 LIBHAL reporting debug-level messages
012a0012 Blade %d is about to be powered off!
012a0013 Blade %d hardware sensor critical alarm: %s
012a0016 Blade %d hardware sensor notice: %s
012a0017 Chassis power module %d turned on
012a0019 Chassis power module %d is on.
012a0021 Chassis power module %d absent.
012a0022 %s
012a0023 %s
012a0024 %s
012a0025 %s
012a0026 %s
012a0027 %s
012a0028 %s
012a0029 %s
012a0030 %s
012a0031 %s
012a0032 %s
012a0033 %s
012a0034 %s
012a0035 %s
012a0036 %s
012a0037 %s
012a0038 %s
012a0039 %s
012a0040 %s
012a0041 %s
012a0042 %s
012a0043 %s
012a0044 %s
012a0045 %s
012a0046 Chassis power module 1 turned on.
012a0047 Chassis power module 2 turned on.
012a0048 Chassis power module 3 turned on.
012a0049 Chassis power module 4 turned on.
012a0050 Chassis power module 1 turned off.
012a0051 Chassis power module 2 turned off.
012a0052 Chassis power module 3 turned off.
012a0053 Chassis power module 4 turned off.
012a0054 Chassis power module 1 absent.
012a0055 Chassis power module 2 absent.
012a0056 Chassis power module 3 absent.
012a0057 Chassis power module 4 absent.
012a0058 Chassis with %d blades (%d W) may be inadequately powered - increase active number of power supplies
012a0059 Chassis power module %d is unidentified.
012a0060 Power supplies do not match.
012b0021 Executable %s version '%s'.
012b0022 Executable %s version is newer than %s.
012b0023 Executable %s SELinux context error (%s).
012b101e Dropping a message received from an unknown connection type from %s.
012b101f Deleted connection %s.
012b2007 %s: Begin xml broadcast
012b2008 %s: End xml broadcast
012b2009 Skipped xml broadcast to: %s reason: %s
012b200a Failed to send xml message: %s
012b3005 Error encountered while opening SSL certificates %s.
012b3007 SSL Context created using minimum TLS version %s, SSL cipher list '%s'.
012b3008 SSL Context Cipher list set to: %s.
012b3009 SSL Context minimum TLS Version set to: %s.
012b300a SSL Cipher list converted from:'%s' to:'%s'
012b300a SSL Context Cipher list converted from:'%s' to:'%s'
012b300b Replacing iQuery connection (%s:%d) with connection (%s:%d)
012b300c iQuery connection with id %d not found.
012b300d Error setting SSL Cipher list to: %s, previous value (%s) remains in effect.
012b300e SSL Error: %s on connection to %s.
012b300f Error setting SSL Context options.
012b3010 The specified TLS version (%s) is not a valid selection, SSL CTX not changed.
012b3011 Found an unexpected connection of type %d when looking for a GTM connection.
012b3014 Routine renegotiation of SSL connection with %s completed.
012b3100 CRL file %s created, enabling CRL validation on all remote iQuery connections.
012b3101 CRL file %s removed, disabling CRL validation on all remote iQuery connections.
012b3102 CRL file %s was updated, replacing iQuery CRLs.
012b3103 CRL file %s contains no CRLs, or an invalid CRL. Remote iQuery connections may be rejected.
012b3104 Unable to allocate memory for crl: %s.
012b3104 %s: out of memory.
012b3105 CRL from issuer %s has expired.
012b3106 CRL from issuer %s will expire on %s.
012b3107 Using expired CRL from issuer %s.
012b3108 CRL from issuer %s is not yet active, will become active %s.
012b3109 Using not yet active CRL from issuer %s.
012b310a CRL not found for certificate with subject %s from issuer %s.
012b310b Certificate with subject %s from issuer %s is revoked.
012b310c Certificate with subject %s from issuer %s will not be rejected due to revocation status.
012b310d Error in %s: Unable to get current time.
012b310e Will reverify all SSL connections in %ld seconds.
012b310f Unable to reverify the iQuery connection to %s: Cannot verify the peer certificate.
012b3110 Certificate validation failure. The iQuery connection to %s has been closed.
012b3111 %s: Error converting time
012b400b Moved %d pending and %d active probers from connection %u to connection %u
012b7010 No Route Domain support, cannot create a listener for Route Domain %u.
012c0004 Lost connection with MCP: %d ... Exiting
012c0010 BCM56XXD driver error
012c0011 BCM56XXD SDK error
012c0012 BCM56XXD info
012c0013 BCM56XXD starting
012c0014 SAMPLE: bcm56xxd - Exiting...
012c0015 Link: %s is %s
012c0016 BCM56XXD SDK info
012c0023 Optic in wrong port
012c0024 Optic Warning
012c0025 F5 Optics not supported on platform
012d0007 Lost connection with MCP: %08x
012e0029 The configuration was successfully loaded.
01300001 RAMCACHE Initialize - Not enough memory available to create the cache. Please try reducing the cache size and max entries
01300002 RAMCACHE Response - Too many Cache-Control headers in response, max is %d.
01300003 RAMCACHE - Header too long. Header %d of length %d exceeds the max %lu bytes.
01310027 ASM subsystem error (%s,%s): %s
01330024 Regular expression compilation failed on recv string: %s
01330025 Unable to get a session to cache for %s:%d
01340001 HA Connection with peer %la:%d for traffic-group %s established.
01340002 HA Connection with peer %la:%d for traffic-group %s lost
01340003 Cluster error: %s
01340004 HA Connection detected dissimilar peer: local npgs %u, remote npgs %u, local npus %u, remote npus %u, local pg %u, remote pg %u, local pu %u, remote pu %u. Connection will be aborted.
01340007 HA Connection with peer %la:%d for traffic-group %s closing.
01340009 HA reconnect with peer %la:%d for traffic-group %s postponed.
01340012 HA context missing for %s on virtual %s
01360008 ERROR: Cannot connect to GWM server %s; Will try it again in 30 seconds.
01380002 Certificate '%s' in file %s will expire on %s
013a0004 %s
013a0005 %s
013a0006 %s
013a0007 %s
013a0008 %s
013a0014 %s
013a0015 %s
013a0016 %s
013a0018 "%s"
013a0019 %s
013a0020 %s
013a0024 %s
013b0004 %s
013b0008 %s
013c0004 %s
013c0006 %s
013d0006 cand done
013e0000 Tcpdump starting locally on %la:%u from %la:%u
013e0001 Tcpdump starting bcast on %la:%u from %la:%u
013e0002 Tcpdump stopping on %la:%u from %la:%u
013e0005 Tcpdump starting remote to %A from %A
013e0006 Tcpdump to %A failed to connect : %E
013e0007 Tcpdump stopping remote to %A from %A
013e0008 Tcpdump ICMP error Type:%d Code:%d from %A
013e0009 Tcpdump DPT session end error provider:%s id:%d err:%d
013e000d AUDIT - %s
01410000 %s
01410004 RTSP: client_port and server_port not paired
01410005 RTSP: client_port and server_port not specified
01410006 RTSP: multicast not compatible with unicast or interleaved
01410007 RTSP: incompatible port specifications
01410008 RTSP: no multicast port(s) specified
01410009 RTSP: no multicast address specified
0141000a RTSP: Expiring active RTP peer connection
0141000b RTSP: Expiring active RTCP peer connection
0141000c RTSP: Expiring active RTP connection
0141000d RTSP: Expiring active RTCP connection
0141000e RTSP: release RTP peer conn flow
0141000f RTSP: release RTCP peer conn flow
01410010 RTSP: release RTP conn flow
01410011 RTSP: release RTCP conn flow
01410012 RTSP: Can't create RTP endpoints: %E
01410013 RTSP: Can't create RTCP endpoints: %E
01410014 RTSP: Failed to set up sa_entry on client
01410015 RTSP: Can't find a port for media connections
01420001 %s
01420002 SAMPLE: tmsh - AUDIT - pid=13324 user=root query_partitions=all update_partition=Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual idnshare3-139
01420003 "%s"
01420004 %s
01420006 %s
01420007 Certificate '%s' in file %s expired on %s
01420008 Certificate '%s' in file %s will expire on %s
01420010 %s
01460005 SAMPLE: promptstatusd - mcpd.running(1) held, wait for mcpd
01460006 SAMPLE: promptstatusd - semaphore tmm.running(1) held
01460007 SAMPLE: promptstatusd - semaphore tmm.running(1) released
01470000 iSession: Connection error: %s:%u: %s:%d
01470002 iSession: tunnel %F: connection error: deduplication: unrecognized control message %d
01470006 iSession: tunnel %F: internal error: %s:%d: %s: %E; connection aborted
01470007 iSession: internal error: %s:%d: %s: %E
01480001 %s
01480002 %s
01480010 Got a message(%d) for a non existent flow
01480024 Can't bind the flow, waiting for config response on channel %s
01480031 headers limited to %d bytes
01480052 Profile %s missing plugin_type field.
01480053 Profile %s missing tmi_type field.
01480054 Command %s not registered.
01490510 %s: Initializing Access with max global concurrent access session limit: %d
01490523 {{Access Profile, %s}{Partition, %s}{Session ID, %s}{Max Concurrent Sessions, %d}} "#0:#1:#2: Initializing Access with max global concurrent connectivity session limit: #3"
01490526 %s: Initializing Access with max global concurrent connectivity session limit: %d
01490541 Access using device name: %s and device ID: %.*s.
01490555 %s: Initializing Access with max global concurrent url filtering session limit: %d
01490570 PPP listener local address %A tunnel nexthop is NULL
01490572 %s: API Protection feature is %s
01490573 %s: Ephemeral Authentication feature is %s.
014b0002 RADIUS: %s error %lE
014c0001 DIAMETER: %s error: %lE
014c000f DIAMETER: Invalid AVP length: %d
014c0010 DIAMETER: Invalid AVP code
014c0010 DIAMETER: Invalid AVP length: %d
014c0011 DIAMETER: Invalid AVP code
014c0012 DIAMETER: Invalid event
014c0013 DIAMETER: Retransmission triggered by timeout for message: AppId %lu HopByHopId %lu from %s
014c0014 DIAMETER: Retransmission triggered by result code %d for message: AppId %lu HopByHopId %lu from %s
014c0015 DIAMETER: Retransmission triggered by iRule (note '%s') for message: AppId %lu HopByHopId %lu from %s
014c0016 DIAMETER: Retransmission generated an error answer of %d for message: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c0017 DIAMETER: Retransmission retransmitted request message: AppId %lu HopByHopId %lu from %s
014c0018 DIAMETER: Message dropped after routing error %s: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c0019 DIAMETER: Error answer of %d generated after routing error %s: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c001a DIAMETER: Message added to Retransmission queue: AppId %lu HopByHopId %lu from %s
014c001b DIAMETER: Message removed from Retransmission queue: AppId %lu HopByHopId %lu EndToEndId %lu from %s
014c001c DIAMETER: Deleting stale pending request entry: original HopByHopId %lu outgoing HopByHopId %lu persistence key %s expected from %A
014c001d DIAMETER: Unexpected answer message arrived: HopByHopId %lu from %A
014c001e DIAMETER: Dropping late answer for original request after request retransmitted: HopByHopId %lu from %A
014c001f DIAMETER: %s transport window for retransmission queue %c or proxy queue %c
014c0020 DIAMETER: Looped message detected from peer %s
014c0022 DIAMETER: Forced down pool member %A:%u as BIG-IP received DPR from it
014c0023 DIAMETER: Disabled pool member %A:%u as BIG-IP received DPR from it
014e0001 mysql failure detected, attempting to restart mysql (attempt %d).
014e0003 mysql service back online.
014e0007 mysqlhad starting to monitor mysqld
014f0001 %s
014f0002 %s
014f0004 %s
014f000e Becoming primary cluster member
014f0013 Script (%s) generated this Tcl error: (%s)
014f0017 Perpetual handler (%s) exited with failure
01510003 %s
01510004 %s
01510005 SAMPLE: vcmpd - VDisk (LBEMP-LOTWAN01.img/1): Failed to save info file - /shared/vmdisks/LBEMP-LOTWAN01.info
01510007 %s
01510011 vCMP guest %s powered off.
01530007 %s started ===============================
0153000c Error writing scratch database(%s), serving database is unchanged. zxfrd will exit and restart.
0153002c An instance of zxfrd (pid: %d) is already running! Exiting
01531003 Failed to sign zone transfer query for zone %s using TSIG key %s
0153100c Failed on receive of %d bytes for transfer of zone %s (%s)
0153100e Transfer of zone %s failed with rcode (%s).
01531010 Transfer of zone %s failed b/c there are no records
01531015 Failed to retrieve next RR in %s for zone %s
01531018 Failed to transfer zone %s from %s, will attempt %s
0153101b Ignoring NOTIFY for zone %s due IXFR in progress
0153101c Handling NOTIFY for zone %s
0153101f %s Transfer of zone %s from %s succeeded
01531023 Scheduling zone transfer in %ds for %s from %s
01531025 Serials equal (%d); transfer for zone %s complete
0153102a Failed connect callback to %s for transfer of zone %s
0153102d Notify request from %s not in allow-notify-list. Ignoring.
0153102e Error %s during socket %s.
0153102f Timed out waiting for transfer data for zone %s.
01531030 Kicking read timer for zone %s.
01531031 Setting read timer for zone %s.
01531032 There is an existing zone transfer scheduled for zone %s from %s, not re-scheduling.
01531033 There is a backlogged zone transfer scheduled for zone %s from %s, not adding another.
01531105 Zone %s expired. Zone will be unavailable until the next successful zone transfer.
0153120c Zone %s saved to scratch DB with SOA Serial %d.
01531300 Cluster status changing from %s to %s
0153e0f7 Lost connection to mcpd
01550004 Critical:
01550005 Critical:
01550006 Critical:
01570004 %s
015a0000 SAMPLE: devmgmtd - Initial trust configuration created
015a0004 "%s"
015c0004 %s
015c0009 IP Reputation has no license currently
015c0010 Initial load of IP Reputation database has been completed
015e0002 [pg:%d pu:%d] %s: %s
015e0004 [pg:%d pu:%d] %s: %s
015f0028  
015f0029  
015f0029 date_time, management_ip_address, bigip_hostname, device_product, device_vendor, device_version, msg_name, nps_name, bits_per_second, packets_per_second, connections_per_second, total_bits_per_po, total_packets_per_po, total_connections_per_po
015f0030  
015f0031  
015f0032  
015f0033  
01630002 (%s) (%s)
01660009 %s
01660010 %s
01660011 %s
01660012 %s
01660013 %s
01660014 %s
01660015 Interface %s. Non-F5 branded optics are not supported
01660016 %s
01670003 Inbound entry %A,%d,%A,%A found
01670006 [%u.%u] DNAT Picked :%A,%d
01670009 Inbound connection :%A,%d is active
01670010 Inbound entry:%A%%%d:%d, ds-lite remote:%A local:%A timeout:%d for key:%A%%%d:%d proto:%d added. ha mirrored: %s
01670016 No inbound entry found for %A%%%u:%u proto:%u
01670019 "DNAT configuration: %s"
01670020 DNAT connection: %s
01670021 [%u.%u] LSN Pool %s has no usable translation address for DNAT
01670028 LSN pool(%s) inbound route domain id %d\n
01670029 Translation failed: %s is unsupported.\n
01680027 netHSM: Thales RFS error [%s].
01680028 netHSM: Cannot load HSM vendor library [%s] with error [%s].
01680029 netHSM: Failed login: password[%s]. Error[%lu].
01680030 netHSM: Failed to allocate space [%lu] for [%s].
01680031 netHSM: The session with the network-hsm is invalid.
01680032 netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
01680033 netHSM: BigDB error [%d][%s].
01680034 netHSM: Key name is too long (>=255).
01680035 netHSM: PKCS11d (re)initialization is not complete.
01680036 netHSM: Unknown HSM vendor [%s].
01680037 netHSM: Failed to create ec key for key %llu
01680038 netHSM: Failed to set ec group for key %llu
01680039 netHSM: Failed to create ec point for key %llu
01680040 netHSM: Failed to find partition with label '%s' on the netHSM.
01680041 Failed to add key to cache index %lu; err %d. Cache size %lu.
01680042 Failed to find key handle for %s key with %s '%s'.
01680043 Failed to find key attribute [%s] for key with handle [%llu] .
01680044 Thread [%lu] successfully connected to partition labeled '%.*s' in slot '%lu'.
01680045 Nethsm: number of slots %u
01680046 pkcs11d loading key handles.
01680047 pkcs11d invalidating key handles.
01680048 %s: pkcs11_rv=0x%08lx, %-26s.
01680049 [PKCS11D][%u]:%s:%d: %s
01680050 %s
01680051 %s.
01680052 %s.
01690000 SAMPLE: evrouted - shutdown cleanly
016b0002 Rewrite: %s
016e0002 Execution of action '%.*s' failed, error %E
016e0005 Unable to resume pending policy event on connflow %F
016e0006 Pending policy event missmatch found for %F
01700000 PPTP CALL-REQUEST id;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d
01700001 PPTP CALL-START id;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d
01700002 PPTP CALL-END id;%d reason;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d
01700005 Error creating PPTP-GRE local flows, error %E.
01700009 Unable to locate flow %F.
0170000a Received an unexpected PPTP Control Message(%s) while processing connflow %F. Reason: %s.
0170000b Connflow(%F) has no peer, ignoring.
01700020 Unable to locate PPTP GRE flow with %s key %d while processing connflow %F.
01700021 Unable to retrieve layer 3 header from packet while processing connflow %F.
01700023 Connflow (%F) ignoring an unexpected MPI remote flow response.
01700028 Unable to find serverside PPTP flow for clientside flow %F.
01700029 PPTP DSLITE-CALL-REQUEST id;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01700030 PPTP DSLITE-CALL-START id;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01700031 PPTP DSLITE-CALL-END id;%d reason;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01700032 PPTP DSLITE-CALL-FAILED id;%d reason;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d
01740018 Profile PCP error: Invalid operation for %s.
01740023 Profile PCP error: PCP %s missing from message.
01740036 PCP: Invalid %s Option length, Expected %lu, Found %d - Client %A rtid %d
01740039 PCP Request: Client %A - OpCode %s(%d), Lifetime:%u, Packet Length:%lu
017b0009 IVS (connecting from parent %F): Internal virtual server %s received injected message %s with data %#x
017c0003 tmm IPsec: Tunnel down %A - %A
017c0004 tmm IPsec: Tunnel up %A - %A
017c0005 listener binding ERR=%d %s listener %s %A:%d FAIL
017c0006 NOTE: avoid common IPsec v1 and v2 tunnel local addr
017c0007 IPsec Tunnel UP destination(%A) source(%A) reqid(%d)
017c0008 IPsec Tunnel DOWN destination(%A) source(%A) reqid(%d)
017e0004 GTP: Failed to parse message err (%E) flow (%C)
017e0005 GTP: Failed to parse header extension err (%E)
017e0006 GTP: Failed to parse element err (%E)
017e0007 GTP: Failed to parse group element err (%E) internal parent id (%u)
017e0008 GTP: Failed to allocate message err (%E)
017e0009 GTP: Failed to pullup (%d) bytes err (%E)
017e0010 GTP: Failed to move (%d) bytes err (%E)
017e0011 GTP: Failed in header cache err (%E) type (%u) len (%u)
017e0012 GTP: End of header contains invalid byte (%u)
017e0013 GTP: Version (%u) is invalid
017e0014 GTP: Element type (%u) is invalid or not supported
017e0015 GTP: Message len (%u) does not match buffer len (%u)
017e0016 GTP: Element to be parsed len (%u) does not match buffer len (%u)
017e0017 GTP: Payload offset (%u) + len (%u) does not match buffer len (%u)
017e0018 GTP: Message received (%u) is too short, expect %lu
017e0019 GTP: Header length (%u) is too short, expect %lu
017e0020 GTP: Number of elements (%lu) is beyond the limit (%lu)
017e0021 GTP: Number of BCD digits (%d) is higher than limit (%lu)
01810004 %s
01810007 "%s"
01810008 %s
01820004 %s
01830003 Unable to find a flow for remote vtep %A%%%u, tunnel name = %s.
01830004 Tunnel output has a potential loop for remote endpoint %A%%%u, tunnel name = %s.
01850027 MR: Proxy missing for %s %s
01850028 MR: Message drop due to wrong Hop-by-Hop ID (%u)
01850028 MR: Message dropped due to wrong Hop-by-Hop ID (%u) or End-to-End ID (%u)
01850033 MR: Message dropped because ingress queue full (flow %F)
01850034 MR: Ingress buffer full, closing TCP window (flow %F)
01850035 MR: Ingress buffer draining, opening TCP window (flow %F)
01850036 MR: Passthru_mode state %s side connection: %F is torn down or aborted, reason: %lE
01850037 MR: Server side connection %F is established and in passthru_enabled state
01850038 MR: Router %s iRule scope is per %s
01850039 MR: Diameter: Performing dynamic route lookup, destination host %.*s
0185003a MR: Diameter: Dynamic route lookup failed for %.*s (Reason: %E)
0185003b MR: Diameter: Dynamic route added for %.*s
0185003c MR: Diameter: Dynamic route for %.*s set to delete in %d seconds
0185003d MR: Diameter: Dynamic route for %.*s deleted
0185003e MR: Diameter: Dynamic route for %.*s updated, generation %d
0185003f MR: Priority set by the iRule MR::message priority, %d is out of range [1-4]. Changing it to the default value %d
01850040 MR: RATELIMIT Traffic rate in %s, crossed %s %s of configured threshold on %s
01850041 MR: RATELIMIT message id %llu delayed on %s
01850042 MR: RATELIMIT message id %llu returned on %s
01850043 MR: RATELIMIT message id %llu dropped on %s
01850044 MR: RATELIMIT message id %llu dropped due to exceeding delay on %s
01850046 MR: RATELIMIT slot %d : accumulated count : %ld
01850047 MR: RATELIMIT total count : %d
01850048 MR: Wrong pmbr_rem value is calculated. pmbr_rem: %lu, total active npus: %u
01860000 MR SIP: %s returned error: %lE
01860001 MR SIP: %s
01860002 MR SIP: Missing header %s in the message
01860003 MR SIP: Decrypt branch parameter failed with error : %lE
01860004 MR SIP: Encrypt branch parameter failed with error : %lE
01860005 MR SIP: %s
01860006 MR SIP: Invalid config attribute %s in profile %s
01860007 MR SIP: Generated response was not sent '%d - %s' (%F)
01860008 MR SIP: Generated response SENT '%d - %s' (%F)
01860009 MR SIP: Media flow creation (%F)<->(%F) failed due to collision
0186000a MR SIP: Parse error reading number for %s value near %d. Status Code %d
0186000b MR SIP: Parse error bad sip protocol version in headline near %d. Status Code %d
0186000c MR SIP: Parser error invalid or malformed uri in headline near %d. Status Code %d
0186000d MR SIP: Parser error invalid headline near %d. Status Code %d
0186000e MR SIP: Parser error too many header near %d. Status Code %d
0186000f MR_SIP: Parser error extraneous header field near %d. Status Code %d
01860010 MR_SIP: Parser error header too large near %d. Status Code %d
01860011 MR_SIP: Parser error missing header code %d. Status Code %d
01860012 MR_SIP: Parser error CSEQ method does not match headline tag %s : %s. Status Code %d
01860013 MR_SIP: Parser max-forwards value has reached zero. Status Code %d
01860014 MR_SIP: Server in maintence mode. Status Code 503
01860015 MR_SIP: Loop detected. Status code 482
01860016 MR_SIP: Missing Media Connection atributes. Status Code 488
01860017 MR_SIP: Too many media sessions %d / %d. Error Code %d
01860018 MR_SIP: Ingress message queue full, current message dropped (flow %K)
01860019 MR_SIP: Ingress message queue full, closing TCP window (flow %K)
0186001a MR_SIP: Ingress message queue draining, opening TCP window (flow %K)
01860026 MR SIP: invalid address: %A
01860027 MR SIP: Rejecting SIP registration request due to PBA Block timeout blackout. %d seconds left in block, %d-second blackout period
01860028 MR SIP: Backdown of SIP registration request expiry due to PBA Block timeout. %d -> %d in message
01860029 MR SIP: Re-writing SIP REGISTER response expiration value from registrar due to PBA Block timeout. %d -> %d
0186002a MR_SIP: Non-SIP message received. Client connection %F is in fail_open_enabled state
0186002a MR_SIP: Non-SIP message received. Client connection %F is in passthru_enabled state
0186002b MR_SIP: Server side connection %F is established and in fail_open_enabled state
0186002b MR_SIP: Server side connection %F is established and in passthru_enabled state
0186002b MR_SIP: Media flow creation (%F)<->(%F), flow index %u, timeout %u s
0186002c MR_SIP: Fail_open_enabled state %s side connection: %F is torn down or aborted, reason: %lE
0186002c MR_SIP: Passthrough_enabled state %s side connection: %F is torn down or aborted, reason: %lE
0186002c MR_SIP: Media flow creation (%F)<->(%F) failed with error: %lE
0186002d MR_SIP: Media flow deletion (%F)<->(%F)
0186002e MR_SIP: Subscriber registration created: subscriber URI %s
0186002f MR_SIP: Subscriber registration deleted: subscriber URI %s
01860030 MR_SIP: Subscriber registration updated: subscriber URI %s, lifetime %u s
01860031 MR_SIP: Non-Registered Subscriber registration created: subscriber URI %s
01860032 MR_SIP: Non-Registered Subscriber registration updated: subscriber URI %s, lifetime %u s
01860034 MR_SIP: Routing to topmost Route Header address and port: %A:%d
01860035 MR_SIP: %s mode with SIP ALG
01890008 Postgres stopped with a non-zero status (%d).
0189000b Shutting down postgres.
018e0002 %s
018e0005 Exiting, received shutdown signal
018e0017 %s
018e001d %s
018e001e %s
01900006 Profile SCTP error: SCTP %s missing from message.
01900020 SCTP %s association (%F) confirmed peer transport address %la.
01900021 SCTP %s association (%F) peer transport address %la not confirmed, path %F inactive.
01900022 SCTP %s association (%F) %s path %F failed (path-retransmit-exceeded).
01900023 SCTP %s association (%F) %s path %F failed (destination unreachable).
01900024 SCTP %s association (%F) path %F restored.
01900025 SCTP %s association (%F) primary path changed to %F.
01900026 SCTP %s association (%F) path %F usable.
01900027 SCTP %s association (%F) %s path %F not usable (path-retransmit-exceeded).
01900028 SCTP %s association (%F) %s path %F not usable (destination unreachable).
01900029 SCTP %s association (%F) failed (association-retransmit-exceeded).
01900030 SCTP %s association (%F) initialization failed (init-retransmit-exceeded).
01900031 SCTP %s association (%F) aborted by peer.
01900032 SCTP %s association (%F) aborted (%s).
01900035 SCTP %s association %s (%F) path %F restored.
01910001 Tmrouted starting.
01910014 FATAL error: non_initial state (%d) and some state vars are unknown (cluster: %d, primary: %d)
01910030 FATAL error: failed to set timer %p at %s:%d
01910031 FATAL error: failed to clear timer %p at %s:%d
01910032 FATAL error: attempt to set already active timer %p at %s:%d
01910033 FATAL error: attempt to clear inactive timer %p at %s:%d
01910034 FATAL error: attempt to clear wrong timer %p at %s:%d
01910035 FATAL error: timer array exceeded
01910036 FATAL error: RHI failed to send %s request.
01910037 Tmrouted clean up timed out while shutting down.
01910050 error on cluster socket %d in state %d: %s
01910202 failed to add attribute %u to NETLINK message. got: %d need: %zu
01910204 memory allocation failed for %s: trying %zu bytes
01910300 HA daemon heartbeat disabled. Last value is %u.
01910301 HA daemon heartbeat enabled with %us period. Last value is %u.
01910600 Suppressing route %s matching admin network.
01910601 Unsuppressing route %s matched previous admin network.
01910602 Failed to suppress route %s matching admin network.
01910603 Withdrawing route %s matching admin network not suppressed.
01910604 New route %s matching admin network already suppressed.
01940007 "Failed to allocate the errdefs tmconf handle!"
0194000b "errdefs: error adding local syslog destination %s; check the configuration for missing elements."
0194000c "errdefs: error adding remote syslog destination %s; check the configuration for missing elements."
0194000d "errdefs: error adding remote hsl destination %s; check the configuration for missing elements."
0194000e "errdefs: error adding fslog destination %s; check the configuration for missing elements."
0194000f "errdefs: error adding alertd destination %s; check the configuration for missing elements."
01940010 "errdefs: failed to add splunk destination %s -- the delivering destination %s probably doesn't exist or contains errors."
01940011 "errdefs: error adding IPFIX destination %s; check the configuration for missing elements."
01940012 "errdefs: failed to add splunk destination %s -- the delivering destination %s probably doesn't exist or contains errors."
01940019 "Unable to connect to MCPD, will try again in 30 seconds."
0194001d Errdefsd is starting.
01940022 errdefs: error adding management port destination %s; check the configuration for missing elements.
01960002 netHSM: Failed to login to network HSM with login_status[%lu].
01960004 netHSM: Failed login: password[%s]. Error[%lu].
01960005 netHSM: The session with the network-hsm is invalid.
01960005 netHSM: The session with the network-hsm is invalid.
01960006 netHSM: Failed to open file [%s].
01960007 netHSM: Unknown client [%d].
01960008 netHSM: Thales RFS error [%s].
01960009 netHSM: Failed to allocate space [%u] for [%s].
01960010 netHSM: Unknown HSM vendor [%s].
01960011 netHSM: BigDB error [%d][%s].
01960012 netHSM: PKCS11d (re)initialization is not complete.
01960013 netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
01960014 netHSM: Error: %s.
01960014 netHSM: Key name is too long (>=255).
01960015 netHSM: Input string(%s) is too long (>=255).
01960016 netHSM: Failed to create ec key for key %llu
01960017 netHSM: Failed to set ec group for key %llu
01960018 netHSM: Failed to create ec point for key %llu
01960020 %s: file name too long (module: %s, dir: %s).
01960021 dlopen returned %s for module %s.
01960022 module %s is invalid (attach function missing).
01960023 %s(): mod_err = 0x%x
01960030 N3FIPS: Couldn't get curve id for key %PRId64 (%s, err=%u)
01960031 N3FIPS: Couldn't create group for curve id %u
01960032 N3FIPS: Couldn't get group order for curve id %u
01960033 N3FIPS: Couldn't get qx/qy for key %PRId64 (%s, err=%u)
01960034 N3FIPS: Couldn't read qx/qy for key %PRId64
01960035 N3FIPS: Couldn't export key %PRId64 (%s)
01960036 N3FIPS: Couldn't set the ec group for key %PRId64
01960037 N3FIPS: Couldn't retrieve curve id for label '%s'
01960038 N3FIPS: Couldn't assign ec_key to pkey for label '%s'
01960039 N3FIPS: Couldn't convert to bio_key.
01960040 N3FIPS: Couldn't read from the bio_key.
01960041 N3FIPS: Couldn't import private key (err=%u, reason='%s').
01960042 N3FIPS: Unsupported curve id %u.
01960043 N3FIPS(mem): Couldn't create octet string for key %PRId64
01960044 N3FIPS(mem): Couldn't export key %PRId64
01960045 N3FIPS(mem): Couldn't create ec key for key %PRId64
01960047 N3FIPS(mem): Couldn't create memory BIO.
01960048 N3FIPS(mem): Couldn'tgenerate a PEM buffer.
01960049 N3FIPS(mem): Failed to allocate PEM string of %zu bytes.
01960050 N3FIPS(mem): Couldn't duplicate ec_key for label '%s'
01960051 N3FIPS(mem): Couldn't allocate pkey for label '%s'
01960052 N3FIPS(mem): Couldn't allocate bio_key for label '%s'
01960053 N3FIPS(mem): Couldn't allocate bin_key for label '%s'
01960054 N3FIPS(mem): Couldn't allocate a FIPS request record.
01a30018 (%s). err(%d)(%s)
01a30019 read error (%s)/(%d)/(%d) (%d)(%s)
01a3001a write error (%s)/(%d)/(%d)(%d)(%s)
01a3001b Collecting pool member %s status monitor: %d session: %d
01a30025 The database has become inconsistent!
01a30040 Reconnected to TAM server after %d attempts
01a3004b Missing rd(%s) for vlan(%s)
01a3004c Virtual server (%s) is configured with unexpected virtual server type (%d)
01a3004d Error: load balance mode invalid for pool %s used by virtual %s - changed to Round Robin load balancing
01a3004e Error (%s) node(%s)
01a3004f node(%s) state(%s)
01a30050 Failed to post from(%s) to(%s) message (%d)/(%s) error: (%s)
01a30051 Failed to alloc (%s) for (%d)bytes context(%s) err(%d)/(%s)
01a40000 Failed to create IVS (%s).
01a40001 Failed to create OCSP context - %s, with error: %E.
01a40002 Failed to create OCSP request with OCSP object(%s), certificate(%s).
01a40003 HTTP status code of OCSP response(%d) indicates failure to obtain the response for certificate(%s).
01a40004 OCSP validation result of certificate(%s): OCSP response - (%s), certificate status - (%s), lifetime - %u.
01a40008 Unable to build certificate trust chain for profile %s
01a40008 %s
01a40009 Certificate(%s) has expired, or is going to expire in less than a week.
01a50024 Node to corrupt %s is invalid
01a50027 The revoke option is only available on VE platforms.
01a50031 Manifest created is larger than 512K: %u
01a50033 Unable to parse the manifest with a json parser.
01a50034 Failed to get variables from mcpd: %s
01a50035 Failed to to connect to mcpd.
01a50100 Error: Failed to store EULA in %s.
01a50101 Error: Failed to install backup file %s to %s.
01a50102 Error: Failed when calling /usr/bin/chcon for %s.
01a50111 Error: Server busy, retry in %d seconds.
01a60001  
01a70028 The platform was not found in %s.
01a70029 CCN is unsupported on vcmp guests.
01a70077 Error: OpenSSL PEM_read_bio_PrivateKey failed read key %s.
01a70095 Error: OpenSSL EVP_PKEY_get1_RSA failed.
01a70096 Error: OpenSSL RSA_check_key(%s) failed.
01a70097 Error: OpenSSL BN_new failed.
01a70098 Error: OpenSSL RAND_file_name failedo_RSAPrivateKey.
01a70121 Error: Failed while getting the status, %s.
01a70122 Error: Failed to obtain auto-check/auto-phonehome status.
01a70131 Error: Failed to obtain certificate cache path.
01a70132 Error: Failed while gettting the certificate cache path, %s.
01a70133 Error: Failed to obtain key cache path.
01a70134 Error: Failed while gettting the key cache path, %s.
01a70141 Error: Can't connect to mcp, %s.
01a70151 Error: OpenSSL RAND_status failed.
01a70152 Error: OpenSSL RSA_new failed.
01a70153 Error: OpenSSL BN_set_word failed.
01a70154 Error: OpenSSL RSA_generate_key_ex failed.
01a70155 Error: OpenSSL RAND_write_file failed.
01a70156 Error: OpenSSL PEM_write_bio_RSAPrivateKey for key %s failed.
01a70170 Error: Failed to obtain key passphrase from mcpd for key %s.
01a70171 Error: system call to tmsh save sys config.
01a70172 Error: Failed to create cached key file.
01a70173 Error: Failed to create cached certificate file.
01a70180 Error: Attempted to get cloud environment when not on cloud.
01a70181 Error: Failed to communicate with %s to obtain metadata.
01a90007 dynconf setrlimit %d failure: %s.
01a90008 dynconf setrlimit %d error: %s %d.
01aa0000 ICAP (%F): Incomplete message body received from server
01aa0001 ICAP (%F): Unexpected status code %u received from server
01aa0002 ICAP (%F): Server responded 204 beyond or without preview ('Allow: 204' is not supported)
01aa0003 ICAP (%F): Parsing ICAP response headers failed
01aa0004 ICAP (%F): Parsing ICAP chunked response body failed
01aa0005 ICAP (%F): Status code %u received from server
01aa0006 ICAP (%F): Response completed after request completed - connection may be reused by 'oneconnect'
01aa0007 ICAP (%F): Response completed before request - request truncated and oneconnect reuse disabled
01aa0008 ICAP (%F): An IVS result was imposed during iRule event %s - ICAP transaction terminated
01aa0009 ICAP (%F): An iRule parked at event %s
01aa0010 ICAP (%F): Processing message %s failed: %s
01aa0011 ICAP (%F): Processing ingress from IVS failed: %s
01aa0012 ICAP (%F): Processing egress from server failed: %s
01aa0013 ICAP: Client-facing state transition %s -> %s
01aa0014 ICAP: Server-facing state transition %s -> %s
01ad0001 Monitor Agent TMM %u: channel could not be opened: error %s(%s)
01ad0003 Monitor Agent TMM %u: channel could not be authenticated: error %s(%s)
01ad0013 Monitor Agent TMM %u: failed to handle %s message: MID %u, error %s(%s)
01ad0014 Monitor Agent TMM %u: created activity: MID %u, proto %s, endpoint %A:%u, monitor %s
01ad0015 Monitor Agent TMM %u: failed to create activity: proto %s, endpoint %A:%u, monitor %s
01ad0016 Monitor Agent TMM %u: deleted activity: MID %u, monitor %s
01ad0017 Monitor Agent TMM %u: sent probe: MID %u
01ad0018 Monitor Agent TMM %u: failed to send probe: MID %u, monitor %s
01ad0019 Monitor Agent TMM %u: received probe response: MID %u, reason %s(%s), info %#x
01ad0020 Monitor Agent TMM %u: probe response timeout: MID %u
01ad0021 Monitor Agent TMM %u: created/enlarged monitor table for %u entries
01af0004 Traffic rejected for hornet virtual (%s)
01b00001 %s: class name (%s) field name (%s)
01b00002 internal error - %s
01b00003 Full sync for devicegroup %s on connection %p complete; sending updated sync.
01b00004 There is an unfinished full sync already being sent for device group %s on connection %p, delaying new sync until current one finishes.
01b00005 Incremental sync request received for device group (%s) from device (%s) cannot be processed because an earlier incremental sync request failed.
01b10000 DSCPROXY: failed to allocate new %s.
01b10001 DSCPROXY: Attempting connect - remote_ip %A, local_ip %A, port %d.
01b10001 Failed to restart nslcd: %s
01b10002 DSCPROXY: Connection attempt failed to %la port %u: %E.
01b10003 DSCPROXY: Connection with peer %la:%d failed TLS handshake.
01b10004 DSCPROXY: Connection with peer %la:%d closed.
01b10005 DSCPROXY: Connection with peer %la:%d lost.
01b10006 DSCPROXY: Reconnect with peer %la:%d stuck in delay.
01b10007 DSCPROXY: %s connection with peer %la:%d established.
01b10008 DSCPROXY: Cannot connect to peer because local address is %s (%la) and remote address is %s (%la).
01b30001 Failed to configure iptables rules for config sync CGC routing: %s
01b30002 Configured iptables rules for config sync CGC routing: %s
01b30003 Config sync over the management port requires big3d, which is not currently running. Config sync will not work until big3d is running.
01b40001 A cipher group must be configured when TLS 1.3 is enabled (validation failed for %sprofile %s).
01b40002 Configuration error: sslo log configuration (%s) is part of system configuration, so it cannot be deleted.
01b40017 Configuration error: Virtual Server (%s) with Access Profile of type sslo is not compatible with profile of type (%s).
01b40018 Configuration error: Access Profile of type sslo is not compatible with exchange profile.
01b4001d The listen-ip or listen-port must not be zero in splitsession server profile %s for virtual server %s.
01b4001e The peer-ip or peer-port must not be zero in splitsession client profile %s for virtual server %s.
01b4001f Invalid value (%s) for profile %s field %s. Only integers between %d and %d are permitted.
01b40020 Invalid retransmission queue limits (high = %d, low = %d) High must be greater than low, and as they represent percentages, they both must be between 0 and 100.
01b40021 Invalid unroutable options selected. Only one of 'Discard' and 'Respond' may be selected.
01b40023 Virtual Server (%s) cannot use both an Access profile and an Anti-Fraud profile.
01b40024 Virtual Server (%s) of type Internal contains an HTTP profile. It must also contain a Service profile.
01b40025 Virtual Server (%s) contains a Fraud Protection profile and a Service profile. The Service profile must be of type F5 Module.
01b40027 On profile (%s) with GMSSL enabled: no-tls, no-ssl, and no-dtls must be selected.
01b40028 On profile (%s): Invalid SSL option (%s) found.
01b40029 Client SSL profile (%s): %s is not RSA %s. To add non-RSA cert/key, please use [cert-key-chain add].
01b4002a Client SSL profile (%s):%s and profile %s options cannot be specified together.
01b4002b Client SSL profile (%s): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add].
01b4002c Client SSL profile (%s): inherit-cert-key-chain and cert/key can not be set together.
01b4002d Client SSL profile (%s): SM2 certitificate and key type is incompatible with other crtificate and key types.
01b4002e Client SSL profile (%s): SM2 certificate and key type is incompatible with SSL forward proxy mode.
01b4002f Client SSL profile (%s): un-licensed certificate and key type.
01b40030 Client SSL profile (%s): cert-key-chain (%s): SM2 certificate and key can not be used as forward proxy CA.
01b40033 Server SSL profile (%s): SM type %s (%s) is not allowed in a serverSSL profile.
01b40034 Clieint SSL profile (%s): Un-licensed type %s (%s).
01b40035 Cipher Group (%s): %s can not be used with other %s together in one cipher group.
01b40036 SSL profile (%s): A cipher group must be configured when GMSSL is enabled.
01b40037 Virtual Server (%s): GMSSL clientSSL profile (%s) and non-GMSSL clientSSL profile (%s) cannot be configured in the same virtual server.
01b40039 %s critical message rate limit threshold (%u) must be greater than major message rate limit threshold (%u).
01b4003c The addresses within the specified address list(%s) have different route domains.
01b4003e Server SSL Profile (%s): %s response control cannot be set to mask when forward proxy is disabled
01b4003f VLAN(%s) and tmc have different route-domain
01b40040 TMC(%s) and %s have different route domain.
01b40041 Policy: '%s' Rule '%s' Condition '%s', Option 'use case sensitive string comparison' not supported for data type '%s'.
01b40042 The virtual server %s cannot support SSL persistence since SSL profile %s has zero cache-size.
01b40042 Cannot add record to an external data group (%s).
01b40043 Traffic-group of Virtual-address(%s) associated with Virtual Server(%s) cannot be updated.
01b40044 Virtual Server(%s) cannot have Virtual-address(%s) associated with different traffic groups.
01b40046 Base profile (%s) may not be assigned to a virtual server (%s)
01b40047 Cannot create TDR filter '%s' inside TDR profile '%s', maximum limit 255 reached.
01b40048 TDR filter '%s' has invalid TDR format %s (%s)
01b40049 MR RateLimit profile '%s' has invalid configuration (%s).
01b4004b DNS Cache dlv-anchors has been deprecated, removing from the configuration.
01b4004c Invalid Transparent Nexthop configuration,VLAN (%s) %s
01b50001 VE 1NIC Self IP configuration error: %s
01b50002 The label '%s' is longer than the %u characters specified by the PKCS11 Standard.
01b50003 Certificate (%s) is not generated from the key (%s).
01b50004 Certificate signing request (%s) is not generated from the key (%s).
01b50005 Key (%s) access requires passphrase.
01b50009 Certificate order manager (%s) certificate authority (%s) requires client certificate and key to access the account.
01b50010 Certificate order manager (%s) fields (%s) should be empty for the selected certificate authority (%s).
01b50011 Certificate order manager (%s) empty order-info. Please provide a valid order-info corresponding to the CA.
01b50012 Certificate order manager (%s) invalid order-info for Certificate Authority (%s).\n%s.
01b50015 Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. Allowed values are (%s).
01b50016 Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. An Integer value is expected.
01b50017 Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. An integer value within range (%d-%d) is expected.
01b50018 Certificate order manager (%s) CA certificate (%s) is invalid. %s.
01b50019 Certificate order manager (%s) client certificate key pair is mismatched.\n%s
01b50020 Key (%s) cert-order-manager revoke-reason should not be empty for certificate revoke.
01b50020 Key (%s) cert-order-manager cannot be deleted when order-status is in 'pending'.
01b50021 Key (%s) cert-order-manager association is being deleted while order-type (%s) is in progress.
01b50022 Key (%s) cert-order-manager order-status should be in 'pending' to check-status.
01b50022 Key (%s) cert-order-manager order-status should not be in 'pending' while deleting key.
01b50022 Key (%s) cert-order-manager order-id should be valid to download a certificate.
01b50023 Key (%s) is being deleted while order-type (%s) is in progress.
01b50027 Key (%s) changing order-type to (%s) is not allowed as there is order-type (%s) in progress.
01b50028 Key (%s) cert-order-manager order-type(%s) needs a valid certificate signing request (CSR) with name (%s). %s
01b50029 CSR (%s) is being deleted while key (%s) cert-order-manager order-type (%s) is in progress.
01b50030 Key (%s) cert-order-manager current order-type (%s) cannot be canceled.
01b50032 Certificate order manager (%s) base-url should not include authentication information.
01b50033 Certificate order manager (%s) additional header %s. Expected configuration '%s'".
01b50034 Certificate order manager (%s) internal proxy should not be empty.
01b50034 Key (%s) Certificate order manager (%s) authority (%s) requires challenge passphrase for submitting the order.
01b50035 Key (%s) cert-order-manager certificate authority (%s) order-passphrase requirements not met.%s
01b50036 Key (%s) cert-order-manager order-passphrase not required for certificate authority (%s).
01b50037 Key (%s) cert-order-manager order-type should not be changed along with check-status.
01b50037 Key (%s) cert-order-manager order-type should not be changed while downloading certificate.
01b50038 Certificate order manager (%s) CA certificate should not be empty.
01b50039 Key (%s) certificate order manager order-id should not be empty while making a renewal order.
01b50040 System generated key (%s) should not be associated with certificate order manager.
01b50041 Certificate order management is disallowed on key (%s) as its folder (%s) is associated with a sync-only device-group (%s). This operation is allowed on folders associated with sync-failover device-group or if the device-group on the folder is set to none.
01b50042 Certificate order manager (%s) - Certificate authority is not allowed to be modified. Please create a new certificate order manager if a different certificate authority is needed.
01b50043 Certificate order manager (%s) has invalid (%d) validity-days. %s
01b50044 No symmetric unit key found for guest %s.
01b50045 Generating symmetric unit key failed (%s).
01b50046 Encrypting symmetric unit key failed.
01b50047 Setting DB variable %s to %s. No rebooting needed.
01b50047 The system auth source type (%s) does not support rewrite system-auth for update on auth password policy.
01b50048 Certificate order manager (%s) certificate authority (%s) security token is invalid. %s
01b50048 %s changing OpenSSL FIPS flag from (%d) to (%d). No rebooting needed.
01b60001 No cipher match found in '%s'
01b60002 No TLS version match found in '%s'
01b60003 QoS Round-trip time and Hops can't both have non-zero values.
01b60004 DNSSEC External Zone (%s) must be a descendant of DNSSEC Zone (%s).
01b60005 DNSSEC External Zone (%s:%s) duplicates existing DNSSEC zone (%s) with the same name (case-insensitive and unique across folders).
01b60006 DNSSEC External Zone (%s:%s) duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01b60007 DNSSEC External Zone (%s) references a nonexistent DNSSEC zone (%s)
01b60008 DNSSEC Zone %s duplicates existing external zone (%s:%s) with the same name (case-insensitive).
01b60009 Unable to parse DNSSEC secure delegation record (%s:%s):%s (%s).
01b6000a DNSSEC external secure delegation record (%s:%s) has DS with different owner name: %s.
01b6000b At least one ds-algorithm must be specified.
01b6000c DNSSEC External Zone (%s) must contain at least one DS record string.
01b6000d DNSSEC External Zone (%s) contains a duplicate DS record (%s).
01b6000e DNSSEC External Zone (%s) DS record string (%s) contains a non-IN class type (%s). It must be 'IN'.
01b6000f DNSSEC External Zone (%s) DS record string (%s) contains a non-DS resource record type (%s). It must be 'DS'.
01b60010 DNSSEC External Zone (%s) DS record string (%s) contains an invalid digest type (%s). It must be an integer in the range of 1 - 2.
01b60011 DNSSEC External Zone (%s) DS record string (%s) contains an invalid key tag (%s). It must be an integer in the range of 0 - 65535 and match that of the corresponding DNSKEY RR.
01b60012 DNSSEC External Zone (%s) DS record string (%s) contains an invalid DNSKEY algorithm (%s). It must be an integer in the range of 3 - 255 and match that of the corresponding DNSKEY RR.
01b60013 DNSSEC External Zone (%s) DS record string (%s) contains an invalid TTL (%s). It must be an integer in the range of 0 - 2147483647.
01b60014 DNSSEC External Zone (%s) DS record string (%s) is missing the DNSKEY digest.
01b60015 Topology order value (%u) ignored because longest match is enabled.
01b60016 Cannot specify order (%u) that is greater than the number of topology records (%u)
01b60018 DS record is not a valid attribute for external insecure zone %s
01b60019 DNSSEC SEP Record is missing %s.
01b6001a DNSSEC FIPS manager could not parse %s key file (%s)
01b6001b Handling request for dnssec generation of key %s with id %llu. %s.
01b6001c Failed to handle request for new dnssec key generation: Invalid primary key in request for DNSSEC Key Generation.
01b6001d Failed to handle request for new dnssec key generation: Non existent key %s.
01b6001e Invalid control character %u found in GTM object with name %s.
01b6001f DNS monitor '%s' has invalid parameter value '%s'
01b60020 Found invalid configuration for DNSSEC zone %s %s RR types.
01b60020 Failed to decrypt private text of DNSSEC Key Generation %llu of key %s.
01b60021 Configured DNSSEC Zone %s bitmap types are missing required default RR types. Required defaults are %s.
01b60021 DNSSEC Key %s cannot have manual key management and HSM at the same time.
01b60022 Last resort pool name not specified for Wide IP %s
01b60023 Last resort pool type not specified for Wide IP %s
01b60024 DNSSEC Key %s of ECDSA algorithm not supported for Thales HSM.
01b60025 The bit-width field is not applicable for ECDSA algorithms.
01b70001 Per-request policy (%s) should have only one per-req-policy-properties object
01b70002 Policy (%s) of type %s cannot have per-req-policy-properties attached, policy type must be %s.
01b70003 Discovery interval (%u) for OAuth provider (%s) must be greater than (%u) minutes.
01b70005 oneshot_macro attribute for the requested object (%s) can be set to true only for access policy of type per request macro and per request sslo macro.
01b70008 JWK config (%s) is configured to use client secret for key type octet. Hence, this cannot be used as %s in %s (%s).
01b7000b OAuth claim object (%s) has an invalid value (%s). When claim-type is set to '%s', allowed value is %s or a valid session variable.
01b7000c Access Profile or Per-Request Policy cannot be attached to virtual (%s) when API Protection profile is attached.
01b7000d In API Protection Profile (%s), Last Generated Path ID value (%d) must be greater than or equal to its previous value (%d).
01b7000e In API Protection Profile (%s), Last Generated Path ID should be provided when setting Path ID manually(%d) in the children Path object.
01b7000f In API Protection Profile (%s), Path ID (%d) in the children Path object should not be greater than Last Generated Path ID (%d) value.
01b70010 In API Protection Profile (%s), children Path object has path_id modified to '%d'. Updating Path ID for an exisitng API Protection Profile Path object is not allowed.
01b70011 Access profile (%s) is of type api-protection and cannot be attached via the access profile link. API protection profiles must be directly attached to the Virtual Server.
01b70012 Per request policy (%s) is of type api-protection and cannot be attached via the per request policy link. API protection profiles must be directly attached to the Virtual Server.
01b70013 Once an access profile has been associated to an API Protection profile (%s), a new access profile (%s) cannot be attached.
01b70014 Once a per request policy has been associated to an API Protection profile (%s), a new per-request policy (%s) cannot be attached.
01b70015 Access profile (%s) attached to the API protection profile (%s) must be of type api-protection.
01b70016 Per request policy (%s) attached to the API protection profile (%s) must be of type api-protection.
01b70017 API Server (%s) cannot be attached to two API protection profiles (%s and %s).
01b70018 DNS Resolver must be attached if a server is present on API protection profile (%s).
01b7001a In API Protection Profile (%s), Path ID (%d) is not allowed. Path ID must be unique for the API protection profile.
01b7001b In API Protection Profile (%s), Path ID (%d) value is out of bounds. Valid value must be between (0) and (%d).
01b7001c In API Protection Profile (%s), path ID cannot be generated for child path object. Maximum allowed value (%d) is reached
01b7001d Response (%s) cannot be attached to two API protection profiles (%s and %s).
01b7001e Default response cannot be empty in API protection profile (%s).
01b7001f Default response (%s) must be a part of responses associated with the API protection profile (%s).
01b70020 API Protection base profile (%s) cannot be modified or deleted.
01b70021 Invalid URL (%s) for API Server (%s): %s.
01b70022 If URL (%s) is of https scheme, serverssl profile must be present in API Server (%s).
01b70023 Status code cannot be empty in Response Config (%s).
01b70024 Status string cannot be empty in Response Config (%s).
01b70025 Response Config (%s) cannot have 'Connection' header present.
01b70026 Response Config (%s) cannot have 'Content-Length' header present.
01b70027 In API Server Selection Agent (%s), Server (%s) selected must be part of servers associated with the API protection Profile (%s).
01b70028 %s (%s) cannot be configured to use SSO Config (%s) since the SSO method is not supported for API Protection. Use SSO Config with SSO method configured for one of 'HTTP Basic', 'Kerberos' or 'OAuth Bearer'.
01b70029 In %s Agent (%s), Response (%s) selected must be part of responses associated with the API protection Profile (%s).
01b7002a Invalid URI (%s) in Path (ID = %d) for API Protection Profile (%s): %s.
01b7002b Method cannot be empty in Path (ID = %d) for API Protection Profile (%s).
01b7002c This combination of URI (%s) and method (%s) must be unique in API Protection Profile (%s).
01b7002d In API Protection profile (%s), Response (%s) cannot be deleted since it is used in %s (%s).
01b7002e In API Protection Profile (%s), Server (%s) cannot be deleted since it is used in %s (%s).
01b7002f %s (%s) cannot be attached to two API protection profiles (%s and %s).
01b70030 Status code (%s) in Response Config (%s) does not contain valid session variable.
01b70031 Status string (%s) in Response Config (%s) does not contain valid session variable.
01b70032 Header (%s) in Response Config (%s) does not contain valid session variable.
01b70033 Header value (%s) in Response Config (%s) does not contain valid session variable.
01b70034 Response body (%s) in Response Config (%s) does not contain valid session variable.
01b70035 The virtual server (%s) must have an HTTP profile assigned to it before you can associate an API protection profile.
01b70036 You cannot associate the base API protection profile with the virtual server (%s).
01b70037 Header name and header value in response (%s) cannot be empty.
01b70038 In the API Protection Profile (%s), the path (ID = %d) refers to an API Server (%s) that is not part of this profile.
01b70039 In SSO config '%s',scope value(%s) contains invalid characters. Valid values are session variables or ASCII character set (0x21/ 0x23-0x5B/ 0x5D-0x7E).
01b7003a OpenID Connect should not be enabled for '%s' grant in agent '%s'
01b7003b Unable to find customization source (%s) for customization group (%s).
01b7003c Deletion of customization source (%s) is prohibted. Object must always be present.
01b7003d Per-request access policy (%s) is not referenced by any existing customization group set
01b7003e The customization group set (%s) cannot share an access policy (%s) with other customization group set (%s).
01b7003f Access policy name cannot be changed in customization group set (%s)
01b70041 DoS profile (%s) is already referenced by another API protection profile.
01b70041 %s profile (%s) is already referenced by another API protection profile.
01b70041 In API Protection Profile (%s), the Base Path (%s) is invalid: uri path must start with a '/' and cannot contain invalid characters.
01b70042 DoS profile (%s) is already attached to a virtual server.
01b70042 %s profile (%s) is already attached to a virtual server.
01b70042 When force-authn is set to session-var-setting, force-authn-session-var cannot be empty in agent (%s)
01b70043 Bot defense profile (%s) is already referenced by another API protection profile.
01b70043 Another DoS profile is already attached to virtual server (%s).
01b70043 Force-authn session variable (%s) in agent (%s) is not in session variable format
01b70044 Bot defense profile (%s) is already attached to a virtual server.
01b70044 Cannot attach DoS profile to virtual server (%s). It is assigned to API protection profile (%s)
01b70044 API Rate Limiting Config (%s) contains invalid Quota Interval (%d). Quota Interval must be between 1 and 60 minutes.
01b70045 Cannot dettach DoS profile from virtual server (%s). It is assigned to the attached API protection profile
01b70045 API Rate Limiting Config (%s) contains invalid Spike Interval (%d). Spike Interval must be between 1 and 60 seconds.
01b70046 API Rate Limiting Config (%s) contains invalid Max Quota Requests (%s). Max Quota Requests must be a valid number or a subsession /perflow variable.
01b70047 API Rate Limiting Config (%s) contains invalid Max Spike Requests (%s). Max Spike Requests must be a valid number or a subsession /perflow variable.
01b70048 API Rate Limiting Config (%s) cannot be attached to two API protection profiles (%s and %s).
01b70049 API Rate Limiting Key (%s) cannot be attached to two API protection profiles (%s and %s).
01b7004a In API Protection Profile (%s), Rate Limiting Config (%s) cannot be deleted since it is used by one or more Rate Limiting Configuration entry in API Rate Limiting Agent (%s).
01b7004b In API Rate Limiting Agent (%s), Rate Limiting Config (%s) selected must be part of rate limiting configurations associated with the API protection Profile (%s).
01b7004c In API Rate Limiting Agent (%s), Weight assigned (%d) to Rate Limiting Config (%s) is invalid. Weight must be greater than 0 and less than the Quota/ Spike limit value in corresponding Rate Limiting Config.
01b7004d In API Protection Profile (%s), the Black/White list (%s) refers to Rate Limiting Key (%s), which is required to exist in the same profile.
01b7004e Key Name (%s) configuration is invalid for the Rate Limiting Key (%s). Key Name must be unique for all the Rate Limiting Keys in an API Protection Profile (%s).
01b7004f In the API Protection Profile (%s), a Rate Limiting Config (%s) refers to an API Rate Limiting Key (%s) that is not part of this profile.
01b70050 In API Rate Limiting Config (%s), Max Quota Requests is required when Enable Quota is true
01b70051 In API Rate Limiting Config (%s), Max Spike Requests is required when Enable Spike Limit is true
01b70052 In API Protection Profile (%s), Rate Limiting Key (%s) cannot be deleted since it is an auto-generated key.
01b70053 API Rate Limiting Key (%s) cannot be deleted as it is associated with Rate Limiting Config (%s).
01b70054 Rate Limiting Config (%s) must have a Rate Limiting Key attached when associated to an API Protection Profile (%s).
01b70055 In the API Protection Profile (%s), the Blacklist or Whitelist (%s) must have an API Rate Limiting Key attached.
01b70056 %s (%s) associated with %s (%s) does not exist.
01b70057 Empty Rate Limiting Config. Must select a rate limiting configuration associated with the API protection Profile.
01b70058 API Protection Profile (%s) had an unexpected default rate limiting response (%s) during upgrade.
01b70059 APM must be provisioned when a Virtual Server is using an API Protection Profile (%s) that has a reference to the access profile.
01b7005b APM Network Access (%s) DNS name (%s) is not a valid domain name.
01b7005c Not allowed to create or modify SWG Scheme (%s) because the swg-scheme object is deprecated.
01b7005d Ephemeral Authentication (%s) requires using either LDAP or RADIUS authentication, or both.
01b7005d The requested otp source (%s) is invalid: %s
01b7005e Expiry time (%u) of the password for Ephemeral Authentication (%s) must be in the range of %u-%u.
01b7005f Minimum length (%u) of the password for Ephemeral Access Configuration (%s) must be at least %u.
01b70060 Maximum length (%u) of the password for Ephemeral Access Configuration (%s) cannot be larger than %u.
01b70061 Minimum length (%u) of the password must be less than or equal to the maximum length (%u) for Ephemeral Access Configuration (%s).
01b70062 Minimum length (%u) of %s must be an integer no larger than %u for Ephemeral Access Configuration (%s).
01b70063 Total number of uppercase, lowercase, digits, and special characters (%u) exceeds the maximum length (%u) of the password for Ephemeral Access Configuration (%s).
01b70064 Special characters (%s) should only include these characters %s for Ephemeral Access Configuration (%s).
01b70065 The special characters (%s) in the password have a duplicate character (%c) for Ephemeral Access Configuration (%s).
01b70066 The number of special characters in the password (%u) is less than the minimum number required (%u) for Ephemeral Access Configuration (%s).
01b70067 Ephemeral Authentication cannot be empty in Ephemeral Access Configuration (%s).
01b70068 The %s (%s) associated with %s (%s) is not a valid %s.
01b70069 User LDAP DN session variable is required in Ephemeral Access Configuration (%s) because LDAP is enabled in %s.
01b7006a If using Single Sign-On (%s), you can select only one authentication method for ephemeral authentication (%s).
01b7006b TCP profile must be present on both client-side and server-side of virtual server (%s) when LDAP Auth profile is attached.
01b7006c Proxy user DN is mandatory in LDAP Auth profile (%s).
01b7006d Proxy user password is mandatory in LDAP Auth profile (%s).
01b7006e Ephemeral Access Configuration cannot be empty in virtual server (%s) when LDAP Auth profile is attached.
01b7006f Pool configuration is mandatory in virtual server (%s) when LDAP Auth profile is attached.
01b70070 User DN (%s) should not be present in both bypass user list and deny user list in LDAP Auth profile (%s).
01b70071 Profile (%s) should not be attached to virtual server (%s) when LDAP Auth profile is attached.
01b70072 LDAP Auth base profile (%s) cannot be modified.
01b70073 LDAP Auth base profile (%s) cannot be attached to virtual server (%s).
01b7007c Host group is mandatory for a host group entry in RADIUS Client (%s).
01b7007e Privilege level (%d) is invalid for vendor (%s) in RADIUS Client (%s): Host group (%s). Allowed levels: %s
01b70083 Portal Access resource(%s) should have Ephemeral Authentication flag enabled as Ephemeral access config(%s) is supplied for Virtual Server(%s)
01b70084 Webtop link(%s) should have Ephemeral Authentication flag enabled as Ephemeral access config(%s) is supplied for Virtual Server(%s)
01b70085 Samesite cookie value changed in %s. Enable it for change to take effect.
01b70086 SSH Security Configuration (%s) is system built-in. Cannot modify/delete it.
01b70087 The cipher (%s) is already in use by SSH Security Configuration (%s).
01b70088 The key exchange (%s) is already in use by SSH Security Configuration (%s).
01b70089 The hmac (%s) is already in use by SSH Security Configuration (%s).
01b70090 The compression (%s) is already in use by SSH Security Configuration (%s).
01b70091 SSH Security Configuration (%s) must contain at least one cipher entry.
01b70092 SSH Security Configuration (%s) must contain at least one key exchange method entry.
01b70093 SSH Security Configuration (%s) must contain at least one hmac entry.
01b70094 SSH Security Configuration (%s) must contain at least one compression entry.
01b70095 SSH Security Configuration (%s) requires at least one cipher entry. Cannot delete cipher (%s).
01b70096 SSH Security Configuration (%s) requires at least one key exchange entry. Cannot delete key exchange method (%s).
01b70097 SSH Security Configuration (%s) requires at least one hmac entry. Cannot delete hmac (%s).
01b70098 SSH Security Configuration (%s) requires at least one compression entry. Cannot delete compression (%s).
01b70099 SSH Security Configuration must be specified in Ephemeral Access Configuration (%s).
01b70100 The SSH Security Configuration (%s) associated with Ephemeral Access Configuration (%s) does not exist.
01b70101 The compression algorithm (%s) cannot be used along with the existing compression algorithms (%s) for SSH Security Configuration (%s).
01b90001 AJAX encryption or both AJAX integrity and strong integrity must be enabled for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.
01b90001 Security FlowSpec: %s: route domain (%s) is already used by %s.
01b90005 %s: The number of custom signatures (%d) is over limit (%d).
01b90006 Dos signature %s: '%s' is not applicable for %s and should be kept as the default value, '%s'.
01b90007 Dos signature %s: '%s' is not allowed to be modified %s.
01b90008 Dos profile %s: cannot be deleted because %s.
01b90009 %s: The associated custom signature (%s) is not a custom Dos persistent signature.
01b9000a %s: shareability-state cannot be changed to not-shareable because it is referred by %s.
01b9000b %s: The associated custom signature (%s) is not a shareable or doesn't have matching parent-profile.
01b9000c %s: The associated custom signature (%s) only can be referred by %s.
01b9000d Dos signature %s: The signature's partition (%s) doesn't match its '%s' partition (%s).
01b90014 Cannot edit response page %s while its type is Default.
01b9001c Bot signature category %s not found.
01b9001d Bot defense profile (%s) class override (%s) error: %s.
01b9001e Bot Defense Profile (%s) Micro Service (%s): %s.
01b9001f Bot Defense Profile (%s) Micro Service (%s) Url (%s): %s.
01b90020 Bot defense profile (%s) anomaly override (%s): %s.
01b90021 Bot defense profile (%s) Signature (%s) should be Mobile Application Class signature.
01b90022 Bot defense signature category illegal class (%s).
01b90023 Bot defense profile (%s) signature category override not supported for (%s) which belongs to (%s) class.
01b90024 Bot defense profile (%s) signature override not supported for (%s) which belongs to (%s) class.
01b90025 Bot defense profile (%s) Micro Service (%s) class override (%s) error: %s.
01b90026 Bot defense profile (%s) error: %s.
01b90027 Only one place directive may be specified for firewall rule (%s) per transaction.
01b90028 Internal error #%u in firewall rule ordering
01b90029 There is a loop in firewall rule ordering specified with place_before and place_after options in the following rules: %s
01b9002b Inconsistency in Anti-Fraud log profile: %s.
01b9002c Security FlowSpec: %s: %s is not user settable field.
01b9002d Security FlowSpec: %s: %s are mutual exclusive fields. They cannot be specified simultaneously.
01b9002e Security FlowSpec: %s: 'expiry-time' (%s) is invalid. It is earlier than current time (%s).
01b9002f Security FlowSpec: %s: The rule can not be created since the sum of current system advertised flowspec routes (%d) and user defined routes in database (%d) would exceed the max flowpsec route limit (%d) as per profile (%s) configuration.
01b90030 Security FlowSpec: %s: The value (%d) for %s is outside the acceptable value set [range %d - %d (inclusive)].
01b90031 Security FlowSpec: %s: %s must be configured when %s is redirect.
01b90032 Security FlowSpec: %s: %s (%s) and %s (%s) must be the same type (IPv4 or IPv6).
01b90033 Security FlowSpec: %s: For port range, beginning port (%d) can not be greater than end port (%d).
01b90034 Security FlowSpec: %s: The rule can not be created or changed to persisted one since total number of persisted rules in MCP database (%d) would exceed the max allowed in database limit (%d) as per profile (%s) configuration.
01b90035 %s cannot be changed to %s because the number of persisted rules of profile %s in MCP database is already %d.
01b90036 Security FlowSpec: %s: can not refer %s which is neither in the same partition as profile nor in /Common partition.
01b90037 Blacklist Publisher Profile (%s): %s is invalid.
01b90038 Security FlowSpec: %s: port argument is not allowed for non-port-based protocol (%d).
01b90039 Security FlowSpec: %s: The protocol (%d) is not supported.
01b9003a Security FlowSpec: %s: The max flowspec route limit can not be decreased since the sum of current system advertised flowspec routes and user defined routes in database (%d) would exceed the specified max flowpsec route limit (%d).
01b9003b Security FlowSpec: %s: IP fragement can't be specified with IPv6 Flowspec rule (%s).
01b9003c Multiple extension header types defined in policy %s, rule %s. Only one extension header type per rule supported.
01b9003d Extension header type %s used more than once in policy %s. Extension header type that doesn't support additional values can be used only once per policy.
01b9003e Value %u associated with extension header type %s used more than once in policy %s. Any (Extension header type, value) pair can be used only once per policy.
01b9003f Specifying values for extension header type %s is not supported, but values specified in policy %s, rule %s.
01b90040 Aggregate log rate for security packet filter cannot be greater than %u.
01b90045 Firewall Zone configuration %s exceeds maximum allowed limit of %d.
01b90047 %s: %s is not supported.
01b90048 %s: Configuration cannot be modified because %s.
01b90049 The %s (%s) for %s (%s) has the incorrect number of 0-bits set for the given address/prefixlen.
01b9004a Inconsistency in Anti-Fraud log profile: %s.
01b9004b Inconsistency in the Anti-Fraud DOM signature '%s'(hash ID): %s in the Anti-Fraud profile '%s'.
01b9004c Log publisher '%s' used by Anti-Fraud log profile '%s' can have only Remote HSL, Splunk or Syslog destinations.
01b9004d Anti-Fraud parameter '%s' is invalid. Enabling CSS selector for parameter requires: 1. either Full AJAX encryption or AJAX integrity enabled 2. parameter type is explicit in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').
01b9004e No other maximum length can be greater than maximum request length (%u) in HTTP Security profile '%s'.
01b90050 (%s, %s) %s (%s) must have match type (%s) to enable %s.
01b90055 Dos Signature (%s): %s can be %s when %s is %s.
01b90056 %s (%s): %s must set to %s when %s is set.
01b90062 Specified next hop vlan '%s' for NAT policy '%s' rule '%s' has a different route domain(%d) than currently configured route domain(%d) in destination address (%s).
01b90063 Unable to create source-translation object %s as EIF timeout can be set only if inbound-mode is endpoint-independent-filtering.
01b90065 Modifying dos.icmp6msgtype1 not supported on Smartnic devices.
01b90066 Modifying dos.icmp6msgtype2 not supported on Smartnic devices.
01b90067 Modifying dos.tcp.allow.unknown.opt1 not supported on Smartnic devices.
01b90068 Modifying dos.tcp.allow.unknown.opt2 not supported on Smartnic devices.
01bb0001 Route domain configuration error: %s
01bb0002 %s - sadc
01bb0005 Raising ICMP monitor priority is not supported on this platform (%s).
01bb0006 ICMP monitor priority feature not supported in vCMP mode.
01bf0004 Creating/Modifying Protocol Inspection compliance map are not allowed.
01bf0005 Deleting Protocol Inspection compliance map are not allowed.
01bf0006 Dependency failed between Protocol Inspection profile %s and the profile %s for the virtual %s, \'%s\' field must be enabled for %s
01bf0007 Creating/Modifying Protocol Inspection service config object is not allowed.
01bf0008 Deleting Protocol Inspection compliance service config is not allowed.
01bf0009 Creating/Modifying Protocol Inspection service config map is not allowed.
01bf0010 Deleting Protocol Inspection service config map is not allowed.
01bf0011 Deleting Protocol Inspection service config enums is not allowed.
01bf0012 Creating/Modifying Protocol Inspection service config enums is not allowed.
01bf0013 Creating/Modifying predefined Protocol Inspection common-config meta objects is not allowed.
01bf0014 Deleting predefined Protocol Inspection common-config meta objects is not allowed.
01bf0015 Creating/Modifying predefined Protocol Inspection common-config compliances is not allowed.
01bf0016 Deleting predefined Protocol Inspection common-config compliances is not allowed.
01bf0017 Creating/Modifying predefined Protocol Inspection common-config service configs is not allowed.
01bf0018 Deleting predefined Protocol Inspection common-config service configs is not allowed.
01bf0019 Protocol Inspection service config %s requires valid value: %s
01bf0020 Protocol Inspection common-config is not defined.
01bf0021 Mismatch for service config(%s) and compliance/signature service version(%s)
01c00001 Please modify the addresses of cluster members only through the cluster component.
01c80025 CONNECTOR: L7 get protocol failed
01c80026 CONNECTOR: L7 get protocol wrong type %d
01c80027 CONNECTOR: Cannot allocate memory for %s
01c80028 CONNECTOR: Create and insert node for connflow %F, proxy %s, listener %s, profile %s
01c80029 CONNECTOR: Error creating node for connflow %F, proxy %s, profile %s [%s]
01c80030 CONNECTOR: Send Perform-Method to connector %s, method-id %u
01c80031 CONNECTOR: Teardown/abort connector %s, profile %s, message %s
01c80032 CONNECTOR: Listener %s, profile %s connect to service entry virtual server %s
01c80033 CONNECTOR: Listener %s, profile %s service %s entry ingress, ingress bytes %u
01c80033 CONNECTOR: Listener %s, profile %s, service connection result %u
01c80034 CONNECTOR: Listener %s, profile %s connected to service entry virtual server %s
01c80035 CONNECTOR: Listener %s, profile %s initialize connection
01c80036 CONNECTOR: Listener %s, profile %s service returned bytes %u
01c80036 CONNECTOR: Uninitialize service connection
01c80037 CONNECTOR: Listener %s, profile %s, state %s, process message %s
01c80038 CONNECTOR: Listener %s, profile %s enqueue service connect to %s
01c80039 CONNECTOR: Listener %s, profile %s dequeue service connect [hold=%s ingress-len=%u]
01c80040 CONNECTOR: State %s event %s [external event %s]
01c80040 CONNECTOR: Listener %s, profile %s dequeue service connect [error=%u]
01c80041 CONNECTOR: Listener %s, profile %s forward events [%s%s%s] to service %s
01c80042 CONNECTOR: encountered error: %E File: %s Function: %s, Line: %d
01c90000 MR MQTT: %s returned error: %lE
01c90002 MR MQTT: Keepalive timeout resulted in connection close.
01c90003 MR MQTT: Broker connection being reused.
01c90004 MR MQTT: Parser error (%E), connection will be closed.
01c90005 MR MQTT: Ingress buffer full, closing TCP window (flow %F)
01c90006 MR MQTT: Ingress buffer draining, opening TCP window (flow %F)
01cb0029 Error: signature generation fails for '%s'.
01cb0030 Error: signatures rotation fails for '%s'.
01cc0000 Config error: Agent Rate Limiting Config Entry [%s:%d] update: agent clone failed
01cc0000 NATS server returned error: '%.*s'
01cc0000 Peer (%s) delay %d ms %s the %s threshold %d ms
01cc0001 The number of messages sent to the peer (%s) %d msgs/sec %s the %s rate limit threshold %d msgs/sec
01cc0002 The number of messages from the peer (%s) %d msgs/sec %s the %s rate limit threshold %d msgs/sec
01cc0003 Peer (%s) errors percentage %d %s the %s threshold %d percentage
01cc0004 Peer (%s) timeouts percentage %d %s the %s threshold %d percentage
01cc0006 Peer (%s) connection state has changed: %s
01cc0008 telemd setrlimit %d error: %s %ld.
01d40003 Geo_Redundancy: Reload failed: %s (%E)
01d40004 Geo_Redundancy: Session DB update failed: %E
01d40007 Geo_Redundancy: Message dropped, %s, %E
01d40008 Geo_Redundancy: Unknown GEO message received, %d
01d40009 Geo_Redundancy: Can't send message, %s, %d
01d4000a Geo_Redundancy: unexpectedly disconnected %s
01d4000b Geo_Redundancy: status set to offline
01d4000c Geo_Redundancy: status set to connected
01d4000d Geo_Redundancy: status set to reload sending
01d4000e Geo_Redundancy: status set to reload receiving
01d40010 Geo_Redundancy: watchdog has expired
01d40028 Error: LogIntegrity run is prohibited from '%s'.
01d70002 Warn: %s
01d70002 %s
01d70003 Info: %s
01d70004 MR_RATELIMIT: message id %s dropped on %s
01d70004 Error '%s' opening pid file '%s'.
01d70006 Fork failed: %s
01d70007 Error '%s' attempting to chdir to '%s'
01d70008 Error '%s' opening file %s
01d70010 Error '%s' sending signal '%d' to process '%d'.
01d70011 Insufficient memory, allocation failed.
01d70012 Error dispatching event
01d70013 Initial subscription for system configuration failed with error '%s'
01d70014 Unexpected tag '%s' in msg
01d70016 No more space to add MCP tag.
01d70017 Add MCP tag after compacted.
01d70018 No more space to add MCP object.
01d70019 MCP tags already compacted.
01d70020 MCP objects already compacted.
01d70021 No more space to compact MCP objects.
01d70024 Error calling setsockopt on mcp fd: '%s'.
01d70025 Connection to mcpd failed with error '%s'
01d70026 Cannot find tag '%s' in message
01d70027 %s %s %s
01d70029 %s %s %s
01d70030 %s: Unexpected tag '%s' in msg
01d70031 Error fetching disk space
01d70032 Unable to fetch disk space : %s
01d70033 Disk usage at \\var\\log: %d%%, Configured threshold %d%%
05000017 Attr(%attr/%s) is unknown under (%parent/%s)
05000018 client(%client/%s) last response code(%responsecode/%s) result(%result/%d)(%resultmsg/%s) request_id(%requestid/%d)
05000019 client(%client/%s) last request code(%requestcode/%s) request_id(%requestid/%d)
0501001e Failed to call sem_post. ctx(%context/%s) client(%client/%s) Error: (%error/%d)((%strerr/%s))
05010022 message-post failure(%failure/%s) from (%user/%s)
05010023 Internal pipe operation (%op/%s) failed client(%client/%s) ((%errno/%d)/(%sterrror/%s)) bytes (%expect/%d)/(%done/%d)
05010024 Session inactive for (%user/%s) failed (%ctx/%s)
05020039 Expect only one busy block, as min-upd > config-switch (%count/%d) (%sequences/%s)
05020061 Failed to init ha
05020062 Failed to exit ha
05020063 Failed to send heartbeat to update ha
05020065 Cannot find PM(%pm/%s) for status update for VIP(%vip/%s)
05020067 Unhandled message(%msg/%s) reason(%reason/%s)
05020068 stats reset failed (%reason/%s)
05020069 SNAT detected for pm(%pm/%s) when DSR mode is enabled on vip(%vip/%s)
0503000a Class (%class/%s) was not requested
0503000b Hornet response error (%error/%d) (%msg/%s)
0503000c Neuron rule programming failure. Operation: (%op/%s) Rule Text: (%text/%s) Error: (%error/%s)
05030011 nexthop update failed with err ((%err/%s))
05030012 vlan update failed with err ((%err/%s))
05030013 virtual update failed with err ((%err/%s))
05030014 Pool-member update failed with err ((%err/%s))
05030015 Self-IP update failed with err ((%err/%s))
05030016 SNAT-pool-member update failed with err ((%err/%s))

 

Log Messages Details

00020000 : Resuming log processing at this invocation; held %d messages.

Location:
/var/log/ltm

Conditions:
The following messages are not the actual log messages.

        00020000:6: Re-enabling general logging; held %d messages
        00020000:6: Cumulative log rate exceeded! Throttling all non-debug logs.

You should locate the unthrottled versions, which will look like one of the following:

        00020000:6: Developer error: unrecognised logging variable '$vname'!
        00020000:6: Developer error: unrecognised logging domain in '$prodsub'!

It would also help to have the name of the process that logged the message.

These messages occur when a feature tries to log, read, or write a control flag for a logging product or subset that does not exist (the initial four digits of a log number). It is also possible that these logs are being generated by code that is attempting to map command line options, GUI elements, db variables, etc., to log control variables.

Impact:
If these messages are coming from a feature, that feature is not successfully logging. If these messages are coming from some kind of bridge between command line options, GUI elements, db variables, or log control variables, then the knob or control does not work.

Recommended Action:
If these messages are the result of a miscoded feature, then the feature has never been able to send logs, and there is no work-around for the problem.

If these messages are the result of a miscoded control knob (command line option, GUI element, db variable, etc.), then that control knob will not work, but the associated logs can still be controlled via Common Logging Framework objects (Publishers, Destinations, and Filters).

In either case, please file a bug.

01010001 : %s starting

Location:
/var/log/ltm

Conditions:
Example:
01010001:5: pgo_use x86_64 padc TMM Version 13.0.0.0.0.1622 starting

The message is emitted at 'notice' priority, and is an announcement that the given TMM instance has started. It is always emitted, and provides the target, architecture, and build version for the TMM executable.

Impact:
The appearance of this message indicates system health. Its presence is useful for locating the point in the logs where TMM instances start.

Recommended Action:
None.

01010004 : Memory allocation failed: %s

Location:
/var/log/ltm

Conditions:
This error occurs when there is not enough free memory left in the system to allocate the required amount for a software module.

Impact:
The impact could range from some of the functionality being briefly delayed until more memory becomes available to a significantly more damaging issue, such as the system failing to allocate memory for new connections, causing the system to become unusable.

Recommended Action:
If possible, provision more memory to TMM.
Use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

01010007 : "Config error: %s"

Location:
/var/log/ltm

Conditions:
The following configuration error messages point to a failure in setting up internal services necessary for the Network Access feature in APM to work.
- Config error: Access forwarding virtual create failed.
- Config error: Access HTTP forwarding virtual create failed.

The following configuration error message points to a failure in setting up internal services necessary for the Portal Access feature in APM to work.
- Config error: Access portal virtual create failed.

Impact:
Network Access feature in APM will not work.
- Config error: Access forwarding virtual create failed.
- Config error: Access HTTP forwarding virtual create failed.

Portal Access feature in APM will not work.
- Config error: Access portal virtual create failed.

Recommended Action:
This issue might be a result of invalid configuration. Please reload configuration using 'tmsh load sys config'. The output of config reload should be without error.

01010011 : Persistence cookie hash failed

Location:
/var/log/ltm

Conditions:
This error can occur when, for a given persistence profile, a cookie hash entry (in the profile's persistence table) is either invalid or becomes stale, compared to the expected HTTP cookie header in the server side response from a pool member requiring persisted connections. The length of the HTTP cookie header probably exceeds the offset of the cookie hash specified in the persistence profile.

Impact:
This error indicates an invalid cookie hash persistence entry and, as a result, connections might not be persisted for the expected pool or pool members. Instead the default load-balancing method is applied.

Recommended Action:
Either of the following actions can help to solve the problem:
1. Correct the cookie hash entry in the persistence profile, by changing the cookie hash offset or length, to accommodate the HTTP cookie in the server side response for the correct parsing of the cookie hash.
2. Change the HTTP cookie header in the server side response, on the pool member requiring persistent connections, to accommodate the expected cookie hash in the related persistence profile.

01010013 : database size increased by %d bytes, %d total

Location:
/var/log/ltm

Conditions:
This message is an informative message that is logged when the BIG-IP configuration database needs to be extended. It does not necessarily reflect an error.

Impact:
None.

Recommended Action:
None.

01010019 : Caught signal %d, exiting

Location:
/var/log/ltm

Conditions:
Example:
01010019:5: Caught signal 2, exiting

The message is emitted at 'notice' priority, and is an announcement that the TMM has received either a SIGINT (2) or a SIGKILL (15) signal. The most common way to send TMM one of these signals is with the 'kill' command from the BIG-IP device's root shell.

The 'kill' command requires the process identifier ("pid") for the targeted executable. To find the list of pids for TMM, from the root shell, enter the following command:

cat /var/run/tmm.*.pid | sort -un

On a running BIG-IP system, one or two pids will be displayed. Choose either pid, substituting the number into the command "kill -INT ____". For example:

[root@bigip:Active:Standalone] log # cat /var/run/tmm.*.pid | sort -un
20050
[root@bigip:Active:Standalone] log # kill -INT 20050
[root@bigip:Active:Standalone] log # Jan 26 16:12:14 bigip emerg logger: Re-starting tmm
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm1
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm2
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm3
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm4
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm5
Jan 26 16:12:14 bigip emerg logger: Re-starting tmm6
Jan 26 16:12:15 bigip emerg logger: Re-starting tmm7
# grep 01010019 /var/log/ltm
Jan 26 16:12:13 bigip notice tmm[20050]: 01010019:5: Caught signal 2, exiting

Impact:
When a TMM process instance receives a SIGINT or SIGKILL signal, all TMM instances are restarted immediately. No core file is produced. On systems where multiple TMM processes are running, tmm.start will detect the termination of any of its child TMM process instances and display the following message:

notice tmm.start: /etc/bigstart/scripts/tmm.start caught SIGCHILD, sending SIGTERM to all remaining tmms

This assures that if any TMM process is terminated for any reason, all TMM processes are restarted.

Recommended Action:
It is abnormal for SIGINT or SIGKILL to be sent to a process. If this message is seen in the logs, it indicates that a TMM process received the indicated signal. F5 Networks is not aware of any way this can occur, other than through the action of a root user at the bash shell prompt. Blocking access to the root ("Advanced") shell, or selecting Appliance Mode in the BIG-IP license should eliminate the possibility of seeing this message.

01010020 : MCP Connection %s, exiting

Location:
/var/log/ltm

Conditions:
MCP connection is closed, aborted, or expired after tmm saw any data coming from mcp. It might happen due to any connectivity problems between tmm and mcp or mcp being down.

Impact:
It is a critical error for TMM. It restarts. Attempts to reconnect will be made after that.

Recommended Action:
Verify that mcpd is up, and consider restarting it. Inspect /var/log/ltm to find mcpd messages pointing to the reason of failure.

01010027 : Unable to attach to PCI device %02x:%02x.%02x

Location:
/var/log/ltm

Conditions:
At startup, tmm attaches to several hardware acceleration devices (network devices such as kernel interfaces, HSB DMA engines, ssl crypto, and compression devices). Any failure to initialize a device results in the 'Unable to attach' with the specific PCI bus:slot.func coordinates.

Impact:
Device will not be used by tmm and could impact traffic passing, or result in fallback to software compression or crypto.

Recommended Action:
Restart tmm. System reboot. Potential RMA.

01010028 : No members available for pool %s

Location:
/var/log/ltm

Conditions:
The probable cause for this message is external to the BIG-IP system: the pool members (servers) are all either down or unreachable. Additionally, this message could also be caused by a hardware or software issue on the BIG-IP itself.

Impact:
Services that require access to members of the given pool log errors and cease to function.

Recommended Action:
Find and correct the server access problem following typical server connectivity debugging processes.

01010029 : Clock advanced by %u ticks

Location:
/var/log/ltm

Conditions:
This message will be logged if the tmm clock is modified by more than 100 ticks at once after tmm is ready. This could indicate a situation where the TMM might be preempted or has a lagging clock, or an NTP message was received with a large difference in time.

Impact:
The tmm common ticks which affects flow timeouts, TCP timestamps etc will be abruptly incremented.

Recommended Action:
After ensuring that the time/NTP server is correctly set on the blade(s) and chassis, reboot the BIG-IP once to ensure that the tmms are correctly synchronized to the NTP time.

01010038 : Syncookie counter %d exceeded vip threshold %u for virtual = %A:%d

Location:
/var/log/ltm

Conditions:
A virtual server is under high load such that the outstanding SYN cookie threshold is reached. The threshold is configured with the default-vs-syn-challenge-threshold LTM global-settings connection property.

Impact:
While the per-virtual server SYN cookie threshold is reached, SYN cookies will not be issued on the virtual server. Connections will be established without SYN cookies.

Recommended Action:
Investigate whether the traffic load is normal or excessive. The SYN cookie threshold might be reached due to a normal spike in traffic or an attack.

01010040 : Clock has unexpectedly adjusted by %lld ms

Location:
/var/log/ltm

Conditions:
Internal TMM clock adjustment occurred.

Impact:
TMM might be unable to converge on an accurate representation of its internal time. TMM clock has been advanced by more ticks than expected. This can indicate that TMM has been preempted or has a lagging clock.

Recommended Action:
If this message occurs routinely, contact support.

01010044 : "%s feature %s licensed"

Location:
/var/log/ltm

Conditions:
This message does not necessarily denote a problem. It displays the license status of BIG-IP device's component.
When status for component X is "licensed", this log displays the message:
Component X is licensed.
When the component is not licensed, the message is:
Component X is NOT licensed.

Impact:
If the message is "Component X is licensed", there is no impact. It is an informative message.
If the message is "Component X is not licensed", then you cannot use the mentioned component/feature.

Recommended Action:
If you want to use a component that is not currently licensed, you need to activate the license.

01010045 : Bandwidth utilization is %d Mbps, exceeded %d%% of Licensed %d Mbps

Location:
/var/log/ltm

Conditions:
This message appears when the system is using more bandwidth that it was licensed to use.

Impact:
The system will not perform at its full potential with a limited license.

Recommended Action:
A license with better bandwidth utilization would stop this message from appearing.

01010054 : tmrouted connection %s

Location:
/var/log/ltm

Conditions:
The connection between the tmrouted daemon and TMM has been lost.

Impact:
This is expected behavior during shutdown or restart. If it occurs during normal operation examine system log files for indications as to the behavior of the tmrouted daemon, which likely restarted. If the tmrouted deamon restarts, dynamic routing will be interrupted.

Recommended Action:
Look for tmrouted corefiles and tmrouted log messages in /var/log/ltm.

01010056 : Syncookie counter %d exceeded vip threshold %u for virtual = %s

Location:
/var/log/ltm

Conditions:
A virtual server configured with traffic-matching-profile is under high load such that the outstanding SYN cookie threshold is reached. The threshold is configured with the default-vs-syn-challenge-threshold LTM global-settings connection property.

Impact:
While the per-virtual server SYN cookie threshold is reached, SYN cookies will not be issued on the virtual server. Connections will be established without SYN cookies.

Recommended Action:
Investigate whether the traffic load is normal or excessive. The SYN cookie threshold might be reached due to a normal spike in traffic or an attack.

01010201 : Inet port exhaustion on %*A to %*A%c%d (proto %d)

Location:
/var/log/ltm

Conditions:
This error appears on a system when an unused ephemeral port cannot be found by using the ephemeral port search criteria. Variables specify the lost IP address and port connection due to this condition. The search criteria defaults to 16 random attempts, with 16 linear attempts. A single IP address can choose from about 64k ports, so not finding a port indicates that the system is using over 60k ports. The exact number of ports in use is unknown, because the algorithm discovers open ephemeral ports through a methodology, instead of counting ports. The results of the algorithm are approximately 64k ports.

Impact:
When this error occurs, the port-find functionality fails and the connection is lost.

Recommended Action:
There is no workaround for this error. The algorithm stops when this error is written to /var/log/ltm. To mitigate this condition, a warning message is available in BIG-IP version 12.0, indicating that the port-find functionality is heavily loaded (statistically 80% to 90% of the 64k ports in use). You can use an SNMP trap to alert this message, and inform the client to add more virtual IP's the system, relieving the heavily loaded connections.

01010213 : L3 Address LB method deprecated; using 'Least Connections' for pool %s

Location:
/var/log/ltm

Conditions:
A virtual server is configured with L3 Address load balancing method.

Impact:
The Least Connections load balancing method will be used instead of the deprecated L3 ADDR load balancing method.

Recommended Action:
Set the virtual server load balancing method to Least Connections. or other desired load balancing method.

01010216 : DNSSEC: Signature failed (%s) for RRSET (%s, %lu) with key %s, generation %llu.

Location:
/var/log/ltm

Conditions:
Unable to sign RRSet. See error for more details. Typically this is due to the device running out of memory, but could also be due to the device experiencing a heavier than usual load.

Impact:
RRSet will not be signed.

Recommended Action:
If this is memory related, use the command 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

01010221 : Pool %s now has available members

Location:
/var/log/ltm

Conditions:
A pool with no available members now has available members. The pool may have had no available members due to administrative action, monitors, connection limits, or other constraints on pool member selection.

Impact:
This indicates that traffic is now load-balanced to the available member as desired.

Recommended Action:
None.

01010225 : Failure to query dns-express db (%s)

Location:
/var/log/ltm

Conditions:
This log messages covers a variety of errors that indicate a query to the DNS Express database was not successful. The possible reasons include the database not being readable and malformed queries.

Impact:
Generally, a query in this situation will continue to be processed according to the DNS Profile configuration. An AXFR request to the BIG-IP will result in either a SERVFAIL or FORMERR response to the requesting client.

Recommended Action:
This message should be used in conjunction with other log messages to determine impact to the system.

01010231 : DNSSEC: Did not add RRSIGs to response RR set (owner: %s).

Location:
/var/log/ltm

Conditions:
Tmm has detected that it should have signed a dns response with a dnssec key but didn't add a resource record signature.

Impact:
The current dns response will be dropped.

Recommended Action:
The message indicates a problem signing a resource record using a dnssec key. Other log messages might indicate why a particular key failed to sign the resource record, and should be investigated to verify that the information associated with the dnssec keys is correct.

01010235 : Inet port find called for pg %d with invalid cmp state %x

Location:
It can happen when current TMM's CMP state is invalid or the target TMM is down.

Conditions:
This error message appears when a TMM runs port find for a target TMM that is not active based on current CMP state. A TMM in BIGIP is identified as {PG, PU}. PG refers to slot index and PU refers to TMM index on the slot. This error message complains the PG of the target TMM is down based on current CMP state.

Impact:
It might cause flow connections to fail.

Recommended Action:
No workaround. Reboot if the problem persists.

01010239 : LSN error: %s

Location:
LTM log

Conditions:
An LSN pool is configured, but the CGNAT module is not licensed and provisioned.

Impact:
The CGNAT configuration is ignored by TMM until the CGNAT module is licensed and provisioned. No other negative impacts.

Recommended Action:
License and provision the CGNAT module.

01010240 : Syncookie HW mode activated, server = %A:%d, HSB modId = %d

Location:
/var/log/ltm

Conditions:
This message indicates that the BIG-IP device has detected a syncookie DOS attack and activated hardware syncookie protection mode on the HSB.

Impact:
This is an information message regarding hardware syncookie protection state on the BIG-IP device. it does not indicate any operation error. Refer to https://support.f5.com/csp/article/K14813 for more information on detecting and mitigating DoS/DDoS attacks.

Recommended Action:
None.

01010241 : Syncookie HW mode exited, server = %A:%d, HSB modId = %d from %s

Location:
/var/log/ltm

Conditions:
When HSB exits hardware syncookie protection mode on the BIG-IP device. It indicates that the BIG-IP device detects that the syncookie DOS attack has stopped.

Impact:
This is an information message regrading hardware syncookie protection state on the BIG-IP device. It is not an error message. Refer to https://support.f5.com/csp/article/K14813 for more information on detecting and mitigating DoS/DDoS attacks.

Recommended Action:
None.

01010250 : Pool member %A:%u exceeded configured rate limit.

Location:
/var/log/ltm

Conditions:
If this message appears, the configured number of allowed new connections per second for pool member has been exceeded.

Impact:
New connections for pool member are created faster than allowed in configuration. The BIG-IP device prevented an excessive number of connection requests to this pool member. Connections still might have been established after a retry to the other pool member.
This might indicate that the pool member is a target for more connections than it was configured to handle. If all pool members report this problem at the same time, the virtual server might be experiencing a high-demand traffic event or be under Denial of Service (DoS) attack.

Recommended Action:
Rate limit can be changed as described in Manual: Setting Connection Limits (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-2-1/30.html).

01010251 : Virtual %s exceeded configured rate limit.

Location:
/var/log/ltm

Conditions:
If this message appears, the configured number of allowed new connections per second for virtual server has been exceeded.

Impact:
New connections for virtual server are created faster than allowed in configuration. Thus, the BIG-IP device prevented an excessive number of connection requests. This might indicate that virtual server is during high-demand traffic event or under Denial of Service (DoS) attack.

Recommended Action:
Rate limit can be changed as described in Manual: Setting Connection Limits (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-2-1/30.html).

01010259 : External Datagroup (%s) %s.

Location:
/var/log/tmm.x, where x indicates the tmm thread number.

Conditions:
All variants of the message are related to operations on externals datagroups (see ttps://devcentral.f5.com/articles/the101-irules-101-datagroups-amp-tables ). These operations are conducted by an administrator through a configuration interface (web GUI, tmsh CLI, or by script) and include datagroup creation, update, and deletion.

- "queued" and "queued for update": This is not an error. The message indicates that tmm started processing external datagroup file (for datagroup creation or update, respectively).

- "creation finished" and "update finished": This is not an error. The message indicates that tmm successfully finished processing external datagroup file (for datagroup creation or update, respectively).

- "deleted": This is not an error. The message indicates that processing of external datagroup file was cancelled, because datagroup was deleted.

- "failed": Processing of external datagroup file failed. Either tmm is out of memory or a TCL error occurred.

Impact:
Only a "failed" message indicates an error: An external datagroup was not created nor updated (depending on operation requested).

Recommended Action:
For a "failed" message: Check for excessive memory usage using 'ps aux --sort -rss | head'. Consider restarting the processes consuming too much memory. If there is no excessive memory usage, file a bug. Try re-issuing datagroup operation.

01010260 : Hardware Error(%s): %s %s

Location:
/var/log/tmm.n, where n is the specific TMM on the BIG-IP that detected the problem.

Conditions:
Occurs when the driver for the Cavium NITROX security co-processor detects a hardware failure.

Impact:
Hardware offloading of SSL traffic will stop and all SSL processing will be done in software. This may result in a performance degradation.

Recommended Action:
Shutdown (power off) the BIG-IP and then restart it. If the problem occurs again, please contact F5 Support for assistance.

01010273 : Access policy Configuration object: [%s] not found

Location:
/var/log/apm

Conditions:
This message will never appear in a good BIG-IP policy configuration environment. This can appear only if an access policy configuration in the BIG-IP system gets corrupted for some reason. The situation it is reporting, when it receives an access policy item modification or deletion (which should have an association with it parent "access policy" object), but could not find its parent "access policy" object.

Impact:
None.

Recommended Action:
Edit the BIG-IP access policy config and remove reported access policy item.

01010274 : Access Policy and Access Policy Item join failed: [%s] not found

Location:
/var/log/apm

Conditions:
This error might appear during a resolve relation between "access policy item" and "access policy". Each access policy has one or more access policy items. At the end of access policy configuration modification process, it is required to resolve all relationships between access policy items within access policy. During this process, if any relationship is broken, mostly due to configuration corruption, it reports this error.

Impact:
There is no direct impact on the system, as it ignores the missing relationship. However, the access policy might not work the way it supposed to, as the reported "access policy item" will not appear in the configuration.
This situation will appear only if the BIG-IP access policy configuration gets corrupted.

Recommended Action:
Edit the access policy and reload.

01010276 : FTPS warning: Security policy disabled for %A%%%u:%u due to explicit FTPS mode negotiation

Location:
/var/log/ltm

Conditions:
When we enter explicit FTPS mode, the ASM profile must be disabled; otherwise, it tries to evaluate encrypted data to make firewall decisions.

Impact:
The configured ASM profile cannot function.

Recommended Action:
Reconfiguration is required. Don't use FTPS with ASM. Refer to the following devcentral article: https://devcentral.f5.com/articles/ftps-offload-via-irules

01010290 : TCP: Memory pressure activated

Location:
/var/log/ltm

Conditions:
TMM has used more memory than the threshold specified in the sys db variable TM.TCPMemoryPressure.lowater (in percent).

Impact:
TCP memory pressure has been reached. TMM might drop payload data or entire packets until memory usage falls below the threshold.

Recommended Action:
Occasionally seeing this message is not necessarily an issue, but might indicate that the TMM needs more available memory. Restarting the TMM might be sufficient to reduce the TMM's memory usage, but the messages are likely to return if the TMM does not have enough memory. Methods to increase the memory available to the TMM include increasing the provisioning level of the LTM module, reducing the amount of traffic directed towards the BIG-IP system, and (on vCMP guests and VE) increasing the memory allocated to the BIG-IP system. TMM memory usage can be observed with the "tmstat" command.

01010291 : TCP: Memory pressure deactivated. Dropped %llu packets, %llu bytes

Location:
/var/log/ltm

Conditions:
TMM was using more memory than the threshold specified in the sys db variable TM.TCPMemoryPressure.lowater (in percent), and memory usage is now below the threshold.

Impact:
TCP memory pressure had been reached, and has now subsided. TMM dropped payload data and/or entire packets as specified in the message.

Recommended Action:
Occasionally seeing this message is not necessarily an issue, but might indicate that the TMM needs more available memory. Restarting the TMM might be sufficient to reduce the TMM's memory usage, but the messages are likely to return if the TMM does not have enough memory. Methods to increase the memory available to the TMM include increasing the provisioning level of the LTM module, reducing the amount of traffic directed towards the BIG-IP system, and upgrading the memory of the BIG-IP system. TMM memory usage can be observed with the "tmstat" command.

01010300 : BDoS: (TMM) Histogram (%p) %s for context %s (ref cnt %d).

Location:
/var/log/bdosd.log

Conditions:
BDoS (dynamic-signature) is enabled/disabled per context.

Impact:
None. This is a log message that displays histogram memory ref count state and is logged only when log.tmm.level is set to level Debug.

Recommended Action:
To disable logging this message, change log.tmm.level to a log level other than Debug.

01010301 : BDoS: (TMM) %s failure for context %s - %s (error %s).

Location:
/var/log/bdosd.log

Conditions:
TMM fails to create BDoS histogram memory for a specific context (device or virtual server) when dynamic-signature feature is enabled on that context. This might happen mainly due to OOM condition.

Impact:
This error message indicates that TMM is unable to enforce the BDoS dynamic-signature feature for the specific context for which the message is logged.

Recommended Action:
None.

01010302 : BDoS: (TMM) %s signature (%s) for context %s at idx %u (detection=%u mitigation=%u state=%s transient=%s retired=%s).

Location:
/var/log/bdosd.log

Conditions:
A new (AFM) BDoS dynamic signature is generated (or an existing signature is updated) by the AFM bdosd daemon during an attack, and the signature create/update message is sent to the tmm daemon for enforcement.

Impact:
None. This is an informational/debug message that is logged only if log.tmm.level is set to level Debug.

Recommended Action:
To disable logging this message, change log.tmm.level to a log level other than Debug.

01010303 : BDoS: (TMM) signature (%s) removed (at idx %u of signature table) from context %s.

Location:
/var/log/bdosd.log

Conditions:
A BDoS dynamic signature is being removed via a remove message received from the bdosd daemon.

Impact:
None. This informational/debug message is logged in TMM only if log.tmm.level is set to level Debug.

Recommended Action:
None.

01010305 : BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s l4_bdos_licensed=%s bdos_feature_enabled=%s detection=%s

Location:
/var/log/bdosd.log

Conditions:
Debug log message that displays AFM/DHD module provision status, as well as l4bdos feature flag license state.

Impact:
None. This is an informational/debug message that is logged whenever if log.tmm.level is set to debug level.

Recommended Action:
None.

01010307 : Memory allocation failed: %s %s

Location:
/var/log/ltm

Conditions:
The message can appear during crypto operations if an allocation request fails to deliver the requested block size.

Impact:
This is an out-of-memory condition. The primary response is to drop the flow associated with the failed allocation request.

Recommended Action:
None.

01010308 : Access Policy update: %s End Txn Failed (%d)

Location:
/var/log/apm, GUI

Conditions:
This error is triggered due to some error in MCPD or in the communication with MCPD. The error represents something observed by a consumer and hence, the source of the error (either in the producer or framework) cannot be ascertained easily.

Impact:
Creation or update of a Per-Request Access policy or its components might not occur.

Recommended Action:
This might be a transient error and might succeed on retry. If this is due to problems in MCPD, restarting MCPD might be necessary.

01010309 : Access Policy(%s) update: Subroutine properties can be only assigned to Access policy of type subroutine

Location:
/var/log/ltm

Conditions:
A subroutine-properties object (tmsh list apm policy subroutine-properties) has been associated with an access-policy object (includes per-request policies and access policy macros) that is not of type subroutine. This is an invalid configuration.

Impact:
This is an invalid configuration. The policy might fail to execute as expected

Recommended Action:
Find the access-policy object and remove the subroutine-properties from it.

01010310 : Incomplete hud chain for listener: %s

Location:
/var/log/ltm

Conditions:
A virtual server has been changed so that the client-side and server-side protocol profiles assigned to the virtual server are the same profile.

Impact:
The virtual server will be ignored, that is, connections to the virtual server will not be accepted.

Recommended Action:
Check the virtual server's client-side and server-side profile configuration and try again.

01010311 : Failed to configure VDI-enabled listener %s: %En

Location:
/var/log/ltm

Conditions:
For a virtual server on a specific VLAN with a VDI profile assigned, an attempt has been made to enable TCP connection redirections.

Impact:
An attempt to create or update a VDI-enabled virtual server will fail. The specifier in the format string will, in this case, give a particular error code to what has actually happened.

Recommended Action:
No known workaround. It is recommended to escalate to F5 if this error happens repeatedly.

01010313 : Profile %s create failed.

Location:
/var/log/ltm

Conditions:
A generic error in tmm profile update handler.

Impact:
The profile update operation might have not been completed successfully.

Recommended Action:
Check your profile update operation for a possible error.

01010314 : profile %s update: bad profile

Location:
/var/log/ltm

Conditions:
The tmm receives a profile update message, but the profile cannot be found.
The profile could have been already deleted or the create operation failed.

Impact:
The system might not function as expected.

Recommended Action:
Check that profile creation, updates, and deletions follow the expected sequence.

01010315 : Agent [%s] update: Invalid event validate

Location:
/var/log/ltm

Conditions:
The update event received by the TMM is not one of the recognized types. This can indicate a serious communication problem between the TMM and MCPD.

Impact:
Agent update was not processed.

Recommended Action:
None.

01010316 : Agent [%s] update: agent clone failed

Location:
/var/log/ltm

Conditions:
While processing an update to an agent, the TMM attempted to copy an existing agent object, but this cloning process failed.

Impact:
The agent was not successfully cloned, so the policy did not properly load into TMM. End-users might experience resets.

Recommended Action:
Updating the agent again might allow the agent to properly load.

01010317 : Agent [%s] update: agent store failed

Location:
/var/log/ltm

Conditions:
The TMM attempted to add the agent object to a collection, but failed. The failure could be due to memory pressure. It could also be due to finding a duplicate entry.

Impact:
The updated agent was not added to the collection, so the dataplane will not be able to find the updated agent. The old configuration might be used, or the dataplane might fail to find an instance of the agent object, resulting in resets.

Recommended Action:
None.

01010318 : Agent [%s] update: agent construct failed

Location:
/var/log/ltm

Conditions:
Agent construction failed. This could be due to memory pressure, or failure to retrieve fields from MCP.

Impact:
An update of agent failed to process. An old configuration might be used, or the dataplane might fail to find an instance of the object, resulting in resets.

Recommended Action:
None.

01010322 : pem protocol profile gx modify {%s}: invalid

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent Gx protocol profile.

Impact:
The Gx protocol profile modification operation will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid Gx protocol profile prior to performing any operations on it.

01010323 : {%s, %s}: protocol message cannot be deleted, error %E

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent Gx protocol message within a valid Gx protocol profile.

Impact:
The Gx protocol message modification within a Gx protocol profile will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid Gx protocol message in a Gx protocol profile prior to performing any operations on it.

01010324 : {%s, %s}: not found, cannot modify.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent RADIUS or Gx protocol message within a valid protocol profile.

Impact:
The RADIUS or Gx protocol message modification within a protocol profile will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS or Gx protocol message in a protocol profile prior to performing any operations on it.

01010325 : pem protocol profile radius modify {%s}: invalid

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent RADIUS protocol profile.

Impact:
The RADIUS protocol profile modification will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS protocol profile prior to performing any operations on it.

01010326 : {%s, %s}: protocol message cannot be deleted, error %E

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a RADIUS protocol message that has some deletion restrictions on it. One such restriction could be an invalid or unconfigured message.

Impact:
The RADIUS protocol message deletion will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS protocol message prior to performing any operations on it.

01010327 : {%s, %s}: not found, cannot modify.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify a non-existent RADIUS or Gx protocol message within a valid protocol profile.

Impact:
The RADIUS or Gx protocol message modification within a protocol profile will fail. There should be no impact to ongoing services.

Recommended Action:
Check for a valid RADIUS or Gx protocol message in a protocol profile prior to performing any operations on it.

01010328 : BDoS: (TMM) afm_provisioned=%s dos_provisioned=%s dns_bdos_licensed=%s detection=%s

Location:
/var/log/bdosd.log

Conditions:
Debug log message that displays AFM/DHD module provision status as well as dns_bdos feature flag license state.

Impact:
None. This is an informational/debug message that is logged whenever log.tmm.level is set to debug level.

Recommended Action:
To disable logging this message, change log.tmm.level to non-debug level.

01010329 : BDoS: (TMM) Signature %s: threshold_mode=%s detection=%u mitigation_curr=%llu

Location:
/var/log/bdosd.log

Conditions:
There is an ongoing DDoS attack.

Impact:
The debug log message shows the current threshold mode, detection and mitigation (rate limit) values for an existing AFM BDoS signature that is being used to mitigate a DDoS attack. This message is logged only if log.tmm.level is set to level Debug.

Recommended Action:
To disable the log message, change log.tmm.level to a log level other than Debug.

01010330 : Failed to register the Neuron App %s with the Neuron client

Location:
/val/log/ltm

Conditions:
A tmm reports that it can not register with the neurond daemon:

May 25 07:28:06 mewtwo err tmm2[14613]: 01010330:3: Failed to register the Neuron App neuron_client_tmm_bigproto with the Neuron client

The neurond is not running or enabled. Check the neurond logs and running status.

Impact:
The function in the application that tries to register with the Neuron daemon will not be available.

Recommended Action:
None.

01010331 : Neuron client %s failed with %s(%s)

Location:
/var/log/ltm

Conditions:
Neuron daemon reports the failure and the reason for the failure of an API call from the application that initiates the API call:

May 11 06:24:15 i10800-R22-S20 err tmm[25098]: 01010329:3: Neuron client neuron_client_tmm_epva_fix failed with client request submit(client connection is busy (has outstanding requests))

The neuron daemon cannot finish the API request from the client, and the Neuron SDK returns an error code that corresponds to the error message sent back to the client.

Impact:
The client functions that are specified in the API cannot complete. The application might retry or bail out, depending on the application implementation, which might affect the application functions that depend on Neuron.

Recommended Action:
There is no workaround without interrupting the operation. The neurond daemon might be restarted to see if the Neuron chip can recover.

01010332 : Neuron application %s registered

Location:
/var/log/ltm

Conditions:
Informational message showing that an application that requires Neuron functionality has successfully registered with the Neuron daemon:

May 11 06:24:15 i10800-R22-S20 notice tmm[25098]: 01010332:3: Neuron application bigproto registered

An application that requires Neuron functionality registered with the Neuron daemon during startup time.

Impact:
None.

Recommended Action:
None.

01010342 : Disabled TCP HW checksum offloading automatically disables TCP Segmentation Offload (TSO)

Location:
/var/log/ltm

Conditions:
A BigDB variable for TCP HW checksum offloading (tm.tcpudptxchecksum value software-only) is disabled.

Impact:
The BIG-IP system automatically disables TCP Segmentation Offload (TSO), thereby preventing an incorrect configuration.

Recommended Action:
None.

01010343 : Syncookie SW mode activated, server = %A:%d

Location:
/var/log/ltm

Conditions:
The SYN cookie feature is enabled on a BIG-IP Virtual Edition (VE) platform, and the system has detected a SYN flood attack.

Impact:
The platform enters software SYN cookie protection mode. When this happens, packets on this virtual server are validated for SYN cookies in order to protect the system from SYN flood attacks.

Recommended Action:
None.

01010344 : Syncookie SW mode exited, server = %A:%d

Location:
/var/log/ltm

Conditions:
The SYN cookie feature is enabled on a BIG-IP Virtual Edition (VE) platform, and the system has detected a SYN flood attack.

Impact:
The platform enters software SYN cookie protection mode. When the platform exits the SYN cookie state, the platform returns to a normal operation state.

Recommended Action:
None.

01010346 : [LTM LB][%C]%s

Location:
/var/log/ltm

Conditions:
The new "LB::enable_decisionlog" iRule command has been executed on a virtual server. This command is intended to help F5 Engineering Services debug LTM load-balancing issues.

Impact:
Extra logging to /var/log/ltm occurs, possibly resulting in reduced performance.

Recommended Action:
This message is for debugging LTM load-balancing issues, and does not need a workaround. It only appears when explicitly enabled. It is recommended that this feature only be enabled with the guidance of F5 Engineering Services.

01010347 : DynaD activated

Location:
/var/log/ltm

Conditions:
The DynaD feature is activated via the associated tmsh command (tmsh modify sys dynad instrumentation <script> active true).

Impact:
The system logs a notification message to indicate that an attempt was made to activate the DynaD feature.

Recommended Action:
None.

01010348 : DynaD inactivated

Location:
/var/log/ltm

Conditions:
This log message occurs when the DynaD feature is inactivated via the associated tmsh command (tmsh modify sys dynad instrumentation <script> active false).

Impact:
The system logs a notification message to indicate that an attempt was made to inactivate the DynaD feature.

Recommended Action:
None.

01010348 : Access Policy(%s) update: Customization group set can be only assigned to Access policy of type per-request

Location:
/var/log/ltm

Conditions:
A customization-group-set object (tmsh list apm policy customization-group-set) has been associated with an access-policy object (includes per-request policies and access policy macros) that is not of type per-request policy.

Impact:
This is an invalid configuration. The policy might fail to execute as expected.

Recommended Action:
Find the customization-group-set object and correct access-policy name in it or delete this object. Then reload the BIG-IP configuration.

01010349 : DNSSEC: Failed to parse DS record string (%s): %s

Location:
/var/log/ltm

Conditions:
When BIG-IP signs both the zone and the parent zone, it should respond to DS queries directly. This issue occurs when adding a DS record for a zone when the DS record doesn't have proper format, resulting in parse failures.

Impact:
Failure to add DS Record

Recommended Action:
Verify the format of the DS Record has proper format.

01010355 : DNS: Awaiting full DNSSEC Key %s Generation %llu from MCP

Location:
var/log/ltm

Conditions:
A DNSSEC key generation is in the process of being created, but tmm hasn't yet received the crypto portion that it needs for signing.

Impact:
This is a log level notice message and does not represent an error. It is signalling that a given DNSSEC key generation cannot be used to sign responses until the full DNSSEC key generation is received by tmm. This generally takes a second or two, at most, to be resolved.

Recommended Action:
None.

01010356 : %s: filter '%s' init failed.

Location:
/var/log/ltm

Conditions:
The initialization of a traffic filter has failed.

Impact:
The filter won't work, and traffic might be denied or dropped.

Recommended Action:
If the virtual server causing the filter to fail is known, delete and recreate the virtual server. Otherwise, reload the configuration.

01010364 : Hybrid fixed-policy setting change: from %d to %d.

Location:
/var/log/ltm

Conditions:
TMM is starting or the command "tmsh modify sys crypto acceleration-strategy fixed-ratio <value>" is run to set the new value.

Impact:
None. This is an informational message for the crypto operation offload hybrid-mode setting change.

Recommended Action:
None.

01010365 : DNSSEC: Invalid value specified for DB variable %s. Using default value.

Location:
/var/log/ltm

Conditions:
You supplied an invalid string when configuring the db variable field list of DNS resource record types used in NSEC3 responses, for either apex or under-apex DNSSEC zone queries.

Impact:
The NSEC3 types bitmap field used in a response is the listed default value, if the db variable field is invalid/configured.

Recommended Action:
Make sure the db variable field follows the format of a lowercase, space-separated list of DNS RR types.

01010371 : CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

Location:
The /var/log/ltm file.

Conditions:
The message is logged when:

-- A special feature, controlled by db key tmm.cdp.requirematchingstates, is enabled.
-- The feature has detected a potential internal interface failure.

This is a feature that can be enabled by BIG-IP Administrators on multi-blade standalone VIPRION units that belong to a pool on an upstream load-balancer. In no other case should this feature be enabled.

For more information, see ID 841469: Application traffic may fail after an internal interface failure on a VIPRION system :: https://cdn.f5.com/product/bugtracker/ID841469.html.

Impact:
When the feature is triggering, it causes all new conections to be rejected (as if the system was in maintenance mode). The intent of this feature is to allow the upstream load-balancer to detect that the unit is unavailable and pick a healthier member from its pool to service requests.

Recommended Action:
No workaround necessary, as the feature is simply doing its job. However, the BIG-IP Administrator should review the status of the internal interfaces, and if one is suspected defective, contact F5 Support to obtain further assistance and/or organize a replacement.

For more information, see ID 841469: Application traffic may fail after an internal interface failure on a VIPRION system :: https://cdn.f5.com/product/bugtracker/ID841469.html.

01010372 : CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.

Location:
The /var/log/ltm file.

Conditions:
The message is logged when:

-- A special feature, controlled by db key tmm.cdp.requirematchingstates, is enabled.
-- The feature has detected that an internal interface previously found not to be working is now functional again (or the BIG-IP Administrator has just disabled the aforementioned feature).

This is a feature that can be enabled by BIG-IP Administrators on multi-blade standalone VIPRION units that belong to a pool on an upstream load-balancer. In no other case should this feature be enabled.

For more information, please refer to: ID 841469: Application traffic may fail after an internal interface failure on a VIPRION system :: https://cdn.f5.com/product/bugtracker/ID841469.html.

Impact:
When the feature is triggering, it causes all new connections to be rejected (as if the system was in maintenance mode). The intent of this feature is to allow the upstream load-balancer to detect the unit is unavailable and pick a healthier member from its pool to service requests.

Recommended Action:
No workaround necessary, as the feature is simply doing its job. However, the BIG-IP Administrator should review the status of the internal interfaces, and if one is suspected defective contact F5 Support to obtain further assistance and/or organize a replacement.

For more information, please refer to: ID 841469: Application traffic may fail after an internal interface failure on a VIPRION system :: https://cdn.f5.com/product/bugtracker/ID841469.html

01020037 : The requested %s (%s) already exists

Location:
/var/log/ltm

Conditions:
A client is attempting to create a non-partitioned object that already exists in the database. The primary key for the object must be unique.

Impact:
The client's transaction will fail.

Recommended Action:
Change the value used for the object's primary key, and resubmit the transaction.

01020066 : The requested %s (%s) already exists in partition %s

Location:
/var/log/ltm

Also, UI interfaces when a transaction fails.

Conditions:
This error message occurs when attempting to create something that already exists. This can happen in a variety of ways.

(1) Simple user error. Attempt to create an object that shares the same name or identifier. For example, creating two pools with the name 'poolA'. A less obvious one is uniqueness constraints, for example ltm node's address must be unique across all partitions.

(2) Reconfigure an iApp. iApp reconfigure tends to perform delete followed by create. Ordering internally matters for logical dependencies, and can come into conflict with referential integrity constraints.

(3) If a transaction contains multiple actions over a single object. For example, if you deleted an HTTP monitor `m1` followed by creating an HTTPS monitor, naming it `m1`, then attempted to sync. Other ways of creating such transactions can be done by using tmsh transactions functionality or merge loading of configuration.

Impact:
This can cause a validation error, sync to fail, or iApp deployment to fail.

Recommended Action:
(1) If a transaction contains multiple actions over a single object, separate them into two transactions. For example, if you deleted an HTTP monitor `m1` followed by creating an HTTPS monitor, naming it `m1`, and then attempted to sync.

(2) If it is an iApp, please open a support ticket.

0102006e : IP Address %s is invalid with netmask %s, must not be the same as network address.

Location:
Wherever log local0 points when mcp unittests are being run.

Conditions:
Unit test is run.

Impact:
None.

Recommended Action:
None.

0102006f : The string does not contain only space separated integers between 0 and 4294967295

Location:
/var/log/ltm

Conditions:
Generated by the LocalLB.ProfileDiameterSession and LocalLB.ProfileDiameterRouter iControls.
The error will be logged if the user attempts to store a number greater than 4294967295 or less than 0.

Impact:
When the error occurs, the iControl will send an error message and will not store the values in mcp.

Recommended Action:
The workaround is to make sure all the values stored by these iControls fall within the range of 0-4294967295.

01060001 : Service detected %s for %s:%u monitor %s.

Location:
/var/log/ltm

Conditions:
Example:
Service detected UP for my_service:80 monitor my_monitor_name.

This message is logged for each pool member when a change is detected for its associated monitor status. Possible status might be: "UP", "DOWN", "ENABLED", "DISABLED".

Impact:
This message might not itself indicate an error, as it merely reports the detected status-change. For example, an "UP" status upon system-start is to be expected, as is a change to "DISABLED" or "ENABLED" resulting from user-initiated action (such as user action through the xui or tmsh).

However, an unexpected "DOWN" status not resulting from intentional user-initiated action might indicate an issue, such as a failed server resource or an improperly configured monitor.

Recommended Action:
This message might not itself indicate an error, but a notification of a pool member status change due to monitor results, or user-initiated action. If an unexpected "DOWN" status is reported, the user should verify the server resource availability and ensure correct monitor configuration.

01060002 : Node address detected %s for %s monitor %s.

Location:
/var/log/ltm

Conditions:
Example:
Node address detected UP for 10.10.0.1 monitor my_monitor_name.

This message is logged for each node when a change is detected for its associated monitor status. Possible status may be: "UP", "DOWN", "ENABLED", "DISABLED".

Impact:
This message might not itself indicate an error, as it merely reports the detected status-change. For example, an "UP" status upon system-start is to be expected, as is a change to "DISABLED" or "ENABLED" resulting from user-initiated action (such as user-action through the xui or tmsh).

However, an unexpected "DOWN" status not resulting from intentional user-initiated action might indicate an issue, such as a failed node or an improperly configured node monitor.

Recommended Action:
This message might not itself indicate an error, but a notification of a node status change due to monitor results, or user-initiated action. If an unexpected "DOWN" status is reported, the user should verify the node availability and ensure correct monitor configuration.

01060110 : Lost connection to mcpd with error %d, will reinit connection.

Location:
/var/log/ltm

Conditions:
Example:
Lost connection to mcpd with error <some-error>, will reinit connection.

This message is logged when 'bigd' fails to successfully read a message from 'mcpd'. The 'bigd' process will then shut down and restart to attempt re-connection to 'mcpd'.

The 'mcpd' process might have halted due to system error, or manual administrator intervention. Under normal system behavior, if the 'mcpd' process has crashed, it will automatically be restarted and the 'bigd' process will successfully re-connect. This error-message might indicate the loss of communication with the 'mcpd' process while it is restarting.

Impact:
The 'bigd' process exists to report to the 'mcpd' process resource health (resulting from probe-responses or lack thereof for monitored resources). This message indicates 'bigd' has lost connection to 'mcpd', and thus must re-establish that connection.

Recommended Action:
No user intervention is required, as 'bigd' will attempt to re-establish its connection with 'mcpd'. Confirm the 'mcpd' process is successfully running, and is not halted due to manual administrator intervention or load-failure of an improper configuration.

01060111 : Open SSL error - %s

Location:
/var/log/ltm

Conditions:
SSL/TLS warning or error in communications.

Impact:
The impact will be encountered by the daemon that is logging the error, usually bigd. If bigd is the daemon logging the error, it means that a monitor is failing the SSL/TLS connection in the way described in the log text. The monitor will mark the pool members down for all pools it is associated with.

Recommended Action:
Determine which monitor is generating the errors by isolating the pool members that are failing. For more information on determining which pool member is failing, see SOL13768: Identifying which pool members are failing an SSL/TLS handshake.

Once you have identified the affected https monitor, first see SOL12531: Troubleshooting health monitors.

Check the monitor's cipher list to ensure that the cipher list is compatible with the pool members that it is connecting to. Do not put TLSv1_0 in the cipher list. Test your cipher list by running 'openssl ciphers <cipherlist>' at the command line using the cipher list from the monitor. For more information, see SOL16526: Configuring the SSL cipher strength for a custom HTTPS health monitor.

If you have a custom monitor connecting to a server running an old version of openssl, read SOL17183: The HTTPS monitor may incorrectly mark pool members down due to SSL SessionTicket Extension.

01060136 : Received links up - monitoring starts.

Location:
/var/log/ltm

Conditions:
Example (v11.6.0, and earlier):
Received links up - monitoring starts.

Example (v11.6.1, and later):
(_set_db_variable): adaptive tmstat logging enabled: true

This message is logged in v11.6.0, and earlier, when the 'bigd' process receives a "links-up" message indicating that monitoring can proceed, at which point 'bigd' begins monitoring (sending probes and processing responses).

This is an indication of proper behavior. When 'bigd' starts, it waits for an initial "links-up" message to indicate gateways are configured. Otherwise, sending monitor-probes might cause false gateway failsafe failovers to occur, and generate false monitor failures. After receiving the "links-up" message, any gateway failsafe failovers or monitor failures are genuine.

Starting in v11.6.1, this message is removed. However, a similar message is inserted to note status-changes, as follows:

Example:
"(_set_db_variable): adaptive tmstat logging enabled: true"

Impact:
This message is not an error, but a notification that 'bigd' began its logging (sending probes and processing responses).

Recommended Action:
None.

01060145 : Pool %s member %s monitor status %s. [ %s ] [ %s ]

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member my_member1 monitor status up. [ my_member1: UP, my_member2: UP %s ] [ was down ]

This message is logged when a status change is detected in a pool member. The message reports the parent pool name, the new pool member status, the status of all pool member peers, and the previous status for this pool member that had the status-change.

Possible pool member status includes: "unchecked", "checking", "forced up", "up", "down", "forced down", "irule down", "down", "down; waiting manual resume", "disabled", "checking".

Impact:
This message might not itself indicate an error, as it merely reports the detected status-change. For example, a pool member will typically transition through several status-changes upon system-start such as "unchecked"=>"checking"=>"up". Similarly, user-initiated actions (such as through the xui or tmsh) might forcibly set the status to "forced down" or "disabled".

However, an unexpected "down" status might indicate an issue, such as a failed server resource, or an improperly configured pool member or monitor.

Recommended Action:
This message might not itself indicate an error, but a notification of a pool member status change. If an unexpected "down" status is reported, the user should verify the server resource availability, and ensure a correct pool member and monitor configuration.

01060146 : Bigd PID %d, instance %d, overloaded.

Location:
/var/log/ltm

Conditions:
The system posts this message whenever bigd indicates excessive load. It occurs when the bigd daemon's ability to complete monitoring tasks is challenged by the number of monitor instances, the frequency of probe intervals, or the complexity of pool member/node types.

Impact:
bigd might fail to service monitors in a timely fashion, which might result in 'flapping' nodes/pool members (where the node/pool member goes down and back up even though the server itself has not gone down).

Recommended Action:
You can mitigate overload issues in the following ways:
 Reduce the number of monitor instances.
 Increase the probe time to probe less often.
 Switch monitored pool members/nodes to simpler, lower-overhead monitors (e.g., ICMP instead of HTTP, or HTTP instead of HTTPS).

01060156 : Bigd PID %d, instance %d, fail to serialize 'bigd=>mcpd' message (exceed msg-length limit?): %s.

Location:
/var/log/ltm

Conditions:
The 'bigd' service has attempted to send a message to the 'mcpd' service that exceeds the maximum message size limit.

Impact:
This is a diagnostic message, and does not itself indicate an error. The user need not perform any action, and the system will continue monitor logging.

Recommended Action:
None.

01060157 : Receive string cannot be empty for reverse monitor '%s'

Location:
/var/log/ltm

Conditions:
Attempting to use a monitor on a node or pool member, where the monitor is a reverse monitor and the receive string is empty.

Impact:
The monitor instance will fail to run in bigd.

Recommended Action:
Enter a receive string or use a different monitor.

01060158 : Disable string must be empty for reverse monitor '%s'

Location:
/var/log/ltm

Conditions:
Attempting to use a monitor on a node or pool member, where the monitor is a reverse monitor and the disable string is non-empty.

Impact:
The monitor instance will fail to run in bigd.

Recommended Action:
Clear the disable string or use a different monitor.

01070007 : Received shutdown signal %d

Location:
/var/log/ltm

Conditions:
Mcpd logs this notice as a result of receiving a SIGTERM (15), SIGINT (2), or SIGHUP (1) signal.

SIGTERM is sent on behalf of `bigstart restart mcpd` when issued on the command line by the user.

Impact:
Mcpd will restart, which subsequently causes multiple daemons to restart as well.

Recommended Action:
Do not use `bigstart restart mcpd`.

01070043 : Monitor %s parent not found.

Location:
/var/log/ltm

Conditions:
Example:
Jan 26 14:10:21 localhost err mcpd[5090]: 01070043:3: Monitor /Common/foo parent not found.

This message reports a failure to create a new monitor because the referenced parent-monitor does not exist (from which the new monitor was to copy default-parameters). The following command generates this error:

tmsh create ltm monitor http foo defaults-from MyMonitorNoExist

...error in '/var/log/ltm':
Jan 26 14:10:21 localhost err mcpd[5090]: 01070043:3: Monitor /Common/foo parent not found.

In this case, the 'foo' monitor is not created because the parent 'MyMonitorNoExist' did not exist.

Impact:
No operation occurred (the create-monitor attempt fails, and the configuration is not modified).

Recommended Action:
When creating a new monitor that uses 'defaults-from', an existing monitor of the appropriate type should be specified.

0107004e : LTM configuration is not allowed when VCMP is provisioned. Virtual server %s conflicts with VCMP.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Creating or enabling virtual servers while VCMP is provisioned.

Impact:
Virtual server can't be used when VCMP is provisioned.

Recommended Action:
Delete all virtual servers when VCMP is provisioned.

01070069 : Subscription not found in mcpd for subscriber Id %s.

Location:
/var/log/ltm

Conditions:
The system process named in the message is attempting to unmark itself as a subscriber, but has specified a subscriber name that it had not previously used.

This message occurs during system shutdown or restart.

Impact:
No user impact. This message implies that there is a defect in TMOS, but a comparatively minor one. There is no risk of system instability or dropped traffic.

Recommended Action:
None.

01070147 : Snatpool %s must reference at least one translation address.

Location:
/var/log/ltm

Conditions:
Example:
Snatpool my_pool must reference at least one translation address.

A SNAT pool is configured, and set as active; but has no SNAT pool members.

Impact:
The configuration failed to load, and the SNAT pool is unavailable.

Recommended Action:
User should set the empty SNAT pool to inactive, or add pool members. Alternatively, user could configure SNAT without pools, such as for 'standard' (explicitly specifying the translation address) or 'automap' (allowing the system to auto-assign from the BIG-IP device's existing self-IP addresses), or 'intelligent' (SNAT mapping implemented within an iRule).

After configuration repair, the configuration can be reloaded and the SNAT pool should be available (no reboot is required).

01070151 : Rule [%s] error: %s

Location:
/var/log/ltm or GUI.

Conditions:
This is a general TCL parsing error message caused when validating iRules.
The TCL error itself is present in the log message and includes information about the offending code, which quickly allows resolution in most cases.

The message can be triggered whenever an iRule is updated:
- either using the GUI by clicking update;
- saving the edited iRule when using the tmsh commend (for example, edit ltm rule <x>)

Errors will appear in the GUI or the ltm log file and examples include:
Rule [<rule_name>] error: <rule_name>:1: error: [parse error: missing close-brace][{ set port [TCP::local_port] if { $p == 443) log local0.info]
Rule [<rule_name>] error: <rule_name>:1: error: [command is not valid in the current scope][set sp [class match -value [string tolower [IP::local_addr]] equals dg_test ]]
Rule [<rule_name>] error: <rule_name>:2: error: [unexpected extra argument "="][TCP::local_port = 443]
Rule [<rule_name>] error: <rule_name>:9: error: [missing a script after "else"][]
Rule [<rule_name>] error: <rule_name>:3: error: ["invalid argument local0"][log local0 "MATCH OK"]
Rule [<rule_name>] error: <rule_name>:8: error: [invalid keyword "{ log local0. "in CLIENT_ACCEPTED" if { $cond }" must be: priority timing][when CLIENT_ACCEPTED { { log local0. "in CLIENT_ACCEPTED" if { $cond }" ]

Impact:
Updating of the iRule will not be performed and corresponding logic changes will not be applied to any associated virtual servers.
The iRule code needs to be corrected prior to successful update.

Recommended Action:
Inspect the error message and locate the error in the iRule code.
Once located, correct the error. The correction depends on the contents of the error generated.

For simple syntax errors like 'missing brace' or 'unexpected extra argument', inspect the code around the designated error line indicated in the log message and ensure braces ('{') are paired, and commands used (for example, [TCP::local_port]) have the correct number of arguments.

For errors that involve use of the wrong commands, ensure that the commands are valid to use in the current setting (for example, PEM commands require PEM to be licensed).

Some errors might be caused due to incorrectly referenced configuration objects. A common case is referring to a Data Group that is not yet configured when the iRule is updated. In these cases, ensure that the dependent configuration objects exist and that the references in the iRules are using the correct names.

01070165 : "License file stat fails: %s."

Location:
/var/log/ltm

Conditions:
The file /config/bigip.license doesn't exist or there are errors accessing the file.

Impact:
The BIG-IP system is not licensed.

Recommended Action:
License the BIG-IP system or check the file /config/bigip.license.

01070259 : Requested member (%s) is untagged on another VLAN

Location:
/var/log/ltm

Conditions:
A VLAN is configured with an interface as an untagged member. When an additional vlan is configured with the same interface as an untagged member, the configuration will fail with this error message.

Impact:
VLAN configuration will fail.

Recommended Action:
You must correct your VLAN configuration. Either remove the interface from the previously configured VLAN, where it appears as an untagged member, or add it to the new VLAN as a tagged member.

0107025d : Nameserver for Wide IP Zones (%s) is not a fully qualified domain name or contains invalid characters.

Location:
/var/log/gtm

Conditions:
The value of GTM Globals Nameserver is not a fully-qualified domain name, or it contains invalid characters.

Impact:
The GTM Globals Nameserver value needs to a fully-qualified domain name, such as ns.example.com. The default value will be used for all Nameserver records that ZoneRunner automatically created. The default value is "this.name.is.invalid."

Recommended Action:
Choose a valid domain name that is registered to the user's domains.

0107025e : Nameserver for Wide IP Zones is empty. A valid, fully qualified domain name must be specified.

Location:
GUI, CLI

Conditions:
A user has modified the GTM global settings and left the "WideIP Zone Nameserver" field empty.

Impact:
The settings are not updated.

Recommended Action:
Do not leave the "WideIP Zone Nameserver" field empty.

01070261 : Can't create a home directory for username %s (%s)

Location:
LTM log.

Conditions:
The reason for the failure is described in the parenthesized portion of the message.

Impact:
The user is created, but the user cannot log in.

Recommended Action:
No general workaround. The error described in the message is required to determine this information.

01070265 : The %s (%s) cannot be deleted because it is in use by a %s (%s)

Location:
/var/log/ltm

Conditions:
Mcpd will log this when a client is attempting to delete a configuration that is currently being used by another configuration object.

Impact:
The transaction will fail and rollback; mcpd will be in the state it was in just prior to attempting the transaction.

Recommended Action:
Remove or reconfigure the object that is referencing the configuration object that you want to delete.

01070277 : The requested %s (%s) was not found

Location:
In tmsh or the GUI, as the response to a request to create or modify configuration.

Conditions:
The user referred to a configuration object that does not exist.

Impact:
The requested change failed validation and no change to the configuration occurred.

Recommended Action:
Correct the spelling of the object name or choose a different object.

0107028a : The source address (%s) for virtual server (%s) must have a prefix length.

Location:
/var/log/ltm

Conditions:
Example:
The source address (10.10.0.5) for virtual server (my_server) must have a prefix length.

This message is logged upon configuration load when a virtual server is missing its prefix length, which is required to identify the virtual server subnet.

The virtual server is configured in CIDR notation including the IP address and prefix length, such as 192.168.100.0/24. The prefix length (mentioned in the message) is the number of bits set in the network mask, such as a prefix length of 24 associated with a subnet mask of 255.255.255.0.

Impact:
The configuration for this virtual server failed to load (because its configuration is improper), and this virtual server is unavailable.

Recommended Action:
User should configure the virtual server with its IP address and prefix length (in CIDR notation, such as 192.168.100.0/24), and reload the configuration.

01070301 : Pool (%s) is referenced by one or more virtual servers

Location:
/var/log/ltm

Conditions:
This message is logged when a user-initiated attempt is made (such as through xui or tmsh) to delete a pool that is currently referenced by one or more virtual servers. Deleting a pool that is still referenced by a virtual server is not permitted, as it would result in a (dangling) foreign key reference from the virtual server to the now-deleted pool.

Note that this message is removed in v11.5.0 (and thus is reported only in v11.4.1 and earlier). In v11.5.0 and later, validation of foreign keys from a virtual server to a pool is performed differently, thereby removing this message from the codebase.

Impact:
No action is taken, and the pool is not deleted (the pool is unchanged). This message merely logs the rejection of the user-initiated attempt to delete a pool.

Recommended Action:
User should first remove the pool references by any virtual server, and then delete the pool. When the pool is not referenced by any virtual server, the pool delete operation will successfully complete and this error message will not be logged.

0107030c : Host persistence requires an HTTP profile to be associated with the virtual server

Location:
/var/log/ltm, GUI

Conditions:
A virtual server has been configured to use HTTP Host persistence. That virtual server has no HTTP profile attached to it.

Impact:
The configuration is inconsistent, and will fail to load.

Recommended Action:
Add an HTTP profile to the virtual server requiring HTTP Host persistence. Or choose another kind of persistence profile that doesn't require an HTTP profile on the virtual server.

01070315 : profile %s requires a key

Location:
/var/log/ltm

Conditions:
A 'key' is missing from the cert-key-chain object that is associated with a clientSSL profile. Or, 'key' is missing from the server SSL profile, when 'cert' is present.

Impact:
This results in mcpd validation failure of the specific clientSSL/serverSSL profile, resulting in failure of mcpd operation/transaction.

Recommended Action:
In order to fix the issue, user needs to add 'key' to cert-key-chain object in clientSSL profile, or to the serverSSL profile.

01070318 : The requested media %s for interface %s is invalid.

Location:
/var/log/ltm

Conditions:
The user attempts to set the media on an interface to an invalid type.

Impact:
The change does not take effect.

Recommended Action:
Do not attempt to set the interface media to an invalid value.
Use "tmsh list net interface X media-capabilities" command to see a list of accepted media values for interface X.

01070320 : Snatpool %s is still referenced by a virtual server.

Location:
/var/log/ltm

Conditions:
User-initiated action (such as through tmsh or xui) attempted to delete a SNAT pool that is still being referenced by a virtual server or SNAT.

Impact:
No action occurred, and the attempt to delete the SNAT pool failed (the SNAT pool is unaffected).

Recommended Action:
User should first remove the SNAT pool from being referenced by the virtual server or SNAT object. A subsequent attempt to delete the SNAT pool will then succeed.

0107032f : The vlan (%s) associated with the static route %s/%d must have a Self IP using the IPv%u protocol.

Location:
/var/log/ltm, GUI, console

Conditions:
The system is attempting to create a static route when none of the self-IP addresses for the static route are on the same interface and the addresses do not use the same IP protocol format (IPv4 or IPv6).

Impact:
The system cannot create a static route.

Recommended Action:
Create all self-IP addresses for the static route on the same interface and ensure that the addresses use the same IP protocol format.

01070340 : %s (%s) is referenced by one or more rules

Location:
/var/log/ltm

Conditions:
One common problem is, an object is to be deleted, but it is still referenced actively, because there are multiple references to one object.

Impact:
Because of this error, the user action will fail. For example, if there are multiple references to an object and user attempts to delete it, the system does not delete it.

Recommended Action:
User needs to search for the object indicated in the message across the iRules, and remove the object dependency before deleting the object.

01070341 : Virtual server %s references rule %s which does not exist.

Location:
/var/log/ltm

Conditions:
A configuration load or change contains a virtual server that references a rule that does not exist.

Impact:
The rule associated with the virtual server could not be found, and is not active.

Recommended Action:
User should confirm the rule exists when referenced by a virtual server. Confirm that the rule exists, and that the name referenced by the virtual server is spelled correctly.

01070354 : Self IP %s / %s: This network is defined on two vlans (%s and %s)

Location:
/var/log/ltm, console, and GUI.

Conditions:
The self IP being created is on a network that is in a different VLAN than the one specified during self IP creation.

Impact:
MCPD will prevent the self IP address from being created until the conflict is resolved.

Recommended Action:
Create the self IP in the current VLAN.

01070356 : %s feature not licensed

Location:
/var/log/ltm
The contents of /var/log/ltm may be viewed in the GUI under System > Logs > Local Traffic. These messages are of the form "<FEATURE_NAME> feature not licensed." The <FEATURE_NAME> list of items regularly increases with each release.

Conditions:
These messages occur whenever mcpd queries the license for a feature flag that is not in the license. This message typically occurs during configuration validation.

Impact:
There is no single consistent BIG-IP action, or easily counted set of actions, associated with these messages. In general, however, the feature named in the message does not function, and the BIG-IP system might not achieve the Active operational state.

Recommended Action:
Upgrade the license to support the requested features. Downgrade the BIGIP software to a version that does not require the unlicensed features, or modify the configuration to remove objects that depend on the unlicensed features. The probable cause for these messages is using a configuration file from a more feature-rich license, or the release of BIG-IP software with a less feature-rich license or software image.

01070392 : Self IP %s / %s: This IP shares a network with %s (%s / %s).

Location:
/var/log/ltm, console, and GUI.

Conditions:
The self IP being created conflicts with the admin address of the BIG-IP device.

Impact:
MCPD will prevent the self IP address from being created with the conflicting address.

Recommended Action:
Either create the self IP with a different address, or correct the conflicting admin address of the BIG-IP device.

01070394 : %s in rule (%s) requires an associated %s profile on the virtual server (%s)

Location:
/var/log/ltm

Conditions:
A configuration load contains a rule associated with a virtual server, but the required profile was not found on that virtual server. The intended profile might be present in the virtual server, but was misspelled in the rule, or the required profile was not associated with the virtual server.

Note that this message is used only on v11.6.1, and earlier.

Impact:
The configuration failed to load, and the rule is not in effect.

Recommended Action:
User should change the rule to reference a profile present on the virtual server. Confirm that the identified profile in the rule is properly spelled, and that the profile is associated with the virtual server. The configuration might then be reloaded (a reboot is not required).

01070404 : Add a new Publication for publisherID %s and filterType %p

Location:
/var/log/ltm

Conditions:
A system process has started up and connected to mcpd. This process is registering as a publisher, meaning that mcpd acts as a proxy for certain user commands that require obtaining data from this process. For example, when the user runs the command 'show sys connection', this will be forwarded to TMM instances, and their responses will be forwarded back to the user's shell.

Impact:
This message does not indicate a problem with the system.

Recommended Action:
None.

01070406 : Removed publication with publisher id %s

Location:
/var/log/ltm

Conditions:
A system process is removing itself as a publisher. See error catalog item 620989 for a description of the publishing mechanism.

Impact:
This message does not indicate a problem with the system. The most common case it would be seen is a shutdown or reboot of the system. If the publishing process is exiting unexpectedly, it will generate its own log messages.

Recommended Action:
None.

01070407 : Removed information for Publication %s and filterType %p

Location:
/var/log/ltm

Conditions:
A system process is removing itself as a publisher, but only for certain types of messages. It remains a publisher for other types of messages. See error catalog item 620989 for a description of the publishing mechanism.

Impact:
This message does not indicate a problem with the system.

Recommended Action:
None.

01070408 : Deleting abandoned subscriber connection for %s

Location:
/var/log/ltm

Conditions:
A system service has restarted and subscribed to mcpd objects without cleaning up after itself in its previous instantiation.

Impact:
This indicates a problem that is resolving itself. mcpd is not impacted, although whatever caused the other process to restart might be a concern. That failure would log its own error messages.

Recommended Action:
None.

01070410 : Removed subscription with subscriber id %s

Location:
/var/log/ltm

Conditions:
A system process is ending its subscription to mcpd objects. This is the mechanism by which this process is informed about updates to the configuration.

This is a clean unsubscription, so the system is likely shutting down or restarting.

Impact:
This message does not indicate an error.

Recommended Action:
None.

01070413 : Updated existing subscriber %s with new filter class %llx

Location:
/var/log/ltm

Conditions:
A system process is changing the set of configuration objects about which it is concerned. This is the mechanism by which this process is informed about updates to the configuration.

Impact:
This message does not indicate an error.

Recommended Action:
None.

01070417 : AUDIT - user %s - transaction #%u-%u - object %u - %s

Location:
/var/log/audit

Conditions:
Auditing changes made to configuration in mcpd.

Impact:
Not an error.

Recommended Action:
None.

01070418 : connection %p (user %s) was closed with active requests

Location:
/var/log/ltm

Conditions:
Two possible conditions:

* A system service is connected to mcpd and has started a transaction, but not written anything to it for five minutes, indicating that it likely is no longer using it.

* A connection was closed while mcpd had not yet finished responding to it.

Impact:
This message might indicate a minor TMOS bug, but one that is likely to quickly resolve with no impact.

Recommended Action:
None.

01070419 : Platform initialization phase triggered

Location:
/var/log/ltm

Conditions:
mcpd logs this message as a result of entering the first of four initialization phases.

Impact:
This is the expected behavior of a healthy mcpd on startup.

Recommended Action:
None.

01070421 : Base configuration initialization phase triggered.

Location:
/var/log/ltm

Conditions:
mcpd is starting up from configuration files, as opposed to being restored from a binary file. The binary file either did not exist prior to mcpd starting or it may have been corrupted.

Base configuration initialization phase is #2 of 4 total initialization phases.

Impact:
Restoring from configuration files on startup is part of normal operation, and as a result, mcpd should become fully operational (contingent upon successful completion).

Recommended Action:
None.

01070424 : Full configuration initialization phase triggered.

Location:
/var/log/ltm

Conditions:
mcpd is starting up from configuration files, as opposed to being restored from a binary file. The binary file might not have existed prior to mcpd starting, or it might have been corrupted.

Impact:
Restoring from configuration files on startup is part of normal operation; as a result, mcpd should become operational.

Recommended Action:
None.

01070427 : Initialization complete. The MCP is up and running

Location:
/var/log/ltm

Conditions:
mcpd successfully completed initialization, which means all configuration loaded and reached a running phase.

Impact:
mcpd function as designed

Recommended Action:
None.

01070465 : DB changed: %s, configsync needed

Location:
/var/log/ltm

Conditions:
If a BIG-IP device is in an HA pair, config sync autodetect is enabled, and a db variable is modified.

More specifically, if the following db variables are set:
  1. failover.isredundant value true
  2. configsync.autodetect value enabled

Impact:
No impact. This is information only.

Recommended Action:
Disable config sync autodetect or ignore.

01070466 : Received end of platform data

Location:
/var/log/ltm

Conditions:
Mcpd logs this message in response to receiving the end_platform_id request from chmand. This is a normal part of the boot process, and is the result of chmand publishing platform info to an initialized mcpd. This message can be seen every time mcpd starts up.

Impact:
Mcpd can now perform actions that require the platform object, such as install the VCMP n-stage validator. This is expected behavior.

Recommended Action:
None.

01070468 : %s

Location:
/var/log/ltm

Conditions:
A transaction to change the configuration successfully completes and the log.mcpd.level db variable is set to debug.

Impact:
None.

Recommended Action:
None.

01070596 : An unexpected failure has occurred, %s, exiting...

Location:
/var/log/ltm

Conditions:
mcpd has reached an unrecoverable error.

Impact:
mcpd will restart, along with most other system services. Traffic will be lost.

Recommended Action:
Often this will resolve itself after one restart. If not, removing the binary database (rm -vf /var/db/mcp*) is another common cause for some instances of this error.

01070599 : Current management-ip (%s) has to be deleted before adding a new management-ip (%s) with the same address family.

Location:
/var/log/ltm

Conditions:
The user attempts to create a sys management-ip of an address family that is already configured.

Impact:
The configuration operation fails.

Recommended Action:
Delete the clashing management-ip before adding the correct one.

01070604 : Cannot delete IP %s because it would leave a route unreachable.

Location:
/var/log/ltm

Conditions:
When removing a self-ip, and the address is the only way in which a static route can be reached, the deletion would strand the route.

Impact:
The condition prevents a static route from being removed.

Recommended Action:
Remove any static route that utilizes the self-ip, and try the deletion again.

01070608 : License is not operational (expired or digital signature does not match contents)

Location:
/var/log/ltm

Conditions:
*) This message is logged when the license was not reactivated before an upgrade, and the license's check service date is older than the release date of the install.

*) This message is logged when the license has been modified, or the digital signature does not match the contents.

Impact:
The BIG-IP system is not licensed.

Recommended Action:
If a support contract is current, reactivate the license. Reactivation can be performed from the GUI on a running boot location, or by using tmsh (tmsh install sys license).

01070622 : The monitor %s has a wildcard destination service and cannot be associated with a node that has a zero service

Location:
Associating a pool member with a zero port with a monitor that requires a port generates error message in question.

Conditions:
Pool member with zero port; associated monitor that requires a port (for example TCP or HTTP).

Impact:
Monitors that require a destination port cannot be associated with pool members where the port is unspecified or zero.

Recommended Action:
Assure that the pool member has a non-zero specified port.

01070638 : "Pool %s member %s:%u monitor status %s."

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member 10.10.0.5:80 monitor status forced down.

This message is logged when a status change is detected for the pool member, resulting in the pool member being in a status other than 'up'. Possible status values are: 'unchecked', 'node down', 'down', 'forced down', 'up and awaiting man resume', 'iRule down', 'inband down', 'FQDN down'. Note that the 'up' status is not listed, because this message is not reported when the pool member status is 'up'.

The pool member status is dependent upon the virtual server configuration, and the configuration and health status results for associated monitors.

Impact:
This message might not itself indicate an error, because it merely reports the detected pool member status change. For example, user-initiated action (such as through the xui or tmsh) might explicitly change the pool member status (such as to 'forced down' for maintenance). However, an unexpected 'down' status might indicate a configuration or resource availability issue.

Note also that the parent pool status might be unchanged as a result of this pool member status change, as long as the threshold is not exceeded for the number of available pool members required for the parent pool to be available.

Recommended Action:
If an unexpected 'down' status is reported, verify the pool member configuration, the configuration of associated pool member monitors, and the resource availability to ensure pool member availability.

01070639 : Pool %s member %s:%u session status %s.

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member my_member:80 session status forced disabled.

This message is logged when "session-status" is changed, such as from user action to "enable" or "disable". Possible status includes: 'enabled', 'node disabled', 'disabled', and 'forced disabled'.

Impact:
This message is a log-notification only when the pool member session status changes.

Recommended Action:
This is not an error, but a notification of a pool member status change that records the resulting status.

01070640 : Node %s address %s monitor status %s.

Location:
/var/log/ltm

Conditions:
Example:
Node my_node address 10.10.0.1 monitor status forced down.

This message is logged when a status change is detected for the node, resulting in the node being in a status other-than 'up'. Possible status values are: 'unchecked', 'node down', 'down', 'forced down', 'up and awaiting man resume', 'iRule down', 'inband down', 'FQDN down'. Note that the 'up' status is not listed, because this message is not reported when the node status is 'up'.

The node status is dependent upon node configuration and heath results for associated node monitors.

Impact:
This message might not itself indicate an error, as it merely reports the detected node status change. For example, user-initiated action (such as through the xui or tmsh) might explicitly change the node status (such as to 'forced down' for maintenance). However, an unexpected 'down' status might indicate a configuration or resource availability issue.

Recommended Action:
This message might not itself indicate an error, but a notification of a node status change due to monitor results, or user-initiated action. If an unexpected 'down' status is reported, verify the node configuration, the configuration of associated node monitors, and the resource availability to ensure node availability.

01070690 : Port mirroring is not supported on this platform.

Location:
/var/log/ltm

Conditions:
This occurs if you configure port mirroring on a platform that does not support port mirroring.

Impact:
You will not be able to configure port mirroring.

Recommended Action:
None.

0107070e : Software version not covered by service agreement. Reactivate license before continuing.

Location:
/var/log/ltm
The contents of /var/log/ltm can be viewed in the GUI under System->Logs->Local Traffic.

Conditions:
The BIG-IP software version used was released after the Service Check Date specified in the license.

Impact:
The BIG-IP system is not usable in this state. You must either upgrade the license, to one for the installed software version, or revert to a BIG-IP software version that the current license supports.

Recommended Action:
You must either upgrade the license, to one for the installed software version, or revert to a BIG-IP software version that the current license supports.

01070712 : "Caught configuration exception (%d), %s."

Location:
/var/log/ltm

Conditions:
MCPD logs this error in response various configuration issues that might arise while attempting to process a transaction. The nature of the issue could be caused by any number of runtime scenarios, for example, "can't get class information from schema repository", "invalid MAC address", "Can't get class definition while retrieving sub classes", etc.

Impact:
MCPD will stop processing the current transaction and roll back to the last valid state.

Recommended Action:
Depending on the message being logged, modify the configuration that caused the error, and then attempt to submit the transaction again.

01070727 : "Pool %s member %s:%u monitor status up."

Location:
/var/log/ltm

Conditions:
Example:
Pool my_pool member 10.10.0.5:80 monitor status up.

This message is logged when a status change is detected for the pool member, resulting in the pool member being marked 'up'. The pool member status is dependent upon virtual server configuration, and the configuration and health results from associated monitors.

Impact:
This message is not an error, but merely reports the detected 'up' pool member status. This message is expected upon system start, where properly configured pool members transition to an 'up' status.

Recommended Action:
None.

01070728 : Node %saddress %s monitor status up.

Location:
/var/log/ltm

Conditions:
Example:
Node my_node address 10.10.0.1 monitor status up.

This message is logged when a status change is detected for the node, resulting in the node being marked 'up'. The node status is dependent upon node configuration and health results for associated node monitors.

Impact:
This message is not an error, but merely reports the detected 'up' node status. This message is expected upon system start, where properly configured nodes transition to an 'up' status.

Recommended Action:
None.

01070730 : Configuration restored from binary image

Location:
/var/log/ltm

Conditions:
Mcpd loaded the configuration from a binary image format on disk.

Impact:
The binary image is considered to be saved in a valid state, so restoring from the binary means that the BIG-IP system does not run validation and business logic, as it typically would when processing configuration (/config/*.conf) files.

Recommended Action:
Loading from binary is typically a desirable behavior as it's faster than processing configuration files; however, if one wanted to run business logic and validation, you could remove the binary file and restart mcpd, for example,

rm -f /var/db/mcpdb.*
bigstart restart mcpd

01070734 : Configuration error: %s

Location:
/var/log/ltm

This error appears in the GUI, as a result of a configuration update.

Conditions:
This error is a validation exception, usually occurring when a user attempts to update the configuration.

The most common ways for user error include:

1) Invalid naming.
No keywords, empty names, special characters, etc.

2) Invalid value for an attribute.
Can be value ranges, NULL constraints, and other defined domains.

3) Dependency required.
Let X and Y be two different classes. When an X is configured, a related Y must be configured.

4) Invalid reference to another object.
Can be a permissions problem, a NULL constraint, or the object referenced doesn't exist.
Let X and Y be two different classes. X must configure an X.a. When X.a references Y, Y must exist and X must be allowed to refer to Y.

5) Logical constraints of attributes.
Let X be a class. When X.a is configured, X.b must not be configured.

Impact:
A transaction can fail upon encountering this exception.

Recommended Action:
Check the configuration update and correct the issue.

01070736 : Couldn't write to the user/role/partition file, %s (%d)

Location:
/var/log/ltm, and in tmsh

Conditions:
There is some error writing the user role partition file, which indicates a disk error. The error message includes errno from the failed operation, which might give more specific information about the cause.

Impact:
The transaction containing changes to the user role partition file is rolled back. If the error persists, changes to user roles and partition access will be impossible.

Recommended Action:
Examine the errno in the error message to determine more information about the root cause, and resolve that.

01070756 : Diameter monitor '%s' has invalid mode '%s'

Location:
/var/log/ltm

Conditions:
Whenever MCP identifies that the mode configuration parameter of the diameter monitor is invalid before it stores in the MCP database.

Impact:
Does not update the specified value for the mode configuration parameter of the diameter monitor.

Recommended Action:
None.

01070807 : Monitor %s instance %s:%u has been %s.

Location:
/var/log/ltm

Conditions:
Examples:
Monitor my_http instance 10.10.0.2:80 has been enabled.
Monitor my_http instance 10.10.0.2:80 has been disabled.

This message is logged when the user changes the monitor instance status to either 'enabled' or 'disabled', such as through tmsh or the xui. A 'disabled' monitor sends no health-check probes, and thus does not contribute to an indication of the resource's health. Disabling a monitor does not otherwise impact availability of the monitored resource.

Impact:
This message is log-notification only when the monitor instance status is changed between 'enabled' and 'disabled'.

Recommended Action:
This is not an error, but a notification of monitor instance status change that records the resulting status.

01070822 : "Access Denied: %s"

Location:
/var/log/ltm, CLI, GUI

Conditions:
User attempts to read, modify, or delete a config that they do not have access to, per the partition access settings, or attempts to perform an action that is not allowed for the role. The error message describes more precisely what access was denied.

Impact:
User is prevented from doing things they are not authorized to do.

Recommended Action:
If the user needs access to config or actions, then the user must be given sufficient partition/role access.

01070823 : Read Access Denied: %s

Location:
/var/log/ltm, shown in tmsh

Conditions:
A user attempts to query objects or stats in a partition to which the user does not have read access, or attempts to query non-partitioned objects but does not have non-partitioned read access.

Impact:
User is not able to read the desired objects or stats.

Recommended Action:
If the user needs read access to the objects or stats, then the user must be given a role on the appropriate partition with read access.

01070827 : User login disallowed: %s

Location:
/var/log/ltm

Conditions:
Attempt to log in as a user with no partition access specified.

Impact:
Unable to log in as user with no partition access specified. Such a user has no access.

Recommended Action:
Specify partition-access for every user account that needs access to the BIG-IP device.

01070830 : The iRule (%s) cannot be deleted because it is in use by a %s (%s) %s (%s).

Location:
When an iRule is configured under a firewall policy rule, deleting that iRule should report an exception.

Conditions:
-- AFM is provisioned.
-- An iRule is configured under a firewall rule.
-- You attempt to delete that iRule.

Impact:
Cannot delete an iRule configured under a firewall rule. This is correct behavior.

Recommended Action:
None.

01070921 : Virtual Server '%s' on partition '%s' %s by user '%s'.

Location:
/var/log/ltm

Conditions:
A user (with sufficient permissions) has enabled or disabled a virtual server.

Impact:
The virtual server is either enabled or disabled as requested; the network service(s) provided by the virtual server were either made available or made unavailable.

Recommended Action:
This is a user requested action, not an issue with the product.

01070927 : Request failed, data provider (%s) disconnected from mcpd

Location:
/var/log/ltm

Conditions:
The system process named in the message is attempting to unmark itself as a publisher, but has specified a publisher name that it had not previously used. See error catalog item 620989 for a description of the publishing mechanism.

This message occurs during system shutdown or restart.

Impact:
No user impact. This message implies that there is a defect in TMOS, but a comparatively minor one. There is no risk of system instability or dropped traffic.

Recommended Action:
None.

01070931 : Clustering quorum reached

Location:
/var/log/ltm

Conditions:
Any chassis platform during normal start up.

Impact:
This message indicates that the 'quorum' stage of the chassis clustering algorithm has been reached.

Recommended Action:
None.

01070933 : License blob received from primary.

Location:
/var/log/ltm

Conditions:
On a cluster with more than one member.

Impact:
None.

Recommended Action:
None.

01070967 : The specified vlan, vlangroup or tunnel (%s) cannot be removed from its default route domain (%s).

Location:
/var/log/ltm

Conditions:
When trying to remove VLAN or VLAN-GROUP from default route-domain, without attaching to another route-domain.

Impact:
Validation error, no operation impact. Action will be prevented.

Recommended Action:
None.

01070978 : The vlan (%s) for the specified self IP (%s) must be one of the vlans in the associated route domain (%s). For example: 192.168.0.1%1234 for self IP in route-domain 1234.

Location:
/var/log/ltm, console, and GUI.

Conditions:
When the self IP VLAN is not one of the VLANs in the route-domain, where the route domain is extracted based on the self IP address format.

Impact:
MCPD will prevent the self IP address from being created with the designated VLAN.

Recommended Action:
Verify that the route domain, as specified in the self IP address has the right VLANs as its members.

01070979 : The specified vlan (%s) for route domain (%s) is in use by a self IP.

Location:
/var/log/ltm

Conditions:
When attempting to remove a VLAN that still has a SelfIp association.

Impact:
VLAN is prevented from removal until the SelfIp in question is moved or removed.

Recommended Action:
Move the SelfIp(s) associated with the VLAN to other VLANs.

01070995 : get_tmstat: tmstat_sample not ready. Statsd may not be running.

Location:
/var/log/ltm

Conditions:
This warning message can appear while attempting to query statistics from a segment, subscribing to the segment directory fails. Typically this will occur if the statsd is not ready. Other less likely cases include a problem with resources, such as no memory available.

Impact:
Query of segment will fail.

Recommended Action:
In a typical case, the query can be retried when the statsd is ready. Then it succeeds. In the case of a resource problem, the statsd will need to be restarted.

01071027 : Master key OpenSSL error: %s

Location:
/var/log/ltm

Conditions:
These logs indicate that there is a problem with the BIG-IP device's secure vault feature, device group mutual authentication, or OpenSSL processing of those features. They come in two types.

These logs indicate a problem with openssl processing itself, such as an out-of-memory condition.
Master key OpenSSL error: Unit Key Generation fails!
Master key OpenSSL error: Key decrypt update
Master key OpenSSL error: Key decrypt final
Master key OpenSSL error: Master decrypt update
Master key OpenSSL error: Master decrypt final
Master key OpenSSL error: RSA public encrypt error
Master key OpenSSL error: b64_decode BIO_read error
Master key OpenSSL error: Cannot find proper algorithm
Master key OpenSSL error: Cannot create new X509 certificate
Master key OpenSSL error: Setting certificate version to SSL v3"
Master key OpenSSL error: Cannot allocate a pub_key type
Master key OpenSSL error: Cannot create new ASN1 type.
Master key OpenSSL error: Key size mismatch with PKCS1 padding size
Master key OpenSSL error: Cannot convert signature to data stream
Master key OpenSSL error: Error signing certificate
Master key OpenSSL error: Loading unit key: Error converting data blob to key.
Master key OpenSSL error: AES256 Symmetric Unit Key Generation fails!

These logs pertain to a corrupt master key, unit key, device group certs/keys, or HA certs/keys failures.
Master key OpenSSL error: Cannot open key store
Master key OpenSSL error: Cannot open key store RSA
Master key OpenSSL error: Cannot load %s (/.unit[1,2].key, /unit[1,2].crt, /master.[1,2], /master, /.unitkey, /temp, /master.recovery, /var/www/unitkeys/unit.crt)
Master key OpenSSL error: Cannot read master key
Master key OpenSSL error: Key encrypt
Master key OpenSSL error: Master encrypt
Master key OpenSSL error: Cannot save master key for peer.
Master key OpenSSL error: Symmetric Unit Key encrypt
Master key OpenSSL error: Symmmetric Unit Key decrypt
Master key OpenSSL error: Cannot open unit certificate file.
Master key OpenSSL error: Cannot read unit certificate file.
Master key OpenSSL error: Cannot write unit cert
Master key OpenSSL error: (/.unit[1,2].key, /unit[1,2].crt, /master.[1,2], /master, /.unitkey, /temp, /master.recovery, /var/www/unitkeys/unit.crt)
Master key OpenSSL error: Peer Certificate file

Impact:
Loading or syncing configurations with encrypted attributes will fail.

Recommended Action:
Reset the device trust group or the HA group. Or, reload a backup UCS file as described in K9420.
https://support.f5.com/csp/#/article/K9420

01071029 : %s

Location:
/var/log/ltm

Conditions:
1. These log messages pertain to the unit key and possible issues it may encounter.
Unit key SHA1 function failed.
Unit key hash does not match! Possible key corruption or tampering. Retry ...
Unit key read failed! Retry ...
Unit key read failed! back off to platform phase...
SecureVault encountered issue with reading Unit key from SEEPROM. Try rebooting the system...
Removing corrupt key header.
Cannot open unit key store
Unit key write to hal failed.
Unit key write verify failed.
Cannot load unit key
No Unit Key Found
Failed to encrypt the unit key
Loading unit key: Error converting data blob to key.

2. These log messages relate to the unit keys encryption of the master key:
Save Master Key aborted -- cannot load unit key.
Failed to encrypt the master key
save_master_key(master): Not ready to save yet -- no master key
save_master_key(master): Not ready to save yet -- no unit key
Couldn't retrieve the old master key.
Master Key not present.
Failed to encrypt the Master key

3. These log messages relate to attempts to change the master key.
Invalid master key
Attempted to rekey with a blank master key
Save Master Key aborted -- cannot determine unit id!
Cannot determine failover unit ID

4. This message is a general error.
b64_decode BIO_read error

5. This log message relates to the custom password db variable for encrypted attributes.
Custom Key not present. Please set the security.custompassword db variable.

Impact:
Possible issues using the secure vault feature.

Recommended Action:
1 and 2. Attempt to reboot the system. If the problem is not resolved, contact F5 support.
3. Attempt to change the key with a valid key.
4. None.
5. Set the security.custompassword db variable.

0107102d : Cannot load master key file. Updating to a new master key.

Location:
/var/log/ltm

Conditions:
The master key file does not exist or has been corrupted.

Impact:
Previous configurations with encrypted attributes using the old master key will be unloadable.

Recommended Action:
Upload a backup ucs file.
https://support.f5.com/csp/#/article/K9420

01071031 : %s

Location:
/var/log/ltm

Conditions:
When one of the system auth db variables SystemAuth.DisableRootLogin or SystemAuth.DisableBash is changed to "false" (turning off the security feature) or when the db variable SystemAuth.PrimaryAdminUser is modified, a message is logged indicating that a security setting has changed and the user account that made the change:

Security setting systemauth.disablerootlogin has been disabled by user admin
Security setting systemauth.disablebash has been disabled by user admin
Security setting systemauth.primaryadminuser has been modified from admin to newadmin by user admin

Impact:
None.

Recommended Action:
None.

01071038 : %s

Location:
/var/log/ltm

Conditions:
1. The following log entries occur during changes to the master key or aspects of the changing process.
Loading keys from the file.
Unit key read from the hardware.
Attempting Master Key migration to new unit key.
Master Key updated by user <user>
Unit key hash on write: <hash value>
Reloading the RSA unit to support config roll forward.
Read the unit key file if exists.
Loading master key from database object!

2. The following log entries relate to loading the unit key from the hardware, if these are different, there is an issue with the hardware.
Unit key hash from key header: <hash value>
Unit key hash computed from read key: <hash value>

3. The following log entries indicate that the master key is missing or corrupted:
Unable to load master key from database. Configuration object was null.
Unable to load master key from database. Empty master key attribute.
Unable to load master key from database. Master key decode fails.
Secondaries couldn't load master key from the file.
Secondaries couldn't load master key from the database.

Impact:
1. No impact.
2. Attempt rebooting the BIG-IP.
3. Recreate the master key

Recommended Action:
None.

01071047 : Removing %d %s local objects from slot %d

Location:
/var/log/ltm

Conditions:
mcpd logs this message in response to removing configuration objects associated with a chassis slot. This can happen as the result of a cluster member being disabled or going down. Interfaces and trunk working members, for example, which are associated with the cluster member are then removed.

Impact:
This is expected behavior. The removed configuration objects will be unavailable for a given slot until the blade has been restored.

Recommended Action:
None.

01071070 : Failed to %s file %s with error %d

Location:
/var/log/ltm

Conditions:
Mcpd logs this message in response to two events:
1. Failing to change permissions to read-only for file BigDB.dat
2. Failing to open file BigDB.dat

Both issues will be accompanied by an errno number. The first corresponds to the return value of chmod. The second corresponds to an error produced while attempting to construct an ofstream.

Impact:
The impact of failing to change permissions to read-only is that BigDB.dat can still be written to. This may be inconsequential, but it could also lead to unexpected behavior.

If mcpd fails to open BigDB.dat, it will throw an exception and core.

Recommended Action:
Unknown at this time. The workaround depends on what errno is given with the failure.

01071138 : The access policy (%s) has an action/macrocall item (%s) that is referenced by any rule's next item for %d time(s). Exactly one reference is allowed.

Location:
/var/log/ltm or TMSH

Conditions:
Access policy has incorrect topology. This might happen during access policy creation/modification by TMSH commands or script, at access policy import, or at configuration loading/verification.

Impact:
Access policy with incorrect topology is not created/modified.

Recommended Action:
If the message appears during access policy creation/modification by TMSH script, it is necessary to check the script used and correct it to exclude the invalid "next item" clause in API rules.
If the message appears during access policy import or configuration loading, there is no simple workaround. It is not recommended to try to use a broken configuration.
Manual editing of configuration files or exported access policy archive might be necessary, but it must not be done without explicit support recommendations.

01071246 : "Unable to reload the dns cache\n"

Location:
/var/log/ltm

Conditions:
This message can appear when dnscached failed to reload configuration files. Most likely that happens during the BIG-IP device startup, when dnscached is not started yet, but the command to reload configuration already executed.

Impact:
dnscached might have an invalid configuration or is not configured.

Recommended Action:
When the BIG-IP device is fully started, you can restart dnscached to reload the configuration:
tmsh modify sys db dns.cache value disable
tmsh modify sys db dns.cache value enable

To verify current status of dnscached, please use command:
tmsh list sys db dns.cache

010712a5 : Ha_group %s unknown %s %s.

Location:
/var/log/ltm, tmsh

Conditions:
The administrator has attempted to add a non-existent pool, trunk, or cluster object to an ha-group.

Impact:
The ha-group configuration is not modified.

Recommended Action:
Specify an existing pool, trunk, or cluster object for the HA group.

01071321 : Vlan allowed mismatch found: hypervisor (%s:%s), guest (%s:%s) and (%s:%s).

Location:
/var/log/ltm on a VCMP guest

Conditions:
A VLAN in a VCMP guest matches either the name or tag of a VCMP-host published VLAN. This usually happens when a VCMP-published VLAN is modified in the VCMP guest.

Impact:
This log message will appear in /var/log/ltm to advise a VCMP guest administrator about the mismatch.

Recommended Action:
Ensure that your VLAN configuration is as you expect, and consider modifying your VLAN configuration on either your host or your guest to resolve this error. Support usually recommends making VLAN changes on the VCMP host, which are then published to the VCMP guest in this case.

01071392 : Background command '%s' failed. %s

Location:
/var/log/ltm

Conditions:
Many components use this to execute a command. If the command fails, this message is logged for the command.

Impact:
Many components use this to execute a command. Actual impact depends on the command.

Recommended Action:
Many components use this to execute a command. A workaround might not be needed, or depends on the command.

Debug information might be obtained by setting mcpd's log level to info.

010713b1 : Cannot delete IP (%s) because it is used by the system state-mirroring (%s) setting.

Location:
/var/log/ltm, console, and GUI.

Conditions:
When trying to delete a self IP, but self IP is referenced in mirroring settings.

Impact:
Prevent the self IP from being deleted, until the mirroring setting no longer references the self IP.

Recommended Action:
Remove the self IP from the mirroring setting before trying to delete the self IP again.

010713b8 : Propose change to system hostname (%s).

Location:
/var/log/ltm

Conditions:
This message is logged by mcpd when vCMP hypervisor proposed a hostname change.

Impact:
None.

Recommended Action:
None.

010713ba : Propose change to default gateway (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs on a VCMP guest when the VCMP guest starts, and when a user on the VCMP hypervisor changes the management gateway of the VCMP guest.

Impact:
None.

Recommended Action:
None.

010713bc : Propose change to management IP address (%s/%s).

Location:
/var/log/ltm

Conditions:
This message is logged on a VCMP guest when either of the following occurs:
1) When the VCMP guest starts
2) When a user on the VCMP hypervisor changes the management address of the VCMP guest.

Impact:
None. This log message is informational.

Recommended Action:
N/A

010713c0 : System state ready for hypervisor mgmt settings: (%s)

Location:
/var/log/ltm

Conditions:
This message is displayed during normal start-up on a VCMP guest when the VCMP guest received a management address or hostname from the VCMP host.

Impact:
This log message informs the user whether or not the VCMP guest is ready to install the management network and hostname config proposed by the VCMP host

Recommended Action:
None.

010713c1 : Initial management network proposals triggered (%s)

Location:
/var/log/ltm

Conditions:
Mcpd is initializing the hypervisor admin network settings. This generally happens upon system startup, re-licensing, or when the system status goes from down to up.

Impact:
There is no expected immediate impact of this message. The message merely indicates that mcpd has begun performing an operation and that there are no expected side effects until that operation is complete.

Recommended Action:
None.

010713c2 : No new proposal values detected

Location:
/var/log/ltm

Conditions:
Mcpd processed a message to update the settings for the admin network parameters or cluster floating interface (address, gateway address, or hostname), however, the message contained no new or changed information.

Impact:
No changes will be made to the admin network parameters or cluster floating interface.

Recommended Action:
If a change to the admin network parameters or cluster floating interface was intended, verify that the correctly changed information has been provided through the chosen configuration method.

010713c3 : Hypervisor updating %s. Old value: (%s) New value: (%s).

Location:
/var/log/ltm

Conditions:
This message is displayed during normal start-up on a VCMP guest when the VCMP guest received a management address or hostname from the VCMP host.

Impact:
The VCMP guest might install the proposed configuration depending on its current configuration.

Recommended Action:
None.

010713f6 : CentMgmt objects must be in the '/Common' folder

Location:
/var/log/ltm

Conditions:
Prior to version 11.1.0, using the cm device command to add a device to the system outside of devmgmtd.

Impact:
None.

Recommended Action:
None.

01071412 : Cannot delete IP (%s) because it is used by the system config-sync setting.

Location:
/var/log/ltm, console, and GUI.

Conditions:
When trying to delete a self IP, but self IP is referenced in config sync settings.

Impact:
Prevent the self IP from being deleted, until the config sync settings no longer reference the self IP.

Recommended Action:
Remove the self IP from the config sync setting before trying to delete the self IP again.

0107142f : Can't connect to CMI peer %s, %s

Location:
/var/log/ltm reports "Can't connect to CMI peer %s, %s"

tmsh show cm sync-status shows the connection state

tmsh prompt will show whether devices are connected. States include 'connected' or 'disconnected'.

Conditions:
Internal Conditions:
- socket failures, for example, create, setting socket options, failure to connect or poll on file descriptor.
- TMM on the local side has not yet established a listener (or failed to bind the socket)

External Conditions:
- The other device isn't ready, for example, the TMM on the other side hasn't been initialized to receive connections.
- General network failures (e.g. switch failure, cable failure, power outage, etc.)

Impact:
This generally is not a BIG-IP system error; it indicates external network failures. The BIG-IP will attempt to reconnect to peers till there's a successful connection.

Recommended Action:
This error is usually seen as a result of external network problems, but can be a symptom of internal problems such as mcpd running out of memory, the kernel running out of file descriptors, or mcpd restarting. This error is usually seen as a result of external network problems, but can be a symptom of internal problems such as mcpd running out of memory, the kernel running out of file descriptors, or mcpd restarting.

To check file descriptors: sysctl fs.file-nr

If mcpd runs out of memory or restarts, it should be logged in /var/log/ltm.

The config-sync connection uses port 6699, which is then routed and tunneled through tmm which establishes an ssl connection on port 4353 to the peer.

To check if the config sync listener exists and whether there are peer connections over the config-sync connection:
    lsof -i | grep 6699

This should produce something like the following:
mcpd 6594 root 20u IPv6 1004016 TCP 10.20.0.1:6699 (LISTEN)
mcpd 6594 root 106u IPv6 1004433 TCP 10.20.0.1:6699->10.20.0.2:49485 (ESTABLISHED)
mcpd 6594 root 108u IPv6 1004454 TCP 10.20.0.1:40654->10.20.0.2:6699 (ESTABLISHED)

This indicates that the local BIG-IP has successfully created a listener, and is listening for peer connections, and that there are two connections for each peer device (one in each direction). This might help you determine which connection failed to connect.

To inspect the unencrypted CMI traffic on the BIG-IP:
    tcpdump -nn -l -i <config sync vlan>:h port 6699
To check file descriptors: sysctl fs.file-nr

If mcpd runs out of memory or restarts, it should be logged in /var/log/ltm.

The config-sync connection uses port 6699, which is then routed and tunneled through tmm which establishes an ssl connection on port 4353 to the peer.

To check if the config sync listener exists and whether there are peer connections over the config-sync connection:
    lsof -i | grep 6699

This should product something like the following:
mcpd 6594 root 20u IPv6 1004016 TCP 10.20.0.1:6699 (LISTEN)
mcpd 6594 root 106u IPv6 1004433 TCP 10.20.0.1:6699->10.20.0.2:49485 (ESTABLISHED)
mcpd 6594 root 108u IPv6 1004454 TCP 10.20.0.1:40654->10.20.0.2:6699 (ESTABLISHED)

This indicates that the local BIG-IP has successfully created a listener and is listening for peer connections and that there are two connections for each peer device (one in each direction). This may help you determine which connection failed to connect.

To inspect the unencrypted CMI traffic on the BIG-IP:
    tcpdump -nn -l -i <config sync vlan>:h port 6699

01071430 : Cannot create CMI listener socket on address %s, port %d, %s

Location:
This will show in /var/log/ltm, and the CMI section of the prompt status will stay Disconnected.

Conditions:
Unable to create and bind the TCP connection used for listening to incoming CMI connections. The message will include strerror(3) output describing the problem.

Impact:
CMI will remain disconnected.

Recommended Action:
If the error string contains 'Cannot assign requested address', then ensure that a route exists to the remote device's configsync-ip.

01071431 : Attempting to connect to CMI peer %s port %d

Location:
/var/log/ltm

Conditions:
mcpd is starting up and attempting to set up a CMI connection to another device in the trust domain.

Impact:
This is not an error message. Other later messages will indicate whether this succeeded or failed.

Recommended Action:
None.

01071432 : CMI peer connection established to %s port %d after %d retries

Location:
/var/log/ltm

Conditions:
This device has successfully created a CMI connection to another device in the trust domain. This happens on mcpd startup or after a previous disconnection.

Impact:
This is not an error message. Configuration synchronization is now possible with the named device.

Recommended Action:
None.

01071434 : No CMI peer devices configured

Location:
/var/log/ltm

Conditions:
A device is in a DSC trust domain with other devices, but no config sync addresses have been configured.

Impact:
The device will be unable to connect to peers to sync configuration.

Recommended Action:
The user might be able to configure the configsync-ip on the local device to resolve the issue. If multiple devices are in this state, it might require the user to reset the trust on all of the devices, configure the configsync-ip individually, and then re-add the devices to the trust domain.

01071435 : Disconnecting from CMI peer %s as a result of a reconfiguration

Location:
/var/log/ltm

Conditions:
The CMI configuration has changed, requiring mcpd to intentionally disconnect from the named device. If it makes sense for the configuration change, it will attempt to reconnect shortly.

Impact:
If this happens because you removed a device from trust, there is no impact. If you modified the CMI configuration but left the device in place, you will not be able to sync the configuration until the device has reconnected.

Recommended Action:
None.

01071436 : CMI listener established at %s port %d

Location:
/var/log/ltm

Conditions:
mcpd is initializing and successfully created a listener that can accept incoming CMI connections.

Impact:
This is not an error message. This part of the system is healthy. mcpd can now accept incoming CMI connections.

Recommended Action:
None.

0107143a : CMI reconnect timer: %s

Location:
This message appears in /var/log/ltm, but only when mcpd debug logging is enabled.

Conditions:
There are two possible versions of this message.

The following message occurs when the device loses its CMI connection to at least one other device, and is starting up a timer to try reconnecting every five seconds:
CMI reconnect timer: enabled because at least one device is disconnected

Once the condition is cleared, the following message occurs to indicate that the reconnect timer is canceled:
CMI reconnect timer: disabled because all peers are connecting or connected

Impact:
mcpd is unable to make a CMI connection to at least one other device. The prompt status will also show as Disconnected.

Recommended Action:
Investigate why the connection is failing. The other device might either be unreachable or having an error of its own. Run 'show cm sync-status' to see exactly which device is disconnected.

0107143b : CMI connection debug info: %s

Location:
/var/log/ltm

Conditions:
MCPD log level is set to 'debug'. Debugging message related to CMI inter-device configuration synchronization. Usually this message indicates a change in state, such as a device connecting or disconnecting.

Impact:
Generally low. If the system is in an error state, a higher priority message will be logged at the same time.

Recommended Action:
None.

0107143c : Connection to CMI peer %s has been removed

Location:
/var/log/ltm

Conditions:
The CMI connection to another device has disconnected, either due to a problem with the other device or with the link itself.

Impact:
Synchable configuration will not be sent to the device in question until the connectivity problem is resolved.

Recommended Action:
If this is unexpected, inspect the log on the other process to determine what may be going wrong.

01071451 : Received CMI hello from %s

Location:
/var/log/ltm

Conditions:
Another device has established a CMI connection to this device.

Impact:
This is not an error message. CMI configuration sync will now be possible between the two devices.

Recommended Action:
None.

0107146f : Self-device %s address cannot reference the non-existent Self IP (%s); Create it in the /Common folder first.

Location:
/var/log/ltm, tmsh

Conditions:
The administrator has attempted to define a configsync or mirror-ip address that is not a valid self-ip.

Impact:
The operation fails and the address is not set.

Recommended Action:
Create the self-ip prior to using it as a configsync or mirror-ip address.

01071470 : Disconnecting from CMI device %s, the device is not in a trust domain

Location:
/var/log/ltm

Conditions:
This error occurs when another device attempts to create a CMI connection (that is, the mcpd for the additional device is starting up), and the device name it announces is unrecognized. This issue can occur if the device was removed from CMI while it was offline. Alternately, this error can occur if another device attempts to create a CMI connection, and there is no self device. During normal operation, this error is impossible.

Impact:
The BIG-IP system refuses to accept the connection. Sync will not occur, usually the expected behavior, because this message occurs if CMI was deconfigured on one device but the other devices were not informed.

Recommended Action:
Log on to the device attempting to connect, and remove it from its trust domain. Log on to any other devices in the trust domain and remove the device object. If desired, re-add the device to the trust domain.

0107147f : Could not read certificate file (%s)

Location:
This error message is displayed on the user interface, such as XUI or TMSH.

Conditions:
If you have scripts (such as iRule, CLI, APL or App Template scripts) and want to sign them for read-only protection, as part of the signing process, and the provided certificate cannot be read by BIG-IP system, this error message is displayed.

Impact:
When this message appears, verify that the certificate is correct and available before applying the signature.

Recommended Action:
When this message appears, verify that the certificate is correct and available before applying the signature.

01071485 : %s (%s) content does not match the signature.

Location:
/var/log/ltm, CLI, GUI

Conditions:
The signature on an AplScript, AppTemplate, CliShellScript, or iRule object does not match its contents.

Impact:
Configuration changes including the mismatched signature/content will be rejected.

Recommended Action:
None.

01071488 : Remote transaction for device group %s to commit id %llu %llu %s %llu failed with error %s

Location:
/var/log/ltm

Conditions:
This message occurs when this device sends a Config Sync to another device, and validation fails remotely on that device. This message includes another log message that provides more information.

This message indicates a legitimate misconfiguration, and provides an action to take that is related to the synchronized objects.

One common example applies to a floating self IP. The self IP object is required to name a VLAN on which it listens. A VLAN of the same name must exist on the other device, as well.

Impact:
The remote device aborted the Config Sync transaction, and did not acquire any of its changes.

Recommended Action:
This message can include a more specific error, which you can reference in the error catalog for resolution.

0107149c : Virtual server %s has more than one clientssl/serverssl profile but none of them is default for SNI.

Location:
/var/log/ltm

Conditions:
The virtual server is configured to securely host (such as through HTTPS) multiple DNS hostnames, but none of the profiles are the default, and the virtual server configuration has unchecked the "Require Peer SNI Support", thereby permitting client connections not using SNI support.

This is an error because a default profile is required to identify the SSL certificate to be provided from the virtual server to the client when an incoming client connection requests an unrecognized hostname, or when the client does not support the Server Name Identification extension (SNI, RFC 4366) to the TLS protocol.

Impact:
The virtual server configuration fails to load, and the virtual server is unavailable.

Recommended Action:
User should configure the server to select a default SSL profile for SNI, for each of one Client SSL profile and one Server SLL profile, or enable the feature to, 'Require Peer SNI support'. The configuration should then load successfully (a reboot is not required).

010714a0 : Sync of device group %s to commit id %llu %llu %s %llu from device %s complete

Location:
/var/log/ltm

Conditions:
The mcpd log level is set to 'notice' or 'debug', a device is in a trust domain with at least one other peer, and the peer synced a device group.

Impact:
The local device has updated the last sync information of the peer for a particular device group.

Recommended Action:
Set the db variable log.mcpd.level to 'notice' or any other more restrictive level.

01071515 : Unclassified domain logging on %s requires log publisher to be set.

Location:
tmsh, GUI

Conditions:
When configuring Unclassified domain logging in a classification profile, without any log profile assigned to classification profile.

Impact:
Unclassified domain logging is not available through classification HSL.

Recommended Action:
Attach log profile to classification profile.

01071528 : Device group '%s' sync inconsistent, %s.

Location:
/var/log/ltm, tmsh

Conditions:
This can be reported via:
"tmsh show /cm sync-status"

A device is in a DSC device group and a configuration sync failed.

Impact:
The configuration is unable to propagate to the peer.

Recommended Action:
There should be additional information in the message to indicate why the sync failed. There may also be additional logs in /var/log/ltm.

See also: tmsh show /cm sync-status

01071539 : Mcpd is starting. The BIG-IP version is %s

Location:
/var/log/ltm

Conditions:
mcpd is starting. This happens as a normal result of restarting the daemon or simply first time boot.

Impact:
This is normal and expected behavior. Mcpd should begin to progress through initialization phases.

Recommended Action:
None.

01071587 : Commit ID message ignored, %s

Location:
/var/log/ltm

Conditions:
This message occurs when a device receives a commit ID update (that is, a config change) from a peer, but the commit ID is missing the originator field.

Impact:
No known negative impact.

Recommended Action:
To examine the commit IDs from a peer, you can run tmsh run /cm sniff-updates.

010715bc : "The application service (%s) has strict updates enabled, the object (%s) must be updated using an application management interface."

Location:
GUI, CLI

Conditions:
An application service has strict updates enabled, and you are trying to manage associated objects outside of the application management interface.

Impact:
Any changes that you make directly to objects associated with the application service will be lost.

Recommended Action:
Update the objects through the iApp menu in the BIG-IP Configuration utility or through the tmsh sys appplication service. An alternative is to access the application service through the iApp menu, view the advanced properties, and disable strict updates for the service so that you can manage associated objects directly. However, if you use the iApp to make changes later, the changes that you made directly will be lost.

01071653 : Failed to create the (%s). The maximum allowable length of %d for name has been exceeded. The object name was (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
Attempt to create a TSIG key, Nameserver, or Cache with a name containing more than 255 characters.

Impact:
The TSIG key, Nameserver, or Cache is not created.

Recommended Action:
When creating TSIG key, Nameserver, or Cache, make sure the length of the name is within 255 characters.

0107167d : Data publisher not found or not implemented when processing request %s.

Location:
/var/log/ltm

Conditions:
Possible causes of this error include:
- Statsd daemon might not be running yet.
- Mcpd received a bad request.
- A stats publisher is not available to handle the request.

Impact:
Impact can potentially include:
- No stats available.
- Certain requests are not be processed by Mcpd.

Recommended Action:
(1) Ensure that statsd daemon is running. `bigstart status statsd merged`
(2) Ensure that the publishing daemon is running. For example, if the error is logged when you run `tmsh show net arp`, determine whether the TMM is up by running `bigstart status tmm`.

If any of the daemons are down, run `bigstart start <daemon>`.

If all daemons are running, then neither of the two cited daemons is the cause. Instead, the cause might be an internal issue related to a malformed request, in which case you should file a support ticket.

01071681 : SNMP_TRAP: Virtual %s has become available

Location:
/var/log/ltm

Conditions:
This message is logged when the virtual server becomes "available", transitioning from some other status. Note that this indicates the virtual server is now "status-green", transitioning from some other status such as "unchecked-blue" or "unavailable-red".

Impact:
This message is log-notification only when the virtual server status is changed to be available (status "green"). This is not an error, as this virtual server is established as correctly configured to receive new client connections.

Recommended Action:
This is not an error, but a notification of a virtual server status change that has now become available.

01071682 : SNMP_TRAP: Virtual %s has become unavailable

Location:
/var/log/ltm

Conditions:
Example:
SNMP_TRAP: Virtual my_server has become unavailable

This message is logged when the virtual server becomes "unavailable", transitioning from some other status. Note that this indicates the virtual server is now "status-red", transitioning from some other status such as "available-green" or "unchecked-blue".

Impact:
This message is log-notification only when the virtual server status is changed to be unavailable (status "red"). Because the virtual server is unavailable, no new client connections will be established to this virtual server.

Recommended Action:
This is a notification of a virtual server status change for a virtual server has now become unavailable. The unavailable-status (i.e., "red") might be an indication of an error, such as when the required number of pool members are unavailable due to configuration error or one-or-more pool member failures.

0107168c : Incremental sync complete: This system is updating the configuration on device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.

Location:
/var/log/ltm

Conditions:
A device in a DSC device group is able to successfully construct an incremental sync message requested by a peer.

Impact:
This is information about a successful operation.

Recommended Action:
None.

0107168e : Unable to do incremental sync, reverting to full load for device group %s device %s from commit id { %llu %llu %s } to commit id { %llu %llu %s }.

Location:
/var/log/ltm

Conditions:
The device is in a DSC device group with incremental sync enabled.

If a peer device requests an incremental sync, and the local device is unable to reconstruct the series of incremental syncs out of the sync cache from the commit_id specified by the peer, it will revert to a full sync.

This usually occurs because the cache is full and prior commit_id transactions have been dropped to make space.

The cache can be inspected by an Administrator via:
tmsh show cm device-group <device group name> incremental-config-sync-cache

The size of the cache can be set/checked per device group:
tmsh list cm device-group <device group name> incremental-config-sync-size-max

Impact:
Syncing may take a longer to complete. If automatic syncing is enabled, and many changes are made to configuration in the device group, this could cause mcpd to become unresponsive and in extreme cases run out of memory and core.

Recommended Action:
If a user is seeing this message, it's recommended to increase the size of the incremental sync cache and/or reduce the size and frequency of config changes.

010716b3 : A draft policy (%s) can not be applied to ACL rule (%s).

Location:
/var/log/ltm

Conditions:
An unpublished L7 policy is being assigned to an AFM ACL rule.

Impact:
Configuration validation, no impact.

Recommended Action:
Publish the L7 policy before assigning it to the AFM ACL rule.

010716b4 : Policy %s cannot be assigned to %s, because %s.

Location:
/var/log/ltm

Conditions:
An L7 policy is not compatible with a destination object, for example, when a non-classification policy is being assigned to an AFM ACL rule.

Impact:
Preventive configuration validation, no impact.

Recommended Action:
Attach only compatible L7 policies to a destination object.

010716e3 : Policy '%s'; an action precedes conditions in another rule.

Location:
/var/log/ltm

Conditions:
A Best-Match CPM policy has an action in one or more of its rules that is not guaranteed to follow a condition in one or more rules. (The rules containing the action and condition may be different.)

Impact:
The policy will not load.

Recommended Action:
Change the Best-Match policy so that the actions occur in events that are compatible with the conditions. Actions must always occur after conditions.

If action events are not guaranteed to follow conditions, then a programatic solution is available via iRules. The situation where the action's event is encountered before the condition event can be handled in an arbitrary way by the iRule.

0107172d : Policy '%s' can't be applied to virtual server '%s' because it has no rules

Location:
The error message is visible in the web user interface, TMSH/CLI console, and the LTM log (/var/log/ltm).

Conditions:
The error message is triggered by the attempt of a user driven action to create or modify an LTM policy without specifying policy rules.

Impact:
Directing the user to create or modify an LTM policy within the required validation conditions, in this case by specifying policy rules for the LTM policy.

Recommended Action:
The user action should follow the correct steps while creating or modifying an LTM policy, by adding at least a validation rule to the LTM policy.

01071764 : HA order list in traffic group (%s) cleared because there is no self failover device group.

Location:
/var/log/ltm

Conditions:
When a device is no longer a member of a sync-failover group, any ha-order list specified for any traffic group is automatically cleared.

Impact:
None. Expected behavior because of a configuration change.

Recommended Action:
None.

0107179a : Setting DB variable %s to %s. Reboot is required for changes to take effect.

Location:
/var/log/ltm

Conditions:
On a BIG-IP non-Virtual Edition (VE) device or hardware device that does not have a FIPS 140-2 Level 1 license, a FIPS 140-2 Level 1 license has been procured and installed.

-- BIG-IP non-VE or hardware device does not have a FIPS 140-2 Level 1 license.
-- A FIPS 140-2 Level 1 license is procured and installed.
-- The prompt changes to 'REBOOT REQUIRED'.

Impact:
The system prompt changes to 'REBOOT REQUIRED'. The device must be rebooted for the new license settings to take effect.

Recommended Action:
None.

010717b3 : Setting DHCP request-option to none can result in management-ip misconfiguration and loss of management connectivity.

Location:
/var/log/ltm

Conditions:
- Using DHCP to configure management-ip, management-route, DNS, hostname, etc. in a BIG-IP.
- Setting DHCP request-option to none using "tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options none".

Impact:
As request-options specify the management options that a dhclient running on BIG-IP device requests from the dhcp server in the network, setting request-options to none could result in a BIG-IP device not receiving any configuration (mgmt-ip, mgmt route, dns etc) crucial for management connectivity.

Recommended Action:
DHCP servers can be configured with "authoritative" setting, in which case, it would always provide dhclient with a fixed set of configuration, even if it receives an empty request-options list from dhclient.

010717b6 : %s can only be used in one LSN pool or security nat source translation object. The PCP Server %s (%s) is in use by lsn pool %s.

Location:
GUI, CLI

Conditions:
If PCP Server is already in use by one of the LSN Pools for FW NAT Source translation objects and the user is configuring the same PCP server on another LSN Pool or FW NAT source translation object, user will see this MCP validation error.

Impact:
Creation/Modificaton of the LSN Pool or FW NAT Source translation object would fail unless the user modifies the PCP server field.

Recommended Action:
None.

010717dc : VXLAN tunnel remote address can be configured only as any(0.0.0.0) with flooding types none and multipoint.

Location:
GUI, /var/log/ltm

Conditions:
When configuring a non-multicast VXLAN tunnel in which the tunnel remote-address is set to non-zero address.

Impact:
MCP validation blocks this improper configuration for non-multicast VXLAN tunnels and displays this error message.

Recommended Action:
For non-multicast VXLAN tunnels, the user has to set the tunnel remote-address to 'any' (0.0.0.0).

010717e2 : Client SSL profile (%s): must have at least one set of %s.

Location:
/var/log/ltm

Conditions:
The user has configured a Client SSL profile improperly.

Impact:
The profile configuration does not specify a certificate/key pair, and is therefore disallowed.

Recommended Action:
Specify a certificate/key pair in the Client SSL profile configuration.

0107183b : Cannot disable LDNS cache when a Wide IP has persistence enabled.

Location:
/var/log/ltm

Conditions:
During a GTM configuration load or while processing a configuration modification, MCPD received a message to set the LDNS cache to disabled but there exists at least one wideip that has persistence enabled.

Impact:
The LDNS cache is required for wideip persistence, therefore MCPD will set the LDNS cache to enabled.

Recommended Action:
The LDNS cache must be enabled for wideip persistence to function; therefore, it is advised that either wideip persistence must be disabled or the LDNS cache must remain enabled.

The following tmsh command will disable persistence for all wideips of the specified record type:
tmsh modify gtm wideip <wideip_record_type> all persistence disabled

01071860 : Cannot enable feed list %s. Maximum number of enabled feed list allowed is %d.

Location:
log/UI/TMSH, GUI

Conditions:
When trying to enable more than 8 urldb feedlist entries for custom url categorization.

Impact:
Only the first 8 feedlist entries will work.

Recommended Action:
Remove one or more feedlist entries from 8 already enabled feedlist entries, if a new one is needed.

01071863 : OCSP cert-validator (%s): DNS resolver and proxy server pool can not be both empty.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to create an OCSP cert-validator, but assigning neither a DNS resolver nor a proxy server pool to the OCSP validator.

Impact:
None.

Recommended Action:
Specify either a DNS resolver or a proxy server pool for the OCSP cert-validator.

01071864 : OCSP cert-validator (%s): The certificate (%s) can not be used by an OCSP cert-validator as a %s, because it is currently using some cert-validator (%s) to monitor its status.

Location:
/var/log/ltm

Conditions:
The error message is not being used.

Impact:
None.

Recommended Action:
None.

01071865 : Unable to find an HTTP-based OCSP responder URL that is configured in the OCSP cert-validator (%s) or in the AIA (Authority Information Access) extension of the certificate (%s).

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
An OCSP validator is assigned to a certificate, but no OCSP responder URL is found in either the OCSP validator's configuration or the certificate's AIA (Authority Information Access) extension.

Impact:
None.

Recommended Action:
Either configure the OCSP responder URL for the OCSP validator, or use a certificate that contains the AIA extension that specifies the OCSP responder's URL.

01071866 : OCSP cert-validator (%s): Please specify a HTTP-based absolute URL for the OCSP responder.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to configure an invalid URL address (not starting with http://) as the responder URL of an OCSP cert-validator.

Impact:
None.

Recommended Action:
Configure an OCSP responder URL to the OCSP cert-validator that starts with "http://".

01071867 : OCSP cert-validator (%s): Both key and certificate should be specified for signing the OCSP request.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to configure only the signer key (without a signer certificate) or only the signer certificate (without a signer key) to an OCSP cert-validator. Signer key and certificate should come as a pair.

Impact:
None.

Recommended Action:
Either specify both key and certificate, or specify none of them.

01071868 : OCSP cert-validator (%s): Only prime256v1 named curve is supported for signer key.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The signer key of the OCSP validator is an EC (elliptic curve) key with an unsupported curve type (the only supported curve is prime256v1).

Impact:
None.

Recommended Action:
If the signer key is an EC (elliptic curve) key, make sure that its curve type is prime256v1.

01071869 : OCSP cert-validator (%s): Security type %s is not supported for signer key.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to configure a signer key to an OCSP validator, but the key type of the signer key is not supported.

Impact:
None.

Recommended Action:
The security type of the key can be obtained by "tmsh list sys crypto key". Currently fips and nethsm types are not supported.

0107186a : OCSP cert-validator (%s): Signer key (%s) and signer certificate (%s) do not match.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The signer key and signer certificate that the user is configuring for the OCSP cert-validator don't match.

Impact:
None.

Recommended Action:
Make sure that the key and certificate match each other. If not, try to get a correct key/certificate pair.

010718e1 : Only the standard-balanced-fpga firmware type is permitted in vCMP mode.

Location:
tmsh, GUI, iControl, /var/log/ltm

Conditions:
Provisioning VCMP or changing the FPGA.

Impact:
User is forced to only use standard-balanced-fpga when using VCMP.

Recommended Action:
Make sure the FPGA is set to standard-balanced-fpga when using VCMP.

010718e3 : Certificate (%s) has enabled OCSP at cert-validation-option but is not associated with any OCSP cert-validator.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to enable OCSP monitoring for a certificate that has no OCSP validator assigned.

Impact:
None.

Recommended Action:
Assign an OCSP validator to the certificate first, and then enable the OCSP monitoring for the certificate.

010718e4 : OCSP cert-validator (%s): can not use both DNS resolver and proxy server pool. Please ensure that only one of them is configured.

Location:
/var/log/ltm, tmsh console, iControl, GUI

Conditions:
The user is trying to create an OCSP cert-validator, but assigning both of DNS resolver and proxy server pool to the OCSP validator.

Impact:
None.

Recommended Action:
Remove either the DNS resolver or proxy server pool from the OCSP cert-validator.

01071909 : Anti-Fraud publisher '%s' is required to be with one destination of type '%s'.

Location:
TMSH, GUI

Conditions:
Trying to delete a publisher used by Anti-Fraud, or trying to set a publisher with wrong destination type.

Impact:
Configuration will fail.

Recommended Action:
Detach publisher from Anti-Fraud profile prior publisher removal. Set a publisher with the correct destination type.

0107190a : Field '%s' cannot be empty in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, GUI, and console

Conditions:
An empty field was specified while configuring an Anti-Fraud profile.

Impact:
Configuration will not be applied.

Recommended Action:
Specify a non-empty field.

01071911 : %s in rule (%s) are not allowed under %s event on the %s (%s).

Location:
/var/log/ltm, GUI

Conditions:
This is an error that is issued when MCPD is validating iRule proc with the current configuration and detecting an incompatibility.

This scenario is most likely involves the user creating a library of nested reusable iRule procs that are meant to be called from multiple event based iRules and other procs, and then combining one or more iRules with these procs by associating them with the virtual server in order to achieve the desired behavior. One or more of of the rules invoking functionality in the procs does so in under the wrong event.

For example, an iRule proc might attempt to return an application specific combination of HTTP headers, including the host header:

# user creates virtual
ltm virtual vs_http {
   destination any:80
   profiles {
     http {}
     tcp {}
   }
   ...
}
   

# user creates rule in ltm rule /Common/rl_app_http
proc get_app_host_headers { } {
 return "[HTTP::header app_1]-[HTTP::host]"
}
proc get_app_headers { } {
 return "[call get_app_host_headers]-[HTTP::host]"
}

this code may then be called from an iRule event in
# in ltm rule /Common/rl_http_req
when HTTP_RESPONSE {
 set app_h [call rl_app_http::get_app_host_headers]
}


# Error is issued by validation code upon saving since HTTP::host is not valid under HTTP_RESPONSE

Impact:
Saving the modified configuration will not be possible.
The virtual server configuration or iRules need to be corrected before saving the configuration will be possible.

Recommended Action:
Users need to ensure that the correct combination of iRule commands and events is associated with the virtual server by performing one of the steps:
1. Associate the right profile(s) with the virtual server.
2. Use only applicable commands in iRule procs.
3. Ensure that the combination of events in iRules and commands is still valid when modifying virtual server configuration.

01071912 : %s in rule (%s) requires an associated %s profile on the %s (%s).

Location:
/var/log/ltm

Conditions:
A an iRule script was added to a virtual that referred to a configuration object (like pool, snat pool, transport-congig, etc). When this iRule script was added to a virtual or transport-config, the validation logic identified that the referred object would not be present unless the named profile existed on the virtual or transport-config.

Impact:
There should be no impact. The validation logic checks the configuration to insure the script will run properly.

Recommended Action:
Remove the reference to the named object and add the script to the virtual or transport-config.

01071913 : %s in rule (%s) under %s event at %s (%s) does not satisfy cmd/event/profile requirement.

Location:
/var/log/ltm and GUI

Conditions:
This is an error that is issued when MCPD is validating iRule proc with the current configuration and detecting an incompatibility.

This scenario is most likely involving the user creating a library of reusable iRule procs that are meant to be called from multiple event based iRules, and then combining one or more iRules with these procs by associating them with the virtual server in order to achieve the desired behavior. The user then decides to remove a profile deemed unnecessary from the virtual.

However, the combination of virtual server, the iRule event that leads to calling the proc and the commands executed in the iRule proc itself, might lead to incompatible combination.

For example, an iRule proc might attempt to return an application specific combination of HTTP headers:

# user creates virtual
ltm virtual vs_http {
   destination any:80
   profiles {
     http {}
     tcp {}
   }
   ...
}
   

# user creates rule in ltm rule /Common/rl_app_http
proc get_app_headers { } {
 return "[HTTP::header app_1]-[HTTP::header app_2]"
}

this code may then be called from an iRule event in
# in ltm rule /Common/rl_http_req
when HTTP_REQUEST {
 set app_h [call rl_app_http::get_app_headers]
}


# user then decides to remove http profile from the virtual server
... (tmos)# mod ltm virtual vs_http profiles delete { http } <ENTER>

# Error is issued by validation code

Impact:
Saving the modified configuration will not be possible.
The virtual server configuration or iRules need to be corrected before saving the
configuration will be possible.

Recommended Action:
Users need to ensure that the correct combination of iRule commands and events is associated with the virtual server by performing one of the steps below:
1. Associate the right profile(s) with the virtual server
2. Use only applicable commands in iRule procs
3. Ensure the combination of events in iRules and commands is still valid when modifying
   virtual server configuration

01071918 : CMI device (%s) has a different version (%s) from this device (%s).

Location:
/var/log/ltm

Conditions:
Another device attempts to make a CMI connection to this device, but reports that it has a different version of TMOS than this device.

This message will show up during the process of upgrading a CMI trust domain from one version of TMOS to a later one.

Impact:
CMI sync between devices of different versions is not supported.

Recommended Action:
This message usually will show up during the process of upgrading a CMI trust domain from one version of TMOS to a later one. Once all devices are upgraded to the new TMOS version, they will be able to connect to each other.

010719a8 : URL parameters can be %s only when %s is enabled in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Parameter's flag is dependent on URL flag. (in order to enable Parameter's flag 'A', URL's flag 'B' must be enabled).

Impact:
Parameter's flag won't be set.

Recommended Action:
Enable the dependent flags.

010719ac : Parameter cannot be %s while it is %s in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
A mobilesafe parameter is marked as encrypted, and the user want's to mark it as enforced (entangled).
OR
A mobilesafe parameter is marked as enforced, and the user want's to mark it as encrypted.

Impact:
Parameter remains with original flag enabled.

Recommended Action:
Enable either "encrypted" or "enforced", but not both.

010719b7 : URL whitelist words can be selected only from malware blacklist words in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Setting a whitelist word that isn't configured in blacklist words (of the same profile).

Impact:
The mcp transaction aborted. Malware object is not changed.

Recommended Action:
Add whitelist words only if they are configured in blacklist words (of the same profile).

010719b7 : Anti-Fraud DOM signature '%s'(hash ID) cannot be deleted as it appears in the DOM signatures whitelist in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to delete an Anti-Fraud DOM signature that appears in a DOM signatures whitelist. The whitelist is in a URL in the Anti-Fraud profile.

Impact:
The Anti-Fraud DOM signature is not deleted.

Recommended Action:
If an Anti-Fraud DOM signature needs to be deleted, then before deleting it,
remove it from all DOM signatures whitelists that it appears in.

010719c9 : Unicast address warning (FAILOVER MAY NOT WORK): %s should be a mgmt (blade) address or non-floating self IP.

Location:
/var/log/ltm

Conditions:
The address does not seem to be valid with the information present in the local box, but may still be valid based on the configuration of the network.

Impact:
Verify the unicast address to make sure there is not a configuration error.

Recommended Action:
None.

010719d6 : The location '%s' cannot have empty path between leading '/' and file extension or trailing '/', and also cannot contain only '/' and '.' in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Setting invalid location (empty or contains only '/' and '.' characters).

Impact:
The mcp transaction aborted. Changes will not take effect.

Recommended Action:
Set valid locations only (non-empty, containing alphanumeric characters).

010719e7 : Virtual Address %s general status changed from %s to %s.

Location:
/var/log/ltm

Conditions:
Example:
Virtual Address my_server general status changed from YELLOW to GREEN.

This message is logged when a general status change is detected for the virtual address. Possible general statuses for a virtual address include: 'GREEN', 'YELLOW', 'RED', 'BLUE', 'GRAY'.

The general status for a virtual address typically depends on one-or-more pool members, and the associated configuration of the virtual address itself. For example, a pool of four members might be associated with a virtual address, and require a minimum of two pool members to be available for the virtual address to be marked up (that is, "GREEN"). Thus, the conditions for a change in the general status of the virtual address include a combination of the virtual address configuration, plus the health of the contributing pool members.

Impact:
This message might not indicate an error, because it merely reports the detected general status change. For example, upon system start, it is expected that the general status might change from "BLUE" (unchecked) to "GREEN" (available). Similarly, user-action (such as through xui or tmsh) might explicitly change the general status, such as to "GRAY" when forcing the virtual address to be unavailable during maintenance.

Recommended Action:
This message might not indicate an error, but a notification of a virtual address general status change, due to monitor results or user-initiated action. If an unexpected "RED" status is reported, the user should verify the virtual address configuration, and the availability of the contributing pool members.

010719e8 : Virtual Address %s monitor status changed from %s to %s.

Location:
/var/log/ltm

Conditions:
Example:
Virtual Address my_name monitor status changed from CHECKING to UP.

This message is logged when a status change is detected for a virtual address. Possible statuses include: "UNCHECKED", "CHECKING", "INBAND", "FORCED_UP", "UP", "UP_MAX", "DOWN_MIN", "ADDR_DOWN", "DOWN", "FORCED_DOWN", "MAINT", "IRULE_DOWN", "INBAND_DOWN", "DOWN_WAIT_MAN_RES".

Impact:
This message might not itself indicate an error, as it merely reports the detected status change. For example, upon system start it is expected that the status might change from "UNCHECKED" to "CHECKING" to "UP". Similarly, user action (such as through the xui or tmsh) might explicitly change the status, for example, to "FORCED_DOWN".

However, an unexpected "DOWN" status not resulting from intentional user-initiated action might indicate an issue, such as a failed resource or an improperly configured virtual address.

Recommended Action:
This message might not itself indicate an error, but a notification of a virtual address status change, due to monitor results or user-initiated action. If an unexpected "DOWN" status is reported, the user should verify that the virtual address is available and ensure correct monitor configuration.

010719ea : GTM changed state from %s to %s.

Location:
/var/log/ltm

Conditions:
Example:
notice reported: notice mcpd[7345]: 010719ea:5: GTM changed state from UP to DOWN.

This message is not an error by itself, only a notice.
It only means that the GTM module went from UP to DOWN or vice versa.
If the message shows up repeatedly in the logs, this could mean that something else is wrong with the system and the user should look for additional clues as to why this is happening.

Impact:
"GTM changed state from UP to DOWN" means that the gtmd daemon went offline, while offline GTM functionalities will not be available.
"GTM changed state from DOWN to UP" means that the gtmd daemon went online, while online GTM functionalities are available.

Recommended Action:
If GTM is DOWN, the user can bring the daemon back online with the command "bigstart start gtmd", "bigstart stop gtmd" to take it offline. If that does not work, the user should investigate further as to why the daemon is going offline or refusing to come online.

010719fd : No IPv%s self IP exists on VLAN (%s) for static route (%s)

Location:
/var/log/ltm

Conditions:
The last IPv4 or IPv6 self IP was deleted from a VLAN, which will leave a static route without an IP on the egress VLAN.

Impact:
The self IP cannot be deleted until the static route is deleted or its nexthop is changed to use a different VLAN.

Recommended Action:
Before deleting the last IPv4 or IPv6 self IP from a VLAN, delete static routes for that protocol that use the VLAN.

01071a01 : URL parameters can appear only in POST request when Mobile encryption is enabled in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Trying to set a Mobilesafe parameter to GET method.

Impact:
The transaction aborted. No change to parameter.

Recommended Action:
Either disable mobilesafe encryption, or declare mobilesafe parameter for POST method only.

01071a14 : device_trust_group: Requesting device data from device %s.

Location:
/var/log/ltm

Conditions:
When the local device requests device-specific data from the remote device. This usually happens when the remote device has changed something in its device data, and the local device needs to sync this information.

Impact:
None.

Recommended Action:
None.

01071a15 : device_trust_group: Sending device data to device %s.

Location:
/var/log/ltm

Conditions:
Information that a device is sending its device-specific trust data to the remote device that requested it.

Impact:
None.

Recommended Action:
None.

01071a37 : Anti-Fraud %s '%s' was created as %s and this setting cannot be changed.

Location:
/var/log/ltm

Conditions:
Attempting to change the type of an Anti-Fraud URL or parameter from explicit to wildcard and vice-versa.

Impact:
Configuration will not load.

Recommended Action:
Do not change the type of an Anti-Fraud URL or parameter. Delete item and recreate it with the desired type instead.

01071a38 : Wildcard %ss must have unique priorities in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm

Conditions:
Attempting to assign identical priorities to wildcard URLs or parameters in an Anti-Fraud profile.

Impact:
Configuration will not load.

Recommended Action:
Verify priorities are unique among wildcard URLs or parameters in an Anti-Fraud profile.

01071a39 : Cannot %s of explicit %s in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm

Conditions:
Attempting to edit priority of explicit URL or parameter in an Anti-Fraud profile.

Impact:
Configuration will not load.

Recommended Action:
Do not edit priority of an explicit URL or parameter.

01071a6e : Incompatible options - traffic group %s cannot have both auto-failback-enabled and the failover-method set to ha-score

Location:
/var/log/ltm, console

Conditions:
When a user tries to set both parameters for a traffic-group.

Impact:
The command will not be executed.

Recommended Action:
None.

01071a85 : Wildcard URL cannot have %s enabled in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, GUI

Conditions:
Trying to set mutual exclusive flags (that is, wildcard + mobilesafe encryption).

Impact:
The mcp transaction aborted. No change will be made to URL object.

Recommended Action:
Do not try to set mutual exclusive flags.

01071a95 : Admin IP (%s/%s): Gateway (%s) for management route (%s) is not in a connected network.

Location:
/var/log/ltm

Conditions:
When the user creates a management-ip that is not on the same subnet as the management-route, an error message is added to /var/log/ltm.
This validation error message is to help the user to prevent leaving a stray management gateway configured.

Impact:
None.

Recommended Action:
Delete the stray management-route and add a new one that matches the management-ip.

01071a9a : The '%s' for interface %s has been adjusted to '%s'.

Location:
/var/log/ltm

Conditions:
The bundle status and bundle speed attributes of each interface are detected when the system boots up, based on the type of physical ports.
For ports that support the bundle feature, the two attributes have to be updated to reflect the run time values.
A notice is logged into the /var/log/ltm to notify the user of this update.

Impact:
None.

Recommended Action:
None.

01071aa6 : %s bad actor cannot be enabled if per-source detection/limit pps is less than 1% of the DoS vector (%s) %s setting for %s.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit pps is less than 1 percent of the corresponding value of the DoS vector. The Dos vector is specified by the configuration value of the rate threshold/rate limit in the DoS vector.

Impact:
Security DoS DNS/SIP/NETWORK/Device attack vector bad actor cannot be enabled.

Recommended Action:
Change the configuration settings of the DoS attack vector for either per-source detection/limit pps or rate threshold/rate limit.

01071aa7 : %s bad actor per-source detection/limit pps cannot be greater than the Dos vector (%s) %s setting for %s.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit pps is greater than the corresponding value of the DoS vector. The DoS vector is specified by the configuration value of the rate threshold/rate limit in the DoS vector.

Impact:
The security DoS DNS/SIP/NETWORK/Device attack vector bad actor cannot be enabled.

Recommended Action:
Change the configuration settings of attack vector for either the per-source detection/limit pps or the rate threshold/rate limit.

01071acc : Cannot enable maintenance mode when device is forced offline.

Location:
/var/log/ltm, GUI, console

Conditions:
When the device is in forced offline mode; setting it to maintenance mode will not be allowed until the device is back online.

Impact:
None. Validation for a bad config operation.

Recommended Action:
None.

01071acd : The requested device (%s) was not found in self failover device group (%s).

Location:
/var/log/ltm, GUI, console

Conditions:
When a device is not a member of the failover group and a command is executed to specify a traffic group HA order, including the non-member device.

Impact:
The respective HA order command will be rejected with the validation error displayed in the respective UI.

Recommended Action:
Do not include devices that are not member of the failover group when specifying a traffic group HA order; or include the device non-member in the failover group before executing the HA order command.

01071ad3 : The requested provision module (%s) is not compatible with already provisioned module (%s).

Location:
GUI, console

Conditions:
(1) User tries to provision URLDB module, but SWG module is already configured.
(2) User tries to provision SWG module, but URLDB module is already configured.

Impact:
None.

Recommended Action:
Either provision SWG or URLDB module, depending on the use case, but not both.

01071ad4 : LSN pool %s shares the same name as security nat source translation object. LSN iRules that take in 'pool name' as an argument would default to LSN objects

Location:
GUI, CLI

Conditions:
Name of the object has to be unique across LSN Pools and Source translation object, and if the user is attempting to configure a LSN Pool or Source translation Object with name that is already in use by another LSN Pool or Source translation object, this mcpd validation error is thrown to the user via GUI or TMSH.

Impact:
Creation of the LSN pool or FW NAT source translation object would fail unless user uses a different name.

Recommended Action:
None

01071ad9 : Security NAT Source Translation object %s shares the same name as LSN pool. LSN iRules that take in 'pool name' as an argument would default to LSN objects.

Location:
GUI, CLI

Conditions:
This is a warning message shown to the user if the user is attempting to configure the FW Nat source translation object with a name that is already in use by another LSN Pool.

Impact:
User would see this warning, but the configuration will go through fine. So No impact.

Recommended Action:
None

01071af3 : URL parameters cannot be entangled for Mobile while no parameter is encrypted for Mobile in the Anti-Fraud profile '%s'.

Location:
mcpd, tmsh console, and GUI

Conditions:
Trying to enable Mobilesafe parameter's both encrypt and enforce (entangle) options.

Impact:
Mobilesafe Parameter can have encrypt or enforce options enabled, but not both.

Recommended Action:
None.

01071af8 : The firewall rule UUID cannot be modified by user once it's created.

Location:
/var/log/ltm

Conditions:
A user has tried to modify the policy rule UUID value.

Impact:
The operation to modify the policy rule fails.

Recommended Action:
Modify the policy rule without changing the UUID value.

01071af8 : The firewall rule UUID (%s) already exists in other rules.

Location:
/var/log/ltm

Conditions:
A firewall rule is attempting to use the same UUID that exists in another firewall policy.

Impact:
You cannot create the policy.

Recommended Action:
Try to create the policy with a different rule UUID.

01071af9 : The specified firewall rule UUID (%s) is diffrent from exists rule UUID.

Location:
/var/log/ltm

Conditions:
A different rule UUID has been applied to the same rule.

Impact:
Modifying the rule or re-creating the rule operation fails.

Recommended Action:
Allow the system to choose the rule UUID instead of specifying a different UUID for the same rule.

01071aff : AOM webui is not available in this release.

Location:
/var/log/ltm

Conditions:
When the user tries the following tmsh commands:
- modify sys aom webui enabled
- modify sys aom webui disabled

Impact:
The AOM web services are not supported in this release of BIG-IP software. Typing the tmsh command doesn't do anything.

Recommended Action:
None.

01071b00 : AOM vkvm is not available in this release.

Location:
/var/log/ltm

Conditions:
When the user tries the use one of the following the tmsh commands:
- modify sys vkvm enabled
- modify sys vkvm disabled

Impact:
This tmsh command does not do anything. The AOM Virtual Keyboard, Video and Mouse redirection is not supported in this release of BIG-IP software.

Recommended Action:
None.

01071b1d : The %s (%s) cannot be created because the %s secret generation failed due to (%s).

Location:
/var/log/ltm, GUI, tmsh console

Conditions:
This error can occur when you add Access:Federation:OAuthAuthorizationServer:ClientApplication or Access:Federation:OAuthAuthorizationServer:ResourceServer.

The error occurs when secret generation fails for the above instance.

Secret generation can fail due to:
-- Random generator failure.
-- MAC address read failure.
-- Memory allocated for the secret is not sufficient.

Impact:
The instance cannot be created for Access:Federation:OAuthAuthorizationServer:ClientApplication or Access:Federation:OAuthAuthorizationServer:ResourceServer.

Recommended Action:
None

01071b27 : Scope name cannot be empty for OAuth Authorization agent %s.

Location:
/var/log/apm, TMSH

Conditions:
The scope name is empty in the OAuth Authorization agent.

Impact:
Object save will fail.

Recommended Action:
Specify a scope name in the OAuth Authorization agent.

01071b28 : Scope name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth scope.

Location:
/var/log/apm, TMSH

Conditions:
If the scope referenced in the OAuth Authorization agent is not created under OAuth Scope, this error will be seen

Impact:
Object save will fail.

Recommended Action:
Create the scope under OAuth Scope first, and then it can be referenced in the OAuth Authorization agent.

01071b29 : %s entry refers to invalid OAuth Authorization agent %s, entry %d.

Location:
/var/log/apm, TMSH

Conditions:
This occurs when the OAuth Authorization Agent Scope or Claim entry refers to an invalid OAuth Authorization agent and its entry.

Impact:
Object won't be saved.

Recommended Action:
Specify the correct OAuth Authorization agent and its entry while creating or modifying an OAuth Authorization agent Scope or Claim entry.

01071b2c : The client app (%s) that is associated with the %s (%s) does not exist.

Location:
/var/log/apm, TMSH

Conditions:
This appears when a client app is referenced in an OAuth profile, and that OAuth client app does not exist.
It also appears when a JWT access token claim is associated with a client app, and the reference client app does not exist.

Impact:
Object save will fail.

Recommended Action:
Make sure that the client app is valid, or create one if necessary. And then, the client app can be referenced in the OAuth Profile, or while associating a JWT access token claim with the client app.

01071b3b : Notice: Purging initiated for OAuth DB Instance (%s). Time taken for DB purging depends on the amount of data; BIG-IP performance may be affected during this time. Only expired tokens will be removed.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator initiates an immediate DB purge of expired tokens (via the Purge Now button).

Impact:
BIG-IP system performance might be affected during this time.

Recommended Action:
None.

01071bad : The certificate (%s) can not simultaneously use a cert-validator (%s) and be configured as the %s of a cert-validator (%s).

Location:
/var/log/ltm, console, iControl, GUI

Conditions:
A conflicting configuration occurred, based on the configuration order:

Order 1: The certificate already has a cert-validator configured, but the user is trying to configure this certificate as some cert-validator's trusted responder or signer certificate.

Order 2 (the other way around): The certificate is already a trusted responder or signer certificate of some cert-validator, but the user is trying to assign a cert-validator to it.

Impact:
None.

Recommended Action:
None.

01071bbd : SSL profile (%s): When CRL configuration name (%s) is specified, both static CRL file (%s) and Allow-Expired-CRL settings are not allowed.

Location:
/var/log/ltm

Conditions:
A user has attempted to configure a CRL object and a static CRL file together in a Client SSL profile.

Impact:
The system has successfully prevented the user from an invalid configuration. There is no impact to the user.

Recommended Action:
None.

01071bcd : Security NAT Source Translation object (%s) cannot use both Self IP and DSLITE tunnel for PCP configuration.

Location:
GUI, CLI

Conditions:
If user is attempting to configure both the DSLITE and Self IP parameters in the PCP configuration in FW NAT source translation object, this error messages is shown to the user.

Impact:
Creation/Modification of the FW NAT source translation object would fail unless removes either of the Self IP or DS Lite tunnel PCP configuration.

Recommended Action:
None

01071bd1 : Inbound CMI connection from IP (%s) denied because it came from VLAN (%s), not from expected VLAN (%s).

Location:
/var/log/ltm

Conditions:
This should not happen under any circumstances.

Impact:
Mcpd has detected that sync traffic is being sent over a VLAN that is not the correct one. Therefore, if any traffic is sent, it is unexpectedly unencrypted. For security purposes, sync is disabled.

Recommended Action:
There is no workaround.

01071bd6 : %s (%s): Cannot enable Device-ID without enabling Bot Signatures and the 'Search Engine' Bot Signature Category.

Location:
/var/log/ltm, console

Conditions:
Using tmsh to create or modify a dos profile with application enabled, and enabling the device-id field without enabling the Search Engine Bot Signature Category.

Impact:
Creation or modification of the dos profile will fail.

Recommended Action:
Create the dos profile using two separate steps. For example:
create security dos profile dos1 application add { dos { bot-signatures { check enabled } } }
modify security dos profile dos1 application modify { dos { tps-based { device-captcha-challenge enabled } } }

01071bd8 : The tag-mode for requested member %s has to be 'none' on platforms that do not support QinQ.

Location:
/var/log/ltm

Conditions:
If the user attempts to configure the tag-mode of a VLAN member to some other value, but 'none' on platforms that do not support QinQ, the MCP validation rejects the configuration, and an error message is logged in the /var/log/ltm.

Impact:
The configuration issued via tmsh command is rejected as invalid.

Recommended Action:
If the user has to configure QinQ functionality, the use must switch to using a platform that supports QinQ.

01071be4 : port-fwd-mode value of interface (%s) is not compatible with vlan (%s) member interface (%s).

Location:
/var/log/ltm

Conditions:
This message is caused by an invalid configuration. When adding a member to a VLAN, the member's forwarding mode must be the same as other members in the vlan. For example, the port-fwd-mode value of the interface must be the same value as other interfaces in the same VLAN.

Impact:
Unable to add the member.

Recommended Action:
Inspect the relevant object configuration in VLAN, trunk, and interface. Do not add an incompatible member with different port-fwd-mode value to the same VLAN.

01071be5 : Member interface (%s) of trunk (%s) not found.

Location:
/var/log/ltm

Conditions:
Caused by an invalid configuration when a trunk consists of a interface, but the interface does not exist. This is very unlikely to happen.

Impact:
The interface will not be added.

Recommended Action:
Inspect the relevant object configuration in the trunk and interface. Delete the trunk object and re-create it.

01071be6 : port-fwd-mode value of interface (%s) is not compatible with trunk (%s) member interface (%s).

Location:
/var/log/ltm

Conditions:
This is caused by an invalid configuration. All interfaces in the same trunk must have the port-fwd-mode property set to the same value.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in trunk and interface. Only add interfaces with the same port-fwd-mode value to the same trunk.

01071bed : The URL (%s) belongs to Custom Category (%s) has invalid type as regex-match and not supported yet.

Location:
/var/log/ltm

Conditions:
When the custom category url type is mentioned as regex type, you would see this message in /var/log/ltm. This regex type is not exposed in TMUI or GUI. This is only possible through programmatic internal access.

Impact:
You will not see this message in console or GUI, because regex type is not exposed.

Recommended Action:
None.

01071bee : SSLv2 is no longer supported and has been removed. The 'sslv2' keyword in the cipher string has been ignored.

Location:
/var/log/ltm

Conditions:
This message appears if an ssl profile is parsed that has the sslv2 enabled. This is a warning that appears in the logs.

Impact:
The high level impact is that you are using an ssl profile that previously tried to enable sslv2. We have disabled sslv2 and this is warning them that we are ignoring the fact that they tried to enable sslv2. SSLv2 has numerous vulnerabilities and enabling it can even open up vulnerabilities in more secure versions of SSL or TLS.

Recommended Action:
Remove the "sslv2" string from the cipher list.

01071bf0 : Vlan %s c-tag %s is out of range.

Location:
/var/log/ltm

Conditions:
MCP validation code rejects the tmsh configuration for a vlan tag that is grater than 4094 or less than 1. An error is logged in /var/log/ltm.

Impact:
The configuration issued via tmsh command is rejected as invalid.

Recommended Action:
Reissue the tmsh command with a VLAN tag, which is less than or equal to 4094, and equal to or greater than 1.

01071bf1 : Vlan %s tag %d is out of range.

Location:
/var/log/ltm

Conditions:
When the user attempts via tmsh to configure a VLAN tag which is greater than 4094, the MCP validation code rejects the configuration and an error message is logged at /var/log/ltm.

Impact:
The configuration issued via a tmsh command is rejected as invalid.

Recommended Action:
Reissue the tmsh command with a VLAN tag, which is less than or equal to 4096.

01071bf6 : Cannot change FIPS name on busy guest: %s.

Location:
/var/log/ltm

Conditions:
The user tries to change the "fips-name" property of a vCMP guest configuration while the guest is running.

Impact:
The system does not allow the change operation because the guest might be actively using the FIPS partition referred to by the "fips-name" property. As a result, the configuration remains unmodified.

Recommended Action:
Before changing the "fips-name" property of the guest, disable the guest and wait until it stops running.

01071bf7 : Invalid URL format %s in CA-bundle manager %s. Check help page.

Location:
/var/log/ltm

Conditions:
The proxy server configuration on the CA-bundle manager object is restricted to use HTTP proxy.

Impact:
None.

Recommended Action:
The proxy server should be prefixed with HTTP or none.

01071bf8 : Bundle manager %s cannot use a certificate file object %s that depends on itself. This would cause a cyclic dependency.

Location:
/var/log/ltm

Conditions:
CA-bundle manager can be configured with other CA-bundles as sources. In this case, the newly created CA-bundle manager is trying to manage a CA-bundle file that eventually depends on itself. For example, CA-bundle manager A depends on a CA-bundle B managed by CA-bundle manager B, and B is in turn dependent on CA-bundle A.

Impact:
None.

Recommended Action:
Check the dependency relationship between the newly created CA-bundle manager and its included or excluded CA-bundle sources.

01071bf9 : CA-bundle management trace: CA-bundle %s depends on %s.

Location:
/var/log/ltm

Conditions:
CA-bundle manager can be configured with other CA-bundles as sources. In this case, the newly created CA-bundle manager is trying to manage a CA-bundle file, which eventually depends on itself. For example, CA-bundle manager A depends on a CA-bundle B, managed by CA-bundle manager B, and B is in turn dependent on CA-bundle A.

Impact:
None.

Recommended Action:
Check the dependency relationship between the newly created CA-bundle manager and its included or excluded CA-bundle sources.

01071bfa : CA-bundle manager %s does not exist.

Location:
/var/log/ltm

Conditions:
A database join operation refers to a CA-bundle manager that does not exist.

Impact:
None.

Recommended Action:
None.

01071bfb : The default CA-bundle manager %s cannot be deleted.

Location:
/var/log/ltm

Conditions:
The default CA-bundle manager called ca-bundle is being deleted.

Impact:
None.

Recommended Action:
The default CA-bundle manager called ca-bundle cannot be deleted.

01071bfc : The default CA-bundle manager %s cannot be changed.

Location:
/var/log/ltm

Conditions:
An attempt is being made to modify the default CA-bundle manager named ca-bundle.

Impact:
The default CA-bundle manager nameed ca-bundle cannot be modified.

Recommended Action:
None.

01071bfd : The default CA-bundle manager %s cannot change the exclude-url or exclude-bundle sets.

Location:
/var/log/ltm

Conditions:
The default CA-bundle manager called ca-bundle is being modified, regarding the exclude CA-bundles.

Impact:
None.

Recommended Action:
The default CA-bundle manager called ca-bundle cannot be modified.

01071bfe : The port number must be removed from %s, and set separately.

Location:
/var/log/ltm

Conditions:
The URL downloads in the CA-bundle manager configuration might use a proxy. The proxy server and port number are set separately.

Impact:
None.

Recommended Action:
The proxy server and port number are set separately using different attributes.

01071bfe : %s: %s can't be deleted because %s.

Location:
/var/log/ltm, GUI, tmsh

Conditions:
When a configuration object is not allowed to be deleted in the certain situation (described in the message), the error message will be triggered.

If this happens, the related configuration will not be updated.

Impact:
The related configuration will not be updated.

Recommended Action:
The fix that the reason described in the message as to why it cannot be deleted.

01071bff : The trusted CA-bundle must be provided in CA-bundle manager %s in order to download from URLs.

Location:
/var/log/ltm

Conditions:
The CA-bundle manager has an include or exclude URL source, but the trusted CA-bundle is not provided for downloading from the URL source.

Impact:
None.

Recommended Action:
When a CA-bundle manager refers to URL resource as a source, it must also provide the trusted CA-bundle.

01071c00 : The requested certificate file object %s for %s was not found.

Location:
/var/log/ltm

Conditions:
The certificate file object referred by the CA-bundle manager is not yet set up in the configuration database.

Impact:
Fail to set up the CA-bundle manager.

Recommended Action:
Create the proper certificate file object before referring to the object in the CA-bundle manager.

01071c01 : Object %s cannot be used in both include and exclude sets in CA-bundle manager %s.

Location:
/var/log/ltm

Conditions:
The same CA-bundle source, either from local file system or remote URL, is used as both include-source and exclude-source when users configure a CA-bundle manager.

Impact:
None.

Recommended Action:
Users must not use the same CA-bundle source as both include and exclude sources.

01071c02 : CA-bundle URL %s in CA-bundle manager %s only supports HTTPS.

Location:
/var/log/ltm

Conditions:
Users may try to use a CA-bundle manager to compose a new CA-bundle by downloading remote CA-bundle through HTTP or other protocols, such as SFTP.

Impact:
CA-bundle download methods other than HTTPS are disallowed.

Recommended Action:
Use a HTTPS URL.

01071c03 : F5 CA-bundle %s cannot be dynamically managed.

Location:
/var/log/ltm

Conditions:
User may try to create a CA-bundle manager that will manage the update operations of the CA-bundle f5-ca-bundle.crt.

Impact:
The special CA-bundle f5-ca-bundle.crt cannot be managed by the CA-bundle manager due to security reasons. It has to be updated manually, or by F5 official releases.

Recommended Action:
It is a required feature, not to be fixed.

01071c04 : Cannot find device group (%s).

Location:
/var/log/ltm

Conditions:
No device group is configured: needed for policy sync feature.

Impact:
Policy sync validation fails.

Recommended Action:
Create a device group and use it for policy sync.

01071c05 : Cannot find Policy Sync object definition file (%s).

Location:
/var/log/ltm

Conditions:
Cannot find data file(s) needed for the policy sync feature.

Impact:
Policy sync validation fails.

Recommended Action:
Configure data files to use for policy sync.

01071c06 : Cannot find Policy Sync object list file (%s).

Location:
/var/log/ltm

Conditions:
Cannot find the Policy Sync object list file.

Impact:
Policy sync validation fails.

Recommended Action:
Configure the Policy Sync object list file.

01071c07 : Cannot find Policy Sync data file (%s).

Location:
/var/log/ltm

Conditions:
Cannot find the Policy Sync data file.

Impact:
Policy sync validation fails.

Recommended Action:
Configure the Policy sync data file.

01071c08 : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.

Location:
/var/log/ltm

Conditions:
Cannot determine whether agent type is appropriate for access policy because it is not attached to apm profile access using access-policy property.

Impact:
Access policy validation failure.

Recommended Action:
Attach access policy to access profile.

01071c09 : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s because visibility is not properly defined.

Location:
/var/log/ltm, GUI, CLI GUI

Conditions:
It cannot be determined whether agent type is appropriate for access policy because visibility is not properly defined.

Impact:
Access policy validation fails.

Recommended Action:
Fix policy agent visibility.

01071c0a : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because it is not attached to apm profile access using access-policy property.

Location:
/var/log/ltm, GUI, CLI

Conditions:
It cannot be determined whether the agent type is appropriate for the access policy type of parent access policy. This is because the policy is not attached to the access profile using the access-policy property.

Impact:
Access policy validation failure.

Recommended Action:
Attach an access policy to the access profile.

01071c0b : Cannot determine whether agent type %s is appropriate for access policy (%s) of type %s parent of access policy (%s) of type %s because visibility is not properly defined.

Location:
/var/log/ltm, GUI, CLI

Conditions:
It cannot be determined whether the agent type is appropriate for the access policy of the parent of the access policy because visibility is not properly defined.

Impact:
Access policy validation failure.

Recommended Action:
Fix agent visibility.

01071c0c : Categories can't be assigned without selecting dynamic bwc policy.

Location:
/var/log/tmsh, GUI, CLI

Conditions:
There is no bandwidth control (BWC) policy during agent resource assignment.

Impact:
Agent resource assignment cannot be completed.

Recommended Action:
Define a BWC policy.

01071c0d : Default attribute consuming service (%s) must be present in the list 'attribute-consuming-services' of apm saml aaa (%s)

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
An admin attempts to configure a default attribute consuming service in apm aaa saml object.
Selected 'default' attribute consuming service must be present in the list 'attribute-consuming-services' associated with apm aaa saml object. Error indicated that selected default value is not present in the list.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
A 'default' attribute consuming service must be first configured in 'attribute-consuming-services' associated with apm aaa saml object. After that, the service can be selected as 'default'.

01071c0e : Attribute consuming service session variable and object cannot be configured at the same time in agent (%s)

Location:
/var/log/ltm, tmsh

Conditions:
Administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set both properties 'attribute-consuming-service' and 'attr-consuming-service-session-var'.
This is not valid configuration.

Impact:
This is mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Configure either 'attribute-consuming-service' or 'attr-consuming-service-session-var' property of 'apm policy agent aaa-saml' object.

01071c0f : Attribute consuming service variable (%s) in agent (%s) is not in session variable format

Location:
/var/log/ltm, tmsh

Conditions:
Administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set property 'attr-consuming-service-session-var'. The provided value is not in valid format "%{session.var}".

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The 'attr-consuming-service-session-var' must refer to a valid session variable, for example, "%{session.var}".

01071c10 : 'attribute-name' must be configured for attribute (%s) in attribute-consuming-service (%s)

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object permits specifying list of attributes. Each attribute must have a unique 'attribute-name' property.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Provide 'attribute-name' value for specified attribute.

01071c11 : All attribute names must be unique within attribute-consuming-service (%s). Provided attribute name (%s) is not unique

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object permits specifying list of attributes. Each attribute must have a unique 'attribute-name' property.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Provide a *unique* 'attribute-name' value for specified attribute.

01071c12 : attribute-consuming-service (%s) must specify at least one attribute

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object permits specifying list of attributes. At least one attribute must be configured for every object.

Impact:
This is mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Configure an attribute for specified attribute-consuming-service object.

01071c13 : attribute-consuming-service-index (%d) in aaa saml server (%s) conflicts with index of existing service (%s). Please provide unique index.

Location:
/var/log/ltm, tmsh

Conditions:
An administrator attempts to configure apm aaa saml object to modify a list of attribute consuming services. The explicitly provided index for attribute consuming service is not unique for said aaa saml object.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Do not specify index when configuring a list of attribute consuming services in aaa saml object.
Index will be auto generated when not explicitly specified.
If index must be specified manually, provide a unique value for the index. Value must be unique per aaa saml object.

01071c14 : 'service-name' value must be configured in attribute-consuming-service (%s)

Location:
/var/log/ltm, tmsh, GUI

Conditions:
An administrator attempts to configure 'apm saml attribute-consuming-service' object.
The object requires non-empty value for property 'service-name', which was not provided resulting in error.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Provide a value for 'service-name' property of attribute-consuming-service object.

01071c15 : aaa saml server must be configured before attribute consuming service can be specified

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
An administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set property 'attribute-consuming-service', but aaa saml service has not been specified for this agent.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Specify aaa saml server property for 'apm policy agent aaa-saml', and then provide value for 'attribute-consuming-service'.

01071c16 : SAML agent (%s) specifies attribute consuming service (%s) that is not configured in aaa saml server (%s)

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
An administrator attempts to change configuration on 'apm policy agent aaa-saml' object,
and set property 'attribute-consuming-service'.

However, the chosen 'attribute-consuming-service' object is not present in the list of services associated with specified aaa saml server.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Add requested service in the list 'attribute-consuming-services' of aaa saml server.

01071c18 : Attribute consuming service (%s) cannot be removed from aaa saml server (%s) because service is set as default

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
An admin attempts to delete a service from the list of 'attribute-consuming-services' associated with apm aaa saml object that is also configured as 'default' attribute consuming service for that apm aaa saml object. Error indicated that this configuration is not valid.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The service must be removed as 'default' attribute consuming service for the apm aaa saml object first and then deleted from the list of 'attribute consuming services' associated with the apm aaa saml object.

01071c19 : The requested username source (%s) is not a valid session variable.

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
Admin can define multiple session variables for username source. If one of these session variables is not valid, this error occurs.

Impact:
Admin can't configure username source field. It is considered to be an mcp configuration error.

Recommended Action:
None.

01071c1a : The requested password source (%s) is not a valid session variable.

Location:
/var/log/ltm, tmsh, VPE UI

Conditions:
Admin can define multiple session variables for password source. If one of these session variables is not valid, this error will be thrown.

Impact:
Admin can't configure password source field. It is considered to be an mcp configuration error.

Recommended Action:
None.

01071c1b : Virtuals Servers in the same listener group can have different profiles. Modifying the profiles in the listener will not update the profiles in the Virtual Servers. To update the profiles in Virtual servers, modify the Virtual Servers individually.

Location:
Console, TMSH

Conditions:
Attempt to modify spm or subscriber management profile for a PEM listener.

Impact:
Modification of spm and subscriber management profile for the PEM listener is blocked.

Recommended Action:
User has to directly modify the virtual servers in the listener group, as suggested in the error message.

01071c1c : You cannot delete the nodejs version (%s).

Location:
/var/log/ltm

Conditions:
There is an attempt to delete the known nodejs versions maintained by MCPD. This action is not exposed via tmsh or the GUI; it is the result of a 'backdoor' attempt.

Impact:
None. The attempt tp change the node version is blocked.

Recommended Action:
None.

01071c1d : You cannot modify the nodejs version (%s).

Location:
/var/log/ltm

Conditions:
An attempt is made to modify the known nodejs versions maintained by MCPD. Since this action is not exposed via tmsh or the GUI, it is the result of a 'backdoor' attempt.

Impact:
None.

Recommended Action:
None.

01071c1e : Cannot perform Protocol inspection update: %s

Location:
/var/log/ltm

Conditions:
The Protocol Inspection module failed (load/install/delete) with the Update package.

Impact:
The Protocol Inspection update package action is not performed.

Recommended Action:
None.

01071c1f : Protocol Inspection compliance inspection %s requires valid value: %s

Location:
/var/log/ltm

Conditions:
attempt to set invalid compliance inspection value

The user runs the following tmsh command with an invalid compliance inspection value:
"modify security protocol-inspection profile <profile name> { services modify { <service name> { compliance modify { <compliance inspection name> { value <value> } }}}}"

Impact:
None.

Recommended Action:
Do not set an invalid compliance inspection value (for example, if the type of the compliance inspection value is integer and you to set some string value).

01071c20 : Too many Protocol Inspection profiles. Up to %d supported.

Location:
/var/log/ltm

Conditions:
The limit of the number of allowed Protocol Inspection profiles has been reached.

Impact:
No more Protocol Inspection profiles can be added.

Recommended Action:
Delete unused / obsolete / not needed Protocol Inspection Profiles.

01071c22 : Modifying predefined Protocol Inspection profiles are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify an "protocol_inspection" predefined profile. An example is the use of any tmsh command which starts with "modify protocol-inspection profile <predefined profile name> ... ".

Impact:
None.

Recommended Action:
Do not modify following "protocol_inspection" predefined profiles: "protocol_inspection", "protocol_inspection_dns",and "protocol_inspection_http"

01071c23 : Creating predefined Protocol Inspection profiles are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to create a "protocol_inspection" predefined profile from tmsh.

Impact:
Creating a "protocol_inspection" profile with the name of a predefined profile from tmsh is disallowed. Predefined profiles have names such as "protocol_inspection", "protocol_inspection_dns", and "protocol_inspection_http".

Recommended Action:
Do not create a profile that has the same name as a predefined profile.

01071c24 : Deleting predefined Protocol Inspection inspections are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to delete a "protocol_inspection" predefined inspection.

Impact:
None.

Recommended Action:
Do not delete "protocol_inspection" predefined inspections.

01071c25 : Modifying predefined Protocol Inspection inspections are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify "protocol_inspection" predefined inspections.

Impact:
None.

Recommended Action:
Do not modify predefined inspections. A user can modify user-defined signatures only.

01071c27 : Protocol Inspection internal error: %s.

Location:
/var/log/ltm

Conditions:
This is an internal error.

Impact:
The "protocol_inspection" module does not work properly.

Recommended Action:
None.

01071c28 : Invalid Protocol Inspection snort signature: %s.

Location:
/var/log/ltm

Conditions:
The user has run one of the following tmsh commands with an incorrect snort signature:
"create security protocol-inspection signature <sig name> { sig "<snort signature>" ... }"
"modify security protocol-inspection signature <sig name> { sig "<snort signature>" ... }"

Impact:
None.

Recommended Action:
Create correct signatures in valid snort format.

01071c2a : Creating/Modifying Protocol Inspection compliance enums are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to create or modify "protocol_inspection" compliance enums.

Impact:
Creating or modifying "protocol_inspection" compliance enums is disallowed.

Recommended Action:
Do not create or modify "protocol_inspection" compliance enums.

01071c2b : Deleting Protocol Inspection services are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to delete a "protocol_inspection" service.

Impact:
Deleting a "protocol_inspection" service is disallowed.

Recommended Action:
Do not delete a "protocol_inspection" service.

01071c2c : Creating/Modifying Protocol Inspection services are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to create or modify a "protocol_inspection" service.

Impact:
Creating or modifying a "protocol_inspection" service is disallowed.

Recommended Action:
Do not create or modify a "protocol_inspection" service.

01071c2d : The VLAN (%s) tag is %u. The port-fwd-mode value of %s (%s) must be set to (%s).

Location:
/var/log/ltm

Conditions:
This is caused by an invalid configuration; a VLAN with the tag 'any.' The VLAN member must have the port-fwd-mode set to 'l2wire.'

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN, trunk, and interface. You can add an interface with port-fwd-mode set to 'l2wire' to a VLAN with a tag 'any.' You can also add a trunk with interface members with a port-fwd-mode set to 'l2wire' to a VLAN with the tag 'any.'

01071c2e : The VLAN (%s) can have at most %u member because member (%s) port-fwd-mode value is (%s).

Location:
/var/log/ltm

Conditions:
A VLAN to which you assign an interface or trunk with the port-fwd-mode property set to 'l2wire' can have a maximum of one member.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration for the VLAN, trunk, and interface. Don't add more than one member to the VLAN if a VLAN member (interface) has the port-fwd-mode property set to 'l2wire'.

01071c2f : The requested VLANGROUP (%s) can have at most %u member(s) because VLAN members have virtual-wire members.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. A VLAN group containing VLANs with visual-wire members can have at most 2 VLANs.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN group, VLAN, trunk, and interface. Don't add more than 2 VLANs to a VLAN group if a VLAN has virtual wire members.

01071c30 : Vlan (%s) is not compatible with member vlan in VLANGROUP (%s).

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The VLANs in a VLAN group must contain interfaces for which the value of the forwarding mode property is the same.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN group, VLAN, trunk, and interface. Modify VLANs in the same VLAN group so that all interfaces have the same value for the forwarding mode property.

01071c31 : The VLANGROUP (%s) mode and the VLAN (%s) member (%s) port-fwd-mode are not compatible.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The mode of the VLAN group is not set to 'virtual wire', even though the VLAN member being added to the VLAN group consists of interfaces with the forwarding mode property set to 'virtual wire'.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN group, VLAN, trunk, and interface. Change the mode of the VLAN group to 'virtual wire' when adding a VLAN that contains an interface with the forwarding mode property set to 'virtual wire'.

01071c32 : The VLANs must have the same tag in VLANGROUP (%s) when they have l2wire member.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The VLAN group contains VLANs that include a trunk or an interface with the forwarding mode property set to 'virtual wire', but the tags for the VLANs do not match.

Impact:
None.

Recommended Action:
Modify or re-create the VLANs with the same tag before adding the VLANs to the same VLAN group.

01071c32 : The VLANs must have the same tag in VLANGROUP (%s) when they have virtual-wire member.

Location:
/var/log/ltm

Conditions:
The message is caused by an invalid configuration. When vlan-group consists of vlans, which consist of trunks or interfaces with port-fwd-mode set to 'virtual-wire', the vlans must have the same tag.

Impact:
None.

Recommended Action:
Modify or re-create the vlans with the same tag, before adding them to the same vlan-group.

01071c33 : The VLAN (%s) tag (%u) cannot be modified %s '4096'.

Location:
/var/log/ltm

Conditions:
You cannot change the VLAN tag of an existing VLAN from the special tag 4096 to a numeric tag, or from a numeric tag to the special tag 4096.

Impact:
None.

Recommended Action:
Delete the VLAN and re-create the VLAN with the new tag.

01071c34 : The requested member (%s) is already configured as a member of VLAN (%s) with tag (%d). A member can belong to only one VLAN for a given tag.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The system attempted to assign the same 'virtual wire' interface, either tagged or untagged, to more than one VLAN.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in VLAN group, VLAN, trunk, and interface. Do not attempt to add the same 'virtual wire' interface to more than one VLAN.

01071c34 : The requested member (%s) is already configured as a member of VLAN (%s) with tag (%u). A member can belong to only one VLAN for a given tag.

Location:
/var/log/ltm

Conditions:
This message is caused by an invalid configuration. A 'virtual-wire' interface can be a member of at most one VLAN. It cannot be a member of another VLAN, no matter it is tagged or untagged.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in vlan, trunk, and interface. Don't add a 'virtual-wire' interface to more than one VLAN.

01071c35 : The VLAN (%s) has %s interface while the VLAN (%s) has %s interface. Interfaces of VLANs that are in the same 'virtual-wire' VLANGROUP (%s) must have the same taggedness.

Location:
/var/log/ltm

Conditions:
The VLANs that are members of the VLAN group do not have the same VLAN tag.

Impact:
The VLAN configuration is invalid.

Recommended Action:
Inspect the relevant object configuration in the VLAN group, VLAN, trunk, and interface. Change the configuration to ensure matching tags for the VLANs in the VLAN group.

01071c36 : The SelfIP (%s) cannot associate with %s (%s) with (%s) interface.

Location:
/var/log/ltm

Conditions:
The system has an invalid configuration. The self IP address can only be associated with a VLAN or VLAN group that has either a Layer 3 interface or no interface. The self IP address cannot be associated with a VLAN or VLAN group that has an interface with its forwarding mode set to Passive or Virtual Wire.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN group, VLAN, and self IP address. Do not associate self IP address with a VLAN or VLAN group with a Passive or Virtual Wire interface.

01071c37 : %s: %s is not supported on this platform (%s).

Location:
/var/log/ltm

Conditions:
The configuration is invalid based on platform attributes. There are values in the field of this object that are not supported on certain platforms.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration that causes the error.

01071c38 : Rule Profiler object %s requires log publisher to be specified.

Location:
/var/log/ltm

Conditions:
The system is attempting to create an iRule profiler (tracer) without a log publisher and attempting to remove a log publisher from an iRule profiler (tracer).

Impact:
The iRule profiler (tracer) configuration cannot be created or modified.
Tracing iRules will not be possible.

Recommended Action:
Repeat the configuration operation, specifying a valid log publisher.

01071c38 : Modify of ephemeral %s (%s) is not permitted.

Location:
/var/log/ltm

Conditions:
User-initiated action (such as through 'tmsh') attempted to modify an ephemeral node, which is not allowed. Ephemeral nodes are created as a result of a DNS resolve operation, which creates an ephemeral node that maintains the configuration established through its parent FQDN template.

Impact:
No action occurred, and the configuration is unchanged. No further user action is necessary.

Recommended Action:
Instead of trying to modify a specific ephemeral node, the user may modify the FQDN template that is used to create ephemeral nodes, at which point the configuration changes will propagate to all existing and future ephemeral nodes that are created from that FQDN template.

01071c3a : Route MTU for (%s) below minimum %u.

Location:
/var/log/ltm

Conditions:
When creating a static route with an MTU below the minimum value of 68.

Impact:
An exception aborts the creation of static route.

Recommended Action:
Correct the MTU value to be above 68.

01071c3a : Invalid FQDN node %s: %s.

Location:
Tmsh, GUI

Conditions:
You attempt to create an FQDN node with a name that looks like an IP address, for example:
create ltm node 1.1.1.1 fqdn { name www.f5.com }

Impact:
The operation fails.

Recommended Action:
Choose a different name for the object.

01071c52 : Routing object (%s) cannot have both items: %s.

Location:
TMSH

Conditions:
This will occur if there is an attempt to have a routing object reference two objects that cannot be referenced at the same time.

Impact:
The user will not be able to have the object being configured reference both of the objects which are not allowed to be referenced at the same time. The user must choose either one or neither of the objects to reference.

Recommended Action:
Reference either one or neither of the objects attempting to be referenced.

01071c55 : Invalid as-path (%s): %s.

Location:
TMSH

Conditions:
This will occur if there is an attempt to create an invalid AS-Path object.

Impact:
The user will not be able to create the AS-Path object as configured.

Recommended Action:
Create the AS-Path object with valid values.

01071c56 : Invalid as-path entry (%s) for as-path (%s): %s.

Location:
TMSH

Conditions:
This will occur if there is an attempt to create an invalid AS-Path entry object.

Impact:
The user will not be able to create the AS-Path entry object as configured.

Recommended Action:
Create the AS-Path entry object with valid values.

01071c58 : Virtual server %s is in ALG mode. Must not use static source translation, as used by attached profile %s.

Location:
gui, cli (tmsh), /var/log/ltm

Conditions:
You have attempted to configure a virtual server in MRF mode with Application Level Gateway enabled on the router profile and a security nat policy with static source translation.

Impact:
Configuration will not load until it is corrected.

Recommended Action:
None.

01071c5c : Cannot disable AJAX encryption for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, GUI

Conditions:
Improper FPS URL configuration.

Impact:
Configuration will not load.

Recommended Action:
Disable parameter AJAX mapping before disabling AJAX encryption.

01071c5c : AJAX encryption or both AJAX integrity and strong integrity must be enabled for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, CLI

Conditions:
A URL has a parameter with a none empty AJAX mapping. A URL is valid only if it has either:

 1) AJAX encryption is enabled (and RT encryption or parameter encrypt or a parameter substitute value is enabled), or

 2) AJAX integrity is enabled and 3) Strong integrity is enabled

Therefore, disabling 1 and 2 or 3 is not allowed.

Impact:
The configuration fails.

Recommended Action:
1. Remove parameters with none-empty AJAX mapping on this URL.
2. DO NOT disable AJAX encryption AND AJAX integrity or Strong Integrity.

01071c5d : AJAX mapping '%s' for parameter '%s' cannot start or end with a '.' in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
tmsh, GUI

Conditions:
Trying to set invalid JSON path.

Impact:
Configuration will fail.

Recommended Action:
Set a valid JSON path.

01071c5e : Anti-Fraud parameter '%s' is invalid. Enabling AJAX mapping for parameter requires that either 1. AJAX encryption and either value substitution or Real-Time Encryption or parameter encryption enabled 2. Full and Enhanced AJAX Data Manipulation Check enabled in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
/var/log/ltm, GUI

Conditions:
Improper FPS profile configuration.

Impact:
Configuration will not load.

Recommended Action:
Either enable AJAX encryption or parameter value substitution.

01071c5f : Cannot %s when %s in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
/var/log/ltm, GUI

Conditions:
Improper FPS profile configuration.

Impact:
Configuration does not load.

Recommended Action:
Either enable a custom encryption function or enable Real-Time Encryption in the Anti-Fraud URL.

01071c60 : DynaD private key generation failed ('%s').

Location:
/var/log/ltm

Conditions:
Out-of-memory or internal OpenSSL failure.

Impact:
Encrypted DynaD instrumentation may fail to execute.

Recommended Action:
Consider restarting mcpd.

01071c61 : DynaD public key generation failed ('%s').

Location:
/var/log/ltm

Conditions:
Out-of-memory or OpenSSL error, invalid private key, and a bad public key (/var/lib/dynad/tmm.dynad.pub).

Impact:
Encrypted DynaD instrumentation may fail to execute

Recommended Action:
Multiple options (1) consider reloading the configuration, (2) deleting "sys dynad key" element from BIG-IP_base.conf, reload configuration, and (3) consider re-installing the software image.

01071c62 : DynaD failed to decrypt private key. Re-generating.

Location:
/var/log/ltm

Conditions:
This may occur if there is (1) a bad dynad key value (BIG-IP_base.conf:sys dynad key), or (2) a master-key mis-match.

Impact:
May be unable to execute encrypted DynaD instrumentation.

Recommended Action:
(1) Delete a key from BIG-IP_base.conf; reload configuration. (2) Restore the old master-key (https://support.f5.com/csp/article/K9420).

01071c63 : DynaD development mode requires an F5 development license.

Location:
/var/log/ltm

Conditions:
An attempt was made to enable dynad development-mode without a development license.

Impact:
dynad development-mode will remain disabled.

Recommended Action:
Obtain a development license.

01071c64 : DynaD signature verification failed ('%s').

Location:
/var/log/ltm

Conditions:
This message can occur due to:
a) Bad signature (invalid or does not match /var/lib/dynad/tmm.pub.key value)
b) Memory failure
c) System error (failure to read file)

Impact:
DynaD instrumentation signature could not be verified and will not be executed.

Recommended Action:
Contact support.

01071c65 : DynaD cannot activate unsigned instrumentation.

Location:
/var/log/ltm, console

Conditions:
DynaD instrumentation signature could not be verified (warning).

Impact:
DynaD instrumentation will not be activated. Full error details will be logged to /var/log/ltm.

Recommended Action:
Refer to recommended action for error found in /var/log/ltm. Consider contacting support.

01071c66 : The VLAN (%s) member (%s) must be tagged when the tag is '4096'.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. When a VLAN has the special tag 4096, the VLAN member can only be configured as a tagged interface.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN. Specify the VLAN interface as tagged when the VLAN tag is 4096.

01071c67 : The PEM rating group id needs to be greater than Zero. Rating group %s cannot use rating group id %d because it is invalid.

Location:
GUI, TMSH, /var/log/ltm

Conditions:
Occurs if the Rating group id field is set to Zero

Impact:
Configuration will be aborted, if rating group id field is set to zero while configuration.

Recommended Action:
Provide a valid rating group id (greater than 0).

01071c68 : Profile %s's SSL client certificate constrained delegation CA key is missing.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one server-ssl profile, with client certificate constrained delegation CA key not configured.

Impact:
The client certificate constrained delegation cannot be enabled on this server-ssl until the user configures client certificate constrained delegation CA key.

Recommended Action:
None.

01071c69 : Profile %s's SSL client certificate constrained delegation CA cert is missing.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one server-ssl profile, with client certificate constrained delegation CA certificate not configured.

Impact:
The client certificate constrained delegation cannot be enabled on this server-ssl until the user configures client certificate constrained delegation CA certificate.

Recommended Action:
None.

01071c6a : Profile %s's SSL client certificate constrained delegation peer-cert-mode is invalid.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one client-ssl profile, and peer certificate mode not "request" or "require".

Impact:
The client certificate constrained delegation cannot be enabled on this client-ssl profile until the user configures peer certificate mode to "request" or "require".

Recommended Action:
None.

01071c6b : Profile %s supports only RSA key and certificate for SSL client certificate constrained delegation.

Location:
GUI, tmsh shell, iControl shell

Conditions:
When client certificate constrained delegation is enabled on one server-ssl profile, with client certificate constrained delegation CA key/certificate not RSA based.

Impact:
The client certificate constrained delegation cannot be enabled on this server-ssl until the user configures client certificate constrained delegation CA key/certificate with RSA type.

Recommended Action:
None.

01071c6c : Profile %s's SSL client certificate constrained delegation key is missing.

Location:
GUI, CLI, iControl

Conditions:
Client certificate constrained delegation is configured on one Server SSL profile and an RSA key and certificate are not configured.

Impact:
The client certificate constrained delegation cannot be enabled on this Server SSL profile.

Recommended Action:
Configure one RSA key and certificate.

01071c6d : Profile %s's SSL client certificate constrained delegation CA key and certificate do not match

Location:
/var/log/ltm

Conditions:
When configuring a server SSL profile for 'client certificate constrained delegation (C3D)', the configured CA key does not match the configured CA certificate.

Impact:
This is a new log message for C3D.

Recommended Action:
None.

01071c6e : PKCS11d (re)initialized. Re-connecting to network-HSM PKCS11d.

Location:
/var/log/ltm

Conditions:
The PKCS11d daemon is restarting.

Impact:
The message is benign and used to log the PKCS11d restart, so there is no impact.

Recommended Action:
None.

01071c72 : Policy '%s', rule '%s'; %s SSL server profile %s not found.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Condition occurs when a server SSL profile is specified but a matching profile is not found in the BIG-IP system. Check spelling. The command to find the list of known SSL server profiles is:
    tmsh list ltm profile server-ssl

Impact:
The create/change operation fails.

Recommended Action:
Try again specifying a known SSL server profile. A list of the known SSL server profiles can be found using the following tmsh command:
    tmsh list ltm profile server-ssl

01071c73 : F5 Service Connector %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 Service Connector validation error has occurred and is caused by any of these conditions:
- The name is already used.
- An SSL Server profile is missing or doesn't exist.
- A DNS resolver is missing or doesn't exist.
- An object cannot be deleted because it is referenced by an F5 MFA Configuration object.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use an existing SSL Server profile.
- Use an existing DNS resolver.
- Delete a corresponding F5 MFA Configuration object first.

01071c74 : F5 MFA Configuration %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 MFA Configuration validation error has occurred and is caused by any of these conditions:
- The name is already used.
- Am F5 Service Connector is missing or doesn't exist.
- An allowed device type isn't specified.
- The SMS template doesn't contain the session variable %{session.f5_mfa.device_registration.registration_url}
- The object cannot be deleted because it is referenced by an F5 MFA User Verification agent or by F5 MFA Device Registration.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use an existing F5 Service Connector name.
- Specify at least one allowed device type.
- Add the session variable %{session.f5_mfa.device_registration.registration_url} to the SMS template.
- Delete the corresponding agent or agents first.

01071c75 : F5 MFA User Verification Agent %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 MFA User Verification validation error has occurred and is caused by any of these conditions:
- The name is already used.
- A customization group is missing or has an incorrect type.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use the name of an existing customization group of type aaa-f5-mfa-user-verification.

01071c76 : F5 MFA Device Registration Agent %s validation error: %s.

Location:
/var/log/ltm

Conditions:
An F5 MFA Device Registration Agent validation error has occurred and is caused by any of these conditions:
- The name is already used.
- A customization group is missing or has an incorrect type.

Impact:
The system does not apply the configuration changes.

Recommended Action:
Depending on system conditions, you can take any of these actions:
- Use another name.
- Use the name of an existing customization group of type aaa-f5-mfa-device-registration.

01071c77 : Issuer is required for JWT config (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
The issuer is not configured for JWT configObject.

Impact:
A save operation on an object or a configuration load operation fails.

Recommended Action:
Configure an issuer in JWT configObject.

01071c78 : Invalid %s (%s) in JWT config (%s). The value %s.

Location:
/var/log/apm, GUI, CLI

Conditions:
There is an invalid URI for issuer or JWKS URI attribute in JWT Config

Impact:
A save operation on an object or a configuration load operation fails.

Recommended Action:
Configure a valid URI.

01071c79 : Self-issued token is not allowed (%s) for JWT config (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
The issuer is configured to use a self-issued value ("https://self-issued.me") in a JWT configuration.

Impact:
A save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid issuer in the JWT Configuration.

01071c7a : In JWT config (%s), same signing algorithm is present in both allowed signing algorithms and blocked signing algorithms. This is not allowed.

Location:
/var/log/apm, GUI, CLI

Conditions:
The same signing algorithm is configured in both the allowed signing algorithms and the blocked signing algorithms in a JWT configuration.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Remove the same signing algorithm from the allowed signing algorithms or the blocked signing algorithms configuration in the JWT config.

01071c7b : OAuth Provider (%s) references OAuth JWT Config (%s) that does not exist.

Location:
This error will be logged in /var/log/apm. It will appear in TMSH/TMUI

Conditions:
JWT config in OAuth Provider is invalid/ does not exist.

Impact:
Object save/Configuration load will fail.

Recommended Action:
Use a valid JWT config in OAuth Provider.

01071c7c : When key-type is '%s', '%s' must be present for jwk-config (%s).

Location:
/var/log/apm, tmsh

Conditions:
Required fields are not present, or wrong key type specified.

Impact:
Configuration load will fail. Object save will fail.

Recommended Action:
Correct the invalid configuration.

01071c7d : The JWK config (%s) with key-type '%s' cannot contain an empty '%s'.

Location:
/var/log/apm,TMSH,GUI

Conditions:
Required fields are not present.

Impact:
Object save and Configuration Load will fail.

Recommended Action:
Fill in required fields.

01071c7e : The field (%s) is not relevant to key-type '%s' and thus cannot be present for jwk-config (%s).

Location:
/var/log/ltm, TMSH

Conditions:
Fields relevant to other key types are present.

Impact:
Configuration load and object save will fail.

Recommended Action:
Remove irrelevant fields.

01071c7f : Certificate key file must be referenced when passphrase is present for jwk-config (%s).

Location:
TMSH, GUI

Conditions:
While creating/modifying a JWK object, this error message will appear if a passphrase is specified but a certificate key is not.

Impact:
This JWK object creation/modification will not succeed.

Recommended Action:
Specify a certificate key reference.

01071c80 : JWT access token lifetime (%u) for %s (%s) must be in range of (%u-%u).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error occurs when the admin sets the JWT access token lifetime out of its valid range. Both the OAuth profile and the Client App configuration have a JWT access token lifetime setting.

Impact:
The out of range lifetime value will be rejected.

Recommended Action:
The admin should set the JWT access token lifetime within its valid range indicated by the error message.

01071c81 : JWT refresh token lifetime (%u) for %s (%s) must be in range of (%u-%u).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error happens when the admin sets the JWT refresh token lifetime out of its valid range. Both the OAuth profile and the Client App configuration have a JWT refresh token lifetime setting.

Impact:
The out of range value will be rejected.

Recommended Action:
The admin should set the JWT refresh token lifetime within its valid range indicated by the error message.

01071c82 : OpenID Connect Configuration Endpoint URL (%s) for %s (%s) must end with (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
Per RFC specification, some URLs used in OpenID Connect must end with certain pattern, such as, the well-known endpoint must end with "/.well-known/openid-configuration". This error occurs if this kind of requirement is not met.

Impact:
The URL entered by the admin will not be accepted.

Recommended Action:
The admin should correct the URL per requirement.

01071c83 : (%s) (%s) load failed due to %s

Location:
/var/log/ltm, CLI

Conditions:
1) Mismatch between x5tsha1 in certificate and the value specified in object.
2) Mismatch between x5tsha256 in certificate and the value specified in object.
3) Mismatch between modulus in certificate and the value specified in object.
4) Mismatch between public exponent in certificate and the value specified in object.
5) Mismatch between x coordinate in certificate and the value specified in object.
6) Mismatch between y coordinate in certificate and the value specified in object.
7) Mismatch between curve in certificate and the value specified in object.
8) RSA load failed for specified certificate.
9) Elliptic curve load failed for specified certificate.
10) Elliptic Curve Point load failed for specified certificate.
11) Elliptic Curve group failed for specified certificate.
12) Elliptic Curve Group NID not supported.
13) Extraction of EC key coordinates failed.
14) Failed to allocate BIO for specified certificate.
15) Failed to write BIO for specified certificate.
16) Failed to get BIO memory pointer for specified certificate.
17) Certificate begin marker not found in certificate.
18) Certificate end marker not found in certificate.
19) Certificate file path does not exist.
20) OpenSSL API failed for certificate.
21) Certificate public key load failed.
22) Certificate key file path does not exist.

Impact:
The JWK configuration is not saved.

Recommended Action:
Change the incorrect values based on the error message and save the object.

01071c85 : (%s) key-type (%u) does not match certificate (%s) type (%u).

Location:
/var/log/ltm

Conditions:
While creating or modifying OAuth JWK Config, the prerequisite condition is the specification of certificate object and mismatched key-type value. Condition 1: The specified key-type is rsa , and providing a certificate of non-rsa type. OR Condition 2: The specified key-type is elliptic-curve, and providing a certificate of non-elliptic-curve type.

Impact:
The creation or modification of the OAuth JWK Config object would fail.

Recommended Action:
Provide the certificate of type matching the specified key-type value. If the provided certificate is of type rsa, specify key-type as rsa. Or if the provided certificate is of type elliptic-curve, specify key-type as elliptic-curve.

01071c86 : The %s must be provided in base64url encoded format for jwk-config (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
If this occurs, some field in the JWK configuration, such as the shared-secret, the modulus, or the public-exponent, etc., is not properly encoded in BASE64URL format.

Impact:
It might indicate that the configuration is corrupted or manually entered incorrectly.

Recommended Action:
Enter the indicated field correctly. In case of data corruption, delete the JWK configuration, and recreate it from scratch, if necessary.

01071c87 : The claim name (%s) of claim (%s) cannot contain spaces.

Location:
/var/log/apm, TMSH, GUI

Conditions:
While creating or modifying an OAuth Claim object. This occurs when the claim name contains spaces.

Impact:
Object cannot be saved.

Recommended Action:
Choose a claim name without spaces while creating or modifying OAuth claim.

01071c88 : The word (%s) is a reserved word and cannot be used as claim name for the claim (%s).

Location:
/var/log/apm, TMSH

Conditions:
The word that is used as a claim name for OAuth Claim is a reserved word and must not be used.

Impact:
Object creation or modification will fail.

Recommended Action:
Use a different word as a claim name for OAuth Claim.

01071c89 : The %s claim name (%s) is already in use by agent %s for this entry.

Location:
/var/log/apm, TMSH

Conditions:
When the same claim is configured again for a particular entry in the OAuth Authorization agent.

Impact:
Object save will fail.

Recommended Action:
A claim can be configured only once for a particular entry in the OAuth Authorization agent.

01071c8a : The %s claim (%s) that is associated with the %s (%s) does not exist.

Location:
/var/log/apm, TMSH

Conditions:
The JWT access token claim that is specified either in the OAuth Client App or in the OAuth Profile is not created under OAuth Claim.

Impact:
Object save will fail.

Recommended Action:
Create the claim under OAuth claim before referencing in the OAuth Client App or OAuth Profile.

01071c8b : The %s claim name cannot be empty for OAuth Authorization agent %s.

Location:
/var/log/apm, TMSH, GUI

Conditions:
This error will occur when the oauth authorization agent contains a claim entry with empty claim name during creating or modification.

Impact:
The object will not be saved.

Recommended Action:
Create the oauth authz agent correctly by specifying claim name for the claim entry.

01071c8c : %s claim name (%s) associated with OAuth Authorization agent (%s) is not defined under OAuth claim.

Location:
/var/log/apm, TMSH

Conditions:
If the claim referenced in the OAuth Authorization agent is not created under OAuth Claim, this error will be seen.

Impact:
Object save will fail.

Recommended Action:
Create the claim under OAuth Claim first, and then it can be referenced in the OAuth Authorization agent.

01071c8d : %s cannot be empty because %s for %s (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error happens when some field is required by the OAuth profile configuration and it is empty. For example, the Issuer field is required when JWT support is enabled, or the DB Instance field is required when opaque token support is enabled.

Impact:
Admin not able the enable JWT support or opaque token support if those required fields are missing.

Recommended Action:
Fill in those required fields as indicated in the error message.

01071c8e : %s in %s (%s) is not an allowed URL: %s

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The error happens when the admin enters a mal-formatted URL for a field that requires a URL, such as the Issuer in an OAuth profile.

Impact:
None.

Recommended Action:
The admin should fix his URL to be a properly formatted URL.

01071c8f : The %s (%s) associated to %s (%s) is not a valid %s.

Location:
/var/log/ltm

Conditions:
Either the OAuth profile name or the JWK config name under Additional JWK for JWKS URI setting is invalid.

Impact:
Change the key use setting in the JWK configuration in the OAuth profile to signing.

Recommended Action:
Make sure that the JWK configuration under Additional JWK for JWKS URI setting in the OAuth profile exists in the JWK configuration list.

01071c90 : JWT config %s to be associated with JWK config (allowed keys) %s does not exist.

Location:
/var/log/apm, GUI, CLI

Conditions:
Allowed keys are configured for an invalid JWT config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Configure allowed keys for a valid JWT config and save the object.

01071c91 : In JWT config %s, allowed keys '%s' do not exist. Use a valid JWK config for allowed keys.

Location:
/var/log/apm, GUI, CLI

Conditions:
An invalid JWK configuration is used for allowed keys in a JWT config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid JWK configuration for allowed keys and save the object.

01071c92 : In JWT config (%s), the same JWK config (%s) is present in both allowed keys and blocked keys. This is not allowed.

Location:
/var/log/apm, GUI, CLI

Conditions:
The same JWK configuration is present in both allowed keys and blocked keys in JWT Config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Remove the duplicate JWK configuration from allowed keys or blocked keys in JWT Config and save the object.

01071c93 : JWT config %s to be associated with JWK config (blocked keys) %s does not exist.

Location:
/var/log/ltm, CLI

Conditions:
Blocked keys are associated with an invalid JWT Config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Configure blocked keys for a valid JWT Config and save the object.

01071c94 : In JWT config (%s), blocked keys '%s' do not exist. Use a valid JWK config for blocked keys

Location:
/var/log/apm, GUI, CLI

Conditions:
An invalid JWK config is used for blocked keys in JWT Config.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid JWK Config to configure blocked keys in JWT Config and save the object.

01071c95 : JWT Provider List %s to be associated with OAuth Provider %s does not exist.

Location:
/var/log/apm, GUI, CLI

Conditions:
There is an OAuth provider configuration for an invalid JWT provider List.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Try to configure OAuth Provider in a valid JWT Provider List only and then save the configuration.

01071c96 : In JWT Provider List %s, OAuth Provider %s does not exist. Use a valid OAuth Provider for providers attribute.

Location:
/var/log/apm, GUI, CLI

Conditions:
An invalid OAuth Provider is configured for the providers attribute in JWT Provider List.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Use a valid OAuth Provider for the providers attribute in JWT Provider List and save the object.

01071c97 : Error generating JWT encryption key using secret.

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
This error occurs when an openssl function (not F5 software), PKCS5_PBKDF2_HMAC_SHA1, failed.

Impact:
The admin should never see this error. If it really happens, it is possible that the OS environment/file system might be corrupted.

Recommended Action:
Suggest the admin to try again. If the same error occurs, restart the BIG-IP system. If the same error still occurs, reinstall the software image.

01071c98 : The JWK config (%s) associated to %s (%s) can contain public key types only (such as, rsa, elliptic-curve).

Location:
/var/log/ltm

Conditions:
Under OAuth profile settings, rotation-key(tmui) or additional-jwk-for-jwks-uri(tmsh) includes a JWK config pointing to non public-key type and/or algorithm. Using JWK config with 'octet' key-type will lead to this configuration error.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
For rotation-key(tmui) or additional-jwk-for-jwks-uri(tmsh) use JWK config containing public key-type or algorithm. This includes RSA, Elliptic-Curve key types/algorithms.

01071c99 : The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s).

Location:
/var/log/ltm

Conditions:
OAuth profile allows configuring the JWK config, and additional JWK for JWKS URI config for JWKS URI. If the entries configured in these entries contains a JWK setting with the same key-id and algorithm type, this error will be shown.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* Disassociate all JWK settings containing a duplicate key-id mentioned in the error that is attached to one of JWK or additional JWK setting on OAuth profile.
* Modify the key-id of the JWK config mentioned in the error message leading to this error.

01071c9a : The JWK config (%s) containing algorithm (%s) does not match key type (%s).

Location:
/var/log/ltm

Conditions:
The signing algorithm in a given JWK config doesn't match the selected key-type.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* For key-type rsa, valid algorithm types can be RS256, RS384 or RS512
* For key-type octet, valid algorithm types can be HS256, HS384 or HS512
* For key-type elliptic-curve, valid algorithm types can be ES256, ES384

01071c9b : The JWK config (%s) associated to %s (%s) contains an invalid signing algorithm.

Location:
/var/log/ltm

Conditions:
The JWK config assigned to the OAuth profile includes invalid signing algorithm (none).

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
A JWK config containing a 'none' signing algorithm is not allowed to be assigned to OAuth profile. Change JWK config signing algorithm to RS, HS, or ES type signing algorithms to get past this error.

01071c9c : The JWK config (%s) associated to %s (%s) can only be used for signing.

Location:
/var/log/ltm

Conditions:
The JWK config in the OAuth profile contains key use setting set to encryption. At this time, only signing is supported for key usage.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Change key use setting in the JWK config in the OAuth profile to signing.

01071c9d : The JWK config (%s) associated to %s (%s) requires certificate key configuration.

Location:
/var/log/ltm

Conditions:
A JWK config can be created without specifying a certificate-key value. However, a JWK config without certificate-key cannot be used by a OAuth profile for token signing. A JWK config used by OAuth AS must contain certificate-key value.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Fix the JWK config to contain a certificate-key value, and then associate the created JWK config to the OAuth profile for JWT signing.

01071c9e : The encryption secret is needed to generate an encryption key for OAuth profile (%s).

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
When the admin enables the JWT support for the first time in an OAuth profile, and does not provide an encryption secret, this error occurs.

Impact:
The JWT support will not be enabled. If it is the creation of an OAuth profile, the profile will not be created.

Recommended Action:
The admin should give an non-empty encryption secret.

01071c9f : Allowed signing algorithms list cannot be empty in JWT config (%s) for Issuer (%s).

Location:
/var/log/apm, TMSH, GUI

Conditions:
Allowed signing algorithms list has been left empty.

Impact:
Object save and Configuration load will fail.

Recommended Action:
Move one algorithm at least to allowed signing algorithms.

01071ca0 : When the %s flag is enabled, OAuth Provider (%s) must have %s JWT config attached for the JWT provider list (%s)

Location:
/var/log/ltm, GUI, CLI

Conditions:
The JWT config is not attached to a provider (manual or auto depending on flag) before being added to the JWT provider list.

Impact:
The command to add the provider to the JWT Provider List fails.

Recommended Action:
Attach the JWT config to a provider (either manually or by auto-discovery) before adding it to the JWT provider list.

01071ca1 : The JWK config (%s) associated to %s (%s) was auto-generated and is meant for Client/Resource Server purposes only.

Location:
/var/log/apm, TMSH

Conditions:
If an auto-discovered key is being referenced by an OAuth profile, this error will be seen.

Impact:
Object save will fail.

Recommended Action:
This key can be used only by Client/RS configuration.

01071ca2 : When jwt-token is enabled, a JWK config must be assigned as the Primary Key for OAuth Profile (%s).

Location:
/var/log/apm, TMSH, GUI

Conditions:
If the attribute primary-key is not filled while creating/modifying an OAuth Profile, and JWT token flag is enabled.

Impact:
Will not let you save without this value.

Recommended Action:
Assign a JWK to primary key.

01071ca3 : Error loading cert-chain (%s) associated to JWK config (%s)%s

Location:
/var/log/ltm

Conditions:
A certificate chain setting in the JWK config contains an invalid entry or the certificate chain contents are invalid.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Make sure that the certificate chain associated in the JWK-config exists in the BIG-IP certificate store. Check Traffic Certificate management under 'System -> Certificate Management' in the GUI to make sure. If the certificate chain does exist, make sure that the certificate-chain contents are valid.

01071ca4 : Invalid certificate order within cert-chain (%s) associated to JWK config (%s).

Location:
/var/log/ltm

Conditions:
In a given JWK config, if a cert-chain input is specified, the chain should contain the certificate of the issuer of the cert provided in the cert input. If cert-chain is a bundle, that is, it contains multiple certificates, then every subsequent certificate should be the issuer of the previous certificate.
If the certificate bundle contains multiple certificates, but the issuer is not in order, it will lead to this error.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
Fix the order of certificate(s) in the cert-chain input file so that the 'cert' input certificate issuer is present in the cert-chain file, and each next certificate contains the issuer of the previously issued certificate.

Here is an example of a valid cert/cert-chain config:

cert input contains:
  CN = as-cert.com
  issuer = intermediate-level3-cert.com

cert-chain input contains:
  1st CN = intermediate-level3-cert.com
  1st issuer = intermediate-level2-cert.com
  ---------------------------
  2nd CN = intermediate-level2-cert.com
  2nd issuer = intermediate-level1-cert.com
  ---------------------------
  1st CN = intermediate-level1-cert.com
  3rd issuer = root-cert.com
  ---------------------------

01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).

Location:
/var/log/ltm

Conditions:
This is a common error for OAuth profile or OAuth provider page.

The JWK config, associated with a OAuth profile or provider, contains a certificate, certificate-chain, and trusted-ca bundle assigned to the OAuth profile or provider that failed a trust verification check. A trust verification check means that the certificate issuer is included within certificate-chain and that the issuer for certificate-chain is included in the trusted-ca bundle.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* If a JWK config contains only a certificate, make sure to include the certificate issuer in the trusted-ca bundle.
* If a JWK config includes a certificate-chain, make sure that the certificate issuer is included in the certificate-chain. If there are multiple certificates in the certificate-chain, the issuer for all of the certificates must exist within the certificate-chain, except the last certificate. A certificate issuer for the last certificate-chain must be part of trusted-ca bundle.

01071ca6 : Only '%s' token validation mode is allowed for OAuth %s agent '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to configure token-validation-mode for Oauth Client Agent as something other than 'External' in tmsh. The error indicates that this configuration is not valid.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Allowed token-validation-mode ('External') must be configured for Oauth client agent.

01071ca7 : JSON web token '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web token.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a Provider to a Provider list when the Provider has JWT config associatedm and the Provider list already has the same JWT config associated through some other Provider in the list. All the JWT configs associated with a Provider list must be unique.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a Provider to a Provider list, check that the operation will not result in a Provider list with more than one instance of the same JWT config.

01071ca8 : JSON web key '%s' already exists in Provider List '%s'. The change you are trying to make is not allowed because it would result in a provider list that contains more than one instance of the same JSON web key.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a Provider to a Provider list when the Provider has JWK config(s) associated and the Provider list already has the same JWK config(s) associated through some other Provider in the list. All the JWK configs associated with a Provider list must be unique.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a Provider to a Provider list, check that the operation will not result in a Provider list with more than one instance of the same JWK config.

01071ca9 : OAuth parent profile's jwt-refresh-token-enc-secret attribute cannot be modified.

Location:
/var/log/apm, TMSH

Conditions:
If OAuth profile's jwt-refresh-token-enc-secret is modified from TMSH.

Impact:
A validation exception is seen.

Recommended Action:
Do not specify jwt-refresh-token-enc-secret for parent profile.

01071caa : The encryption key for OAuth profile (%s) cannot be specified directly. Use encryption secret to generate a new encryption key and make sure that jwt-token is enabled.

Location:
/var/log/apm, TMSH

Conditions:
If jwt-refresh-token-enc-key is specified directly.

Impact:
Object save will fail.

Recommended Action:
Do not specify jwt-refresh-token-enc-key. Instead use jwt-refresh-token-enc-secret to generate key.

01071cab : The JWK config (%s) associated to %s (%s) requires key ID configuration.

Location:
/var/log/ltm, GUI, TMSH console

Conditions:
The JWK does not have an ID configured. This JWK can be used in a client but not in an AS. Associating the JWK with an OAuth profile is intended to use it in an AS.

Impact:
The admin cannot associate this JWK to the OAuth profile without changing the JWK configuration.

Recommended Action:
The admin can give the JWK an ID, or use another JWK that already has an ID.

01071cac : When more than one JWK config of key-type '%s' is present in a JWT config, all the keys of that key-type must have key-id or cert-thumbprint-sha1 or cert-thumbprint-sha256 present.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
An admin attempts to add a JWK config to a JWT config, resulting in the JWT config having more than one JWK config of the same key-type, and not all the JWK configs of that key-type have key-id, cert-thumbprint-sha1, or cert-thumbprint-sha256 present.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When more than one JWK config of the same key-type is associated with a JWT config, all these JWK configs must have key-id, cert-thumbprint-sha1, or cert-thumbprint-sha256 present.

01071cad : All the JWK configs in a JWT config must have unique key-id for each key-type. The key-id '%s' for key-type '%s' is already present in JWT config '%s'.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a JWK config to a JWT config, and the JWK config has pair (key-id, key-type) that is already present in the JWT config through some other JWK config. The pair (key-id, key-type) must be unique within a JWT config.

Impact:
This is mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a JWK config to a JWT config, check that the operation will not result in a JWT config with more than one instance of the same pair (key-id, key-type).

01071cae : %s (%s) for OAuth profile (%s) should be unique across other OAuth Authorization Server endpoints.

Location:
TMSH

Conditions:
When the oauth endpoints are configured to be the same, this warning will be seen.

Impact:
The object is saved, however the OAuth AS functionality will be affected.

Recommended Action:
Configure different values for Authorization server endpoints.

01071caf : The issuer cannot be modified for autodiscovered JWT config '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify issuer attribute of an auto-discovered JWT config in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
None.

01071cb0 : Cannot enable Real-Time Encryption when a custom encryption function is specified in the Anti-Fraud URL '%s'.

Location:
/var/log/ltm, GUI

Conditions:
Improper FPS profile configuration.

Impact:
Configuration will not load.

Recommended Action:
Either disable a custom encryption function or enable Real-Time Encryption.

01071cb0 : For autodiscovered JWT config '%s', you can move algorithms between the allowed and blocked lists only.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to modify the allowed-algorithms or blocked-algorithms of an auto-discovered JWT config, by either adding a new algorithm that was not previously present in either of the two lists, or by removing an algorithm from either of the two lists without adding that algorithm to the other list.
For auto-discovered JWT config, the algorithms can be moved between allowed and blocked lists only.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
For auto-discovered JWT config, the algorithms can be moved between allowed and blocked lists only.

01071cb1 : JWK config '%s' is autodiscovered, JWT config '%s' is not. An autodiscovered JWK config can be added to an autodiscovered JWT config only.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to add an auto-discovered JWK config to a manual JWT config. An auto-discovered JWK config can be associated with an auto-discovered JWT config only.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
This operation is not allowed. Auto-discovered JWK config cannot be added to manual JWT config.

01071cb2 : For autodiscovered JWT config '%s', you can move autodiscovered keys between the allowed and blocked lists only.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to modify the allowed-keys or blocked-keys of an auto-discovered JWT config, by either adding a new key that was not previously present in either of the two lists, or by removing a key from either of the two lists without adding that key to the other list.
For auto-discovered JWT config, the keys can be moved between allowed and blocked lists only.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
For auto-discovered JWT config, the keys can be moved between allowed and blocked lists only.

01071cb3 : Autodiscovered JWK config '%s' cannot be modified.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify an attribute of an auto-discovered JWK config in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
None.

01071cb4 : Autodiscovered JWT config cannot be modified for OAuth Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify auto-jwt-config-name of a Provider in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
None.

01071cb5 : Autodiscovered JWT config '%s' is associated with OAuth Provider '%s'. It cannot be added to Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin attempts to add an auto-discovered JWT config to a Provider, and the JWT config is already associated with another Provider. An auto-discovered JWT config is bound to one Provider and cannot be added to another Provider.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Auto-discovered JWT config needs to be discovered on TMUI to be associated with a Provider.

01071cb6 : Support for at least Opaque or JWT token should be enabled for OAuth profile (%s).

Location:
/var/log/ltm, tmsh, GUI

Conditions:
This occurs when support for both an opaque and jwt token is disabled.

Impact:
Object save will fail.

Recommended Action:
Enable support for at least an opaque token or jwt token.

01071cb7 : The auto-generated attribute for %s '%s' cannot be modified.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify the 'auto-generated' attribute of a JWT config or a JWK config in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
None.

01071cb8 : The auto-generated attribute for %s '%s' cannot be specified.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin specifies an 'auto-generated' attribute while creating a new JWT config, or a JWK config in tmsh. This is not allowed as the value for this field is populated automatically.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
Auto-generated attribute should not be specified while creating a new JWT config or JWK config.

01071cb9 : Claim value cannot be empty for OAuth claim (%s).

Location:
/var/log/apm, TMSH

Conditions:
When the claim value is empty in the OAuth Claim.

Impact:
Object save will fail.

Recommended Action:
Configure claim value in OAuth Claim.

01071cba : %s claim value associated with OAuth claim (%s) cannot be empty for OAuth Authorization agent %s, entry %d.

Location:
/var/log/apm, TMSH

Conditions:
In the OAuth Authorization agent, the claim value of the OAuth Claim is empty.

Impact:
Object save will fail.

Recommended Action:
Configure claim value in the Claim that is configured in the OAuth Authorization agent.

01071cbb : The JWK config (%s) containing algorithm (%s) does not match curve (%s) for elliptic-curve.

Location:
/var/log/apm, TMSH

Conditions:
When the algorithm specified in the JWK config does not match with the curve. When algorithm is ES256, curve value must be P-256. When algorithm is ES384, curve value must be P-384. Any other combination is invalid.

Impact:
Object save will fail.

Recommended Action:
In the JWK config, when algorithm is ES256, configure curve value P-256. When algorithm is ES384, curve value of P-384 must be configured. Any other combination is invalid.

01071cbc : The last-discovery-time cannot be specified while creating Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
Admin specifies a 'last-discovery-time' attribute while creating a new OAuth Provider in tmsh. This is not allowed as the value for this field is populated automatically.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The 'last-discovery-time' attribute should not be specified while creating a new OAuth Provider in tmsh as this will be populated automatically.

01071cbd : The last-discovery-time cannot be modified for Provider '%s'.

Location:
/var/log/ltm, tmsh

Conditions:
Modification error.
Admin attempts to modify a 'last-discovery-time' attribute of an OAuth Provider in tmsh. This operation is not allowed.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
The 'last-discovery-time' is updated on discovering auto JWT config/JWK config on TMUI. It is not allowed to modify this field in tmsh.

01071cbe : When use auto JWT config is enabled, OAuth Provider (%s) must have trusted CA present.

Location:
/var/log/ltm, tmsh

Conditions:
Misconfiguration.
An admin attempts to create an OAuth Provider with the default value 'true' for attribute use-auto-jwt-config, and does not specify trusted-ca-bundle.
Or, an admin attempts to set the value for trusted-ca-bundle to 'none' for an OAuth Provider that has the value 'true' for use-auto-jwt-config.

Impact:
This is an mcp configuration error. The object containing this configuration will not be saved.

Recommended Action:
For an Oauth Provider with use-auto-jwt-config=true, trusted-ca-bundle is a mandatory field.

01071cbf : The JWK Config (%s) cert field cannot be empty if cert-key (%s) is specified.

Location:
CLI

Conditions:
The certificate key reference field is filled in but not the certificate field itself.

Impact:
The object cannot be saved.

Recommended Action:
Either attach a certificate along with the key, or use the modulus/exponent/x/y/curve fields.

01071cc0 : %s (%s): Traffic Scrubbing Advertisement Duration must be more than zero.

Location:
/var/log/ltm

Conditions:
A DoS Profile is configured with Application enabled and Traffic Scrubbing Advertisement Duration is set to 0.

Impact:
DoS profile changes are not saved.

Recommended Action:
Set the value to a value more than zero.

01071cc1 : %s (%s): RTBH Advertisement Duration must be more than zero.

Location:
/var/log/ltm

Conditions:
A DoS Profile is configured with Application enabled and RTBH Advertisement Duration is set to 0.

Impact:
DoS profile changes are not saved.

Recommended Action:
Set the value to a value more than zero.

01071cc2 : Cannot enable both %s and %s for parameter '%s' in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
/var/log/ltm

Conditions:
Both "substitute value" and "check integrity" are enabled in an anti-fraud parameter.

Impact:
The configuration will not load.

Recommended Action:
Disable either of the 'substitute value' or 'check integrity' check boxes for the given parameter.

01071cca : Dos Signature (%s): %s is not user settable field.

Location:
/var/log/ltm, TMSH, GUI

Conditions:
This message will happen when user is trying to change unchangeable field of Dos Signature Configuration.

Impact:
The configuration is not changed.

Recommended Action:
None.

01071ccb : %s (%s): Attacked dst can not be enabled if per-destination detection/limit pps is less than 0.1%% of the corresponding vector setting.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit pps is less than 1 percent of the corresponding value of the DoS vector. The DoS vector is specified by the configuration value of the rate threshold/rate limit in the DoS vector.

Impact:
The security DoS DNS/SIP/NETWORK/Device attack vector attacked dst cannot be enabled.

Recommended Action:
Change the configuration settings of attack vector for either the per-source detection/limit pps or the rate threshold/rate limit.

01071ccc : %s (%s): Attacked dst per-destination detection/limit pps cannot be greater than the corresponding vector setting.

Location:
/var/log/ltm

Conditions:
The per-source detection/limit packets per second is greater than the corresponding DoS vector specified in the value of the rate threshold/rate limit.

Impact:
Security DoS DNS/SIP/NETWORK/Device attack vector attacked dst actor cannot be enabled.

Recommended Action:
Change the configuration settings of the attack vector for either per-source detection/limit pps or rate threshold/rate limit.

01071cd4 : %s: %s can't be deleted because %s.

Location:
/var/log/ltm, GUI, console

Conditions:
When a configuration object is not allowed to be deleted, the error message is triggered.

Impact:
No update to the related configuration.

Recommended Action:
None.

01071cd5 : %s: %s can't be modified because %s.

Location:
/var/log/ltm, GUI, console

Conditions:
When modification to a configuration object is not allowed, the error message is triggered.

Impact:
No update to the related configuration.

Recommended Action:
None.

01071cd6 : Dos Signature (%s): %s is not allowed to be reset by user once it is specified.

Location:
/var/log/ltm, console, GUI

Conditions:
This message will happen when user is trying to reset unresettable field of Dos Signature Configuration.

Impact:
The configuration is not changed.

Recommended Action:
None.

01071cd9 : Field-list contains an invalid/duplicate value.

Location:
CLI

Conditions:
An attempt has been made to add an invalid field to the field-list when creating a security log profile.

Impact:
The CLI displays an error message when creating the security log profile:

root@(cfg-sync Standalone)(autodosd DOWN)(/Common)(tmos)# create security log profile test nat {format { end-inbound-session { type field-list field-list {context_name src_ip dest_ip test } user-defined [TEST] }}}
01071bf2:3: Field-list contains an invalid/duplicate value.The message indicates an invalid field configuration. After removing the invalid field, log profile can be created/modified.

Recommended Action:
Remove the invalid field.

01071cdc : Security static PAT %s translation object '%s' address (%s) is overlapping with another address (%s) located in '%s' PAT %s translation object.

Location:
GUI, CLI

Conditions:
A security static PAT translation object contains an overlapping address with another static PAT translation object address.

Impact:
An error message is displayed and the configuration is not applied.

Recommended Action:
Remove the overlapping address/address range from the configuration.

01071cdd : Traffic-group (%s) is referenced by security NAT Policy (%s) and cannot be deleted.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a traffic group that is being referenced by a security NAT policy object.

Impact:
The operation to delete the traffic group failed.

Recommended Action:
The referenced security NAT policy object must be deleted first. Then the traffic group can be deleted.

01071cde : Traffic-group (%s) is referenced by security source translation (%s) and cannot be deleted.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a traffic group that is being referenced by a security source translation object.

Impact:
The operation to delete the traffic group will fail.

Recommended Action:
The referenced security source translation object must be deleted first. Then the traffic group can be deleted.

01071cdf : %s (%s): Dos vector (%s) does not support Attacked destination DOS attack detection.

Location:
var/log/ltm

Conditions:
Certain dos vectors do not support attacked destination detection because they are error or drop vectors for which the system does not process traffic and drop packets. Do not configure for an attacked destination.

Impact:
Not an error or defect; this is an informational type message for the user.

Recommended Action:
None.

01071ce3 : %s (%s) cannot be set to (%s) when %s (%s) is set to (%s)

Location:
/var/log/ltm, GUI, console.

Conditions:
This is a generic error message describing a validation constraint across two different objects' value(s).

The objects can be:
1) of the same type
2) different types
3) the same instance

The constraint can be:
1) over the same property
2) over different properties

The specialization of this template should tell you which object classes and specific properties it is referring to.

Impact:
Validation error.

Recommended Action:
None.

01071ce4 : %s (%s): %s feature is not supported for %s attack type.

Location:
/var/log/ltm, console, GUI

Conditions:
This will happen when configuring Dos Attack for a feature that is not supported with the specified attack type.

Impact:
The configuration in the system will not be changed.

Recommended Action:
None.

01071ce5 : %s (%s): %s cannot be enabled if %s is not enabled for %s attack type.

Location:
/var/log/ltm, console, GUI

Conditions:
This will happen when enabling a Dos Attack feature that depends on a condition that is not satisfied.

Impact:
The configuration in the system is not changed.

Recommended Action:
None.

01071ce6 : The value (%s) is invalid. Valid TTL is %s.

Location:
GUI, console

Conditions:
The error message displays if a user attempts to configure the scrubber advertisement tel and the values are not in a valid range.

Impact:
Configuration of the scrubber TTL fails unless you change one of the allowed values for the TTL.

Recommended Action:
None.

01071ce7 : Cannot configure Advertisement TTL while scrubbing is in progress.

Location:
GUI, console

Conditions:
The user is attempting to modify the scrubber advertisement TTL, while the scrubber action is already in progress for one of the monitored objects.

Impact:
Modification of the scrubber advertisement TTL will fail, unless the user configures this value once the scrubbing action is done for all the monitored objects.

Recommended Action:
None.

01071ce8 : The VLAN %s has the same tag %u as VLAN %s. So the port-fwd-mode of the interface associated with the VLAN must be set to l2wire.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. If an interface is added to a 'virtual wire' VLAN, the forwarding mode of the interface cannot be changed to the value other than 'virtual wire'.

Impact:
None.

Recommended Action:
Remove the interface from the VLAN before changing the forwarding mode property of the interface.

01071ce8 : The VLAN (%s) has the same tag %u as VLAN (%s). So the port-fwd-mode of the interface associated with the VLAN must be set to virtual-wire.

Location:
/var/log/ltm

Conditions:
This message is caused by an invalid configuration. If an interface is added to a 'virtual-wire' vlan, the port-fwd-mode cannot be changed to the value other than 'virtual-wire'.

Impact:
None.

Recommended Action:
Remove the interface from VLAN before changing the port-fwd-mode property.

01071ce9 : The Scrubber Route Domain (%s) has a destination IP (%s) that overlaps with (%s).

Location:
/var/log/ltm, console, GUI

Conditions:
When attempting to configure a scrubber-rd-network in scrubber-rt-domain, its destination IP must not overlap with other scrubber-rd-networks within the same scrubber-rt-domain.

Impact:
Validation failure.

Recommended Action:
Choose a different value.

01071ceb : Operation failed for CA bundle manager %s due to other pending operation.

Location:
/var/log/ltm

Conditions:
When a ca-bundle manager is updated more than once over a very short period of time, the keymgmtd will see two concurrent updates to the ca-bundle manager.

Impact:
The second update operation will be rejected.

Recommended Action:
Successive update to the same ca-bundle manager needs to be separated by a short time period. In most update operations, this error log will not be encountered.

01071cec : Ignoring unknown tag (%u) in %s message.

Location:
/var/log/ltm

Conditions:
High availability (HA) communication is happening with another device that sends a tag that this device does not recognize.

Although this should never happen, it might occur when the software versions differ on the devices in the HA configuration.

Impact:
The unknown tag field is ignored.

Recommended Action:
These two versions are incompatible, so they cannot communicate by DSC. Ensure that all devices are running the same version.

01071ced : MQTT monitor '%s' must have a username when password is configured.

Location:
/var/log/ltm, console, GUI

Conditions:
The message appears for a missing username in MQTT monitor when a password is configured.

01071c73:3: MQTT monitor '/Common/mon-mqtt-1.2' must have a username when password is configured.

MQTT monitor is created and it has a 'password' field filled in while 'username' field remains empty (having value "none" in tmsh).

Impact:
Submitting configuration of MQTT monitor is not accepted.

Recommended Action:
Have a non-empty value for 'username' field in the MQTT monitor when username and password credentials are required.

01071cee : Virtual %s cannot use FastL4 hash persistence profile %s when protocol is not TCP.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
You attempt to configure a FastL4 virtual server with an IP-protocol other than TCP, and then and add the hash persistence profile.

Impact:
FastL4 virtual servers when configured with IP protocol other than TCP do not support hash persistence profile configurations.

Recommended Action:
Do not configure non-TCP FastL4 with hash persistence. Use other type of virtual server if hash persistence is required.

01071cef : Policy (%s) of type %s cannot have subroutine-properties attached, policy type must be %s.

Location:
/var/log/ltm

Conditions:
This message is generated when an attempt is made to attach a subroutine to an access policy that is not of type "subroutine".

Impact:
The system cannot perform the requested operation of attaching the subroutine to a policy.

Recommended Action:
Create a policy of type "subroutine".

01071cf0 : DNS resolver must be configured for SAML metadata automation object (%s).

Location:
/var/log/ltm, VPE UI, tmsh

Conditions:
Administrator attempts to configure 'connection-properties' attribute of SAML metadata automation object. Administrator has not specified required DNS resolver in 'connection-properties' resulting in the validation error.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Specify DNS resolver in connection-properties attribute of SAML metadata automation object.

01071cf1 : SAML metadata automation object (%s) should have only one 'connection-properties' attribute configured.

Location:
/var/log/ltm, VPE UI, tmsh

Conditions:
Administrator attempts to configure SAML metadata automation object, and set more then one property 'connection-properties'.

Only a single 'connection-properties' configuration is allowed per SAML metadata automation object, so the error will be shown.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
Configure only one 'connection-properties' attribute per SAML metadata automation object.

01071cf2 : apm sso saml (%s) contains empty value in saml-attribute (%s).

Location:
/var/log/ltm, VPE UI, tmsh

Conditions:
BIG-IP system Administrator attempts to configure APM SSO SAML object. List of attributes is included in this object. The Administrator has specified an empty value for one of the attributes.

Impact:
This is an mcp configuration error. The object containing this configuration is not saved.

Recommended Action:
Remove empty values from SAML attribute of the APM SSO SAML object.

01071cf3 : Authorize redirect request (%s) must always use 'GET' method.

Location:
Console.

Conditions:
If an authorize redirect request is created with POST method, then this message displays

Impact:
Create the OAuth Request object fails.

Recommended Action:
Create authorize redirect request only with 'GET' method.

01071cf4 : Invalid %s for Monitor Test (%s) conflicts with monitor value (%s)

Location:
/var/log/ltm, tmsh, iControl REST

Conditions:
One or more of the parameters specified in the tmsh 'run ltm monitor' command to test an LTM monitor configuration are incorrect.
Specifically, the destination IP Address and/or Service Port are specified in the 'run ltm monitor' command, when the destination IP Address and/or Service Port are already specified in the LTM health monitor configuration being tested.

Impact:
A potentially-invalid or misleading monitor test is prevented from running.
If the destination IP Address and/or Service Port of an LTM health monitor is configured, that configuration will be used during the monitor test.
Preventing conflicting destination IP Address and/or Service Port parameters from being specified in the tmsh 'run ltm monitor' command helps ensure accuracy of the monitor test, and fidelity with actual behavior of the LTM health monitor as configured once assigned to an LTM node, pool member or pool.

Recommended Action:
When performing a test of an LTM monitor using the tmsh 'run ltm monitor' command, only provide destination IP Address and/or Service Port parameters which are not already configured in the LTM health monitor being tested.

01071cf5 : Invalid state (%s) for Monitor Test target (%s) marked for cleanup

Location:
/var/log/ltm

Conditions:
A monitor instance created internally for the purpose of executing the tmsh 'run ltm monitor' command (to test LTM health monitor configuration) was found to be in an unexpected state.

Impact:
The LTM monitor test result cannot be evaluated accurately.
This condition results from an invalid internal state in mcpd and/or bigd daemon processing. Therefore, it might be an indication of more significant inconsistencies within the BIG-IP configuration subsystem.

Recommended Action:
Further diagnosis of the mcpd and bigd daemons is indicated, including enabling mcpd and bigd debug logging and repeating the LTM monitor test which encountered the error condition.

01071cf6 : The current provisioning does not support the TurboFlex profile. Please provision LTM first or choose another profile suggested on the help page.

Location:
/var/log/ltm

Conditions:
TurboFlex profiles need certain provisioning to be configured. Different TurboFlex profiles have different requirements, but all of them can be configured when LTM is provisioned.

Impact:
When the user selects a TurboFlex profile, the profile does not become the active profile.

Recommended Action:
Provision LTM or other modules that support the chosen TurboFlex profile listed under the description of each profile. (The TMSH command is "show sys turboflex profile all field-fmt".)

01071cf7 : The chosen turboflex is not licensed, therefore the change cannot be made.

Location:
/var/log/ltm, GUI, tmsh

Conditions:
This only happens when the user is trying to change the active TurboFlex profile. If the user has an unthrottled license, which is also called a PAYG standard license, some TurboFlex profile will not be licensed. Therefore, choosing the unlicensed profile will trigger this message, and the change will not be made.

Impact:
The change of the desired TurboFlex profile will not be done.

Recommended Action:
If you would like the TurboFlex profile, you will need to upgrade the license from unthrottled to throttled, in other words, from PAYG standard to PAYG performance.

01071cf9 : The provision module %s requires TurboFlex profile %s. Please either un-provision the module or choose the required profile. For more information, please see 'tmsh help sys turboflex' on the command line, or look at the 'Help' tab on the TurboFlex page under Resource Provisioning.

Location:
/var/log/ltm, GUI

Conditions:
Some provisioning module can only be provisioned when a certain TurboFlex profile is set as active. Therefore, this error will appear when you are trying to provision a module when the required TurboFlex profile is not active, or when you are switching to another TurboFlex profile that does not allow a provisioned module to be provisioned that the previous profile allowed.

Impact:
The modifying action will not be done.

Recommended Action:
The error message will tell you which profile to modify with the command "tmsh modify sys turboflex profile-config type <profile>", or which modules to un-provision with command "modify sys provision <module> level none", in order for the change to occur without error.

01071cfb : Please get the Advanced Protocols or FIX add-on license to enable FIX features.

Location:
/var/log/ltm

Conditions:
The TurboFlex low latency profile cannot be enabled.

Impact:
The TurboFlex configuration will remain unchanged or will be the default configuration.

Recommended Action:
Customers will need to get an additional add-on license from F5 in order to enable the profile.

01071cfc : %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.

Location:
/var/log/ltm

Conditions:
Enabling or disabling either FIPS 140-2 compliance mode or modifying the Common Criteria DB variable (Security.CommonCriteria) changes the OpenSSL FIPS flag. Log the message. The prompt changes to 'Reboot Required'.

Impact:
The log message and the prompt change to 'Reboot Required' to remind the user to reboot for all FIPS changes to take effect.

Recommended Action:
Reboot the BIG-IP system for all processes to get initialized correctly in the compliant mode.

01071cfc : %s changing OpenSSL FIPS flag from (%d) to (%d). Reboot is required for changes to take full effect.

Location:
/var/log/ltm

Conditions:
On a BIG-IP non-VE device or hardware device that did not have a FIPS 140-2 Level 1 license, a FIPS 140-2 Level 1 license has been procured and installed.

Impact:
The system prompt changes to "REBOOT REQUIRED".

Recommended Action:
Reboot the device for the new license settings to take effect and for FIPS-specific code-paths to execute in the system OpenSSL.

01071cfd : The VLAN (%s) tag %u cannot be modified to %u once the VLAN is created. Please delete and re-create it.

Location:
/var/log/ltm

Conditions:
The configuration is invalid. The VLAN tag is not allowed to change to an existing VLAN tag when a virtual wire interface is associated with any VLANs of the same tag.

Impact:
None.

Recommended Action:
Inspect the relevant object configuration in the VLAN, trunk, and interface. You can delete the VLAN and re-create the VLAN with the tag.

01071cfe : %s (%s): AutoMitigate %s %u must be lower than AutoMitigate ceiling %u.

Location:
GUI, CLI

Conditions:
In the AFM DoS feature, the attack detection threshold is higher than the detection ceiling value set for a vector.

Impact:
An attack detection threshold that exceeds the detection ceiling value invalidates the configuration.

Recommended Action:
Reset the detection ceiling to a value higher than the threshold.

01071cff : %s (%s): AutoMitigate %s 'infinite' must be lower than AutoMitigate ceiling %u.

Location:
GUI, CLI

Conditions:
In the AFM DoS feature, the attack detection threshold value is set to Infinite while the attack detection ceiling is set to a finite value.

Impact:
The configuration is invalid.

Recommended Action:
Set the rate threshold value to a finite value that is lower than the ceiling value.

01071d00 : Maximum response size (%u) for OAuth provider (%s) must be in range of (%u-%u).

Location:
TMSH

Conditions:
When the admin specifies the maximum allowed response size for a particular provider with too large or too small of a value.

Impact:
The out of range value will not be set. The previous value remains.

Recommended Action:
The admin has to enter a value within the range.

01071d01 : Invalid value (%s) for profile %s field %s. Only integers between 0 and 4294967295 are permitted.

Location:
/var/log/ltm, console, GUI

Conditions:
When the user enters a non-integer, a negative integer, or an integer that exceeds 4294967295 in a field that's limited to unsigned long integers.

Impact:
The profile will not be updated or created until the error is corrected.

Recommended Action:
Enter a value between 0 and 4294967295 in the field indicated by the error message.

01071d02 : Size of field '%s' for monitor '%s' exceeds allowed maximum of %d bytes.

Location:
/var/log/ltm, tmsh console, iControl REST, GUI

Conditions:
When a monitor has a password, or a secret parameter, and it is being created or updated with a value exceeding the allowed maximum number of bytes.

Impact:
Upon receiving the message, a creation or modification of the object for specified monitor fails.

Recommended Action:
Set the size of the identified parameter within the specified limit.

01071d03 : Encryption object is too big.

Location:
/var/log/ltm, tmsh console, iControl REST, GUI

Conditions:
There is an object which has a parameter stored in Secure Vault, and the size of the parameter, in bytes, exceeds a documented limit during the object creation or modification.

Impact:
An operation on the object creation or modification fails.

Recommended Action:
Set the parameter's value with the documented limit.

01071d04 : Encryption failed.

Location:
/var/log/ltm, tmsh console, iControl REST, GUI

Conditions:
There is an object which has a parameter stored in Secure Vault and encryption of the parameter fails during the object creation or modification.

Impact:
An operation on the object creation or modification fails.

Recommended Action:
None.

01071d05 : %s is not a valid IP address or hostname.

Location:
/var/log/ltm, console, GUI

Conditions:
For apm::aaa::active-directory, provide invalid ip or FQDN hostname for domain-controller.

Impact:
Configuration cannot be saved.

Recommended Action:
Supply valid ip or hostname for the value.

01071d06 : Overlapping %s IP addresses (%s) is in NAT policy '%s', rule '%s'.

Location:
/var/log/ltm

Conditions:
There are overlapping IP addresses in a NAT policy rule.

Impact:
No impact. Message is informational only

Recommended Action:
None.

01071d07 : The VLANGROUP (%s) is composed of VLAN (%s) of tag %u with %s member (%s). A similar VLANGROUP must be created first and be composed of VLAN of tag '4096' with member (%s).

Location:
/var/log/ltm

Conditions:
The BIG-IP system has an invalid VLAN Group configuration.

Impact:
The BIG-IP system logs an error message.

Recommended Action:
Inspect the relevant object configuration in the VLAN Group, VLANs, and the interface used in virtual-wire configuration. Then create VLANs of tag 4096 with the same interface, and create another VLAN Group with those VLANs.

01071d08 : Connectivity profile (%s) does not exist.

Location:
/var/log/ltm

Conditions:
The connectivity profile does not exist even when a handle is on it. A race condition might have occurred.

Impact:
Upgrading or modifying a connectivity profile is likely to fail for the object in question.

Recommended Action:
To avoid race conditions, do not have multiple tmsh sessions editing the connectivity profiles.

01071d09 : Management auto-lasthop (%s) can't be disabled on a 1-NIC platform.

Location:
/var/log/ltm

Conditions:
The user tries to disable management auto-lasthop ("tmsh modify ltm global-settings general mgmt-auto-lasthop") on VE system configured with 1-NIC.

Impact:
Management auto-lasthop cannot be disabled.

Recommended Action:
None.

01071d09 : Invalid multicast address '%s' specified for multicast-ip.

Location:
/var/log/ltm

Conditions:
An invalid multicast address has been specified in the cm/device configuration. IPv4 multicast addresses must be in the 224.0.0.0/4 subnet and IPv6 multicast addresses must use the ff00:/8 prefix.

Impact:
Multicast failover packets do not work on the multicast interface, thus reducing the reliability of operation in high-availability (HA) cluster.

Recommended Action:
Configure a valid multicast address on all devices in the HA cluster.

01071d0a : adm: %s

Location:
Those messages wraps Behavioral Signature debug logs independent for development team to investigate an issue.

Conditions:
Those massages should only be activate if a further investigation of an issue is required.

Impact:
no impact

Recommended Action:
no workaround

01071d0a : Policy (%s) of type %s cannot have per-req-policy-properties attached, policy type must be %s.

Location:
cli

Conditions:
A user has tried to add a per-req-policy-properties object to an Access policy that is not of type "per-rq-policy" or "sslo-policy".

Impact:
The operation to add the per-req-properties object fails.

Recommended Action:
Add the per-req-policy-properties object to a policy of the correct type.

01071d0b : adm: %s

Location:
This log message is contained in internal Behavioral Signatures error logs.

Conditions:
Those errors could be caused by a broken feature or critical system errors.

Impact:
Behavioral signatures will not be managed correctly.

Recommended Action:
no workaround

01071d0b : Configuration error: Virtual Server (%s) with Access Profile of type sslo is not compatible with profile of type (%s).

Location:
/var/log/ltm, GUI

Conditions:
For a virtual server, an attempt has been made to assign a type of profile that is incompatible with an SSLO Access profile assigned to that virtual server. The two profiles are incompatible.

Impact:
This results in an invalid configuration.

Recommended Action:
None.

01071d0c : adm: %s

Location:
This log message wraps internal Behavioral Signatures warning logs.

Conditions:
Those errors usually refer to invalid signatures, usually self created by using the tmsh.

Impact:
The signature will not be created / modified.

Recommended Action:
Those warnings should explain what went wrong which will explain how to fix the issue.

01071d0c : Configuration error: Access Profile of type sslo is not compatible with exchange profile.

Location:
/var/log/ltm, GUI

Conditions:
An attempt has been made to add or modify both the exchange property for SSLO and an SSLO Access profile. They are incompatible.

Impact:
This results in an invalid configuration.

Recommended Action:
None.

01071d0d : adm: %s

Location:
Those messages wraps Behavioral Signature information logs.

Conditions:
Those logs indicates the successful transaction with the added / modified signature.

Impact:
no impact.

Recommended Action:
no workaround

01071d0d : Configuration error: Virtual server (%s) cannot be used for connector profile (%s), type must be internal.

Location:
/var/log/ltm, GUI

Conditions:
The user has specified a virtual server as a connector profile's entry virtual server, while the virtual server type is not set as type "nternal".

Impact:
The user cannot successfully deploy an SSL orchestrator using a connector profile.

Recommended Action:
Either remove the entry virtual server property from the connector profile, or change the virtual server's type to "internal".

01071d0e : Global ASM health alerts configurations error: %s

Location:
tmsh

Conditions:
In tmsh when trying to configure new ASM alert with illegal value.

Example:
(/Common)(tmos)# modify asm health-alerts tmm-cpu-utl-threshold 200
01071d06:3: Global ASM health alerts configurations error: tmm CPU utilization threshold can't be more than 100.

Example:
root@(eddie)(cfg-sync Disconnected)(monpd DOWN)(/Common)(tmos)# modify asm health-alerts backlog-msg-queue-utl-threshold 900
01071d06:3: Global ASM health alerts configurations error: backlog message queue utilization threshold can't be more than 100.

Impact:
The threshold for the specific ASM alert will not be configured unless a legal value is given.

Recommended Action:
Provide legal value to the threshold field.

01071d0e : Configuration error: Connector profile (%s) cannot be attached to virtual server (%s) when per-request policy (%s) is attached to this virtual server. Attach service connect agent to the per-request policy instead.

Location:
/var/log/ltm, GUI

Conditions:
The user has tried to attach a connector profile to a virtual server when a per-request policy is attached to the same virtual server.

Impact:
The user cannot successfully configure an SSL orchestrator deployment.

Recommended Action:
Either attach a connector profile to a virtual server, or attach a per-request policy to it, and attach service connect agent to the per-request policy.

01071d0f : Configuration error: Virtual server (%s) used by connector profile (%s) must have a service profile attached.

Location:
/var/log/ltm, GUI

Conditions:
The user has tried to specify an entry virtual server for a connector profile when a service profile is attaching to this virtual server.

Impact:
The user cannot configure a SSL orchestrator deployment successfully.

Recommended Action:
Either remove the service profile from the virtual server, or set the entry virtual server of the connector profile to "none".

01071d10 : Configuration error: Virtual server (%s) used by connector profile (%s) with inline service profile (%s) must have a splitsession client profile attached.

Location:
/var/log/ltm, GUI

Conditions:
The user has tried to specify an entry virtual server of a connector profile when:

1) The virtual server is attached to an inline, inline-http, or inline-http-explicit service profile, and

2) The virtual server does NOT have a split session client profile attached

Impact:
The user cannot configure the SSL orchestrator deployment successfully.

Recommended Action:
Doone of the following:

1) Set connector profile's entry virtual server to "none".
2) Change the service profile's type so that it's not any of the inline types.
3) Attach a split session client profile to the virtual server.

01071d12 : Cannot delete the Anti-Fraud URL '%s' since it is referenced by the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.

Location:
/var/log/ltm, TMSH and GUI

Conditions:
Trying to delete a 'Base URL' while it has 'View URL' children

Impact:
Configuration failed

Recommended Action:
Delete all VIews before deleting it's parent 'Base URL'

01071d13 : Anti-Fraud Base URL '%s' must exist before creating the Anti-Fraud View '%s' in the Anti-Fraud Profile '%s'.

Location:
/var/log/ltm, TMSH and GUI

Conditions:
Trying to create a 'View URL' before its parent 'Base URL'

Impact:
Configuration load fails

Recommended Action:
Create 'Base URL' before crating its 'View URLs'

01071d14 : '%s' can be modified only for a 'Base URL', while the Anti-Fraud URL '%s#%s' is a 'View URL' in the Anti-Fraud Profile '%s'.

Location:
/var/log/ltm, TMSH and GUI

Conditions:
Trying to set a 'Base URL only' attribute in an View URL object.

Impact:
Configuration load fails

Recommended Action:
set 'Base URL only' attributes only in a Base URL objects.

01071d15 : Configuration error: access log configuration (%s) is part of system configuration, so it cannot be deleted.

Location:
/var/log/ltm, CLI, GUI

Conditions:
User attempted to delete the default APM log setting configuration.

Impact:
Deleting the default APM log setting configuration is disallowed.

Recommended Action:
None.

01071d16 : DNS profile (%s) cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A change was made to the configuration of a DNS profile such that both edns0 client subnet insertion and DNS caching are set to enabled.

Impact:
The current implementation of the DNS cache is not client subnet aware and therefore might cache responses for all clients when the scope of the response is actually much narrower. Consequently, the configuration changes are dropped.

Recommended Action:
Enable the DNS cache by disabling edns0 client subnet insertion (or vice versa). This can be accomplished in the same command/transaction:

tmsh modify ltm profile dns <profile_name> enable_cache <yes/no> cache <cache_name/none> edns0-client-subnet-insert <disabled/enabled>

01071d16 : Configuration error: sslo log configuration (%s) is part of system configuration, so it cannot be deleted.

Location:
/var/log/ltm, CLI, GUI

Conditions:
The user attempted to delete the default SSLO log setting configuration.

Impact:
Deleting the default SSLO log setting configuration is disallowed.

Recommended Action:
None.

01071d17 : DNS profile (%s) inherits options from DNS profile (%s) and cannot have both edns0 client subnet insertion and the DNS cache enabled simultaneously.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A change was made to the configuration of the parent DNS profile so that a child DNS profile that inherits default options from the parent profile has entered an invalid state with both edns0 client subnet insertion and DSN caching enabled.

Note that the child profile might or might not be an immediate child of the parent and it is possible for the child to have one or more profiles between it and the parent profile.

Impact:
The current implementation of the DNS cache is not client subnet aware and therefore might cache responses for all clients when the scope of the response is actually much narrower. Consequently,the configuration changes are dropped.

Recommended Action:
Change the child profile so that it does not enter an invalid state. If the child profile explicitly sets a configured value rather than using the default value from the parent profile, then changing an option on the parent profile's configuration does not affect the same option on the child.

Setting the child's edns0-client-subnet-insert option to "disabled" or the cache-enabled option to "no" should allow changes to the parent profile.

01071d18 : The IP::port(%s:%d) to be dedicated, can't be shared. Refer pools(%s, %s)

Location:
/var/log/ltm

Conditions:
A pool member that is in a pool dedicated to traffic acceleration cannot also be part of another pool.

Impact:
The configuration is rejected.

Recommended Action:
Change the pool member to be in only one of the pools mentioned in the error message.

01071d19 : The IP(%s) to be dedicated, can't be shared.

Location:
/var/log/ltm

Conditions:
A member of a SNAT pool that is being used for traffic acceleration is shared between two SNAT pools.

Impact:
The configuration is rejected.

Recommended Action:
Change the configuration so that the SNAT pool member is being used in one SNAT pool only.

01071d1a : The dedicated snatpool member address (%s) matches a selfip address (%s)

Location:
/var/log/ltm

Conditions:
A SNAT pool member address matches a self IP address.

Impact:
The configuration is rejected.

Recommended Action:
Change the IP address of either the self IP or the SNAT pool member.

01071d1b : The VIP(%s) needs pool(%s) or snatpool(%s) as dedicated for Accelerated traffic only

Location:
/var/log/ltm

Conditions:
The configuration has assigned a pool or a SNAT pool to both a virtual server that is traffic accelerated and a virtual server that is not traffic accelerated.

Impact:
The configuration is rejected.

Recommended Action:
Remove the pool or SNAT pool from the non-traffic-accelerated virtual server.

01071d1b : Virtual server (%s) requires clientssl profile when the ftps-mode in FTP profile (%s) is require.

Location:
/var/log/ltm

Conditions:
A virtual server has an FTP profile, but no SSL profiles, assigned to it. Also, the FTP profile has FTPS mode set to "none" or "require".

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.

01071d1c : The VIP(%s) in DSR mode, expect source-address-translation type(%d) as none

Location:
/var/log/ltm

Conditions:
In the configuration of the virtual server, both DSR mode and Source Address Translation are enabled.

Impact:
The configuration is rejected.

Recommended Action:
Disable either DSR mode or Source Address Translation for the virtual server.

01071d1d : The TrafficAcceleration profile(%s) does not support persist-mode(%d)

Location:
/var/log/ltm

Conditions:
A traffic acceleration profile is set to an invalid persist mode. The only persistence mode that is supported for traffic acceleration is Source Address.

Impact:
The configuration is rejected.

Recommended Action:
Assign the traffic acceleration profile to either no persistence or Source Address persistence.

01071d1e : The VIP(%s) does not support persistence profiles(%s) because it is dedicated for traffic-acceleration

Location:
/var/log/ltm

Conditions:
A persistence profile is assigned to a virtual server dedicated to traffic acceleration via Traffic Acceleration Module (TAM). TAM does not support persistence profiles.

Impact:
The configuration is rejected.

Recommended Action:
Remove either the persistence profile or the traffic-acceleration profile that is assigned to the virtual server.

01071d1f : The VIP(%s) does not support last hop pools because it is dedicated for traffic-acceleration

Location:
/var/log/ltm

Conditions:
A last hop pool is assigned to a virtual server dedicated to traffic acceleration via Traffic Acceleration Module (TAM). TAM does not support last hop pools.

Impact:
The configuration is rejected.

Recommended Action:
Remove either the last hop pool or the traffic-acceleration profile assigned to the virtual server.

01071d20 : The Pool(%s) does not support load-balancing mode(%u) because it is in use for traffic-acceleration

Location:
/var/log/ltm

Conditions:
An invalid load balancing mode is configured for a pool assigned to a Traffic Acceleration Module (TAM) virtual server. The only supported load balancing modes are Round Robin and Ratio Member.

Impact:
MCPD rejects the configuration.

Recommended Action:
Assign either the Round Robin or the Ratio Member load balancing mode to the pool assigned to the virtual server.

01071d23 : MQTT multiple peers on %s %s not supported.

Location:
/va/log/ltm

Conditions:
The MQTT protocol is attached to a Message Routing virtual server, and multiple message-routing peers are being attached to an MQTT route.

Impact:
The configuration fails. This is a validation check.

Recommended Action:
Ensure that an MQTT route does not have multiple peers, and the configuration should successfully load.

01071d24 : MQTT %s %s refers to non-existing %s %s.

Location:
/var/log/ltm

Conditions:
The MQTT protocol is attached to a Message Routing virtual server, and in an MQTT peer or route configuration, a peer or route is referencing a non-existent pool or peer.

Impact:
The configuration fails. This is a validation check.

Recommended Action:
Check whether the peer or pool being referenced by the route or peer exists. Check for any name mismatches or create the appropriate configuration objects. The configuration should successfully load.

01071d25 : \'%s\' at rule %s is %s by virtual server %s of type %s.

Location:
GUI, CLI

Conditions:
The virtual server is configured not as flow-based. For example, the command "virtual" does not work when the virtual server is message-routing.

Impact:
Some iRule commands cannot run, and the error prevents the configuration from loading.

Recommended Action:
Fix the tcl script by deleting the offending command.

01071d25 : Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an IMAP profile.

Location:
/var/log/ltm, CLI, GUI

Conditions:
Connection mirroring is configured with an IMAP profile.

Impact:
This is an invalid configuration.

Recommended Action:
Do not use connection mirroring in IMAP profiles.

01071d26 : Error configuring Virtual Server (%s). Connection mirroring is not supported in combination with an POP3 profile.

Location:
/var/log/ltm, CLI, GUI

Conditions:
An attempt was made to configure connection mirroring with an IMAP profile.

Impact:
The configuration fails.

Recommended Action:
Do not use connection mirroring on POP3 profiles.

01071d27 : Error parsing SAML assertion consumer service url: (%s) in SAML SP connector (%s)

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
In an Access Policy Manager (APM) Single Sign-On (SSO) saml-sp-connector object, one of the specified assertion consuming services contains an improperly structured URL.

Impact:
The object containing this configuration is not saved. This is an MCP configuration error.

Recommended Action:
Verify that the provided URL is correct. If the URL is not correct, specify the correct URL in the assertion consuming services of the APM SSO saml-sp-connector object.

01071d28 : 'sp-location' in SAML SP connector (%s) is set to internal-multi-domain, but the virtual server where SP is located is not specified in 'multi-domain-location' property.

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
For an Access Policy Manager (APM) Single Sign-On (SSO) saml-sp-connector object, an administrator has set the "sp-location" property to "internal-multi-domain", even though the "multi-domain-location" property is not specified.

Impact:
The object containing this configuration is not saved. This is an MCP configuration error.

Recommended Action:
In the object's "multi-domain-location" property, specify the URL for the virtual server location behind which the SAML service provider is located. The location must contain the scheme and hostname only, for example, https://application.f5.com.

01071d28 : Virtual server (%s) requires clientssl profile (%s) to enable SSL forward proxy when FTP profile (%s) is present.

Location:
/var/log/ltm

Conditions:
A virtual server is configured as follows:

1) An FTP profile and SSL profiles assigned to it, and
2) The FTPS mode in the FTP profile is set to "none" or "require", and
3) The SSL profiles have forward proxy disabled.

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.

01071d29 : Multidomain location (%s) of SAML SP connector (%s) is invalid: (%s). Location must begin with http or https and must contain hostname with no path.

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
In an Access Policy Manager (APM) Single Sign-On (SSO) saml-sp-connector object, the configured property "multi-domain-location" is not in the expected format.
For example, the location URI must not contain a path part or query parameters.

Impact:
The object containing this configuration is not saved. This is an MCP configuration error.

Recommended Action:
For the object's "multi-domain-location" property, specify the URL for the virtual server location behind which the SAML service provider is located. The location must contain the "http" or "https" scheme and the hostname, for example, https://application.f5.com.

01071d29 : Virtual server (%s) requires clientssl profile (%s) to enable SSL verified handshake when FTP profile (%s) is present.

Location:
/var/log/ltm.

Conditions:
A virtual server is configured with an FTP profile and SSL profiles, and the SSL profiles have forward proxy enabled.

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.

01071d2a : Cipher rule (%s): '%s' is not a valid %s.

Location:
/var/log/ltm

Conditions:
When creating a cipher rule, either an invalid DH Group or an invalid Signature Algorithm was specified. The error will contain which had an issue, and the exact issue.

Impact:
The cipher rule will not be created or modified.

Recommended Action:
Only use correct DH Groups and correct Signature Algorithms.

01071d2a : When OpenID Connect is enabled for OAuth profile (%s) and the alg type for %s primary key (%s) is 'HS512', the client secret for all associated Client apps with OpenID Connect enabled should be of size 64 bytes. Please re-generate the client secret for Client app (%s).

Location:
/var/log/ltm, TMSH

Conditions:
There is an OAuth Profile configuration or an OAuth Client App configuration that has:

1) "Support OpenId Connect" enabled, and
2) An ID token primary key and/or UserInfo primary key that is set as HS512, and

The size of the client secret for associated client apps is not 64 bytes in length.

Impact:
Saving the configuration fails.

Recommended Action:
Regenerate the client secret so that it is 64 bytes in length, and then save.

01071d2b : ID token lifetime (%u) for %s (%s) must be in range of (%u-%u).

Location:
/var/log/apm, GUI, CLI

Conditions:
The administrator has set an ID token lifetime out of its valid range. Both the OAuth profile and the Client App configuration have an ID token lifetime setting.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Set a valid ID token lifetime in OAuth Profile and OAuth Client App.

01071d2b : Virtual server (%s) cannot have connector profiles when allow-active-mode in FTP profile (%s) is enabled.

Location:
/var/log/ltm

Conditions:
A virtual server is configured with both an FTP profile and a connector profile, and the FTP profile with the allow_active_mode option is enabled.

Impact:
The virtual server creation or modification is rejected.

Recommended Action:
None.

01071d2c : When OpenID Connect is enabled, a JWK config must be assigned as the ID Token Primary Key for OAuth Profile (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
In OAuth profile, the ID token primary key is not selected when OpenID Connect is enabled.

Impact:
The BIG-IP system logs and displays an error message.

Recommended Action:
In the OAuth profile, set the ID token primary key when OpenID Connect is enabled.

01071d2d : When OpenID Connect is enabled, support for JWT token should be enabled for OAuth profile(%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
In OAuth Profile, JWT token support is not enabled when OpenID Connect support is enabled.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the OAuth Profile, enable JWT token support when OpenID Connect support is enabled.

01071d2f : The OAuth profile (%s) does not allow JWK config (%s) with duplicate key-id (%s) of type (%s) within UserInfo Primary Key and Rotation Keys.

Location:
/var/log/apm, GUI, CLI

Conditions:
In an OAuth profile, UserInfo Primary Key and Rotation Keys are set to JWK config with duplicate key-id and key type.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the OAuth profile, do not set UserInfo Primary Key and Rotation Keys to JWK config with duplicate key-id and key type.

01071d30 : OAuth claim (%s) has invalid value (%s). For '%s' claim, allowed value is a numeric value or a valid session variable.

Location:
The save operation on an object or a configuration load operation fails.

Conditions:
Some OAuth claim (for example: updated_at) has an invalid value (that is, not a valid number or a session variable).

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Configure a specific OAuth claim (such as: updated_at) to have a valid value (that is, a valid number or a session variable).

01071d31 : Authentication type for Client app (%s) is not valid. When OpenID Connect is enabled for OAuth profile (%s) and the key type for %s primary key (%s) is 'octet', then all associated Client apps with OpenID Connect enabled should have the authentication type as 'Secret'.

Location:
/var/log/ltm, CLI

Conditions:
There is an OAuth Profile configuration or an OAuth Client App configuration that has:

1) "Support OpenId Connect" enabled, and
2) An ID token primary key and/or UserInfo primary key that is of type "Octet", and

The authentication type for the Client app is not "Secret".

Impact:
Saving the configuration fails.

Recommended Action:
Change the authentication type of the Client app to "Secret" and save the object.

01071d32 : The OAuth profile (%s) does not allow JWK config with duplicate key-id (%s) of type (%s) within %sPrimary Key (%s) and %sPrimary Key (%s).

Location:
/var/log/apm, GUI, CLI

Conditions:
In an OAuth profile, JWK with duplicate kid and key type are selected among JWT Access Token primary key, ID token primary key, or UserInfo primary key.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In OAuth profile, do not set the JWT Access Token primary key, ID token primary key, and/or UserInfo primary key to JWK config with duplicate key-id and key type.

01071d33 : JWK config (%s) cannot be configured to use both client secret and shared secret for key type octet.

Location:
/var/log/ltm, CLI

Conditions:
A JWT key configuration is created with type "octet", and the key is configured to use both a client secret and a shared secret.

Impact:
The object is not saved.

Recommended Action:
Ensure that the JWT key configuration with type "octet" is configured to use either a client secret or a shared secret, but not both.

01071d34 : In JWT config (%s), the %s JWK config (%s) cannot be configured to use client secret when key type is octet.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A JWT key that is configured to use a client secret for type "octet" is associated as a blocked or allowed key in a JWT token configuration.

Impact:
The object is not saved.

Recommended Action:
Ensure that a JWT key configuration with type "octet" and a shared secret is associated with JWT token configuration as an allowed or blocked key.

01071d36 : JWK config (%s) is %sconfigured to use client secret for key type octet. Hence, this cannot be used as %s primary key in %s (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
This appears in either of the following scenarios:

1) A JWT key configuration of type 'octet' is configured to use a client secret and it is assigned as a JWT primary key in the OAuth profile.

2) A JWT key configuration of type 'octet' is configured to use a shared secret and it is assigned as an ID Token primary key in the OAuth profile.

Impact:
The object is not saved.

Recommended Action:
If the JWT key is configured as a JWT primary key in the OAuth profile, do not configure the key to use a client secret.

If the JWT key is configured as an ID token primary key in the OAuth profile, configure the key to use a client secret.

01071d36 : The prefix (%s) is a reserved word and claim name (%s) cannot be used for the claim (%s). Please remove or change the prefix to continue.

Location:
GUI, CLI

Conditions:
An administrator is trying to configure a claim name that has a reserved prefix.

Impact:
The BIG-IP system rejects the new claim configuration.

Recommended Action:
Change or remove the reserved prefix of the claim name.

01071d37 : %s claim (%s) cannot be associated with %s (%s) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An OAuth claim with a claim name address is associated as an ID Token claim or UserInfo claim in the OAuth profile or Client App configuration.

Impact:
The object is not saved.

Recommended Action:
Do not associate an OAuth claim with claim name "address" as an ID Token or UserInfo claim in an OAuth Profile or Client app configuration. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim "address".

01071d38 : %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d) since the claim name is 'address'. Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An OAuth claim with claim name "address" is associated as an ID Token claims or UserInfo claim in the OAuth Authorization agent.

Impact:
The object is not saved.

Recommended Action:
Do not associate an OAuth claim with claim name "address" as an ID Token or UserInfo claim in an OAuth Authroization agent. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim "address".

01071d39 : The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with %s (%s). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator has changed the name of the claim to "address", and the claim is associated as an ID Token or UserInfo claim in the OAuth profile or client app.

Impact:
The object is not saved.

Recommended Action:
Do not change name of the claim to "address" if the claim is associated as an ID Token or UserInfo claim in the OAuth profile or client app. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

01071d3a : The claim name of the Claim (%s) cannot be changed to 'address' because this claim is part of %s claims that is associated with OAuth Authorization agent (%s), entry (%d). Please create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator has changed the name of the claim to "address", and the claim is associated as an ID Token or UserInfo claim in the OAuth Authorization agent.

Impact:
The object is not saved.

Recommended Action:
Do not change name of the claim to "address" if the claim is associated as an ID Token or UserInfo claim in the OAuth Authorization agent. Instead, create and associate claims with claim name (street_address, locality, region, postal_code, country) that are sub-fields of this claim.

01071d3b : %s claim (%s) cannot be associated with %s (%s). The claim value must be set to 'true', 'false' or a valid session variable.

Location:
GUI, CLI

Conditions:
The “email_verified” and “phone_number_verified” claims are not set to “true”, “false”, or a valid session variable, and these claims are associated with an OAuth profile’s or client app’s “ID Token” or “UserInfo” claim.

Impact:
Saving a claim object fails.

Recommended Action:
Change the claim values to a recommended value, that is, "true", "false", or a valid session variable.

01071d3c : %s claim (%s) cannot be associated with OAuth Authorization agent (%s), entry (%d). The claim value must be set to 'true', 'false' or a valid session variable.

Location:
GUI, CLI

Conditions:
The "email_verified" and "phone_number_verified" claims are not set to "true", "false", or a valid session variable, and the claims are associated with OpenID-relaed claims on the OAuth Authorization agent.

Impact:
Saving a claim object fails.

Recommended Action:
Either set each claim value to a recommended value, or do not associate the claims with the OAuth Authorization agent.

01071d3d : The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on %s (%s).

Location:
GUI, CLI

Conditions:
The "phone_number_verified" or "email_verified" claim is not set to "true", "false", or a valid session variable, and the claim is attached to an OAuth profile's or client app's OpenID-related claim.

Impact:
The claim object is not saved.

Recommended Action:
Set the claim values to a recommended value, that is, "true", "false", or a valid session variable.

01071d3e : The claim value must be set to 'true', 'false' or a valid session variable for Claim (%s) when it is attached to %s claims on OAuth Authorization agent (%s), entry (%d).

Location:
GUI, CLI

Conditions:
When modified, the 'phone_number_verified' or 'email_verified' claim is not set to "true", "false", or a valid session variable, and the claim is attached to an OAuth profile's or client app's OpenID-related claim.

Impact:
The claim object is not saved.

Recommended Action:
Set each claim to a recommended value, that is, "true", "false", or a valid session variable.

01071d3f : Can't find prime AVR-profile.

Location:
/var/log/audit, /var/log/ltm, GUI, CLI

Conditions:
An expected AVR base/prime profile does not exist on the system.

Impact:
This message is a sanity check to ensure that the base/prime profile for AVR was created successfully. AVR functionality might not work as expected. Also, AVR profile creation and modification might not be possible.

Recommended Action:
None.

01071d40 : Can't generate more than %d %s when collecting AVR statistics.

Location:
tmsh

Conditions:
The error appears when the user tries to add more than the maximum limit of IP addresses, URLs, countries or subnet IP addresses to the predefined lists. The current maximum limit per list is 10.

For example:
1) modify ltm profile analytics analytics ips-for-stat-collection add {172.29.54.1 172.29.54.2 172.29.54.3 172.29.54.4 172.29.54.5 172.29.54.6 172.29.54.7 172.29.54.8 172.29.54.9 172.29.54.10 172.29.54.11 172.29.54.12}


2) modify ltm profile analytics analytics urls-for-stat-collection add {/url1 /url2 /url3 /url4 /url5 /url6 /url7 /url8 /url9 /url10 /url11}

Impact:
N/A

Recommended Action:
Verify that the number of items per list after running the command will not exceed the maximum limit.

01071d41 : Can't generate a list of %s because 'collect_%s' flag is disabled.

Location:
tmsh

Conditions:
The error appears when:

1. Running the following TMSH command when the 'collect_ip' flag is disabled:
 modify ltm profile analytics analytics ips-for-stat-collection add { <ip address>}


2. Running the following TMSH command when the 'collect-geo' flag is disabled:
 modify ltm profile analytics analytics countries-for-stat-collection add {<countries>}


3. Running the following TMSH command when the 'collect-subnets' flag is disabled:
 
modify ltm profile analytics analytics subnets-for-stat-collection add {<subnet ips>}


4. Running the following TMSH command when the 'collect-url' flag is disabled:
    modify ltm profile analytics analytics urlss-for-stat-collection add {<urls>}

Impact:

Recommended Action:
Enable the specific flag and rerun the command.

01071d41 : Anti-Fraud View '%s' is invalid. View must be non-empty string with size less than %u and should contain only valid characters in the Anti-Fraud Profile '%s'.

Location:
tmsh console, /var/log/ltm

Conditions:
trying to configure an empty view ID (A.K.A view name)

Impact:
configuration failure

Recommended Action:
while configuring views, use a non-empty name

01071d42 : Can't generate list of counties because the '%s' is invalid.

Location:
CLI

Conditions:
The following TMSH command has been run with an invalid country name:
modify ltm profile analytics analytics countries-for-stat-collection add {"country name"}

Impact:
The operation to generate a list of countries fails.

Recommended Action:
Run the TMSH command with a valid country name. If the country name has multiple words, write the name in the following format: "<country name>". Use TAB to see the list of valid countries.

01071d43 : Can't generate list of urls because the '%s' URL's length is exceeded maximum %1d.

Location:
TMSH

Conditions:
The error appears when running the following TMSH command with a URL that exceeded the maximum allowed length of 255 characters:

list ltm profile analytics analytics urls-for-stat-collection add {<url>}

Impact:

Recommended Action:
Run the command with a URL that does not exceed the maximum allowed length.

01071d44 : The Traffic Matching Criteria (%s) is already in use by another Netflow Protected Server (%s).

Location:
/var/log/ltm

Conditions:
Validation error. Each Netflow Protected Server object must reference a unique Traffic Matching Criteria. A Traffic Matching Criteria cannot service more than one Netflow Protected Server.

Impact:
Validation error might lead to configuration load, upgrade, and sync failures.

Recommended Action:
Remove one of the references to Traffic Matching Criteria before assigning it to the intended Netflow Protected Server.

01071d44 : Invalid type %s for %s %s. All the %s should be the same type (IPv4 ot IPv6).

Location:
CLI

Conditions:
The user has run the following TMSH commands to add IP addresses or subnet IP addresses to the predefined list, where one or more of the IP addresses are not the same IP address version:

1. modify ltm profile analytics analytics ips-for-stat-collection add {<ip address>}

2. modify ltm profile analytics analytics subnets-for-stat-collection add {<subnet ip>}

Impact:
An error message appears.

Recommended Action:
Verify that the IP addresses/subnet IP addresses in the predefined lists are the same version.

01071d45 : Invalid Netflow Protected Server [%s] name for stopping redirection

Location:
/var/log/ltm

Conditions:
When trying to stop redirection on a non-existent Netflow Protected Server.

Impact:
Validation error.

Recommended Action:
Reference an existant Netflow Protected Server.

01071d45 : Discovery interval (%u) for OAuth provider (%s) must be greater than (%u) minutes.

Location:
/var/log/ltm

Conditions:
An attempt is made to set the discovery interval to a value that is less than 60.

Impact:
The discovery interval remains unchanged.

Recommended Action:
Change the discovery interval to a value that is greater than 60.

01071d46 : Netflow Protected Server (%s) cannot have a Traffic Matching Criteria that references a route domain.

Location:
/var/log/ltm, CLI

Conditions:
The system cannot validate the system configuration.

Impact:
The configuration fails.

Recommended Action:
In the traffic matching criteria for a Netflow Protected Server, do not reference a route domain.

01071d47 : (%s) has an invalid mask %u.

Location:
/var/log/ltm

Conditions:
Configuration validation, when an IP Address is configured with invalid mask. For example, 10.10.0.1/24 should be 10.10.0.1/32.

Impact:
Configuration exception.

Recommended Action:
Provide the correct mask.

01071d49 : Specified compatibility level-%d is too high. That level includes feature settings that are not supported for this platform.

Location:
/var/log/ltm

Conditions:
The user has set the compatibility level to one that is not allowed on the current platform.

Impact:
None.

Recommended Action:
Enter a supported compatibility level for the platform.

01071d4a : Security FlowSpec: %s: router-id(%s) is not a valid IPv4 address.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The security flowspec-route-injector profile or its neighbor is configured incorrectly.

Impact:
The related configuration will not be in the system.

Recommended Action:
None.

01071d4b : Security FlowSpec: %s: %s (%s) has mis-matched route domain (%d).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The security flowspec-route-injector profile or its neighbor is configured incorrectly.

Impact:
The related configuration will not be in the system.

Recommended Action:
None.

01071d4c : Route domain (%s) can not have both 'Security Flowspec BGP' and 'Zebos BGP' routing planes enabled at the same time.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration referenced in the error message prevents a configuration object from being updated.

Impact:
The relevant configuration is not updated.

Recommended Action:
Revise the configuration.

01071d4d : Security FlowSpec: %s: missing required field(s) %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Change the required field or fields.

01071d4e : Security FlowSpec: %s: must have at least one 'neighbor' specified.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Specify at least one neighbor.

01071d4f : Security FlowSpec: %s: The datatype (%d) for inherited fields is missing.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Specify the data type referenced in the error message.

01071d50 : Security FlowSpec: %s: %s is non-mutable field.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Fix the invalid configuration referenced in the error message.

01071d51 : Security FlowSpec: %s: %s doesn't have matched address family.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The configuration described in the error message is invalid.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Fix the invalid configuration referenced in the error message.

01071d52 : The attribute (%s) for (%s) cannot be none.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A value is set to "none".

Impact:
The validation fails.

Recommended Action:
Change configuration to a valid non-zero value, or set using default keyword.

01071d54 : The value (%lld) for attribute (%s) for (%s) must be within range %s.

Location:
/var/log/ltm, CLI

Conditions:
A configured value is invalid because it is out of the allowed range.

Impact:
The configuration fails to load.

Recommended Action:
Set the value within the range specified in the error message.

01071d55 : Security FlowSpec: %s: can not refer route domain (%s) which is neither in the same partition as profile nor in /Common partition.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The route domain is not in the same administrative partition as the profile or in partition /Common.

Impact:
The relevant configuration will not be updated.

Recommended Action:
Fix the configuration so that the route domain is in the correct administrative partition.

01071d56 : Limit on the number of extended white list entries (%u) has been reached. Please modify the value of dos.maxewlsize to allow more entries.

Location:
/var/log/ltm

Conditions:
The number of extended white list entries that can be configured on Neuron platforms exceeds the value set in the db variable dos.maxewlsize.

Impact:
The configuration is rejected. Applies to Neuron platform, DOS extended white list.

Recommended Action:
Change the value of dos.maxewlsize (max value 1024) to allow more extended white list entries.

01071d57 : The %s (%s) attribute %s can only reference objects in partition %s.

Location:
/var/log/ltm, CLI

Conditions:
The user is attempting to configure an attribute that references an object in an illegal administrative partition.

Impact:
The validation fails.

Recommended Action:
Reference objects that reside in legal partitions or partition Common.

01071d59 : Cannot modify scrubber config property %s

Location:
GUI, CLI

Conditions:
An attempt was made to modify fields that are part of the key in the scrubber configuration objects.

Impact:
You cannot perform the modify operation.

Recommended Action:
None.

01071d5a : IPv4/IPv6 Next hop must be configured.

Location:
GUI, CLI

Conditions:
While creating RTBH blacklist publisher profile, the user has not provided either of the next-hop v4 or next-hop-v6 addresses for the profile, and the advertisement method for the profile is BGP.

Impact:
The configuration fails.

Recommended Action:
Provide either of the v4 or v6 next hop IP addresses.

01071d5b : Not a valid %s Address.

Location:
GUI, CLI

Conditions:
The user configures an invalid IP address to the route-advertisement-nexthop or route-advertisement-nexthop-v6 attributes in the Blacklist publisher profile.

Impact:
The configuration fails.

Recommended Action:
Fix the configuration value for the next hop or nexthop-v6 IP addresses.

01071d5c : Cannot lower compatibility level. Whitelist address-list (%s) configured on this system requires current compatibility level.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The system already has a configuration that depends on the currently-configured compatibility system level.

Impact:
The user can't lower the value of the compatibility level with an existing whitelist address list.

Recommended Action:
Remove the whitelist before the compatibility level can be lowered on a supported platform.

01071d5f : Entry already exist in extened white list(%s).

Location:
GUI, CLI

Conditions:
A user has tried to add a duplicate entry.

Impact:
The system performs validation to prevent duplicate entries.

Recommended Action:
Correct the configuration to prevent attempts to add duplicate entries.

01071d60 : %s failed with an I/O error: %s.

Location:
/var/log/ltm

Conditions:
An attempt is made to configure a WOM local-endpoint from tmsh or the GUI.

Impact:
mcpd logs the error and rolls back the transaction. The configuration associated with the transaction is not applied, and mcpd is left in the state it was in prior to the transaction. The WOM local-endpoint is not configured.

Recommended Action:
Try again. If that fails, save the current configuration and restart mcpd.

01071d61 : Failed to allocate memory at %s:%d.

Location:
/var/log/ltm

Conditions:
The mcpd daemon is out of memory, causing a memory allocation of unknown size to fail. This can occur during an attempt to process a very large transaction.

Impact:
A hard exit from mcpd will probably occur.

Recommended Action:
Consider provisioning mcpd with more memory. This will cause the TMM to have less memory for itself, but mcpd will be able to process larger and more complex configurations.

01071d62 : CMI device (%s) attempted to connect but is running an incompatibly old version of TMOS.

Location:
/var/log/ltm

Conditions:
The remote device is running an older software version that did not indicate a required DSC handshake protocol version in the message.

Impact:
Config sync is disabled between this device and another trust domain member. Config sync will remain disabled until the other device is upgraded to a compatible version.

Recommended Action:
Upgrade the other device to a compatible version and reboot the other device into the new installation volume.

01071d62 : Unsupported route-type (%d) seen for mgmt-route (%s).

Location:
/var/log/ltm

Conditions:
Management-route is an unsupported route type.

Impact:
There is a possible management-route misconfiguration.

Recommended Action:
Verify that management-route is of type Gateway, Interface, or Blackhole only.

01071d63 : CMI device (%s) attempted to connect but is running a version of TMOS with incompatible version (%s) (expected %s).

Location:
/var/log/ltm

Conditions:
The remote device is running an older software version that did not indicate a required DSC handshake protocol version in the message.

Impact:
Config sync is disabled between this device and another trust domain member. Config sync will remain disabled until the other device is upgraded to a compatible version.

Recommended Action:
Upgrade the other device to a compatible version.

01071d63 : No value specified for supersede-option: %s

Location:
/var/log/ltm

Conditions:
No value is specified to supersede the DHCP server-provided value for the tmsh supersede-option setting.

Impact:
Configuration of the supersede-option in "tmsh sys management-dhcp" fails.

Recommended Action:
Ensure that every supersede-option in "tmsh sys management-dhcp" has at least one value specified to supersede the DHCP server-provided value for the given option.

01071d65 : DNSSEC External Zone (%s) must be a descendant of DNSSEC Zone (%s).

Location:
/var/log/gtm

Conditions:
The external zone is not a descendant of the parent zone. (e.g. external zone: child.f5.com, parent: notf5.com). The parent name must be a suffix of the child name.

Impact:
The external zone must be a descendant of the parent zone in order to establish the DNSSEC chain of trust. If the parent zone name is not a suffix of the child zone name (child not descendant of parent), a chain of trust cannot be established.

Recommended Action:
Verify zone name of external zone to ensure it is a descendant of the parent zone.

01071d65 : Invalid name value (%s) specified for URL Category %s.

Location:
/var/log/ltm

Conditions:
The user is trying to create a new URL category, and the category name has an invalid start character (that is, any character within "*/-:_?=@,&()0123456789", including a character such as ".*/-:_?=@,&() ".

Impact:
The configuration is not saved and the user will be unable to create a new custom category.

Recommended Action:
Remove the invalid or special characters in the category name and then rename the category that contains the valid characters.

01071d66 : DNSSEC External Zone (%s:%s) duplicates existing DNSSEC zone (%s) with the same name (case-insensitive and unique across folders).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone, while a DNSSEC Zone sharing the same name already exists.

Impact:
Creation of a duplicate DNSSEC Zone will fail.

Recommended Action:
Modify the existing DNSSEC Zone under the specified name, otherwise delete it before creating the External Zone. Be sure to verify if the zone you want to be created is internal or external.

01071d66 : System iRule (%s) cannot be associated to oauth server (%s).

Location:
/var/log/ltm

Conditions:
A system iRule is associated with an OAuth server.

Impact:
The configuration is invalid. System iRules are specific iRules created to solve certain use cases, which do not include association with an OAuth server.

Recommended Action:
Do not associate system iRules with an OAuth server.

01071d67 : DNSSEC External Zone (%s:%s) duplicates existing external zone (%s:%s) with the same name (case-insensitive).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone, while an External Zone sharing the same name already exists.

Impact:
Creation of a duplicate External Zone will fail.

Recommended Action:
Modify the existing External Zone under the specified name, otherwise delete it before creating the zone again.

01071d67 : Provider type F5 only supports introspect endpoint.

Location:
/var/log/ltm, GUI, or CL, depending on where the command is for setting introspect-support to false on a provider object of type "F5".

Conditions:
introspect-support is set to "false" on provider object of type "F5".

Impact:
A provider object of type "F5" fails to create/modify when introspect-support is set to "false".

Recommended Action:
For a provider object of "F5", always set introspect-support to "true".

01071d68 : DNSSEC External Zone (%s) references a nonexistent DNSSEC zone (%s)

Location:
/var/log/gtm

Conditions:
This occurs when an External Zone being created references a non-existant parent zone.

Impact:
Creation of External Zone will fail. It must have a valid parent zone to maintain DNSSEC chain
of trust.

Recommended Action:
Verify name of External Zone and make sure it references an existing parent zone.

01071d68 : EntityID attribute of %s (%s) contains a session variable. SAML metadata exported by this object must be edited manually to replace session variables with valid hostnames before metadata is shared with external parties.

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
For an Access Policy Manager (APM) Single Sign-On (SSO) saml object, the BIG-IP system has taken the role of SAML Identity Provider and the "entityID" property contains a session variable instead of a valid host name.

Impact:
SAML metadata cannot be shared with external parties.

Recommended Action:
Do one of the following:
 
- Do not use session variables when configuring the entityID property of an APM SSO saml object, or

- When exporting SAML IdP metadata produced by the configured APM SSO saml object, modify the metadata manually to replace all instances of session variables with the host name of configured IdP.

01071d69 : DNSSEC Zone %s duplicates existing external zone (%s:%s) with the same name (case-insensitive).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create a DNSSEC Zone, while an External Zone sharing the same name already exists.

Impact:
Creation of a duplicate External Zone will fail.

Recommended Action:
Modify the existing External Zone under the specified name, otherwise delete it before creating the DNSSEC zone. Be sure to verify if the zone you want to be created is internal or external.

01071d69 : Frequency for SAML IdP automation (%s) cannot be zero.

Location:
/var/log/ltm, CLI

Conditions:
An attempt was made to save a configuration with SAML IdP automation having a value of zero for the field "Frequency".

Impact:
Saving the configuration fails.

Recommended Action:
Enter a non-zero value in the "Frequency" field.

01071d6a : Unable to parse DNSSEC secure delegation record (%s:%s):%s (%s).

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone with an invalid DS Record, leading to parse failures.

Impact:
Creation of a External Zone will fail.

Recommended Action:
Verify the DS Record is has the correct format, it should follow this structure:
"zone_name ttl type class tag alg digest_type digest"
e.g:
"myzone. 86400 IN DS 46851 7 1 4a7d19625ebc07e6aad53aad043e15d578e605e8"

01071d6a : At least one metadata URL must be configured for SAML SP metadata automation (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator attempts to configure SAML SP automation service, but the automation object does not specify any URLs from where SAML metadata is to be fetched.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify at least one URL from where automation service will retrieve SAML metadata.

01071d6a : Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3.

Location:
/var/log/ltm

Conditions:
A Client SSL profile is created that can only negotiate TLS 1.3, even though all of its associated certificates are on a FIPS or NetHSM device.

Impact:
The profile cannot be saved.

Recommended Action:
Configure the profile to negotiate TLS versions other than 1.3 or have at least one certificate that is not on a FIPS or NetHSM device.

01071d6b : DNSSEC secure delegation record (%s:%s) has DS with different owner name: %s.

Location:
/var/log/gtm

Conditions:
This occurs when attempting to create an External Zone, while the DS record owner does not match the zone name.

Impact:
Creation of a duplicate External Zone will fail.

Recommended Action:
Verify that the DS Record owner matches the zone name.

01071d6b : Frequency for SAML SP metadata automation (%s) cannot be zero.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure SAML SP automation service, but the specified frequency of metadata fetching is invalid ("0").

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a valid frequency in minutes, or keep the default value, 60.

01071d6b : Client SSL profile (%s): Configured certificates are incompatible with TLS 1.3, so TLS 1.3 will not be negotiated.

Location:
/var/log/tmm

Conditions:
A Client SSL profile is created with TLS 1.3 enabled, even though all certificates are stored on a FIPS or NetHSM device that is incompatible with TLS 1.3.

Impact:
TLS 1.3 is not negotiated.

Recommended Action:
Either disable TLS 1.3 on the profile, or include at least one certificate that is not stored on a FIPS or NetHSM device.

01071d6c : SAML SP metadata automation (%s) cannot be associated with sso saml (%s) because sso saml is already associated with SP automation (%s). SAML server can only be associated with one automation.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but the specified SSO SAML object is already used by another SP automation service.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a different SSO SAML object that is not in use by other SP automation services.

01071d6c : Client SSL profile (%s): Some configured certificates are incompatible with TLS 1.3, so will not be used if TLS 1.3 is negotiated.

Location:
/var/log/ltm

Conditions:
A Client SSL profile is configured to enable TLS 1.3, even though some of the certificates are stored on a FIPS or NetHSM device.

Impact:
The certificates stored on the FIPS or NetHSM device are not used if TLS 1.3 negotiation is attempted.

Recommended Action:
Disable TLS 1.3 on the Client SSL profile, or remove the certificates that are stored on a FIPS or NetHSM device.

01071d6d : SAML SP metadata automation (%s) specifies SAML SSO server (%s) that cannot be found on the system.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but the specified SSO SAML object does not exist.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify an existing SSO SAML object on the system.

01071d6d : IPv6 management addresses are unsupported in 1NIC mode.

Location:
/var/log/ltm, CLI

Conditions:
The BIG-IP Virtual Edition (VE) is in 1NIC mode, and an attempt is made to add an IPv6 address as a management IP address.

Impact:
Adding an IPv6 address for a management IP address is disallowed.

Recommended Action:
Do not use IPv6 addresses for the management-ip on a 1NIC VE.

01071d6e : SAML SSO server (%s) associated SAML SP metadata automation (%s) are not in the same partition.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but the specified SSO SAML object is in a different administrative partition than the SAML SP metadata automation service.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Ensure that the specified SSO SAML object is located in the same partition as the SAML SP metadata automation service.

01071d6f : SAML SP metadata automation (%s) contains invalid metadata URL value (%s). Error (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but at least one of specified metadata URLs is not valid.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a valid metadata URL.

01071d6f : The Traffic Acceleration FPGA is not allowed when TAM is not provisioned.

Location:
/var/log/ltm

Conditions:
The Traffic Acceleration FPGA firmware is loaded in the configuration, but Traffic Acceleration Module (TAM) is not provisioned.

Impact:
The configuration is rejected.

Recommended Action:
Provision TAM on the system and the Traffic Acceleration FPGA firmware will automatically be loaded. The FPGA firmware does not need to be manually changed.

01071d70 : SAML SP metadata automation (%s) must have server SSL profile configured.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service. The administrator has specified at least one metadata URL that is protected by SSL, but has not specified a Server SSL profile to be used to connect to the remote server hosting the metadata file.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a Server SSL profile in the SAML SP automation service.

01071d70 : LDAP config (%s) must either have a matching client certificate and client key, or both of these fields must be empty.

Location:
/var/log/ltm, GUI, CLI

Conditions:
LDAP configuration contains either an SSL client certificate without a matching key or an SSL key without a matching certificate.

Impact:
Configuration is not accepted, and LDAP authentication will not work.

Recommended Action:
When configuring LDAP authentication with SSL, configure both an SSL client certificate and an SSL key.

01071d71 : SAML SP metadata automation (%s) must have DNS resolver configured.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but a DNS resolver is not specified.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Configure a DNS resolver on the SAML SP automation service.

01071d71 : Can't create scheduled-report (%s). You currently have %u scheduled-reports set, while this is above the max allowed scheduled-reports (%u).

Location:
/var/log/audit, /var/log/ltm, GUI, CLI

Conditions:
A user has created too many AVR scheduled-reports. The maximum number allowed is 100.

Impact:
No additional scheduled-reports can be created.

Recommended Action:
Delete unused scheduled-reports from the system to allow for new reports to be created.

01071d72 : Metadata URL (%s) value cannot be empty in SAML SP metadata automation (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure a SAML SP automation service, but at least one of the specified metadata URLs does not contain any value.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify a value for the specified metadata URL. All metadata URL objects configured as part of SAML SP automation service require a URL value.

01071d72 : %s.

Location:
/var/log/ltm

Conditions:
The mcpd debug log level is enabled (via tmsh modify sys db log.mcpd.level value debug) and the user modifies sys management-ip.

Impact:
Debug messages start to log.

Recommended Action:
None.

01071d73 : SAML SP metadata automation (%s) must specify value for sso-config-saml object.

Location:
/var/log/apm or GUI

Conditions:
An administrator attempts to configure a SAML SP automation service, but an attribute specifying the SSO SAML object has not been configured.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Specify the SSO SAML object to be used by the SAML SP automation service.

01071d73 : The Traffic Accelerated virtual(%s) is required to have a destination address set

Location:
/var/log/ltm

Conditions:
The configuration contains a Traffic Acceleration Module (TAM) virtual server with either no destination address or the destination address 0.0.0.0.

Impact:
The configuration is rejected.

Recommended Action:
Add a valid Destination address to the TAM virtual server referenced in the error message.

01071d74 : SAML SP metadata automation (%s) contains duplicated URL value (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to configure an SAML SP automation service, but the service contains duplicated URLs.

Impact:
The misconfigured SAML SP automation object is not saved.

Recommended Action:
Remove duplicated URLs from the configured AML SP automation service.

01071d74 : Anti-Fraud URL '%s' is invalid. Only SPA URLs and their views can have destination URLs in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, cli

Conditions:
There is an attempt to configure destination URLs for a protected URL that has no views.

Impact:
The configuration fails.

Recommended Action:
Only configure destination URLs either for a protected URL that has at least one view or for protected view.

01071d74 : Opening socket on interface %s failed: %s

Location:
/var/log/ltm, GUI, CLI

Conditions:
DHCP is disabled on a BIG-IP Virtual Edition (VE) that is in 1Nic mode.

Impact:
Validation fails.

Recommended Action:
Enable DHCP.

01071d75 : SAML SP connector (%s) cannot be deleted because it is managed by SP connector automation (%s).

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to manually remove the SAML SP connector object that was created by SAML SP automation.

Impact:
The SP Connector object is not removed.

Recommended Action:
There are several ways to remove SP connector objects managed by an SP automation service:

1) Modify the SAML SP automation service to remove the metadata URL that was used to created the SP automation service. Note that when you remove the metadata URL, all SP connectors associated with this URL are deleted.

2) Remove the SP automation service. This action removes all SP connectors created by the service.

3) Not recommended: Use tmsh to change the “automation-object'” property of the SAML SP connector object to “none”, and then delete the SP connector manually. Note this this option is not recommended because the automation service might recreate the SP connector object later (for example. when the service restarts or the content of the remote metadata file changes).

01071d75 : Db variable %s(%u) should be greater than %s(%u).

Location:
/var/log/ltm

Conditions:
The value of the db variable "dos.dnsnxdomain.period" is less than or equal to the value of the variable "dos.dnsnxdomain.learnperiod".

Impact:
none.

Recommended Action:
Change the value of the db variable "dos.dnsnxdomain.period" to be greater than the value of the variable "dos.dnsnxdomain.learnperiod".

01071d75 : %s IP for interface %s failed: %s

Location:
/var/log/ltm, GUI, CLI.

Conditions:
DHCP is disabled on a BIG-IP VE in 1Nic mode.

Impact:
Validation fails.

Recommended Action:
Enable DHCP.

01071d76 : SAML SSO config (%s) is assigned to a SAML resource (%s), and therefore can only have one SP connector object associated with it.

Location:
/var/log/apm or GUI

Conditions:
An administrator has attempted to bind multiple SP connector objects to a SAML SSO object that is assigned to a SAML resource.

Impact:
The modified SAML SSO object configuration is not saved.

Recommended Action:
Specify a single SP connector only for a SAML SSO object that is assigned to a SAML resource. When multiple SP connectors are required, you can replicate the SAML SSO object as needed.

01071d76 : FDB MAC %s cannot be broadcast/multicast

Location:
/var/log/ltm, GUI, CLI

Conditions:
An attempt was made to add a multicast MAC address on a VLAN as a static entry to the FDB.

Impact:
Any attempt for adding a multicast MAC static FDB entry will be reported as a failure and the multicast MAC address will not be added to the FDB. For more information, see bug ID 681673 titled "tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results".

Recommended Action:
Consider adding unicast MAC addresses as static FDB entries instead.

01071d77 : SAML SSO configuration (%s) cannot specify both (%s) and (%s) at the same time.

Location:
/var/log/apm, UI, CLI

Conditions:
An administrator has configured a SAML SSO (IdP) object on the BIG-IP system and the object specifies either of the following:

1) Both the signing certificate and the session variable referring to a signing certificate.

2) Both the signing key and session variable referring to a signing key.

Impact:
The created or modified SSO object is not saved.

Recommended Action:
Specify either the signing certificate or a session variable specifying the signing certificate, but not both. The same applies to a signing key.

01071d78 : Attribute (%s) in %s (%s) must be in session variable format

Location:
/var/log/apm, UI, CLI

Conditions:
The user has changed the BIG-IP configuration, but the provided value for the relevant attribute specified in the error message is not in APM session variable format.

Impact:
The modified configuration object is not saved.

Recommended Action:
Specify the relevant attribute in APM session variable format, for example:

 "%{session.value}"

01071d79 : SAML Artifact Resolution Service (%s) is configured to sign requests. However, the correponding SAML SSO Config (%s) does not have signing %s configured. Please specify an IdP signing %s.

Location:
/var/log/apm, UI, CLI

Conditions:
An administrator has attempted to create or modify a SAML SSO (IdP) object, but either a certificate or a key is not configured on the SAML SSO object.

Impact:
The modified SAML SSO object configuration is not saved.

Recommended Action:
Configure both a signing certificate and a key on the specified SAML SSO object.

01071d79 : Interface %s cannot be used in passive/virtual-wire mode.

Location:
/var/log/ltm

Conditions:
An interface is set to Passive or Virtual Wire mode.

Impact:
The interface cannot be used in Passive or Virtual Wire mode.

Recommended Action:
Try configuring Virtual Wire or Passive mode on another port, one that is either not in use or is operating in Layer 3 (L3) mode. Note that changing the mode of a port currently operating in L3 mode to Virtual Wire mode results in changes to the network.

01071d7a : Master Key not yet ready. Delaying DNSSEC Key Generation Events for %u seconds.

Location:
/var/log/ltm

Conditions:
A DNSSEC key generation event occurs. For example, a key expires or rolls over, either before or during Master Key initialization. Generally, the only time this collision of events can occur is during a reboot or "bigstart restart" operation with a DNSSEC key that is configured to expire or roll over during the window of time that the box is offline or initializing.

Impact:
DNSSEC key generation events are delayed until the Master Key becomes available. This means the configuration will contain stale key generations until they can be successfully regenerated (that is, until the Master Key is initialized and available).

Recommended Action:
None.

01071d7b : Cannot assign access profile and both clientssl and serverssl profiles with ssl proxy enabled to the same virtual server (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The following profiles are attached to the same virtual server:

- clientssl with "proxy ssl" enabled
- serverssl with "proxy ssl" enabled
- access profile

Impact:
The configuration with these conditions is invalid and therefore rejected.

Recommended Action:
Change any of the listed conditions.

01071d83 : Failed to configure iptables rules for config sync CGC routing: %s

Location:
/var/log/ltm

Conditions:
The cgc-setup script indicates an error when mcpd tries to initialize the iptables rules and routing for config-sync.

Impact:
Config-sync might not work. This error message will include the output of the script, which contains additional clues as to why the script failed.

Recommended Action:
Review the specific error messages for details, and engage with F5 Support, if needed.

01071d84 : Configured iptables rules for config sync CGC routing: %s

Location:
/var/log/ltm

Conditions:
This is an informational message indicating the cgc-setup script ran correctly. This message is not reported unless log.mcpd.level is set to info or debug.

Impact:
This is an informational message.

Recommended Action:
None.

01071d85 : Config sync over the management port requires big3d, which is not currently running. Config sync will not work until big3d is running.

Location:
/var/log/ltm

Conditions:
This message is reported if config-sync is configured to use the management port and mcpd fails to detect big3d running at the time mcpd sets up the config sync network sockets.

You might also see this message if big3d is in the middle of restarting when mcpd checks for it, in which case config-sync operation starts as soon as big3d starts. If you see this message for this reason, you can ignore the message, as the situation corrects itself.

Impact:
Config-sync over the management port does not work without big3d.

If you have intentionally disabled big3d, you must re-enable it or reconfigure config sync to not use the management port.

Recommended Action:
Make sure big3d is enabled or do not use the management port for config sync.

01071d93 : Unable to find customization source (%s) for customization group (%s).

Location:
When you have specified a customization source of a customization group that does not exist on the device but customization source name validation passed it.

Error might be noticeable in CLI and logs for MCPD and LTM.

Conditions:
This message appears when a customization group is created or modified, and it has a customization source. The customization source name is validated before mcpd proceeds. If it appears that mcpd passed the customization source name as valid, but it has no corresponding object or files.

Impact:
Setting invalid customization source invalidates customization and it falls back to defaults.

Recommended Action:
No workaround.

01071d93 : Profile %s the set Certificate Chain Traversal Depth (authenticate-depth), %u, is invalid. This must be 0 (infinite) or between 1 and %u inclusive.

Location:
/var/log/ltm

Conditions:
An SSL profile is being created or modified, and the authenticate depth (also known as Certificate Chain Traversal Depth) is greater than 15.

Impact:
The profile is not saved.

Recommended Action:
When creating or modifying an SSL profile, use a value between 0 through 15 inclusive in the Certificate Chain Traversal Depth field.

01071d93 : Single-ip %s - cluster member IP address %s cannot be configured for cluster %s.

Location:
/var/log/ltm

Conditions:
The cluster single management IP feature is enabled, which causes the system to disallow configuration of the cluster member IP addresses.

Impact:
The system informs the user of the reason that the attempt to configure the cluster member IP addresses is denied.

Recommended Action:
Disable the cluster single management IP feature.

01071d94 : Bot Defense Profile (%s) Micro Service (%s): Missing required field (%s).

Location:
/var/log/ltm

Conditions:
ASM is provisioned and one of required fields is missing in the tmsh command.

Impact:
The system will not store the configuration in the mcp database.

Recommended Action:
Supply the required field in the tmsh command.

01071d95 : Per-request access policy (%s) is not referenced by any existing customization group set

Location:
/var/log/ltm, GUI, CLI

Conditions:
The user has not defined a Customization Group Set for a given Per-request Access Policy.

Impact:
The modified configuration cannot be loaded. If this is the initial configuration load, the BIG-IP system is non-operational.

Recommended Action:
Correct BIGIP configuration or changes to it by checking that each explicit definition of a Customization Group Set object refers to an existing Per-Request Access Policy object.
The description of a Customization Group Set object must contain an explicit reference to the name of an existing Per-Request Access Policy object:

apm policy customization-group-set /Common/test_rap_cgs {
    access-policy /Common/test_rap
}

01071d95 : FipsUserMgr Error: %s.

Location:
The message is one of several internal errors that occurs when a BIG-IP device containing an NGFIPS or N3FIPS hardware accelerator fails to set up the FIPS accelerator.

Conditions:
[1] BIG-IP device contains an NGFIPS or N3FIPS accelerator.
[2] An internal error occurs due to one of the following:
    - Command execution
    - File, database table, and key access
    - Setting up and accessing shared memory
    - Accessing FIPS card
    - Generating and processing random passwords and keys
    - Login attempts to FIPS card
    - Attempting to set up an N3FIPS accelerator on a vCMP Host

Impact:
[1] BIG-IP device fails to set up the FIPS accelerator.
[2] TMM fails to login to the FIPS accelerator, and does not start.

Recommended Action:
Although there is no workaround for this issue, you can use the following procedure to return to a previously working location and try the operation again.

Important: This procedure completely re-initializes the accelerator, so ensure you have copies of the private keys before proceeding, or have the encrypted ..exp. files and another FIPS accelerator in the same security domain from which you can .fips-card-sync. after re-initialization.

-- If the error state persists after restarting using 'bigstart restart' or 'tmsh sys services restart' you can use these steps:

1. Reboot back to the prior location where this was working.
2. Run the fipsutil command:
fipsutil init -f

3. Restart the BIG-IP system using either command:
-- bigstart restart
-- tmsh sys services restart

4. Delete the upgrade volume, reinstall the BIG-IP ISO file into a new volume, and boot into the new volume.

01071d96 : Failed to send DDL to PostgreSQL: %s

Location:
/var/log/ltm

Conditions:
The mcpd daemon is trying to populate the PostgreSQL database's structure.

Impact:
The content of the PostgreSQL database is not consistent.

Recommended Action:
None.

01071d96 : The customization group set (%s) cannot share an access policy (%s) with other customization group set (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The user has attempted to configure two Customization Group Set objects to refer to the same Per-Request Access Policy object. This configuration is not allowed.

Impact:
The modified configuration cannot be loaded. If this is the initial configuration load, the BIG-IP is non-operational.

Recommended Action:
Correct the BIG-IP system configuration or any changes to it by checking that each explicit definition of a Customization Group Set object refers to a unique, existing Per-Request Access Policy object. The description of a Customization Group Set object must contain an explicit reference to the name of an existing Per-Request Access Policy object:

apm policy customization-group-set /Common/test_rap_cgs {
    access-policy /Common/test_rap
}

01071d97 : Anti-Fraud URL '%s' is invalid. URL path cannot have trailing slashes in the Anti-Fraud Profile '%s'.

Location:
var/log/ltm, cli

Conditions:
The name of the URL being created contains trailing slashes (in the path segment, not in query string).

Impact:
URL object creation fails.

Recommended Action:
Remove all trailing slashes from the URL's name (within the path segment only).

01071d97 : Access policy name cannot be changed in customization group set (%s)

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to change the name of the Per-Request Access Policy in an existing Customization Group Set object.

Impact:
The modified configuration cannot be loaded.

Recommended Action:
Check the name of the Per-Request Access Policy in modification commands for the named Customization Group Set object, or exclude the Access Policy name from these commands. Then repeat the modifications to the BIG-IP system configuration.

01071d98 : Customization group set (%s) does not refer to access policy

Location:
/var/log/ltm file, CLI, GUI

Conditions:
The named Customization Group Set object does not contain a Per-Request Access Policy object name. This is a mandatory attribute and must be included in any Customization Group Set object definition.
.

Impact:
The modified configuration cannot be loaded. If this is the initial configuration load, the BIG-IP system is non-operational.

Recommended Action:
Check all explicit Customization Group Set object definitions and add 'access-policy' attribute where necessary, for example:

apm policy customization-group-set /Common/test_rap_cgs {
    access-policy /Common/test_rap
}

Any Per-Request Access Policy object name can be used only once in Customization Group Set object definitions.

01071d98 : Empty IP protocol name specified for rule (%s). Please specify a valid string corresponding to the IP protocol number.

Location:
/var/log/ltm

Conditions:
A custom script or other application has passed an empty/null string for "ip_protocol_name" when configuring firewall rule. Both GUI and tmsh specify "ip_protocol_name" string along with "ip_protocol" number when configuring firewall rule.

Impact:
Firewall rule configuration fails. If this is a "create" operation, the rule is not added into the configuration. If this is a "modify" operation, the rule is not modified.

Recommended Action:
When configuring a firewall rule, modify your client script/application to always specify the "ip_protocol_name" string along with the "ip_protocol" number.

01071d9b : PEM Gx/Sd reporting volume threshold cannot be smaller than 8K bytes.

Location:
CLI

Conditions:
A user has attempted to set the reporting volume threshold to a value smaller than 8KB.

Impact:
The configuration change request is denied.

Recommended Action:
None.

01071d9c : PEM Mandatory-Action-List cannot be set when Single-Rule-Match-Mode is disabled.

Location:
GUI, CLI

Conditions:
A user has tried to modify the PEM mandatory-action-list when single-rule-match-mode is disabled.

Impact:
The configuration change request is denied and an error message is displayed.

Recommended Action:
None.

01071d9d : Address Exclusion is not supported for Security NAT translation object (%s) of type %s.

Location:
GUI, CLI

Conditions:
An attempt is made to add an exclusion to the static NAT/static PAT object. Address exclusion is supported only on a dynamic PAT translation object.

Impact:
The configuration fails.

Recommended Action:
Remove the exclusion object from the static NAT/static PAT translation object.

01071d9d : Neighbor entry (%s) can not be resolved%s.

Location:
/var/log/ltm

Conditions:
There is no directly-connected network for the address.

Impact:
The static arp/ndp entry cannot be resolved. The condition prevents either:

1) The deletion of the self IP address or static route that could strand the static ARP entry, or

2) The creation of the static ARP entry.

Recommended Action:
If you are in the process of deleting a self IP address or static route entry, delete the static arp entry first. If you are in the process of creating a static ARP entry, create the network object that would make the IP address of the static arp entry reachable.

01071d9e : Bot defense anomaly %s not found.

Location:
/var/log/ltm

Conditions:
The ASM module is provisioned, a user has used an illegal tmsh/REST command, and within the tmsh/REST command, the mentioned anomaly name does not exist in the MCP database.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01071d9f : Bot defense anomaly category %s not found.

Location:
/var/log/ltm

Conditions:
The ASM module is provisioned, a user is using illegal tmsh/REST commands, and within the tmsh/REST command, the mentioned category name does not exist in the MCP database.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01071d9f : %s.

Location:
/var/log/ltm

Conditions:
MCPd has encountered an exception condition related to sending data to one or more processes. If this happens, the connection to that process will be shut down and an error message logged.

Impact:
The process that was communicating with MCPd will have it's connection severed, and it's expected that the process will automatically reconnect or restart.

n the event that the error message is logged *because* the process disconnected as part part of normal operations, there is no impact beyond useful diagnostic information.

If this message occurs frequently, it may indicate there is a problem. This can result in interruption of traffic processing and problems managing the system.

Recommended Action:
No action needed if the system is functioning normally.

Please contact F5 support if this message is occurring frequently and system is not functioning correctly.

01071da0 : Bot defense class %s not found.

Location:
/var/log/ltm

Conditions:
The ASM module is provisioned, a user is using illegal tmsh/REST commands, and within the tmsh/REST command, the mentioned class name does not exist in the MCP database.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01071da0 : %s.

Location:
/var/log/ltm

Conditions:
The mcpd daemon has encountered an exception condition related to sending data to one or more processes.

The associated process might have shut down or restarted as part of normal operations. The exception can also occur when the connection between mcpd and the associated process fails for an unknown reason.

Impact:
The connection for the process that was communicating with mcpd is severed, and it's expected that the process will either reconnect or restart.

In the event that the error message is logged because the process disconnected as part part of normal operations, there is no impact beyond useful diagnostic information.

If this message occurs frequently, it might indicate there is a problem. This can result in interruption of traffic processing and problems managing the system.

Recommended Action:
No action is needed if the system is functioning normally.

Please contact F5 support if this message is occurring frequently and the system is not functioning correctly.

01071da1 : %s: When %s is (%s) and %s (%s) is %s address, %s (%s) represents '%s %s addresses'.

Location:
/var/log/ltm

Conditions:
A user has added or modified the source/destination of dos.network-whitelist entries or extended-entries.

Impact:
This message provides detailed information about the semantic meanings of ip-address 'any' and 'any6'. The meanings of 'any' and 'any6' vary depending on the value of match-ip-version.

Recommended Action:
Inspect the relevant object configuration and make sure that the semantics of 'any' and 'any6' with match-ip-version are correctly configured. To see the log, the user must set the "sys db log.mcpd.level" value to "info".

01071da2 : Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s's Traffic Matching Criteria %s.

Location:
/var/log/ltm, TMSH, iControl REST, GUI

Conditions:
A new virtual server has been created with traffic-matching criteria that has an IP protocol, IP address, and destination port combination that overlaps with the traffic-matching criteria of an existing virtual server.

Impact:
The system rejects the creation of the new virtual server.

Recommended Action:
Modify the traffic-matching criteria of the new virtual server to avoid overlaps.

01071da2 : Blacklist-category %s must have match type destination to enable scrubbing.

Location:
GUI, CLI

Conditions:
A user has attempted to enable scrubbing on a blacklist category using the command "modify security scrubber profile scrubber-profile-default scrubber-categories add ...", and the match type for the blacklist category is not set to the match type "Destination".

Impact:
Enabling the scrubbing on the blacklist category fails.

Recommended Action:
Modify the match type to "Destination" before enabling the scrubbing on the blacklist category.

01071da3 : Virtual Server %s's Traffic Matching Criteria %s illegally shares destination address, source address, service port, and ip-protocol with Virtual Server %s destination address, source address, service port.

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
A virtual server has been created with traffic-matching criteria that has an IP protocol, IP address, and destination port combination that overlaps with an existing virtual server.

Impact:
The system rejects the creation of the new virtual server.

Recommended Action:
Modify the traffic-matching criteria of the new virtual server to avoid overlaps.

01071da3 : Cannot change match type to source or source-and-destination if scrubbing is enabled on the blacklist category. Disable scrubbing before changing the match type.

Location:
GUI, CLI

Conditions:
A user has attempted to change the match type of the blacklist category to a value other than "Destination", and the user has already enabled the scrubbing on this category.

Impact:
The modification of the match type to a value other than "Destination" fails.

Recommended Action:
Disable the scrubbing on the blacklist category before attempting to modify the match type to a value other than "Destination".

01071da4 : Uri Type %s out of its minimum %d or maximum %d characters range.

Location:
CLI

Conditions:
A user has specified a Uri Type name value and file-extensions values that are outside of the allowed range in character length. The values must fit conditions in the error message.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Ensure that the values fit the conditions specified in the error message. See the command 'tmsh help analytics uri-type" for more information.

01071da5 : Uri Type must have at least %d %s associated with it.

Location:
CLI

Conditions:
A user has attempted to create a Uri Type without any file extensions, or has attempted to delete all values from the file-extensions list. The file-extensions list must contain at least one value.

Impact:
The TMSH command fails, and the configuration is not changed.

Recommended Action:
Ensure that the file-extensions list contains at least one value. For more information, see the command "tmsh help analytics uri-type".

01071da6 : No more than %d total file extensions can be defined (across all Uri Types).

Location:
CLI

Conditions:
A user has attempted to specify a value that exceeds the maximum number of Uri Type file-extensions allowed.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Try to delete unused file-extensions and replace them with new ones. For more information, see the command "tmsh help analytics uri-type".

01071da7 : No more than %d total Uri Types can be defined.

Location:
CLI

Conditions:
A user has attempted to define more than the maximum number of Uri types allowed.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Try to delete unused Uri types and replace them with new ones. For more information, see the command "tmsh help analytics uri-type".

01071da8 : File extension '%s' already exists in '%s' Uri Type.

Location:
CLI

Conditions:
A user has attempted to define file extensions that already exist on the system, thereby attempting to share the same file extensions across multiple Uri Type configuration objects.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Ensure that you create unique file extensions across all Uri Types, rather than creating duplicates file extensions. For more information, see the command "tmsh help analytics uri-type".

01071da9 : Uri Type objects must be in the '%s' folder only.

Location:
CLI

Conditions:
A user has attempted to create a Uri Type object in a folder (administrative partition) that is not "/Common".

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Do not prefix the Uri Type name with any folder name other than "/Common/". For more information, see the command "tmsh help analytics uri-type".

01071daa : %s

Location:
CLI

Conditions:
One of the characters in the Uri Type name or file-extensions values is invalid.

Impact:
The TMSH command fails, and the configuration is not saved.

Recommended Action:
Use only allowed characters in names. For more information, see the error output. Usually these properties only support alphanumeric characters, digits, and "-" or "_", as in "[a-zA-Z0-9_-]". The Uri Type name must start with an alphanumeric character.
The file-extensions values must use lower-case characters only. For more information, see "tmsh help analytics uri-type".

01071dac : Bot signature category %s not found.

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, and within the TMSH/REST command used, the mentioned category name does not exist in the MCP database.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.

01071dac : Cannot change match type to destination or source-and-destination if blacklist publisher profile is attached to the category.

Location:
GUI, CLI

Conditions:
A user has tried to change the match type of the IP intelligence blacklist category, if the category has blacklist publisher configuration enabled.

Impact:
The match type is not allowed to change to destination or source-and-destination without first removing the category from the blacklist publisher.

Recommended Action:
None.

01071dad : Bot defense profile (%s) class override (%s) error: %s.

Location:
GUI, CLI, API

Conditions:
The ASM module is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01071dad : Policy '%s', rule '%s'; target '%s' action '%s' cannot have same fallback pool (%s) and default pool (%s).

Location:
/var/log/ltm

Conditions:
A fallback pool and the default (primary) pool in an LTM policy action have the same value.

rules {
    1 {
        actions {
              1 {
                forward
                select
                fallback-pool http_pool <------ The pool and fallback pool can't be same.
                pool http_pool
            }
        }
    }
}

Impact:
The LTM policy won't compile.

Recommended Action:
None.

01071dae : Bot Defense Profile (%s) Micro Service (%s): %s.

Location:
GUI, CLI, API

Conditions:
The ASM module is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01071dae : Policy '%s', rule '%s'; target '%s' action '%s' requires default pool. Please specify default pool along with fallback pool (%s).

Location:
/var/log/ltm

Conditions:
When "fallback-pool" parameter is specified without the "pool" parameter in LTM policy action.
rules {
    1 {
        actions {
              1 {
                forward
                select
                fallback-pool http_pool <---- The default pool is missing.
            }
        }
    }
}

Impact:
The LTM policy won't compile.

Recommended Action:
None.

01071daf : Bot Defense Profile (%s) Micro Service (%s) Url (%s): %s.

Location:
GUI, CLI, API

Conditions:
The ASM module is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01071daf : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071db0 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071db0 : %s %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
Product management has configured flexible notifications in the license file. , .

Impact:
No functional impact. The BIG-IP system generates the notifications with the given string in the license file. This is a notification to customers to remind them about license renewal.

Recommended Action:
None.

01071db1 : Bot defense profile (%s) Signature (%s) should be Mobile Application Class signature.

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
When you are defining a mobile signature on a bot defense profile, ensure that the signature is of a category that belongs to a class named "Mobile Application".

01071db1 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071db2 : Bot defense signature category illegal class (%s).

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, and the values within the TMSH command are incorrect. It is illegal to set a Browser or Unknown bot defense class for a signature category.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.

01071db2 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071db3 : Bot defense profile (%s) signature category override not supported for (%s) which belongs to (%s) class.

Location:
GUI, CLI, API

Conditions:
ASM is provisioned, the TMSH command contains incorrect values It is illegal to define override settings for several signature categories, for example, categories of mobile signatures.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.

01071db3 : Throwing Invalid Monitor Rule Instance: %s

Location:
/var/log/ltm

Conditions:
MCPD logs this message before an "Invalid monitor rule instance identifier" error is logged.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071db4 : Bot defense profile (%s) signature override not supported for (%s) which belongs to (%s) class.

Location:
GUI, CLI, API

Conditions:
ASM provisioned, and the TMSH command contains incorrect values. It is illegal to define override settings for a signature that belongs to a category that cannot be overidden, such as mobile signatures.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.

01071db4 : Removing monitor rule instance: %s

Location:
/var/log/ltm

Conditions:
This message occurs under either of these conditions:

1. A monitor has been removed from a node, pool member, or a pool with one or more pool members.

2. A node, pool member, or a pool with one or more pool members that has a monitor attached is deleted.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071db5 : Bot defense profile (%s) Micro Service (%s) class override (%s) error: %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the TMSH command contains incorrect values. It is illegal to define override settings for a class on a micro service level; the exception is the "Trusted Bot" class.

Impact:
The configuration will not be stored in the MCP database.

Recommended Action:
None.

01071db5 : Saving monitor rule instance: %s

Location:
/var/log/ltm

Conditions:
A monitor is attached to a node, pool member, or a pool that contains one or more pool members.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071db6 : Bot defense profile (%s) error: %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the TMSH command contains incorrect values.

Impact:
The configuration will not be stored in the MCP database. The error is a generic template for arbitrary error messages resulting from MCP validation code; the specific error description is appended to the end of the error message after "error:".

Recommended Action:
None.

01071db6 : Creating a new monitor rule instance: %s

Location:
/var/log/ltm

Conditions:
A monitor is attached to a node, pool member, or a pool that contains one or more pool members.

Impact:
No impact. This is information only.

Recommended Action:
None.

01071dba : Warning (%s): %u bit keysize is insecure, it will be disabled in the future.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has created 512-bit RSA/DSA keys, which are insecure.

Impact:
The system displays a warning message that it might not support the creation of 512-bit RSA/SDA keys in the future.

Recommended Action:
None.

01071dba : Cannot delete SSO configuration (%s) because it is referenced by a SSO configuration select agent (%s)

Location:
/var/log/ltm, GUI

Conditions:
A user has attempted to remove an SSO configuration that is referenced by an SSO configuration select agent.

Impact:
The SSO configuration will not be deleted.

Recommended Action:
Remove all references from SSO configuration select agents to a given SSO configuration before the SSO configuration is removed. Once the references are removed, attempts to delete the SSO configuration should succeed.

01071dbc : Fail to commit due to the preset autodiscovery-enable VS number limit is %d.

Location:
CLI

Conditions:
A user has attempted to enable auto-discovery on a virtual server, which causes the number of auto-discovery-enabled virtual servers to exceed the value in the database.

Impact:
Minimal. This message is for a specific case only.

Recommended Action:
Consider modifying the BigDB variable "auto.discover.mvs.count" to the desired value.

01071dbd : Fail to change the value to be less than the current number (%d) of VS that enables auto_discovery.

Location:
CLI

Conditions:
The existing number of virtual servers that enable auto-discovery is larger than the desired value.

Impact:
Minimal.

Recommended Action:
Consider changing the desired value to be not less than the existing number, or disabling the auto-discovery service on some of the virtual servers first.

01071dbf : Setting DB variable %s to %s. Restarting services.

Location:
/var/log/ltm

Conditions:
The BIG-IP VE device (non-cloud and cloud editions) did not have a FIPS 140-2 Level 1 license, and a FIPS 140-2 Level 1 license has been procured and installed.

Impact:
Processes are restarted, and the prompt changes back to the normal prompt. No reboot is required. A new log message indicating that processes are restarting is now present.

Recommended Action:
None.

01071dbf : The requested otp source (%s) is invalid: %s

Location:
/var/log/ltm, VPE UI, CLI

Conditions:
An administrator has attempted to define a custom session variable for an invalid OTP source in an access per-session OTP verify agent.

Impact:
An OTP source field cannot be configured in a per-session OTP Verify agent. Such an attempt might lead to authentication failures for APM end users.

Recommended Action:
None.

01071dc0 : %s changing OpenSSL FIPS flag from (%d) to (%d). Restarting services.

Location:
/var/log/ltm

Conditions:
The BIG-IP VE device (non-cloud and cloud editions) did not have a FIPS 140-2 Level 1 license, and a FIPS 140-2 Level 1 license has been procured and installed.

Impact:
Processes are restarted, and the prompt changes back to the normal prompt. In particular, processes linking with the system OpenSSL's libcrypto* restart and execute FIPS 140-2-specific code paths present in libcrypto*. A new log message indicating that system OpenSSL is switching to FIPS mode and that associated processes are restarting is now present.

Recommended Action:
None.

01071dc5 : The Group SIDs session variable name in AAA Kerberos agent (%s) is empty

Location:
/var/log/ltm
Also observed in TMSH.

Conditions:
When the configured session variable name is empty for Group SIDs when 'Extract Group SIDs' is Enabled in Kerberos Auth agent.

Impact:
Error message is logged and also printed in TMSH, preventing you from creating the invalid configuration.

Recommended Action:
Fix the error conditions by defining a value for the corresponding session variable.

01071dc6 : The Group SIDs session variable name '%s' in AAA Kerberos agent (%s) is invalid

Location:
/var/log/ltm. Also appears in TMSH and the Visual Policy Editor (VPE) in TMUI (GUI).

Conditions:
When you configure a session variable whose name is longer than 247 characters (%{session_var_name} has a maximum 250 chars, so name inside %{} must be reduced by 3 characters), or contains an asterisk * or space characters for Group SIDs in Kerberos Auth agent.

Impact:
Error message is logged and also printed in GUI or TMSH, preventing you from creating an invalid configuration.

Recommended Action:
Fix the error conditions causing the invalid configuration.

01071dc7 : The %s session variable name in AAA Active Directory agent (%s) is empty

Location:
/var/log/ltm
Also observed in TMSH.

Conditions:
When the configured session variable name is empty for Group SIDs or Group Names in AD Group SID Resolver agent.

Impact:
Error message is logged and also printed in TMSH, preventing you from creating the invalid configuration.

Recommended Action:
Fix the error conditions by defining a value for the corresponding session variable.

01071dcd : Keytab file is not specified for AAA Active Directory Server (%s)

Location:
-- /var/log/apm.
-- On the TMUI while adding/modifying the Active Directory server properties

Conditions:
This error happens only when the Active Directory server's 'kdc-validation' property is enabled while adding/modifying an Active Directory server, and the corresponding 'keytab-file-obj' property is not specified.

Impact:
Corresponding KDC (Key Distribution Centre) cannot be validated while performing ADAuth.

Recommended Action:
No workaround. The 'keytab-file-obj' property has to be set whenever the property 'key-validation' is enabled while adding/modifying an Active Directory server on BIG-IP systems.

01071dce : Service name is not specified for AAA Active Directory Server (%s)

Location:
-- /var/log/apm.
-- On the TMUI while adding/modifying the Active Directory server properties

Conditions:
This error happens only when the Active Directory server's 'kdc-validation' property is enabled while adding/modifying an Active Directory server, and the corresponding 'service-name' property is not specified.

Impact:
Corresponding KDC (Key Distribution Centre) cannot be validated while performing ADAuth.

Recommended Action:
No workaround. The 'service-name' property has to be set whenever the property 'key-validation' is enabled while adding/modifying an Active Directory server on BIG-IP systems.

01071dd4 : DOS Profile (%s) cannot be attached to Zone as it is BDOS enabled.

Location:
/var/log/ltm

Conditions:
DoS profile has BDOS enabled and it is being attached to the Zone.

Impact:
DoS profile is not attached to the Zone.

Recommended Action:
Disable BDOS on the DoS profile and then attach it to the Zone.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), then BDOS is disabled for that object.

01071dd8 : SIP cannot be enabled on the DOS profile (%s) as it is already attached to zone.

Location:
/var/log/ltm

Conditions:
SIP cannot be enabled on a particular DoS profile if that DoS profile is already attached to a Zone.

Impact:
DoS profile attached to a Zone cannot have SIP enabled.

Recommended Action:
Detach DoS profile from the Zone and then enable SIP on the DoS profile.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), SIP DoS is enabled on that object.

01071dd9 : VLAN (%s) cannot be attached to Zone (%s) as it is part of another Zone (%s) which is also has DOS profile attached.

Location:
/var/log/ltm

Conditions:
One VLAN cannot be attached to two Zones simultaneously, if both Zones have DoS Profiles configured.

Impact:
Only one VLAN can be attached to one Zone at a time with a DoS profile attached.

Recommended Action:
Do one of the following:

-- Detach the VLAN from the first zone and attach the VLAN to the second Zone.

-- Detach the DoS profile from one of the zones.

Impact of detaching the VLAN from the Zone:
If the Zone being modified is already attached to another object, such as ACL, the ACL rules will not be applied to the VLAN that is removed from the Zone.

01071ddc : DOS Profile (%s) cannot be attached to the Zone as SIP is enabled on the profile.

Location:
/var/log/ltm

Conditions:
The DoS profile that is being attached to the Zone has SIP enabled.

Impact:
DoS profile is not attached to the Zone.

Recommended Action:
Disable SIP from DoS profile and then attach to the Zone.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), SIP DoS is disabled on that object.

01071ddc : DOS Profile (%s) cannot be attached to the Zone (%s) as the profile has Bad Actor/Attacked Destination Detection enabled.

Location:
/var/log/ltm

Conditions:
The DoS profile that is being attached to the Zone has Bad Actor/Attacked Destination Detection enabled.

Impact:
DoS profile is not attached to the Zone.

Recommended Action:
Disable Bad Actor/Attacked from the DoS profile and then attach it to the Zone.

01071dde : Log profile (%s) cannot be found.

Location:
/var/log/ltm

Conditions:
Log profile that is being attached to the Zone is not configured.

Impact:
Log profile cannot be attached to the zone.

Recommended Action:
Create the Log profile first, and then attach the profile to the Zone.

01071de0 : Dos profile (%s) cannot be attached to Protected-zone as BDOS is enabled.

Location:
/var/log/ltm

Conditions:
DoS profile is already attached to a Zone, and BDOS is being enabled.

Impact:
BDOS cannot be enabled on the DoS profile.

Recommended Action:
Detach DoS profile from Zone and then enable BDOS.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), then BDOS is enabled for that object.

01071de3 : Vector Threshold Mode cannot be enabled on the DOS profile (%s) as it is already attached to a Protected-zone.

Location:
/var/log/ltm

Conditions:
-- A DoS profile is attached to a Zone.
-- A Vector Threshold mode that is not 'Fully Manual' is being enabled on it.

Impact:
The Vector Threshold mode other than 'Fully Manual' is not enabled on the DoS profile.

Recommended Action:
Detach the DoS profile from the Zone and then enable the desired Vector Threshold mode.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), the Vector Threshold mode is changed for that object.

01071de4 : DNS cannot be enabled on the DOS profile (%s) as it is already attached to zone.

Location:
/var/log/ltm

Conditions:
DNS cannot be enabled on a particular DoS profile if that DoS profile is already attached to a Zone.

Impact:
DoS profile attached to a Zone cannot have DNS enabled.

Recommended Action:
Detach DoS profile from the Zone and then enable DNS on the DoS profile.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), DNS DoS is enabled for that object.

01071de5 : DOS Profile (%s) cannot be attached to the Zone as DNS is enabled on the profile.

Location:
/var/log/ltm

Conditions:
The DoS profile that is being attached to the Zone has DNS enabled.

Impact:
DoS profile is not attached to the Zone.

Recommended Action:
Disable DNS from the DoS profile and then attach it to the Zone.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), DNS DoS is disabled for that object.

01071e02 : DOS profile (%s) not found.

Location:
/var/log/ltm

Conditions:
DoS profile being attached to the Zone has not been configured.

Impact:
DoS profile specified cannot be attached to the Zone.

Recommended Action:
Create the DoS profile, and then attach it with Zone.

01071e03 : Maximum (%s) can be attached per Zone containing DOS profiles.

Location:
/var/log/ltm

Conditions:
16 Zones are already attached with DoS profiles, and an additional Zone is being attached with a DoS profile.

Impact:
DoS profile cannot be attached to the Zone.

Recommended Action:
Detach a DoS profile from one of the existing Zones, and then attach the DoS profile to the new Zone.

01071e09 : DOS Profile (%s) cannot be attached to zone as threshold mode is not Fully Manual.

Location:
/var/log/ltm

Conditions:
-- A DoS profile is attached to a Zone.
-- A Vector Threshold mode that is not 'Fully Manual' is being enabled on it.

Impact:
DoS profile is not attached to the Zone.

Recommended Action:
Set the Vector Threshold mode of the DoS profile being attached to the Zone 'Fully manual'.

Note: If the DoS profile being modified is already attached to another object (e.g., a virtual server), the Vector Threshold mode is changed for that object.

01071e0d : Security log profiles '%s' and '%s' cannot be associated simultaneously with a Zone '%s', since they have same or mutually exclusive parts enabled.

Location:
/var/log/ltm

Conditions:
The security log profiles have the same parts enabled and are being attached to the same Zone.

Impact:
Log profile is not attached to the Zone.

Recommended Action:
Ensure that log profiles have only mutually exclusive parts enabled, and then attach them to the Zone.

Note: If the log profile being modified is already attached to another object (e.g., a virtual server), the parts being changed affect that object.

01071e0e : Security log profiles '%s' and '%s' cannot be associated simultaneously with a Zone '%s', since they both have local logging enabled.

Location:
/var/log/ltm

Conditions:
Zone has a security log profile with local logging enabled and another security log profile with local logging enabled is being attached to the Zone.

Impact:
Log profile cannot be attached to the Zone.

Recommended Action:
Disable local logging on the log profile and then attach to the Zone.

Note: If the log profile being modified is already attached to another object (e.g., a virtual server), local logging will be disabled for that object.

01071e0f : DOS profile (%s) cannot be attached to the Zone (%s) as the Zone has one or more VLANs that are part of other Zones and a VLAN cannot be a member of more than one Zone which have DDoS protections enabled.

Location:
/var/log/ltm

Conditions:
DoS profiles cannot be attached to two Zones simultaneously, if both Zones have the same VLAN configured.

Impact:
DoS profile can be attached to only one Zone at a time with a VLAN attached.

Recommended Action:
Do either of the following:
-- Detach the VLAN from Zone and attach DOS profile to it.

-- Detach the DoS profile from the first Zone and attach the DoS profile to another Zone.

Impact of detaching the VLAN from the Zone:
-- If the Zone being modified is already attached to another object, such as ACL, then the ACL rules will not be applied to the VLAN that was removed from the Zone.

01073035 : The encryption key for OAuth profile (%s) cannot be modified directly. Use encryption secret to generate a new encryption key.

Location:
/var/log/apm, TMSH

Conditions:
If jwt-refresh-token-enc-key is specified directly.

Impact:
Object won't be saved.

Recommended Action:
Do not specify key. Instead use jwt-refresh-token-enc-secret to generate key.

01073039 : All the JWK configs in a JWT config must have unique cert-thumbprint-sha1. The cert-thumbprint-sha1 '%s' is already present in JWT config '%s'.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a JWK config to a JWT config, and the JWK config has cert-thumbprint-sha1 that is already present in the JWT config through some other JWK config. The cert-thumbprint-sha1 must be unique within a JWT config.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a JWK config to a JWT config, check that the operation will not result in a JWT config with more than one instance of the same cert-thumbprint-sha1.

01073040 : All the JWK configs in a JWT config must have unique cert-thumbprint-sha256. The cert-thumbprint-sha256 '%s' is already present in JWT config '%s'.

Location:
/var/log/ltm, tmsh, GUI

Conditions:
Misconfiguration.
Admin attempts to add a JWK config to a JWT config, and the JWK config has cert-thumbprint-sha256 that is already present in the JWT config through some other JWK config. The cert-thumbprint-sha256 must be unique within a JWT config.

Impact:
This is an mcp configuration error. Object containing this configuration will not be saved.

Recommended Action:
When attempting to add a JWK config to a JWT config, check that the operation will not result in a JWT config with more than one instance of the same cert-thumbprint-sha256.

010c0009 : Lost connection to mcpd - reestablishing

Location:
/var/log/ltm. Neither the Console nor the GUI provides it.

Conditions:
When SOD loses its connection to MCPD for whatever reason, this message is logged.

Impact:
SOD won't have communication with MCPD. Any device status/configuration updates wouldn't be possible until the communication is re-established.

Recommended Action:
If the connection is not re-established automatically, try restarting all services with bigstart restart.

010c0018 : Standby

Location:
/var/log/ltm. The GUI provides other prompts that indicate a device is in Standby mode; and the Console provides a prompt with Standby State in it.

Conditions:
A device goes to standby by user manual intervention, or when some other device is the active one in the failover group.

Impact:
If it is due to a user intervention, all failover objects in the device will be serviced by the next active device in the failover group, for example, traffic groups.

Recommended Action:
None.

010c0022 : Opening %s for failover monitoring

Location:
/var/log/ltm.

Conditions:
This log is informational and indicates that SOD has opened the failover serial port. This occurs on the startup of SOD. The use of the serial port for failover status is determined by the configuration of the BIG-IP.

Example:
Nov 11 07:35:13 lead info sod[6502]: 010c0022:6: Opening /dev/tty01 for failover monitoring.

Impact:
None.

Recommended Action:
None.

010c002a : Requesting tmm to resend gratuitous arps for traffic group %s.

Location:
/var/log/ltm

Conditions:
In an Active-Active scenario, once it is decided which device will become standby and which will remain active (internal logic), the active device will request tmm to resend gratuitous arp messages. When this occurs, this log message appears in the device that remained active.

Impact:
None.

Recommended Action:
None.

010c002b : Traffic group %s received a targeted failover command for %s.

Location:
/var/log/ltm

Conditions:
This log entry appears when the active device has received and is processing a targeted-failover command that is issued by an administrator for a specified traffic group.

Impact:
This is an informational log entry that indicates that the administrator has issued a failover for a specific traffic group on the active device.

Recommended Action:
None.

010c002c : Traffic group %s received a targeted failover command from cluster mate for %s.

Location:
/var/log/ltm

Conditions:
This log message appears when a blade in a cluster has received and is processing a targeted-failover command from one of the other blades in the cluster for a specified traffic group.

Impact:
This is an informational log message that indicates that the administrator has issued a failover for a specific traffic group in a cluster and this blade is processing that command.

Recommended Action:
None.

010c002d : Traffic group %s going standby via targeted failover command.

Location:
/var/log/ltm

Conditions:
This log message appears when a specified traffic group is going from active to standby, caused by a targeted-failover command that is issued by an administrator for a specified traffic group.

Impact:
This is an informational log message that indicates that the administrator has issued a targeted failover command to change a specific traffic group from an active to standby. device.

Recommended Action:
None.

010c0037 : Up service module error %s.

Location:
/var/log/ltm

Conditions:
These messages indicate that the failover daemon encountered an unexpected system call failure, and is not functioning correctly.

If the specific message is "Up service module error: .... Too many open files", then the system is probably running a version of software that contains defect Bug ID 451917 or Bug 516669.

Any other runtime errors require diagnosis.

Impact:
If this condition occurs, HA failover might not work correctly.

Recommended Action:
Depending on the root cause of the runtime error, restarting the BIG-IP device might clear the condition.

Upgrade to a BIG-IP software release that contains the fixes for Bug 451917 and Bug 516669.

010c003b : Bind fails on %s addr %s port %d error %s

Location:
/var/log/ltm

Conditions:
An invalid address has been configured as a unicast address on the device.

Impact:
The invalid unicast address cannot be used to send or receive network failover data.

Recommended Action:
Change the unicast address to be a valid management IP or self-IP.

010c003c : Connect fails on %s addr %s port %d error %s

Location:
/var/log/ltm

Conditions:
The code paths in question can only be executed if secure network failover is enabled. This error can occur if no route exists to the remote unicast address ("Network is Unreachable").

Impact:
Network failover communication to the remote unicast address does not work.

Recommended Action:
Repair the network partition.

010c003e : Offline

Location:
/var/log/ltm

If this offline state was requested by the user, the GUI provides other status fields that indicate a device is in Forced Offline mode, and the Console provides a prompt with ForcedOffline State in it.

Conditions:
It is a transitional state that is logged when the device comes up or when SOD restarts.
It will also occur when the user forces a device to stay offline.
The device encounters networking problems.

Impact:
Device won't be online. Network connectivity for services won't be available.

Recommended Action:
Bring the device back online if the offline state was a consequence of a user action.
Restart sod daemon. If that doesn't work, restart all services.

010c003f : Forced offline

Location:
/var/log/ltm

Conditions:
This log message occurs when the SOD updates an internal state to offline as a result of detecting that a traffic group has been forced offline by the admin.

Impact:
The log (level Notice) is generated by SOD after it changes an internal state for a traffic group has been forced offline and is no longer accessible to the user. This log is an informational/debug log of a SOD internal state change to forced offline and not that useful to the user.

Recommended Action:
None.

010c0044 : Command: %s

Location:
The message appears only in /var/log/ltm. It does not appear on the console or on the GUI screen.

Conditions:
This is a log entry that displays a failover command, executed by means of the GUI, tmsh, or iControl. The following examples show some of the possible logs, but not all.

The following log corresponds to making a traffic group go to standby from the GUI.
010c0044:5: Command: go standby /Common/TG2 /Common/BIGIP-2.localdomain GUI.

The following log corresponds to making a traffic group go to standby from tmsh.
010c0044:5: Command: go standby /Common/TG2 /Common/BIGIP-1.localdomain tmsh.

The following when making the BIGIP go ForcedOffline mode via tmsh
010c0044:5: Command: go offline all tmsh.

The following when making the BIGIP come back online from ForcedOffline mode via GUI
010c0044:5: Command: release offline all GUI.

The following log comes when making the BIGIP go offline from iControl
010c0044:5: Command: go offline all iControl.

Impact:
None. This is a notification that a system failover command was executed.

Recommended Action:
None.

010c0048 : Bcm56xxd and lacpd connected - links up

Location:
/var/log/ltm

Conditions:
This message is information, and is logged by SOD when the links to Bcm56xxd and lacpd are up. This is part of the normal startup process for SOD.

Example:
Nov 11 07:36:15 lead notice sod[6502]: 010c0048:5: Bcm56xxd and lacpd connected - links up.

Impact:
None

Recommended Action:
None.

010c0049 : Tmm ready - links up.

Location:
/var/log/ltm

Conditions:
This is a message from SOD to indicate that the TMM has reached the running state, and can handle passing and receiving traffic on the self-IPs often used for failover addresses.

This message is seen on initial startup, as well as if SOD or the TMM is restarted.

Impact:
None.

Recommended Action:
None.

010c0050 : Sod requests links down

Location:
/var/log/ltm

Conditions:
This is an information message that is logged during the shutdown of the SOD daemon. It indicates that the links to Bcm56xxd and lacpd have been marked down.

Example:
Nov 11 07:29:03 lead notice sod[6214]: 010c0050:5: Sod requests links down.

Impact:
None.

Recommended Action:
None.

010c0052 : Standby for traffic group %s

Location:
This log only appears in /var/log/ltm. It does not appear on the Console or the GUI.

Conditions:
When a traffic group transitions to the standby state, this log message is logged by the system.

For example when a device is released from the forced offline state; the sequence of logs includes the following:

Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0044:5: Command: release offline all GUI.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c003e:5: Offline
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c006d:5: Leaving Offline for Standby for dbvar is redundant.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0018:5: Standby
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group TG2.

Impact:
None. This is a notification of what is happening with the traffic-group in the device.

Recommended Action:
None.

010c0054 : Offline for traffic group %s.

Location:
/var/log/ltm. Neither the Console nor the GUI show it.

Conditions:
When a traffic-group is about to become active or standby, it starts with the transitional state of offline, which 0is when the log appears. For example the following sequence of logs appear when the device is booting up:

Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0057:5: Activating traffic group TG2.
Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0054:5: Offline for traffic group TG2.
Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0057:5: Activating traffic group traffic-group-1.
Oct 11 13:00:46 BIGIP-2 notice sod[5403]: 010c0054:5: Offline for traffic group traffic-group-1.

This could also be a result of initial configuration or releasing a device from a forced offline state. A common log sequence will look like this:

Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0044:5: Command: release offline all GUI.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0054:5: Offline for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c003e:5: Offline
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c006d:5: Leaving Offline for Standby for dbvar is redundant.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group TG2.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0052:5: Standby for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 notice sod[28395]: 010c0018:5: Standby
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group traffic-group-1.
Oct 11 13:30:04 BIGIP-2 info sod[28395]: 010c0096:6: Next active for traffic group TG2.

Impact:
None. This is a notification of what is happening with the traffic-group in the device.

Recommended Action:
None.

010c0055 : Forced offline for traffic group %s.

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD detects that a traffic group has been forced offline by the admin.

Impact:
The log (level Notice) is generated by SOD after a traffic group has been forced offline and is no longer accessible to the user.

Recommended Action:
The admin has forced the specified traffic group offline and the user must use other traffic groups.

010c0056 : Deactivating traffic group %s

Location:
/var/log/ltm. Neither the Console nor the GUI provide it.

Conditions:
SOD has to reactivate the traffic groups in the device when certain configuration changes occur on the box, specially at boot time. This requires a deactivate/activate sequence, and, when the deactivate occurs, this log appears.

Impact:
None. This is a notification of what is happening with the traffic group on the device.

Recommended Action:
None.

010c0057 : Activating traffic group %s

Location:
/var/log/ltm. Neither the Console nor the GUI provide it.

Conditions:
SOD has to activate the traffic groups in the device when certain configuration changes occur on the box, specially at boot time. This requires a deactivate/activate sequence, and, when the activate occurs, this log appears.

Impact:
None. This is a notification of what is happening with the traffic group on the device.

Recommended Action:
None.

010c005a : Dropping a failover packet that is too small (%u)

Location:
/var/log/ltm

Conditions:
This message indicates that a message was received by SOD on one of its failover listening addresses, but the message was not big enough to be a valid failover packet.

Impact:
Messages that arrive at the failover listening addresses that are too small to be valid are dropped. There is no other effect on system behavior beyond this.

Recommended Action:
If failover messages are not being received from another device in the failover-sync group, and these messages are present in the log, it may indicate an issue with the SOD daemon on the other device. Restarting SOD on the other device may clear the issue. If not, then support will need to be contacted.

Spurious occurrences of this log without other system issue, are not a cause for concern.

010c005b : Dropping a packet that is not a failover packet.

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD process receives a packet that is not a failover packet.

Impact:
The log (level Notice) is generated when an unknown packet is received by the SOD process and the packet is dropped.

Recommended Action:
None.

010c005e : Waiting for mcpd to reach phase base, current phase is %s

Location:
/var/log/ltm

Neither the GUI nor the console should display it.

Conditions:
This log appears when the switch over (failover) daemon is trying to establish a connection with MCP (configuration daemon). It reports the current MCPD phase in its boot-up sequence.

Impact:
None. This log is informing that MCPD is not ready yet to take any connection.

Recommended Action:
None.

010c005f : Mcpd has reached phase base, current phase is %s

Location:
/var/log/ltm

Conditions:
This is an informational message that SOD has connected to MCPD, and MCPD has reached a state where SOD can continue starting up. This is logged whenever SOD starts up and connected to MCPD and MCPD reaches at least the base phase.

Example:
Nov 11 07:35:24 lead notice sod[6502]: 010c005f:5: Mcpd has reached phase base, current phase is running.

If the following message is seen, and the "MCPD has reached phase base" is not seen afterwards, it may indicate an issue with MCPD.

Nov 11 07:35:00 localhost notice sod[6502]: 010c005e:5: Waiting for mcpd to reach phase base, current phase is platform.

Impact:
None.

Recommended Action:
None.

010c0063 : Waiting for Mcpd without a response. Try again...

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD process has not established a connection with the MCPD process.

Impact:
The log (level Notice) is generated once during every connection attempt to the MCPD process until a successful connection is established. The SOD process will not operate until this connection is established.

Recommended Action:
Investigate the state of the MCPD process and possibly try a process restart.

010c006a : Configuration CRC values disagree amongst peers. Suggest configsync peers.

Location:
/var/log/ltm
Observed in the UI Device Management "Details" status display.
In the "show cm traffic-group" command.

Conditions:
Configuration relevant to network failover is not in-sync between devices in a failover device group. This message can appear briefly when traffic-group configuration has changed but configsync has not yet completed to the other devices.

Impact:
Network failover calculations might not be correct, resulting in inconsistent (or no) selection of a next-active device, and failover to an unintended location.

Recommended Action:
Enable automatic sync for the failover device group (preferred).
Manually sync the new configuration to the device group.

010c006b : Configuration CRC values agree amongst peers

Location:
/var/log/ltm

There are other indications of configuration being out of sync between devices in the GUI and command line, but the setting and clearing of these indications are unrelated to this log message.

Conditions:
When traffic-group state from other devices is processed, this log appears if the devices in the failover-group did not previously have their configurations in sync.

Oct 13 06:59:37 BIGIP-1 notice sod[6779]: 010c006b:5: Configuration CRC values agree amongst peers.

Impact:
None: Indicates that configurations are now in-sync between devices in the failover-group.

Recommended Action:
None.

010c006c : proc stat: [0] %s

Location:
/var/log/ltm. Neither the console nor the GUI provide it.

Conditions:
SOD has a list of processes it monitors. When any of the processes goes away, this log message appears.

An example of relevant logs when tmm is restarted with bigstart restart follows:

Oct 12 10:23:14 BIGIP-2 warning sod[28395]: 01140029:4: HA proc_running tmm fails action is go offline and down links.
Oct 12 10:23:14 BIGIP-2 notice sod[28395]: 010c0050:5: Sod requests links down.
...
Oct 12 10:23:21 BIGIP-2 notice sod[28395]: 01140045:5: HA reports tmm NOT ready.
Oct 12 10:23:22 BIGIP-2 notice sod[28395]: 010c006c:5: proc stat: [0] pid:28459 comm:(tmm.0) state:S utime:93 stime:103 cutime:1 cstime:10 starttime:7709594 vsize:6928031744 rss:18225 wchan:18446744073709551615 blkio_ticks:9 [-1] pid:1887 comm:(tmm.0) state:S utime:158666 stime:34358 cutime:0 cstime:13 starttime:85235 vsize:6932230144 rss:19317 wchan:18446744073709551615 blkio_ticks:7 [-2] pid:1887 comm:(tmm.0) state:S utime:158655 stime:34355 cutime:0 cstime:13 starttime:85235 vsize:6932230144 rss:19317 wchan:18446744073709551615 blkio_ticks:7 .
Oct 12 10:23:24 BIGIP-2 notice sod[28395]: 01140030:5: HA proc_running tmm is now responding.
...
Oct 12 10:23:31 BIGIP-2 notice sod[28395]: 01140044:5: HA reports tmm ready.
Oct 12 10:23:31 BIGIP-2 notice sod[28395]: 010c0049:5: Tmm ready - links up.
Oct 12 10:23:34 BIGIP-2 notice sod[28395]: 010c006c:5: proc stat: [0] pid:27987 comm:(bigd) state:S utime:6 stime:2 cutime:13 cstime:5 starttime:7709247 vsize:47583232 rss:6415 wchan:18446744071579502277 blkio_ticks:1 [-1] pid:3648 comm:(bigd) state:S utime:1920 stime:604 cutime:12 cstime:10 starttime:176428 vsize:50548736 rss:6472 wchan:18446744071581059260 blkio_ticks:15 [-2] pid:3648 comm:(bigd) state:S utime:1920 stime:604 cutime:12 cstime:10 starttime:176428 vsize:50548736 rss:6472 wchan:18446744071581059260 blkio_ticks:15 .

The log will appear when the process goes away, and when it comes back.

Impact:
None. This log on itself only provides a notification that SOD detected a process going away. The rest of the logs relevant to the process that went away should give more information of what went wrong.

Recommended Action:
None.

010c006d : %s.

Location:
/var/log/ltm

Conditions:
Reports information about the system. It can change from release to release because it is a complete free-form log, and has no rules of what information it can convey.

Some examples are:
"Leaving Offline for Active for dbvar not redundant (tmm ready)"
"Leaving Offline for Standby for dbvar not redundant (tmm not ready)"
"Leaving Offline for Active for mate is active"
"Leaving Offline for Standby for dbvar is redundant"
"Leaving Standby for Offline for ha table offline_cond"
"Leaving Standby for Active for dbvar not redundant (tmm ready)"
"No peer active but stay put for longer."
"Leaving Standby for Active (best ha score)"
"Leaving Standby for Active (mate ha score)"

Impact:
None.

Recommended Action:
None.

010c006e : All devices in traffic group %s %s have a HA group.

Location:
/var/log/ltm

Conditions:
Two different cases for this log message.
Case 1: 'All devices in traffic group %s now have a HA group'
This case indicates that HA group is configured correctly on all devices for a traffic group.

Case 2: 'All devices in traffic group %s should have a HA group'
This case indicates that HA group is not configured correctly on all devices for a traffic group.

Impact:
Case 1 is informational, indicating that HA group is configured correctly.

Case 2 is an error condition, indicating that the configuration of HA group is not configured correctly on one or more of the devices. HA group will not operate correctly for this traffic group.

Recommended Action:
Fix the configuration of the HA group in the traffic group on all devices for case 2 log message.

010c0076 : Exceeded mcp recv soft limit: %d. Succeeded after %d messages.

Location:
/var/log/ltm

Conditions:
When SOD is starting, it establishes a connection with MCP. If initialization exceeds the expected number of messages, it will log this notification with the original expected limit and the actual number.

Impact:
None.

Recommended Action:
None.

010c0077 : Listening for unicast failover packets on address %s port %d.

Location:
/var/log/ltm

Conditions:
This message indicates that SOD is listening on the specified address and port for unicast network failover packets. It is logged when SOD starts up and begins listening for failover packets. It is also logged when a new unicast failover address is configured while SOD is running.

Impact:
None.

Recommended Action:
None.

010c007b : Deleted unicast failover address %s port %d for device %s.

Location:
/var/log/ltm

Conditions:
This log message appears when a unicast ip address is deleted on a device by the admin.

Impact:
This log message is an informational message that shows that a unicast address was deleted on a device.

Recommended Action:
None.

010c007e : Not receiving status updates from peer device %s (Disconnected).

Location:
/var/log/ltm

Conditions:
This message is logged on a peer device in the failover-sync group when it does not receive any network failover packets for the network timeout. This timeout defaults to 3 seconds.

Impact:
The device mentioned in the log message is marked as offline by the device logging the message, and is not eligible to be the next failover device.

Recommended Action:
The state of the device that was disconnected should be checked on the reported device. It could be a networking issue, a hardware issue, or an environmental issue.

Once the issue is corrected the device will start sending network failover packets and will be marked online again.

010c0082 : Sorted Load-Aware failover %s.

Location:
/var/log/ltm

Conditions:
This log message occurs if there is a change by the SOD process in the use of the internal Sorted Load-Aware failover algorithm. The message will appear if it was previously disabled and is now enabled, or if it was previously enabled and is now disabled.

Impact:
The log (level Informational) is generated once during a change in the internal algorithm state. The Load Aware algorithm is more efficient when Sorted is used, but it can only be used if all devices are capable of running it. The user cannot configure this or determine if it is in use solely by means of this log.

Recommended Action:
None.

010c0083 : No failover status messages received for %s seconds, from device %s (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs when the SOD process has not received a failover packet from a peer connection during the configured timeout interval.

Impact:
The log (level Warning) is generated after an expected failover packet is not received before the configured timeout interval. This indicates that the peer is no longer sending failover updates to the SOD process, possibly indicating that the peer has become busy or is offline.

Recommended Action:
Investigate the state of the peer connection.

010c0084 : Failover status message received after %s second gap, from device %s (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs when the SOD process receives a failover packet from a peer connection that it marked as no longer sending failover updates.

Impact:
This log (level Warning) is generated by a peer, which is no longer sending failover packets to the SOD process during the expected timeout interval, that has resumed sending packets. The time between packets (in seconds) is displayed.

Recommended Action:
This message is informational.

010c0085 : First failover status message received from device %s (%s).

Location:
/var/log/ltm

Conditions:
This log message occurs if the SOD process has received a message for the first time on a peer connection.

Impact:
The log (level Informational) is generated after the SOD process receives a message for the first time on a new peer connection. This log provides information to the user about this peer connection.

Recommended Action:
None.

010c0089 : Invalid go standby command. %s is not a valid traffic-group or device.

Location:
/var/log/ltm

Conditions:
If an administrator runs the cmd_sod command directly from the Linux shell, and provides an invalid argument.

Impact:
No failover.

Recommended Action:
Use the correct device or traffic group name.

010c008a : Invalid go standby command. %s is not a valid device.

Location:
/var/log/ltm

Conditions:
If an administrator runs the cmd_sod command directly from the Linux shell, and provides an invalid argument.

Impact:
No failover.

Recommended Action:
Use the correct device name.

010c008b : Unable to send to unreachable unicast address %s port %d.

Location:
/var/log/ltm

Conditions:
The failover daemon (sod) periodically sends UDP packets to other devices in the Device Service Cluster. A packet could not be sent, usually because the current routing table indicates there is no route to the destination device.

Impact:
When sod is unable to transmit Network Failover packets, other devices in the Device Service Cluster may conclude that the device is inoperative, and take over service.

Recommended Action:
Restore network connectivity between the devices.

010c008c : Previously unreachable unicast address %s port %d is now reachable.

Location:
/var/log/ltm

Conditions:
Clears the prior error condition has cleared.

Impact:
Restores normal transmission of network failover packets.

Recommended Action:
None.

010c0098 : Multicast socket connect failure: %s.

Location:
/var/log/ltm

Conditions:
An invalid multicast address is configured as the multicast-ip for a device.

Impact:
Multicast failover packets will not work on the multicast interface, thus reducing the reliability of operation in an HA cluster.

Recommended Action:
Configure a valid multicast address on all devices in the HA cluster. IPv4 multicast addresses must be in the 224.0.0.0/4 subnet and IPv6 multicast addresses must use the ff00:/8 prefix.

010c0099 : Connected to multicast group %s port %d on interface %s.

Location:
/var/log/ltm

Conditions:
The SOD high-availability (HA) daemon is able to successfully connect to the HA multicast interface configured in the device configuration.

Impact:
None.

Recommended Action:
None.

010c009a : Disconnected from multicast group %s port %d on interface %s.

Location:
/var/log/ltm

Conditions:
The SOD high-availability (HA) daemon disconnects from the multicast HA group. This can be due to the shutdown of the SOD HA daemon, or it can happen when the multicast-ip is changed.

Impact:
None.

Recommended Action:
None.

010c009b : Availability log %s failed '%s'.

Location:
/var/log/ltm

Conditions:
A read or write action to the availability log failed (for example, /var/log/availability.0).

Impact:
Gaps can be present in the availability log that might cause inaccurate system availability metrics or might prevent the display of availability metrics.

Recommended Action:
Remove the availability log or reset the stats. This will resolve the issue if you are unable to display availability metrics.

010c009c : Timer interval set to %u.%06us (was %u.%06u).

Location:
/var/log/ltm

Conditions:
The failover daemon has changed the polling interval.

Impact:
None. The system is acting normally.

Recommended Action:
None.

010c009d : Poll interval %dms, estimated %d packets/sec.

Location:
/var/log/ltm

Conditions:
Failover device group configuration has caused the failover daemon to recalculate the estimated update rate.

Impact:
None. The system is operating normally.

Recommended Action:
None.

010c009e : Config crc changed: old 0x%x new 0x%x.

Location:
/var/log/ltm

Conditions:
The high-availability configuration digest CRC has been changed due to a configuration change that affects the selection of the next-active location for traffic groups in a device service cluster.

Impact:
The message allows the user to determine which device in the device service cluster "differs" when the devices do not agree on the configuration. In this case where different nodes have different CRC values, default rules are followed.

Recommended Action:
None.

010d0005 : Chassis fan %d: status (%d) is bad

Location:
/var/log/ltm

Conditions:
A sensor determined that the fan speed is zero (0) RPM, indicating the chassis fan is not rotating.

Impact:
One or more faulty fans reduces the cooling capacity of the system, which can result in overheating issues. This log entry triggers the alarm LED to turn red and display an alert on the LCD.

Recommended Action:
Check for obstructions blocking the fan blades. Replace the fan tray for the faulty fan.

010d0006 : Chassis power supply %d has experienced an issue. Status is as follows: %s

Location:
/var/log/ltm

Appears in GUI, console, and LCD.

Conditions:
A system power supply has failed.

Impact:
In a redundant power supply system, only one power supply will be operational.

Recommended Action:
Replace the failed power supply. If the message persists, file a support ticket.

010d0009 : %s: voltage (%d) is too high

Location:
/var/log/ltm

Conditions:
A voltage sensor reading exceeded the operational limits.

Impact:
Continued operation during these conditions can produce component failure or unexpected behavior. This log triggers a red LED alarm and displays an alert on the LCD.

Recommended Action:
Contact support for resolution.

010d0010 : %s: fan speed (%d) is too low

Location:
/var/log/ltm

Appears in GUI, console, and LCD.

Conditions:
A system fan failed to operate at the minimum speed.

Impact:
Depending on the failed fan, the system could power off if chassis or CPU temperatures exceed maximum operating temperatures.

Recommended Action:
Determine the failed fan by typing 'system_check -d' at the command line. File a support ticket to diagnose and resolve this hardware problem.

010d0017 : %s: milli-voltage (%d) is too low

Location:
/var/log/ltm

Appears in GUI, console, and LCD.

Conditions:
Loss of power, or input power is out of recommended range.

Impact:
If a loss of power caused the condition, power redundancy is compromised.
If a loss of power did not cause the condition, indeterminate behavior can result.

Recommended Action:
Verify power is applied to unit.
Verify that the power is the correct input range.
Replace PSU associated with the alarm.

010e0001 : Cannot communicate with MCPD server

Location:
/var/log/ltm

Conditions:
This can be a result of BIG-IP device being very busy. The SNMP agent is unable to communicate with MCPd and thus logs this message. This situation can recover if BIG-IP device becomes less busy. Internally the SNMP requests come into the agent via the MCPd daemon. Responses back to the requester traverse the path back by means of the MCPd as well.

Impact:
All user requests either by means of the cli or the access to SNMP agents will not be honored. The SNMP data will not be retrieved as the interface to the SNMP daemon is down.

Recommended Action:
As a last option, reboot the BIG-IP device.

010e0002 : Established new connection to MCPD server

Location:
/var/log/ltm

Conditions:
This message occurs when a connection or new connection is established with the MCPD server. This message is internal to our software and is only an informational message. MCPD is the master control process daemon which has a number of connections to other processes of which one is the snmpd. When it establishes a communication channel to the snmpd process this message is printed in the log.

Impact:
An internal informational message is logged each time the mcpd communication channel is established with the snmpd.

Recommended Action:
None.

010e0004 : MCPD query response exceeding %d seconds

Location:
/var/log/ltm

Conditions:
This error message occurs when the MCPd response time is very slow. The SNMP subagent is encountering long timeouts while communicating with MCPd. The system may be very busy.

Impact:
The SNMP request fails.

Recommended Action:
One can retry the request. Also, it is worth executing an unrelated tmsh command to see if the same slow response times are seen. Wait to see if it is temporary slowdown of MCPd. Stop any of the SNMP queries that are currently running. As a last option, restart the BIG-IP device.

01100002 : alertd is going down

Location:
/var/log/ltm

Conditions:
BIG-IP device is restarting, or just the alertd daemon is stopping or restarting.

Impact:
None, informational only.

Recommended Action:
None.

01100017 : Email action is failed for toaddress %s

Location:
/var/log/ltm
LCD
SNMP Trap

Conditions:
Email notification for system alert failed to be sent.

Impact:
No additional impact to the system.

Recommended Action:
Recommendation is to review SOL3667 at AskF5 where email notification configuration is described. Make sure there are valid "To" and "From" addresses configured.

01100042 : Failed with MCPD at: %s (%s)

Location:
/var/log/ltm

Conditions:
The alertd daemon has encountered an inter-process communication error with the mcpd daemon. When this happens, there is likely a problem with mcpd either being down or too busy.

Impact:
If the error is simply "Socket read", and non-repeating, it was likely a single case of congestion and should not have long-term impact.

Most of the other errors such as "Connect", "Subscribe", "MCP msg receive", "Socket/pipe select", "Socket error event", "syslog pipe error event", or "errdefs scoket error event" indicate a failure for the alertd daemon to initialize properly. In this situation, alert generation and their associated SNMP traps are likely to be inoperational.

Recommended Action:
Issue a 'bigstart status alertd mcpd' from the CLI. If either process is not in 'run' state, or if the associated log messages are persisting, try issuing a 'bigstart restart <alertd|mcpd>' depending on whether one is malfunctioning, or perhaps both.

01100043 : logcheck Notice: %s %d

Location:
/var/log/ltm

Conditions:
1. "Disconnect mcpd". alertd disconnects from mcpd when alertd is exiting, due to a restart or the BIG-IP system shutting down.
2. "Receive alert msg from diskmonitor". alertd received a message from the disk monitoring subsystem, leading to a check for log rotation.
3. "logrotate triggered by large log <name_of_log_file> of size <size> KB -"Available disk space is <size> KB". Occurs when logrotate is running to compress logs.

Impact:
None. This is not an error condition, but normal operation. logrotate runs periodically to compress logs.

Recommended Action:
None.

01100048 : "Log disk usage still higher than %d%% after logrotate and %d times log deletion"

Location:
/var/log/ltm

Conditions:
Disk usage has surpassed the percentage threshold specified by the DB variable "logcheck.warnthres", whose default value is set at 80%. This warning is given after the system has already tried to compress or delete older log files over a number of iterations indicated in the message (default is 24 iterations).

Impact:
Disk space is running low, which could impact the system's ability to perform logging functions, receive new software for upgrades, or perform any other function requiring additional disk space.

Recommended Action:
1. Delete any unnecessary large files on the system or older logs.

Use "du" to find where the largest files are located:
du -a | sort -n -r

Inspect /shared/images for any unwanted ISO files.

Inspect /var/log for any undesirable large files.

2. Modify the "logcheck.warnthres" value if user believes that the disk usage threshold for the warning is too low.

modify sys db logcheck.warnthres Value
Values:
  [enter integer value min:0 max:100]

3. Consider adding additional storage capacity.

01100049 : logcheck Info: %s %d

Location:
/var/log/ltm

Conditions:
Informational messages that indicate DB variable values, free disk space in /var/log, and notifications that old compressed files are being deleted to free up space.

Impact:
Informational, but in some cases, might indicate a low amount of disk space free and deletion of the oldest compressed log archives in /var/log/ltm.

Recommended Action:
If message indicates deletion of old, compressed files, try deleting any unnecessary files that may be contributing to low amount of free disk space.

01100053 : %s

Location:
/var/log/ltm

Conditions:
This message occurs when a system administrator uses the command "lcdwarn -p emergency MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD pane, under priority "emergency".

Impact:
The Alert LED on the front panel of the box blinks red.

Recommended Action:
Use the command "lcdwarn -c emergency" to clear all messages of priority "emergency" from the LCD panel.

01100054 : %s

Location:
/var/log/ltm

Conditions:
This message occurs when a system administrator uses the command "lcdwarn -p critical MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD pane, under priority "critical".

Impact:
The Alert LED on the front panel of the box is solid red unless a higher priority message is also being displayed.

Recommended Action:
Run the command "lcdwarn -c critical" to clear all messages of priority "critical" from the LCD panel.

01100055 : %s

Location:
/var/log/ltm

Conditions:
This string is generated when an administrator uses the command "lcdwarn -p alert MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD panel under priority "alert".

Impact:
The Alert LED on the front panel of the box will be solid red unless a higher priority message is also being displayed.

Recommended Action:
Run 'lcdwarn -c alert' to clear all messages of priority 'alert' from the LCD panel.

01100056 : %s

Location:
/var/log/ltm

Conditions:
This string is generated when an administrator uses the command "lcdwarn -p error MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD panel under priority "error".

Impact:
The Alert LED on the front panel of the box will blink yellow unless a higher priority message is also being displayed.

Recommended Action:
Run 'lcdwarn -c error' to clear all messages of priority 'error' from the LCD panel.

01100057 : %s

Location:
/var/log/ltm

Conditions:
This string is generated when an administrator uses the command "lcdwarn -p warning MESSAGE". In this case, the BIG-IP system logs the string "MESSAGE" and displays "MESSAGE" on the LCD panel under priority "warning".

Impact:
The Alert LED on the front panel of the box will be solid yellow unless a higher priority message is also being displayed.

Recommended Action:
Run 'lcdwarn -c warning' to clear all messages of priority 'warning' from the LCD panel.

01100058 : %s

Location:
/var/log/ltm

Conditions:
An administrator has run the command 'lcdwarn -p info MESSAGE'. MESSAGE is the text string logged and displayed on the LCD panel under priority 'info'.

Impact:
None.

Recommended Action:
Run the command 'lcdwarn -c info' to clear all messages of priority 'info' from the LCD panel.

01100059 : Found db_name %s without value - reset to default %s.

Location:
/var/log/ltm

Conditions:
The user issues the command 'tmsh modify reset-to-default' against sys db variables that are in use by the alertd daemon.

Impact:
None.

Recommended Action:
None.

01100060 : trap string (%s) count (%d) (%s)");

Location:
/var/log/ltm file (debug level)

Conditions:
alertd-level debugging is enabled to test trap suppression and tune some DB variables.

Impact:
The system reports on the trap suppression handling of a message. It reports the OID and the message string being tracked, plus the count of times the strings have been seen within the suppression interval and whether the trap is being suppressed. For debugging only, this enables field support and administrators to decide if the values of their DB variables for trap suppression are correct for their environment.

Recommended Action:
If traps are either not being suppressed when you would like them to be or being suppressed when they don't want them to be, use the data reported in the log messages to adjust the values configured for the DB variables "snmp.BIG-IPtraps.suppress.interval" and "snmp.BIG-IPtraps.suppress.count".

01100061 : clear suppression map (count %d)");

Location:
/var/log/ltm file (debug log level)

Conditions:
alertd-level debugging is enabled to report when the map used to track trap suppression has been cleared.

Impact:
The map is cleared when trap suppression in disabled (that is, the db variable "snmp.bigiptraps.suppression.interval" is set to 0) or when the map has grown to 1K entries.

Recommended Action:
None.

01110001 : Error running %s

Location:
This message will be generated in the LTM log.

Conditions:
These messages will only be generated when configuration is being synchronized between a pair of devices running a version of TMOS prior to 11.0. In 11.0, a new synchronization system was introduced and this message is longer be generated.

Impact:
The sync request fails, and the other device still has the configuration prior to 11.0.

Recommended Action:
Determine why the sync failed. Disk usage on the local or peer device might be a factor, as well as differences in the base configuration on the peer device, which can cause validation errors. Those errors will be found in the peer device's logs.

01110034 : The configuration for running config-sync is incorrect.

Location:
/var/log/ltm

Conditions:
This message is only generated on versions of TMOS prior to 11.0. Any of the following conditions will cause it to be generated:

- The device is not part of a redundant pair (see DB variable failover.isredundant).
- The device does not have a peer IP configured (either configsync.peeripaddr or statemirror.peeripaddr is acceptable).
- This device is unable to reach the other device over iControl SOAP to determine that it is configured as part of a redundant pair.
- This device has the same hostname configured as the other device, or cannot reach the other device to obtain its hostname (see DB variable hostname).

Impact:
Sync is not possible until all of the above conditions are resolved.

Recommended Action:
Inspect the values of the DB variables and check for iControl connectivity between the two devices.

0114001a : HA stale %s pid %d detected.

Location:
/var/log/ltm

Conditions:
When daemons restarted, stale data was detected in the internal HA table.

Impact:
This is an informational message, indicating that stale data was detected and ignored.

Recommended Action:
None.

01140029 : HA %s %s fails action is %s.

Location:
/var/log/ltm

Conditions:
This message occurs when a component detects an HA failure condition, and requests the system to take corrective action.

The first field is the feature type, and the second field is the component name. The list of configured HA features is available through the 'show sys ha-status' command.

Impact:
The impact depends upon what corrective action is configured for the specified component.

Recommended Action:
Correct the issue that caused the component to fail.

0114002a : HA %s %s created.

Location:
/var/log/ltm

Conditions:
The creation of a new HA table entry. The first parameter is the HA table feature name, the second is the component that the feature was created for. The "show sys ha-status" command lists all the current HA Table entries.

Impact:
None. This is a debug-level informational message and is only observed if the component logging level changes from the default to 'debug'.

Recommended Action:
None.

0114002b : HA %s %s enabled.

Location:
/var/log/ltm

Conditions:
An HA Table entry is enabled for failure monitoring. The first parameter is the HA table feature name, the second is the component that the feature was created for. The "show sys ha-status" command lists all the current HA Table entries.

Impact:
None.

Recommended Action:
None.

0114002c : HA %s %s disabled.

Location:
/var/log/ltm

Conditions:
Failure monitoring is disabled for an HA Table entry. The first parameter is the HA table feature name, the second is the component that the feature was created for. The "show sys ha-status" command lists all the current HA table entries.

Impact:
Failure of the designated component will not be detected.

Recommended Action:
None.

01140030 : HA %s %s is now responding

Location:
/var/log/ltm

Conditions:
An HA error condition no longer exists for the specified feature.

Impact:
The system may be able to exit the failure condition required by the HA error condition.

Recommended Action:
None.

01140043 : Ha feature %s reboot requested

Location:
/var/log/ltm

Conditions:
This message is issued when an HA system detects that a reboot should be performed. The most common occurrences are during administrator-requested reboots or a change of boot location:

Ha feature reboot_request_t reboot requested.
Ha feature software_update reboot requested.

Other components may be administratively configured to cause a reboot on failure.

Impact:
The device reboots.

Recommended Action:
If the reboot was unintentional, identify the failing component indicated by the 'feature', and other preceding log message that references this 'feature', and determine why that component failed. If a reboot is not an appropriate action for that component failure, reconfigure it for a different action.

01140044 : HA reports tmm ready

Location:
/var/log/ltm

Conditions:
The TMM is ready to process traffic.

Impact:
It's not an error.

Recommended Action:
None.

01140045 : HA reports tmm NOT ready

Location:
/var/log/ltm

Conditions:
It occurs any time that the tmm starts (or restarts), during the period from startup until when the TMM completes initialization.

Impact:
No traffic is processed until the TMM is ready.

Recommended Action:
Wait for the TMM to become ready.

01140100 : Overdog daemon startup

Location:
/var/log/ltm

Conditions:
The system is starting up and the HA watchdog is now active.

Impact:
The system will now respond to HA error conditions.

Recommended Action:
None.

01140101 : Overdog daemon shutdown

Location:
/var/log/ltm

Conditions:
The system watchdog daemon (overdog) has been shut down, typically because the system is shutting down or rebooting.

Impact:
Watchdog monitoring is no longer active.

Recommended Action:
Wait for the system to finish shutting down.

01140102 : Overdog daemon requests reboot

Location:
/var/log/ltm

Conditions:
The overdog daemon has detected that a subsystem has requested an HA action of "reboot", and is initiating the operation.

Impact:
The system will reboot.

Recommended Action:
None.

01140103 : Watchdog touch enabled with %d seconds

Location:
/var/log/ltm

Conditions:
This message is issued when the system watchdog process (overdog) initiates the hardware watchdog feature.

Impact:
If the system becomes non-responsive, it will automatically reboot.

Recommended Action:
None.

01140104 : Watchdog touch disabled

Location:
/var/log/ltm

Conditions:
This message is issued when the hardware watchdog process (overdog) disarms the hardware watchdog and stops periodic updates. This occurs automatically when the system is already rebooting, or when the administrator disables the hardware watchdog by setting the watchdog.state DB variable to "disable".

Impact:
The hardware watchdog will not automatically reboot the system.

Recommended Action:
Enable the watchdog function by setting the watchdog.state DB variable to "enable".

01140106 : Overdog daemon calling bigstart restart

Location:
/var/log/ltm
console

Conditions:
An HA Table failover action that specifies 'restart-all' has been triggered.

Impact:
All traffic groups will fail over to a peer device, and all local services are restarted.

Recommended Action:
None.

01150216 : Notice from %s: %s

Location:
/var/log/gtm

Conditions:
This is a generic logging message for the daemon "named" that occurs when the daemon checks if the current config file or current zone file is valid, and encounters an unknown error.

Impact:
Any recent changes to the named or zone file configuration will not take effect.

Recommended Action:
Use any information presented in the message to determine what action, if any, is required. This message could indicate an error in the named config or zone files, located in the directory "/var/named/config".

01150515 : Processing Resource Record (%s:%s) failed due to error '%s'.

Location:
/var/log/gtm

Conditions:
A DNS record contains a malformed RDATA field.

Impact:
The validation fails and the DNS record is not created or parsed.

Recommended Action:
Ensure that the RDATA field is not malformed.

01150a51 : %s/%s change detected %s.

Location:
In /var/log/gtm

Conditions:
This is a debug message to indicate when the named.conf file has been changed.

Impact:
None. This is an informational message.

Recommended Action:
None.

01150a52 : Sync Zones Parameters: Ciphers = %s, Use expired CRL = %s, Use Not Yet Active CRL = %s, Use Revoked Certificates = %s, Validation Depth = %s

Location:
This is a DEBUG level log message, shown when DNS zones are being synchronized in /var/log/gtm.

Conditions:
When log level is set to debug, and the DNS zones are being synchronized.

The log message contains the following information:

Ciphers: Cipher list supported
Use expired CRL: Whether to use expired CRL (Yes/No)
Use Not Yet Active CRL: Whether to use not yet active CRL (Yes/No)
Use Revoked Certificates: Whether to use revoked certificates (Never/Always)
Validation Depth: CRL validation depth (Device/Full)

Impact:
The log message shows the CRL (Certificate Revocation List) parameters used when zones are being synchronized. It is useful for debug purposes when DNS zones fail to synchronize.

Recommended Action:
None

01150d03 : Attempting to %s loopback address %s

Location:
/var/log/gtm

Conditions:
A new IP address is being created on the tmm loopback address.

Impact:
None.

Recommended Action:
None.

01151500 : NamedWatcher: Error encountered during initialization of named configuration monitor: %s.

Location:
/var/log/gtm

Conditions:
An error has occurred during the setup of named configuration file monitoring.

Impact:
Named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.

01151501 : NamedWatcher: Watching cur stat for dir:%s ts:%ld inode:%llu with id:%d.

Location:
/var/log/gtm

Conditions:
This message occurs during normal, successful monitoring of the named configuration.

Impact:
None. This is an information message only.

Recommended Action:
None.

01151502 : NamedWatcher: Error %s setting up watch for dir:%s.

Location:
/var/log/gtm

Conditions:
An error has occurred during the setup of the named configuration file monitoring.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.

01151503 : NamedWatcher: Unexpected EOF %s from named configuration monitor file descriptor.

Location:
/var/log/gtm

Conditions:
An error has occured reading notification information for the named configuration file. monitor.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.

01151504 : NamedWatcher: Error %s reading from named configuration monitor file descriptor.

Location:
/var/log/gtm

Conditions:
An error has occurred while reading notification information.

Impact:
A change to the named configuration might not have generated a proper notification. The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.

01151505 : NamedWatcher: Expected at least %d bytes, only %d bytes are available.

Location:
/var/log/gtm

Conditions:
A notification was not the proper length.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.

01151506 : NamedWatcher: Kernel monitor overflow %s.

Location:
/var/log/gtm

Conditions:
A kernel notification buffer has overflowed. The kernel error occurred while processing the named configuration file monitoring.

Impact:
The named configuration monitoring might not be set up correctly, and changes to named.conf might not be synced.

Recommended Action:
None.

01151507 : NamedWatcher: %s monitor wd:%d len:%d events:%s dir:'%s' name:'%s'.

Location:
/var/log/gtm

Conditions:
This is an informational debug message only.

Impact:
None.

Recommended Action:
None.

01151508 : NamedWatcher: Read ignored event.

Location:
/var/log/gtm

Conditions:
This is a debug message only.

Impact:
None.

Recommended Action:
None.

0115150a : NamedWatcher: %s stat for %s ts:%ld inode:%llu.

Location:
/var/log/gtm

Conditions:
During notification processing, this debug message is generated for each file being monitored.

Impact:
None.

Recommended Action:
None.

0115150b : NamedWatcher: stat for '%s' failed:%s.

Location:
/var/log/gtm

Conditions:
A user has attempted to get status information for a file that has already been deleted.

Impact:
This is ignored because the file is no longer present.

Recommended Action:
None.

0115150c : NamedWatcher: Skipping event %s (len:%d) for '%s' because it contains the %s.

Location:
/var/log/gtm

Conditions:
During normal named configuration monitoring operations, certain changes to certain files are deliberately ignored.

Impact:
None.

Recommended Action:
None.

0115150d : NamedWatcher: Deleting watch for dir:%s with id:%d.

Location:
/var/log/gtm

Conditions:
During normal operations, zonerunner will stop the monitoring
of the named configuration files for certain operations. This message has occurred because a monitor has been deleted.

Impact:
None.

Recommended Action:
None.

0115150f : NamedWatcher: Watch added for dir %s with ts:%ld with id:%d

Location:
/var/log/gtm

Conditions:
This is a debug message used to indicate when ZoneRunner starts watching a directory (typically /var/named/config) for changes.

Impact:
None. This is an informational message.

Recommended Action:
None.

01151510 : NamedWatcher: Watch added for file:%s in dir:%s with ts:%ld, inode:%llu.

Location:
/var/log/gtm

Conditions:
A debug message logged when ZoneRunner starts watching a particular file.

Impact:
None. This is an informational message.

Recommended Action:
None.

01151511 : NamedWatcher: Watch removed for file %s in dir %s.

Location:
/var/log/gtm

Conditions:
A debug messaged logged when ZoneRunner is no longer watching a file (usually named.conf).

Impact:
None. This is an informational message.

Recommended Action:
None.

01151512 : NamedWatcher: Watch removed for dir %s.

Location:
/var/log/gtm

Conditions:
A debug message logged when ZoneRunner is no longer watching a directory (/var/named/config).

Impact:
None. This is an informational message.

Recommended Action:
None.

01151513 : NamedWatcher: Read event for dir:'%s'.

Location:
/var/log/gtm

Conditions:
A user attempted to get read notification for a file that has already been deleted.

Impact:
This is ignored because the file is no longer present.

Recommended Action:
None.

01151513 : NamedWatcher: Watch already exists for dir %s.

Location:
/var/log/gtm

Conditions:
A debug message logged when ZoneRunner requests to watch a file that is already on the watch list.

Impact:
None. This is an informational message.

Recommended Action:
None.

01151514 : NamedWatcher: Watch already exists for file:%s in dir:%s.

Location:
/var/log/gtm

Conditions:
A debug message logged when ZoneRunner requests to watch a file that is already on the watch list.

Impact:
None. This is an informational message.

Recommended Action:
None.

01151515 : NamedWatcher: Dont care about event wd:%d events:%s name:'%s'.

Location:
/var/log/gtm

Conditions:
During normal named configuration monitoring operations,
certain events are deliberately ignored.

Impact:
None.

Recommended Action:
None.

01151515 : NamedWatcher: Error %s setting up watch for dir:%s.

Location:
/var/log/gtm

Conditions:
This logs a system error encountered when ZoneRunner is unable to watch a directory.
Possible conditions:
Out of memory

Impact:
ZoneRunner is unable to monitor directories for changes, which may cause zone syncing to fail. Temporary loss of ability to manage Zones and Records.

Recommended Action:
Restart ZoneRunner.

01151516 : NamedWatcher: No matching watch for dir:%s with id:%d.

Location:
/var/log/gtm

Conditions:
A debug message logged when ZoneRunner receives a change notification for a directory that no longer exists.

This can theoretically happen if event notifications are backlogged by the kernel and zonerunner gets a notification of a change, but the directory has already been deleted.

Impact:
None. The message indicates that a directory was deleted and we can no longer watch it.

Recommended Action:
None.

01151517 : NamedWatcher: No matching event type:%s for file:%s in dir:%s with id:%d.

Location:
/var/log/gtm

Conditions:
A debug message logged when ZoneRunner receives a change notification for a file that no longer exists.

This can theoretically happen if event notifications are backlogged by the kernel and ZoneRunner gets a notification of a change, but the file has already been deleted.

Impact:
None. The message indicates that a file was deleted and we can no longer watch it.

Recommended Action:
None.

01151518 : NamedWatcher: event->len == %d.

Location:
/var/log/gtm

Conditions:
This is a debug message used to log how many bytes were read from the kernel during a notification.

Impact:
None. This is an informational message.

Recommended Action:
None.

01151519 : NamedWatcher: Initializing...

Location:
/var/log/gtm

Conditions:
A debug message logged when Zonerunner initializes the file/directory watching component during ZoneRunner start up.

Impact:
None. This is an informational message.

Recommended Action:
None.

01160004 : LACPD reporting error conditions

Location:
/var/log/ltm

Conditions:
LACPD system encountered an unexpected I/O error when communicating with configuration delivery system (MCPD).

Impact:
No link aggregation functionality.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings and try to correlate the LACPD messaging error with MCPD errors.

01160005 : LACPD reporting internal error conditions

Location:
/var/log/ltm

Conditions:
LACPD system encountered an unexpected error within the BIG-IP system, when transmitting PDUs to the Broadcom switch daemon (bcm56xxd) or requesting PDUs from bcm56xxd via HAL messaging.

Impact:
Degraded or no link aggregation functionality.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings, and try to correlate the LACPD messaging error with bcm56xxd errors.
Issue "tmsh show sys service bcm56xxd" and "tmsh show sys service lacpd", and verify the status of the services.

01160009 : LACPD reporting a link being added to aggregation

Location:
/var/log/ltm

Conditions:
A link was added to aggregation.

Impact:
The user configuration changed to add a new port to the LACP trunk. This message is informational only.

Recommended Action:
None.

01160010 : LACPD reporting a link being removed from aggregation

Location:
/var/log/ltm

Conditions:
A link was removed from aggregation.

Impact:
The user configuration changed to remove the port from the LACP trunk. This message is informational only.

Recommended Action:
None.

01160011 : LACPD reporting a churn condition

Location:
/var/log/ltm

Conditions:
LACP detects an operable port, but the Actor has not attached the link to an Aggregator and brought the link into operation within a bound time period. Continued failure to reach agreement can be symptomatic of device failure.

Impact:
The churn condition is informational.

Recommended Action:
Inspect the /var/log/ltm file for additional LACP errors and warnings.
Inspect the LACP configuration of the devices.

01160012 : LACPD reporting a churn condition

Location:
/var/log/ltm

Conditions:
LACP detects an operable port, but the Partner has not attached the link to an Aggregator and brought the link into operation within a bound time period. Continued failure to reach agreement can be symptomatic of device failure.

Impact:
The churn condition is informational.

Recommended Action:
Inspect the /var/log/ltm file for additional LACP errors and warnings.
Inspect the LACP configuration of the devices.

01160016 : LACP reporting an internal condition as informational message

Location:
/var/log/ltm

Conditions:
Internal LACP system has encountered an unexpected condition. Conditions can vary and be caused by but not limited to:
- Linux socket errors, which may be temporary in nature
- Device misconfiguration

Impact:
Varies considerably with specific message. It may indicate a configuration error somewhere else in the system.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings and try to correlate the LACP messaging with another system that may be misconfigured or malfunctioning.

01160017 : Internal Link %s is AVAILABLE.

Location:
/var/log/ltm

Conditions:
When an internal trunk's member interface is up. This should only happen on a BIG-IP version 9.0 platform (3400, 6400, 6800, 8400, or 8800).

Impact:
This is an Information only message, and not an error message. It is logged at INFO level.

Recommended Action:
None.

01160018 : Internal Link %s is UNAVAILABLE.

Location:
/var/log/ltm

Conditions:
When an internal link for an internal trunk goes down. This only applies to BIG-IP version 9.0 platforms (3400, 6400, 6800, 8400 and 8800) and should only happen when tmm or bcm56xxd goes down or is restarted.

Impact:
This is an information message on an internal link status.

Recommended Action:
None.

01160024 : %s

Location:
/var/log/ltm

Conditions:
Sample messages: warning: no receive on 0.1 for 15s (timeout=30s)
                 warning: no receive on 4.3 for 30s (timeout=60s)

This warns when the timeout reaches the halfway point for early diagnosis of potential LACPd issues when monitoring customer trunks.

Impact:
None.

Recommended Action:
Check /var/log/ltm to see if there are any other log messages that can explain lacpd issues.
Investigate lacpd statistics.

01170003 : halGetDossier returned error (%d): Dossier generation failed.

Location:
/var/log/ltm/, console

Conditions:
This error occurs whenever dossier fields like the MAC address, unique device ID (AOM ID) is empty. These fields can be empty if there is a manufacturing error, or if BMC (in case of BIG-IP iseries) or LOP (in case of BIG-IP 4000-series, 5000-series, 7000-series, 10000-series) is not responsive. The details as to which dossier field is unavailable can be seen in /var/log/ltm.

For example. in /var/log/ltm:
err chmand[837]: 012a0003:3: getAomDeviceId error: No AOM id found ...
err chmand[837]: 012a0003:3: DossierReq exception: BmcDev: getAomDeviceIdIpmiCmdDev: f5OEMCmd: command 115 (cc=193) Invalid Command

warning get_dossier[8502]: 012a0004:4: hal_request_dossier: request failed
err get_dossier[8502]: 01170003:3: halGetDossier returned error (1): Dossier generation failed.

Impact:
Without a valid dossier, one cannot license a BIG-IP system. Every time a dossier request is sent, this error will be displayed on the console and logged in /var/log/ltm.

Recommended Action:
None. Contact F5 support.

01170005 : %s stat fails: %s.

Location:
/var/log/ltm

Conditions:
The F5_API_COM interface is trying to extract information about the current version from the /VERSION file, the /proc/version file, or the Certificate-Request (CSR) file, but at least one of these files missing. (The certificate request file is usually a temporary file created in /config/ssl/ssl.csr with the file name f5-api-com.csr_<random_number>.)

Impact:
The API call fails because the required information cannot be obtained, and therefore the program fails. This error is not expected to happen and is intended to be a safeguard.

Recommended Action:
No fix is available from the API itself. Diagnose the BIG-IP system to determine the reason for the missing file.

01170012 : Unsupported argument (-%c).

Location:
/var/log/ltm

Conditions:
A user provides an unsupported argument when using the get_dossier application. The erroneous execution also provides the list of supported arguments in its output.

Impact:
get_dossier application fails to generate the dossier.

Recommended Action:
Provide arguments that are supported by the get_dossier application.

01170019 : Detected Registration Key-Less dossier generation for CSP.

Location:
/var/log/ltm

Conditions:
The BIG-IP system is licensing with an Hourly Billing license in a cloud environment supported by BIG-IP VE.

Impact:
Not an indicator of any kind of error with dossier generation or licensing.

Recommended Action:
None.

01170020 : Option -%c requires an argument.

Location:
/var/log/ltm

Conditions:
Some command-line options in get_dossier also require an argument value.

Impact:
get_dossier application fails to generate the dossier.

Recommended Action:
Must provide an argument value for get_dossier command line options that require a value.

01170021 : Invalid value (%s) passed for option (-%c).

Location:
/var/log/ltm

Conditions:
When using get_dossier, an invalid value for a command line option.

Impact:
get_dossier application fails to generate the dossier.

Recommended Action:
Provide correct values for command line options that are supported by the get_dossier application.

01180005 : Evaluation license has expired.

Location:

Conditions:
An Evaluation license has expired.

Impact:
None.

Recommended Action:
None.

01180010 : [license processing][error]: %s

Location:
/var/log/ltm

The contents of /var/log/ltm can be viewed in the GUI under System > Logs > Local Traffic.

Conditions:
This group of messages includes messages that are generated internally by the license parsing code. They include three general cases:
1) The license file contains errors
2) The parsing code contains errors
3) mcpd's license load/validation code contains errors

The probable cause for this message is an error in copying the license file, for example, introduced during a manual license installation.

Impact:
The BIG-IP system does not function until it can successfully parse and evaluate the installed license file.

Recommended Action:
Re-license the box. If re-licensing does not solve the problem, contact F5 Support.

01180017 : Subscription license has expired.

Location:
/var/log/ltm

Conditions:
A subscription-based license has expired.

Impact:
BIG-IP functionality and traffic processing is disabled.

Recommended Action:
Renew the license.

01190003 : arp_input: packet too short (%lu/%lu)

Location:
/var/log/ltm

Conditions:
The received ARP packet is invalid because the packet is too short.

Impact:
The packet will be dropped.

Recommended Action:
None.

01190004 : address conflict detected for %a (%m) on vlan %d

Location:
/var/log/ltm

Conditions:
Another node on the network issued a gratuitous ARP for an address configured on the BIG-IP device.

Impact:
An interruption for traffic using that IP is likely.

Recommended Action:
Assign a different IP address to the other node. The MAC address logged in the message can be used to identify the node.

01190007 : Neighbor update, route lookup failed, address = %la%%%u

Location:
/var/log/ltm

Conditions:
Creating a static ARP entry in which there is no route associated with that IP address.

Impact:
A static ARP entry becomes bogus in TMM, although it is still shown in the MCP database.

Recommended Action:
Before creating a static ARP entry, make sure that there is a route associated with the IP address of the static ARP entry.

01190008 : Neighbor update, route is not link type, address = %la%%%u

Location:
/var/log/ltm

Conditions:
Creating a static ARP entry in which the route associated with that IP address is not a link (interface) route.

Impact:
A static ARP entry becomes bogus in TMM, although it is still shown in the MCP database.

Recommended Action:
Before creating a static ARP entry, make sure that there is a link (interface) route associated with the IP address of the static ARP entry.

01190009 : Neighbor update failed, err = %E, address = %la%%%u, ifc name = %s

Location:
/var/log/ltm

Conditions:
Internal TMM error (e.g., out of memory) when creating a static ARP entry.

Impact:
A static ARP entry becomes irrelevant in TMM, although it is still shown in the MCP database.

Recommended Action:
Delete a static ARP entry and re-create it again.

01190010 : Neighbor delete failed, err = %E, address = %la%%%u

Location:
/var/log/ltm

Conditions:
When trying to delete an non-existing static ARP entry in TMM.

Impact:
No static ARP entry is deleted in TMM.

Recommended Action:
None.

011a0011 : SYNC Possible conflicting config changes between %s (%s) and %s (me), both at timestamp %llu. Config changes ignored.

Location:
/var/log/gtm

Conditions:
Timestamp on two config files is the same.

Impact:
Configuration change is not applied.

Recommended Action:
None. This is an informational message.

011a0060 : Compression Stream failure: %s

Location:
/var/log/gtm

Conditions:
The system is out of memory. If this happens, the problem is probably elsewhere.

Impact:
The system is unable to monitor other GTM systems.

Recommended Action:
Use "top -a' or 'ps v | sort -k 8 -g -r | head" to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug. Note that a restart could cause a temporary service outage.

011a0061 : License is not operational

Location:

Conditions:

Impact:

Recommended Action:

011a0300 : There was an error trying to send a DNSSEC Key Generation %s msg to MCP

Location:
/var/log/gtm

Conditions:
An existing DNSSEC Key Generation is due to rollover or expire, but gtmd encountered an issue sending the update message to mcpd.

Impact:
The existing DNSSEC Key Generation is not rolled-over and/or expired.

Recommended Action:
None.

011a0300 : There was an error trying to send a DNSSEC Key Generation %s msg to MCP

Location:
/var/log/gtm

Conditions:
An existing DNSSEC Key Generation is due to roll over or expire but gtmd encountered an issue sending the update message to mcpd.

Impact:
The existing DNSSEC Key Generation is not rolled over and/or expired.

Recommended Action:
None.

011a0302 : %s : %llu.

Location:
/var/log/gtm

Conditions:
This is a developer debug log option.

Impact:
None. The message does not appear in customer scenarios.

Recommended Action:
None.

011a0302 : There was an error trying to send a DNSSEC Zone SOA serial modify msg to MCP

Location:
/var/log/gtm

Conditions:
There is a DNSSEC Zone configured that has processed a zone transfer at some point. Then gtmd experiences an error trying to message mcp about updating a DNSSEC Zone serial number.

Impact:
DNSSEC Zone serial number might not be updated in the mcpd database.

Recommended Action:
None.

011a0305 : DNSSEC Zone %s cannot process a partial SOA serial update message

Location:
/var/log/gtm

Conditions:
TMM sent a request for a partial serial update.

Impact:
No serial update is for the given DNSSEC zone.

Recommended Action:
None.

011a0306 : Encountered error %s while trying to set a DNSSEC Key Generation event timer

Location:
/var/log/gtm

Conditions:
The user has configured automatic rolling DNSSEC Keys and there was a problem setting up a timer to roll and/or expire a DNSSEC key generation.

Impact:
A DNSSEC key might not be rolled and/or expired as reported in the configuration.

Recommended Action:
None.

011a0307 : Processing %s Event for DNSSEC Key %s, ID %llu

Location:
/var/log/gtm

Conditions:
A DNSSEC Key Generation event is about to be processed.

Impact:
None. This is informative debug output only and does not represent an issue.

Recommended Action:
None.

011a0308 : Unable to determine GTM local id, must skip processing DNSSEC Key Generation events

Location:
/var/log/gtm

Conditions:
The GTM local ID cannot be determined for the purposes of DNSSEC Key Generation event processing (list sys db gtm.peerinfolocalid == -1).

Impact:
No DNSSEC Key Generation events are processed by this BIG-IP GTM system.

Recommended Action:
None.

011a0309 : DNSSEC DEBUG: %s.

Location:
/var/log/gtm

Conditions:
Debug message for development and debugging purposes.

Impact:
None.

Recommended Action:
None.

011a0309 : Failed to create new DNSSEC Key Generation %s:%llu due to %s.

Location:
/var/log/gtm

Conditions:
GTM failed to generate the new DNSSEC Key Generation.

Impact:
GTM will re-try to create the DNSSEC Key Generation, but if failure persists, GTMD will not be able to create the new DNSSEC Key Generation. If the DNSSEC Key does not have other generations, TMM will not be able to sign DNSSEC responses with that key.

Recommended Action:
Check logs to identify the reason of the creation failure. When the root cause fixed, try to re-create the DNSSEC Key.

011a030a : Failed to import DNSSEC Key Generation %s:%llu due to %s.

Location:
/var/log/gtm

Conditions:
GTM failed to import the DNSSEC Key Generation to the FIPS card.

Impact:
BIG-IP will not be able to sign responses with the DNSSEC Key Generation.

Recommended Action:
Check logs to identify reason of the import failure. When the root cause fixed, try to re-create the DNSSEC Key on the primary GTM.

011a030b : Failed to delete DNSSEC Key Generation with handle: %s due to %s.

Location:
/var/log/gtm

Conditions:
GTM is not able to delete the DNSSEC Key Generation from the FIPS or Thales HSM.

Impact:
DNSSEC Key Generation will be removed anyway, but the key will persist on the HSM.

Recommended Action:
Remove the key from the HSM manually.

011a030c : Postponing expiration of DNSSEC Key Generation %s:%llu as the next generation not created yet.

Location:
/var/log/gtm

Conditions:
DNSSEC Key Generation is about to expire, but it is the last generation of the key, and the new generation is in progress.

Impact:
GTM will try to expire the DNSSEC Key Generation in one second.

Recommended Action:
None.

011a030d : Canceling expiration of the latest DNSSEC Key Generation %s:%llu, resetting events of the Key.

Location:
/var/log/gtm

Conditions:
DNSSEC Key Generation is about to expire, but it is the last generation of the key. The issue most likely is caused as a result of a failure to create a new generation.

Impact:
The expiration will be canceled, and GTM will try to create a new generation in the rollover period of the key.

Recommended Action:
The issue most likely is caused as a result of failure to create a new generation. Check logs to identify a reason of the failure.

011a030e : Action execution of DNSSEC Key Generation %s:%llu takes too long, canceling the action.

Location:
/var/log/gtm

Conditions:
It takes too long to execute one of the actions against DNSSEC Key Generation: create, import to the FIPS card, or delete from the HSM device (FIPS or Thales).

Impact:
GTM will try to execute the action again.

Recommended Action:
None.

011a030f : Action of DNSSEC Key Generation %s:%llu failed or canceled, re-runing the action.

Location:
/var/log/gtm

Conditions:
GTM failed to perform one of the actions against DNSSEC Key Generation: create, import to the FIPS card, or delete from the HSM device (FIPS or Thales).

Impact:
GTM will try to execute the action again.

Recommended Action:
Check logs to identify and address the reason for the failure.

011a0310 : Action of DNSSEC Key Generation %s:%llu failed or canceled, all attempts are exhausted.

Location:
/var/log/gtm

Conditions:
GTM failed (a number of times) to perform one of the actions against DNSSEC Key Generation: create, import to the FIPS card, or delete from the HSM device (FIPS or Thales).

Impact:
The DNSSEC Key Generation will not be created, imported to the FIPS card, or deleted from the HSM device.

Recommended Action:
Check logs to identify and addres the reason for the failure.

011a0311 : Failed to join worker-thread of DNSSEC Key Generation.

Location:
/var/log/gtm

Conditions:
The main process of GTM failed to join the designated worker-thread.

Impact:
GTM may have some data for the thread that is not cleaned up completely. No real functional impact.

Recommended Action:
None.

011a0312 : Failed to initiate session with FIPS card.

Location:
/var/log/gtm

Conditions:
GTMD is not able to initiate a session with the FIPS card.

Impact:
GTMD will not able to communicate with the FIPS card to: create/import/delete keys.

Recommended Action:
Make sure that FIPS card is configured properly; re-initialize the FIPS card if needed:
> fipsutil reset
> fipsutil init

011a0313 : Key size %u is not suported by FIPS card.

Location:
/var/log/gtm

Conditions:
FIPS card failed to generate the RSA pair for DNSSEC Key Generation due to invalid key bitwidth.

Impact:
GTMD will not be able to create new DNSSEC Key Generation.

Recommended Action:
Try to re-create the DNSSEC Key using a valid bitwidth for the FIPS card.

011a0314 : FIPS card failed to generate RSA pair for DNSSEC Key Generation.

Location:
/var/log/gtm

Conditions:
FIPS card failed to generate the RSA pair for DNSSEC Key Generation.

Impact:
GTMD will not be able to create the new DNSSEC Key Generation. If the DNSSEC Key does not have other generations, TMM will not be able to sign DNSSEC responses with that key.

Recommended Action:
Make sure that FIPS card is configured properly; re-initialize the FIPS card if needed:
> fipsutil reset
> fipsutil init

011a0315 : FIPS card failed to delete private part of DNSSEC Key Generation.

Location:
/var/log/gtm

Conditions:
GTMD is not able to delete the key from the FIPS card.

Impact:
The key is not removed from the FIPS card, but the corresponding DNSSEC Key Generation is removed from the BIG-IP system anyway. There is no impact if the key did not exist on the FIPS card.

Recommended Action:
Remove the key manually.

1. Find the name of the key:
  tmsh show sys crypto fips key
2. Remove it:
  tmsh delete sys crypto fips key <KEY_NAME>

011a0316 : FIPS card failed to import private part of DNSSEC Key Generation.

Location:
/var/log/gtm

Conditions:
GTMD is not able to import the key to the FIPS card on a secondary peer of the GTM sync group.

Impact:
TMM (on a secondary peer of the GTM sync group) will not be able to sign DNSSEC responses by that key.

Recommended Action:
Make sure that key exists on a FIPS card on the primary peer of the GTM sync group.

011a0317 : Failed to %s PEM file %s for FIPS card.

Location:
/var/log/gtm

Conditions:
The FIPS card failed to generate the RSA pair for DNSSEC Key Generation due to an open or read issue with file of the public key under the /config/ssl/ssl.cavfips directory.

Impact:
GTMD will not be able to create new DNSSEC Key Generation.

Recommended Action:
None.

011a0318 : Failed to rename file %s to %s for FIPS card.

Location:
/var/log/gtm

Conditions:
GTMD could not rename the file created by FIPS card using the public text of the key.

Impact:
DNSSEC Key Generation will be created anyway, but GTMD and FIPS will refer to the key by a different name. The impact should not be noticeable.

Recommended Action:
None.

011a0319 : Failed to initiate session with Thales.

Location:
/var/log/gtm

Conditions:
GTMD is not able to initiate the session with the Thales net HSM device.

Impact:
GTMD will not able to communicate with Thales net HSM device to: create/delete key.

Recommended Action:
Make sure that Thales net HSM device is configured properly.

011a031a : Key size %u is not suported by Thales.

Location:
/var/log/gtm

Conditions:
Thales net HSM device failed to generate the RSA pair for DNSSEC Key Generation due to invalid key bitwidth.

Impact:
GTMD will not be able to create new DNSSEC Key Generation.

Recommended Action:
Try to re-create the DNSSEC Key using a valid bitwidth for the Thales net HSM device.

011a031b : Thales failed to generate RSA pair for DNSSEC Key Generation.

Location:
/var/log/gtm

Conditions:
Thales net HSM device failed to generate the RSA pair for DNSSEC Key Generation.

Impact:
GTMD will not be able to create new DNSSEC Key Generation. If the DNSSEC Key does not have other generations, TMM will not be able to sign DNSSEC responses with that key.

Recommended Action:
Make sure that Thales net HSM device is configured properly.

011a031c : Failed to get %s key from Thales after RSA pair generation.

Location:
/var/log/gtm

Conditions:
GTMD cannot get private or public text of the key from the Thales net HSM device.

Impact:
GTMD will not be able to create new DNSSEC Key Generation.

Recommended Action:
None.

011a031d : Thales failed to delete private part of DNSSEC Key Generation: %s.

Location:
/var/log/gtm

Conditions:
GTMD is not able to delete the key from the Thales net HSM device.

Impact:
The key is not removed from the Thales net HSM device, but the corresponding DNSSEC Key Generation is removed from the BIG-IP system anyway.

Recommended Action:
Remove the key manually.

1. Find the name of the key:
  nfkminfo -l
3. Remove it from the /shared/nfast/kmdata/local directory locally and from RFS.

011a031e : Failed to re-encrypt DNSSEC Key Generation %s:%llu.

Location:
/var/log/gtm

Conditions:
Failed to re-encrypt the private text of the DNSSEC Key Generation in the config file after a master key change on the BIG-IP system.

Impact:
GTM config may not be loaded on the next attempt.

Recommended Action:
1. Remove the DNSSEC Key Generation completely in bigip_gtm.conf.
2. Reload the config to let GTM generate it from scratch.

011a031f : DNSSEC Key Generation %s:%llu created: %s and %s.

Location:
/var/log/gtm

Conditions:
New DNSSEC Key Generation was created; the log contains information indicating which HSM was used for creation and which peer initiated that.

Impact:
This is an informational message that has no functional impact.

Recommended Action:
None.

011a0320 : DNSSEC Key Generation %s:%llu imported to local FIPS card under identifier: %s.

Location:
/var/log/gtm

Conditions:
DNSSEC Key Generation was imported to the FIPS card under the identifier specified.

Impact:
This is an informational message that has no functional impact.

Recommended Action:
None.

011a0321 : DNSSEC Key Generation %s:%llu removed: expired or removed from config.

Location:
/var/log/gtm

Conditions:
DNSSEC Key Generation was removed due to expiration or because it was removed from the config.

Impact:
This is an informational message that has no functional impact.

Recommended Action:
None.

011a0322 : DNSSEC Key Generation %s:%llu expired.

Location:
/var/log/gtm

Conditions:
The specified DNSSEC Key Generation has expired.

Impact:
This is an informational message that has no functional impact.

Recommended Action:
None.

011a500f : %s (%s) identified as self, %s

Location:
/var/log/gtm

Conditions:
The gtmd daemon has determined that a configured GTM device or server represents the local device. This determination is made by matching any of the local self IP addresses to any IP address (including translated addresses) of the configured GTM servers/devices.

Impact:
The local gtmd instance considers the indicated device to be the local system, and makes specialized decisions in relation to that configured device (the instance does not attempt to form an iQuery connection with that device, etc.).

Recommended Action:
If the indicated device is not the one intended to match with the local system, then verify that the IP address configuration of that device is correct ("tmsh list gtm server <server_name> devices") and that the local self-IP addresses are properly configured.

If both of these fields are correctly specified and the system is still making an incorrect determination, then the command "tmsh modify sys db gtm.self value <correct_self_device_name>" can force the local system to recognize the named device as the local system. Note that the name of the device and the configured gtm.self value must match exactly, character for character. If a matching device for this field is not found, the system falls back to attempting to use the IP address; the logged message should indicate how gtmd made its determination.

011a5010 : Unable to identify which gtm server represents the local device

Location:
/var/log/gtm

Conditions:
The gtmd daemon has attempted to identify which of the configured GTM devices or servers represents the local machine and was unable to make a determination. This determination is made by matching any of the configured self IP addresses of the local device to any of the IP addresses (including translated addresses) of the configured GTM servers/devices.

Impact:
If the local machine is not able to establish which server is itself, it might be unable to establish an iQuery connection with the other GTM servers, which affects GTM config synchronization, GTM monitoring, and several other functions.

Recommended Action:
Verify that a GTM device that matches the local system is configured ("tmsh list gtm server all devices"); the GTM device should include at least one of the local system's self IP addresses.

011a6006 : SNMP_TRAP: VS %s (ip:port=%s) (Server %s) state change %s --> %s (%s)

Location:
/var/log/gtm

Conditions:
This occurs when gtmd sends a monitor probe, but does not receive a response from big3d.

Impact:
This state change message might represent a number of conditions: network delays, incorrect monitor configuration, and other situations that might cause a timeout.

Recommended Action:
You can find more information in K52381445: DNS monitor state showing "no reply from big3d: timed out" :: https://support.f5.com/csp/article/K52381445 and K15408: Troubleshooting BIG-IP DNS monitors :: https://support.f5.com/csp/article/K15408 .

011ad103 : BoxIP was NULL

Location:
gtm logs are reported in /var/log/gtm

Conditions:
This is a debug message printed when gtmd has attempted to find the ip address of a particular connection but found that it was NULL. This by itself does not indicate an error state and is meant to provide additional context on other issues observed on the system.

Impact:
This gtm instance will not be able to receive messages over that connection from other gtmd instances or from big3d.

Recommended Action:
It is advised to disable debug logging in gtmd if it is not required for informational purposes. This can be done via "tmsh modify sys db log.gtm.level value [desired_logging_level]"

011ae045 : XML Buffer size (%lu bytes) exceeded when attempting to send %s.

Location:
/var/log/gtm

Conditions:
The buffer exceeded 64k when a replacement iQuery connection attempt was made.

Impact:
The replacement connection continues. However, the server side of the connection (big3d) will not fully implement the "replacement" protocol. This is highly unlikely because the contents of the connection attempt buffer should never approach the limit, but the error serves as a safety check.

Recommended Action:
None.

011ae050 : SSL Context set to use cipher list '%s'\n

Location:
/var/log/gtm

Conditions:
The SSL Cipher List is set or changed on a global GTM SSL Context.

Impact:
No impact. This message is informational only.

Recommended Action:
None.

011ae051 : SSL Context set to use minimum TLS version '%s'\n

Location:
/var/log/gtm

Conditions:
The Minimum TLS Version has been set or changed on global GTMD SSL Context.

Impact:
No impact. This message is informational only.

Recommended Action:
None.

011ae052 : Using Server specific(%s) cipher list '%s'\n

Location:
/var/log/gtm

Conditions:
A GTM Server specific cipher list has been used on an iquery connection, instead of the global GTM cipher list specified in GTM globals.

Impact:
None. This message is informational only.

Recommended Action:
None.

011ae053 : Using Server specific(%s) minimum TLS version '%s'\n

Location:
/var/log/gtm

Conditions:
A GTM Server specific minimum TLS version has been set on an iquery connection instead of the value in the GTM Globals.

Impact:
None.

Recommended Action:
None.

011ae054 : New key or certificate file detected, attempting to create new SSL Context.

Location:
/var/log/gtm

Conditions:
A new key or certificate file has been placed on the BIG-IP system.

Impact:
gtmd will use the key or certificate file to create a new SSL context for new connections. This is an informational message only.

Recommended Action:
None.

011ae055 : Creating replacement iQuery connection on all servers.

Location:
/var/log/gtm

Conditions:
A user has requested that all existing iQuery connections be reconnected (that is, replaced) after changing SSL cipher list or minimum TLS version.

Impact:
None. This message is informational only.

Recommended Action:
None.

011ae056 : Creating replacement iQuery connection to server %s.

Location:
/var/log/gtm

Conditions:
A GTM Server's iquery connections have been replaced after a user request.

Impact:
None. This message is informational only.

Recommended Action:
None.

011ae057 : Creating replacement iQuery connection to ip %s.

Location:
/var/log/gtm

Conditions:
A specific iQuery connection has been reconnected/replaced because of a user request.

Impact:
None.

Recommended Action:
None.

011ae058 : iQuery connection ID:%d to Remote IP:%s replaced with connection ID:%d.

Location:
/var/log/gtm

Conditions:
An iQuery connection has been replaced/reconnected, indicating the IP Address, the old connection ID, and the new connection ID.

Impact:
None. This message is informational only.

Recommended Action:
None.

011ae059 : The specified TLS version (%s) is not a valid selection, SSL CTX not changed.

Location:
/var/log/gtm

Conditions:
The Minimum TLS Version is not a valid value.

Impact:
The desired value is not set, and the previous setting is used.

Recommended Action:
Use iqtest or openssl to test for valid values, and change the setting as appropriate.

011ae05a : The specified TLS version (%s) is not a valid selection.

Location:
/var/log/gtm

Conditions:
A user has entered a Minimum TLS Version that is invalid. The previous value is retained.

Impact:
None. The previous value continues to be used. However, if the value is not corrected, this message appears at every startup, since gtmd starts with a preprogrammed value (the default) and attempts to switch to the value that the user entered in GTM Globals.

Recommended Action:
Correct the TLS version to one of the supported strings:
TLSv1
TLSv1.1
TLSv1.2

The iqtest tool can be used to validate tls (and cipher strings)
Example:
iqtest -t tlsv2 10.100.0.1
error from gzip_ssl_ctx_init failure to set minimum tls version to tlsv2

011ae05a : The specified TLS version (%s) is not a valid selection, server (%s) value not changed.

Location:
/var/log/gtm

Conditions:
A user has entered a value for a GTM Server's TLS version list that does not match an expected value.

At this time, the expected values are:
TLSv1
TLSv1.1
TLSv1.2

Impact:
The impact is that the user-supplied value is ignored. The previous value continues to be used.

Recommended Action:
Examine the value and enter a correct value.

011ae05b : SSL Cipher List unchanged since requested value is identical to current value %s".

Location:
/var/log/gtm

Conditions:
GTM has received an update to the SSL Cipher List that is the same as the current setting.

Impact:
GTM logs the message and makes no change to internal settings.

Recommended Action:
None.

011ae05c : SSL Minimum TLS Version unchanged since requested value is identical to current value %s".

Location:
/var/log/gtm

Conditions:
GTM has received an update to the Minimum TLS version List that is the same as the current setting.

Impact:
None. GTM logs the message and makes no change to internal settings.

Recommended Action:
None.

011ae05d : Replacement iQuery connection to %s already in progresss. Ignoring request.

Location:
/var/log/gtm

Conditions:
A replacement iQuery connection has been initiated, but not finalized, and a new iquery reconnect command was issued by a user.

The timeline is:

0. There is an existing iQuery connection: Connection ID 1
1. User issues iQuery reconnect for a given iQuery connection (or all connections)
2. GTM begins the connection setup, Conn ID = 2
3. User issues another iQuery reconnect for the same connection
   GTM detects there is a replacement in progress and logs this message.
   to the requester
4. Conn ID 2 completes successfully.
5. Conn ID 1 is removed.

Impact:
None. The connection in progress runs to completion (either success or failure).

Recommended Action:
None.

011ae05e : iQuery connection ID:%d to Remote IP:%s created.

Location:
/var/log/gtm

Conditions:
A new iQuery connection has been fully established (either an initial connection or a replacement).

Impact:
None. This message is informational only and includes the connection ID, assigned by big3d, and the IP address used to connect to big3d.

Recommended Action:
None.

011ae05f : SSL Context created with cipher list '%s' and minimum TLS version '%s'.

Location:
/var/log/gtm

Conditions:
A new SSL context has been created.

Impact:
This is a "Notice" level message and lists the cipher list and minimum TLS version used to create the SSL context. The message helps a user verify that the desired cipher list and TLS version are used.

Recommended Action:
None.

011ae060 : Attempt(ignored) to replace an existing iquery connection with an invalid replacement.

Location:
/var/log/gtm

Conditions:
An attempt has been made to replace an iQuery connection with an inappropriate iQuery connection. This should not occur unless there is a bug in the code.

Impact:
The replacement attempt failed and the existing connection remains active. This is a Debug-level message.

Recommended Action:
Retry the connection.

011ae106 : The monitor probing frequency has been adjusted because more than %d synchronous monitors were detected.

Location:
The system writes this message to /var/log/gtm, and is not visible in the GUI or on the console.

The system logs error messages similar to the following to /var/log/gtm:

notice gtmd[23186]: 011ae106:5: The monitor probing frequency has been adjusted because more than 20 synchronous monitors were detected.

Conditions:
This occurs when 'a' divided by 'b' is greater than 'c'.

Assuming these definitions for the variables:

a = The number of the monitor instances with same monitor interval.
b = The monitorInterval.
c = max-synchronous-monitor-requests.

'max-synchronous-monitor-requests' is a GTM (DNS) global setting for maximum synchronous monitor requests being sent out at one time for a given probing interval. The default value is 20. You can configure the setting using the following command:

# tmsh modify gtm global-settings metrics max-synchronous-monitor-requests 10

Impact:
The log indicates that the number of monitor instances active within the configured monitor interval exceeds the calculated capacity of the system.

Note that the system needs to send synchronous monitor requests at the volume of max-synchronous-monitor-requests for every sub-second.

This message notifies the administrator to watch for signs of overload, whether there are resources flapping (quick flap to available after a timeout) and adjust the configuration or max-synchronous-monitor-requests value accordingly.

BIG-IP systems monitor software performance by first identifying performance metrics and then calibrating the measurement to the actual production baseline performance. Currently, only log messages identify degraded performance, so the only approach is to test and calibrate (i.e., trial and error) to achieve a configuration that no longer produces these symptoms.

Recommended Action:
The condition that triggers this error message is the number comparison, so changing those values can help prevent the error condition:

To eliminate this error message:
-- Increase the value of max-synchronous-monitor-requests.
-- Reduce the number of monitor instances configured with the same interval.
-- Increase the monitor interval.

When adjusting these variables, here are some things to keep in mind:
-- Increasing the value of max-synchronous-monitor-requests results in more synchronous monitor requests sent to big3d. If the value is very large, the system spends a lot of time generating monitor requests, which may deprive operations in other parts of the system, but at that point, the configuration might be facing a system-sizing issue.

-- The needs of the configuration determine the number of monitor instances that must be active within a certain time interval.

-- Increasing the monitor interval can result in resource status not being updated in a timely fashion.

011ae10e : Autoconf deleted link (%s)

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that a link should not exist because it does not have a matching pool member on any of the servers in the same datacenter.

Impact:
The auto-configuration utility deletes the named link.

Recommended Action:
No workaround required, this is expected behavior.

If it is desired to keep a Global Traffic Manager (GTM) link even when there is no matching member, then disable auto-discovery via the command "tmsh modify gtm global-settings general auto-discovery no".

011ae10f : Autoconf deleted linkIP (%s)

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that an IP address associated with a link should not exist. This is because a matching member does not exist on any known server in the same datacenter.

Impact:
The IP address is deleted from the associated link's list of IP addresses, and if this is the last remaining address in the list, the link is deleted.

Recommended Action:
No workaround required, this is expected behavior.

If it is desired to keep a Global Traffic Manager (GTM) link even when there is no matching member, then disable auto-discovery via the command "tmsh modify gtm global-settings general auto-discovery no".

011ae110 : Autoconf skipped deletion of link (%s) because %s

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that a link should not be deleted for the stated reason.

Impact:
None.

Recommended Action:
Disable debug logging unless it is required for other reasons. This can be done via the command "tmsh modify sys db log.gtm.level value <desired_logging_level>".

011ae111 : Autoconf skipped deletion of linkIP (%s) because member (%s) exists on box (%s)

Location:
/var/log/gtm

Conditions:
Debug logging is enabled, auto-discovery is enabled, and the auto-configuration utility has determined that an IP address should not be deleted from a link's list of addresses because the specified member exists on the specified device.

Impact:
None.

Recommended Action:
Disable debug logging unless it is required for other reasons. This can be done via the command "tmsh modify sys db log.gtm.level value <desired_logging_level>".

011ae112 : SSL Cipher List must not be empty. Previous setting remains in effect.

Location:
/var/log/gtm

Conditions:
The GTM globals cipher list is NULL or an empty string.

Impact:
The previous setting remains in effect.

Recommended Action:
Configure a value for the GTM globals cipher list.

011ae113 : SSL verification of SSL connection to: %s %s

Location:
/var/log/gtm

Conditions:
SSL verification has been started on an iQuery connection. This can happen at connection time, or after the renegotiation time as expired.

Impact:
None. This is an information message only. The message includes the IP address of the server and the certificate information.

Recommended Action:
None.

011ae114 : %s: SSL error: %s (%d) from connection %s

Location:
/var/log/gtm

Conditions:
An SSL error occurred during an SSL operation such as read, write, or connect.

Impact:
This is a general purpose error code to report the error as the SSL library specifies.

Recommended Action:
Examine the error message and attempt to address the issue.

011ae115 : SSL Minimum TLS Version must not be empty. Previous setting remains in effect.

Location:
/var/log/gtm

Conditions:
The GTM globals cipher list is NULL or an empty string.

Impact:
The previous setting remains in effect.

Recommended Action:
Configure a value for the SSL Minimum TLS Version setting.

011ae116 : Topology detected bad order value (%u) for topology entry (%s), reset order to (%u)

Location:
/var/log/gtm

Conditions:
The topology library has determined that the topology records that it contains do not conform to a complete and ordered list.

Impact:
The system re-orders the indicated topology entry. In general, when using topology-based load balancing, there might be unexpected behavior regarding the order in which topology records are processed.

Recommended Action:
Re-load the GTM configuration using the command "tmsh load sys config gtm-only". If the message still persists, it might indicate an error in the GTM configuration. Re-loading the GTM configuration overwrites the running GTM configuration with the saved GTM configuration.

Enabling longest-match ordering using the command "tmsh modify gtm global-settings load-balancing topology-longest-match yes" might also resolve this issue; however, the command will also modify the order of all configured topology records to the default ordering. Enabling longest-match ordering re-orders all topology records into the default ordering.

011ae116 : The list processing time (%d seconds) exceeded the interval value. There may be too many monitor instances configured with a %d second interval.

Location:
/var/log/gtm

Conditions:
The gtmd service attempted to process a given list of monitor probe instances before the next scheduled probing interval for this same list. Basically the monitoring timers could not fire quickly enough to process an entire probe interval list.

Impact:
Monitor flapping occurs, and/or resources are marked as down when they actually up.

Recommended Action:
Since there are too many monitor instances configured at this interval, we recommend reducing the number of monitor instances at the given interval.

For example, if all of your monitors are firing at a 10-second interval, and you are seeing this log message, try modifying some of your intervals be 9 seconds, and some to 11 seconds, leaving some still at 10 seconds. This should alleviate some of the pressure by moving monitor probes into different interval lists.

011ae117 : Unable to process DB Variable (%s)

Location:
/var/log/gtm

Conditions:
The gtmd process is out of memory while trying to process a db variable.

Impact:
The default db variable is not accessible during a reset-to-default command from TMSH.

Recommended Action:
Consider restarting gtmd process.

Note: Restarting gtmd brings down GSLB momentarily. Global traffic functionality is not performed.

011ae118 : Master Key encryption failed: %s.

Location:
/var/log/gtm

Conditions:
GTMD failed to encrypt text with the specified master key.

Impact:
The impact varies depending on the functionality that uses the decryption.

Recommended Action:
None.

011ae119 : Master Key decryption failed: %s.

Location:
/var/log/gtm

Conditions:
GTMD failed to decrypt text with the specified master key.

Impact:
The impact varies depending on the functionality that uses the decryption.

Recommended Action:
None.

011ae11a : Master Key updated, re-encrypting private texts of DNSSEC Key Generations.

Location:
/var/log/gtm

Conditions:
Master key of the BIG-IP system was updated to a new one.

Impact:
GTMD re-encrypts the private text of DNSSEC Key Generations with new master key. This log message is informational.

Recommended Action:
None.

011ae200 : CRL file %s created, enabling CRL validation on all remote iQuery connections.

Location:
/var/log/gtm

Conditions:
The CRL File was created.

Impact:
CRL Validation checking is enabled for all iQuery connections. Existing iQuery connections could be reverified against the current set of CRLs if configured to do so.

Recommended Action:

011ae201 : CRL file %s removed, disabling CRL validation on all remote iQuery connections.

Location:
/var/log/gtm

Conditions:
The CRL file was deleted.

Impact:
CRL Validation is disabled for all iQuery connections.

Recommended Action:

011ae203 : CRL file %s contains no CRLs, or an invalid CRL. Remote iQuery connections may be rejected.

Location:
/var/log/gtm

Conditions:
Unable to find a valid CRL who's issuer matches the issuer of the given peer certificate in iQuery connection.

This means that a CRL needs to exist for the certificate authority that signed the incoming peer device's certificate.

Impact:
iQuery connection is rejected, if it is a new connection, or the connection is disconnected, if it's an existing connect.

Recommended Action:
No workaround as this is expected behavior.

011ae206 : CRL from issuer %s will expire on %s.

Location:

Conditions:

Impact:

Recommended Action:

011ae207 : Using expired CRL form issuer %s.

Location:
/var/log/gtm

Conditions:
A client iQuery connection certificate's best-matching CRL is expired (i.e., its NextUpdate field is in the past), but due to the current configuration, this field is ignored.

Impact:
A CRL that is expired (NextUpdate in the future) is still checked for a given certificate's revocation status.

Recommended Action:

011ae209 : Using not yet active CRL from issuer %s.

Location:
/var/log/gtm

Conditions:
A client iQuery connection certificate's best-matching CRL is not yet active (i.e., its LastUpdate field is in the future), but due to the current configuration, this field is ignored.

Impact:
A CRL that is Not-Yet-Active (LastUpdate in the future) is still checked for a given certificate's revocation status.

Recommended Action:

011ae20a : CRL not found for certificate with subject %s from issuer %s.

Location:
/var/log/gtm

Conditions:
Unable to find a valid CRL whose issuer matches the issuer of the given peer certificate in the iQuery connection.

It means that a CRL needs to exist for the certificate authority that signed the incoming peer device's certificate.

Impact:
iQuery connection is rejected if it is a new connection, or the connection will be disconnected if it is an existing connect.

Recommended Action:
No workaround as this is expected behavior.

011ae20b : Certificate with subject %s from issuer %s is revoked.

Location:
/var/log/gtm

Conditions:
GTMD received a connection with a certificate that was found to be revoked via the CRL file.

Impact:
The iQuery connection is denied, unless configured otherwise.

Recommended Action:
Configuration can be changed to allow connections utilizing revoked certificates.

011ae20c : Certificate with subject %s from issuer %s will not be rejected due to revocation status.

Location:
/var/log/gtm

Conditions:
Big3d receives a connection with a certificate that was found to be revoked via the CRL file, but due to the configuration, the connection is still allowed.

Impact:
An iQuery connection is established despite the certificate provided being revoked.

Recommended Action:
This is due to a configuration of the DB variable or the command-line arguments passed to Big3d. Change the configuration if you do not want revoked certificates to be accepted.

011ae20d : Error in %s: Cannot get current time.

Location:
/var/log/gtm

Conditions:
Unable to get the current system time while trying to set a timer to reverify existing iQuery connections in compliance with GTM Globals settings:
-- iquery-reverify-on-crl-becoming-active.
-- iquery-reverify-on-crl-expiring.

Impact:
iQuery reverification may not occur when a CRL expired or becomes active.

Recommended Action:
None.

011ae20e : Will reverify all SSL connections in %ld seconds.

Location:
/var/log/gtm

Conditions:
The system will reverify the existing iQuery connections in the specified number of seconds based on the DB variables:
-- big3d.ssl.reverify_on_crl_expiring.
-- big3d.ssl.reverify_on_crl_becoming_active.

Impact:
Existing iQuery connections will have the SSL certificates that were used during initial connection establishment reverified, and potentially disconnected.

Recommended Action:
No workaround, as this is expected, configurable behavior.

011ae20f : Certificate validation failure. The iQuery connection to %s has been closed.

Location:
/var/log/gtm

Conditions:
An iQuery connection is being disconnected due to CRL reverification or renegotiation failure.

Impact:
iQuery connection is being closed down.

Recommended Action:
None.

011ae210 : Unable to verify the iQuery connection to %s: Cannot verify the peer certificate.

Location:
/var/log/gtm

Conditions:
A problem occurs while trying to reverify an existing an iQuery connection.

Impact:
The iQuery connection is not verified and will be disconnected.

Recommended Action:
None.

011ae211 : %s: Error converting time

Location:
/var/log/gtm

Conditions:
An error occurred while attempting to compare the times on CRLs.

Impact:
Potentially unable to set a timer to reverify existing iQuery connections when a CRL expires or becomes active.

Recommended Action:
Restart GTMD.

011b0203 : Error '%s' opening file %s

Location:
/var/log/ltm

Conditions:
This error indicates that the merge daemon, merged, or statistics daemon, statsd, failed to open a file to read. This error identifies the file that failed to open. For example, the message "Error 'No such file or directory' opening file /sys/block/sda/stat" could mean that a drive is defined by the operating system, but the statistics are not yet available, or are no longer available. This error could happen on disk failure.

Impact:
Statistics for the disk are not available when the file is /sys/block/sda/stat. For files in /var/rrd, historical statistics are not be available.

Recommended Action:
No known workaround is available for /sys/block/sda/stat. Rebooting or replacing the failed drive might make statistics available for a failed drive. For /var/rrd, ensure that the directory exists, and is writable and executable. Ensure that the info files in /var/rrd are readable, and that the data files are readable and writable.

011b020b : Error '%s' scanning buffer '%s' from file '%s'

Location:
/var/log/ltm

Conditions:
A round-robin database (RRD) info file is not valid. At the end of the file, there should be a checksum hash on a line that begins "#CRC " followed by a number. This line was not found.

Impact:
The RRD files store historical statistics. The invalid info file prevents certain historical statistics from being read and updated. This affects specific reporting of these statistics like TMSH show commands and TMUI statistics views.

Recommended Action:
Remove or move away the invalid info file and restart statsd. You may need to remove or move away the corresponding data file with the same prefix.

011b0233 : CACHE MISS during %s, prev=%s, curr=%s.

Location:
/var/log/ltm

Conditions:
This log will occur if a statsd query fails to find the requested data in the cache. There is an internal cache within statsd that will store previously gathered full rows of stats data, thus allowing quicker access to the user. The stats cache is a certain size. If a user queries a stat and it is not present, then a cache miss occurs. The statsd process then needs to gather the requested stats for that query.

Impact:
If there are a lot of cache misses, then a performance impact is expected.

Recommended Action:
None.

011b0236 : Merged iStats merge interval changed to be every %d seconds.

Location:
/var/log/ltm

Conditions:
Logged at Notice level when the istats merge interval is modified by changing the value of the merged.istats.merge.interval variable.

Impact:
Reports a configuration change for a user.

Recommended Action:
None.

011b0237 : Merged iStats merge interval called with %d.

Location:
/var/log/ltm

Conditions:
A debug level message logged when the istats interval has expired and there are dynamic statistics to merge.

Impact:
Informational only.

Recommended Action:
None.

011b0309 : %s %s %s

Location:
/var/log/ltm

Conditions:
This error is reported when statsd or merged gets an error from mcpd. The most common example is "tmstat_sample not ready". This message typically happens on startup when statsd requests data from mcpd but merged has not yet merged any data. This message can also occur if there is an error with the /var/tmstat/cluster directory.

Impact:
Statsd will not be able to collect historical statistics, so they will not be available to tmsh show commands and tmui views.

Recommended Action:
If the message only occurs on startup, then it can be safely ignored. Otherwise, verify /var/tmstat/cluster exists and has permissions for merged.

011b032e : Graph '%s' is not supported, possibly because it is not licensed, or a license has expired.

Location:
/var/log/ltm

Conditions:
This message generated by the statsd daemon. The daemon provides services related to statistical data.

It is possible that the license has expired or that the particular graph is not licensed. A user action is required to update the license, so that graph creation is permitted.

Impact:
The Graph is not created and the message is logged.

Recommended Action:
Either update the license or call F5 support to acquire the needed license. A "tmsh install sys license" command will install the license.

011b0600 : Error '%s' during rrd_update for rrd file '%s'

Location:
/var/log/ltm

Conditions:
An attempt to update a round-robin database (RRD) file for historical statistics failed. This error typically means that the data file is corrupt. This error can also be caused by problems with the /var/rrd directory, such as the directory is missing or does not have write and execute permissions.

Impact:
The specific historical statistics are not updated so they are no longer reliable. If the data file is corrupt, this error can also affect reading the old historical statistics, so that statistics reports like TMSH show command or TMUI statistics views might not properly report the specific statistics.

Recommended Action:
Verify that the /var/rrd directory exists, and has write and execute permission. If the directory exists with write and execute permission, remove the specific data files, and then restart statsd to recreate the file.

011b0601 : Error '%s' during rrd_graph for graph '%s'

Location:
/var/log/ltm

Conditions:
This error is logged whenever the rrdGraph function fails for any reason.

Impact:
The specific graph is not created.

Recommended Action:
Reattempt the creation. If that fails, restart statsd daemon using "bigstart restart statsd" command.

011b0816 : Statistic collection has ALREADY been started.

Location:
/var/log/ltm

Conditions:
A message is informational (not an error) and is logged when a stat collection is already initiated, and is somehow re-initiated.

This condition can occur when a device in a clustered environment transitions from the HA failover state of primary, to backup, and then back to primary within the stat collection period. Stats collection is initiated on the primary device within an HA clustered environment.

Impact:
None.

Recommended Action:
None.

011b0826 : Cluster collection start error.Exitting

Location:
/var/log/ltm

Conditions:
The statsd daemon failed to read the /config/statsd.conf file, and configure itself to collect historical statistics. This condition might be caused by this file being invalid or a problem with permissions to read the file. It might also be a problem with system resource exhaustion, where file descriptors or memory are not available.

Impact:
No historical statistics will be collected. This issue occurs in all statistics reports that include historical statistics, such as various TMSH show commands and TMUI statistics views.

Recommended Action:
Verify that the /config/statsd.conf file has read permissions and that the file exists. Verify that the file format is valid using the -p (dash p) option of /usr/bin/statsd. Verify that adequate system resources are available. After fixing the problem, restart statsd by using the command "bigstart restart statsd".

011b0900 : TMSTAT error %s: %s

Location:
/var/log/ltm

Conditions:
This error means that the merge daemon, merged, or statistics daemon, statsd, failed to query statistics. This generic error reports a range of underlying causes for the failed query. For example, the error "TMSTAT error max disk stat: read failed." can mean that a drive is defined by the operating system, but that the statistics are not yet available, or are no longer available. This can happen on disk failure. Another example is the error "TMSTAT error tmstat_query cpu_info_table: Cannot allocate memory", which can mean that merged has run out of memory.

Impact:
Statistics for a disk are not available when the error "max disk stat" occurs. For other errors, the message details indicate the statistics that are not available. For example, "cpu_info_table" indicates that the CPU usage statistics have failed.

Recommended Action:
There is no known workaround for a "max disk stat" message. Rebooting or replacing the drive might cause the operating system to make statistics available for a failed drive. For a "Cannot allocate memory" message, restarting merged might make statistics available.

011b090c : tmstat_query_rollup on table %s called

Location:
/var/log/ltm

Conditions:
If debug log is turned on for statsd, then when a stats table roll up is done, typically every 30 seconds, a log message is generated indicating which table roll up is being done.

Impact:
Lots of log messages with the log level set to Debug.

Recommended Action:
Turn off the debug log level to something like informational.

011b090e : getTMValueUNKeyed start

Location:
/var/log/ltm

Conditions:
One is trying to get a statistics value from a table that does not have a key column or the key column is ignored, for example, for a roll up query.

Impact:
No impact. This log message is informational and not an error. A roll-up query is a valid type of query where keys are not specified and data from several tables is summarized.

Recommended Action:
None.

011b090f : DNS Services request rate limiter engaged.

Location:
/var/log/ltm

Conditions:
The error message DNS Services request rate limiter engaged will appear in the /var/ltm log file when the DNS Services Requests Per Second license limit has been exceeded.

Impact:
Subsequent requests are dropped until the number of requests falls below the licensed threshold.

Recommended Action:
View the licensed DNS rate limit using the "tmsh show ltm profile dns" command.

011b0910 : DNS Services request rate limiter disengaged.

Location:
/var/log/ltm

Conditions:
The message DNS Services request rate limiter disengaged will appear in the /var/log/ltm log file when Requests Per Second returns to within the licensed limit.

Impact:
Subsequent requests are processed.

Recommended Action:
View the licensed DNS rate limit using the "tmsh show ltm profile dns" command.

011b0914 : No individual CPU information is available.

Location:
/var/log/ltm

Conditions:
On systems with HT Technology CPUs with split planes enabled, data plane tasks and control plane tasks are split and handled by separate logical cores (hyper-threads). If an error is encountered while collecting statistics on CPU usage in this environment then this message is logged.

Impact:
A transient error. No serious impact.

Recommended Action:
Subsequent statistics requests should recover from this error.

011b0999 : %s: %s

Location:
/var/ltm/log

Conditions:
This message generated by statsd. The daemon provides services related to statistical data.
These are debug logs that can only be turned on thru tmsh.

Impact:
The /var/log/ltm file starts filling up if debug is not turned off. The system does not have this enabled by default.

Recommended Action:
Change the setting through a tmsh command. For example, it can be changed to info or warn as shown below.

tmsh modify sys db log.statsd.level value info
OR
tmsh modify sys db log.statsd.level value warn
OR
tmsh modify sys db log.statsd.level value warning

011b1100 : FIPS Device: Temperature approaching maximum range (%dC).

Location:
/var/log/ltm

If a trap destination is configured, a trap is also delivered.

Conditions:
On a FIPS-enabled device, this warning message is issued if the device temperature has exceeded 80 degrees Celsius (176 degrees Farenheit).

Impact:
This is a warning message, and the environment issue should be addressed right away. The FIPS device can be damaged by excessive heat.

Recommended Action:
Modify the environment to lower the operating temperature of the FIPS-enabled system.

011b1101 : FIPS Device: Temperature met or exceeded critical range (%dC).

Location:
/var/log/ltm

If a trap destination is configured, a trap is also delivered.

Conditions:
On a FIPS-enabled system, this critical warning is issued if the temperature of the FIPS device has exceeded 85 degrees Celsius (176 degrees Fahrenheit).

Impact:
This message indicates a critical condition. The environment issue should be addressed immediately. Excessive heat damages the FIPS devices.

Recommended Action:
Modify the environment to lower the operating temperature of the FIPS-enabled system.

011b1102 : FIPS Device: Temperature returned to normal range (%dC).

Location:
/var/log/ltm

If a trap destination is configured, a trap is also delivered.

Conditions:
On a FIPS-enabled system, if the FIPS device temperature rises above 80 degrees Celsius (176 degrees Farenheit), warning messages are issued. When the temperature returns to the normal range, this message is issued.

Impact:
If a trap destination is configured, a trap is issued.

Recommended Action:
This is an informational message.

011b1103 : FIPS Device: Resetting statistics to synchronize counts.

Location:
/var/log/ltm

Conditions:
On a FIPS-enabled device, this notification occurs when the device statistics and persistent record on disk are synchronized.

Impact:
This is an informational message.

Recommended Action:

011b1104 : FIPS Device: Unable to read or recreate FIPS data file for statistics history.

Location:
/var/log/ltm

Conditions:
On a FIPS-enabled system, the /shared/fips/fips_data file cannot be read or re-created if it does not exist.

Impact:
FIPS statistics are still kept and can be viewed with tmctl, but they are not recorded in the /shared/fips/fips_data file for persistence.

There is no other impact.

Recommended Action:
Restarting the merged daemon may clear the condition.

011b1105 : FIPS Device: Deleting FIPS statistics TMSTAT segment.

Location:
/var/log/ltm

Conditions:
On a FIPS-enabled system, when the merged daemon shuts down, it removes the TMSTAT FIPS segment. This is not an error. It records the time of shut down.

Impact:
When the TMSTAT segment is removed, the /shared/fips/fips_data file is updated with current statistics values so that they are preserved across reboots and restarts.

Recommended Action:
This is a notification.

011b1106 : FIPS Device: Could not initialize statistics, timer not started.

Location:
/var/log/ltm

Conditions:
On a FIPS-enabled system when the TMSTAT tables cannot be created and initialized.

Impact:
FIPS statistics cannot be recorded if this happens.

Recommended Action:
One possible workaround is to restart the merged daemon.

Note: This error should not occur on a system that is not having other memory problems, and the workaround has no effect if the system is having other memory problems.

011d0002 : No diskmonitor entries in database

Location:
/var/log/ltm

Conditions:
MCP is down, or the database is unavailable.

Impact:
The diskmonitor script will not run.

Recommended Action:
Check 'bigstart singlestatus mcpd' and verify it is in 'run'. If not, try rebooting the box. If the problem persists a support ticket should be filed.

011d0004 : Disk partition %s has only %d free

Location:
/var/log/ltm

Conditions:
When the BIG-IP file systems become full, the diskmonitor utility generates warning messages and traps. The diskmonitor utility script runs periodically on the BIG-IP system, alerting you if the partition space or volumes reach a defined threshold.

Impact:
- Upgrades or hotfix installations might fail to proceed.
- Daemon log messages might appear similar to the following examples:
    Couldn't write to <file> / <partition>
    Failed to open file
- System performance can degrade, for example, slow or failed disk writes can occur.

Recommended Action:
Please, refer to https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14403.html for possible actions.

011e0001 : Limiting %s from %d to %d packets/sec for traffic-group %s

Location:
/var/log/ltm

Conditions:
The BIG-IP device throttles the rate of response messages that it sends in certain situations. It is a part of the DoS mechanism. This log information is generated when the BIG-IP device stops throttling the bandwidth for a class of response messages. Depending on the beginning of the log message, it indicates:
- "icmp unreach response" - throttling of ICMP unreachable responses.
- "icmp ping response" - protection from ping floods.
- "icmp tstamp response" - throttling of ICMP response timestamp responses.
- "closed port RST response" - throttling of TCP unreachable messages (no listener).
- "open port RST response" - throttling of responses about aborted TCP connections.
- "unreachable response" - a generic throttle for other kinds of messages, it also covers the specific case of IP reject.

Impact:
It is an information message. The BIG-IP device stopped throttling traffic that likely was generated by a DoS attack.

Recommended Action:
None.

011e0002 : %s: Aggressive mode %s %s (%llx) (%s %s). (%llu/%llu %s)

Location:
/var/log/ltm

Conditions:
1. db variable log.sweeper.activation.enabled is enabled.
2. The sweeper aggressive mode is activated or deactivated.

The BIG-IP device, or virtual server on BIG-IP sweeper, enters or leaves the aggressive mode and starts or stops to kill connections, reflecting the connflow load change on the BIG-IP device.

BIGIP aggressive mode is activated or deactivated, reflecting the traffic load change on BIG-IP device or the affected virtual server. If it is activated, it indicates that the BIG-IP device is overloaded by connflows in the related virtual server. If it is deactivated, it indicates that the load of connflows is reduced to normal level.

Note that if the db variable is disabled, the log will not show up.

Impact:
It is an informational message only.

Recommended Action:
The message is informational and as designed.
Reducing traffic to the BIG-IP device might prevent this message from appearing.
Turn off the db variable to turn off the log if the log is the only concern.

011e0003 : mode sweeper: %s (%llx) (%s %s) %d Connections killed

Location:
/var/log/ltm

Conditions:
1. db variable log.sweeper.activation.enabled is enabled.
2. At least one connection is killed by sweeper due to connflow overloaded on impacted BIG-IP device or the virtual server.

Note if the db variable is disabled, the log will not show up but the connection will still be killed.

Impact:
Connection gets killed by BIG-IP sweeper.

Recommended Action:
The connection gets killed by design. It might suggest that the impacted BIG-IP device or the impacted virtual server is overloaded.

Here are the options to avoid this:
1. Reduce the traffic load to BIG-IP device or affected virtual server.
2. Change eviction policy or adjust the policy parameter of the impacted virtual server.
3. Turn off the db variable to turn off the log, if the log is the only concern.

011f0001 : %s: Bad chunk state %d

Location:
/var/log/ltm

Conditions:
This error occurs due to an invalid or non-compliant HTTP chunking format, while parsing a chunked HTTP response and attempting to retrieve the chunk size. Possible conditions that trigger this error include a malformed HTTP response from the back-end web server, or a faulty LTM virtual server iRule that affects the HTTP response.

Impact:
When this error occurs, the TMM gracefully aborts (resets) the active HTTP connection with the malformed chunked response.

Recommended Action:
A workaround involves either a detailed server-side logging (on the back-end server) to track possible malformed HTTP chunked responses, or the addition of minimal instrumentation logs to the iRules that are potentially altering the HTTP response.

011f0004 : Invalid header insert profile, missing the colon separator in - %s

Location:
/var/log/tmm

Conditions:
HTTP's header insertion profile feature is used with invalid text. The expected value is of the form:

Header: Value

Impact:
The header will not be inserted.

Recommended Action:
Change the text for the inserted header to match the expected form.

011f0005 : HTTP header (%d) exceeded maximum allowed size of %d

Location:
/var/log/ltm

Conditions:
HTTP headers have a configurable size limit. The request or response includes headers that are too large. The size of headers (in bytes) exceeds the limit configured in the http profile.

Impact:
The connection will be dropped.

Recommended Action:
The size limit for http headers can be modified in the http profile.

011f0007 : %s - Invalid action:0x%x %s (%C) %s (%C)

Location:
/var/log/ltm

Conditions:
This error describes the state of the HTTP filter, and the attempted action. The IP address of the client and server (if available) are shown.

The HTTP Filter encountered an unexpected situation, for example:
- Internal Errors.
- Complex unexpected interactions between filters.
- Complex IRule interactions.
- HA desynchronization.
- RFC violations

Impact:
The connection will be dropped.

Recommended Action:
A TCP Dump might be required in order to determine the exact sequence of events required to trigger the issue. Typically, this error is triggered by an unusual situation not covered by other error messages.

011f0008 : %s - Invalid state transition to %s

Location:
/var/log/ltm

Conditions:
A faulty iRule typically triggers this error, interfering with the normal flow of events in the TMM connection flow. For example, this error can occur when forcibly closing an HTTP connection while redirecting, all within an iRule handling the HTTP request event.

Impact:
This error can result in a range of conditions: from receiving a simple, benign notification to resetting (or aborting) the active connection, depending on how the iRule handles the related connection flow events.

Recommended Action:
When this error occurs, it indicates that an iRule attempts to alter the traffic flow on a virtual server in an unexpected way. The cause can be determined with additional logging in the iRule, and examination of the invalid state transition that is logged by the error.

011f0011 : HTTP header count exceeded maximum allowed count of %d

Location:
/var/log/ltm

Conditions:
The request or response has headers that are too large. The number of headers exceeds the limit configured in the http profile.

Impact:
The connection will be dropped.

Recommended Action:
The limit for the number of http headers can be modified in the http profile. Note that increasing this limit will increase the total amount of TMM memory that can be taken by a http connection.

011f0012 : HTTP profile option %s incompatible with proxy_type. Using default instead.

Location:
/var/log/tmm

Conditions:
Some HTTP profile field options are gated by the HTTP proxy type. If the field value is disallowed, then the default will be used.

This typically occurs due to the use of non-default enforcement options when the proxy type is not "transparent".

Impact:
This is a warning that the particular profile options selected are not in effect. The default behavior will be used instead.

Recommended Action:
1) Revert the profile field value to the default, or to a value allowed by the HTTP proxy type.

2) Inherit from a HTTP profile with a different proxy type that allows the wanted values.

011f0016 : %s - Invalid action:0x%x Server sends too much data. serverside (%C) clientside (%C)

Location:
/var/log/tmm

Conditions:
The HTTP server has responded with more data than expected. It either is returning more data than indicated by the Content-Length header, or more data after the ending chunk in Chunked Encoded transfers. This behavior is not compliant with the RFC.

Impact:
The TMM has lost synchronization with the HTTP servers data stream. The BIG-IP device cannot parse headers any more. The connection to the server will be aborted.

Recommended Action:
The back-end web application should return the correct size of its content body in the Content-Length header or Chunk headers.

If the back-end is the Internet (in a forward proxy scenario), setting the "pipeline" option to passthrough might be appropriate.

011f0017 : Config error: HTTP Header Entry [%s:%d] update: agent clone failed

Location:
/var/log/tmm

Conditions:
The probable cause for this message is internal to the BIG-IP system: when an http_header_entry agent, in a per request policy in APM, is modified, failure can happen while cloning it, because the pointer to the agent entry is NULL.

Impact:
The update made to the HTTP Header Modify agent in per-request policy is lost and logs this error message.

Recommended Action:
Update to HTTP Header Modify agent in per-request policy can be made again.

01200009 : Packet rejected remote IP %*A port %d local IP %*A port %d proto %s: Connection limit exceeded.

Location:
/var/log/ltm

Conditions:
The connection has been rejected because the per-virtual connection limit has been reached.

Impact:
New connections will not be established until the open connection count falls below the limit.

Recommended Action:
None.

01200012 : Warning, connections equals limit %F, proto %s, VS %s: Connection limit reached.

Location:
/var/log/ltm

Conditions:
The connection limit for the virtual address/node address/snat address has been reached. In a single tmm system, it is the total connection limit for that tmm. In a cmp system, the tmm's connection limit is determined by the conn_limit/number of active blades. If it does not divide evenly, then the remainder is distributed among the members of low pg number blades.

The connection limit can be set by modifying "connection-limit" for an ltm virtual-address, virtual, snat-translation, node, or pool members. A value of 0 indicates no limit.

Impact:
Any future connection to this tmm for the particular address will result in it being rejected by the tmm.

Recommended Action:
Adjust the connection-limit as appropriate.

01200014 : Warning, connections equals limit %F, proto %s, RD %s: Connection limit reached.

Location:
/var/log/ltm

Conditions:
This will occur if BIG-IP reaches the maximum number of connections for the given protocol on the given route domain.

Impact:
The new connection will not be made.

Recommended Action:
None.

01200016 : Warning, node IP %*A has reached its connection limit.

Location:
/var/log/ltm

Conditions:
Connection limit has been reached on the specified Node.

Impact:
It's an information message. The user can expect TMM to refuse further connections for that Node.

Recommended Action:
Consider reviewing your configuration to possibly increase the Node connection limit if the situation is frequent.

01200017 : Warning, pool member IP %*A port %u for pool %s has reached its connection limit.

Location:
/var/log/ltm

Conditions:
Connection limit has been reached on the specified Pool Member.

Impact:
It's an information message. The user can expect TMM to refuse further connections for that Pool.

Recommended Action:
Consider reviewing your configuration to possibly increase the Pool Members connection limit if the situation is frequent.

01220001 : TCL error: %s

Location:
/var/log/tmm

This error appears in both GUI and console. The exact error message is in the printout.

Conditions:
An error occurred during iRule execution. The exact error message is in the printout.

Impact:
If the error occurred on a connection, the connection can become terminated.

Recommended Action:
To repress the error, use a catch command to prevent the error pass up.

01220002 : Rule %s: %s

Location:
/var/log/ltm

Conditions:
This error is present in the log when one of the following conditions occurs:
1. The iRule code includes a log statement which does not use any of the component, facility, and priority options.
   For example, the statement looks like:

   <some code>
   ...
   log "this is a log message without facility and priority"

2. There an error occurred during TCL compilation of the script.
   In this case, the message will include details of the error generated by the compiler
   and will be of the form "Rule <rule name> compilation failed: <compiler error here>"

Impact:
In the first case, normal log messages appear in the log with this code.

In the second case, the iRule will need to be modified to correct the error.

Recommended Action:
For the first case, it is recommended that the usage of the log command be changed to include facility and priority. For example, change the statement below:
   log "this is a log message without facility and priority"
to
   log local0.info "this is an info level log message"

For the second case, resolution is highly dependent on the error generated, but will most likely require modification
of the iRule source.

01220007 : No pending rule event found for %F

Location:
/var/log/ltm

Conditions:
This message indicates that upon resumption of iRule execution,
after a suspending operation has been executed (for example executing [table lookup key]),
the state of the flow is not as expected and is no longer in a suspending state.

A possible scenario involves an iRule that performs a side band connection as part of its logic, and has the connection reset by the peer while waiting for a response. For example, perform DNS resolution, or obtain some information from a server using HTTP request, and
wait for the answer.
When the suspending operation is completed, the flow cannot resume normal operation.

This condition should rarely be present during normal operation.

Impact:
If the flow was externally affected (terminated), it is likely not in service, so no impact is caused to traffic associated with the flow.
If the flow was not terminated, it is possible traffic associated with the flow may be impacted.

Recommended Action:
Ensure network conditions around the BIG-IP device does not contribute to this issue.

It is possible to forcibly terminate the flow if it still exists (for long held connections) by issuing the following command:
tmsh del sys conn cs-client-addr a.a.a.a cs-server-addr s.s.s.s cs-server-port p

01220008 : Unable to resume pending rule event %s for closed %F

Location:
/var/log/ltm

Conditions:
This message indicates that upon resumption of iRule execution,
after a suspending operation has been executed (for example executing [table lookup key]),
the flow is terminated due to another event.

A possible scenario involves an iRule that performs a side band connection as part of its logic, and has the connection reset by the peer while waiting for a response. For example, perform DNS resolution, or obtain some information from a server using HTTP request, and wait for the answer.
When the suspending operation is completed, the flow cannot resume normal operation.

This condition should rarely be present during normal operation.

Impact:
If the flow was externally affected (terminated), it is likely not in service, so no impact is caused to traffic associated with the flow.
If the flow was not terminated, it is possible traffic associated with the flow may be impacted.

Recommended Action:
Ensure network conditions around the BIG-IP device do not contribute to this issue.

It is possible to forcibly terminate the flow if it still exists (for long held connections) by issuing the following command:
tmsh del sys conn cs-client-addr a.a.a.a cs-server-addr s.s.s.s cs-server-port p

01220009 : Pending rule %s aborted for %F

Location:
/var/log/ltm

Conditions:
This is an information message, issued when one of the following event occurs:

A connection is torn down or aborted, where the connection has an iRule
   currently executing a suspending command (eg. [table lookup key])

Impact:
This is an information message only.

Recommended Action:
None.

01220010 : %d previous aborted rule log messages suppressed

Location:
/var/log/ltm

Conditions:
This log message is emitted under the following conditions:
1. The control used to suppress rule aborted messages is set to a non-default number greater than 1 (TBD see reference for ltm global-settings rule rule-aborted-log-ratio)
2. There were N (the number set for the control) aborted rule events.

This message indicates that the previous N occurrences of aborted rules were suppressed.
The message is generated to ensure that when the control is set to a value larger than 1 (presumably a large number), the actual number of aborted rule executions is recorded.

Impact:
When a user sets the control referred to above to a number other than 1 (and presumably large), the number of log messages in /var/log/ltm is reduced, but this message is emitted whenever a sufficient number of aborted rule executions has occurred.

In effect, the number of logged messages is reduced from 1 message per occurrence to 2 per N occurrences.

Recommended Action:
The user can set the value of the control referred to above to the default of 1 to prevent this message from appearing in the log.

01220011 : Pending rule %s aborted for context %llx

Location:
/var/log/ltm

Conditions:
An iRule using a parking command (table, after, etc) is on a virtual server. A flow on that virtual server is running the iRule and the iRule is parked, but the flow has been closed before the iRule could unpark (usually because of an abort).

Impact:
The iRule does not finish executing.

Recommended Action:
The primary recommended action is to ensure that aborts are not common for flows on virtual servers with parking iRules. The secondary recommended action is to put as much of the state changing operation of the iRule before any parking commands.

01220012 : Failed to configure rule %s for virtual %s.

Location:
/var/log/ltm

Conditions:
The system attempted but failed to find or allocate the configured listener to which an iRule is being attached.

This is and internal error not an indication of a configuration issue.

Impact:
The system fails to set up the virtual server object or its dependencies. Therefore, the configured virtual server fails to process traffic or does not have the desired iRule in effect, resulting in a service disruption.

Recommended Action:
Consider issuing the "bigstart restart" command.

01230001 : Interface %d.%d: link is up, %dMbps %s

Location:
/var/log/ltm

Conditions:
Occurs on startup as informational message about an internal interface link status. If this message doesn't occur, then likely a different issue occurred related to device initialization.

Impact:
None.

Recommended Action:
None.

01230002 : Interface %d.%d: link is down

Location:
/var/log/ltm

Not on console or in GUI

Conditions:
This message is logged when internal interfaces used to communicate with F5 internal high speed bridges transition from up to down in tmm and report to the master control process (mcp). This is not a spontaneous link failure, but a controlled action, when the tmm process is exiting.
This is an informational log on an internal link status.

This message will appear once for every internal interface when the tmm processes restart. The user can verify that the interface comes back up with the following command:
tmsh show net interface <interface_number> -hidden

At this time, there is not a corresponding message when the interface comes back up.

Impact:
None, this is informational

Recommended Action:
None.

01230032 : Interface %s not found

Location:
/var/log/ltm

Conditions:
When processing a trunk member configuration change, if the tmm can not find the interface in its interface list then it logs this message.

Impact:
The trunk configuration or status might not be configured properly and not deliver traffic.

Recommended Action:
Check the configuration. Restart system. Force-load mcp binary db (https://support.f5.com/csp/article/K13030)

01230066 : Vlan %s - untagged interface %d/%d currently in use on vlan %s

Location:
/var/log/ltm

Conditions:
This VLAN is trying to use an interface as untagged when the interface is already used as untagged on another VLAN.

Impact:
The interface will not be used.

Recommended Action:
Do one of the following: Use the interface as a tagged interface, change the interface to a tagged interface on the other VLAN, or choose a difference interface.

01230074 : Vlan %s, member %s - unsupported type %d

Location:
/var/log/ltm

Conditions:
An attempt was made to add a VLAN member that is neither an interface or a trunk.

Impact:
Requested VLAN member is not added.

Recommended Action:
Add interfaces and trunks only as VLAN members. If this error occurs when adding an interface or trunk VLAN member, file a bug.

01230087 : Vlan %s, member %s instance add error %u

Location:
/var/log/ltm

Conditions:
1. TMM is out of memory (error value in the log message will be 1 in this case).
2. There is an error in the member interface that was not caught by the configuration subsystem.

Impact:
The error can occur when configuring to add a member interface or trunk to a VLAN. When the error occurs, the error is logged, but the VLAN member configuration is allowed to proceed. The only feature impacted by this error in 13.0.0 is Layer 2 cloning (packets will not be cloned to the member interface where the error is encountered).

Recommended Action:
For error due to out of memory condition, locate processes occupying large amounts of memory, and restart if possible.

01230088 : Couldn't %s vlangroup %s

Location:
/var/log/ltm

Conditions:
This message occurs when one of the following occurs:

1) TMM is parsing a configuration message from MCP, and TMM is out of memory.

2) The system previously received an out-of-memory message. Now, the system has tried to modify a configuration that was never added, due to the previous out-of-memory condition.

Impact:
The relevant VLAN group does not receive or pass traffic.

Recommended Action:
Restart TMM. TMM will not pass traffic during the restart.

01230111 : Interface %d.%d: HSB DMA lockup on %s.

Location:
/var/log/ltm

Conditions:
The HSB hardware experiences some lockup conditions under certain circumstances.

A tmm reports that one of the internal interface that connects to the HSB DMA engine is in a bad lockup state on either the transmitter or receiver side.

Jun 14 04:46:12 slot1/BIG-IP1 crit tmm4[34471]: 01230111:2: Interface 0.5: HSB DMA lockup on transmitter failure.

Impact:
Traffic will be interrupted, and failover might be triggered. The BIG-IP system might reboot to recover. A core file might also be generated because this condition usually leads to the tmm missing heartbeats, and thus is aborted by sod.

Recommended Action:
When this condition happens, collect an HSB register dump by running the hsb_snapshot command before the BIG-IP system is rebooted, such that it may be examined by the firmware team for root cause analysis. If the condition continues, send the register dumps to the firmware team for analysis of possible hardware issues.

01230113 : "Unsupported media setting %s for interface %s"

Location:
/var/log/ltm, console

Conditions:
A media setting for an interface such as speed or duplex does not match the type supported by the physical port.

Impact:
The interface change will not occur. Normally, these settings are caught in configuration validation and not expected to be logged by tmm.

Recommended Action:
Check the configuration for the interface.

01230140 : RST sent from %A:%d to %A:%d, %s

Location:
/var/log/ltm

Conditions:
This message is logged only when the db variable tm.rstcause.log is set to TRUE.
This message includes the source address and port, destination address and port, and a description, if available. For example, "RST sent from 1.2.3.4:80 to 5.6.7.8:56789, No flow found for ACK".

Impact:
When the db variable tm.rstcause.log is enabled, performance might be affected.

Recommended Action:
This db variable tm.rstcause.log is off by default. To turn off these messages, set the db variable tm.rstcause.log to disabled (tmsh modify sys db tm.rstcause.log value disabled).

01240006 : Error querying request URI: %s

Location:
/var/log/tmm

Conditions:
Inflate or Deflate filter is enabled on the virtual server, and no URI was found in the request. This might happen if client specifies legacy HTTP version 0.9 request without a URI, or an intentionally malformed request.

Impact:
Inflate/Deflate filter logs message, but continues processing. This condition does not trigger a connection reset or other response.

Recommended Action:
Check that all requests to virtual server are supplying a valid URI.

01260000 : Profile %s: %s

Location:
/var/log/ltm

Conditions:
This message occurs in the following cases:
* Cannot load a required file (key, certificate, CRL, CA)
* Forward Proxy is enabled, but not licensed
* The supplied cipher string resulted in no ciphers
* Problems with a FIPS key
* Invalid OCSP configuration.

Impact:
Any virtual server reporting this SSL configuration will not work as expected.

Recommended Action:
The message contains details about which error occurred. Use those details to determine a course of action. For example, if the detail is `could not load key file' determine which file it cannot load and why.

01260006 : Peer cert verify error: %s (depth %d; cert %s)

Location:
/var/log/ltm

Conditions:
The peer certificate failed to validate for any number of reasons (invalid certificate, out of date, and so on).

Impact:
The SSL handshake will be aborted.

Recommended Action:
The CA file might need to be updated. More likely, the peer certificate is simply invalid. This is mostly informative.

01260008 : SSL transaction (TPS) rate limit reached

Location:
/var/log/ltm

Conditions:
The SSL license has a limited number of transactions per second, and the incoming rate exceeds this.

Impact:
Any transactions exceeding the licensed limit will be aborted.

Recommended Action:
This is mostly informational, though an, `unlimited,' license is available.

01260009 : Connection error: %s:%d: %s (%d)

Location:
/var/log/ltm

Conditions:
* Various internal errors (unexpected states)
* An attempt to initiate a handshake while a handshake is in progress
* Anytime an SSL alert is sent

Impact:
This is informative and should have no effect on an existing connection.

Recommended Action:
Informative only. No workaround.

01260010 : FIPS acceleration device failure: %s

Location:
/var/log/ltm

Conditions:
The internal FIPS card is not responding correctly to requests. This is a hardware error.

Impact:
Performance degradation to performance cessation.

Recommended Action:
There is no workaround for this issue.

01260012 : Self-initiated renegotiation attempted while renegotiation disabled: %s

Location:
/var/log/ltm

Conditions:
An SSL client or server requests renegotiation when the corresponding SSL profile has renegotiation disabled.

Impact:
Renegotiation will not happen.

Recommended Action:
Enable `renegotiation' is the associated profile.

01260013 : SSL Handshake failed for <PROTOCOL> <SRC> -> <DST>

Location:
/var/log/ltm

Conditions:
The connection is closed before the SSL handshake completes.

Impact:
This is informative only. The peer closed the connection during an SSL handshake.

Recommended Action:
Informative only.

01260014 : Cipher %x:%x negotiated is not configured in profile %s

Location:
/var/log/ltm

Conditions:
Proxy-ssl is configured on the virtual server, passthru is not enabled, and the cipher negotiated by the client and server is not supported in the SSL profile.
Note: This message is deprecated. The new message is, ``Cipher %x:%x negotiated is not supported by Proxy SSL configured in virtual server %s''.

Impact:
The connection will not be allowed.

Recommended Action:
Add the necessary ciphers to the SSL profiles, or reconfigure the SSL server to only negotiate ciphers allowed by the profiles.

01260014 : Cipher %x:%x negotiated is not configured in profile %s

Location:
/var/log/ltm

Conditions:

Impact:
The connection will not be allowed.

Recommended Action:
Add the necessary ciphers to the SSL profiles, or reconfigure the SSL server to only negotiate ciphers allowed by the profiles.

01260015 : Certificate supplied by server (subject CN: %s) was not configured on virtual: %s

Location:
/var/log/ltm

Conditions:
Proxy SSL is configured and the certificate from the SSL server does not exist in any profiles attached to the virtual.

Impact:
An alert will be sent closing the connection.

Recommended Action:
Add the SSL server's certificate to a profile connected with the virtual.

01260017 : Connection attempt to insecure SSL server (see RFC5746) aborted: %A:%d

Location:
/var/log/ltm

Conditions:
Strict renegotiation is enabled on a server-ssl profile, and the SSL server is not capable of secure renegotiation.

Impact:
The connection to the SSL server will be aborted.

Recommended Action:
Only use SSL servers that support secure renegotiation.

01260018 : Connection attempt to insecure SSL server (see RFC5746): %A:%d

Location:
/var/log/ltm

Conditions:
An SSL server does not support secure renegotiation (defined by RFC 5746).

Impact:
This is informational only.

Recommended Action:
None.

01260024 : OCSP failure on profile %s, certificate with issuer %s and serial number %lx: %s - %s

Location:
/var/log/tmm

Conditions:
This message is seen when there is a failure in fetching OCSP response.

Impact:
None.

Recommended Action:
None.

01260025 : Cipher %x:%x negotiated is not supported by Proxy SSL configured in virtual server %s

Location:
/var/log/ltm

Conditions:
Proxy-ssl is configured on the virtual server, passthru is not enabled, and the cipher negotiated by the client and server is not supported in the SSL profile.

Impact:
The connection will not be allowed.

Recommended Action:
Add the necessary ciphers to the SSL profiles, or reconfigure the SSL server to only negotiate ciphers allowed by the profiles.

01260026 : No shared ciphers between SSL peers %A.%d:%A.%d.

Location:
/var/log/ltm

Conditions:
An SSL client attempts to connect to a BIG-IP device, but none of the sent ciphers match the configured ciphers in the client-ssl profile.

Impact:
The SSL client will be unable to connect to the BIG-IP device.

Recommended Action:
Determine which ciphers the SSL client is sending, and add one or more of them to the relevant client-ssl profile.

01260034 : SSL decryption canceled.

Location:
/var/log/ltm

Conditions:
When the SSL decryption process is intentionally canceled during the SSL handshake. Usually a result of a SSL client side's terminating of an SSL connection.

Impact:
None.

Recommended Action:
None.

01260045 : Certificate with subject name (%s) and serial number (%s) is revoked

Location:
/var/log/ltm:

01260045:4: Certificate with subject name (/CN=Joe-IntermediateCA.example.com/ST=California/C=US/O=Example, Inc./OU=ExampleSUB) and serial number (0X1000) is revoked.

Conditions:
At least one certificate in the peer certificate chain is revoked.

Impact:
-- If the revoked certificate is a CA certificate, the SSL handshake fails.

-- If the revoked certificate is an end-entity certificate and the revoked-cert-status-response-control is 'drop', then the SSL handshake fails.

Recommended Action:
No workaround

0127000c : Coalesced (%lu) requests for the previous command into 1 execution

Location:
/var/log/ltm

Conditions:
Disabled by default. When syscalld debugging is enabled, appears in /var/log/ltm.

The same syscalld command is invoked in rapid succession.

Impact:
Instead of running the command once for every request, in order to prevent the system from being overrun, syscalld will combine invocations of the same command with the same arguments.

Recommended Action:
No action required. This message does not indicate a problem.

01280045 : Debug: %s

Location:
/var/log/ltm

Conditions:
STPD is running and debug logging is enabled.

Impact:
No impact - debug messages are to aid developers.

Recommended Action:
None.

01290003 : HALMSG reporting error conditions

Location:
/var/log/ltm

Conditions:
Various logs associated with errors encountered by the hardware abstraction layer (HAL) when using the inter daemon messaging interface during startup or normal operation.
Some typical examples are:
    "HalmsgTerminalImpl_::sendMessage() Can't create HalmsgConnection_"
    "HalmsgTerminalImpl_::sendMessage() Unable to send to any %s address", str

Impact:
The HAL messaging service might not create or maintain a connection between affected daemons, for transferring messages between registered HAL messaging component end points.

Recommended Action:
The specific log indicates if the error relates to system instability, where relevant daemons might not be running or responding. If the issue persists across daemon or system restarts, file a support ticket with more specific information, as indicated in the relevant log message.

01290004 : HALMSG reporting warning conditions

Location:
/var/log/ltm

Conditions:
Internal HAL messaging system has encountered an unexpected condition. Conditions can vary and be caused by but not limited to:
- Linux socket errors, which may be temporary in nature
- File operations that encounter names that are too long
- Messages from other processes that are too long

Impact:
Varies considerably with specific warning. It might indicate a configuration error somewhere else in the system.

Recommended Action:
Inspect the /var/log/ltm file for additional errors and warnings, and try to correlate the HAL messaging error with another system that might be misconfigured.

012a0000 : "LIBHAL reporting system is unusable"

Location:
/var/log/ltm

Conditions:
During startup or normal operation, the system logs various emergency level messages associated with errors encountered by the hardware abstraction layer (HAL) daemon. Some typical examples are:

      "Automatically rebooting to complete firmware update"
      "System rebooting ..."
      "Reboot required to fix PCIe hardware failure"
      "Blade %d power DOWN effected (as requested by %d via CAN bus %d)",...

Impact:
A system reboot might be required for continued operation, due to a possible failure of the HAL daemon or because firmware was updated.

Recommended Action:
The specific log indicates whether the error is related either to expected system restarts after firmware updates or to hardware and system instability issues. If the issue persists across daemon/system restarts, file a support ticket.

012a0002 : "LIBHAL reporting critical conditions"

Location:
/var/log/ltm

Conditions:
Various critical logs associated with errors encountered by the hardware abstraction layer (HAL) daemon during startup or normal operation.
Typical examples include:
   "platform_detect: no recognized platform detected."
   "critical platform initialize failure. exiting..."
   "hal_get_dossier: space allocation error"
   "Error creating interface_bundle = %x",err
   "SSD (%s) at bay %d shelf %s: current available space (%d%%) has reached its threshold (%d%%)",...

Impact:
The HAL daemon might not be able to correctly identify the platform or publish the hardware abstraction configuration at startup, or has encountered a critical failure during normal operation.

Recommended Action:
The specific log will indicate if the error relates to platform-specific issues, or system instability. If the issue persists across daemon/system restarts, a support ticket should be filed.

012a0003 : LIBHAL reporting error conditions

Location:
/var/log/ltm

Conditions:
Various error level logs, associated with errors, were encountered by the hardware abstraction layer (HAL) daemon during startup or normal operation.
Some typical examples are:
    "DossierReq exception: %s", str
    "StorageReadReq failure error = %s", str
    "Unable to attach to LCD: %s", str
    "HAL unsupported platform : %s", str

Impact:
The HAL daemon might not be able to correctly identify the platform or publish the hardware abstraction configuration at startup, or has encountered a critical failure during normal operation.

Recommended Action:
The specific log indicates if the error relates to platform specific issues, or system instability. If the issue persists across daemon or system restarts, file a support ticket with more specific information as indicated in the relevant log message.

012a0004 : LIBHAL reporting warning conditions

Location:
HAL daemon (chmand) warning logs reported in /var/log/ltm

Conditions:
Various warning logs associated with problems or anomalies encountered by the hardware abstraction layer (HAL) daemon during startup or normal operation.
Typical examples include:
   "hal_stop_chman: sendMessage failed"
   "AomSelLogger: unable to process SEL logs"
   "halAnnunciatorSet: sendMessage failed"
   "halGetInterfaceOwner: sendMessage failed"
   "halGetSystemSerialId: sendMessage failed",...

Impact:
The HAL daemon may not be able to correctly identify the platform or publish the hardware abstraction configuration at startup, or has encountered a problem during normal operation.

Recommended Action:
The specific log will indicate if the error relates to platform specific issues, or system instability. If the issue persists across daemon/system restarts and causes problems in system operation, a support ticket should be filed.

012a0005 : LIBHAL reporting normal but significant condition

Location:
/var/log/ltm

Conditions:
An event associated with the hardware platform monitoring code has been observed and highlighted as important information. The events can range from state changes in the system to unexpected events that might indicate an error. Some examples are: platform firmware version checks, delays or timeouts when taking actions, and processes starting or stopping.

Impact:
Impact might be very context specific. In most cases, the message itself should indicate whether it is an unexpected event, state change, or important information.

Recommended Action:
If the message indicates a state change, review whether it was expected based upon any changes that were made at that time to the system. If the message indicates an error, look for additional errors of higher or similar severity at the same time that would provide greater clarity to the problem.

012a0006 : LIBHAL reporting informational

Location:
/var/log/ltm

Conditions:
An informational event associated with the hardware platform monitoring code has been observed and reported. It is used widely for indicating chassis and blade status related to disk media and sensor monitoring.

Impact:
The messages are for informational purposes only.

Recommended Action:
There are no workarounds or actions required based on these log messages.

012a0007 : LIBHAL reporting debug-level messages

Location:
/var/log/ltm

Conditions:
These only occur when someone has manually configured the 'log.libhal.level' DB variable to 'Debug'.

Impact:
No impact, these are only intended to be used by F5 development and support for additional diagnostics.

Recommended Action:
Recommend setting log.libhal.level DB variable back to default value of 'Notice'.

modify sys db log.libhal.level value Notice

012a0012 : Blade %d is about to be powered off!

Location:
The error will be in /var/log/ltm

A blade in one of the chassis slot is about to be powered off, initiated by an alert message from the hardware Always-On Management (AOM) processor due to some critical conditions related to some hardware components. For example,

slot1/localhost emerg chmand[5710]: 012a0012:0: Blade 1 is about to be powered off!

Conditions:
When the hardware Always-On Management (AOM) processor sends a sensor update with the action flag bit 'BIG-IP power off' set, the blade will be powered off.

Impact:
The blade will be powered off.

Recommended Action:
No workaround. If you can power the blade back up, you should look at the log file to see which sensor alert caused the power-off, and run End User Diagnostics (EUD) software for any hardware issues.

012a0013 : Blade %d hardware sensor critical alarm: %s

Location:
/var/log/ltm

Conditions:
A hardware sensor reported a potentially critical condition, depending on context.
For example:
- An excessively high temperature reading
- An excessively high or excessively low voltage reading
- Loss of power to a power supply

Impact:
Evaluate this error message in context to determine whether a critical, transitory, or expected condition applies.
- If the error occurs once, it might indicate a transient communication error in the sensor-monitoring subsystem, and not an actual hardware failure or critical environmental condition.
- If the error occurs due to an external event (for example, disconnected external power from a power supply during a maintenance procedure), the message confirms the result of the external action, and no further action is required.
- If the error occurs repeatedly, without the apparent result of a known external event, perform additional diagnosis to identify the faulty hardware or environmental condition causing the critical sensor report.

Recommended Action:
1. If the reported condition appears to be caused by a known external event, no further action is required.
2. If the error occurs only once, examine the logs for entries indicating a transitory communication error (for example, a related daemon restarting). If no obvious explanation is found, perform an EUD during the next available maintenance window. Continue to monitor the system unless additional messages occur.
3. If the error continues with no obvious external cause, perform an EUD as soon as feasible. Evaluate applicable external contributing factors. Consider an RMA for the affected component.

012a0016 : Blade %d hardware sensor notice: %s

Location:
/var/log/ltm and LCD if connected

Conditions:
One of the hardware sensors has indicated the presence or absence of a notable condition.
Examples: Temperature going too high or returning to normal, fan speeds going too low or returning to normal, power going too low or returning to normal.

Impact:
Varies by condition.

Recommended Action:
Inspect /var/log/ltm for additional details. This message is typically accompanied by several other log messages that specify the exact nature of the sensor alarm.

012a0017 : Chassis power module %d turned on

Location:
/var/log/ltm

Conditions:
A power supply status has changed from being powered off to powered on.

Impact:
Informational.

Recommended Action:
It is not an error, no action required.

012a0019 : Chassis power module %d is on.

Location:
/var/log/ltm

Conditions:
A power supply unit is active with sufficient input power.

Impact:
None.

Recommended Action:
None.

012a0021 : Chassis power module %d absent.

Location:
/var/log/ltm

Conditions:
This occurs when power supply module #x is missing or removed from the chassis, where "x" is greater than 4.

Impact:
The chassis is missing one of the power supply modules and may not have full power capacity or redundant recovery in case the other supplies fail.

Recommended Action:
Replace or reinsert a power supply module in bay #x to restore full power capacity and redundancy.

012a0022 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system experienced a communication error with the AOM. This could be due to successive errors or timeouts.

The BIG-IP system received an alert from the AOM that was classified as a 'warning' level priority. Examples are CPU faults and unexpected or unidentified sensors that the BIG-IP system could not otherwise interpret.

Impact:
Impact varies by specific incident.

Recommended Action:
Inspect /var/log/ltm for additional errors or indications around the time that the log message occurred.

If present, inspect /var/log/sel for additional errors or indications around the time that the log message occurred.

012a0023 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system received an alert from the AOM that was classified as an 'error' level priority. While the message infrastructure exists, there are no uses of this message.

Impact:
Impact would vary by specific incident.

Recommended Action:
Inspect /var/log/ltm for additional errors or indications around the time that the log message occurred.

If present, inspect /var/log/sel for additional errors or indications around the time that the log message occurred.

012a0024 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system received an alert from the AOM that was classified as an 'alert' level priority. While the message infrastructure exists, there are no uses of this message.

Impact:
Impact would vary by specific incident.

Recommended Action:
Inspect /var/log/ltm for additional errors or indications around the time that the log message occurred.

If present, inspect /var/log/sel for additional errors or indications around the time that the log message occurred.

012a0025 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system detected that a FRU component has corrupted or missing information.

The BIG-IP system detected that a fan tray was removed.

The BIG-IP system detected that an internal hardware module is absent (ex. internal switch, LCD, HSB, CPU).

The BIG-IP system detected that the chassis air filter replacement is overdue.

The BIG-IP system detected a problem communicating with the LCD module.

The BIG-IP system detected a CPU fault CATERR, IERR, or MCERR.

The BIG-IP system received a 'critical' level alert from the AOM for a sensor type that it didn't expect or could not interpret.

Impact:
Impact varies by specific incident.

Recommended Action:
Inspect /var/log/ltm for additional errors or indications around the time that the log message occurred.

If present, inspect /var/log/sel for additional errors or indications around the time that the log message occurred.

012a0026 : %s

Location:
/var/log/ltm, console, LCD

Conditions:
The BIG-IP device detected a CPU FIVR error.

The BIG-IP device received an 'emergency' level alert from the AOM for a sensor type that it didn't expect or could not interpret.

Impact:
Impact varies by specific incident.

Recommended Action:
Inspect /var/log/ltm for additional errors or indications around the time that the log message occurred.

If present, inspect /var/log/sel for additional errors or indications around the time that the log message occurred.

012a0027 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM SEL is full.

Any one of the AOM WARN, ERROR, ALERT, CRIT, or EMERG level alert conditions previously reported has now cleared.

Impact:
If the AOM SEL is full, the AOM will no longer be able to log messages to it. This could result in losing valuable information associated with a future problem. Reaching this condition in the first place also suggests that there could be a serious problem with the hardware, since the SEL should remain rather inactive at steady state conditions and it supports tens of thousands of entries.

For other log messages, the impact varies by specific incident, but they are primarily informational and indicate that a condition has recovered from a previously bad state.

Recommended Action:
If the SEL is full, it can be cleared using the ipmiutil command: 'ipmiutil sel -d'
NOTE: It is highly recommended to make sure that /var/log/sel has the latest information from the SEL before clearing it. The /var/log/sel file gets updated automatically every two minutes.

For other log messages, inspect /var/log/ltm for additional information around the time that the log message occurred.

012a0028 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a temperature sensor has crossed a 'warning' threshold.

Impact:
Integrity of the hardware could be at risk if overheating is not mitigated.

Recommended Action:
Check the fan status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and/or /var/log/ltm for any fan related problems.

Ensure that ambient room temperature in which the device is located has sufficient cooling.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the unit might be starting to overheat.

012a0029 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system detected an error while monitoring a temperature sensor.

Impact:
Diagnostic temperature information might be unavailable or inaccurate.

Recommended Action:
Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the sensor might have encountered a problem.

Inspect the following tmctl table for errors in the row 'GetSensRead'.
# tmctl ipmi_ops

If sensor reading errors are continuously incrementing in the above table, try reseting the AOM through the AOM menu, followed by a re-start of chmand after waiting about 5 minutes from the AOM restart:
# bigstart restart chmand

012a0030 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a temperature sensor has crossed an 'alert' level threshold.

Impact:
Integrity of the hardware could be at risk if overheating is not mitigated.

Recommended Action:
Check the fan status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and /var/log/ltm for any fan related problems.

Ensure that ambient room temperature in which the device is located has sufficient cooling.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the unit may be starting to overheat.

012a0031 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a temperature sensor has crossed a 'critical' level threshold.

Impact:
Integrity of the hardware could be at risk if overheating is not mitigated.

Recommended Action:
Check the fan status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and /var/log/ltm for any fan related problems.

Ensure that ambient room temperature in which the device is located has sufficient cooling.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the unit may be starting to overheat.

012a0032 : %s

Location:
/var/log/ltm, console, LCD

Conditions:
AOM has indicated that a temperature sensor has crossed an 'emergency' level threshold.

Impact:
This will likely result in an automatic power down event by the AOM.

Recommended Action:
Integrity of the hardware could be at risk from overheating. Careful inspection for the cause of overheating should be performed and an EUD should be run next time the unit is powered on.

012a0033 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a temperature sensor has experienced an 'information' level state change. These are almost always the result of a temperature returning back to normal after having experienced an abnormal reading.

Impact:
Likely indicates that the unit has returned to a good state after having experienced a temperature anomaly.

Recommended Action:
Make sure root cause for any preceding temperature anomaly is understood in order to prevent recurrence.

012a0034 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a fan sensor has crossed a 'warning' threshold.

Impact:
Integrity of the hardware could be at risk for eventual overheating if problem is not mitigated.

Recommended Action:
Check the fan status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and/or /var/log/ltm for any other fan related problems.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the fan might be malfunctioning.

Check for any objects obstructing free movement of the fan.

If the fan is associated with the chassis fan tray, make sure that the fan tray is fully inserted and fastened with the set screws. Also try re-seating the fan tray if problem persists.

012a0035 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system detected an error while monitoring a fan sensor.

Impact:
Diagnostic fan information may be unavailable or inaccurate.

Recommended Action:
Inspect the following tmctl table for errors in the row 'GetSensRead':
# tmctl ipmi_ops

If sensor reading errors are continuously incrementing in the above table, try reseting the AOM through the AOM menu followed by a re-start of chmand after waiting about 5 minutes from the AOM restart:
# bigstart restart chmand

012a0036 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a fan sensor has crossed an 'alert' threshold.

Impact:
Integrity of the hardware could be at risk for eventual overheating if problem is not mitigated.

Recommended Action:
Check the fan status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and/or /var/log/ltm for any other fan related problems.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the fan may be malfunctioning.

Check for any objects obstructing free movement of the fan.

If the fan is associated with the chassis fan tray, make sure that the fan tray is fully inserted and fastened with the set screws. Also try re-seating the fan tray if problem persists.

012a0037 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a fan sensor has crossed a 'critical' threshold.

Impact:
Integrity of the hardware could be at risk for eventual overheating if problem is not mitigated.

Recommended Action:
Check the fan status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and/or /var/log/ltm for any other fan related problems.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the fan may be malfunctioning.

Check for any objects obstructing free movement of the fan.

If the fan is associated with the chassis fan tray, make sure that the fan tray is fully inserted and fastened with the set screws. Also try re-seating the fan tray if problem persists.

012a0038 : %s

Location:
/var/log/ltm, console, LCD

Conditions:
AOM has indicated that a fan sensor has crossed an 'emergency' threshold.

Impact:
Integrity of the hardware could be at risk for eventual overheating if problem is not mitigated.

Recommended Action:
Check the fan status of the unit using 'tmsh show sys hardware'

Inspect the LCD and/or /var/log/ltm for any other fan related problems.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the fan may be malfunctioning.

Check for any objects obstructing free movement of the fan.

If the fan is associated with the chassis fan tray, make sure that the fan tray is fully inserted and fastened with the set screws. Also try re-seating the fan tray if problem persists.

012a0039 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a fan sensor has experienced an 'information' level state change. These are almost always the result of a fan returning back to normal after having experienced an abnormal reading.

Impact:
Likely indicates that the unit has returned to a good state after having experienced a fan anomaly.

Recommended Action:
Make sure root cause for any preceding fan anomaly is understood in order to prevent recurrence.

012a0040 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a power sensor has crossed a 'warning' threshold. Likely causes are:

- A PSU is insufficiently powered or malfunctioning.
- An internal power fault has occurred within the unit.

Impact:
Unit might be malfunctioning or insufficiently powered.

Recommended Action:
Check the PSU status of the unit using 'tmsh show sys hardware'

Inspect the LCD and /var/log/ltm for any other power related problems.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the power might be malfunctioning.

Make sure each PSU in the system is properly seated with an appropriate power source supplied to it.

012a0041 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system detected an error while monitoring a power sensor.

Impact:
Diagnostic power information might be unavailable or inaccurate.

Recommended Action:
Inspect the following tmctl table for errors in the row 'GetSensRead':
# tmctl ipmi_ops

If sensor reading errors are continuously incrementing in the above table, try reseting the AOM through the AOM menu followed by a re-start of chmand after waiting about 5 minutes from the AOM restart:
# bigstart restart chmand

012a0042 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a power sensor has crossed an 'alert' threshold. Likely causes are:

- A PSU is insufficiently powered or malfunctioning.
- An internal power fault has occurred within the unit.

Impact:
Unit might be malfunctioning or insufficiently powered.

Recommended Action:
Check the PSU status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and /var/log/ltm for any other power related problems.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the power might be malfunctioning.

Make sure each PSU in the system is properly seated with an appropriate power source supplied to it.

012a0043 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a power sensor has crossed a 'critical' threshold. Likely causes are:

- A PSU is insufficiently powered or malfunctioning.
- An internal power fault has occurred within the unit.

Impact:
Unit might be malfunctioning or insufficiently powered.

Recommended Action:
Check the PSU status of the unit using 'tmsh show sys hardware'.

Inspect the LCD and /var/log/ltm for any other power related problems.

Inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the power might be malfunctioning.

Make sure each PSU in the system is properly seated with an appropriate power source supplied to it.

012a0044 : %s

Location:
/var/log/ltm, console, LCD

Conditions:
AOM has indicated that a power sensor has crossed an 'emergency' threshold. Likely causes are:

- A PSU is insufficiently powered or malfunctioning.
- An internal power fault has occurred within the unit.

Impact:
Hardware integrity of the unit is in jeopardy and will likely be powered down automatically.

Recommended Action:
If the unit can still be powered on, inspect /var/log/ltm and /var/log/sel around the time of the message for any additional indications as to why the power might be malfunctioning.

Make sure each PSU in the system is properly seated with an appropriate power source supplied to it.

012a0045 : %s

Location:
/var/log/ltm, LCD

Conditions:
AOM has indicated that a power sensor has experienced an 'information' level state change. These are almost always the result of a power reading returning back to normal after having experienced an abnormal reading, or a message providing the initial status on first power up.

Impact:
Likely indicates that the unit has returned to a good state, after having experienced a power anomaly, or the unit has just been powered on.

Recommended Action:
Make sure root cause for any preceding power anomaly is understood in order to prevent recurrence.

012a0046 : Chassis power module 1 turned on.

Location:
/var/log/ltm

Conditions:
Power supply 1 is powered on.

Impact:
None.

Recommended Action:
None.

012a0047 : Chassis power module 2 turned on.

Location:
/var/log/ltm

Conditions:
Power supply 2 is powered on.

Impact:
None.

Recommended Action:
None.

012a0048 : Chassis power module 3 turned on.

Location:
/var/log/ltm

Conditions:
Power supply 3 is powered on.

Impact:
None.

Recommended Action:
None.

012a0049 : Chassis power module 4 turned on.

Location:
/var/log/ltm

Conditions:
Power supply 4 is powered on.

Impact:
None.

Recommended Action:
None.

012a0050 : Chassis power module 1 turned off.

Location:
/var/log/ltm

Conditions:
A chassis power module is present in slot 1 but does not have an input power supply. This could be because the unit is switched off, the external power supply is inadequate, or a malfunction has occurred.

Impact:
Power supply redundancy is compromised since the power supply unit in slot 1 is not actively supplying power to the box.

Recommended Action:
If the condition is unexpected:
Verify that the power supply unit is switched on.
Verify that external source to the power supply unit is functioning properly.
Verify that the power supply unit is seated properly.
Inspect /var/log/ltm for additional power related alarms for indications of any potential malfunctions.

012a0051 : Chassis power module 2 turned off.

Location:
/var/log/ltm

Conditions:
Power supply 2 is powered off.

Impact:
None.

Recommended Action:
None.

012a0052 : Chassis power module 3 turned off.

Location:
/var/log/ltm

Conditions:
Power supply 3 is powered off.

Impact:
None.

Recommended Action:
None.

012a0053 : Chassis power module 4 turned off.

Location:
/var/log/ltm

Conditions:
Power supply 4 is powered off.

Impact:
None.

Recommended Action:
None.

012a0054 : Chassis power module 1 absent.

Location:
/var/log/ltm

Conditions:
The power supply module #1 is missing or removed from the chassis.

Impact:
The chassis is missing one of the power supply modules. If any other power supplies fail, then both the full power capacity and redundant recovery may be compromised.

Recommended Action:
To restore full power capacity and redundancy, replace or reinsert a power supply module in bay #1.

012a0055 : Chassis power module 2 absent.

Location:
/var/log/ltm

Conditions:
The power supply module #2 is missing or removed from the chassis.

Impact:
The chassis is missing one of the power supply modules. If any other power supplies fail, then both the full power capacity and redundant recovery may be compromised.

Recommended Action:
To restore full power capacity and redundancy, replace or reinsert a power supply module in bay #2.

012a0056 : Chassis power module 3 absent.

Location:
/var/log/ltm

Conditions:
The power supply module #3 is missing or removed from the chassis.

Impact:
The chassis is missing one of the power supply modules. If any other power supplies fail, then both the full power capacity and redundant recovery may be compromised.

Recommended Action:
Replace or reinsert a power supply module in bay #3 to restore full power capacity and redundancy.

012a0057 : Chassis power module 4 absent.

Location:
/var/log/ltm

Conditions:
The power supply module #4 is missing or removed from the chassis.

Impact:
The chassis is missing one of the power supply modules. If any other power supplies fail, then both the full power capacity and redundant recovery may be compromised.

Recommended Action:
To restore full power capacity and redundancy, replace or reinsert a power supply module in bay #4.

012a0058 : Chassis with %d blades (%d W) may be inadequately powered - increase active number of power supplies

Location:
/var/log/ltm, console

Conditions:
The number of power supplies installed might not be enough to support the number of blades in the system.

Impact:
The system might not function properly.

Recommended Action:
None.

012a0059 : Chassis power module %d is unidentified.

Location:
/var/log/ltm, LCD

Conditions:
This error message is seen when a power supply that is unsupported or unidentified on the particular platform is inserted or powered on.

Impact:
Since the power supply would be unsupported on the platform under consideration, it will not supply power to the device. All power supply related sensor readings will be unavailable.

Recommended Action:
Replace the unsupported power supply with a good or supported one. We can hot-plug the power supply and in ~30 secs all sensor reading will be available.

012a0060 : Power supplies do not match.

Location:
/var/log/ltm, LCD

Conditions:
Two power supplies of different makes or models are installed and do not interoperate correctly, resulting in an unsupported power supply mismatch.

Impact:
None.

Recommended Action:
Confirm that the power supplies you installed were intended to be used on your platform.

012b0021 : Executable %s version '%s'.

Location:
/var/log/gtm

Conditions:
This log occurs during the big3d installation. In the event that the modification time stamp of big3d under /shared/bin is up to date and its signature is correct, the versions of /shared/bin/big3d and /usr/sbin/big3d are retrieved and written to the log file. This is done to ensure that we copy /usr/sbin/big3d over to /shared/bin/big3d when the version of /usr/sbin/big3d is newer than /shared/bin/big3d.

Impact:
Allows user to verify version types of /shared/bin/big3d and /usr/bin/big3d, so they can manually copy /usr/bin/big3d to /shared/bin/big3d if the time stamp and version of /usr/bin/big3d are more more recent, or if the signature of /shared/bin/big3d fails.

Recommended Action:
Solution Referenced From: https://support.f5.com/csp/article/K13703

Verify Time Stamp

stat /shared/bin/big3d
stat /usr/sbin/big3d

Verify Version
 
/shared/bin/big3d -v
/usr/sbin/big3d -v

or

cat /var/log/gtm


Copy over /usr/bin/big4d if these cases are true
/usr/sbin/big3d modification time > /shared/bin/big3d modification time
or
/usr/sbin/big3d version > /shared/bin/big3d version

tmsh stop /sys service big3d && cp -a $(which big3d) /shared/bin/ && tmsh start /sys service big3d

012b0022 : Executable %s version is newer than %s.

Location:
/var/log/gtm

Conditions:
This log occurs during the big3d installation. In the event that the modification time stamp of big3d under /shared/bin is up to date and its signature is correct, the versions of /shared/bin/big3d and /usr/sbin/big3d are retrieved and written to the log file. This is done to ensure that we copy /usr/sbin/big3d over to /shared/bin/big3d when the version of /usr/sbin/big3d is newer than /shared/bin/big3d.

Impact:
Allows user to verify version types of /shared/bin/big3d and /usr/bin/big3d, so they can manually copy /usr/bin/big3d to /shared/bin/big3d if the time stamp and version of /usr/bin/big3d are more more recent, or if the signature of /shared/bin/big3d fails.

Recommended Action:
Solution Referenced From: https://support.f5.com/csp/article/K13703

Verify Time Stamp

stat /shared/bin/big3d
stat /usr/sbin/big3d

Verify Version
 
/shared/bin/big3d -v
/usr/sbin/big3d -v

or

cat /var/log/gtm


Copy over /usr/bin/big4d if these cases are true
/usr/sbin/big3d modification time > /shared/bin/big3d modification time
or
/usr/sbin/big3d version > /shared/bin/big3d version

tmsh stop /sys service big3d && cp -a $(which big3d) /shared/bin/ && tmsh start /sys service big3d

012b0023 : Executable %s SELinux context error (%s).

Location:
/var/log/gtm

Conditions:
The big3d daemon has started on a device that has implemented big3d's custom SELinux policy, and big3d has determined that the big3d executable at the given path does not have the correct SELinux file context. Or ,big3d encountered an error when attempting to retrieve said file's context.

This message may also occur if big3d is unable to determine whether it is on a system that has implemented big3d's SELinux policy

Impact:
Big3d rejects the file at the given path as a valid big3d executable and attempts to test the other big3d executable for validity (either the path of the running big3d instance or /shared/bin/big3d).

Recommended Action:
Use "ls -Z /shared/bin/big3d" to verify that the context of said file is either "big3d_exec_t" (for bigip versions 14.1 or later) or "default_t" (for pre 14.1). If this value is incorrect, "restorecon /shared/bin/big3d" should be able to correct the issue. It is recommended that you restart big3d after performing this action (bigstart restart big3d). Restarting big3d can temporarily affect the state of GTM monitors.

Verify the above is also true for /usr/sbin/big3d however a pre 14.1 bigip version will instead have "bin_t" or "sbin_t" in this case.

012b101e : Dropping a message received from an unknown connection type from %s.

Location:
/var/log/gtm

Conditions:
iQuery has received a message from a client that had not properly configured its connection.

Impact:
The iQuery connection from the unknown connection is dropped.

Recommended Action:
None.

012b101f : Deleted connection %s.

Location:
/var/log/gtm

Conditions:
A big3d iQuery connection was removed from the connection list.

Impact:
The connection is closed, for any number of reasons.

Recommended Action:
See other log messages for more details.

012b2007 : %s: Begin xml broadcast

Location:
/var/log/gtm

Conditions:
big3d is set to debug logging and has begun broadcasting a message (usually the results of a probe) to the instances of gtmd that it is aware of. The string before the colon indicates which method is being used to send the message.

Impact:
None.

Recommended Action:
Disable debug logging in big3d if it is not required for informational purposes. This can be done via the command "tmsh modify sys db log.big3d.level value [desired_logging_level]".

012b2008 : %s: End xml broadcast

Location:
/var/log/gtm

Conditions:
big3d is set to debug logging and has finished broadcasting a message (usually the results of a probe) to the instances of gtmd that it is aware of. The string before the colon indicates which method was used to send the message.

Impact:
None.

Recommended Action:
It is advised to disable debug logging in big3d if it is not required for informational purposes. This can be done via the command "tmsh modify sys db log.big3d.level value [desired_logging_level]".

012b2009 : Skipped xml broadcast to: %s reason: %s

Location:
/var/log/gtm

Conditions:
big3d is set to debug logging and has skipped sending a broadcasted message to the specified instance of gtmd for the reason given. It is worth noting that none of the reasons that can be given necessarily indicate an error state. This is simply reporting the status of a normal operation.

Impact:
The message can be used to help diagnose an error observed elsewhere.

Recommended Action:
It is advised to disable debug logging in big3d if it is not required for informational purposes. This can be done via the command "tmsh modify sys db log.big3d.level value [desired_logging_level]".

012b200a : Failed to send xml message: %s

Location:
/var/log/gtm

Conditions:
big3d has attempted to send a message to a gtmd instance but was unable to do so, due to the indicated reason. In many cases this will be due to an SSL error with the connection.

Impact:
The effects of a failed message send can manifest in many different ways including, but not limited to, a server being incorrectly marked down on some of the Global Traffic Manager (GTM) systems in a sync group.

Recommended Action:
Use the information provided in this message and in other log messages to determine what the error is and attempt to address from there. Debug logging can be enabled by running the command "tmsh modify sys db log.big3d.level value debug" to assist with this. In many (but not all) cases, the error will be an SSL error, which will be indicated by a debug log message immediately preceding this one.

012b3005 : Error encountered while opening SSL certificates %s.

Location:
/var/log/gtm

Conditions:
There was an error while big3d was attempting to load the SSL certificates and keys. The message includes the error from the system call.

Impact:
It is unlikely that big3d will be able to accept SSL connections from remote clients since it is unable to load the SSL certificates.

Recommended Action:
Examine the error message and resolve the issue with the certificates.

012b3007 : SSL Context created using minimum TLS version %s, SSL cipher list '%s'.

Location:
/var/log/gtm

Conditions:
This is a "notice" message. It is generated once at start up and lists the SSL parameters in use at the time.

Whenever the big3d DB variable "big3d.ssl.cipherlist" or "big3d.minimum.tls.version" is set, a new SSL Context is created and this message is displayed.

Impact:
No impact. This message is for information and troubleshooting only.

Recommended Action:
None.

012b3008 : SSL Context Cipher list set to: %s.

Location:
/var/log/gtm

Conditions:
The SSL context cipher list has been set or changed.

Impact:
None. This message is informational only.

Recommended Action:
None.

012b3009 : SSL Context minimum TLS Version set to: %s.

Location:
/var/log/gtm

Conditions:
The SSL Minimum TLS Version has been set or changed.

Impact:
None. This message is informational only.

Recommended Action:
None.

012b300a : SSL Cipher list converted from:'%s' to:'%s'

Location:
/var/log/gtm

Conditions:
big3d has corrected a cert list by removing redundant escape characters. Because valid cipher lists can contain the '!', it must be escaped at the command line.

Impact:
None. This message is informational only.

Recommended Action:
None.

012b300a : SSL Context Cipher list converted from:'%s' to:'%s'

Location:
/var/log/gtm

Conditions:
The SSL Cipher List value contains embedded escape characters (\).

Impact:
The message contains the escaped and unescaped string.

Recommended Action:
None.

012b300b : Replacing iQuery connection (%s:%d) with connection (%s:%d)

Location:
/var/log/gtm

Conditions:
A replacement iQuery connection has been created to a big3d.
The included information will be
Replacing iQuery connection (1.2.3.4:1) with connection (1.2.3.4:2)
The IP address is the remote GTM.
The number following the ":" is the connection ID assigned by big3d.

Impact:
The included information in the message is "Replacing iQuery connection (1.2.3.4:1) with connection (1.2.3.4:2)", where the IP address is the remote GTM, and the number following the ":" is the connection ID that big3d assigns. This is a debug message only.

Recommended Action:
None

012b300c : iQuery connection with id %d not found.

Location:
/var/log/gtm

Conditions:
big3d has attempted to shift probe and monitor requests from an old connection to a new connection but cannot find the old connection.

Impact:
This is expected to happen, depending upon timing issues, and does not indicate a serious error.The impact is that pending probes and monitors are not able to be shifted to a new connection. When the pending probe or monitor in question is run, the results are broadcast to all connections rather than to the requester.

Recommended Action:
None.

012b300d : Error setting SSL Cipher list to: %s, previous value (%s) remains in effect.

Location:
/var/log/gtm

Conditions:
big3d is unable to set the SSL cipher list to the desired value.

Impact:
The desired cipher list is not set, and the previous value is used instead. This might be due to an error in specifying the cipher list or due to the cipher not being available. Connections will remain up.

Recommended Action:
Use iqtest or OpenSSL tools to determine a valid cipher list.

012b300e : SSL Error: %s on connection to %s.

Location:
/var/log/gtm

Conditions:
An SSL error occurred during SSL connection setup.

Impact:
The connection has failed. The error string as reported by the SSL library is output, as well as the IP address of the client.

Recommended Action:
Examine the reported error string to determine the appropriate corrective action.

012b300f : Error setting SSL Context options.

Location:
/var/log/gtm

Conditions:
There is an unexpected error when setting the SSL Context options during SSL context creation.

Impact:
The SSL context is not created. New connections will not be established.

Recommended Action:
None. This is an unexpected error and there is no troubleshooting possible.

012b3010 : The specified TLS version (%s) is not a valid selection, SSL CTX not changed.

Location:
/var/log/gtm

Conditions:
The value of the db variable: big3d.minimum.tls.version is invalid.

Impact:
The invalid value is not used. The previous setting is retained.

Recommended Action:
Specify a valid value for the db variable.

012b3011 : Found an unexpected connection of type %d when looking for a GTM connection.

Location:
/var/log/gtm

Conditions:
An attempt was made to replace a non-GTM iQuery connection with a new GTM iQuery connection.

Impact:
The replacement iQuery connection continues to operate. The old connection will be terminated normally. This is a debug message, as it is unlikely to happen and serves as a sanity check.

Recommended Action:
None.

012b3014 : Routine renegotiation of SSL connection with %s completed.

Location:
/var/log/gtm

Conditions:
Indicates the completion of an iQuery SSL connection renegotiation.

Impact:
This message is informational only.

Recommended Action:
None.

012b3100 : CRL file %s created, enabling CRL validation on all remote iQuery connections.

Location:
/var/log/gtm

Conditions:
The CRL File was created.

Impact:
CRL Validation checking is enabled for all iQuery connections. Existing iQuery connections might be reverified against the current set of CRLs if configured to do so.

Recommended Action:

012b3101 : CRL file %s removed, disabling CRL validation on all remote iQuery connections.

Location:
/var/log/gtm

Conditions:
The CRL file was deleted.

Impact:
CRL Validation is disabled for all iQuery connections.

Recommended Action:

012b3102 : CRL file %s was updated, replacing iQuery CRLs.

Location:
/var/log/gtm

Conditions:
The CRL file's timestamp was updated.

Impact:
The list of CRLs that Big3d was using is removed, and the current CRLs in the CRL File are used instead. Reverification of existing iQuery connections might occur if configured to do so.

Recommended Action:

012b3103 : CRL file %s contains no CRLs, or an invalid CRL. Remote iQuery connections may be rejected.

Location:
/var/log/gtm

Conditions:
The provided CRL file contains no valid CRLs (meaning that the file is either corrupted or empty).

Impact:
All iQuery connections are rejected.

Recommended Action:
Use either of the following workarounds:

-- Disable CRL validation by deleting the CRL file.
-- Add CRLs to the CRL file.

012b3104 : Unable to allocate memory for crl: %s.

Location:
/var/log/gtm

Conditions:
Big3d is out of memory when trying to allocate memory for CRLs.

Impact:
Various issues can occur due to big3d being out of memory:
-- At start up while trying to allocate memory for the name of the CRL file.
-- Trying to allocate memory while running the lookup for the CRL store.
-- Allocating memory for strings that are used in login.

Recommended Action:

012b3104 : %s: out of memory.

Location:
/var/log/gtm

Conditions:
Big3d is out of memory.

Impact:
Big3d is unable to properly utilize CRL validation.

Recommended Action:

012b3105 : CRL from issuer %s has expired.

Location:
/var/log/gtm

Conditions:
A client iQuery connection certificate's best-matching CRL is expired (its NextUpdate field is in the past). Since the best-matching CRL is not used, the client iQuery connection is rejected.

Impact:
A client iQuery connection is rejected or closed.

Recommended Action:

012b3106 : CRL from issuer %s will expire on %s.

Location:
/var/log/gtm

Conditions:
A CRL in the CRL File will expire soon.

Impact:
When the CRL expires, reverification of existing iQuery connections occurs, and if there is not a non-expired best-matching CRL, an iQuery connection might be rejected or closed (unless configured otherwise).

Recommended Action:
Update CRL file with a new CRL.

012b3107 : Using expired CRL from issuer %s.

Location:
/var/log/gtm

Conditions:
A client iQuery connection certificate's best-matching CRL is expired (its NextUpdate field is in the past), but due to the current configuration, this field is ignored.

Impact:
A CRL that is expired (NextUpdate in the future) is still checked for a given certificate's revocation status.

Recommended Action:

012b3108 : CRL from issuer %s is not yet active, will become active %s.

Location:
/var/log/gtm

Conditions:
A client iQuery connection certificate's best-matching CRL is not yet active (its LastUpdate field is in the future). Since the best-matching CRL is not used, the client iQuery connection is rejected.

Impact:
An iQuery connection is rejected or closed.

Recommended Action:

012b3109 : Using not yet active CRL from issuer %s.

Location:
/var/log/gtm

Conditions:
A client iQuery connection certificate's best-matching CRL is not yet active (its LastUpdate field is in the future), but due to the current configuration, this field will be ignored.

Impact:
A CRL that is Not-Yet-Active (LastUpdate in the future) is still checked for a given certificate's revocation status.

Recommended Action:

012b310a : CRL not found for certificate with subject %s from issuer %s.

Location:
/var/log/gtm

Conditions:
Big3d is unable to find a CRL whose issuer matches the issuer of the certificate provided by an incoming client connection.

Impact:
An iQuery connection is rejected or disconnected.

Recommended Action:
Update the CRL file to contain a CRL for the provided certificate issuer.

012b310b : Certificate with subject %s from issuer %s is revoked.

Location:
/var/log/gtm

Conditions:
Big3d received a connection with a certificate that was found to be revoked via the CRL file.

Impact:
An iQuery connection will be denied, unless configured otherwise.

Recommended Action:
Configuration can be changed to allow connections utilizing revoked certificates.

012b310c : Certificate with subject %s from issuer %s will not be rejected due to revocation status.

Location:
/var/log/gtm

Conditions:
Big3d received a connection with a certificate that was found to be revoked via the CRL file, but due to the configuration, the connection will still be allowed.

Impact:
An iQuery connection will be established despite the certificate provided being revoked.

Recommended Action:
This is due to a configuration of the DB variable or the command-line arguments passed to Big3d. Change the configuration if you do not want revoked certificates to be accepted.

012b310d : Error in %s: Unable to get current time.

Location:
/var/log/gtm

Conditions:
Unable to get the current system time while trying to set a timer to reverify existing iQuery connections, in compliance with db variables
-- big3d.ssl.reverify_on_crl_becoming_active.
-- big3d.ssl.reverify_on_crl_expiring.

Impact:
iQuery reverification may not occur when a CRL expires or becomes active.

Recommended Action:
None.

012b310e : Will reverify all SSL connections in %ld seconds.

Location:
/var/log/gtm

Conditions:
The system will reverify the existing iQuery connections in the specified number of seconds based on the DB variables:
-- iquery-reverify-on-crl-expiring.
-- iquery-reverify-on-crl-becoming-active.

Impact:
Existing iQuery connections will have the SSL certificates that were used during initial connection establishment reverified, and potentially disconnected.

Recommended Action:
No work around, as this is expected, configurable behavior.

012b310f : Unable to reverify the iQuery connection to %s: Cannot verify the peer certificate.

Location:
/var/log/gtm

Conditions:
A problem occurs while trying to reverify an existing iQuery connection.

Impact:
The iQuery connection is not verified and will be disconnected.

Recommended Action:
None.

012b3110 : Certificate validation failure. The iQuery connection to %s has been closed.

Location:
/var/log/gtm

Conditions:
An iQuery connection is being disconnected due to CRL reverification or renegotiation failure.

Impact:
iQuery connection is being closed down.

Recommended Action:
None.

012b3111 : %s: Error converting time

Location:
/var/log/gtm

Conditions:
An error occurred while attempting to compare the times on CRLs.

Impact:
Potentially unable to set a timer to reverify existing iQuery connections when a CRL expires or becomes active.

Recommended Action:
Restart Big3d.

012b400b : Moved %d pending and %d active probers from connection %u to connection %u

Location:
/var/log/gtm

Conditions:
N pending and N active probers have been moved from an old iquery connection ID to a new iquery connection ID.

Impact:
big3d sends an information message.

Recommended Action:
None.

012b7010 : No Route Domain support, cannot create a listener for Route Domain %u.

Location:
/var/log/gtm

Conditions:
big3d is unable to detect support on this BIG-IP for route domains, yet there are route domains configured. This should not be possbile.

Impact:
big3d will not listen for connections on non-zero route domains.

Recommended Action:
It is possible that the wrong version of big3d has been loaded on this BIGIP.
Check the running version via the command:
/shared/bin/big3d -v
to make sure it is the expected version.
If it is not the desired version, remove it and allow the default version to run via:
bigstart stop big3d
rm /shared/bin/big3d
bigstart start big3d

012c0004 : Lost connection with MCP: %d ... Exiting

Location:
/var/log/ltm. Not in GUI or console.

Conditions:
This is an internal error indicating that the bcm56xxd daemon lost communication with the mcpd process.

Impact:
The bcm56xxd daemon will restart. That will bounce all external interfaces.

Recommended Action:
No workaround, this is an internal error. Look in /var/log/ltm or /var/tmp/mcpd.out for any indication of why the mcpd process stopped communicating or restarted.

012c0010 : BCM56XXD driver error

Location:
/var/log/ltm

Conditions:
Various error logs associated with errors encountered by the switch daemon when attempting to configure the switch.
Some typical examples are:
    "Vlan %s invalid vid", vlan_name
    "Unable to set mac address for unit=%d, port=%d",unit, port
    "Unable to set bundle state for interface %s", name
    "Cannot set flow control for %s", name

Impact:
The switch daemon might not correctly configure the switch based on the existing configuration.

Recommended Action:
Verify that these errors relate to platform-specific configuration issues, or system instability. If the issue persists across daemon or system restarts, a support ticket should be filed.

012c0011 : BCM56XXD SDK error

Location:
/var/log/ltm.

This message is not available in the GUI or the console.

Conditions:
This message indicates that the Broadcom SDK library runs into an error condition when executing a command from the BIG-IP system's bcm56xxd switch daemon to configure broadcom switch.

Impact:
Typically this message indicates a critical error that prevents the broadcom switch from operating at the proper configuration required by BIG-IP. It might impact packets passing on some production traffic, or statistics reporting. Often, bcm56xxd also logs another error message, indicating which application level API is failing.

Recommended Action:
This error rarely occurs. When it does occur, in some cases restarting bcm56xxd ("bigstart restart bcm56xx"), or rebooting the box, will resolve the issues. Otherwise, the error persists after a bcm56xxd restart or reboot, and if it affects production traffic, an SR should be submitted to the F5 support team.

012c0012 : BCM56XXD info

Location:
/var/log/ltm

Conditions:
These messages occur during the normal initialization process of the bcm56xxd daemon. They are used to track the initialization progress of the daemon.

Impact:
None, these are informational messages only.

Recommended Action:
None.

012c0013 : BCM56XXD starting

Location:
/var/log/ltm

Conditions:
Anytime the bcm56xxd daemon starts up as a result of booting or restarting. This message is just a marker to indicate that bcm56xxd has begun executing.

Impact:
No impact, informational only

Recommended Action:
None.

012c0014 : SAMPLE: bcm56xxd - Exiting...

Location:
/var/log/ltm

Conditions:
This message occurs as a result of an orderly bcm56xxd daemon shutdown. The shutdown can occur as a result of the 'bigstart restart' or 'bigstart stop' commands or a self-initiated restart to affect an interface bundling change.

Impact:
None, this is informational only.

Recommended Action:
None.

012c0015 : Link: %s is %s

Location:
/var/log/ltm

Conditions:
Reporting link status of an interface. This is not an error, but an informational message.
Link status can be "DISABLED" "UP" "UNPOPULATED" or "DOWN"

UP means the interface is enabled, communicating and has link.
DOWN means the interface is enabled, but is not able to establish link.
UNPOPULATED means there is no optic inserted in the interface.
DISABLED means the interface is administratively disabled.

Impact:
No impact, informational only.

Recommended Action:
None.

012c0016 : BCM56XXD SDK info

Location:
/var/log/ltm

Conditions:
These messages occur during the normal initialization process of the bcm56xxd daemon. They are used to track the initialization progress of the daemon.

Impact:
None, these are informational messages only

Recommended Action:
None.

012c0023 : Optic in wrong port

Location:
/var/log/ltm, LCD

Conditions:
An F5 optic is plugged into the wrong port on a platform that 1) uses F5 optics to validate the optical transceivers plugged into the external interfaces, and 2) supports this specific F5 optic.

Impact:
The port does not come up.

Recommended Action:
On a platform that uses F5 optics to validate optics (currently a B4400 or an i15X000 Series platform), move the optic to a supported interface. For example, move a 100G optic to a 100G port, or a 40G optic to a 40G port. The optic will function.

012c0024 : Optic Warning

Location:
/var/log/ltm, CLI, LCD

Conditions:
The error message "Unsupported optic in interface %s." occurs when an optic that is unsupported on the respective platform is plugged into any of its front panel interfaces.

Impact:
The respective front panel interface into which this optic is plugged will be disabled, to avoid any possible hardware damage to the optic.

Recommended Action:
None.

012c0025 : F5 Optics not supported on platform

Location:
/var/log/ltm

Conditions:
The error message "Optic %s in Interface %s: Unsupported on platform." is seen when an optic that is unsupported on the respective platform is plugged into any of its front panel interfaces.

Impact:
The respective front panel interface into which this optic is plugged in will be disabled to avoid any possible hardware damage to the optic.

Recommended Action:
None.

012d0007 : Lost connection with MCP: %08x

Location:
/var/log/ltm

Conditions:
This happens when eventd's attempt to make a connection to MCP fails. This is most likely because MCP is down.

Impact:
MCP is down so eventd cannot make a connection to it.

Recommended Action:
Check MCP daemon log to see why it's down. The work around is to restart MCP.

012e0029 : The configuration was successfully loaded.

Location:
/var/log/ltm

Conditions:
This is a deprecated message that was used by bigpipe (prior to tmsh) to indicate successful configuration loads.

Impact:
Cosmetic.

Recommended Action:
None.

01300001 : RAMCACHE Initialize - Not enough memory available to create the cache. Please try reducing the cache size and max entries

Location:
/var/log/ltm

Conditions:
A low or out of memory condition.

Impact:
Caching is disabled.

Recommended Action:
Reduce memory usage in other profiles. Use of memory statistics to find profiles or systems that use or reserve too much memory is advised.

01300002 : RAMCACHE Response - Too many Cache-Control headers in response, max is %d.

Location:
/var/log/ltm

Conditions:
If an HTTP response contains multiple cache-control headers, it is possible for the total number of cache-control headers to exceed the maximum allowed.

Impact:
All of the cache-control headers are ignored.

Recommended Action:
Reduce the number of cache-control headers.

01300003 : RAMCACHE - Header too long. Header %d of length %d exceeds the max %lu bytes.

Location:
/var/log/ltm

Conditions:
At least one cache-control header field exceeds the maximum size allowed by RAM cache.

Impact:
The response is not cachable.

Recommended Action:
Modify the response to have shorter cache-control lines.

01310027 : ASM subsystem error (%s,%s): %s

Location:
/var/log/asm

Conditions:
This generic error might indicate any fault encountered by ASM control plane daemons, such as asm_start, asm_config_server.pl, asmlogd, and asmcrond.

Impact:
ASM control plane daemons encountered a fault and might restart.

Recommended Action:
ASM logs should be investigated for other issues encountered.

01330024 : Regular expression compilation failed on recv string: %s

Location:
/var/log/gtm

Conditions:
The user-supplied string has escape characters that were not properly converted.

Impact:
The standard C library function regcomp() fails, and tmonitor that owns the recv regex string will not be monitoring as the user intended.

Recommended Action:
Ensure that you escape the characters and the escape sequences. If the problem persists, you might need the latest hotfix.

01330025 : Unable to get a session to cache for %s:%d

Location:
/var/log/gtm

Conditions:
A SSL session cache entry is not found for a specific connection.

Impact:
This is a NOTICE log message.

Recommended Action:
None

01340001 : HA Connection with peer %la:%d for traffic-group %s established.

Location:
/var/log/ltm

Conditions:
HA HELLO message is successfully processed.

Impact:
HA connection is successfully established. HA system compatibility check is done. Not an error.

Recommended Action:
None.

01340002 : HA Connection with peer %la:%d for traffic-group %s lost

Location:
TMM log files.

Conditions:
Indicates that the mirroring connection with the peer was dropped. This error only occurs if the connection was up, and subsequently lost. This message might indicate that the peer is rebooting, including for administrative action, network failures, and failures within mirroring.

Impact:
This message can occur during initial startup, and does not indicate an error unless it repeats or is not explicable by administrative reboots. When loss of mirroring connectivity occurs, L7 mirrored flows are no longer mirrored. New connections are mirrored as normal.

The connection will automatically be recreated. If errors recur, refer to the workaround. If this error occurs sporadically, it might be related to bursts of client traffic. Use the workarounds to ensure that the bandwidth and the statemirror.queuelen support the traffic bursts.

Recommended Action:
Ensure that the channel bandwidth supports the needed volume. For example, if mirroring 10G of traffic across a 1G link, this error will recur until the mirroring connection supports the amount of data that needs to be mirrored. Also, adjust the database statemirror.queuelen as appropriate for your platform and mirroring needs.

01340003 : Cluster error: %s

Location:
/var/log/ltm

Conditions:
This error category is used for critical errors in communication between TMM threads,
specifically by MPI proxy.

Impact:
The system may be in an unpredictable state.

Recommended Action:
All occurrences of this error should be reported to TMM developers.

01340004 : HA Connection detected dissimilar peer: local npgs %u, remote npgs %u, local npus %u, remote npus %u, local pg %u, remote pg %u, local pu %u, remote pu %u. Connection will be aborted.

Location:
/var/log/ltm

Conditions:
This message appears when attempting to mirror dissimilar peers. This message indicates a different number of tmms between two HA peers, for example, mirroring from a BIG-IP appliance with 8 tmms to an appliance with 12 tmms. This message also appears when the blades in two chassis are in different locations, or when VCMP guests are on different slots on the same tmms.

Impact:
HA config sync functions normally, but mirroring is not operational. If failover occurs, connections will be lost.

Recommended Action:
Mirroring is only supported between similar peers. For VCMP, guests must be on the same slots on the same physical blades. For appliances, mirroring is only supported between appliances with the same number of tmms.

01340007 : HA Connection with peer %la:%d for traffic-group %s closing.

Location:
/var/log/ltm

Conditions:
This message appears when HA connection is closing. Usually this means that one of the peers might've gone inactive.

Impact:
HA mirror is not available for these HA peers.

Recommended Action:
No workaround available. Verify that HA peers can communicate with each other and are both available. Virtual server serving mirrored traffic has to have mirror enabled.

01340009 : HA reconnect with peer %la:%d for traffic-group %s postponed.

Location:
/var/log/ltm

Conditions:
A reconnect attempt on an HA channel was rescheduled. This normally should not happen. There is no direct path leading to this situation in the system. Rare occurrences of this message indicate an inconsequential issue. Multiple messages can indicate a lock up.

Impact:
It is an information message. It can indicate a lock up if it appears multiple times.

Recommended Action:
None.

01340012 : HA context missing for %s on virtual %s

Location:
/var/log/ltm

Conditions:
The current and next-active device configurations are probably not in sync. A possible reason is that a profile assigned to the virtual server on the next-active device does not exist on the active device. As a result, the active device does not send HA context, which the next-active device requires for the assigned profile.

Impact:
Mirrored connections that cannot find an expected HA context on the next-active device are not established on that device.

Recommended Action:
Resolve configuration differences between the current and next-active devices.

01360008 : ERROR: Cannot connect to GWM server %s; Will try it again in 30 seconds.

Location:
/var/log/ltm

Conditions:
This message is logged when the SASP monitor daemon loses connectivity with a Group Workload Manager (GWM) server. The GWM server might be down, or improperly configured, or the SASP monitor might be improperly configured.

Impact:
This message indicates that the SASP monitoring daemon is not receiving GWM health monitor status updates. The SASP monitor has lost connectivity with a GWM server, and will attempt to reconnect. No further GWM health results for SASP monitoring will be received until this connection is restored.

This might be normal behavior when user-initiated activity has (temporarily) taken the GWM server offline (such as to perform configuration or other administrative activities), or might indicate a configuration error or failure of a network resource.

Recommended Action:
No recommended action in the case where user-initiated activities temporarily remove from service the GWM server, as SASP monitoring will automatically be restored when the GWM server is placed back into service.

When this error is unexpected (such as not resulting from user-initiated action on the GWM server), the user should verify the configuration of the SASP monitor; and verify configuration and availability of the GWM server. Upon repairing an improper GWM server configuration or making the GWM server available, SASP monitoring should resume automatically.

01380002 : Certificate '%s' in file %s will expire on %s

Location:
/var/log/ltm
console

Conditions:
The warning message is directly printed on the console right after the "checkcert" command is given.
The certificate specified in the warning message is going to expire within one month.

Impact:
The warning message doesn't indicate any error. It is to remind the user to update the certificates that will expire soon. If the user doesn't take any action, then those certificates will expire and it could fail some of the certificate verification process and hence fail the SSL connections that rely on these certificates.

Recommended Action:
Renew or remove the expiring certificates.

013a0004 : %s

Location:
/var/log/ltm, stdout

Conditions:
A clusterd is emitting a log message at log level ERROR.

Impact:
An ERROR log message is emitted from clusterd to the /var/log/ltm and to stdout.

Recommended Action:
None.

013a0005 : %s

Location:
/var/log/ltm

Conditions:
A clusterd is emitting a log message at log level WARNING.

Impact:
A WARNING log message is emitted from clusterd to the /var/log/ltm.

Recommended Action:
None.

013a0006 : %s

Location:
/var/log/ltm

Conditions:
A clusterd is emitting a log message at log level NOTICE.

Impact:
A NOTICE log message is emitted from clusterd to the /var/log/ltm.

Recommended Action:
None.

013a0007 : %s

Location:
/var/log/ltm

Conditions:
A clusterd is emitting a log message at log level INFO.

Impact:
An INFO log message is emitted to the /var/log/ltm.

Recommended Action:
None.

013a0008 : %s

Location:
/var/log/ltm

Conditions:
A clusterd is emitting a log message at log level DEBUG.

Impact:
A DEBUG log message is emitted from clusterd to the /var/log/ltm.

Recommended Action:
None.

013a0014 : %s

Location:
/var/log/ltm

Conditions:
A cluster member has transitioned to Slot State FAILED.
This message is emitted only when a clusterd is not receiving packets from peer cluster members on the mgmt_bp. That is, a partial partition on the mgmt_bp has been detected.

Impact:
While the error log message itself is purely informational, the slot on which clusterd has failed will be unavailable until cluster health is restored.

If the user has set sys db clusterd.communicateovertmmbp true:
- The cluster will mend itself when the mgmt_bp partition is dissolved.

If tmm.communicateovertmmbp is set to false:
- The cluster might remain in a degraded state with the partitioned member marking peers FAILED.
- That cluster member will elect itself primary of its own cluster (of size equal to one cluster member).
- This partitioned member will then attempt to usurp, from the majority cluster, the chassis-wide cluster-floating manangement-ip for its newly created minority cluster.
- The unwitting primary of the majority cluster will flap in a primary election loop.

On peers not experiencing the partition, which can still receive packets from the member that cannot, the FAILED member is reported as available and running due to the receipt of packets that the failed member can still send.

No mechanisms are available for the automatic resolution of the inconsistent state encountered in this scenario.
Manual intervention is required.

Thus, if this message is observed when tmm.communicateovertmmbp is false, users are advised that the cluster might encounter an inconsistent state.

Recommended Action:
On the afflicted cluster member, run the following command in order to give the failed slot a chance to rejoin the cluster:
$ bigstart restart clusterd

Watch the output of the following command in order to observe the outcome of restarting clusterd on the failed slot:
tmsh show sys cluster

If the partition on the mgmt_bp has already dissolved when clusterd comes back up on the formerly-failed slot, then the slot will join the cluster as usual.

013a0015 : %s

Location:
/var/log/ltm

Conditions:
"Blade N quorum state increasing from ST_FOO to ST_BAR." is observed.

The clusterd State is increasing, e.g.
from State ST_INITIAL to ST_QUORUM_WAIT,
from ST_QUORUM_WAIT to ST_QUORUM,
from ST_QUORUM to ST_RUNNING,
or from ST_RUNNING to ST_SHUTDOWN,
or from Any Lower State to Any Higher State.

Impact:
Clusterd is transitioning from ST_FOO to ST_BAR, as indicated by the log messages, while simultaneously these log messages are emitted by clusterd.

Recommended Action:
None.

013a0016 : %s

Location:
/var/log/ltm

Conditions:
"Blade N quorum state decreasing from ST_BAR to ST_FOO." is observed.

The clusterd State is decreasing.
The clusterd is transitioning from state ST_BAR to ST_BAZ, where ST_BAR > ST_BAZ according to clusterd.

For example:
to State ST_INITIAL from ST_QUORUM_WAIT,
to ST_QUORUM_WAIT from ST_QUORUM,
to ST_QUORUM from ST_RUNNING,
or to Any Lower State from Any Higher State.

Impact:
Clusterd is transitioning from ST_FOO to ST_BAR as indicated by the log messages, while simultaneously these log messages are emitted by clusterd.

Recommended Action:
None.

013a0018 : "%s"

Location:
/var/log/ltm

Conditions:
A cluster member has transitioned to clusterd Availability State RED.

Impact:
A cluster member is indicating that it has transitioned to Availability State RED.
This coincides with the cluster member reporting a status of Slot Failed.
You might want to investigate the current cluster status with:
(tmos)# show sys cluster

Recommended Action:
Investigate the reason for clusterd transitioning to Availability State RED by grepping the /var/log/ltm for RED.
The reason for the transition follows this Log, as below:
cat /var/log/ltm | grep RED
example:
Apr 3 23:31:33 slot2/sk0 err clusterd[5936]: 013a0018:3: Blade 2 turned RED: Run, HA TABLE offline
Apr 3 23:31:33 slot3/sk0 err clusterd[5659]: 013a0018:3: Blade 3 turned RED: Run, HA TABLE offline
Apr 3 23:31:33 slot4/sk0 err clusterd[4903]: 013a0018:3: Blade 4 turned RED: Run, HA TABLE offline
Apr 3 23:29:52 slot1/sk0 err clusterd[5763]: 013a0018:3: Blade 1 turned RED: Quorum: waiting for lind, HA TABLE offline

013a0019 : %s

Location:
/var/log/ltm

Conditions:
A cluster member has transitioned to clusterd Availability State YELLOW, indicating a transition to cluster state Quorum.

Impact:
The cluster member will not be available until it transitions to Availability State GREEN. The cluster will automatically try to bring the cluster member up to Availability State GREEN, running.

Recommended Action:
None.

013a0020 : %s

Location:
/var/log/ltm

Conditions:
A cluster member has transitioned to clusterd Availability State GREEN.

Impact:
No impact. This notice log purely informational.

Recommended Action:
No workaround is required.
You might wish to run the following command in order to confirm the expected cluster state:
(tmos)# show sys cluster

013a0024 : %s

Location:
/var/log/ltm

Conditions:
The cluster has selected a new cluster member to take on the role of primary cluster member.

The following message is observed:
"Blade N: Changing primary from J to K"
Where N may be any valid slot id of a cluster member,
and J and K may also be the valid slot id of a cluster member, as well as (self) or (none).

Impact:
The cluster member J which was formerly the primary will now be a secondary. The cluster member K indicated in the log message will become the cluster's new primary member.

Recommended Action:
None.

013b0004 : %s

Location:
/var/log/ltm

Conditions:
This is a catch-all error message emitted for any error in the csyncd daemon. On all devices, this daemon watches for certain file changes (such as, copying an ISO image of a new TMOS version to the device) and performs actions as a result of those changes (such as, informing the rest of the system that a new installable ISO is available). On chassis, in addition to this, it ensures that updates on some files (such as the system configuration) are kept in sync across all blades.

Impact:
Variable.

Recommended Action:
Variable.

013b0008 : %s

Location:
/var/tmp/csyncd.out

Conditions:
When csyncd logging is enabled, many events will log messages describing what they are doing. csyncd is the system service that watches the filesystem to take certain actions, such as informing TMOS about an ISO image for a new release copied onto the filesystem. It also synchronizes certain files between blades of a chassis.

Impact:
This is not an error message. Error messages will be logged at a higher log level.

Recommended Action:
None.

013c0004 : %s

Location:
/var/log/ltm

Conditions:
There are many conditions that are reported under the context of this error message.

failure communicating with the mcp daemon - error may include "IO error on recv from mcpd - connection lost"
failure interacting with storage devices - error may include "volumeset does not exist HD1.1", or "Failed to create volumeset"
failure interacting with the system hypervisor - error may include "Fatal error: vcmp_media_insert failed"
failure interacting with the kernel - error may include "audit failed, cannot continue
failure parsing the startup commands - error may include "audit failed, cannot continue

Impact:
Software management will not be possible.

Recommended Action:
- You might be out of disk space and you might encounter this when creating new volumes. Check the amount of available disk space. For more information, see SOL14403: Maintaining disk space on the BIG-IP system (11.x - 12.x).
- If this occurs while trying to load an image or when provisioning a VCMP instance with a new image, the permissions on the image might be incorrect. Make sure that the .iso images in /shared/images have 644 permissions.
- If this occurs on a VIPRION, you may need to re-insert the blade if you recently added it.
- You might need to back up the configuration, re-install new software, and reload the configuration.
- If your hard drive firmware is running version 01.03E01, you might need to obtain a hard drive firmware update from F5, referencing ID363930.

013c0006 : %s

Location:
/var/log/ltm

Conditions:
Image files are being removed from the /shared/images directory.

Example: 013c0006:5: Image (BIGIP-12.1.0.0.0.1434.iso) has a software image entry in MCP database but does not exist on the filesystem.

Impact:
None.

Recommended Action:
None.

013d0006 : cand done

Location:
/var/log/ltm

Conditions:
BIG-IP is shutting down, or the cand daemon is restarting.

Impact:
None, this is informational not an error condition.

Recommended Action:
None.

013e0000 : Tcpdump starting locally on %la:%u from %la:%u

Location:
/var/log/ltm

Conditions:
A tcpdump capture was started directly for a specific tmm.

Impact:
It is just an information message. The output of this tcpdump capture will contain only packets from the single specified tmm.

Recommended Action:
None.

013e0001 : Tcpdump starting bcast on %la:%u from %la:%u

Location:
/var/log/ltm

Conditions:
tcpdump was running to collect some traffic data. This message is internal to the BIG-IP implementation of tcpdump. It can be useful to correlate logs with the .pcap file content.

Impact:
Running tcpdump in a production environment can have some unexpected side effects.

Recommended Action:
None.

013e0002 : Tcpdump stopping on %la:%u from %la:%u

Location:
/var/log/ltm

Conditions:
Tool tcpdump, which was listening on a specific interface, stopped listening due to close, abort, or expire.

Impact:
None.

Recommended Action:
None.

013e0005 : Tcpdump starting remote to %A from %A

Location:
/var/log/ltm

Conditions:
A remote tcpdump session (tcpdump with the --remote-dest option) was started.

Impact:
Remote tcpdump session was started, so captured packets will be sent to the remote destination.

Recommended Action:
None.

013e0006 : Tcpdump to %A failed to connect : %E

Location:
/var/log/ltm

Conditions:
- A remote tcpdump session (tcpdump with the --remote-dest option) was attempted to be started.
- An attempt to connect to the remote destination resulted in a fatal error.

Impact:
Remote tcpdump session could not be started, so captured packets will not be sent to the remote destination.

Recommended Action:
The error code printed in the log message can be used to determine cause for failure. For example, "10" is ERR_RTE, which means there was a routing error. In this case it can be checked to see if the destination is reachable from the BIG-IP system.

A restart of the remote tcpdump session can be attempted to see if the condition is temporary.

013e0007 : Tcpdump stopping remote to %A from %A

Location:
/var/log/ltm

Conditions:
- A remote tcpdump session needs to have been successfully started (tcpdump with the --remote-dest option).
- This remote tcpdump session is now ending, whether it is due to user initiation of close or closure due to network or internal error conditions.

Impact:
The remote tcpdump session will not be functioning anymore, and captured packets will not be sent to the remote destination.

Recommended Action:
This message indicates that the remote tcpdump session is ending.
If it is user initiated, then there is nothing to be done.
If it is not user initiated, then normal troubleshooting using other LTM and TMM log messages can be used to see if the cause can be determined.

The only workaround is to restart the remote tcpdump session if this was not a user initiated closure.

013e0008 : Tcpdump ICMP error Type:%d Code:%d from %A

Location:
/var/log/ltm

Conditions:
- A remote tcpdump session (tcpdump with the --remote-dest option) was started.
- This remote tcpdump session encountered a fatal ICMP error.

Impact:
Remote tcpdump session will be stopped, so captured packets will not be sent to the remote destination anymore.

Recommended Action:
The Type and Code of the ICMP error can be used to determine what kind of a ICMP error was encountered, and actions to mitigate these could be done.
The Type and Code are standard from ICMP RFC 792.

013e0009 : Tcpdump DPT session end error provider:%s id:%d err:%d

Location:
/var/log/ltm

Conditions:
When a tcpdump session was being terminated, an internal, provider-specific error happened in one of the debug providers (such as the "Noise" or "EPVA debug" provider) when that provider was asked to terminate its actions for this tcpdump session.

Impact:
Because this is an internal, provider-specific error, the effects will vary:

1. The debug provider that had the error might continue to use system resources if it did not clean up.

2. The debug provider that had the error might have switched to an internal, inconsistent state, which either prevents any future tcpdump sessions that require debug from this same provider from getting any debug, or causes any future tcpdump sessions to get erroneous debug.

Recommended Action:
As this is an internal, provider specific error,any possible workaround will vary. They may be:

1) Try another tcpdump session, using the "--f5" option and requesting debug from the same provider. This might reset it to an internally-consistent state again.

2) Do not use this debug provider until the next time tmm restarts. Other providers may be used till then.

Note that this might require a restart of tmm if the debug provider does not reset it when invoked again in a new session.

013e000d : AUDIT - %s

Location:
/var/log/audit

Conditions:
The value of the BigDB variable "tcpdump.sslprovider" value has been changed
For example:

[root@BIGIP-4CPU:Active:Standalone] config # tmsh modify sys db tcpdump.sslprovider value disable

In /var/log/audit:
Feb 7 12:58:08 BIGIP-4CPU.f5net.com notice mcpd[6817]: 01070417:5: AUDIT - client tmsh, tmsh-pid-7955, user root - transaction #569947-2 - object 0 - modify { db_variable { db_variable_name "tcpdump.sslprovider" db_variable_value "disable" } } [Status=Command OK]
Feb 7 12:58:08 BIGIP-4CPU notice tmm2[21166]: 013e000d:5: AUDIT - The DB variable tcpdump.sslprovider has been disabled.

Impact:
This is not an error, it is to audit the fact that the dbvar which permits additional ssl debugging information in tcpdump has been changed. The log message looks similar to the following:

Feb 7 12:58:08 BIGIP-4CPU.f5net.com notice mcpd[6817]: 01070417:5: AUDIT - client tmsh, tmsh-pid-7955, user root - transaction #569947-2 - object 0 - modify { db_variable { db_variable_name "tcpdump.sslprovider" db_variable_value "disable" } } [Status=Command OK]
Feb 7 12:58:08 BIGIP-4CPU notice tmm2[21166]: 013e000d:5: AUDIT - The DB variable tcpdump.sslprovider has been disabled.

Recommended Action:
None.

01410000 : %s

Location:
/var/log/ltm

Conditions:
Debugging log message for RTSP.

Impact:
None.

Recommended Action:
None.

01410004 : RTSP: client_port and server_port not paired

Location:
/var/log/ltm

Conditions:
During final transport generation, a BIG-IP system combines what was in the client transport header with what was in the server transport header, and puts the result in the client session. Server parameters win. This is a warning about different server and client parameters.

Impact:
Just a warning.

Recommended Action:
None.

01410005 : RTSP: client_port and server_port not specified

Location:
/var/log/ltm

Conditions:
In the case of unicast or interleaved, no client ports specified.

Impact:
Session aborted.

Recommended Action:
Analyze the RTSP traffic.

01410006 : RTSP: multicast not compatible with unicast or interleaved

Location:
/var/log/ltm

Conditions:
During final transport generation, it turns out that the parameters are incompatible, namely multicast is combined with unicast or interleaved.

Impact:
The session is aborted.

Recommended Action:
Analyze the RTSP traffic.

01410007 : RTSP: incompatible port specifications

Location:
/var/log/ltm

Conditions:
Both multicast port and unicast/interleaved ports specified.

Impact:
Session aborted.

Recommended Action:
Analyze RTSP traffic.

01410008 : RTSP: no multicast port(s) specified

Location:
/var/log/ltm

Conditions:
In the case of multicast, no multicast port(s) specified.

Impact:
Session aborted.

Recommended Action:
Analyze RTSP traffic.

01410009 : RTSP: no multicast address specified

Location:
/var/log/ltm

Conditions:
In case of multicast, no multicast address specified

Impact:
Session aborted.

Recommended Action:
Analyze RTSP traffic.

0141000a : RTSP: Expiring active RTP peer connection

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

0141000b : RTSP: Expiring active RTCP peer connection

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

0141000c : RTSP: Expiring active RTP connection

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

0141000d : RTSP: Expiring active RTCP connection

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

0141000e : RTSP: release RTP peer conn flow

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

0141000f : RTSP: release RTCP peer conn flow

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

01410010 : RTSP: release RTP conn flow

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

01410011 : RTSP: release RTCP conn flow

Location:
/var/log/ltm

Conditions:
Clean up both RTP and RTCP connections because a port is no longer available for one or both connections.

Impact:
Cleanup.

Recommended Action:
None.

01410012 : RTSP: Can't create RTP endpoints: %E

Location:
/var/log/ltm

Conditions:
During connflow setup, RTP endpoints cannot be created.

Impact:
The connflow setup is aborted.

Recommended Action:
Analyze the RTSP traffic.

01410013 : RTSP: Can't create RTCP endpoints: %E

Location:
/var/log/ltm

Conditions:
During connflow setup, RTCP endpoints cannot be created.

Impact:
The connflow setup is aborted

Recommended Action:
Analyze the RSTP traffic.

01410014 : RTSP: Failed to set up sa_entry on client

Location:
/var/log/ltm

Conditions:
While setting up the RTP and possibly RTCP connflows, source address cannot be obtained.

Impact:
Processing is aborted.

Recommended Action:
Analyze the RTSP traffic.

01410015 : RTSP: Can't find a port for media connections

Location:
/var/log/ltm

Conditions:
During processing of RTSP client setup request, port for media connections cannot be found.

Impact:
Event processing is aborted.

Recommended Action:
Analyze RTSP traffic.

01420001 : %s

Location:
/var/log/ltm

Conditions:
TMSH uses this code to indicate internal operation errors, possibly caused by user input. Often, the TMSH session is terminated along with this log message.

Some of the sample error messages for this code include:

1. Errors related to idle timeout.

"Unable to call thread method watch_time_left: "
"Unable to access user tty path"
"Failed to create timeout thread: "

2. Errors related to internal functioning of TMSH. These could also be user input related.

"fatal: <error_string>"
"exception: <error_string>"
"cfg exception: <error_string>"
"std exception: <error_string>"
"unexpected exception"
"boost assertion failed: <error_msg> file: <filename> line: <line_number>"

Impact:
TMSH application exits.

Recommended Action:
None.

01420002 : SAMPLE: tmsh - AUDIT - pid=13324 user=root query_partitions=all update_partition=Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual idnshare3-139

Location:
/var/log/audit

Conditions:
These messages appear whenever tmsh processes a command while auditing is turned on (GUI: system->logs->configuration->options->audit-logging->tmsh).

Impact:
These messages are strictly informational. They simply record the commands received by tmsh (and the success or failure there-of) for later use by auditors.

Recommended Action:
These messages do not represent warning or error conditions. They can be disabled by turning off the audit logging (see Conditions above).

01420003 : "%s"

Location:
/var/log/ltm

Conditions:
1. User sets cli global-settings idle-timeout. This idle timer expires.

The tmsh cli global-settings idle-timeout can be configured to terminate the user sessions. The timeout expiry results in the session termination along with this log generation.

"User idle time out reached; logged out of tmsh."

2. The roles for a user with an ongoing tmsh session changes.

"Your user account role has been changed, you must re-authenticate. Current session has been terminated."

3. User authentication failure.

"Cannot authenticate <username> with mcpd. mcpd did not return a result message elements. Current session has been terminated."

"Cannot load user credentials for user <username>. Current session has been terminated."

// failure to get result message from backend
"<msg> Current session has been terminated."

4. partition-access for the current user has changed.

"Your user account partition-access has been changed, you must re-authenticate. Current session has been terminated."

Impact:
Ongoing tmsh session terminates.

Recommended Action:
None.

01420004 : %s

Location:
/var/log/ltm

Conditions:
This is a user defined log message that allows a user with the role of administrator or resource administrator to log from a tmsh cli Tcl script. See "tmsh help cli script", the section on Logging. The tmsh Tcl script command is tmsh::log

Impact:
None.

Recommended Action:
None.

01420006 : %s

Location:
/var/log/ltm

Conditions:
Errors due to incorrect user entered data, syntax errors, or errors received from the backend database. This error does not result in termination of the TMSH session.

Some error strings include:

- "error opening %s: %s" when processing stats script commands.
- "Invalid input for tmsh idle-timeout: <value>. Value not changed."

Because extensive feature-specific and generic application errors map to this error code, exhaustive coverage of the error messages is not provided.

Impact:
None.

Recommended Action:
None.

01420007 : Certificate '%s' in file %s expired on %s

Location:
/var/log/ltm
console

Conditions:
The warning message is directly printed on the console right after the "tmsh run sys crypto check-cert" command is given.
The certificate specified in the warning message has been expired since the specified date.

Impact:
The expired certificates could fail some of the certificate verification process and hence fail the SSL connections that rely on these certificates.

Recommended Action:
Renew or remove the expiring certificates.

01420008 : Certificate '%s' in file %s will expire on %s

Location:
/var/log/ltm
console

Conditions:
The warning message is directly printed on the console right after the "tmsh run sys crypto check-cert" command is given.
The certificate specified in the warning message is going to expire within one month.

Impact:
The warning message doesn't indicate any error. It is to remind the user to update the certificates that will expire soon. If the user doesn't take any action, then those certificate will expire and it could fail some of the certificate verification process and hence fail the SSL connections that rely on these certificates.

Recommended Action:
Renew or remove the expiring certificates.

01420010 : %s

Location:
/var/log/ltm

Conditions:
A condition occurred in TMSH that might be caused by internal functioning errors, for example: could not connect to back end daemon etc.

Because several system conditions map to this error code, an exhaustive list is not provided. Instead, example error messages appear in the known issue text.

TMSH logs messages with this code when a nonfatal condition occurs for the application. The TMSH session does not terminate when this warning message is logged.

sys config component related warnings
- Failed: ("<message>)"
- "Getting emergency configuration options in /config/.bigip_emergency.conf from the last successful save."
- "Failure to save the temporary SCF. Error message: <message>"

Subscription related warnings
- "subscription cannot establish mcp connection\n"
- "subscription has failed to establish mcp connection. Exception: <message>"
- "subscriber identification failed. Exception: <message>"
- "subscription failed, no response from mcpd\n"
- "subscription failed: <message>"
- "subscription failed to register. Exception: <message>"
- "subscription failed to receive message. Exception: <message>"

master key related warnings
- "Exception during query for initial master key value\n"
- "General exception during query for initial master key value\n"

Impact:
None.

Recommended Action:
None.

01460005 : SAMPLE: promptstatusd - mcpd.running(1) held, wait for mcpd

Location:
This message appears in the LTM log.

Conditions:
The promptstatusd is the system service that keeps the files updated that control the dynamic parts of the bash and tmsh prompts. For example, this includes the part that shows whether the system is active, standby, offline, or waiting to come up.

These messages are of level 'warn', which may indicate that something is wrong. Since promptstatusd is a service that only reports information, it does not indicate a problem with promptstatusd, but with another part of the system. As one example, 'mcpd.running(1) held, wait for mcpd' indicates that mcpd has restarted and that promptstatusd is waiting for it to come up again.

Impact:
promptstatusd will return to a healthy state when the underlying condition is fixed.

Recommended Action:
Other errors, proximate in time, will describe the issue (for example, why mcpd restarted or is having trouble coming up). promptstatusd will return to normal once that issue is resolved.

01460006 : SAMPLE: promptstatusd - semaphore tmm.running(1) held

Location:
This message appears in the LTM log.

Conditions:
The promptstatusd is the system service that keeps the files updated that control the dynamic parts of the bash and tmsh prompts. For example, this includes the part that shows whether the system is active, standby, offline, or waiting to come up.

These messages are of level 'notice', which record state but do not require immediate action. For example, 'semaphore tmm.running(1) held' is a common log message, which means that the TMM is in the process of starting up.

Impact:
These are not error messages. No action is required.

Recommended Action:
These are not error messages. No action is required.

01460007 : SAMPLE: promptstatusd - semaphore tmm.running(1) released

Location:
This message appears in the LTM log.

Conditions:
The promptstatusd is the system service that keeps the files updated that control the dynamic parts of the bash and tmsh prompts. For example, this includes the part that shows whether the system is active, standby, offline, or waiting to come up.

These messages are of level 'info', which record state but do not require immediate action. For example, 'semaphore tmm.running(1) released' is a common log message, which means that the TMM just finished starting up, and things that depend on it are now allowed to proceed with their startup.

Impact:
These are not error messages. No action is required.

Recommended Action:
These are not error messages. No action is required.

01470000 : iSession: Connection error: %s:%u: %s:%d

Location:
/var/log/ltm

Conditions:
A fatal error occurred on an iSession tunnel, producing the following message:
01470000:3: iSession: Connection error: <function>:<line number>:<cause>, <TMM error>.
- The <function>:<line number> text identifies the code location.
- The <cause> text describes the error.
- The <TMM error> text provides the TMM error text.

There are three kinds of iSession tunnels: user data connections, deduplication control connections, and WAN optimization control daemon (wocd) connections.

Fatal errors include deduplication and compression codec errors, memory management errors, and iSession protocol errors.

Impact:
Transient errors on deduplication control connections are common when a deduplication endpoint is initializing. Deduplication connections and wocd connections are automatically re-established after a fatal connection error. User data connections must be re-established by the client application after a fatal connection error.

Recommended Action:
If iSession connection errors persist, verify network connectivity to the iSession peer endpoint associated with the aborted flows.

01470002 : iSession: tunnel %F: connection error: deduplication: unrecognized control message %d

Location:
/var/log/tmm

Conditions:
An iSession endpoint receives an invalid deduplication control message for an iSession connection.

Impact:
The iSession connection aborts.

Recommended Action:
None.

01470006 : iSession: tunnel %F: internal error: %s:%d: %s: %E; connection aborted

Location:
/var/log/tmm

Conditions:
A generic internal iSession error is logged when an error condition occurs that lacks a more specific log message. The message is logged when aborting an iSession; the connection fails to clean up pending deduplication cache hits.

Impact:
Memory associated with deduplication cache hits may leak.

Recommended Action:
None.

01470007 : iSession: internal error: %s:%d: %s: %E

Location:
/var/log/tmm

Conditions:
Unexpected TDR-2 internal errors are logged using this general error message.
The specific error message cause is supplied as an argument to this general error message. The "i_tdr2_detach_dedup_flow" argument indicates a failure to release a reference count for pending TDR-2 cache hit. The "isession_dedup_abort_ack_seg zero seg_idx" argument indicates an invalid segment index value of zero for a TDR-2 cache hit acknowledgement.

Impact:
Both errors described in the Conditions section occur when an iSession connection is being aborted. These errors might occur if datastor has been restarted.

Recommended Action:
If the errors persist, try "bigstart restart tmm".

01480001 : %s

Location:
/var/log/ltm

Conditions:
Contains one of the following:
- "Transaction is already sunk."
- "No transaction in progress to sink."

The message is displayed by the plugin framework when the transaction sinking api is incorrectly used, that is, a plugin signals the end of a L7 request, but it never signalled the start of a L7 request.

Impact:
The plugin affected may not function correctly.

Recommended Action:
Look for a plugin specific workaround.

01480002 : %s

Location:
/var/log/ltm

Conditions:
General high-level error message indicating function or subsystem failure. This is usually due to failure deeper in the system for other reasons.

Impact:
Specific functionality failed, error string indicates failure point.

Recommended Action:
Look for specific subsystem errors in order to determine why the function/subsystem failed.

01480010 : Got a message(%d) for a non existent flow

Location:
/var/log/ltm

Conditions:
A plugin, such as ASM, is configured on the virtual server. When a flow is aborted or expired there might still be control messages from the plugin queued. When the control messages are processed but the aborted flow is not found, this message is logged.

Impact:
None.

Recommended Action:
Investigate why flows are being aborted. Reasons that flows are aborted include external connection resets and the TMM aggressively aborting flows to free memory.

01480024 : Can't bind the flow, waiting for config response on channel %s

Location:
/var/log/ltm

Conditions:
The message appears when traffic is sent to a virtual server that has a plugin profile, and the TMM has not yet completed establishing a connection to the plugin. This usually occurs when there are configuration changes to the virtual server or the plugin. During configuration changes, the TMM and plugin negotiate the plugin configuration. This happens very quickly; however, in instances of high load, the TMM might try to accept a client connection before the TMM connection with the plugin has been established.

Impact:
Connections initiated while the plugin connection is not established will be dropped.

Recommended Action:
A successful configuration update to a virtual or plugin may display this message under high load but only briefly. If the messages persist, the plugin is not responding to the TMM request for a configuration update. The plugin may be restarting or had failed to start. Check the plugin specific configuration and status.

01480031 : headers limited to %d bytes

Location:
/var/log/ltm

Conditions:
A component implemented as a TM plugin failed to configure. The component attempted to subscribe to receive an HTTP header which was longer than supported. It's possible the component is internally subscribing to the long header based on a user configuration.

Impact:
The plugin will fail to configure if the user configuration causes the plugin to subscribe to the long header. This indicates an internal error where the plugin component failed to validate the configuration with appropriate feedback to the user.

Recommended Action:
What headers a plugin subscribes to depends on the component. Check the component configuration for any specification of long headers.

01480052 : Profile %s missing plugin_type field.

Location:
/var/log/ltm

Conditions:
A plugin-related profile is missing an internal field.

Impact:
The profile becomes unusable.

Recommended Action:
The profile does not function, and a different type might need to be used.

01480053 : Profile %s missing tmi_type field.

Location:
/var/log/ltm

Conditions:
A profile is missing the tmi field.

Impact:
The profile is non-functional.

Recommended Action:
Users might be required to pick a different profile.

01480054 : Command %s not registered.

Location:
/var/log/ltm

Conditions:
The tmm is initializing and a TCL command isn't found.

Impact:
The TCL command listed is not available due to missing functionality of the specific TCL command.

Recommended Action:
Don't use the listed TCL command.

01490510 : %s: Initializing Access with max global concurrent access session limit: %d

Location:
/var/log/apm

Conditions:
- When the device boots up.
- When device license is reactivated.
- When add-on license is installed.
- In an HA setup, when the standby unit becomes active the first time.

Impact:
This is not an error message.

Recommended Action:
None.

01490523 : {{Access Profile, %s}{Partition, %s}{Session ID, %s}{Max Concurrent Sessions, %d}} "#0:#1:#2: Initializing Access with max global concurrent connectivity session limit: #3"

Location:
/var/log/apm

Conditions:
- When the device boots up.
- When device license is reactivated.
- When add-on license is installed.
- In an HA setup, when the standby unit becomes active the first time.

Impact:
This is not an error message.

Recommended Action:
None.

01490526 : %s: Initializing Access with max global concurrent connectivity session limit: %d

Location:
/var/log/apm

Conditions:
- When the device boots up.
- When device license is reactivated.
- When add-on license is installed.
- In an HA setup, when the standby unit becomes active the first time.

Impact:
This is not an error message.

Recommended Action:
None.

01490541 : Access using device name: %s and device ID: %.*s.

Location:
/var/log/apm

Conditions:
1. When the device boots up.
2. When the device name is updated.

Impact:
This is an informational message only.

Recommended Action:
None.

01490555 : %s: Initializing Access with max global concurrent url filtering session limit: %d

Location:
/var/log/apm

Conditions:
Message is observed when the URL Filtering license is initialized and the license key is used.

Impact:
This is not an error, but a notice that informs the user that URL Filtering license has been initialized.

Recommended Action:
None.

01490570 : PPP listener local address %A tunnel nexthop is NULL

Location:
/var/log/apm

Conditions:
PPP tunnel connection is disrupted and the nexthop destination is not present.

Impact:
While unbinding the tunnel listener, the NULL tunnel nexthop cannot release.

Recommended Action:
None.

01490572 : %s: API Protection feature is %s

Location:
/var/log/ltm

Conditions:
The AM module is not licensed but a user is trying to access a virtual server configured with API Protection.

Impact:
The request fails.

Recommended Action:
Get a license for the AM module.

01490573 : %s: Ephemeral Authentication feature is %s.

Location:
/var/log/apm

Conditions:
This message is logged indicating whether the Ephemeral Authentication feature is enabled or not. It depends on whether the Privileged User Access license is deployed on a BIG-IP system.

Impact:
When this feature is not enabled, access is denied to resources for which Ephemeral Authentication is applicable.

Recommended Action:
Acquire the Privileged User Access license.

014b0002 : RADIUS: %s error %lE

Location:
/var/log/ltm

Conditions:
If a 'persist' error is indicated, an error has been encountered while the BIG-IP device is attempting to determine what persistence record should be used for the connection. This can have multiple causes: ERR_BUF or ERR_VAL (however that is displayed in log messages) might mean that the RADIUS message is malformed in various ways; whereas, ERR_MEM means that the BIG-IP device was not able to allocate memory to perform an operation. Other values might also be logged.

Currently, 'persist' is the only class of error that is indicated by this message.

Impact:
If a persistence failure is encountered, RADIUS messages will be load-balanced afresh regardless of existing persistence records.

Recommended Action:
If RADIUS messages are arriving malformed, you can disable persistence on the virtual server, or you can fix the equipment sending the malformed messages.

014c0001 : DIAMETER: %s error: %lE

Location:
This error is logged in /var/log/ltm and can take a few forms:

err tmm1[6286]: 014c0001:3: diameter process ingress error Improper version
err tmm4[7361]: 014c0001:3: diameter hud_dime_handle error Prerequisite operation not in progress
err tmm2[15195]: 014c0001:3: diameter rexmit_callback error Hudfilter teardown
err tmm2[15195]: 014c0001:3: diameter process ingress error Not found
err tmm1[8269]: 014c0001:3: diameter process ingress error Illegal value

Conditions:
This message will be logged if an exception arises in the following conditions:
1. The diameter retransmit callback is called and the message cannot be retransmitted.
2. An egress message fails to be rewritten or the i/o queue fails to be processed.
3. The watchdog callback has been called and a signal fails to be sent to the watchdog.
4. The diameter event handler has been called and one of 23 errors occurs. The most common of these is "Prerequisite operation not in progress," which usually occurs if handshake fails.
5. The input cannot be parsed, or the i/o queue cannot be processed on ingress.
6. An invalid AVP query is attempted.

Impact:
In each condition, an error is logged. In all cases except the invalid AVP case, a HUDEVT_ABORTED event is created and handled.

Recommended Action:
1. If the retransmit callback is called and the message cannot be retransmitted, there is no workaround. To mitigate this problem, try increasing the retransmit attempt limit in the profile configuration.
2. If an egress message cannot be written, it's because an AVP is too big or un-parseable. Make sure peer servers are sending well-formed AVPs.
3. If the watchdog callback fails, it's because of an out of memory error. Try reducing traffic on this hardware, or try making changes to the configuration to free more memory, such as removing unneeded iRules or changing the persistence timeout.
4. If a handshake fails, check your network status and ensure proper configuration of the diameter peer that failed the handshake.
5. If parsing the input fails, it means that the input is not properly formed, or an out of memory error has occurred. Check that you have adequate resources and ensure proper configuration of diameter peers. If the error message says "Improper version," make sure the version of tmos you're running supports the messages you're receiving.
6. If an invalid AVP query occurs, a peer has passed an invalid AVP, possibly maliciously. Make sure the diameter peer is properly configured.

014c000f : DIAMETER: Invalid AVP length: %d

Location:
/var/log/ltm

Conditions:
Actual AVP length does not match the declared one.

Impact:
Session aborted.

Recommended Action:
Diameter traffic should be analyzed.

014c0010 : DIAMETER: Invalid AVP code

Location:
/var/log/ltm

Conditions:
Error while configuring diameter profile persistence.

Impact:
Diameter profile persistence should be reconfigured.

Recommended Action:
Diameter profile persistence should be reconfigured.

014c0010 : DIAMETER: Invalid AVP length: %d

Location:
/var/log/ltm

Conditions:
The attribute-value pair (AVP) header's AVP length doesn't match the real AVP content's length.

Impact:
The connection might be reset.

Recommended Action:
None.

014c0011 : DIAMETER: Invalid AVP code

Location:
/var/log/ltm

Conditions:
The Diameter MRF AVP persistence is enabled, and the persistence configuration doesn't provide the correct format such as: avp1[index1]:avp2[index2]:avp3[index3] ...
or the AVP code cannot be found.

Impact:
The persistence won't work and the connection will be aborted. But it should never be in this situation. The MCP validation will catch the error configuration beforehand.

Recommended Action:
None.

014c0012 : DIAMETER: Invalid event

Location:
/var/log/ltm

Conditions:
Unexpected event occurs, for example, a message that is not suitable for a given diameter scenario.

Impact:
Message handling is aborted.

Recommended Action:
Capture the traffic and analyze it.

014c0013 : DIAMETER: Retransmission triggered by timeout for message: AppId %lu HopByHopId %lu from %s

Location:
/var/log/ltm

Conditions:
a DIAMETER request is triggered due to the configurable retransmission_timeout time being exceeded.

Impact:
The configured retransmission action is performed.

Recommended Action:
None.

014c0014 : DIAMETER: Retransmission triggered by result code %d for message: AppId %lu HopByHopId %lu from %s

Location:
/var/log/ltm

Conditions:
A DIAMETER request has been triggered due to the receipt of an error answer message whose result code matches the configurable array retransmission error codes list.

Impact:
The configured retransmission action is performed.

Recommended Action:
None.

014c0015 : DIAMETER: Retransmission triggered by iRule (note '%s') for message: AppId %lu HopByHopId %lu from %s

Location:
/var/log/ltm

Conditions:
A DIAMETER request has been triggered by the execution of the DIAMETER::retransmit iRule command.

Impact:
The configured retransmission action is performed.

Recommended Action:
None.

014c0016 : DIAMETER: Retransmission generated an error answer of %d for message: AppId %lu HopByHopId %lu EndToEndId %lu from %s

Location:
/var/log/ltm

Conditions:
Diameter retransmission has been triggered and the retransmission action for the request message is set to "busy" or "unable".

Impact:
The appropriate error answer message has been generated as per the retransmission action selected.

Recommended Action:
None.

014c0017 : DIAMETER: Retransmission retransmitted request message: AppId %lu HopByHopId %lu from %s

Location:
/var/log/ltm

Conditions:
Retransmission has been triggered and the retransmission action is set to retransmit.

Impact:
The diameter request message is retransmitted.

Recommended Action:
None.

014c0018 : DIAMETER: Message dropped after routing error %s: AppId %lu HopByHopId %lu EndToEndId %lu from %s

Location:
/var/log/ltm

Conditions:
A routing error has occurred occurred and the "discard-unroutable" attribute of the diameter session profile is set.

Impact:
The message is dropped.

Recommended Action:
None.

014c0019 : DIAMETER: Error answer of %d generated after routing error %s: AppId %lu HopByHopId %lu EndToEndId %lu from %s

Location:
/var/log/ltm

Conditions:
A request message has failed to route and the "respond-unroutable" attribute of the diameter session profile is set.

Impact:
An error answer message is generated and sent back to the originator of the request message that failed to route.

Recommended Action:
None.

014c001a : DIAMETER: Message added to Retransmission queue: AppId %lu HopByHopId %lu from %s

Location:
/var/log/ltm

Conditions:
A DIAMETER message has been added to the retransmission queue.

Impact:
None. This is an informational log event used for debugging.

Recommended Action:
None.

014c001b : DIAMETER: Message removed from Retransmission queue: AppId %lu HopByHopId %lu EndToEndId %lu from %s

Location:
/var/log/ltm

Conditions:
A DIAMETER message has been removed from the retransmission queue.

Impact:
This message is used for debugging.

Recommended Action:
None.

014c001c : DIAMETER: Deleting stale pending request entry: original HopByHopId %lu outgoing HopByHopId %lu persistence key %s expected from %A

Location:
/var/log/ltm

Conditions:
The diameter router removed a pending request entry that has exceeded twice the configured transaction timeout. This warning log message is enabled with the log.diameter.level db variable.

Impact:
None.

Recommended Action:
None.

014c001d : DIAMETER: Unexpected answer message arrived: HopByHopId %lu from %A

Location:
/var/log/ltm

Conditions:
A DIAMETER answer message was received that was not expected (no entry exists in the pending request queue). This warning log message is enabled with the log.diameter.level db variable.

Impact:
The unexpected answer message is dropped.

Recommended Action:
None.

014c001e : DIAMETER: Dropping late answer for original request after request retransmitted: HopByHopId %lu from %A

Location:
/var/log/ltm

Conditions:
An answer for the original request is received after the original request has been retransmitted. This warning log message is enabled with the log.diameter.level db variable.

Impact:
The late answer for the original request is dropped.

Recommended Action:
None.

014c001f : DIAMETER: %s transport window for retransmission queue %c or proxy queue %c

Location:
/var/log/ltm

Conditions:
The transport window (TCP window) has started to close or is reopened.

Impact:
The system logs the message when log.diameter.level is set to Informational or lower.

Recommended Action:
None.

014c0020 : DIAMETER: Looped message detected from peer %s

Location:
/var/log/tmm

Conditions:
The BIG-IP LTM system has received a Diameter request that has been seen once before. This happens when a routing loop exists in the Diameter network. This message is generated by the procedure outlined in RFC 6733 section 6.1.3.

Impact:
The BIG-IP system rejects looped Diameter messages. Alternate routing in the network may pass them to a correct destination eventually, but they will impose unnecessary load on the Diameter network.

Recommended Action:
Revise your Diameter network design and eliminate the routing loop. Note that this could cause a service-impacting event.

014c0022 : DIAMETER: Forced down pool member %A:%u as BIG-IP received DPR from it

Location:
/var/log/ltm

Conditions:
A diameter disconnect peer request has been received from a pool member (server peer), and the disconnect_peer_action is set to force_offline.

Impact:
Pool member is forced down and allows existing connections to time out, but no new connections are allowed.

Recommended Action:
None.

014c0023 : DIAMETER: Disabled pool member %A:%u as BIG-IP received DPR from it

Location:
/var/log/ltm

Conditions:
A diameter disconnect peer request has been received from a pool member (server peer), and disconnect_peer_action is set to disable.

Impact:
Pool member is disabled. Pool member continues to process persistent and active connections. It can accept new connections only if the connections belong to an existing persistence session.

Recommended Action:
None.

014e0001 : mysql failure detected, attempting to restart mysql (attempt %d).

Location:
/var/log/ltm

Conditions:
The HA subsystem has detected that the MYSQL Daemon has failed, and is attempting to restart it.

Impact:
Components that use MYSQL will not function correctly until the MYSQL Daemon has restarted successfully.

Recommended Action:
Wait for the restart to complete.

014e0003 : mysql service back online.

Location:
/var/log/ltm

Conditions:
A previous failure of the MYSQL Daemon has recovered.

Impact:
MYSQL sercvices hve been restored.

Recommended Action:
None.

014e0007 : mysqlhad starting to monitor mysqld

Location:
/var/log/ltm

Conditions:
The HA subsystem has begun monitoring the MYSQL daemon. This will occur whenever the MYSQL daemon starts.

Impact:
None.

Recommended Action:
None.

014f0001 : %s

Location:
/var/log/ltm

Conditions:
scriptd is starting.

Impact:
This is not an error message. No action is necessary. The system is likely starting up.

Recommended Action:
None.

014f0002 : %s

Location:
/var/log/ltm

Conditions:
scriptd is stopping.

Impact:
This is not an error message. No action is necessary. The system is likely shutting down.

Recommended Action:
None.

014f0004 : %s

Location:
/var/log/ltm

Conditions:
An error occurred, usually one generated by a running Tcl script. Some of the more common errors are:

"Lost connection to mcpd": mcpd restarted; therefore, scriptd automatically restarted in order to reconnect to it. No action is required.

"stopping worker process (....) socket error": scriptd maintains a pool of processes, and one of these had an issue and therefore was killed. This requires no action; scriptd will start up another one as necessary.

"scriptd, initialization failed": Another scriptd process is running. This is an F5 bug, but one that does not affect system functionality. No action is required.

Impact:
An iApp template or iCall script is likely failing.

Recommended Action:
Examine the error message to determine the issue.

014f000e : Becoming primary cluster member

Location:
/var/log/ltm

Conditions:
scriptd is running on a chassis, and a new blade became the cluster primary. This message prints on the primary blade to indicate that this scriptd instance is now working. (scriptd does nothing on secondary blades.)

Impact:
This is not an error message. No action is necessary.

Recommended Action:
None.

014f0013 : Script (%s) generated this Tcl error: (%s)

Location:
/var/log/ltm

Conditions:
"Script (%s) generated this Tcl error: (%s)"

The first %s in the string is the name of the script that failed. The second %s is the actual error reported by the script.

This is an error in a TCL script used for iCall. This error message will occur at each invocation of the script, which can be periodic or event-triggered depending on iCall configuration.

An error can be:
- Syntax error.
- TCL initialization error.
- Requires iApp and iApp::legacy packages, which failed to load.
- Requires bash access.
- Script failed to complete.

Impact:
This means the iCall script is not working, and whatever its intended purpose was is not being completed. Further impact can only be determined by examining the contents of the script.

Recommended Action:
Read the error appearing after the log entry "generated this TCL error:", and correct the cause of the error. It reports the error from the script that's being run, and should aid in your script troubleshooting efforts. The reported error is script dependent.

If the error message reads "(Syntax Error: A port number or service name is missing for "21", please specify a port number or service name using the syntax "21:<port>".

If the message appears while executing "exec /usr/libexec/aws/autoscale/aws-autoscale-pool-manager.sh" line:1))", it could be due to the pool name having the same name as the autoscale group name. The names need to be different, and changing the pool name or the AWS group name will correct this problem.

If you have passwords or other strings with a $ character in your custom script, the TCL interpreter might be interpreting the string after the $ as a variable, which could also be triggering the error.

014f0017 : Perpetual handler (%s) exited with failure

Location:
/var/log/ltm

Conditions:
An iCall perpetual handler object was deleted, or scriptd was shutting down.

Impact:
The handler will not process events until restarted.

Recommended Action:
Restart the handler using this tmsh command: "restart sys icall handler perpetual <name>".

01510003 : %s

Location:
/var/log/ltm

Conditions:
This message can indicate a few different serious errors in vcmpd.

"Guest has invalid macsa data or mac pool size. To correct this issue, the guest must be taken to configured state and then redeployed."

"Guest Install failed."

"ShmBlock id(0x) does not match shm key (0x)"

"MgmtNet id(X) does not match (Y)"

A generic critical message might also be seen if the guest fails to start or shut down properly.

Impact:
Impact varies based on the message, but all of the messages indicate a serious issue preventing the guest from starting or shutting down.

Recommended Action:
Most of these indicate an internal validation error with no obvious workaround. For the macsa case, the guest must be taken to the configured state and redeployed.

01510004 : %s

Location:
/var/log/ltm

Conditions:
This is a generic error message that could indicate a variety of error conditions related to vcmpd and vCMP guests.

Impact:
Impact varies depending on the specified error string. The error string itself will provide additional information about impact.

A few examples:
"vCMP is NOT provisioned. Will exit."
vCMP must be provisioned on the host to run vCMP guests.

"Timeout waiting for all VMs to exit"
If VMs take too long to exit the process will be killed immediately.

"Could not create tmstat segment "
vCMP guest stats might be inaccurate or not appear

"MCP object exists for nonexistent template: errno: deleting invalid mcp object"
No impact.

"guest is starting with no trunk virtual mbrs"
Guest may fail to launch and will not function properly.

"License file () not found. Delaying VCMPD start up."
A valid license file is required for vCMP guests to deploy.

Recommended Action:
Workaround varies depending on the specified error string. The error string itself will provide information about possible workaround.

A few examples:
"vCMP is NOT provisioned. Will exit."
Provision vCMP on the host system.

"Timeout waiting for all VMs to exit"
No workaround. It is possible that heavy activity on the guest or host is delaying the shutdown process.

"MCP object exists for nonexistent template: errno: deleting invalid mcp object"
No workaround, the code will detect and attempt to correct the error condition.

"guest is starting with no trunk virtual mbrs"
Take the guest to configured state and attempt to reprovision/redeploy.

"License file () not found. Delaying VCMPD start up."
A valid license file is required for vCMP guests to deploy.

01510005 : SAMPLE: vcmpd - VDisk (LBEMP-LOTWAN01.img/1): Failed to save info file - /shared/vmdisks/LBEMP-LOTWAN01.info

Location:
/var/log/ltm

Conditions:
This is a generic message that could indicate a variety of warning conditions related to vcmpd and vCMP guests. In general these are conditions that are worth noting but not as serious as an error.

Impact:
Impact varies depending on the specified warning string. The error string itself might provide additional information about impact.

Examples:
"Watchdog shared memory was not cleaned up."
"HAL shared memory was not cleaned up."
"Management network taps were not shutdown properly."
No real impact here, the system will attempt to correct the error condition before starting the guest.

"Failed to find enum definition ()"
Specific enum will not be mapped to a string.

"Info file dir () could not be created. Guest will be missing info files."
Guest vminfo files will not be created.

Recommended Action:
Most of these conditions are informational and there is no workaround.

01510007 : %s

Location:
/var/log/ltm

Conditions:
This is an informational log that reports various guest conditions during normal operation such as adding/removing vDisks, deleting files, and guest setup/shutdown.

Impact:
None.

Recommended Action:
None.

01510011 : vCMP guest %s powered off.

Location:
/var/log/ltm

Conditions:
This message is logged whenever the vCMP guest is shut down.

Impact:
The specified vCMP guest is no longer running.

Recommended Action:
None.

01530007 : %s started ===============================

Location:
/var/log/ltm

Conditions:
The DNS Express zone transfer daemon (zxfrd) has successfully initialized and started operating.

Impact:
The zone transfer daemon is ready to perform zone transfers as required.

Recommended Action:
No action required for a single instance of this message. It is a notification displayed when the zone transfer daemon starts up.

If this message persists then it might indicate that a separate issue is causing the zone transfer daemon to restart in a loop. Other log messages should be investigated to determine the cause.

0153000c : Error writing scratch database(%s), serving database is unchanged. zxfrd will exit and restart.

Location:
/var/log/ltm

Conditions:
During a zone transfer, either an IXFR or AXFR, zxfrd was unable to move DNSX RRs from a temporary holding area to a more permanent location. The message can occur if there is an Out of Memory condition.

Impact:
zxfrd exits and retries. The database that was being served before the failed XFR is unchanged and is still valid and will still be served by TMM during the zxfrd restart. Updates from the XFR are not available and are not being served until zxfrd restarts and successfully completes the XFR. This message was added as part of solution to prevent DNSX from serving partial zone information.

The solution now guarantees consistent and complete zone information, but can delay xfr updates if there is an error. Prior to this solution, partial xfr updates could be made available before the xfr completes.

Recommended Action:
None.

0153002c : An instance of zxfrd (pid: %d) is already running! Exiting

Location:
/var/log/ltm

Conditions:
An instance of the DNS Express zone transfer daemon (zxfrd) has attempted to start while another instance was already running.

This is most likely to occur if an instance of the zone transfer daemon was manually started through '/var/service/zxfrd/run'.

Impact:
The second instance of the DNS Express zone transfer daemon will exit leaving the first to continue processing.

Recommended Action:
If there is a single instance of this message, occurring in a situation where the system or zxfrd has recently been started, then there is likely no issue and no action required.

If this message persists or is occurring in a situation where the system or zxfrd has not recently been started, then it might indicate a problem with the status of zxfrd. Restarting the zone transfer daemon by running the command 'bigstart restart zxfrd' as root, might resolve the issue.

01531003 : Failed to sign zone transfer query for zone %s using TSIG key %s

Location:
/var/log/ltm

Conditions:
The DNS Express zone transfer daemon (zxfrd) encountered an error while attempting to sign a zone transfer query for the specified zone using the specified TSIG key.

Impact:
The zone transfer query will not be sent, causing the zone transfer to fail. This in turn might cause the associated zone to be marked invalid and will not be available for dns queries until a successful zone transfer is completed.

Recommended Action:
Verify that the associated TSIG key is correct and that the secret value entered for this key comes from the appropriate key generation utility, such as BIND's "keygen".

0153100c : Failed on receive of %d bytes for transfer of zone %s (%s)

Location:
/var/log/ltm

Conditions:
There was a connection error during a zone transfer for the specified zone. The type of error is specified by the parenthesized portion of the message.

Impact:
The zone being transferred might not be available until a successful zone transfer is completed.

Recommended Action:
Use the parenthesized portion of the log message, combined with other log messages, to diagnose and correct the connection error. The system will automatically schedule a new zone transfer attempt.

0153100e : Transfer of zone %s failed with rcode (%s).

Location:
/var/log/ltm

Conditions:
This error indicates that DNS Express was not able to perform a zone transfer from a master nameserver.

Impact:
If the zone has never been transferred successfully, the zone will not be available. If the zone has previously successfully transferred, it will not be updated until the issue is resolved. If the issue is not resolved before the zone expiration time, the zone will no longer be available on the BIG-IP until the next successful transfer.

Recommended Action:
The rcode in the error message is provided by the master nameserver and can be used to investigate why the master nameserver was not able to provide the zone transfer.

01531010 : Transfer of zone %s failed b/c there are no records

Location:
/var/log/ltm

Conditions:
This error is generated by DNS Express when a zone transfer answer is received from a master nameserver with no records. At a minimum, there should be SOA records in the answer, even if there are no zone resource records.

Impact:
If the zone has never been transferred successfully, the zone will not be available. If the zone has previously successfully transferred, it will not be updated until the issue is resolved. If the issue is not resolved before the zone expiration time, the zone will no longer be available on the BIG-IP until the next successful transfer.

Recommended Action:
Configuration on the master nameserver should be investigated to determine why a malformed zone transfer response is being generated.

01531015 : Failed to retrieve next RR in %s for zone %s

Location:
/var/log/ltm

Conditions:
This error message can only occur when the zone transfer daemon (zxfrd) is processing a response to a zone transfer request. The message means that zxfrd was unable to obtain the next resource record from the packet it is processing.

This can occur if:
- The data in the response is incomplete
- The data in the response is garbled
- The number of records in the ANSWER section of the transfer does not match the amount indicated in the DNS header.

Impact:
This message indicates that the zone transfer has failed and will be rescheduled. If the issue is persistent and prevents a successful transfer from succeeding before the zone expiration time, the zone will no longer be available on the BIG-IP until the next successful transfer.

Recommended Action:
If the issue is persistent, configuration and logs on the master nameserver or intermediate network devices should be investigated to determine why the BIG-IP cannot successfully complete a zone transfer.

01531018 : Failed to transfer zone %s from %s, will attempt %s

Location:
/var/log/ltm

Conditions:
This error indicates that a zone transfer attempt failed. The first argument is the name of the zone, the second is the master nameserver, and the third is the next type of transfer attempt that will occur (AXFR or IXFR). This message should be seen in conjunction with a more specific error message that gives more details about the failure.

Impact:
If the zone has never been transferred successfully, the zone will not be available. If the zone has previously successfully transferred, it will not be updated until the issue is resolved. If the issue is not resolved before the zone expiration time, the zone will no longer be available on the BIG-IP until the next successful transfer.

Recommended Action:
The BIG-IP system continues to attempt to transfer the zone. The cause of this issue could be incorrect configuration on the BIG-IP system, such as the wrong master nameserver IP address, network configuration issues that prevent the BIG-IP system from reaching the master, or configuration issues on the master nameserver, such as incorrect ACLs.

Additional log messages should provide context as to the cause of the transfer failure.

0153101b : Ignoring NOTIFY for zone %s due IXFR in progress

Location:
/var/log/ltm

Conditions:
The DNS Express zone transfer daemon (zxfrd) has received a zone change notification (DNS notify) for the specified zone, but that zone has an incremental zone transfer in progress.

Impact:
The received zone change notification is ignored.

Recommended Action:
There is no action required. The system is simply displaying that it has received the notification and has chosen to ignore it, under the assumption that the current zone transfer will include the change notifications.

0153101c : Handling NOTIFY for zone %s

Location:
/var/log/ltm

Conditions:
The DNS Express zone transfer daemon (zxfrd) is logging that it has received a zone change notification (DNS notify) for the specified zone.

Impact:
A zone transfer will be scheduled to begin within a short period of time for the specified zone.

Recommended Action:
None.

0153101f : %s Transfer of zone %s from %s succeeded

Location:
/var/log/ltm

Conditions:
The DNS Express zone transfer daemon (zxfrd) has successfully completed transferring a zone.

Impact:
The records being transferred are now available on the system and can be returned as the result of incoming dns queries.

Recommended Action:
None.

01531023 : Scheduling zone transfer in %ds for %s from %s

Location:
/var/log/ltm

Conditions:
This message occurs whenever the zone transfer daemon (zxfrd) schedules a zone transfer from a master nameserver.

The logging level for this message was changed from NOTICE to DEBUG beginning in version 11.3.0.

Impact:
The conditions that this message indicates are normal and expected. There is no negative impact to the system.

Recommended Action:
None.

01531025 : Serials equal (%d); transfer for zone %s complete

Location:
/var/log/ltm

Conditions:
This message occurs whenever the zone transfer daemon (zxfrd) requests a zone transfer from a master nameserver and there have been no changes to the zone since the last successful zone transfer.

The logging level for this message was changed from NOTICE to DEBUG beginning in version 11.3.0.

Impact:
The conditions that this message indicates are normal and expected. There is no negative impact to the system.

Recommended Action:
None.

0153102a : Failed connect callback to %s for transfer of zone %s

Location:
/var/log/ltm

Conditions:
This is primarily a diagnostic error message used to provide additional context when a zone transfer fails. The failure is most likely due to a network connectivity or network configuration problem.

Impact:
If the zone has never been transferred successfully, the zone will not be available. If the zone has previously successfully transferred, it will not be updated until the issue is resolved. If the issue is not resolved before the zone expiration time, the zone will no longer be available on the BIG-IP until the next successful transfer.

Recommended Action:
Use this log message in conjunction with other ZXFR log messages that should appear with it to help diagnose the cause of the failure. Investigate network connectivity between the BIG-IP and master nameserver and verify network configuration on all devices including intermediate switches/firewalls.

0153102d : Notify request from %s not in allow-notify-list. Ignoring.

Location:
/var/log/ltm

Conditions:
ZXFRD received a NOTIFY message from a source IP address that was not in its allowed-notify-list, nor was it the configured dns-express-server.

Impact:
The system received a NOTIFY message from an unknown source. This could be from a bad configuration, or it could be from an attempted malicious client targeting your server.

Recommended Action:
None.

0153102e : Error %s during socket %s.

Location:
/var/log/ltm

Conditions:
An attempt was made to create or set up a socket for an AXFR/IXFR.

Impact:
The AXFR/IXFR will not succeed until the error condition is resolved. The message provides additional information about the error.

Recommended Action:
None.

0153102f : Timed out waiting for transfer data for zone %s.

Location:
/var/log/ltm

Conditions:
An XFR has exceeded the time allowed without any data being transferred.
This happens, for instance, if an XFR is started, but the server does not respond with data for more than 5 seconds (the default).

Impact:
The XFR is aborted and then retried after the configured retry delay.

Recommended Action:
If the XFR fails repeatedly, investigate a problem with the downstream DNS server.

01531030 : Kicking read timer for zone %s.

Location:
/var/log/ltm

Conditions:
Every packet received during an XFR has shown that the XFR has not timed out.

Impact:
None. This is a DEBUG informational message.

Recommended Action:
None.

01531031 : Setting read timer for zone %s.

Location:
/var/log/ltm

Conditions:
An XFR has started.

Impact:
None. This message is used to indicate that the timer was initialized.

Recommended Action:
None.

01531032 : There is an existing zone transfer scheduled for zone %s from %s, not re-scheduling.

Location:
/var/log/ltm

Conditions:
This occurs if a Notify message is received for a zone when there is already a zone transfer scheduled, but not started.
This is not an unusual condition, nor does it indicate an error.

Impact:
None. This is an informational message.

Recommended Action:
None

01531033 : There is a backlogged zone transfer scheduled for zone %s from %s, not adding another.

Location:
/var/log/ltm

Conditions:
This occurs when a notify message for a zone is received when there is already a transfer in the backlog. The backlog is used to schedule transfers when the maximum number of pending transfers has been exceeded.

Impact:
None. This is an informational message.

Recommended Action:
None.

01531105 : Zone %s expired. Zone will be unavailable until the next successful zone transfer.

Location:
/var/log/ltm

Conditions:
A zone that was transferred to this system has expired.

Impact:
The expired zone will not be available to dns queries until another zone transfer is successfully completed.

Recommended Action:
None.

0153120c : Zone %s saved to scratch DB with SOA Serial %d.

Location:
/var/log/ltm

Conditions:
During normal XFR processing, data is written to a staging area.
When the XFR is complete, the data is transferred to the scratch area (which is then later moved to the "serving" database).

Impact:
None. This is a debug message only, to indicate that the XFR was successfully written.

Recommended Action:
None.

01531300 : Cluster status changing from %s to %s

Location:
/var/log/ltm

Conditions:
The DNS Express zone transfer daemon (zxfrd) detected that the cluster state has changed. This generally occurs when a blade in a clustered system changes its offline/online status.

Impact:
Depending on the new cluster status, the DNS Express zone transfer daemon (zxfrd) might start or stop zone transfers on this blade. The primary blade on a clustered system handles zone transfers to the system.

Recommended Action:
No action is directly required by this message. However, if this state change was unexpected or unintended, then there should be other log messages on the system, indicating what caused the specified status change. Corrective action can be taken based upon those messages.

0153e0f7 : Lost connection to mcpd

Location:
/var/log/ltm

Conditions:
The DNS Express zone transfer daemon (zxfrd) has lost its connection to the configuration daemon (mcpd). This is expected to be a recoverable transient condition, most likely seen when mcpd has restarted.

Impact:
zxfrd will restart in an attempt to restore its connection with mcpd. Until zxfrd is able to restore its connection to mcpd, zone transfers will not be attempted.

Recommended Action:
The message indicates a problem communicated with mcpd. If the message persists, the logs should be investigated to determine what could be affecting mcpd. If zxfrd is having trouble, other daemons will be as well.

01550004 : Critical:

Location:
/var/log/ltm

Conditions:
During initialization, a critical resource supporting expected operation of the data plane was found to be malfunctioning or missing.

Impact:
The BIG-IP system is not allowed not to go Active. Access to logs and tmsh commands are still possible, since the BIG-IP system continues to run.

Recommended Action:
A reboot or power cycle of the platform hardware might remedy the situation.

01550005 : Critical:

Location:
/var/log/ltm

Conditions:
During initialization of the platform software, no configuration module is detected in a configuration module slot where a configuration module is expected.

Impact:
The BIG-IP system is not allowed not to go Active. Access to logs and tmsh commands are still possible, since the BIG-IP system continues to run.

Recommended Action:
None.

01550006 : Critical:

Location:
/var/log/ltm

Conditions:
During initialization of the platform software, an unsupported Configuration module is detected in one of the platform's configuration module slots.

Impact:
A Configuration Module not supported by the platform has been detected in one of the platforms configuration module slots. The platform hardware should not be used in this condition. The BIG-IP system is not allowed not to go Active. Access to logs and tmsh commands are still possible, since the BIG-IP system continues to run.

Recommended Action:
None.

01570004 : %s

Location:
/var/log/ltm

Conditions:
The connection from lldpd to mcpd is lost. Most possibly mcpd is down or restarted.

Impact:
The lldpd daemon will be restarted and try to connect to mcpd again.

Recommended Action:
None.

015a0000 : SAMPLE: devmgmtd - Initial trust configuration created

Location:
/var/log/ltm

Conditions:
First boot of the device, or reset of the trust domain.

Impact:
This is not an error condition. The system is behaving normally.

Recommended Action:
None.

015a0004 : "%s"

Location:
/var/log/ltm

Conditions:
This error code represents any error in devmgmtd, the daemon used for establishing CMI trust between devices.

Impact:
It is likely that the trust setup failed.

Recommended Action:
Retry creating trust between devices.

015c0004 : %s

Location:
/var/log/ltm

Conditions:
This general error message originates from the iprepd daemon.
These errors typically relate to network availability, brightcloud.com availability, DNS lookups, or memory issues.

Impact:
The iprepd daemon cannot connect to the brightcloud.com service. Consequently, it cannot diagnose traffic coming from IPs with bad reputations. Related features (for example, ASM or irules) will not work, or work with a non-updated IPs database.

Recommended Action:
A customer usually needs to check and fix the network connection or the dns setup. There is no other workaround.

015c0009 : IP Reputation has no license currently

Location:
/var/log/asm

Conditions:
This error message originates from the iprepd daemon.
This error indicates that there is no valid license for the IP Intelligence feature.

Impact:
IP Intelligence feature cannot be used.

Recommended Action:
Update IP Intelligence license.

015c0010 : Initial load of IP Reputation database has been completed

Location:
/var/log/ltm

Conditions:
The IP Reputation database has been downloaded for the first time by the BIG-IP device from the BrightCloud server.

Impact:
From now on, the BIG-IP device can use the IP Reputation database.

Recommended Action:
This message indicates when the IP Intelligence feature starts to work.

015e0002 : [pg:%d pu:%d] %s: %s

Location:
/var/log/ltm
/var/log/tmm

Conditions:
Examples:
015e0002:5: [pg:0 pu:0] Acquired lock on new blob: pktclass1
015e0002:5: [pg:0 pu:0] Loaded blob: pktclass1
015e0002:5: [pg:0 pu:0] Activated blob: pktclass1

This log is a notification of the new security firewall blob being loaded and activated on TMM when there's a new security firewall rule/policy change.

Impact:
No impact on the BIG-IP operation. This log is just a notification that security firewall blob is been updated successfully.

Recommended Action:
None.

015e0004 : [pg:%d pu:%d] %s: %s

Location:
/var/log/tmm, /var/log/ltm

Conditions:
The TMM process failed to load information from the PCCD service. This can occur when there is a problem accessing one of PCCD's files.

Impact:
None of the L2-L4 firewall policies will be enforced.

Recommended Action:
From the Advanced Shell (also known as "bash"), run the following two commands:
# rm -f /var/pktclass/*
# tmsh restart sys service pccd

015f0028 :

Location:
/var/log/ltm, remote syslog, local DB, etc. depending on the log destination configured for the log publisher.

Conditions:
A flowspec advertisement has been sent or withdrawn.

Impact:
No impact. This message is purely informational.

Recommended Action:
None.

015f0029 :

Location:
/var/log/ltm), remote syslog, local DB, etc. depending on the log destination configured for the log publisher.

Conditions:
The threshold criteria that is configured for LSN/FW NAT pool address-utilization, endpoint-utilization, and error count was hit.

Impact:
These log messages are informational and alert. Customers can take appropriate action to increase/decrease the LSN/FW NAT resources (translation addresses and ports).

Recommended Action:
Manage the LSN/FW_NAT resources (translation addresses and ports) according to its use.

015f0029 : date_time, management_ip_address, bigip_hostname, device_product, device_vendor, device_version, msg_name, nps_name, bits_per_second, packets_per_second, connections_per_second, total_bits_per_po, total_packets_per_po, total_connections_per_po

Location:
None.

Conditions:
Netflow protected server (nps) statistics are logged once per log-interval. A log interval ranges from 0 to 60 seconds. If any nps object is configured with 0 as the interval, it means that logging is disabled for that specific nps object.

Impact:
Multiple log messages are logged within seconds. Netflow logging feature supports remote logging only.

Recommended Action:
Make sure that:

- A Netflow global profile is attached to the log publisher.
- The log publisher has a destination specified.
- The log publisher is a remote publisher.

Perform these configuration steps:

1. Configure a pool using this tmsh command:
create ltm pool <pool_name> { members add {

2. Attach a publisher to netflow using this tmsh command:
modify security log profile global-network netflow { log-publisher <publisher_name> }

015f0030 :

Location:
Anti-Fraud security profile's logging destination

Conditions:
Anti-Fraud logging has been enabled in a security log profile.

Impact:
None.

Recommended Action:
None.

015f0031 :

Location:
/var/log/ltm, remote syslog, local DB, etc. depending on the log destination configured for the log publisher.

Conditions:
This message occurs when:

* When you are logging for outbound and inbound DS-Lite connections, and
* A logging profile is specified in a Source-Address Translation object or an LSN Pool, and
* Logging is enabled in the profile.

Impact:
No impact. This message is for logging purposes only.

Recommended Action:
If the intended purpose is not see a log, disable logging from the logging profile. Note: Disabling logging also disables logging for all outbound and inbound events. In this case, There will be no logs related to outbound and inbound events.

015f0032 :

Location:
/var/log/ltm, remote syslog, local DB, etc. depending on the log destination configured for the log publisher.

Conditions:
This message occurs when:

* Logging for errors related to DS-Lite connections, and

* A logging profile is specified in an Source-Address Translation object or an LSN Pool, and

* Logging is enabled in the profile such as "Client Quota Exceeded".

Impact:
Connection is not established between subscriber and internet. Usually, this is due to the connection not being permitted by the configuration specified in the Source Address Translation object.

Recommended Action:
Configure Source Address Translation object as per intended use.

015f0033 :

Location:
/var/log/ltm, remote syslog, local DB, etc., depending on the log destination configured for the log publisher.

Conditions:
This message occurs when:

1. Logging related to port block allocation in DS-Lite connection is enabled when logging profile is specified in a Source-Address Translation object or LSN Pool.

2. Logging is enabled in the profile and Port Block Allocation mode is specified in a Source-Address Translation or LSN Pool object.

Impact:
There is no impact. This message is for logging purpose only.

Recommended Action:
If intended purpose is not seen in log, disable logging from the logging profile. Note: Disabling logging also disables logging for all port block allocation events.

01630002 : (%s) (%s)

Location:
/var/log/ltm

Conditions:
Log template is used for several different messages:
 1. "(Failed to open new read-only trans for query) (listener_name)"
 2. "(Failed to close transaction) (listener_name)"
 3. "(Failed to allocate for sflow_data_source_ctx) (listener_name)"
 4. "(context_owner) (Failed to connect. len(number).)"
 5. "(context_owner) (Last sample yet to be sent. size(number).)"
 6. "(context_owner) (Datagram too big. size(number) max(number).)"
 7. "(context_owner) (Unable to clone xb(length) to ctx->xb(length).)"
 8. "(context_owner) (Failed to send data down. len(%d).)"
 9. "(context_owner) (Failed to construct records for this sample id(0x%x).)"
 10. "(context_owner) (Unable to find datasource ctx for id=%d.)"

Impact:
1. An internal database and/or system memory issue occurred that can affect other system functions.
2. An internal database issue (transaction leak) occurred that can slow performance over time.
3. System is out of memory.
4. SFlow connection failure results in no response to client query.
5. Connectivity issues delaying sflow response.
6. Illegally formatted datagram was encountered and dropped.
7. Object pool exhaustion. Will affect sflow stats if condition persists.

Recommended Action:
1. Reboot Big-IP blade/system.
2. Reboot Big-IP blade/system.
3. Reboot Big-IP blade/system.
4. No workaround.
5. Troubleshoot network connectivity.
6. No workaround.
7. No workaround.
8. No workaround.
9. Reboot Big-IP blade/system.
10. No workaround.

01660009 : %s

Location:
/var/log/ltm

Conditions:
An external interface on a BIG-IP 2000/2200/4000/4200 has experienced a change in link status. For example, when plugging or unplugging the network cable, the remote side device has gone offline or come online.

Impact:
As per the INFO log level, this is not an error. If a port has an unexpected link change event (not caused by manually enabling, disabling, plugging, unplugging, changing port, link configuration, or powering the local or remote device on or off), check for accidentally unplugged cables and the like.

Recommended Action:
None.

01660010 : %s

Location:
/var/log/ltm

Conditions:
Messages will look like the following for a 40G/100G interface:
- DDM interface:5.0 transmit power too high warning.Transmit power(mWatts) 1.2940 1.2418 1.2640 0.9623
- 1G/10G interface errors will only show one one lane of laser power:
- DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts

DDM (Digital Diagnostic Monitoring) Warning messages are written for 4 conditions when laser power exceeds the optical transceiver's manufacturing specifications. Warnings are less serious than DDM alarms.
- Transmit optical laser power too low
- Transmit optical laser power too high
- Receive optical laser power too low
- Receive optical laser power too high

Impact:
These warnings are for informational purposes, indicating an optical transceiver has laser levels outside the optical transceiver manufacturer recommended range. This does not indicate any specific functional failure.

Recommended Action:
The AskF5 knowldege article "Monitoring BIG-IP System Traffic with SNMP" provides these recommended actions for each of these DDM conditions.

Refer to the text of the alert: is it a low or high alarm? Is it a transmit or receive alarm? The action to take for F5 branded optics (the following troubleshooting steps) depends on a condition derived from the two states (low/high and transmit/receive):

Low (Alarm)/Transmit (Alarm): See if the BCM port is enabled. If not, then enable it.
High (Alarm)/Transmit (Alarm): Hot swap extract and insert F5 Optics multiple times. Check to see if a link comes up without a DDM error after each insertion. If a problem persists, then it is a bad F5 Optic.
Low (Alarm)/Receive (Alarm): Verify F5 optics module with local loopback cable. Verify that the transmission power on the other end of the cable is correct. Recheck the optical link budget calculations. Clean the optical cables, connectors, and/or lens. For any receive problem, look at the transmitter to make sure it is okay and the correct protocol.
High (Alarm)/Receive (Alarm): Check the protocol setting on both link partners and make sure they are compatible. Verify the transmission power on the other end is okay. Recheck the optical link budget calculations. For any receive problem, look at the transmitter to make sure it is okay and the correct protocol.

01660011 : %s

Location:
/var/log/ltm

Conditions:
Messages will look like the following for a 40G/100G interface:
- DDM interface:5.0 transmit power too high alarm.Transmit power(mWatts) 1.2940 1.2418 1.2640 0.9623
- 1G/10G interface errors will only show one one lane of laser power:
- DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts

DDM (Digital Diagnostic Monitoring) Alarm messages are written for 4 conditions when laser power exceeds the optical transceiver's manufacturing specifications. Alarms are more serious than DDM warnings.
- Transmit optical laser power too low
- Transmit optical laser power too high
- Receive optical laser power too low
- Receive optical laser power too high

Impact:
These alarms are for informational purposes, indicating an optical transceiver has laser levels outside the optical transceiver manufacturer recommended range. This does not indicate any specific functional failure.

Recommended Action:
The AskF5 knowldege article "Monitoring BIG-IP System Traffic with SNMP" provides these recommended actions for each of these DDM conditions.

Refer to the text of the alert: is it a low or high alarm? Is it a transmit or receive alarm? The action to take for F5 branded optics (the following troubleshooting steps) depends on a condition derived from the two states (low/high and transmit/receive):

Low (Alarm)/Transmit (Alarm): See if the BCM port is enabled. If not, then enable it.
High (Alarm)/Transmit (Alarm): Hot swap extract and insert F5 Optics multiple times. Check to see if a link comes up without a DDM error after each insertion. If a problem persists, then it is a bad F5 Optic.
Low (Alarm)/Receive (Alarm): Verify F5 optics module with local loopback cable. Verify that the transmission power on the other end of the cable is correct. Recheck the optical link budget calculations. Clean the optical cables, connectors, and/or lens. For any receive problem, look at the transmitter to make sure it is okay and the correct protocol.
High (Alarm)/Receive (Alarm): Check the protocol setting on both link partners and make sure they are compatible. Verify the transmission power on the other end is okay. Recheck the optical link budget calculations. For any receive problem, look at the transmitter to make sure it is okay and the correct protocol.

01660012 : %s

Location:
/var/log/ltm

Conditions:
Messages will look like the following:
- DDM interface:2.0 transmit power too low warning cleared
- DDM interface:2.0 receive power too low warning cleared

A warning condition detected by Digital Diagnostic Monitoring (DDM) has been cleared.
Warnings can be cleared for transmit or receive, high or low optical laser power levels.

Impact:
None.

Recommended Action:
None.

01660013 : %s

Location:
/var/log/ltm

Conditions:
Messages will look like the following:
DDM interface:2.0 transmit power too low alarm cleared
DDM interface:2.0 receive power too low alarm cleared

An alarm condition detected by Digital Diagnostic Monitoring (DDM) has been cleared.
Alarms can be cleared for transmit or receive, high or low optical laser power levels.

Impact:
None.

Recommended Action:
None.

01660014 : %s

Location:
/var/log/ltm, LCD

Conditions:
Unsupported optic in interface:<InterfaceName> See support.f5.com SOL8153 for restrictions on third-party hardware components.

When a non-F5 100G optic is detected.

Impact:
Non-F5 100G optics will not have the proper tuning values applied and will not function.

Recommended Action:
Use an F5 100G optical transceiver.

01660015 : Interface %s. Non-F5 branded optics are not supported

Location:
/var/log/ltm

Conditions:
This is an obsolete error message that will never appear.

Impact:
None.

Recommended Action:
None.

01660016 : %s

Location:
/var/log/ltm, LCD

Conditions:
The BIG-IP system has detected that the wrong speed optic is in an interface on an i2000 or i4000 series appliance. Two different messages are possible: one for the 1GbE optic in a 10G interface, and one for a 10GbE optic in a 1G interface:

 err pfmand[6082]: 01660016:3: Interface 3.0 detected a non 1GbE optic
 err pfmand[6082]: 01660016:3: Interface 6.0 detected a non 10GbE optic

Impact:
The optic will not function.

Recommended Action:
Move the optic to an interface of the correct speed.

01670003 : Inbound entry %A,%d,%A,%A found

Location:
/var/log/ltm

Conditions:
This is a debug message, enabled by setting sys db variable log.lsn.level to "Debug". This debug message is logged when an LSN inbound connection is received and the inbound entry is found in the TMM internal database. During normal operation, log.lsn.level must be set to "Error". This debug message only exists in 11.x.x releases.

Impact:
None.

Recommended Action:
Set sys db log.lsn.level to "Error".

01670006 : [%u.%u] DNAT Picked :%A,%d

Location:
/var/log/ltm

Conditions:
DNAT has chosen a translation endpoint, and debug logging is enabled.

Impact:
None.

Recommended Action:
None.

01670009 : Inbound connection :%A,%d is active

Location:
/var/log/ltm

Conditions:
This is a debug message, enabled by setting sys db variable log.lsn.level to "Debug". This message is logged when we fail to add an inbound entry because the entry already exists. If this happens, TMM will try to pick a different translation IP:port. During normal operation log.lsn.level must be set to "Error". This debug message only exists in 11.x.x releases.

Impact:
None.

Recommended Action:
Set sys db log.lsn.level to "Error".

01670010 : Inbound entry:%A%%%d:%d, ds-lite remote:%A local:%A timeout:%d for key:%A%%%d:%d proto:%d added. ha mirrored: %s

Location:
/var/log/ltm

Conditions:
This is a debug message, enabled by setting sys db variable log.lsn.level to "Debug". This debug message is loggeed when an inbound entry is added to the TMM internal database for an outbound connection. During normal operation, log.lsn.level must be set to "Error". This debug message only exists in 11.x.x releases.

Impact:
None.

Recommended Action:
Set sys db log.lsn.level to "Error".

01670016 : No inbound entry found for %A%%%u:%u proto:%u

Location:
/var/log/ltm

Conditions:
This debug message can be enabled by setting sys db variable log.lsn.level to "Debug". This debug message is logged when an LSN inbound connection is received, and the inbound entry is not found in the TMM internal database. During normal operation, log.lsn.level must be set to "Error".

Impact:
None.

Recommended Action:
Set sys db log.lsn.level to "Error".

01670019 : "DNAT configuration: %s"

Location:
/var/log/ltm

Conditions:
A CGNAT Deterministic NAT LSN Pool is configured and attached to an active virtual server. This log entry records the state information used by the dnatutil to reverse map LSN translations.

Impact:
Log entries are for information only.

Recommended Action:
None.

01670020 : DNAT connection: %s

Location:
/var/log/ltm

Conditions:
This error is logged if the mode in the LSN pool/AFM NAT source translation object is set to "Deterministic", and the config is changed while flows using these objects are active.

Impact:
This log message has no negative impacts. This log message is used by the "dnatutil" to reverse map the subscriber.

Recommended Action:
None.

01670021 : [%u.%u] LSN Pool %s has no usable translation address for DNAT

Location:
/var/log/ltm, /var/log/tmm

Conditions:
The deterministic NAT pool on the indicated TMM has no usable address.

Impact:
Source address translation for the virtual server using the LSN pool will fail, when client connections use the designated TMM.

Recommended Action:
Increase the number of translation addresses for the LSN Pool.

01670028 : LSN pool(%s) inbound route domain id %d\n

Location:
/var/log/ltm

Conditions:
A debug message only in the logs when the Sys DB variable log.lsn.level is set to Debug.
Displays when inbound connections are enabled on an LSN pool and the inbound route domain changes.

Impact:
There is no error condition, but the message may be useful in configurations with complex route domain relationships where the inbound route domain is not obvious.

Recommended Action:
None.

01670029 : Translation failed: %s is unsupported.\n

Location:
/var/log/ltm

Conditions:
An LSN translation is being attempted under these conditions:

1) The ingress interface is the localhost (BIG-IP), and
2) PBA or DNAT mode is configured on the LSN pool.

Impact:
LSN translations fails because PBA/DNAT modes on an LSN pool cannot support ingress connections from localhost.

Recommended Action:
With the conditions listed above, use a NAPT LSN pool instead.

01680027 : netHSM: Thales RFS error [%s].

Location:
/var/log/ltm

Conditions:
The Thales utility "rfs-sync" is missing or not working properly.

Impact:
The Thales key cannot be uploaded to its RFS server, and consequently, other BIG-IP systems cannot get it. For example, at high availability (HA) setup, the key cannot be synced to the standby BIG-IP system.

Recommended Action:
Reinstall the Thales client. This might cause TMM to be restarted, which will interrupt tmm services.

01680028 : netHSM: Cannot load HSM vendor library [%s] with error [%s].

Location:
/var/log/ltm

Conditions:
The pkcs11d daemon is unable to dlopen the pkcs11 vendor library.

Impact:
pkcs11d is unable to connect with the external netHSM. All netHSM operations fail.

Recommended Action:
Restart pkcs11d. This will not add to the existing disruption because netHSM traffic is already failing. If restarting pkcs11d fails, reinstall pkcs11d. However, reinstalling the network HSM causes tmm to restart, which will briefly interrupt all traffic.

01680029 : netHSM: Failed login: password[%s]. Error[%lu].

Location:
/var/log/ltm

Conditions:
The BIG-IP system is unable to log in to the network hardware security module (HSM). There are multiple possible reasons for this (for example, an incorrect, invalid, or expired password, or a locked HSM).

Impact:
All HSM keys are unusable (as well as any configurations depending on them) until the issue preventing the BIG-IP system from logging into the HSM is resolved. Also, the BIG-IP system logs the specific error returned by the HSM, so that the user can look for more specific information in the HSM documentation.

Recommended Action:
There is no specific workaround, but the main issue is that the password that the BIG-IP system is using to log in to the HSM is not what the HSM is expecting. Therefore, verify that the password is correctly entered on the BIG-IP system and matches the password on the HSM. Then restart pkcs11d if necessary.

01680030 : netHSM: Failed to allocate space [%lu] for [%s].

Location:
/var/log/ltm

Conditions:
The BIG-IP system memory is nearly or already exhausted, possibly due to a memory leakage.

Impact:
The pkcs11d daemon does not work properly, and key generation and other operations (example: netHSM SSL key signing) fail.

Recommended Action:
Reboot the system to clean up the used memory. This interrupts all services.

01680031 : netHSM: The session with the network-hsm is invalid.

Location:
/var/log/ltm

Conditions:
The hardware security module (HSM) has returned an error at the request of C_OpenSession.

Impact:
This is the initial HSM operation. Pkcs11d will try to re-run in order to recover. Failure to recover normally indicates that a severe HSM networking issue or integration issue has occurred.

Recommended Action:
Check the availability of the HSM and try re-installing the HSM. This will restart tmm.

01680032 : netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The password that the BIG-IP system uses to log into the netHSM is incorrect. This could be because the user changed the password on the netHSM itself or the BIG-IP system was configured with the wrong password.

Impact:
Any configuration that depends on netHSM keys fails to work. There is no way to automatically recover from the BIG-IP system having the wrong password.

Recommended Action:
Either change the netHSM password to match the BIG-IP system's stored password, or change the password on the BIG-IP system to the one that the netHSM is using. Then restart PKCS11d.

01680033 : netHSM: BigDB error [%d][%s].

Location:
/var/log/ltm

Conditions:
The bigdb service is not functioning properly.

Impact:
The pkcs11d service cannot retrieve the DB variable.

Recommended Action:
Restart the bigdbd service or issue the "bigstart restart" command. Other services that use bigbd might be impacted.

01680034 : netHSM: Key name is too long (>=255).

Location:
/var/log/ltm

Conditions:
An SSL key name that is passed to netHSM key pair generation exceeds a limit in size.

Impact:
Key generation might fail. This can normally be avoided by the validation of the callers. Therefore, this is an API level error message that you will not normally see.

Recommended Action:
Reduce the size of the key name.

01680035 : netHSM: PKCS11d (re)initialization is not complete.

Location:
/var/log/ltm

Conditions:
pkcs11d is re-initializing or in the initialization stage too soon after a pkcs11d restart or when the network connectivity between the BIG-IP system and hardware security module (HSM) is being restored from a network disruption.

Impact:
If this happens, pkcs11d operations, such as key creation, cannot finish.

Recommended Action:
Wait for some time and issue a key creation command again.

01680036 : netHSM: Unknown HSM vendor [%s].

Location:
/var/log/ltm

Conditions:
The hardware security module (HSM) client is not installed properly, or a user has manually changed the external_hsm vendor's name.

Impact:
You will need to reinstall the HSM client.

Recommended Action:
Check the vendor name with this tmsh command:
     
     tmsh list sys crypto fips external-hsm vendor

Then reinstall the HSM client on the BIG-IP system.

01680037 : netHSM: Failed to create ec key for key %llu

Location:
/var/log/ltm

Conditions:
An error occurred while creating an ECDSA key.

Impact:
ECDSA key creation fails.

Recommended Action:
Restart pkcs11d. This will impact SSL traffic associated with keys stored on the network HSM.

01680038 : netHSM: Failed to set ec group for key %llu

Location:
/var/log/ltm

Conditions:
An error occurred during creation of an ECDSA key group.

Impact:
ECDSA key creation fails.

Recommended Action:
Restart pkcs11d. This will momentarily impact SSL traffic associated with keys stored on the network hardware security module (HSM).

01680039 : netHSM: Failed to create ec point for key %llu

Location:
/var/log/ltm

Conditions:
The system has failed to create EC key Qx, Qy POINT.

Impact:
ECDSA key creation fails.

Recommended Action:
Restart pkcs11d. This will impact SSL traffic associated with keys stored on the network hardware security module (HSM).

01680040 : netHSM: Failed to find partition with label '%s' on the netHSM.

Location:
/var/log/ltm

Conditions:
The user-specified partition is not accessible because the partition label, password, or permission is wrong.

Impact:
pkcs11d is not able to connect to the partition.

Recommended Action:
Check the netHSM's partition details. Modify the partition information (that is, label and password). Or, specify another partition and use that partition instead.

01680041 : Failed to add key to cache index %lu; err %d. Cache size %lu.

Location:
/var/log/ltm

Conditions:
An action has been taken that has caused the condition where there are too many keys for PKCS11d to keep track of.

Impact:
The key is not inserted into the key table.

Recommended Action:
Remove some keys and try again, and then restart pkcs11d.

01680042 : Failed to find key handle for %s key with %s '%s'.

Location:
/var/log/ltm

Conditions:
The hardware security module (HSM) cannot find the key specified by the CKA_LABEL or CKA_ID.

Impact:
PKCS11d operations using that key will fail.

Recommended Action:
Try either of the following:

1) Verify that the key label or ID exists on the HSM and reimport the key to the BIG-IP system if necessary.

2) Restart pkcs11d to clear its cache. Note that this action interrupts all HSM operations.

01680043 : Failed to find key attribute [%s] for key with handle [%llu] .

Location:
/var/log/ltm

Conditions:
The hardware security module (HSM) or network is non-operational.

Impact:
Although the HSM found the key, moments later the HSM is unable to return the rested key attribute for the specified key handle. This causes PKCS11d operations using that key to fail.

Recommended Action:
Verify that HSM and network are operational. If the HSM or network is not fully operational, there can be downtime while recovering.

01680044 : Thread [%lu] successfully connected to partition labeled '%.*s' in slot '%lu'.

Location:
/var/log/ltm

Conditions:
The pkcs11d thread successfully logged in to the netHSM partition with the given label and slot.

Impact:
None.

Recommended Action:
None.

01680045 : Nethsm: number of slots %u

Location:
/var/log/ltm

Conditions:
A connection has been established to the netHSM. This log is to provide information on how many slots available on the nethsm once connected.

Impact:
The system displays the number of slots available on the netHSM. This is an informational message only.

Recommended Action:
None.

01680046 : pkcs11d loading key handles.

Location:
/var/log/ltm

Conditions:
Key handles are loading.

Impact:
This is an informational message only.

Recommended Action:
None.

01680047 : pkcs11d invalidating key handles.

Location:
/var/log/ltm

Conditions:
pkcs11d has encountered an error due to invalid session handles.

Impact:
The pkcs11 API fails.

Recommended Action:
Inspect the error log and try to find the reason for the pkcs11 api failure.

01680048 : %s: pkcs11_rv=0x%08lx, %-26s.

Location:
/var/log/ltm

Conditions:
For various reasons, the pkcs11d functionality might not be working.

Impact:
A pkcs11 error occurs.

Recommended Action:
Inspect the error log and try to find the reason for the pkcs11 error.

01680049 : [PKCS11D][%u]:%s:%d: %s

Location:
/var/log/ltm

Conditions:
Debug/trace logging is enabled.

Impact:
None.

Recommended Action:
None.

01680050 : %s

Location:
/var/log/ltm

Conditions:
Debug logging is enabled.

Impact:
None.

Recommended Action:
None.

01680051 : %s.

Location:
/var/log/ltm

Conditions:
Informational logging is enabled.

Impact:
None.

Recommended Action:
None.

01680052 : %s.

Location:
Repeating log message: Failed to receive mcp msg.

Conditions:
The purpose of this log message is to detect whether there is a communication problem between pkcs11d and the mcpd service.

Impact:
Most messages represent no cause for concern; however, if these come repeatedly, it might indicate a unrecoverable communication problem between these components.

If this log msg is reported frequently, configurations may not reach netHSM and statistics may not get updated.

Recommended Action:
To recover from this issue restart pkcs11d:

restart sys service pkcs11d

Note: This message does not occur when the log level is set to default.

01690000 : SAMPLE: evrouted - shutdown cleanly

Location:
/var/log/ltm

Conditions:
A daemon is shutting down under expected conditions (that is, the device is being powered down or rebooted).

Impact:
This is not an error message and does not indicate a problem.

Recommended Action:
None.

016b0002 : Rewrite: %s

Location:
/var/log/ltm

Conditions:
These are informational level messages from rewrite filter:

"Initialized rewrite subsystem"
"Initialized rewrite filter"
"Uninitialized rewrite filter"
"No Content-Type header in response"
"Selected type CSS by matching Content-Type header"
"Selected type HTML by matching Content-Type header"

Normal control flow.

Messages can be obtained when log.rewrite.level is set to Informational by:

tmsh modify /sys db log.rewrite.level {value Informational}

Impact:
None.

Recommended Action:
None.

016e0002 : Execution of action '%.*s' failed, error %E

Location:
/var/log/ltm

Conditions:
This error occurs when a TMM fails to execute an LTM policy action. This condition can occur when the TMM connection flow is aborted for unknown or unforeseen reasons (for example, out of memory or extreme load), and the related tear-down workflow transitions through a temporary stale state, while running LTM policy actions that involve the workflows being disposed.

Impact:
This error often indicates a deeper problem, possibly affecting multiple subsystems within the TMM. In this instance, the execution of some LTM policy actions fail, and the underlying LTM traffic or connection cannot be shaped.

Recommended Action:
Open a support ticket.

016e0005 : Unable to resume pending policy event on connflow %F

Location:
/var/log/ltm

Conditions:
A policy event is triggered while another event is executing. The flow is then terminated, for another reason, before the pending policy event is executed.

Impact:
The policy event is not executed due to the corresponding traffic flow no longer existing. Actions triggered in that event (example: logging) will not execute.

Recommended Action:
None.

016e0006 : Pending policy event missmatch found for %F

Location:
/var/log/ltm

Conditions:
A parked policy event is attempting to resume. However, the corresponding traffic flow information disagrees with the saved state. This internal inconsistency should never occur, but if detected, the policy event will abort.

Impact:
An unknown issue is causing parked policy events to resume incorrectly. This will cause the actions triggered in that policy to not occur. The incorrect resuming flow will also be terminated.

Recommended Action:
None.

01700000 : PPTP CALL-REQUEST id;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d

Location:
/var/log/ltm

Conditions:
The client has sent an outgoing call request.

Impact:
This log entry is for information purposes only.

Recommended Action:
None.

01700001 : PPTP CALL-START id;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d

Location:
/var/log/ltm

Conditions:
The server has responded with an outgoing call reply indicating that the call was successful.

Impact:
This log entry is for information purposes only.

Recommended Action:
None.

01700002 : PPTP CALL-END id;%d reason;%d from;%A%%%u to;%A nat;%A%%%u ext-id;%d

Location:
/var/log/ltm

Conditions:
The control channel was terminated.

Impact:
This log entry is for information purposes.

Recommended Action:
None.

01700005 : Error creating PPTP-GRE local flows, error %E.

Location:
/var/log/ltm

Conditions:
Creating a GRE flow, and error conditions such as low memory, internal database error, or software bug.

Impact:
GRE flow cannot be created, so the connection cannot complete.

Recommended Action:
If there are no other errors about low memory conditions, then contact support.

01700009 : Unable to locate flow %F.

Location:
/var/log/ltm

Conditions:
Unable to look up PPTP flow that the Application Level Gateway expects to be in the system.
The flow has been removed from the system, for example deleted from the connection table in tmsh, or expired.

Impact:
This message does not indicate an error.

Recommended Action:
None.

0170000a : Received an unexpected PPTP Control Message(%s) while processing connflow %F. Reason: %s.

Location:
/var/log/ltm

Conditions:
A call-clear-request message was received but there was no existing GRE tunnels or pending calls.

Impact:
A call-clear-request will have no impact since there are no tunnels to terminate.

Recommended Action:
None.

0170000b : Connflow(%F) has no peer, ignoring.

Location:
/var/log/ltm

Conditions:
No peer is found for the GRE flow. The peer flow may have already been removed from the flow table.

Impact:
The GRE flow is not processed.

Recommended Action:
None.

01700020 : Unable to locate PPTP GRE flow with %s key %d while processing connflow %F.

Location:
/var/log/ltm

Conditions:
Unable to look up a call-id for a GRE flow that the system expects to exist. This is an internal software error.

Impact:
Packet is dropped and drop count is incremented.

Recommended Action:
If the PPTP Application Level Gateway is not functioning correctly, then contact support. Otherwise, it is safe to ignore the error.

01700021 : Unable to retrieve layer 3 header from packet while processing connflow %F.

Location:
/var/log/ltm

Conditions:
The layer 3 header could not be found in the GRE packet.

Impact:
The packet with the missing header will be dropped.

Recommended Action:
None.

01700023 : Connflow (%F) ignoring an unexpected MPI remote flow response.

Location:
/var/log/ltm

Conditions:
An MPI response was received when one was not expected.

Impact:
None.

Recommended Action:
None.

01700028 : Unable to find serverside PPTP flow for clientside flow %F.

Location:
/var/log/ltm

Conditions:
GRE flows have expired, and an attempt was made to remove the PPTP serverside flow, but it could not be found. This probably occurred because the PPTP serverside flow had already been removed.

Impact:
None.

Recommended Action:
None.

01700029 : PPTP DSLITE-CALL-REQUEST id;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d

Location:
/var/log/ltm

Conditions:
The DSLITE client has sent an outgoing call request.

Impact:
This log entry is for information purposes only.

Recommended Action:
None.

01700030 : PPTP DSLITE-CALL-START id;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d

Location:
/var/log/ltm

Conditions:
The server has responded with an outgoing call reply indicating that the call was successful.

Impact:
This log entry is for information purposes only.

Recommended Action:
None.

01700031 : PPTP DSLITE-CALL-END id;%d reason;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d

Location:
/var/log/ltm

Conditions:
The DSLITE client control channel was terminated.

Impact:
This log entry is for information purposes only.

Recommended Action:
None.

01700032 : PPTP DSLITE-CALL-FAILED id;%d reason;%d from;%A%%%u,%A%%%u to;%A nat;%A%%%u ext-id;%d

Location:
/var/log/ltm

Conditions:
The DSLITE tunnel client outgoing call request failed.

Impact:
This log entry is for information purposes only.

Recommended Action:
None.

01740018 : Profile PCP error: Invalid operation for %s.

Location:
/var/log/ltm

Conditions:
An invalid operation was attempted on a PCP profile.

Impact:
This operation will not be performed.

Recommended Action:
None.

01740023 : Profile PCP error: PCP %s missing from message.

Location:
/var/log/ltm

Conditions:
A name was not provided for the PCP profile or prefix.

Impact:
You will need to provide a name for the PCP profile or prefix.

Recommended Action:
None.

01740036 : PCP: Invalid %s Option length, Expected %lu, Found %d - Client %A rtid %d

Location:
/var/log/ltm

Conditions:
Incorrect length of PCP filter, third party, or prefer failure, options.

Impact:
A PCP error response packet will be sent.

Recommended Action:
None.

01740039 : PCP Request: Client %A - OpCode %s(%d), Lifetime:%u, Packet Length:%lu

Location:
/var/log/ltm

Conditions:
A PCP request packet was received.

Impact:
None.

Recommended Action:
None.

017b0009 : IVS (connecting from parent %F): Internal virtual server %s received injected message %s with data %#x

Location:
/var/log/ltm

Conditions:
An unusual event occurred, indicating some kind of corner case was triggered (not necessarily an error).

Impact:
The internal virtual server received an internal message that did not originate in the parent virtual server, but was injected directly by TMM infrastructure. The message and an associated value are reported.

Recommended Action:
This is a debug message that is useful for debugging issues with an internal virtual server (IVS). If you were asked by F5 Support to set log.ivs.level to "debug" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.ivs.level below the "debug" level.

017c0003 : tmm IPsec: Tunnel down %A - %A

Location:
/var/log/ipsec.log

Conditions:
A tunnel's security association is expired or deleted and the tunnel is in a "DOWN" state.

Impact:
IPsec cannot pass ESP encapsulated packets through the tunnel.

Recommended Action:
Alter the configuration so that a new security association can be negotiated, such as in the case where a peer's configuration has also changed. In this case, you must change the configuration in order to match the peer's configuration).

017c0004 : tmm IPsec: Tunnel up %A - %A

Location:
/var/log/ipsec.log

Conditions:
A tunnel has switched to an "UP" state and has become usable because a security association for it is established.

Impact:
IPsec should be able to pass ESP encapsulated packets through the tunnel.

Recommended Action:
None.

017c0005 : listener binding ERR=%d %s listener %s %A:%d FAIL

Location:
/var/log/ipsec.log

Conditions:
An attempt was made to add an IKEv1 or IKEv2 listener for a tunnel.

Impact:
The IPsec tunnel does not work, and cannot pass traffic. When both IKEv1 and IKEv2 listeners try to use the same tunnel local IP address, the second attempt to add a listener fails, regardless of whether the listener is IKEv1 or IKEv2.

Recommended Action:
If you can determine that a configuration policy uses the same local IP address in tunnels for both IKEv1 and IKEv2, change the configuration so that the IKEv1 and IKEv2 listeners use different tunnel local IP addresses.

If something else is causing the problem, no workaround is known at this time.

Restarting the system should not be required, although doing so might clear up any confused state.

017c0006 : NOTE: avoid common IPsec v1 and v2 tunnel local addr

Location:
/var/log/ipsec.log

Conditions:
IKEv1 and IKEv2 might have been competing for the same local IP address. (A tunnel's local IP address should be used for IKEv1 or IKEv2 only, but not both.)

Impact:
The attempt to add a listener for a tunnel failed, due an existing listener being duplicated.

Recommended Action:
Check whether configurations for IKEv1 and IKEv2 accidentally use the same local IP address. Ensure that only one uses a given local IP address.

The fix should take effect immediately and a restart should not be required.

017c0007 : IPsec Tunnel UP destination(%A) source(%A) reqid(%d)

Location:
/var/log/ipsec.log

Conditions:
A tunnel has switched to an "UP" state and has become usable because a security association for the tunnel has been established.

Impact:
IPsec should be able to pass ESP encapsulated packets through the tunnel.

Recommended Action:
None.

017c0008 : IPsec Tunnel DOWN destination(%A) source(%A) reqid(%d)

Location:
/var/log/ipsec.log

Conditions:
A tunnel's security association is expired or deleted and the tunnel is in a "DOWN" state.

Impact:
IPsec cannot pass ESP encapsulated packets through the tunnel.

Recommended Action:
Alter the configuration so that a new security association can be negotiated, such as in the case where a peer's configuration has also changed. In this case, you must change the configuration in order to match the peer's configuration).

017e0004 : GTP: Failed to parse message err (%E) flow (%C)

Location:
/var/log/ltm

Conditions:
This may happen due to a malformed message or internal buffer operation error. This error is shown when there is failure in GTP message parsing. This error has an accompanying error that indicates the failure along the parsing process.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0005 : GTP: Failed to parse header extension err (%E)

Location:
/var/log/ltm

Conditions:
- GTP message version 1.
- GTP message contains invalid extension header, or there is failure in internal buffer operation.

This error is shown when there is a failure in extension header parsing. This error is accompanied by a different error that indicates the failure along the parsing process. This applies only to GTP message version 1.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0006 : GTP: Failed to parse element err (%E)

Location:
/var/log/ltm

Conditions:
This may happen due to malformed message or internal buffer operation error. This error is shown when there is a failure in element parsing. This error is accompanied by a different error that indicates the failure along the parsing process.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0007 : GTP: Failed to parse group element err (%E) internal parent id (%u)

Location:
/var/log/ltm

Conditions:
- GTP message contains group element
- GTP message version 2

This error is shown when there is failure in group element parsing. This error is accompanied by a different error that indicates failure of the inner element parsing. This applies only to GTP message version 2.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0008 : GTP: Failed to allocate message err (%E)

Location:
/var/log/ltm

Conditions:
This error is shown when there is a failure in internal buffer allocation.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0009 : GTP: Failed to pullup (%d) bytes err (%E)

Location:
/var/log/ltm

Conditions:
This error is shown when there is a failure in internal buffer pullup operations.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0010 : GTP: Failed to move (%d) bytes err (%E)

Location:
/var/log/ltm

Conditions:
This error is shown where there is a failure in internal buffer move operations.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0011 : GTP: Failed in header cache err (%E) type (%u) len (%u)

Location:
/var/log/ltm

Conditions:
This error is shown when there is a failure in the internal parser cache.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0012 : GTP: End of header contains invalid byte (%u)

Location:
/var/log/ltm

Conditions:
- GTP message version 1
- GTP message contains a non-zero byte at the end-of-header

This error is shown when GTP message contains invalid end-of-header byte. This applies only to GTP version 1.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0013 : GTP: Version (%u) is invalid

Location:
/var/log/ltm

Conditions:
This error is shown when GTP message contains an invalid version (i.e., a version field value other than 1 or 2).

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0014 : GTP: Element type (%u) is invalid or not supported

Location:
/var/log/ltm

Conditions:
- GTP message contains an invalid element type (zero) or an element type that is not yet supported.
- GTP message version 1.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0015 : GTP: Message len (%u) does not match buffer len (%u)

Location:
/var/log/ltm

Conditions:
GTP message length field does not match the actual amount of data.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0016 : GTP: Element to be parsed len (%u) does not match buffer len (%u)

Location:
/var/log/ltm

Conditions:
GTP message is malformed, for example, the element length field may be greater than the remaining data.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0017 : GTP: Payload offset (%u) + len (%u) does not match buffer len (%u)

Location:
/var/log/ltm

Conditions:
This error is shown when the GTP payload is updated and the final buffer length does not match the expected value. This is likely an internal issue.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0018 : GTP: Message received (%u) is too short, expect %lu

Location:
/var/log/ltm

Conditions:
GTP message is less than the minimum message size.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0019 : GTP: Header length (%u) is too short, expect %lu

Location:
/var/log/ltm

Conditions:
- GTP message containing a header that is too short in length.

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0020 : GTP: Number of elements (%lu) is beyond the limit (%lu)

Location:
/var/log/ltm

Conditions:
The GTP message contains a very large number of elements (for example, more than 1024 elements).

Impact:
GTP message and connection are dropped.

Recommended Action:
N/A

017e0021 : GTP: Number of BCD digits (%d) is higher than limit (%lu)

Location:
/var/log/ltm

Conditions:
This error is shown when there is an attempt to set or add new type BCD GTP information elements (IE) that have a number of digits higher than safety limit set internally. The limit is usually set to be very high to prevent odd values.

Impact:
BCD value containing too many digits is blocked.

Recommended Action:
N/A

01810004 : %s

Location:
/var/log/ltm

Conditions:
This is a generic error message that could indicate a variety of error conditions related to the guestagentd daemon, which runs on vCMP guests.

Impact:
Impact varies depending on the specified error string. The error string itself will provide additional information about impact. In general the impact of guestagentd errors will be that host<->guest stat channel communication might not work properly, and host mounted ISOs might not show up in the guest.

A few examples:
"Error on vmchannel respawn. Vmchannel will be unavailable."
"Failed to initialize REST server."
"Failure getting lock on vcmp shared memory prompt block while attempting to pass token to host:"
"error forking vmchannel proxy process: "

Recommended Action:
Workaround varies depending on the specified error string. The error string itself might provide information about possible workaround.

Restarting guestagentd in the guest (bigstart restart guestagentd) might help resolve the errors. A full restart of the guest might also resolve the issues.

01810007 : "%s"

Location:
/var/log/ltm

Conditions:
This message can appear under a few different conditions.

"Constructing a new GuestAgentDHeartbeat"
This informational log means that guestagentd is setting up its heartbeat.

"Exit flags for PID 9676: 0x500"
This informational log means that one of the child processes called by guestagentd has exited, and outputs the PID and exit flags of that process.

"Rest request failed: {"code":400,"message":"Duplicate item. Key already exists: name : auth-token-admin","originalRequestBody":"{\"uuid\":\"bc6a86e0-c285-46dd-9c77-d5ed85436f67\",\"user\":{\"link\":\"https://localhost/mgmt/shared/authz/users/admin\"},\"timeout\":300,\"address\":\"127.0.0.1\",\"generation\":1,\"lastUpdateMicros\":1401988953031700,\"kind\":\"shared:authz:tokens:authtokenitemstate\",\"selfLink\":\"https://localhost/mgmt/shared/authz/tokens/bc6a86e0-c285-46dd-9c77-d5ed85436f67\"}","referer":"/127.0.0.1:38280","restOperationId":145308,"errorStack":["java.lang.IllegalArgumentException: Duplicate item. Key already exists: name : auth-token-admin","at com.f5.rest.common.RestCollectionWorker.onRequest(RestCollectionWorker.java:533)","at com.f5.rest.common.RestServer.trySendInProcess(RestServer.java:234)","at com.f5.rest.common.RestRequestSender.send(RestRequestSender.java:498)","at com.f5.rest.common.RestRequestSender.sendRequest(RestRequestSender.java:430)","at com.f5.rest.common.RestRequestSender.s"
This log indicates an error condition means that a REST request used by the host-guest stat communication channel has failed for the reason specified.

"Unable to open prompt status device. It may not be supported by current hypervisor"
This error log means the guest prompt status might not work due to an unsupported hypervisor.

Impact:
Most of these messages just provide information. The rest of the request failed messages might indicate a problem with the host/guest stats communication, the sharing of host and guest statistics, and the use of block-device-images in the guest. A prompt status message means that the status of the guest prompt will not show up in the hypervisor.

Recommended Action:
None.

01810008 : %s

Location:
/var/log/ltm

Conditions:
These messages provide supplementary information when guestagentd debug logging is enabled. They do not indicate an error condition.

"Registering child callback for PID: X"
"X seconds elapsed since last hb"
"Primary slot ID: X"
"Got token: "
"Receiving update for image from a different slot (0), or we don't know our slot yet. Ignoring..."
"Software block device image deleted by MCP: "
"Removal of software block device image"
"Software block image from MCP added: "
"Receiving update for hotfix from a different slot"
"Software block device hotfix deleted by MCP: "
"Removal of software block device hotfix"
"Software block hotfix from MCP added: "
"Deleting the Heartbeat object"

Impact:
None.

Recommended Action:
None.

01820004 : %s

Location:
/var/log/ltm

Conditions:
This message can indicate a few different issues related to the host/guest communication channel.

Impact:
"Pending guest rest request count exceeds threshold.Clearing pending request queue."
This informational log indicates that there are too many REST requests for the host/guest communication, and that the queue is being cleared.

"Unable to copy from hal token segment: "
This error log indicates that hostagentd was unable to read the hal token in order to read guest stats. Guest stats might not be visible on the hypervisor.

"Unable to subscribe to stats directory: cluster"
This message indicates that hostagentd was unable to subscribe to the specified stat directory, and that it will try again. Stats from the specific directory might not be available.

Recommended Action:
None.

01830003 : Unable to find a flow for remote vtep %A%%%u, tunnel name = %s.

Location:
/var/log/ltm

Conditions:
A network virtualization tunnel (for example, VXLAN, NVGRE) is unable to find a suitable flow to send packets to a remote endpoint.

Impact:
The packets for a remote endpoint are dropped.

Recommended Action:
The recommendation is to check the configurations of a network virtualization tunnel and make sure that the corresponding tunnel FDB records are configured properly.

01830004 : Tunnel output has a potential loop for remote endpoint %A%%%u, tunnel name = %s.

Location:
/var/log/ltm

Conditions:
A tunnel output has a potential loop inside the TMM for a remote endpoint.

Impact:
The packets for a remote endpoint are dropped.

Recommended Action:
The recommendation is to check the configurations (for example, tunnel's remote-address, route settings) and make sure that there is no ill-formed routing loop inside the TMM caused by the configurations.

01850027 : MR: Proxy missing for %s %s

Location:
/var/log/ltm

Conditions:
When attempting to create an outgoing connection, a preloaded proxy was not found (for the specified virtual or transport-config).

Impact:
The system is unable to create an outgoing connection for forwarding a route to the specified endpoint. The message will fail routing and be returned to the originating connection.

Recommended Action:
None.

01850028 : MR: Message drop due to wrong Hop-by-Hop ID (%u)

Location:
/var/log/ltm

Conditions:
The wrong Hop-by-Hop ID is returned by the peer.

Impact:
Peer response is dropped.

Recommended Action:
Check the peer that sends the wrong Hop-by-Hop ID.

01850028 : MR: Message dropped due to wrong Hop-by-Hop ID (%u) or End-to-End ID (%u)

Location:
/var/log/ltm, CLI

Conditions:
MR Diameter is trying to process a message that does not have a matching Hop-by-Hop ID and End-to-End ID in the queue, resulting in the message being dropped.

Impact:
MR Diameter requires the Hop-by-Hop ID and the End-to-End ID to match entries in the queue to correctly process messages.

Recommended Action:
Verify Diameter traffic is not being modified externally or by an iRule, causing the Hop-by-Hop or End-to-End ID to have an unexpected change. If needing to modify the values in an iRule, make sure they are changed back to the original value before egress.

01850033 : MR: Message dropped because ingress queue full (flow %F)

Location:
/var/log/tmm

Conditions:
The number of ingress messages in the MR proxy has exceeded the configured limit in the MR router, and the IP protocol in transport-config is UDP.

Impact:
The message is silently dropped.

Recommended Action:
Ensure that the ingress message queue limit is configured based on the user setup. Note that a large queue size results in increased memory usage.

01850034 : MR: Ingress buffer full, closing TCP window (flow %F)

Location:
/var/log/tmm

Conditions:
The MR proxy is closing the TCP window because the ingress queue is full.

Impact:
The TCP window is closed until the messages in the queue are processed and the number of messages in the queue falls below the configured limit.

Recommended Action:
You can take these actions: 1) Adjust the ingress queue configuration in the MR router according to the traffic conditions seen in customer setups, and 2) Use this informational message for debugging, if you are experiencing connection hang scenarios. Note that configuring a large increase in queue size might result in increased memory usage.

01850035 : MR: Ingress buffer draining, opening TCP window (flow %F)

Location:
/var/log/tmm

Conditions:
An MR proxy is opening a TCP window because the number of messages in the ingress queue is falling below the configured limit.

Impact:
A TCP window that the MR proxy initially closed due to queue fill-up is opened again and the processing of incoming data continues.

Recommended Action:
Use this informational message for debugging, if you are experiencing connection hang scenarios.

01850036 : MR: Passthru_mode state %s side connection: %F is torn down or aborted, reason: %lE

Location:
/var/log/ltm

Conditions:
An MRF session profile is configured with "passthru-mode" enabled, and a virtual server using that profile has received data that appears to be non-protocol-compliant. The server-side of the connection has failed to respond or has torn down a connection request.

Impact:
The flow will be torn down towards the client side.

Recommended Action:
None.

01850037 : MR: Server side connection %F is established and in passthru_enabled state

Location:
/var/log/ltm

Conditions:
An MRF session profile is configured with "passthru-mode" enabled, and a virtual server using that profile has received data that appears to be non-protocol-compliant.

Impact:
The connection in question has been changed to passthru-mode automatically; data received on it will be passed without modification.

Recommended Action:
Turn off passthru-mode if this is not desired behavior.

01850038 : MR: Router %s iRule scope is per %s

Location:
/var/log/ltm

Conditions:
The scope of iRule execution has changed for the protocol managed by this message router. This is controlled by an attribute in the router profile.

Impact:
iRules execute within context that exists within a scope. Tcl variables are visible and shared throughout the scope, and only one iRule event executes at a time within the scope. Traditionally, the scope of an iRule is a connection flow. Some message routing protocols allow the iRule scope to be the message, meaning that different messages on the same connection flow have their own copies of variables and may execute concurrently. The scope is either "flow" (legacy) or "message".

Recommended Action:
Set log.mr.level to "notice" or above. Provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.mr.level below the "notice" level.

01850039 : MR: Diameter: Performing dynamic route lookup, destination host %.*s

Location:
/var/log/tmm

Conditions:
Dynamic routing has been enabled, and a query is being issued to SessionDB for the proper route. This message is issued for every dynamic route lookup.

Impact:
None. This is an informational message only.

Recommended Action:
None.

0185003a : MR: Diameter: Dynamic route lookup failed for %.*s (Reason: %E)

Location:
/var/log/tmm

Conditions:
Dynamic routing is enabled and a dynamic routing lookup has returned "no route found".

Impact:
Routing for this message will continue with a static routing lookup.

Recommended Action:
If err is "Not found", this is a normal result and no action is necessary.

0185003b : MR: Diameter: Dynamic route added for %.*s

Location:
/var/log/ltm

Conditions:
A dynamic route has been added, because a new Diameter peer has connected to a virtual server using a Diameter session profile that is configured with "dynamic-routing-insertion enabled".

Impact:
None. This is an informational message only.

Recommended Action:
None.

0185003c : MR: Diameter: Dynamic route for %.*s set to delete in %d seconds

Location:
/var/log/ltm

Conditions:
A dynamic route has been marked for expiry, because the connection that created it has closed.

Impact:
None. This is an informational message only.

Recommended Action:
None.

0185003d : MR: Diameter: Dynamic route for %.*s deleted

Location:
/var/log/ltm

Conditions:
A dynamic route has been deleted, because it has expired its timeout after the connection closed.

Impact:
None. This is an informational message only.

Recommended Action:
None.

0185003e : MR: Diameter: Dynamic route for %.*s updated, generation %d

Location:
/var/log/ltm

Conditions:
A dynamic route has been updated because a new connection was received (same hostname) before a prior route timed out for deletion.

Impact:
None. This is an informational message only.

Recommended Action:
None.

0185003f : MR: Priority set by the iRule MR::message priority, %d is out of range [1-4]. Changing it to the default value %d

Location:
The message appears in /var/log/tmm.

Conditions:
The priority of the message in the iRule 'MR::message priority' is out of range. The supported values are 1 through 4.

Impact:
If the priority of the message set by the iRule 'MR::message priority' is out of range, the system sets the priority to 1, which is the default value.

Recommended Action:

01850040 : MR: RATELIMIT Traffic rate in %s, crossed %s %s of configured threshold on %s

Location:
/var/log/ltm

Conditions:
When mr-ratelimit profile is configured and the traffic rate limits change based on the thresholds configured in this profile.

Impact:
If mr-ratelimit profile is configured, based on the current traffic rate limit, rate limiting actions get applied.

Recommended Action:

01850041 : MR: RATELIMIT message id %llu delayed on %s

Location:
/var/log/ltm

Conditions:
When mr-ratelimit profile is configured and a message gets delayed as part of the rate limiting.

Impact:
Rate limiting action 'DELAY' gets applied and the message processing is delayed.

Recommended Action:

01850042 : MR: RATELIMIT message id %llu returned on %s

Location:
/var/log/ltm

Conditions:
When mr-ratelimit profile is configured and a message is returned as part of the rate limiting operation.

Impact:
Rate limiting action 'RETURN' gets applied and the message is returned.

Recommended Action:

01850043 : MR: RATELIMIT message id %llu dropped on %s

Location:
/var/log/ltm

Conditions:
When mr-ratelimit profile is configured and a message is dropped as part of the rate limiting operation.

Impact:
Rate limiting action 'DROP' gets applied and the message is dropped.

Recommended Action:

01850044 : MR: RATELIMIT message id %llu dropped due to exceeding delay on %s

Location:
/var/log/ltm

Conditions:
If mr-ratelimit profile is configured and a message exceeds timeout after the rate limiting action 'DELAY' is applied.

Impact:
The message gets dropped.

Recommended Action:

01850046 : MR: RATELIMIT slot %d : accumulated count : %ld

Location:
/var/log/ltm

Conditions:
When message routing (mr) ratelimit profile is configured and the traffic rate crosses above/below different limits, such as limit-50, limit-75, limit-90, and limit-100.

Impact:
Based on the current traffic rate and the configuration in the attached mr ratelimit profile, appropriate ratelimit actions are applied on the messages

Recommended Action:

01850047 : MR: RATELIMIT total count : %d

Location:
/var/log/ltm

Conditions:
When the message-routing (mr) profile mr-ratelimit is configured ,and the traffic rate crosses above/below different limits, such as limit-50, limit-75, limit-90, and limit-100.

Impact:
Based on the current traffic rate and the configuration in the attached mr ratelimit profile, appropriate ratelimit actions are applied on the messages

Recommended Action:

01850048 : MR: Wrong pmbr_rem value is calculated. pmbr_rem: %lu, total active npus: %u

Location:
/var/log/ltm

Conditions:
MRF diameter setup, in the peer profile, 'auto-initialization' and 'per peer' mode are enabled, but no connection attempts towards the pool member occur because when the pmbr_rem value is greater than the tmm_total_active_npus, the code is unable to assign the correct tmm* to take the responsibility to establish the connection to the client.

When the mode is switched to 'per tmm' or 'per blade', connections are established.

Impact:
The 'per peer' setting does not work.

This debug log message is reported when the pmbr_rem value is greater than the tmm_total_active_npus, which should not happen in a typical scenario. The pmbr_rem and tmm_total_active_npus values depend on tmm_cmp_node.pg and tmm count which is hardware specific.

Recommended Action:
Switch the connection mode to 'per tmm' or 'per blade'.

01860000 : MR SIP: %s returned error: %lE

Location:
/var/log/ltm. May be changed by user

Conditions:
SIP processing issued a debugging log message.

Impact:
None.

Recommended Action:
None.

01860001 : MR SIP: %s

Location:
/var/log/ltm. May be changed by user

Conditions:
SIP encountered a major error.

Impact:
The system might not be processing SIP traffic.

Recommended Action:
Restart the system if SIP traffic is not being processed. Please contact F5 Support for assistance with this error if it occurs again.

01860002 : MR SIP: Missing header %s in the message

Location:
Defaults to /var/log/ltm. May be changed by user

Conditions:
A SIP message was encountered that was missing the specified required header.

Impact:
The SIP message will not be processed.

Recommended Action:
Remove the source of defective SIP messages.

01860003 : MR SIP: Decrypt branch parameter failed with error : %lE

Location:
/var/log/tmm

Conditions:
The BIG-IP system encountered an error while decrypting a branch paramater in a via to a SIP message.

Impact:
The message will not be processed.

Recommended Action:
None.

01860004 : MR SIP: Encrypt branch parameter failed with error : %lE

Location:
/var/log/tmm

Conditions:
The BIG-IP encountered an error while encrypting a branch paramater to add a via to a SIP message.

Impact:
The SIP Message will not be sent out of the BIG-IP system.

Recommended Action:
None.

01860005 : MR SIP: %s

Location:
Defaults to /var/log/ltm. May be changed by user

Conditions:
This is not currently used.

Impact:
None.

Recommended Action:
None.

01860006 : MR SIP: Invalid config attribute %s in profile %s

Location:
/var/log/ltm. May be changed by user

Conditions:
An invalid setting for the specified configuration item has been found in the profile.

Impact:
The part of the configuration that is noted as invalid and will not be functional.

Recommended Action:
Correct the invalid part of the configuration.

01860007 : MR SIP: Generated response was not sent '%d - %s' (%F)

Location:
/var/log/tmm

Conditions:
While processing a SIP Request, a SIP Protocol error response condition was encountered in the BIG-IP system. An error response was not sent, either due to the configuration or the error is unrecoverable.

Impact:
The SIP request will not be sent out of the BIG-IP system.

Recommended Action:
Check the status of the configuration item generate response on error.

01860008 : MR SIP: Generated response SENT '%d - %s' (%F)

Location:
/var/log/tmm

Conditions:
While processing a SIP Request, a SIP Protocol error response was generated by the BIG-IP system and sent to the requestor.

Impact:
The SIP request will not be sent out of the BIG-IP system.

Recommended Action:
Rectify the issue that caused the issue.

01860009 : MR SIP: Media flow creation (%F)<->(%F) failed due to collision

Location:
/var/log/tmm

Conditions:
The desired media flow endpoints are in use.

Impact:
The media flow was not created.

Recommended Action:
Try to establish the media flow again.

0186000a : MR SIP: Parse error reading number for %s value near %d. Status Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
MRF SIP parser encountered a invalid number when parsing a SIP message.

Impact:
The invalid SIP message will not be processed. If the message is a SIP Request, an error response will be sent if configured.

Recommended Action:
Remove the source of the invalid SIP messages.

0186000b : MR SIP: Parse error bad sip protocol version in headline near %d. Status Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
The SIP parser encountered a message with an invalid or unsupported SIP protocol version in a message Headline.

Impact:
The message will not be processed.

Recommended Action:
Eliminate the messages containing invalid or unsupported SIP protocol version in a message Headline.

0186000c : MR SIP: Parser error invalid or malformed uri in headline near %d. Status Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
SIP Parser parses a SIP message containing a URI that can not be handled.

Impact:
The message will not be processed. If the message is a SIP Request, a 416 error response message will be sent if configured.

Recommended Action:
Eliminate the source of SIP messages that have URI's that cannot be handled.

0186000d : MR SIP: Parser error invalid headline near %d. Status Code %d

Location:
/var/log/tmm

Conditions:
SIP Parser encountered a SIP message with an invalid headline.

Impact:
The SIP message will not be processed.

Recommended Action:
Eliminate the source of invalid SIP messages.

0186000e : MR SIP: Parser error too many header near %d. Status Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
MR SIP parser encountered a message with more header lines than the configured maximum.

Impact:
The message will not be processed. If the message is a request, a 413 error response will be sent if configured.

Recommended Action:
Increase the limit on number of headers or eliminate the source of messages with too many headers.

0186000f : MR_SIP: Parser error extraneous header field near %d. Status Code %d

Location:
/var/log/tmm

Conditions:
SIP Parser encounters a header that has too many fields.

Impact:
The message will not be processed. If the message is a request, a 400 error response will be sent if configured.

Recommended Action:
Eliminate the source of the defective SIP messages.

01860010 : MR_SIP: Parser error header too large near %d. Status Code %d

Location:
/var/log/tmm

Conditions:
MR SIP Parser encounter a message with a header line that is too long.

Impact:
The defective message will not be processed. If the message is a request, a 413 error response will be sent if configured.

Recommended Action:
Eliminate the source of the message with overly long header lines. The max header size and max message size can be increased.

01860011 : MR_SIP: Parser error missing header code %d. Status Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
The SIP parser has encountered a message that is missing a required header.

Impact:
SIP will not process the faulty message. A 400 error response will be sent if the message is a request and this option is configured.

Recommended Action:
Eliminate the source of the defective messages.

01860012 : MR_SIP: Parser error CSEQ method does not match headline tag %s : %s. Status Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
The BIG-IP system parses a SIP Request where the method in the CSEQ line does not match.

Impact:
The BIG-IP system does not process the faulty SIP Request.

Recommended Action:
None.

01860013 : MR_SIP: Parser max-forwards value has reached zero. Status Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
A SIP Request message is parsed that has has exceeded the allowed number of max-forwards.

Impact:
The Request will not be processed. If configured, a 483 Response message will be generated and returned to the Request Sender.

Recommended Action:
Do not send SIP Requests that exceed the allowed number of max-forwards.
Reconfigure the BIG-IP system to disable the max-forwards check.

01860014 : MR_SIP: Server in maintence mode. Status Code 503

Location:
/var/log/ltm. May be changed by user

Conditions:
A SIP Message was received when maintenance mode was configured.

Impact:
The SIP Message will not be processed. If configured, a 503 response will be generated.

Recommended Action:
Reconfigure the BIG-IP system and remove the maintenance mode setting.

01860015 : MR_SIP: Loop detected. Status code 482

Location:
/var/log/ltm. May be changed by user

Conditions:
The SIP message processing detected a loop in SIP network routing.

Impact:
The SIP Request will not be processed. If configured, a 482 response will be generated.

Recommended Action:
Correct the SIP network topology to eliminate routing loops.

01860016 : MR_SIP: Missing Media Connection atributes. Status Code 488

Location:
/var/log/ltm. May be changed by user

Conditions:
A SIP Message containing SDP lacking connection attributes was encountered.

Impact:
The SIP message will not be processed. If configured, a 488 response will be generated.

Recommended Action:
Do not allow invalid SIP messages to flow into the BIG-IP system.

01860017 : MR_SIP: Too many media sessions %d / %d. Error Code %d

Location:
/var/log/ltm. May be changed by user

Conditions:
Too many SIP media sessions have been established for the current configuration.

Impact:
SIP media session will be denied. A 488 SIP response message will be sent if configured.

Recommended Action:
Wait for media session load to decrease or modify the configuration to increase the allowed SIP media sessions.

01860018 : MR_SIP: Ingress message queue full, current message dropped (flow %K)

Location:
/var/log/ltm

Conditions:
Messages are being received faster than they can be processed. There is asynchronous iRule processing occurring during a SIP or MR iRule event, and while the iRule script is running, additional messages are received.

Impact:
Once the queue exceeds the limit, additional messages are dropped.

Recommended Action:
Rewrite the iRule script to avoid asynchronous operations.

01860019 : MR_SIP: Ingress message queue full, closing TCP window (flow %K)

Location:
/var/log/ltm

Conditions:
Messages are being received faster than they can be processed. There is asynchronous iRule processing occurring during a SIP or MR iRule event, and while the iRule script is running, additional messages are received.

Impact:
Once the queue exceeds the limit, the TCP window begins to close.

Recommended Action:
Rewrite the iRule script to avoid asynchronous operations.

0186001a : MR_SIP: Ingress message queue draining, opening TCP window (flow %K)

Location:
/var/log/ltm

Conditions:
Messages are being processed faster than they are being received.

Impact:
The TCP window is reopened.

Recommended Action:
None.

01860026 : MR SIP: invalid address: %A

Location:
/var/log/ltm

Conditions:
Traffic has been sent to an invalid address.

Impact:
Traffic cannot be sent to an invalid address.

Recommended Action:
None.

01860027 : MR SIP: Rejecting SIP registration request due to PBA Block timeout blackout. %d seconds left in block, %d-second blackout period

Location:
/var/log/tmm

Conditions:
A SIP ALG is configured with an LSN pool in PBA mode with a block timeout. A registration request is received by the BIG-IP system when the timeout of the active PBA block is too close.

Impact:
The SIP registration request is rejected by the BIG-IP system. A SIP failure response will be generated by the BIG-IP system, if configured. This message is logged if the log is configured to do so.

Recommended Action:
Reconfigure the BIG-IP system so that there is not an LSN pool in PBA mode with a block timeout being used by a SIP ALG.

01860028 : MR SIP: Backdown of SIP registration request expiry due to PBA Block timeout. %d -> %d in message

Location:
/var/log/tmm

Conditions:
A SIP ALG is configured with an LSN pool in PBA mode with a block timeout. A registration request is received by the BIG-IP system when the remaining timeout of the active PBA block is less than the requested expiration time of the registration.

Impact:
The SIP register request will be re-written so that the expiration is less than the remaining timeout of the active PBA block.

Recommended Action:
Reconfigure the BIG-IP system so that there is not an LSN pool in PBA mode with a block timeout being used by a SIP ALG.

01860029 : MR SIP: Re-writing SIP REGISTER response expiration value from registrar due to PBA Block timeout. %d -> %d

Location:
/var/log/tmm

Conditions:
A SIP ALG is configured with an LSN pool in PBA mode with a block timeout. A registration response is received by the BIG-IP system when the timeout of the active PBA block is less then the expiration value of the registration response.

Impact:
The SIP register response will be re-written so the expiration is less than the remaining timeout of the active PBA block.

Recommended Action:
Reconfigure the BIG-IP system so that there is not an LSN pool in PBA mode with a block timeout being used by a SIP ALG.

0186002a : MR_SIP: Non-SIP message received. Client connection %F is in fail_open_enabled state

Location:
/var/log/ltm

Conditions:
The fail-open configuration in SIP ALG virtual is turned on, and the first message is a non-SIP message.

Impact:
The client side's connection is in fail-open mode. The non-SIP traffic will pass-through this connection.

Recommended Action:
Turn off the fail-open mode configuration in the SIP ALG session profile.

0186002a : MR_SIP: Non-SIP message received. Client connection %F is in passthru_enabled state

Location:
TMM log file.

Conditions:
A connection through a SIP message-routing ALG-mode profile has flipped into the "passthru" mode.

Impact:
Traffic on this flow will not be subject to normal SIP processing.

Recommended Action:
None. If "passthru" mode is undesired, turn off the passthru-enabled setting on the SIP MRF ALG profile.

0186002b : MR_SIP: Server side connection %F is established and in fail_open_enabled state

Location:
/var/log/ltm

Conditions:
The fail-open configuration is turned on in SIP ALG session profile, and the first message is a non-SIP message.

Impact:
The fail-open mode server side connection will be established.

Message is informational only

Recommended Action:
None.

0186002b : MR_SIP: Server side connection %F is established and in passthru_enabled state

Location:
TMM log file. This message should come shortly after a message 0186002a.

Conditions:
The server-side connection for the passthru flow has been established successfully.

Impact:
Traffic on this flow will not be subject to normal SIP processing.

Recommended Action:
None. If this is undesired, turn off the passthru-enabled setting on the SIP MRF ALG profile.

0186002b : MR_SIP: Media flow creation (%F)<->(%F), flow index %u, timeout %u s

Location:
/var/log/ltm

Conditions:
A new SIP media flow has been created.

Impact:
The client and server flow keys are reported, along with a flow index (identifies flows associated with the subscriber) and a timeout in seconds. This aids debugging by allowing correlation of media flow creations and deletions.

Recommended Action:
Make sure to set the system BigDB variable "log.mrsip.level" to "notice" or above, and provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the DB variable to a value below the "notice" level.

0186002c : MR_SIP: Fail_open_enabled state %s side connection: %F is torn down or aborted, reason: %lE

Location:
/var/log/ltm

Conditions:
The fail-open configuration is turned on in ALG SIP virtual and the fail-open is turned on in SIP session profile.

Impact:
The fail-open connection is torn down or aborted, with the reason specified in the log.

Recommended Action:
None.

0186002c : MR_SIP: Passthrough_enabled state %s side connection: %F is torn down or aborted, reason: %lE

Location:
/var/log/tmm

Conditions:
A SIP MRF ALG passthru connection has ended or has been aborted.

Impact:
The flow is now closed.

Recommended Action:
None. If this is undesired, turn off the passthru-enabled setting on the SIP MRF ALG profile.

0186002c : MR_SIP: Media flow creation (%F)<->(%F) failed with error: %lE

Location:
/var/log/ltm

Conditions:
SIP media flow creation has failed.

Impact:
The media flow is not established and media content does not flow. The attempted client and server flow keys are reported along with a reason for the error.

Recommended Action:
Check your configuration and system setup to see if misconfiguration or a network issue is preventing creation of the media flow. Examine the log file for other messages preceding this concerning the same flow. If you cannot discern the cause with the information in this and other log messages, provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.mrsip.level below the "notice" level.

0186002d : MR_SIP: Media flow deletion (%F)<->(%F)

Location:
/var/log/ltm

Conditions:
A SIP media flow has been deleted.

Impact:
This message aids debugging by allowing correlation of media flow creations and deletions. The SIP media flow's client and server flow keys are reported.

Recommended Action:
Set log.mrsip.level to "notice" or above. Provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.mrsip.level below the "notice" level.

0186002e : MR_SIP: Subscriber registration created: subscriber URI %s

Location:
/var/log/ltm

Conditions:
A new SIP subscriber has been registered.

Impact:
This message aids debugging by allowing correlation of registrations and deletions of registrations. The subscriber URI is reported.

Recommended Action:
Set log.mrsip.level to "notice" or above. Provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.mrsip.level below the "notice" level.

0186002f : MR_SIP: Subscriber registration deleted: subscriber URI %s

Location:
/var/log/ltm

Conditions:
A SIP subscriber registration has been deleted.

Impact:
This message aids debugging by allowing correlation of deletions with registrations. The subscriber URI is reported.

Recommended Action:
Set log.mrsip.level to "notice" or above. Provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.mrsip.level below the "notice" level.

01860030 : MR_SIP: Subscriber registration updated: subscriber URI %s, lifetime %u s

Location:
/var/log/ltm

Conditions:
An existing SIP subscriber registration has been updated.

Impact:
This message aids debugging by allowing correlation of registrations and deletions of registrations. The subscriber URI is reported, along with the lifetime in seconds.

Recommended Action:
Set log.mrsip.level to "notice" or above. Provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.mrsip.level below the "notice" level.

01860031 : MR_SIP: Non-Registered Subscriber registration created: subscriber URI %s

Location:
/var/log/ltm

Conditions:
The system db variable "log.mrsip.level" is set to 'notice' and an INVITE is received from an unregistered SIP client and 'unregistered-subscribe-callout' is enabled in the siprouter_profile.

Impact:
This log event is written to assist with debugging. This notice-level log event is written to /var/log/ltm when a temporary user registration is create by MRF SIP ALG with SNAT logic.

Recommended Action:
None.

01860032 : MR_SIP: Non-Registered Subscriber registration updated: subscriber URI %s, lifetime %u s

Location:
/var/log/ltm

Conditions:
The system db variable "log.mrsip.level" is set to 'notice' and a subsequent INVITE is received from an unregistered SIP client and 'unregistered-subscribe-callout' is enabled in the siprouter_profile.

Impact:
This log event is written to assist with debugging. This notice-level log event is written to /var/log/ltm when a temporary user registration is updated by MRF SIP ALG with SNAT logic.

Recommended Action:
None.

01860034 : MR_SIP: Routing to topmost Route Header address and port: %A:%d

Location:
/var/log/ltm

Conditions:
-- Log level of MRSIP is set to debug.
-- Message Routing SIP Session Profile configured with 'honor-route-header enabled', 'insert-record-route-header enabled', and 'persist-type none'.
-- SIP Request messages received containing Route headers.

Impact:
This log message is at the debug level because it is a normal occurrence with 'honor-route-header enabled'. However, because any SIP element in the path of a SIP message may add a Record-Route header, which is then added as a Route header to subsequent requests by a UAC or UAS, the messages may be routed to unreachable or undesired destinations. This log message serves as a tool to see the destination value obtained from the Route header that the BIG-IP system is attempting to route the message to.

Recommended Action:
If messages are found to be frequently unroutable, you can do the following:

-- Change the configuration to 'honor-route-header disabled' to return the BIG-IP system to its default routing method.

-- Disable/enable Record-Route header insertion on other network elements that would help result in proper routing when following the Route header values.

Note: Disabling 'honor-route-header' results in a system that is less compliant with RFC 3261.

01860035 : MR_SIP: %s mode with SIP ALG

Location:
/var/log/ltm

Conditions:
An LTM virtual server containing SIP ALG with source address translation as None is not supported a Global SNAT profile.

Impact:
SIP ALG works with LSN. Other translation modes are not supported.

Recommended Action:
None

01890008 : Postgres stopped with a non-zero status (%d).

Location:
/var/log/ltm

Conditions:
When pgadmind shuts down postgres with errors, the following message will be logged:
"Postgres stopped with a non-zero status (<postgres_exit_code>)"

Exit code = 1 means a fatal error occurred, which could be caused by errors like "out of memory", "no space left on device", etc.

Refer to postgres documentation to get more information about exit codes.

Impact:
Modifying a firewall-related configuration in mcpd database could be a problem.

Recommended Action:
1. Execute bigstart restart pgadmind mcpd.
2. Inspect /var/log/ltm file for messages from postgres.

0189000b : Shutting down postgres.

Location:
/var/log/ltm

Conditions:
When postgres is shutting down by pgadmind, the following notice message will be logged.

"pgadmind: 0189000b:5 Shutting down postgres."

Impact:
None.

Recommended Action:
None.

018e0002 : %s

Location:
/var/log/ltm

Conditions:
This message is generated when the sdmd daemon exits normally, for example, by using "bigstart restart sdmd", or, when the ILX feature changes from the state of being provisioned to not being provisioned.

Impact:
The sdmd daemon manages Node.js processes for the iRulesLX feature. If sdmd is not running, then the iRulesLX feature is not operational.

Recommended Action:
If ILX is provisioned, and sdmd is not running, from the BIG-IP shell, enter "bigstart start sdmd".

018e0005 : Exiting, received shutdown signal

Location:
/var/log/ltm

Conditions:
This message is generated when the sdmd daemon receives a sigint, sigterm, or sigquit signal. This will happen normally when the sdmd daemon is stopped or restarted by using the bigstart command, bigstart restart sdmd, bigstart stop sdmd, or when the ILX feature is unprovisioned. The sdmd daemon logs this message during a normal shutdown.

Impact:
The sdmd daemon supports the iRulesLX feature. If the sdmd daemon is not running, iRulesLX is not operational.

Recommended Action:
If ILX is provisioned and the sdmd deamon is not running, from the BIG-IP shell enter "bigstart start sdmd".

018e0017 : %s

Location:
/var/log/ltm
If the ILX plugin extension is configured with ilx-logging enabled, the log message goes to /var/log/ilx/<partition>.<Plugin>.<extension>.

Conditions:
This is a log message generated by an iRulexLX Node.js plugin process that writes to stdout, using the Node.js console.log() API. The F5 sdmd daemon captures all stdout from the Node.js process, and logs it using the BIGIP_SDMD_SDMD_PLUGIN_LOG_MSG_INFO message.

Impact:
User defined.

Recommended Action:
User defined.

018e001d : %s

Location:
/var/log/ilx/<Partition>.<plugin>.<extension>, /var/log/ltm

Conditions:
Error: Out of sync with MCPD. Datagroup [DG-NAME] is not in local storage

The error message will trigger if SDMD local version of ILX configuration (data-groups) goes out of sync with MCPD.

If this happens, there is likely a bug in SDMD (or MCPD) that resulted in SDMD local configuration storage go out of sync with MCPD.

Impact:
When the "OUT OF SYNC" issue happens, the SDMD will be aborted, which in turn will cause all ILX plugins to be restarted (and all active connections stalled or terminated).

Recommended Action:
None.

018e001e : %s

Location:
/var/log/ltm

Conditions:
The files in /var/run/tmm.mp.* are used to create shared memory keys, which are used by the tmm and plugins for the purpose of a shared memory rendezvous. This allows the tmm and plugins to communicate using shared memory. The error message indicates that either a file in /var/run/ with the prefix tmm.mp.ilx could not be removed or the associated shared memory could not be removed. The files and shared memory are removed when sdmd starts and shuts down.

Impact:
The files are zero length in size, but if they were to accumulate indefinitely they could exhaust available inodes in the file system. If the shared memory cannot be removed then the BIG-IP could run out of host memory or shared memory kernel resources.

Recommended Action:
If the error message indicates that files cannot be removed, stop the sdmd daemon using "bigstart stop sdmd", then examine the files in /var/run/tmm.mp.ilx* to determine why they cannot be removed. If the error message indicates there was a problem removing a shared memory segment, then reboot the BIG-IP System.

01900006 : Profile SCTP error: SCTP %s missing from message.

Location:
/var/log/ltm

Conditions:
The SCTP profile name is missing when the control plane sent the multi-homing addresses for SCTP profile.

Impact:
The multi-homing SCTP profile won't be set correctly for the virtual server.

Recommended Action:
None.

01900020 : SCTP %s association (%F) confirmed peer transport address %la.

Location:
/var/log/ltm

Conditions:
When the TMM has successfully received heartbeat ACK from peer.

Impact:
The heartbeat ack has been successfully received by TMM. This indicates that the heartbeat to the peer is working.

Recommended Action:
None.

01900021 : SCTP %s association (%F) peer transport address %la not confirmed, path %F inactive.

Location:
/var/log/ltm

Conditions:
The association to the remote peer is not working. The path to the remote peer is not working and is inactive.

Impact:
The path to the destination peer is inactive, and the association to the remote peer is not working. The following message is logged: The SCTP clientside or serverside association <flow-key> peer transport adddress <remote-address> not confirmed, the path <dst-flow-key> inactive.

Recommended Action:
None.

01900022 : SCTP %s association (%F) %s path %F failed (path-retransmit-exceeded).

Location:
/var/log/ltm

Conditions:
When sending SCTP data or heartbeat through the path, but a response is not received, and retransmission of the data exceeds the maximum retransmit number.

Impact:
The maximum retransmit through the path has been exceeded. This could happen when TMM sent the SCTP data or heartbeat through the path, but did not get response and the retransmit time has exceeded the maximum retransmit number.

Recommended Action:
None.

01900023 : SCTP %s association (%F) %s path %F failed (destination unreachable).

Location:
/var/log/ltm

Conditions:
An ICMP error is received that indicated that the association's primay/backup path to the destination failed (destination unreachable).

Impact:
The primay/backup path to the destination is unreachable.

Recommended Action:
None.

01900024 : SCTP %s association (%F) path %F restored.

Location:
/var/log/ltm

Conditions:
TMM has received data or heartbeat ack from peer.

Impact:
SCTP clientside or serverside association path has been restored.

Recommended Action:
None.

01900025 : SCTP %s association (%F) primary path changed to %F.

Location:
/var/log/ltm

Conditions:
The association's old primary path is not working, and then changed the primary path to another.

Impact:
The association's primary path changed to a new one.

Recommended Action:
None.

01900026 : SCTP %s association (%F) path %F usable.

Location:
/var/log/ltm

Conditions:
TMM has received SCTP data or Heartbeat Ack through the association's path and determines that the path is usable.

Impact:
TMM has determines that the association's path is usable.

Recommended Action:
None.

01900027 : SCTP %s association (%F) %s path %F not usable (path-retransmit-exceeded).

Location:
/var/log/ltm

Conditions:
Either the data or the Heartbeat has been sent the the destination, but never got a response, and the retransmit exceeded the maximum allowed.

Impact:
The path is unusable for the association because that path's retransmit has exceeded the maximum allowed.

Recommended Action:
None.

01900028 : SCTP %s association (%F) %s path %F not usable (destination unreachable).

Location:
/var/log/ltm

Conditions:
TMM detects that the SCTP association's path to the destination is unreachable.

Impact:
Logs a message to indicate that the SCTP association to the destination through the path is unreachable.

Recommended Action:
None.

01900029 : SCTP %s association (%F) failed (association-retransmit-exceeded).

Location:
/var/log/ltm

Conditions:
Retransmit exceeded the maximum allowed in the following cases when sent through the association:
case 1: Sent SCTP SHUTDOWN or SCTP SHUTDOWN ACT to destination.
case 2: Retransmit data.
case 3: Sent Heartbeat through the association, expected heartbeat ACK.
case 4: Sent zero-window probe through the association.

Impact:
The SCTP association failed due to the retransmission through the association exceeding the maximum allowed.

Recommended Action:
None.

01900030 : SCTP %s association (%F) initialization failed (init-retransmit-exceeded).

Location:
/var/log/ltm

Conditions:
The SCTP association's initialization failed because the sending of the INIT chunk exceeded the max retransmission allowed.

Impact:
The SCTP association's initialization failed.

Recommended Action:
None.

01900031 : SCTP %s association (%F) aborted by peer.

Location:
/var/log/ltm

Conditions:
Either the ABORT chunk type or an ICMP protocol unreachable message was received from a peer.

Impact:
The peer aborted the SCTP association.

Recommended Action:
None.

01900032 : SCTP %s association (%F) aborted (%s).

Location:
/var/log/ltm

Conditions:
When CHUNK data is received and the stream ID is found to be out of range, or when sending SCTP data and the stream ID is found to be out of range.

Impact:
The SCTP association is aborted.

Recommended Action:
None.

01900035 : SCTP %s association %s (%F) path %F restored.

Location:
/var/log/ltm

Conditions:
In an SCTP association, when a path gets restored.

Impact:
The 'bigipSctpPathRestored' SNMP trap gets raised.

Recommended Action:
None.

01910001 : Tmrouted starting.

Location:
/var/log/ltm

Conditions:
Startup of the tmrouted daemon. Typically this occurs when dynamic routing is first enabled, and whenever the BIG-IP system restarts with dynamic routing is enabled. It will also be seen anytime the tmrouted is restarted.

Impact:
This is a notice that the tmrouted daemon is starting up. Usually no action is required.
Unexpected tmrouted restarts indicate an issue with tmrouted that might cause interruptions in routing, and loss of dynamic routes.

Recommended Action:
When unexpected tmrouted restarts occur, examine the logs for other tmrouted messages that might indicate the cause of the restart. Also look for tmrouted cores in /shared/cores.

01910014 : FATAL error: non_initial state (%d) and some state vars are unknown (cluster: %d, primary: %d)

Location:
var/log/ltm

Conditions:
Message logged by tmrouted daemon.
License state is unknown, or when routing license expired on the standby.

Impact:
Tmrouted will shutdown, but should be restart by SOD. This should only happen on the standby.

Recommended Action:
Renew licenses before they expire.

01910030 : FATAL error: failed to set timer %p at %s:%d

Location:
/var/log/ltm

Conditions:
tmrouted fails to set a heartbeat timer.

Impact:
The timer is not set.

Recommended Action:
Restart tmrouted.

01910031 : FATAL error: failed to clear timer %p at %s:%d

Location:
/var/log/ltm

Conditions:
tmrouted fails to clear a heartbeat timer.

Impact:
Timer is not cleared.

Recommended Action:
Restart tmrouted.

01910032 : FATAL error: attempt to set already active timer %p at %s:%d

Location:
/var/log/ltm

Conditions:
tmrouted attempts to set a timer which is already active.

Impact:
The timer will not be set.

Recommended Action:
Restart tmrouted.

01910033 : FATAL error: attempt to clear inactive timer %p at %s:%d

Location:
/var/log/ltm

Conditions:
tmrouted attempts to clear an inactive timer.

Impact:
The timer does not clear.

Recommended Action:
Restart tmrouted.

01910034 : FATAL error: attempt to clear wrong timer %p at %s:%d

Location:
/var/log/ltm

Conditions:
tmrouted attempts to clear the wrong timer.

Impact:
The timer does not be clear.

Recommended Action:
Restart tmrouted.

01910035 : FATAL error: timer array exceeded

Location:
/var/log/ltm

Conditions:
tmrouted attempts to set a new timer, but the maximum allowed number of timers has already been reached.

Impact:
The timer is not set.

Recommended Action:
Restart tmrouted.

01910036 : FATAL error: RHI failed to send %s request.

Location:
/var/log/ltm

Conditions:
The MCP and tmrouted daemon communication channel is not properly established.

Impact:
If the MCP channel is broken, the MCP request to get the FW NAT objects/addresses is not sent to mcpd. Therefore, the tmrouted daemon might not advertise FW NAT-related addresses (source or destination) on restart.

Recommended Action:
None.

01910037 : Tmrouted clean up timed out while shutting down.

Location:
/var/log/ltm

Conditions:
Shutdown of the tmrouted daemon is taking longer than expected.

Impact:
None.

Recommended Action:
None.

01910050 : error on cluster socket %d in state %d: %s

Location:
/var/log/ltm

Conditions:
The tmrouted daemon encountered a socket error when trying to connect to the primary blade.

Impact:
Functionality of tmrouted could be affected.

Recommended Action:
Restart tmrouted, file a bug, and document the condition of the error.

01910202 : failed to add attribute %u to NETLINK message. got: %d need: %zu

Location:
/var/log/ltm, tmrouted reports

Conditions:
Example:
failed to add attribute <name> to NETLINK message. got: <length> need: <length>

tmrouted failed to add attribute to the netlink message. If this happens, it could mean that the netlink message attribute was incorrectly constructed, or corrupted.

Impact:
tmrouted will fail to construct the netlink message, impacting routing.

Recommended Action:
Consider running tmrouted in debug mode, and capture the offending attribute, correct the offending attribute as appropriate, and file a bug.

01910204 : memory allocation failed for %s: trying %zu bytes

Location:
/var/log/ltm, tmrouted reports

Conditions:
When tmrouted failed to allocate memory for netlink messages. If this happens, the box is probably out of memory and the problem is elsewhere.

Impact:
Route changes will fail.

Recommended Action:
Use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting these process(es), saving the core(s), and filing a bug.

01910300 : HA daemon heartbeat disabled. Last value is %u.

Location:
/var/log/ltm

Conditions:
The tmrouted daemon is only registered with the HA failover subsystem when dynamic routing protocols are configured. When disabling the last routing protocol, the tmrouted daemon will deregister with the HA system and log this message.

Impact:
None.

Recommended Action:
None.

01910301 : HA daemon heartbeat enabled with %us period. Last value is %u.

Location:
/var/log/ltm

Conditions:
The tmrouted daemon is only registered with the HA failover subsystem when dynamic routing protocols are configured. When the first routing protocol is enabled, the tmrouted daemon will register with the HA system, and log this message.

Impact:
None.

Recommended Action:
None.

01910600 : Suppressing route %s matching admin network.

Location:
/var/log/ltm

Conditions:
Log as informational when the admin ip network matches an incoming dynamic route, and the BIG-IP system is suppressing the update of the dynamic route to the kernel, so that the admin network is not replaced with the dynamic route.

Impact:
None.

Recommended Action:
None.

01910601 : Unsuppressing route %s matched previous admin network.

Location:
/var/log/ltm

Conditions:
When the admin ip network changed, and the BIG-IP system is putting previously suppressed dynamic route back into the kernel.

Impact:
None.

Recommended Action:
None.

01910602 : Failed to suppress route %s matching admin network.

Location:
/var/log/ltm

Conditions:
When a BIG-IP system attempts to remove the kernel route that matches an admin ip network, and unspecific failure occurs.

Impact:
It is possible the admin ip network was replaced in the kernel.

Recommended Action:
Check that the admin ip network is in the kernel, and add it back if necessary.

01910603 : Withdrawing route %s matching admin network not suppressed.

Location:
/var/log/ltm

Conditions:
When a BIG-IP system tries to remove a route from the kernel that matched the admin ip network, and it should be suppressed, but was not.

Impact:
Informational.

Recommended Action:
Verify that the admin ip network route is on the BIGIP system.

01910604 : New route %s matching admin network already suppressed.

Location:
/var/log/ltm

Conditions:
When a BIG-IP system attempts to suppress a incoming dynamic route that matches the admin network, but the route is already suppressed.

Impact:
None.

Recommended Action:
None.

01940007 : "Failed to allocate the errdefs tmconf handle!"

Location:
/var/log/ltm

Conditions:
The errdefsd daemon is out of memory. This memory allocation occurs during the daemon's startup. If you see this error, the system has a critical issue.

Impact:
The errdefsd daemon attempts to restart. If the same conditions exist, the daemon restart will fail. This series of events should be impossible.

Recommended Action:
Use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

0194000b : "errdefs: error adding local syslog destination %s; check the configuration for missing elements."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might only include local syslog logging.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

0194000c : "errdefs: error adding remote syslog destination %s; check the configuration for missing elements."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might include local syslog logging only.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

0194000d : "errdefs: error adding remote hsl destination %s; check the configuration for missing elements."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might include local syslog logging only.

Recommended Action:
If the configuration is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

0194000e : "errdefs: error adding fslog destination %s; check the configuration for missing elements."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might include local syslog logging only.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

0194000f : "errdefs: error adding alertd destination %s; check the configuration for missing elements."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might include local syslog logging only.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

01940010 : "errdefs: failed to add splunk destination %s -- the delivering destination %s probably doesn't exist or contains errors."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might include local syslog logging only.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

01940011 : "errdefs: error adding IPFIX destination %s; check the configuration for missing elements."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might include local syslog logging only.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

01940012 : "errdefs: failed to add splunk destination %s -- the delivering destination %s probably doesn't exist or contains errors."

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might include local syslog logging only.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

01940019 : "Unable to connect to MCPD, will try again in 30 seconds."

Location:
/var/log/ltm

Conditions:
This message typically occurs on system startup when the errdefsd daemon starts up before the mcpd daemon. In this case, errdefsd must wait until mcpd begins accepting connections. The message is logged every 30 seconds until a connection between errdefsd and mcpd is established. Once errdefsd connects with mcpd, logging of the message stops.

Impact:
The errdefsd daemon normally communicates the logging configuration to the rest of the system. However, during the time that errdefsd is unable to connect to mcpd, the rest of the system uses the most recently-communicated logging configuration instead. An exception to this behavior is if the message occurs on boot-up; in this case, the system logs locally.

Recommended Action:
Ignore these messages whenever the system is logging them occasionally on startup; in this case, the messages are benign. If the messages persist, consult the MCP logs for more information because there is likely a problem with the mcpd daemon.

0194001d : Errdefsd is starting.

Location:
/var/log/ltm

Conditions:
Generated by the errdefsd daemon, this message appears whenever the machine is rebooted or errdefs restarts. The message typically occurs when errdefsd has not yet established
connectivity with the mcpd daemon.

Impact:
There is no immediate change to the system when this message appears. The message is generated at the NOTICE level, but should be generated at the INFO level instead. Because the errdefsd daemon must be running for changes to log filters, publishers, and destinations to be communicated from mcpd to the processes that are actually generating logs, this message simply indicates that errdefsd has been (re)started and will be publishing a new logging configuration (to a new shared memory segment). The old "deprecated" segment might continue to exist for some time because daemons only notice the change and switch to the new segment when they attempt to log.

Recommended Action:
No corrective action is needed. This log message is part of normal startup and is not an error.

01940022 : errdefs: error adding management port destination %s; check the configuration for missing elements.

Location:
/var/log/ltm

Conditions:
The system is out of memory and therefore affecting the errdefs daemon. Possible reasons are:

1. One or more processes running on the system are using an excessive amount of memory.

2. The logging configuration is excessively large (several hundred publishers, destinations, and/or filters)

3. A validation issue in the mcpd daemon is allowing the creation of an incomplete logging configuration.

Impact:
The errdefsd daemon never publishes an incomplete logging configuration. Therefore, all daemons continue to use the previous logging configuration. If the previous logging configuration is the default configuration, then the configuration might only include local syslog logging.

Recommended Action:
Check the configuration. If all of the parts are present, and it is not overly large, use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting said process(es), saving the core(s), and filing a bug.

01960002 : netHSM: Failed to login to network HSM with login_status[%lu].

Location:
/var/log/ltm

Conditions:
This occurs when the BIG-IP is unable to login to the network HSM. There are multiple possible reasons why the HSM would not let the BIG-IP login (eg an incorrect, invalid, or expired password or a locked HSM). The BIG-IP logs the specific error returned by the HSM, so that the user can look for more specific info in the HSM documentation, but a good place to start is verifying that the password is correctly entered on the BIG-IP and matches the password on the HSM.

Impact:
All HSM keys will be unable to be used (as well as any configurations depending on them) until the issue preventing the BIG-IP system from logging in to the HSM is resolved.

Recommended Action:
There is no workaround, but the issue is that the password that the BIG-IP is using to log in to the HSM is not what the HSM is expecting.

01960004 : netHSM: Failed login: password[%s]. Error[%lu].

Location:
/var/log/ltm

Conditions:
This occurs when the BIG-IP system is unable to log in to the network HSM. There are multiple possible reasons why the HSM would not let the BIG-IP log in (for example, an incorrect, invalid, or expired password, or a locked HSM). The point of this message is to provide feedback as to what type of issue the HSM reports to the BIG-IP system for why the login failed. The BIG-IP system logs the specific error returned by the HSM, so that the user can look for more specific information in the HSM documentation, but a good place to start is verifying that the password is correctly entered on the BIG-IP system and matches the password on the HSM.

Impact:
All HSM keys will be unable to be used (as well as any configurations depending on them) until the issue preventing the BIG-IP from logging into the HSM is resolved.

Recommended Action:
There is no hard and fast workaround, but the ultimate issue is that the password that the BIG-IP system is using to log in to the HSM is not what the HSM is expecting.

01960005 : netHSM: The session with the network-hsm is invalid.

Location:
/var/log/ltm

Conditions:
This happens when the BIG-IP system is unable to open a session with the network HSM. This most likely indicates that there is an issue with the network connecting the BIG-IP system to the network HSM, or the network HSM is unable to allow connections from the BIG-IP system.

Impact:
All HSM keys will be unable to be used (as well as any configurations depending on them) until the issue preventing the BIG-IP system from logging in to the HSM is resolved.

Recommended Action:
There is no temporary workaround. The solution is to determine why the BIG-IP system cannot communicate with the network HSM and restore communications between the BIG-IP system and the network HSM

01960005 : netHSM: The session with the network-hsm is invalid.

Location:
/var/log/ltm

Conditions:
If this occurs, it means HSM returns error at the request of C_OpenSession.

Impact:
This is the initial HSM operation. Pkcs11d will try to re-run in order to recover. If it cannot be recovered, it normally indicates a severe HSM networking issue or integration issue.

Recommended Action:
Check the availability of HSM and try reinstall HSM.

01960006 : netHSM: Failed to open file [%s].

Location:
/var/log/ltm

Conditions:
The pkcs11d service doesn't exist or the user is not logged on with the root account. If this happens, try to start/restart the pkcs11d service or reinstall the HSM client with root privilege.

Impact:
If this happens, most HSM functions will be unavailable. In particular, key generation and the SSL handshake through the HSM will fail.

Recommended Action:
Try to add, start, or restart the pkcs11d service or reinstall the HSM client, using the root user account.

01960007 : netHSM: Unknown client [%d].

Location:
/var/log/ltm

Conditions:
The pkcs11d process has received requests from TMM and the requests were not named "PKCS11D_CLIENT_TMM".

Impact:
All netHSM related operations, for example, key creation/sign/decrypt, will not work.

Recommended Action:
Use the TMSH command "restart sys service tmm" to restart TMM. This will interrupt traffic processing during the restart. If the error continues to occur, reinstall the NetHSM client software at BigIP.

01960008 : netHSM: Thales RFS error [%s].

Location:
/var/log/ltm

Conditions:
"rfs-sync" (which is Thales's utility) is missing or not working properly.

Impact:
Thales key cannot be uploaded to its RFS server, and consequently, other BIG-IP systems can't get it. For example, at HA setup, the key won't be able to get sync'ed to the standby BIG-IP system.

Recommended Action:
Reinstall the Thales client. This might cause TMM to be restarted, which will interrupt tmm services.

01960009 : netHSM: Failed to allocate space [%u] for [%s].

Location:
/var/log/ltm

Conditions:
The BIG-IP system memory is nearly or already exhausted, possibly due to a memory leakage.

Impact:
The pkcs11d daemon does not work properly, and key generation and other operations (example: netHSM SSL key signing) fail.

Recommended Action:
Reboot the system to clean up the used memory.

01960010 : netHSM: Unknown HSM vendor [%s].

Location:
/var/log/ltm

Conditions:
This error occurs when the HSM client is not installed properly or when a user manually changes the external_hsm.vendor's name. You can check the vendor name with this tmsh command:
     
     tmsh list sys crypto fips external-hsm vendor

Impact:
This error indicates a problem with the HSM installation.

Recommended Action:
Reinstall the HSM client on the BIG-IP system.

01960011 : netHSM: BigDB error [%d][%s].

Location:
/var/log/ltm

Conditions:
This error can occur when bigdb is not functioning properly.

Impact:
The pkcs11d service cannot retrieve the DB variable.

Recommended Action:
Restart the bigdbd service or issue the "bigstart restart" command.

01960012 : netHSM: PKCS11d (re)initialization is not complete.

Location:
/var/log/ltm

Conditions:
A pkcs11d is at reinitialization or initialization stage.

This might happen too soon after a pkcs11d restart. This might also happen when the network connectivity between the BIG-IP system and hsm are being restored from a network disruption.

Impact:
If this happens, pkcs11d operations, such as key creation, won't be able to finish.

Recommended Action:
Wait for some time and issue key creation command again.

01960013 : netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.

Location:
/var/log/ltm, console, GUI

Conditions:
This message will appear anytime the BIG-IP system realizes that the nethsm password it uses to log into the netHSM is incorrect. This could be because the user changed the password on the netHSM itself, or it could be because the BIG-IP system was configured with the wrong password.

Impact:
Any configuration that depends on nethsm keys will fail to work until this issue is resolved, and PKCS11d is restarted. There is no way to automatically recover from the BIG-IP system having the wrong password.

Recommended Action:
Either change the HSM password to match the BIG-IP system's stored password, or change the password on the BIG-IP system to the one the netHSM is using.

There is no workaround for this issue.

01960014 : netHSM: Error: %s.

Location:
/var/log/ltm

Conditions:
Sys calls from tmm are received, which should not occur.

Impact:
Some unexpected results might occur. For example, the prolonged tmm sync call will make tmm crash.

Recommended Action:
Report to F5 Networks developers for resolution.

01960014 : netHSM: Key name is too long (>=255).

Location:
/var/log/ltm

Conditions:
An SSL key name passed to netHSM key pair generation exceeds a limit in size.

Impact:
Key generation might fail. This can normally be avoided by the validation of the callers. Therefore, this is an API-level error message that you should not normally see.

Recommended Action:
Reduce the size of the key name.

01960015 : netHSM: Input string(%s) is too long (>=255).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The key name that is passed to the setter of netHSM key CKA_ID is too large.

Impact:
The netHSM key import quits and the error message is displayed. This is more of an internal API validation.

Recommended Action:
Truncate the key name, which might require users to change the key label at the netHSM.

01960016 : netHSM: Failed to create ec key for key %llu

Location:
/var/log/ltm

Conditions:
An error occurred while creating an ECDSA key.

Impact:
ECDSA key creation fails.

Recommended Action:
Restart pkcs11d. Note that this action will impact SSL traffic associated with keys stored on the network HSM.

01960017 : netHSM: Failed to set ec group for key %llu

Location:
/var/log/ltm

Conditions:
An error occurred while creating an ECDSA key group.

Impact:
ECDSA key creation fails.

Recommended Action:
Restart pkcs11d. Note that this action will momentarily impact SSL traffic associated with keys stored on the network HSM.

01960018 : netHSM: Failed to create ec point for key %llu

Location:
/var/log/ltm

Conditions:
The system failed to create EC key Qx, Qy POINT.

Impact:
ECDSA key creation fails.

Recommended Action:
Restart pkcs11d. Note that this action impacts SSL traffic associated with keys stored on network HSM.

01960020 : %s: file name too long (module: %s, dir: %s).

Location:
/var/log/ltm

Conditions:
The dynamic loadable module directory path is too long.

Impact:
The FIPS device library modules are not loaded, and FIPS will not work.

Recommended Action:
Ensure that the directory path of the FIPS loadable module is not too long.

01960021 : dlopen returned %s for module %s.

Location:
/var/log/ltm

Conditions:
dlopen() has returned a failure for a loadable module for FIPS.

Impact:
The FIPS device fails to load the module and will be non-functional.

Recommended Action:
Check if the correct library module is being loaded for the FIPS device.

01960022 : module %s is invalid (attach function missing).

Location:
/var/log/ltm

Conditions:
A FIPS loadable module has a missing attach() function.

Impact:
The FIPS device fails to load the module, and fips_open fails.

Recommended Action:
None.

01960023 : %s(): mod_err = 0x%x

Location:
/var/log/ltm

Conditions:
A FIPS device function module has failed.

Impact:
The system logs the error return value for the FIPS failure in mod_err.

Recommended Action:
Check which FIPS function module failed, and find the reason.

01960030 : N3FIPS: Couldn't get curve id for key %PRId64 (%s, err=%u)

Location:
/var/log/ltm

Conditions:
The NITROX III FIPS device failed to get the Elliptic Curve (EC) curve ID from the key modulus.

Impact:
The EC key creation fails.

Recommended Action:
None.

01960031 : N3FIPS: Couldn't create group for curve id %u

Location:
/var/log/ltm

Conditions:
The NITROX III FIPS device failed to create an Elliptic Curve (EC) group from the EC curve name.

Impact:
The EC key creation fails.

Recommended Action:
None.

01960032 : N3FIPS: Couldn't get group order for curve id %u

Location:
/var/log/ltm

Conditions:
The Elliptic Curve (EC) key function "Get" has failed when attempting to get the group order for the curve ID.

Impact:
The EC key creation fails.

Recommended Action:
None.

01960033 : N3FIPS: Couldn't get qx/qy for key %PRId64 (%s, err=%u)

Location:
/var/log/ltm

Conditions:
The NITROX III FIPS device has failed to get qx and qy data from the key modulus for the Elliptic Curve (EC) key.

Impact:
The EC key creation fails.

Recommended Action:
None.

01960034 : N3FIPS: Couldn't read qx/qy for key %PRId64

Location:
/var/log/ltm

Conditions:
The NITROX III FIPS device has failed to get Elliptic Curve (EC) key qx and qy data from the key modulus.

Impact:
The EC key creation fails for NITROX III FIPS.

Recommended Action:
None.

01960035 : N3FIPS: Couldn't export key %PRId64 (%s)

Location:
/var/log/ltm

Conditions:
A user attempted to export an ECDSA public key from a NITROX III FIPS device.

Impact:
The system cannot read data from the NITROX III device.

Recommended Action:
Check the connection with the NITROX III device.

01960036 : N3FIPS: Couldn't set the ec group for key %PRId64

Location:
/var/log/ltm

Conditions:
A user attempted to export an ECDSA public key from a NITROX III FIPS device, but the Elliptic Curve group for the ECDSA public key on the NITROX III FIPS device is invalid.

Impact:
The configuration operation fails.

Recommended Action:
This error is extremely rare, so if it occurs, try regenerating the public key to see if this solves the problem.

01960037 : N3FIPS: Couldn't retrieve curve id for label '%s'

Location:
/var/log/ltm

Conditions:
A user has attempted to import an ECDSA private key from the NITROX III FIPS device. The private key is invalid.

Impact:
The configuration operation fails.

Recommended Action:
Regenerate the private key.

01960038 : N3FIPS: Couldn't assign ec_key to pkey for label '%s'

Location:
/var/log/ltm

Conditions:
A user attempted to import an ECDSA private key from NITROX III FIPS device, but the private key data was not assignable to the elliptic curve key.

Impact:
The configuration operation fails.

Recommended Action:
None.

01960039 : N3FIPS: Couldn't convert to bio_key.

Location:
/var/log/ltm

Conditions:
A user attempted to import an ECDSA private key from a NITROX III FIPS device. The created file is not writeable, and potentially the BIG-IP system is out of memory.

Impact:
The configuration operation fails.

Recommended Action:
None.

01960040 : N3FIPS: Couldn't read from the bio_key.

Location:
/var/log/ltm

Conditions:
The created file is not readable.

Impact:
The user cannot import an ECDSA private key from the NITROX III FIPS device.

Recommended Action:
None.

01960041 : N3FIPS: Couldn't import private key (err=%u, reason='%s').

Location:
/var/log/ltm

Conditions:
The NITROX III FIPS device was unable to import the ECDSA private key. The private key could be invalid.

Impact:
The user cannot import an ECDSA private key from the NITROX III FIPS device.

Recommended Action:
Check that the ECDSA private key is valid.

01960042 : N3FIPS: Unsupported curve id %u.

Location:
/var/log/ltm

Conditions:
During the signing with an ECDSA private key, an unsupported curve ID has been selected.

Impact:
The user cannot sign with the selected private key and the selected curve ID.

Recommended Action:
Use a different curve that is supported.

01960043 : N3FIPS(mem): Couldn't create octet string for key %PRId64

Location:
/var/log/ltm

Conditions:
This error is caused by insufficient memory.

Impact:
The user cannot export an ECDSA public key from the NITROX III FIPS device.

Recommended Action:
Try solving the issue by freeing up some memory. To free up memory, you might need to restart some services.

01960044 : N3FIPS(mem): Couldn't export key %PRId64

Location:
/var/log/ltm

Conditions:
This error is caused by insufficient memory.

Impact:
The user cannot export an ECDSA public key from the NITROX III FIPS device.

Recommended Action:
Try solving the issue by freeing up some memory. To free up memory, you might need to restart some services.

01960045 : N3FIPS(mem): Couldn't create ec key for key %PRId64

Location:
/var/log/ltm

Conditions:
Not enough memory.

Impact:
EC key creation fails.

Recommended Action:
Use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. You can disable/turn off service to free more memory, or in some cases, you might need to reboot or restart services.

01960047 : N3FIPS(mem): Couldn't create memory BIO.

Location:
/var/log/ltm

Conditions:
The system is probably out of memory and the problem is elsewhere.

Impact:
The N3FIPS hardware security module (HSM) cannot create bio_key.

Recommended Action:
Use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. May disable/turn off service to free more memory. It might require reboot or restart of services in order to free more memory.

01960048 : N3FIPS(mem): Couldn'tgenerate a PEM buffer.

Location:
/var/log/ltm

Conditions:
Not enough memory. PEM_write_bio_EC_PUBKEY() failed and returned a NULL value.

Impact:
The user cannot export an ECDSA public key.

Recommended Action:
Disable/turn off service to free more memory. It might require reboot or restart of services in order to free more memory.

01960049 : N3FIPS(mem): Failed to allocate PEM string of %zu bytes.

Location:
/var/log/ltm

Conditions:
The system is probably out of memory and the problem is elsewhere.

Impact:
The system cannot export an ECDSA public key.

Recommended Action:
Use the command 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Disable/turn off service to free more memory. It might require reboot or restart of services.

01960050 : N3FIPS(mem): Couldn't duplicate ec_key for label '%s'

Location:
/var/log/ltm

Conditions:
Insufficient memory.

Impact:
The user cannot import the ECDSA private key.

Recommended Action:
To free more memory, try restarting some services.

01960051 : N3FIPS(mem): Couldn't allocate pkey for label '%s'

Location:
/var/log/ltm

Conditions:
Insufficient memory.

Impact:
The user cannot import an ECDSA private key.

Recommended Action:
Try solving the issue by freeing up some memory. To free up memory, you might need to restart some services.

01960052 : N3FIPS(mem): Couldn't allocate bio_key for label '%s'

Location:
/var/log/ltm

Conditions:
Insufficient memory.

Impact:
The N3FIPS hardware security module (HSM) might not be able to import the ECDSA private key.

Recommended Action:
Try freeing up some memory. To do this, you might need to restart some services.

01960053 : N3FIPS(mem): Couldn't allocate bin_key for label '%s'

Location:
/var/log/ltm

Conditions:
There is insufficient memory, and the problem could be elsewhere.

Impact:
The N3FIPS hardware security module (HSM) user might not be able to import an ECDSA private key.

Recommended Action:
Free up more memory. To do this, you might need to restart some services, If this doesn't help, consider filing a bug.

01960054 : N3FIPS(mem): Couldn't allocate a FIPS request record.

Location:
/var/log/ltm

Conditions:
This might happen when the system is out of memory. Note that the problem might be elsewhere.

Impact:
The N3FIPS hardware security module (HSM) user cannot sign using an ECDSA key.

Recommended Action:
Free up more memory by restarting some services/processes. If this doesn't help, consider filing a bug.

01a30018 : (%s). err(%d)(%s)

Location:
/var/log/ltm

Conditions:
This is an error in the connect() call on a socket between hclientd (a TAM daemon) and tmm. This type of error can have many causes, but the error message should contain more information on the specific error.

Impact:
TAM and tmm might not be able to communicate, so TAM control plane configuration might not be possible.

Recommended Action:
Check the error message for specific information on the reason that the socket connection is failing.

01a30019 : read error (%s)/(%d)/(%d) (%d)(%s)

Location:
/var/log/ltm

Conditions:
An error has occurred in reading the socket connection between TMM and the Traffic Acceleration Module (TAM) control plane. This could have many different causes, but the exact error message will have the error code that will provide more information.

Impact:
The TAM module fails to acquire necessary information from TMM, so the new TAM configuration fails. Any changes to TAM virtual servers could fail to be set correctly.

Recommended Action:
The fix will depend on the specific error in the error message. Some general things to try are:
    1) Restart the relevant TAM control plane process: "bigstart restart hclientd".
    2) Re-provision TAM.
    3) Reboot the system.

01a3001a : write error (%s)/(%d)/(%d)(%d)(%s)

Location:
/var/log/ltm

Conditions:
A communication error occurred between a Traffic Acceleration Module (TAM) process and the standard data plane. The error message has more information about the specific error.

Impact:
The update of the TAM module fails. The current configuration will not match the actual state of the TAM module, so network traffic might not act as expected.

Recommended Action:
The fix might depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Restart tmm: "bigstart restart tmm"
    3) Re-provision TAM.
    4) Reboot the system.

01a3001b : Collecting pool member %s status monitor: %d session: %d

Location:
/var/log/ltm

Conditions:
The status of a pool member has been updated in Traffic Acceleration Module (TAM).

Impact:
None.

Recommended Action:
None.

01a30025 : The database has become inconsistent!

Location:
/var/log/ltm

Conditions:
An internal error has occurred within the database of the hclientd process.

Impact:
Any configuration of Traffic Acceleration Module (TAM) fails as long as this error persists.

Recommended Action:
This error indicates an error in the internal logic of the process, so an exact fix depends on what went wrong. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

01a30040 : Reconnected to TAM server after %d attempts

Location:
/var/log/ltm

Conditions:
The hclientd process that was previously unable to connect to another process has recovered and connected successfully.

Impact:
None.

Recommended Action:
None.

01a3004b : Missing rd(%s) for vlan(%s)

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the hclientd process. There are several reasons that this error could occur, but the exact error message contains more information.

Impact:
The update of Traffic Acceleration Module (TAM) fails for the VLAN specified in the error. The current configuration will not match the actual state of the TAM module, so network traffic might not behave as expected.

Recommended Action:
The fix may depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

01a3004c : Virtual server (%s) is configured with unexpected virtual server type (%d)

Location:
/var/log/ltm

Conditions:
An internal configuration error has occurred where an incorrect virtual server is being forwarded to Traffic Acceleration Module (TAM). Therefore, TAM is trying to handle a virtual server that is not set as traffic-accelerated.

Impact:
TAM ignores the incorrect virtual server. If this error is causing tmm to not handle this virtual server, the error could also cause the virtual server to not handle traffic.

Recommended Action:
Try removing and re-adding the virtual server.

01a3004d : Error: load balance mode invalid for pool %s used by virtual %s - changed to Round Robin load balancing

Location:
/var/log/ltm

Conditions:
The hclientd daemon receives an unsupported load-balancing mode for a Traffic Acceleration Module (TAM) virtual server. The only supported load-balancing modes for a pool attached to a TAM virtual server are Round Robin and Ratio Member.

Impact:
The load-balancing mode defaults to Round Robin.

Recommended Action:
Choose a supported load-balancing mode for all pools attached to TAM virtual servers.

01a3004e : Error (%s) node(%s)

Location:
/var/log/ltm

Conditions:
An internal bug in the Traffic Acceleration Module (TAM) module triggers one of the following actions:

    1) A new self IP address is created when one already exists.
    2) An update to a self IP address occurs when the address does not exist.

Impact:
TAM ignores the creation or update of the self IP address.

Recommended Action:
To remove the error, try saving the configuration, as well as restarting the hclientd process using this command at the advanced shell prompt:

bigstart restart hclientd

01a3004f : node(%s) state(%s)

Location:
/var/log/ltm

Conditions:
A self IP address has been added to Traffic Acceleration Module (TAM).

Impact:
None.

Recommended Action:
None.

01a30050 : Failed to post from(%s) to(%s) message (%d)/(%s) error: (%s)

Location:
/var/log/ltm

Conditions:
A communication error has occurred between Traffic Acceleration Module (TAM) processes. The error message contains more information on the specific error.

Impact:
Any TAM configuration fails as long as this error persists.

Recommended Action:
The workaround depends on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

01a30051 : Failed to alloc (%s) for (%d)bytes context(%s) err(%d)/(%s)

Location:
/var/log/ltm

Conditions:
The hclientd process is out of memory. If this happens, the box is probably out of memory and the problem is elsewhere.

Impact:
The hclientd process stops functioning normally, and configuration of Traffic Acceleration Module (TAM) stops working.

Recommended Action:
Use 'top -a' or 'ps v | sort -k 8 -g -r | head' to look for processes occupying excessively large amounts of memory. Consider restarting these process(es), saving the core(s), and filing a bug.

01a40000 : Failed to create IVS (%s).

Location:
/var/log/tmm

Conditions:
When a certificate is associated with an OCSP object, the configuration from the OCSP object is used to create an Internal Virtual Server that fetches OCSP response corresponding to the certificate. This error messages is seen when there is a failure in creating the Internal Virtual Server.

Impact:
OCSP response(s) for certificates(s) can't be fetched, and certificate monitoring is not functional.

Recommended Action:
The error is an internal error that can't be recovered from by user actions. However, user can disassociate OCSP monitoring from certificate, and re-associate it back to re-trigger internal initialization for fetching OCSP response.

01a40001 : Failed to create OCSP context - %s, with error: %E.

Location:
/var/log/tmm

Conditions:
When a certificate is associated with an OCSP object, the configuration from the OCSP object is used for context initialization for fetching OCSP response. This error indicates failure to do the necessary initialization.

Impact:
OCSP response(s) for certificates(s) can't be fetched, and certificate monitoring is not functional.

Recommended Action:
The error is an internal error that can't be recovered from by user actions. However, user can disassociate OCSP monitoring from certificate, and re-associate it back to re-trigger internal initialization for fetching OCSP response.

01a40002 : Failed to create OCSP request with OCSP object(%s), certificate(%s).

Location:
/var/log/tmm

Conditions:
When a certificate is associated with an OCSP object, the configuration from the OCSP object is used for context initialization for fetching OCSP response. This error indicates failure to do the necessary initialization.

Impact:
OCSP response(s) for certificates(s) can't be fetched, and certificate monitoring is not functional.

Recommended Action:
The error is an internal error that can't be recovered from by user actions. However, user can disassociate OCSP monitoring from certificate, and re-associate it back to re-trigger internal initialization for fetching OCSP response.

01a40003 : HTTP status code of OCSP response(%d) indicates failure to obtain the response for certificate(%s).

Location:
/var/log/tmm

Conditions:
This indicates that the unsatisfactory HTTP status code returned by the OCSP responder. If the status code is 503, it could indicate other issues such as failure in DNS resolution of the OCSP responder URL, or other network issues.

Impact:
OCSP response can't be obtained for a certificate and the monitoring status indicates an error.

Recommended Action:
For 503 status code, examine tcpdump and tmctl stats for the TCP profile, and HTTP profiles with a name starting with the prefix of "_km_ocsp" for debugging connection errors.

Other status codes are returned from the OCSP responder, and might be temporary errors indicating OCSP responder downtime etc.

01a40004 : OCSP validation result of certificate(%s): OCSP response - (%s), certificate status - (%s), lifetime - %u.

Location:
/var/log/tmm

Conditions:
This log is seen when OCSP validation is enabled on the certificate. The log is informational and indicates the OCSP response, certificate status and the calculated cache lifetime of the OCSP response.

Impact:
None.

Recommended Action:
None.

01a40008 : Unable to build certificate trust chain for profile %s

Location:
/var/log/ltm

Conditions:
The certificate authority (CA) bundle file assigned to the Server SSL profile does not contain the SSL server's root certificate.

Impact:
The SSL handshake fails.

Recommended Action:
Approach 1: Use a proper CA bundle certificate file that contains the SSL server's root certificate assigned to the Server SSL profile.

Approach 2: Add the missing root SSL certificate into the CA bundle certificate file used by the serverSSL profile for server authentication, and restart tmm by running the command "bigstart restart tmm".

# tmsh list ltm profile server-ssl myssl.app/myssl-sssl ca-file crl ocsp
ltm profile server-ssl myssl.app/myssl-sssl {
    ca-file ca_bundle_file.crt <============ Make sure that it contains the root certificate of SSL server's certificate
    crl my_crl1
    ocsp none
}

01a40008 : %s

Location:
/var/log/ltm

Conditions:
This message occurs whenever the system needs to log various log messages at the debug level.

Impact:
The system logs various messages at the debug level.

Recommended Action:
The recommended action varies depending on the specific message.

01a40009 : Certificate(%s) has expired, or is going to expire in less than a week.

Location:
/var/log/ltm

Conditions:
A certificate whose lifecycle is managed using a certificate-order-manager object has expired or is going to expire within a week.

Impact:
Certificate is expired or close to expiration.

Recommended Action:
Take the necessary actions to renew the certificate.

01a50024 : Node to corrupt %s is invalid

Location:
/var/log/ltm

Conditions:
This condition only happens during a debug session where the debug parameters are invalid.

Impact:
The debugging operation does not work properly.

Recommended Action:
Supply the correct node name during the corrupt node debugging operation.

01a50027 : The revoke option is only available on VE platforms.

Location:
/var/log/ltm, tmsh

Conditions:
User error by requesting a license being revoked on a non-VE system.

Impact:
This safeguard informs the user that this action is not possible and invalid license revocation is avoided.

Recommended Action:
The only workaround is to not attempt to revoke the license on a non-VE system.

01a50031 : Manifest created is larger than 512K: %u

Location:
/var/log/ltm

Conditions:
A huge manifest has been produced that prevents the data from being passed on to the receiving server. This is an unlikely event.

Impact:
A phone-home upload will not happen. This is informational data that is collected for statistics. By not sending this information (if it is indeed good data that exceeded 512k), the information will be lost. This impacts statistics collection by F5 only. Note that many systems do not send this either because they opted out or are not connected to the internet.

Recommended Action:
None.

01a50033 : Unable to parse the manifest with a json parser.

Location:
/var/log/ltm

Conditions:
This is not ever expected to happen unless there is an error condition caused by an unforeseen event. There is a bug in the creation of the manifest. In the past, the json has had this condition and it went unnoticed until the downstream process failed.

Impact:
If this error occurs, the manifest is marked as invalid and the calling function should stop and report this.

Recommended Action:
Corrective action in creating the manifest in proper json is needed.

01a50034 : Failed to get variables from mcpd: %s

Location:
/var/log/ltm

Conditions:
This error could happen if the mcpd is not active or there is an error condition not anticipated.

Impact:
The impact can vary depending on the variable in question. Most likely if the variable value is not obtained, the calling program will fail.

Recommended Action:
This could be a temporary condition where the mcpd daemon was down and the issue could go away should it be restarted. A possible workaround might be to try again later presumably when the mcpd is running.

01a50035 : Failed to to connect to mcpd.

Location:
/var/log/ltm

Conditions:
The usual case for this error is that the mcpd service is not running or is in the process of getting started and isn't communicating yet.

Impact:
The calling program usually throws an exception and stops. Unless obtaining the information from mcpd is not crucial to successful execution of the program, the calling application will fail. This most likely isn't an error in the application but indicates that there is a system condition (mcpd not running) that is causing this.

Recommended Action:
Once the mcpd is correctly working, perhaps simply restart the daemon if it was stopped due to some other need. If the mcpd cannot be started, then the system is in a failed state.

01a50100 : Error: Failed to store EULA in %s.

Location:
/var/log/ltm

Conditions:
An existing EULA file does not have permissions to be overwritten, thereby causing the system to write the file to another location.

Impact:
The EULA file is not written to the location requested. Since this is an informational file, there is only a cosmetic problem, although it might have legal consequences. The latter is doubtful because the EULA is not necessarily needed to be in the location specified.

Recommended Action:
Unless there is a specific legal need to have the EULA written to the file specified, this can usually be ignored since there is no direct impact on program function.

01a50101 : Error: Failed to install backup file %s to %s.

Location:
/var/log/ltm

Conditions:
The reason for failure can be varied: permissions, disk space, invalid name, missing directory.

Impact:
If writing a backup license file fails, the capability of reinstalling a replaced or expired license is no longer possible. Since this is a step of the licensing process, failing to write a backup will stop the licensing process and a new license will not get installed.

Recommended Action:
Through inspection of the file names in the error message, it might be possible to determine the reason for failure. The process of using the backup license is never done and probably would not work anyway. The backup license is used as a historical record of licensing only. In any case, the impact of not having a backup is non-existent or at most negligible.

01a50102 : Error: Failed when calling /usr/bin/chcon for %s.

Location:
/var/log/ltm, /var/log/auditd/audit.log

Conditions:
This call can fail if the selinux parameters being set are not correct.

Impact:
This call is currently only specific to installing the EULA in the /LICENSE.F5 file. If for some reason, this fails to have a selinux status set correctly, there will be warning messages in the secure logs.

Recommended Action:
It is safe to ignore the selinux warnings.

01a50111 : Error: Server busy, retry in %d seconds.

Location:
GUI

Conditions:
Communications with a license server can fail due to the server being inaccessible (busy). Sometimes, simply re-trying will succeed.

Impact:
If this occurs often, or if the license server cannot be contacted, a new BIG-IP license cannot be installed and the system could be inoperative.

Recommended Action:
There are other means of installing license files, should this error continue and prevent communications to the license server. The GUI copies dossier strings directly to the licensing server. It's possible that there is an IP resolve issue (domain-name resolution) that is preventing communications requiring intervention. Also, simply trying again might work in many situations.

01a60001 :

Location:
DPI HSL

Conditions:
When classificaion logging is enabled via security log profile.

Impact:
None.

Recommended Action:
None.

01a70028 : The platform was not found in %s.

Location:
/var/log/ltm

Conditions:
The file /PLATFORM isn't found, and licensing logic cannot determine the platform type.

Impact:
A license dossier cannot be issued. This could be a critical error; many programs depend on its existence and cannot proceed without it.

Recommended Action:
No workaround is possible. Without the /PLATFORM file, we cannot proceed. The file is essential to determine how to proceed based on platform type.

01a70029 : CCN is unsupported on vcmp guests.

Location:
/var/log/ltm

Conditions:
When checking the platform type for a vCMP guest, the system doesn't receive the expected type by reading from /PLATFORM with type Z101.

Impact:
Since Z101 was the expected type, a failure returned from this subroutine means that the system is attempting to do a function that is not appropriate for this platform. Specifically, this is an attempt to get CCN information from VCMP guests and this is not possible.

Recommended Action:
Try again on the appropriate platform or don't attempt the operation that caused this error. No real workaround exists as the message indicates an incorrect procedure.

01a70077 : Error: OpenSSL PEM_read_bio_PrivateKey failed read key %s.

Location:
/var/log/ltm

Conditions:
An attempt to generate an encrypted private key has caused an error, most likely a programming error.

Impact:
The private key is not generated and communications with api.f5.com are not possible. This affects phonehome sending anonymous meta-data back to F5 and has no bearing on any other BIG-IP functionality.

Recommended Action:
Report the error to F5 customer support. Since calling OpenSSL code can be difficult to debug, this error can pinpoint where the code is failing. This can be helpful for F5 customer support diagnostics.

01a70095 : Error: OpenSSL EVP_PKEY_get1_RSA failed.

Location:
/var/log/ltm

Conditions:
A user has attempted to create an OpenSSL private key. This most likely is caused by a programming error where the requirements by OpenSSL to generate the private key were not met.

Impact:
The generation of the private key will not happen. Any program that requires that key will not work.

Recommended Action:
Contact F5 customer support and have a ticket generated. It is safe to ignore this error as it only concerns the creation of a private key to be used with phonehome.

01a70096 : Error: OpenSSL RSA_check_key(%s) failed.

Location:
/var/log/ltm

Conditions:
A call to the internal OpenSSL subroutine RSA_check_key() has failed.

Impact:
No private key is generated. Communication with api.f5.com is not possible. There is no impact to the BIG-IP system for this private key not being generated. It's part of the phone-home package that sends anonymous meta-data back to F5 for use by F5 personnel.

Recommended Action:
Report the error to F5 customer support.

01a70097 : Error: OpenSSL BN_new failed.

Location:
/var/log/ltm

Conditions:
An attempt to get memory for an OpenSSL call has failed.

Impact:
The operation requiring this memory immediately fails.

Recommended Action:
No workaround exists for this fatal condition. Try again when the system is less busy.

01a70098 : Error: OpenSSL RAND_file_name failedo_RSAPrivateKey.

Location:
/var/log/ltm

Conditions:
Writing of the .rnd file (part of OpenSSL programming procedures) has failed. This could be for many reasons ranging from invalid permissions to missing directories.

Impact:
The creation of the OpenSSL private key fails. Communications via phonehome to F5 is not possible. This is not essential for BIG-IP operations and can be safely ignored.

Recommended Action:
No workaround exists. Report this to F5 customer support.

01a70121 : Error: Failed while getting the status, %s.

Location:
/var/log/ltm

Conditions:
The mcpd daemon is down or not communicating.

Impact:
Any program that uses f5-api-com interface will fail because it requires communications with the mcpd daemon to obtain current values of data base items.

Recommended Action:
Usually, one can retry application again after the mcpd daemon restarts or finishes coming up.

01a70122 : Error: Failed to obtain auto-check/auto-phonehome status.

Location:
/var/log/ltm

Conditions:
Most likely this is a runtime error where the mcpd deamon is stopped or not completely started.

Impact:
Since the phonehome_upload program runs periodically, the upload for this period will be lost. The upload provides F5 with useful feedback information such as provisioning and hardware usage. There is no other impact.

Recommended Action:
The next execution of the phonehome_upload will most likely work if the reason for the failure was a temporary issue involving the mcpd daemon being unavailable (down).

01a70131 : Error: Failed to obtain certificate cache path.

Location:
/var/log/ltm

Conditions:
Certificate cache-path file is not accessible or is missing. This condition is not expected but could happen if user has altered the files in the filestore directory.

Impact:
This is fatal when the certificate is needed to complete a task.

Recommended Action:
Re-install key/certificate pair via license registration. First delete the entries in the mcp via "tmsh delete sys file ssl-cert <cert>" and "tmsh elete sys file ssl-key <key>".

01a70132 : Error: Failed while gettting the certificate cache path, %s.

Location:
/var/log/ltm

Conditions:
Certificate cache-path file stored in MCP is inaccessible or is missing. This condition is not expected, but could happen if user has altered the files in the filestore directory or communications with mcpd has been severed.

Impact:
This is fatal when the certificate is needed to complete a task.

Recommended Action:
If the problem is due to a missing or bad certificate, then first delete the entries in MCP via "tmsh delete sys file ssl-cert <cert>" and "tmsh elete sys file ssl-key <key>" and then re-install key/certificate pair via license registration.

01a70133 : Error: Failed to obtain key cache path.

Location:
/var/log/ltm

Conditions:
A key is expected to be stored in mcpd as a cached file, but no record of this has been found.

Impact:
Using the key is impossible because its location and passphrase are unknown.

Recommended Action:
You can ignore this message. The BIG-IP system is attempting to communicate with api.f5.com to send phonehome data and this falure is not important to the normal operations of the BIG-IP system.

01a70134 : Error: Failed while gettting the key cache path, %s.

Location:
/var/log/ltm

Conditions:
An attempt to determine the cache-path for the OpenSSL has failed.

Impact:
Any program that tries to access the key fails and communications using the key are not possible.

Recommended Action:
Try again when mcpd is up and running, or delete the key and have a new one issued. The way to get a key issued is to re-run the license activation or enter a new registration base-key. The key is needed to communicate with api.f5.com and is needed to send feedback to F5 with non-private data. If the data is not sent, this does not affect the customer in any way.

01a70141 : Error: Can't connect to mcp, %s.

Location:
/var/log/ltm

Conditions:
A failure to connect to mcpd for internal communications has been detected.
Seeing this error message is unlikely and has been defined for future use.

Impact:
The program calling mcpd fails, as the requirement for the program to communicate with mcpd is essential.

Recommended Action:
No real workaround. Attempt to revive mcpd and try again.

01a70151 : Error: OpenSSL RAND_status failed.

Location:
/var/log/ltm

Conditions:
A call to the internal OpenSSL RAND_status() to create a key for phonehome has failed. This is most likely due to a coding error. A major change in the OpenSSL Libraries in the future could also cause the error.

Impact:
OpenSSL operations abort the key generation program. This error can be safely ignored.

Recommended Action:
No workaround is available. Report this error to F5 customer support.

01a70152 : Error: OpenSSL RSA_new failed.

Location:
/var/log/ltm

Conditions:
A user has attempted to create an encrypted private key when not enough memory is available.

Impact:
The generation of the encrypted private key fails. The code generating this error is part of the phonehome package and is not crucial to the operations of the BIG-IP system and can be safely ignored.

Recommended Action:
Attempt to try again when the system has more memory available.

01a70153 : Error: OpenSSL BN_set_word failed.

Location:
/var/log/ltm

Conditions:
During the creation of an encrypted private key, the internal OpenSSL call to BN_set_word() failed.

Impact:
The creation of the encrypted OpenSSL f5-api-com.key fails, and communications with api.f5.com make it impossible to send anonymous phonehome meta-data. The re-creation of the private key will be attempted during the next license activation. This is an internal error and not due to customer action.

Recommended Action:
No workaround exists for this. The cause of the failure would need to be investigated.

01a70154 : Error: OpenSSL RSA_generate_key_ex failed.

Location:
/var/log/ltm

Conditions:
An attempt to create an OpenSSL key has failed. This could be caused internally by a failure for a process to give the correct parameters to the asking program.

Impact:
The process that was attempting to create a key has failed.

Recommended Action:
Contact F5 customer support and request that they file a bug. The only other alternative is to try again, although most likely, this will not succeed.

01a70155 : Error: OpenSSL RAND_write_file failed.

Location:
/val/log/ltm

Conditions:
An attempt to write a .rnd file in the home directory has failed. This should not happen, but one possible cause is by not having permissions to write to the directory containing the .rnd file.

Impact:
This is a critical condition that keeps code associated with phonehome from completing OpenSSL tasks such as creating a key/certificate pair. Many OpenSSL calls require random data that comes from the .rnd file. Without this data, the OpenSSL code fails. The phonehome failure itself is not critical to any BIG-IP functionality, so this message can safely be ignored.

Recommended Action:
The best action is to report this error to F5 customer support and ignore the fact the code failed. However, if you are an advanced user, you can try creating the .rnd file manually by redirecting bytes from /dev/urandom into the .rnd file. However, this is not recommended since this is what the program normally does and shouldn't fail.

01a70156 : Error: OpenSSL PEM_write_bio_RSAPrivateKey for key %s failed.

Location:
/var/log/ltm

Conditions:
An attempt to generate a private key has caused an internal error.

Impact:
The key is not generated.

Recommended Action:
Report this error to F5 customer support. Most likely the cause is due to internal changes, such as using an incompatible OpenSSL library, or it is a programming error.

01a70170 : Error: Failed to obtain key passphrase from mcpd for key %s.

Location:
/var/log/ltm

Conditions:
During creation of an encrypted key (f5-api-com.key) and subsequent generation of the 64-byte random passphrase, the passphrase could not be stored.

Impact:
The encrypted key is unusable, and phonehome data is not sent to F5.

Recommended Action:
Delete the key and start over. This is done automatically by the licensing re-activation.

01a70171 : Error: system call to tmsh save sys config.

Location:
/var/log/ltm

Conditions:
An attempt was made to call "tmsh save sys config" externally from within a program.

Impact:
The call fails, and the failure prevents any data items from being saved in the bigip.config file. Therefore, subsequent reboots or upgrades are not able to use the data that was intended to be saved. This is true if the BIG-IP system saves an encrypted key object that requires a passphrase to be stored with it. Without the "save" succeeding, the key becomes useless. The save operation was required to produce keys and/or certificates to communicate with the api.f5.com server for use with phonehome.

Recommended Action:
If the operation was successful and generated the data in mcpd, one could theoretically run the "tmsh save sys config" manually. This could or could not work and is unreliable. The recommendation is to ignore the error, since the code that is calling this isn't essential to the operation of the BIG-IP system. The BIG-IP system will retry the procedure automatically the next time there is a license re-activation. Further attempts to save the configuration could succeed in the future. This is most likely a problem with contention and will need to be fixed.

01a70172 : Error: Failed to create cached key file.

Location:
/var/log/ltm

Conditions:
During creation of a new encrypted key, the process of storing the key and its passphrase in mcpd has failed. The creation of the f5-api-com key has failed, and therefore no f5-api-com certificate is obtained. This should not happen in normal conditions.

Impact:
Phonehome data is not sent; all attempts to send anonymous meta-data to F5 fail. This is not important for the customer as the data collected by F5 is for use by F5 only, such as for gathering statistics about versioning or provisioning and/or other meta-data.

Recommended Action:
No action is recommended. The next license activation will try this process again.

01a70173 : Error: Failed to create cached certificate file.

Location:
/var/log/ltm

Conditions:
The BIG-IP system has attempted to add a certificate (that was extracted from the bigip.license file) to the mcpd cache directory with an entry for finding its cached location.

Impact:
The operation fails and the certificate is unusable. This is not a problem for users, as the data is informational only and is intended for F5 monitoring for gathering statistics about systems in general (for example, what versions are being used world-wide). The certificate is used to communicate with api.f5.com, that is, for phonehome transmission of meta-data. This transmission is not possible if the certificate is not stored in the mcpd cache. F5 will not obtain statistics from this BIG_IP system during this period. Note that this is an opt-out item and is of no consequence to the customer directly.

Recommended Action:
None. The certificate will be re-extracted on the next licensing re-activation and there is nothing critical about the failure. F5 will simply not obtain statistics from this BIGIP during this period.

01a70180 : Error: Attempted to get cloud environment when not on cloud.

Location:
/var/log/ltm

Conditions:
Cloud data has been requested, but the discovery of the fact that we are running on a cloud is showing that it isn't a cloud. This should not ever happen, unless a new cloud environment is added and we haven't accounted for it programmatically.

Impact:
The attempt to get cloud data fails. For a non-cloud system, this is expected, but this log message should not happen. This indicates that there is an error, and the user will continuously see this error logged whenever the program is attempted. The impact is that nothing happens.

Recommended Action:
No workaround is available or recommended. Contact F5 to have a bug filed against this.

01a70181 : Error: Failed to communicate with %s to obtain metadata.

Location:
/var/log/ltm

Conditions:
On cloud BIG-IP systems, the service that obtains meta-data by communicating with a local address (usually 169.254.169.254) is down or unavailable.

Impact:
All programs that use this code to obtain the meta-data fail. Usually this data is used for diagnostics and/or statistics and is not critical to the function of the BIG-IP system.

Recommended Action:
No recommended workaround is suggested. Try again later or after a reboot operation. This is not under F5 control.

01a90007 : dynconf setrlimit %d failure: %s.

Location:
/var/log/ltm

Conditions:
dynconfd attempts to raise the file descriptor limit from the default 1024 to 32768.

Impact:
dynconfd is restricted to opening no more than a little over 1000 connections to external DNS servers. This may impact large configurations, but is unlikely to be an issue for smaller configurations.

Recommended Action:
Reduce the number of DNS servers configured. This will not prevent the error message, but will mitigate the effects of failing to increase the FD limit.

01a90008 : dynconf setrlimit %d error: %s %d.

Location:
/var/log/ltm

Conditions:
dynconfd attempts to raise the file descriptor limit from the default 1024 to 32768; this error indicates that the number of file descriptors requested differs from the number that were granted.

Impact:
The number of file descriptors requested differs from the number that were granted. dynconfd is restricted to opening no more than a little over 1000 connections to external DNS servers. This may impact large configurations, but is unlikely to be an issue for smaller configurations.

Recommended Action:
Reduce the number of DNS servers configured. This does not prevent the error message, but mitigates the effects of failing to increase the FD limit.

01aa0000 : ICAP (%F): Incomplete message body received from server

Location:
/var/log/ltm

Conditions:
An ICAP transaction with a body ended without a terminating zero-length chunk "0\r\n\r\n". For example, the connection was closed prematurely.

Impact:
The HTTP client or server receives a partial message body. There might be a delay because the incomplete response might not be detected until the ICAP server connection times out.

Recommended Action:
Try the transaction again, as there might have been a transient network issue. If it consistently occurs, verify by packet capture that the ICAP server is sending the complete chunked ICAP response body, in particular the terminating chunk is present. Verify preceding chunk headers have the correct chunk length in hexadecimal, as any error will throw off tracking.

If the cause cannot be determined, contact F5 Support and provide the complete log per their instructions. If it looks like a possible bug in BIG-IP, F5 will need a packet capture including all 3 connections (HTTP client, HTTP server, and ICAP server) for diagnosis. Providing this with your initial report will save time.

01aa0001 : ICAP (%F): Unexpected status code %u received from server

Location:
/var/log/ltm

Conditions:
The ICAP server returned an unexpected status code in the first line of its response. The status code is reported. Expected ICAP status codes are in the range 100-299, most commonly 100, 200 and 204, per RFC 3507. Codes >= 300 are unexpected and reported in this log message.

Impact:
The ICAP transaction on the internal virtual server is aborted. The parent virtual server performs the service-down-action configured in the request-adapt or response-adapt profile.

Recommended Action:
Investigate why the ICAP server is returning an unexpected status code.

01aa0002 : ICAP (%F): Server responded 204 beyond or without preview ('Allow: 204' is not supported)

Location:
/var/log/ltm

Conditions:
The ICAP server returned status code 204 "no content" outside the context of a preview (either there was no preview or the server previously responded to the preview). BIG-IP is unable to buffer content beyond a preview, therefore is unable to accept 204 beyond or without a preview. BIG-IP does not specify "Allow: 204" in its ICAP request header, therefore the server must not respond with 204 under these conditions.

Impact:
The ICAP transaction on the internal virtual server is aborted. The parent virtual server performs the service-down-action configured in the request-adapt or response-adapt profile.

Recommended Action:
Check that an iRule in the ICAP_REQUEST event (or elsewhere) is not inserting "Allow: 204" into the ICAP header. If it is, it is misleading the server, and is the cause of the problem. Otherwise, the ICAP server is in violation of RFC 3507.

01aa0003 : ICAP (%F): Parsing ICAP response headers failed

Location:
/var/log/ltm

Conditions:
The BIG-IP system was unable to parse all of the ICAP headers in the server response.

Impact:
The ICAP transaction on the internal virtual server is aborted. The parent virtual server performs the service-down-action configured in the request-adapt or response-adapt profile.

Recommended Action:
Check the ICAP response headers. Verify all headers required by RFC 3507 are present and correctly formatted. If the setup is experimental and uses a manually-constructed ICAP response (or the ICAP server is a casual script), it is likely there is an incorrect offset in the 'Encapsulated:' header.

If the cause cannot be discerned, contact F5 Support and provide the complete log and packet capture per their instructions.

01aa0004 : ICAP (%F): Parsing ICAP chunked response body failed

Location:
/var/log/ltm

Conditions:
The BIG-IP system was unable to parse the chunked body of the ICAP server response.

Impact:
The ICAP transaction on the internal virtual server is aborted. The parent virtual server performs the service-down-action configured in the request-adapt or response-adapt profile.

Recommended Action:
Verify by packet capture that the ICAP server is sending the ICAP response body in chunked form (required by RFC 3507). Verify all chunk headers have the correct chunk length in hexadecimal, as any error will throw off tracking. If the setup is experimental and uses a manually constructed ICAP response (or the ICAP server is a casual script), it is likely there is an incorrect size in a chunk header.

If the cause cannot be discerned, contact F5 Support and provide the complete log and packet capture per their instructions.

01aa0005 : ICAP (%F): Status code %u received from server

Location:
/var/log/ltm

Conditions:
The first line of the ICAP server response was received and successfully parsed. The status code is reported.

Impact:
This is a notification that is useful for analysis of an ICAP transaction.

Recommended Action:
If you were asked by F5 Support to set log.icap.level to "notice" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "notice" level.

01aa0006 : ICAP (%F): Response completed after request completed - connection may be reused by 'oneconnect'

Location:
/var/log/ltm

Conditions:
An ICAP response completed normally, and not before the ICAP request completed. This indicates an ideal scenario in which the connection may be reused if the internal virtual server (IVS) has a 'oneconnect' profile (any abnormal or early termination prevents connection reuse).

Impact:
This is a notification that is useful for analysis of an ICAP transaction. If the internal virtual server (IVS) has a 'oneconnect' profile, the current TCP connection may be reused for a subsequent ICAP transaction.

Recommended Action:
If you were asked by F5 Support to set log.icap.level to "informational" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "informational" level.

01aa0007 : ICAP (%F): Response completed before request - request truncated and oneconnect reuse disabled

Location:
/var/log/ltm

Conditions:
An ICAP response completed early, before the ICAP request completed. This occurs in normal operation when the ICAP response replaces (rather then modifies) the original ICAP request, such as a HTTP 302 redirect. In this case the outbound ICAP request body is truncated (server is no longer interested). Due to the truncation of the outbound request body, it is not possible to gaurantee the ICAP server will end up in a state that is ready to begin a new ICAP request. Therefore the connection is terminated and cannot be reused by a 'oneconnect' profile.

Impact:
This is a notification that is useful for analysis of an ICAP transaction. The ICAP connection is terminated and will not be reused, even if the internal virtual server (IVS) is configured with a 'oneconnect' profile.

Recommended Action:
If you were asked by F5 Support to set log.icap.level to "informational" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "informational" level.

01aa0008 : ICAP (%F): An IVS result was imposed during iRule event %s - ICAP transaction terminated

Location:
/var/log/ltm

Conditions:
An iRule command "IVS_ENTRY::result <result>" executed in an event on the internal virtual server during an ICAP transaction. The event might be ICAP_REQUEST or ICAP_RESPONSE, or a non-ICAP event triggered by a command executed in one of those events. The ICAP event being executed at the time is reported. The result is communicated to the parent virtual server and determines its action.

Impact:
The imposition of an IVS result by an iRule overrides the ICAP transaction and places responsibility on the user's set of iRules to provide any HTTP headers and body to the parent virtual server. The ICAP transaction is aborted and has no further effect on the parent virtual server.

Recommended Action:
Check that the iRule executing "IVS_ENTRY::result <value>" is intended. If so, any issue must be resolved in the iRules. Generally use of this command on an internal virtual server (IVS) that has an active 'icap' profile is not recommended.

This is a notification that is useful for analysis of an ICAP transaction. If you were asked by F5 Support to set log.icap.level to "notice" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "notice" level.

01aa0009 : ICAP (%F): An iRule parked at event %s

Location:
/var/log/ltm

Conditions:
An iRule in the ICAP_REQUEST or ICAP_RESPONSE event was not able to complete synchronously and has "parked" for later completion.

Impact:
Parking an iRule changes the timing and can affect system behavior, therefore this informational message is useful in debugging.

Recommended Action:
This is a notification that is useful for analysis of an ICAP transaction. If you were asked by F5 Support to set log.icap.level to "informational" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "informational" level.

01aa0010 : ICAP (%F): Processing message %s failed: %s

Location:
/var/log/ltm

Conditions:
An error was encountered during processing of an internal message. The message and error code are reported.

Impact:
The ICAP connection is aborted. The parent virtual server performs the service-down-action configured in the request-adapt or response-adapt profile.

Recommended Action:
This is a notification that is useful for analysis of an ICAP transaction. If you were asked by F5 Support to set log.icap.level to "debug" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "debug" level.

01aa0011 : ICAP (%F): Processing ingress from IVS failed: %s

Location:
/var/log/ltm

Conditions:
An error was encountered during processing of an outbound ICAP request body. The error code is reported.

Impact:
The ICAP connection is aborted. The parent virtual server performs the service-down-action configured in the request-adapt or response-adapt profile.

Recommended Action:
This is a notification that is useful for analysis of an ICAP transaction. If you were asked by F5 Support to set log.icap.level to "debug" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "debug" level.

01aa0012 : ICAP (%F): Processing egress from server failed: %s

Location:
/var/log/ltm

Conditions:
An error was encountered during processing of an inbound ICAP response body. The error code is reported.

Impact:
The ICAP connection is aborted. The parent virtual server performs the service-down-action configured in the request-adapt or response-adapt profile.

Recommended Action:
This is a notification that is useful for analysis of an ICAP transaction. If you were asked by F5 Support to set log.icap.level to "debug" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "debug" level.

01aa0013 : ICAP: Client-facing state transition %s -> %s

Location:
/var/log/ltm

Conditions:
The ICAP filter client-facing state machine transitioned from one state to another. The state names are reported. This state machine assembles outbound ICAP requests.

Impact:
None.

Recommended Action:
This is a notification that is useful for analysis of an ICAP transaction. If you were asked by F5 Support to set log.icap.level to "debug" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "debug" level.

01aa0014 : ICAP: Server-facing state transition %s -> %s

Location:
/var/log/ltm

Conditions:
The ICAP filter server-facing state machine transitioned from one state to another. The state names are reported. This state machine parses and processes inbound ICAP responses.

Impact:
None.

Recommended Action:
This is a notification that is useful for analysis of an ICAP transaction. If you were asked by F5 Support to set log.icap.level to "debug" or above, please provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.icap.level below the "debug" level.

01ad0001 : Monitor Agent TMM %u: channel could not be opened: error %s(%s)

Location:
/var/log/ltm

Conditions:
An internal communication channel to the monitor agent in a TMM process failed an authentication check.

Impact:
The communication channel is closed by the TMM. In-TMM monitoring activity cannot take place in this TMM.

Recommended Action:
Report to F5 Support and provide the complete log.

01ad0003 : Monitor Agent TMM %u: channel could not be authenticated: error %s(%s)

Location:
/var/log/ltm

Conditions:
An attempt by the monitor daemon (bigd) to open a communication channel to the monitor agent in a TMM process is unsuccessful.

Impact:
In-TMM monitoring activity cannot take place in this TMM. The daemon may attempt to connect again.

Recommended Action:
Attempting to restart bigd may be successful if there is a transient issue. It is possible there is an internal network failure within the BIG-IP. Report to F5 Support and provide the complete log.

01ad0013 : Monitor Agent TMM %u: failed to handle %s message: MID %u, error %s(%s)

Location:
/var/log/ltm

Conditions:
An error occurrs in the in-TMM monitor agent when processing a message from the monitor daemon (bigd).

Impact:
The message is not processed.

Recommended Action:
In case it is a transient issue, disable then enable the monitor the message is associated with; if it still fails, turn up the log level as high as "debug" by means of tmsh modify sys db log.tma.level value debug. If you cannot discern the cause with the error code, contact F5 Support and provide the complete log.

01ad0014 : Monitor Agent TMM %u: created activity: MID %u, proto %s, endpoint %A:%u, monitor %s

Location:
/var/log/ltm

Conditions:
A new in-TMM monitoring activity is created.

Impact:
Monitor probe messages begin going out to the endpoint at configured intervals, and responses are monitored.

Recommended Action:
Set log.tma.level to "notice" or above. Provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.tma.level below the "notice" level.

01ad0015 : Monitor Agent TMM %u: failed to create activity: proto %s, endpoint %A:%u, monitor %s

Location:
/var/log/ltm

Conditions:
A new in-TMM monitoring activity fails create.

Impact:
Monitor probe messages do not go out to the endpoint.

Recommended Action:
An error occurs in TMM that prevents the monitoring activity from establishing. Another log message may follow with an internal error code. In the monitor configuration, try to disable then enable the monitor, in case it is a transient issue. If it still fails, try turning up the log level as high as "debug" by means of: tmsh modify sys db log.tma.level value debug.

If you cannot discern the cause, contact F5 Support and provide the complete log.

01ad0016 : Monitor Agent TMM %u: deleted activity: MID %u, monitor %s

Location:
/var/log/ltm

Conditions:
In-TMM monitoring activity is deleted.

Impact:
Monitor probe messages stop going out for that monitoring activity, and any latent responses are ignored.

Recommended Action:
Notification is useful for analysis of in-TMM monitoring activity. Set log.tma.level to "notice" or above. Provide the qkview containing the log file to F5 for analysis. If not requiring this level of logging, set the system DB variable log.tma.level below the "notice" level.

01ad0017 : Monitor Agent TMM %u: sent probe: MID %u

Location:
/var/log/ltm

Conditions:
A monitor probe successfully initiates to the endpoint of a given in-TMM monitoring activity. The probe generates a protocol-specific in-TMM monitor backend, which reports success to the generic in-TMM monitor agent. Some backends may log more specific information.

Impact:
There is a probe action generated by an in-TMM monitor backend specific to the protocol of the stated in-TMM monitor activity. The TMM expects a protocol-specific response interpreted by the same backend.

Recommended Action:
A debug message is useful for debugging issues with in-TMM monitoring. Set log.tma.level to "debug" or above; provide the qkview containing the log file to F5 for analysis. If not requiring this level of logging, set the system DB variable log.tma.level below the "notice" level.

01ad0018 : Monitor Agent TMM %u: failed to send probe: MID %u, monitor %s

Location:
/var/log/ltm

Conditions:
A monitor probe was attempted to the endpoint of a given in-TMM monitoring activity, but could not be sent. The probe was attempted by a protocol-specific in-TMM monitor backend, which reported failure to the generic in-TMM monitor agent. The generic in-TMM monitor agent then logged the generic error message.

Impact:
The probe action was never initiated to the endpoint. The monitoring activity might attempt to probe again up to some number of times, depending on the protocol and how it is configured. Eventually without a successful probe, the monitored endpoint is marked as down.

Recommended Action:
In case it is a transient issue, disable then enable the monitor the message is associated with; If it still fails, try turning up the log level as high as "debug" by means of tmsh modify sys db log.tma.level value debug. The error code provides more detailed information; If the cause cannot be discerned, contact F5 Support and provide the complete log

01ad0019 : Monitor Agent TMM %u: received probe response: MID %u, reason %s(%s), info %#x

Location:
/var/log/ltm

Conditions:
The endpoint of a given in-TMM monitoring activity receives a monitor probe response.
The response from the endpoint interprets the protocol-specific in-TMM monitor backend, which reports it to the generic in-TMM monitor agent. The generic debug message is logged. A backend is free to ignore an invalid response without reporting it; the generic in-TMM monitor agent will eventually time out and decide that no response was received.
Some backends might log more specific information in separate messages.

Impact:
The generic in-TMM monitor agent determines the current monitor up/down status and notifies the monitor daemon (bigd) according to parameters given when the monitor activity was created. The parameters are logged by the TMALOG_MSG_CREATE informational message. The monitor daemon makes a final determination of the endpoint status.

Recommended Action:
A debug message is useful for debugging issues with in-TMM monitoring. Set log.tma.level to "debug" or above; provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.tma.level below the "debug" level.

01ad0020 : Monitor Agent TMM %u: probe response timeout: MID %u

Location:
/var/log/ltm

Conditions:
The TMM has not received a valid response to a monitor probe within the timeout associated with the monitoring activity. The timeout is specified when the monitor activity is created by the monitor daemon and logged by the TMALOG_MSG_CREATE informational message.

Impact:
The generic in-TMM monitor agent concludes that the endpoint has not responded to the probe and tells the protocol-specific in-TMM monitor backend to stop waiting for response. The backend closes any connection it had to the endpoint. The agent determines the current monitor up/down status and notifies the monitor daemon (bigd) according to parameters given when the monitor activity is created. (The parameters are logged by the TMALOG_MSG_CREATE informational message). A final determination of endpoint status is made by the monitor daemon (bigd).

Recommended Action:
A debug message that is useful for debugging issues with in-TMM monitoring. Set log.tma.level to "debug" or above; provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.tma.level below the "debug" level.

01ad0021 : Monitor Agent TMM %u: created/enlarged monitor table for %u entries

Location:
/var/log/ltm

Conditions:
There is a change to the size of TMM's table of monitoring activities. The TMM process and new table size are reported. The message displays once at TMM startup, once at TMM shutdown, and any time the table is enlarged.

Impact:
None.

Recommended Action:
Set log.tma.level to "informational" or above; provide the qkview containing the log file to F5 for analysis. If this level of logging is not required, set the system DB variable log.tma.level below the "informational" level.

01af0004 : Traffic rejected for hornet virtual (%s)

Location:
/var/log/tmm

Conditions:
The BIG-IP configuration includes a Traffic Acceleration Module (TAM) virtual server (that is, a virtual server with a traffic-acceleration type of profile assigned to it), but the TAM module is either down or not provisioned. One reason for TAM unavailability is that the hardware platform does not support the TAM data plane, which a TAM virtual server requires.

Impact:
Traffic is broken for TAM virtual servers, when TAM is down or not provisioned. The traffic reaches the TMM, which rejects incoming packets and logs the error message in a rate-limited fashion.

Recommended Action:
Take either of these actions:

1) On platforms that support TAM, provision TAM and enable it.

2) On the virtual server, replace the assignment of the traffic-acceleration profile (or a profile derived from a traffic-acceleration profile), with the assignment of a Fast L4 type of profile.

01b00001 : %s: class name (%s) field name (%s)

Location:
/var/log/ltm

Conditions:
Unusual processing about encryption handling for SNMP v3 user's authentication and privacy passphrases has occurred. Examples are errors with Master Key initialization, empty passphrases, or errors with encryption or decryption.

Impact:
The SNMPv3 user's passphrases might need to be reconfigured.

Recommended Action:
If SNMP v3 user authentication or privacy handling is not working as expected, review the log messages for explanation. You might also need to reconfigure the SNMPv3 user's passphrases.

01b00002 : internal error - %s

Location:
/var/log/ltm

Conditions:
Unknown. The message is classified as DEBUG and is not intended to be interpreted by an end user. This message is for analysis by developers only.

Impact:
Unknown.

Recommended Action:
None.

01b00003 : Full sync for devicegroup %s on connection %p complete; sending updated sync.

Location:
/var/log/ltm

Conditions:
More than one full config sync is requested in a short period of time.

Impact:
This is an informational message that does not indicate functional issues.

Recommended Action:
None.

01b00004 : There is an unfinished full sync already being sent for device group %s on connection %p, delaying new sync until current one finishes.

Location:
/var/log/ltm

Conditions:
More than one full config sync is requested in a short period of time.

Impact:
This is an informational message that does not indicate functional issues.

Recommended Action:
None.

01b00005 : Incremental sync request received for device group (%s) from device (%s) cannot be processed because an earlier incremental sync request failed.

Location:
/var/log/ltm

Conditions:
An incremental sync was attempted after a previous incremental sync failed validation.

This was previously allowed which ended up putting the systems in an unsynchronized state but marked as 'In Sync'. For info, see Bug ID 593536: Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations :: https://cdn.f5.com/product/bugtracker/ID593536.html.

Impact:
There is typically no impact because a full sync is performed automatically if this error happens. However, if the full sync also fails, then manual intervention is required to correct whatever is causing the sync failures.

Recommended Action:
-- If the system reports 'In Sync' after this message appears, no action is required.

-- If it reports 'Sync Failed', then the logs must be analyzed to find out why the sync is failing and what can be done to stop the failures.

01b10000 : DSCPROXY: failed to allocate new %s.

Location:
/var/log/ltm

Conditions:
The TMM is out of memory.

Impact:
The system will most likely fail.

Recommended Action:
Consider filing a bug.

01b10001 : DSCPROXY: Attempting connect - remote_ip %A, local_ip %A, port %d.

Location:
/var/log/ltm

Conditions:
The Device Service Clustering proxy is attempting to create a connection to a remote peer mirroring address. This is a debug-only message, and is only visible if the log level has been set to Debug.

Impact:
None.

Recommended Action:
None.

01b10001 : Failed to restart nslcd: %s

Location:
/var/log/ltm

Conditions:
Starting the nslcd daemon failed while system auth with ldap or cert-ldap is configured.

Impact:
The failure of the nslcd daemon causes ldap authentication to fail.

Recommended Action:
Examine the error message to determine why nslcd failed to start. Also examine messages in /var/log/secure and /var/log/daemon.log, as these messages might indicate the problem. If necessary, modify the ldap configuration to correct the issue.

If the configuration is not the problem, it might be possible to start nslcd manually by running the command "systemctl start nslcd.service".

01b10002 : DSCPROXY: Connection attempt failed to %la port %u: %E.

Location:
/var/log/ltm

Conditions:
An attempt was made to establish a connection with a Device Service Clustering peer.

Impact:
The connection fails and therefore certain state replication between Device Service Clustering members does not occur.

Recommended Action:
None. The system automatically retries to establish the connection.

01b10003 : DSCPROXY: Connection with peer %la:%d failed TLS handshake.

Location:
/var/log/ltm

Conditions:
Device trust members do not have properly synchronized certificates.

Impact:
The DSC proxy is inoperative, and certain state information will not be replicated properly.

Recommended Action:
Address the configuration problem that is causing configuration synchronization to fail.

01b10004 : DSCPROXY: Connection with peer %la:%d closed.

Location:
/var/log/ltm

Conditions:
The DSC proxy connection with the remote system has been closed, probably due to a configuration change.

Impact:
This is an informational message.

Recommended Action:
None.

01b10005 : DSCPROXY: Connection with peer %la:%d lost.

Location:
/var/log/ltm

Conditions:
The connection to the Device Service Cluster peer has disconnected. This might be because the remote device is not available or has been removed from the failover device group.

Impact:
State replication will not occur.

Recommended Action:
None.

01b10006 : DSCPROXY: Reconnect with peer %la:%d stuck in delay.

Location:
/var/log/ltm

Conditions:
An internal inconsistency has been detected in the connection retry logic, and recovery is being attempted.

Impact:
The replication connection might not be established.

Recommended Action:
If the error repeats, consider filing a bug.

01b10007 : DSCPROXY: %s connection with peer %la:%d established.

Location:
/var/log/ltm

Conditions:
The Device Service Clustering replication channel is established with the specified remote device address.

Impact:
None.

Recommended Action:
None.

01b10008 : DSCPROXY: Cannot connect to peer because local address is %s (%la) and remote address is %s (%la).

Location:
/var/log/ltm

Conditions:
The Device Service Clustering (DSC) members have been configured with incompatible mirroring addresses.

Impact:
The DSC proxy will not function, and certain state replication will not occur between DSC members.

Recommended Action:
Fix the mirror addresses of the DSC members to all be either IPv4 or IPv6, and not a mixture.

01b30001 : Failed to configure iptables rules for config sync CGC routing: %s

Location:
/var/log/ltm

Conditions:
The cgc-setup script indicates an error when mcpd tries to initialize the iptables rules and routing for config-sync.

Impact:
Config-sync might not work. This error message will include the output of the script, which contains additional clues as to why the script failed.

Recommended Action:
Review the specific error messages for details, and engage with F5 Support, if needed.

01b30002 : Configured iptables rules for config sync CGC routing: %s

Location:
/var/log/ltm

Conditions:
This is an informational message indicating the cgc-setup script ran correctly. This message is not reported unless log.mcpd.level is set to info or debug.

Impact:
This is an informational message.

Recommended Action:
None.

01b30003 : Config sync over the management port requires big3d, which is not currently running. Config sync will not work until big3d is running.

Location:
/var/log/ltm

Conditions:
This message is reported if config-sync is configured to use the management port and mcpd fails to detect big3d running at the time mcpd sets up the config sync network sockets.

You might also see this message if big3d is in the middle of restarting when mcpd checks for it, in which case config-sync operation starts as soon as big3d starts. If you see this message for this reason, you can ignore the message, as the situation corrects itself.

Impact:
Config-sync over the management port does not work without big3d.

If you have intentionally disabled big3d, you must re-enable it or reconfigure config sync to not use the management port.

Recommended Action:
Make sure big3d is enabled.

01b40001 : A cipher group must be configured when TLS 1.3 is enabled (validation failed for %sprofile %s).

Location:
/var/log/ltm

Conditions:
An SSL profile has TLS 1.3 configured, but does not have an associated cipher group.

Impact:
This configuration is not allowed.

Recommended Action:
Create a cipher group with the necessary cipher strings (or use one of those shipped with the ISO) and use it in the SSL profile instead of the cipher string.

01b40002 : Configuration error: sslo log configuration (%s) is part of system configuration, so it cannot be deleted.

Location:
/var/log/ltm, CLI

Conditions:
The user has attempted to delete an SSLO log configuration.

Impact:
Deleting the default configuration is disallowed.

Recommended Action:
None.

01b40017 : Configuration error: Virtual Server (%s) with Access Profile of type sslo is not compatible with profile of type (%s).

Location:
/var/log/ltm, CLI

Conditions:
On the same virtual server, the user has attempted to specify an SSLO profile, as well as other profiles that are incompatible with an SSLO access profile.

Impact:
Specifying certain profile types on a virtual server is disallowed when one profile is an SSLO profile.

Recommended Action:
Do not configure profiles that are incompatible with SSLO profiles on the same virtual server.

01b40018 : Configuration error: Access Profile of type sslo is not compatible with exchange profile.

Location:
/var/log/ltm, CLI

Conditions:
The user has attempted to configure an exchange profile along with an SSLO profile.

Impact:
Configuring an exchange profile with an SSLO profile is disallowed.

Recommended Action:
None.

01b4001d : The listen-ip or listen-port must not be zero in splitsession server profile %s for virtual server %s.

Location:
/var/log/ltm

Conditions:
The SplitSession Server profile has a local-peer attribute set to false, and did not have a valid TCP/IP address/port setup to listen on.

Impact:
The BIG-IP system prevents the SplitSession Server profile from being applied to the virtual server.

Recommended Action:
Update the problematic profile to have valid peering address/port settings.

01b4001e : The peer-ip or peer-port must not be zero in splitsession client profile %s for virtual server %s.

Location:
/var/log/ltm

Conditions:
The SplitSession Client profile has local-peer attribute set to false, and did not have a valid TCP/IP address/port setup for peering.

Impact:
The BIG-IP system prevents the SplitSession Client profile from being applied to the virtual server.

Recommended Action:
Update the problematic profile to have valid peering address/port settings.

01b4001f : Invalid value (%s) for profile %s field %s. Only integers between %d and %d are permitted.

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
A user has selected invalid error types to trigger diameter retransmission.

Impact:
This is an invalid configuration.

Recommended Action:
Select valid error types.

01b40020 : Invalid retransmission queue limits (high = %d, low = %d) High must be greater than low, and as they represent percentages, they both must be between 0 and 100.

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
The user selects invalid queue limits (that is, a high limit that's lower than the low limit).

Impact:
This is a validation error and the configuration is not saved.

Recommended Action:
Correct the configuration of the queue limits.

01b40021 : Invalid unroutable options selected. Only one of 'Discard' and 'Respond' may be selected.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An unroutable message has been discarded and responded to.

Impact:
This creates an invalid configuration.

Recommended Action:
Select valid configuration options.

01b40023 : Virtual Server (%s) cannot use both an Access profile and an Anti-Fraud profile.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator has attempted to apply an Access profile and an Anti-Fraud profile to the same virtual server.

Impact:
The configuration fails.

Recommended Action:
To apply Datasafe protection to the APM logon page, create another "Internal" type of virtual server, and apply the Datasafe profile to that virtual server.

01b40024 : Virtual Server (%s) of type Internal contains an HTTP profile. It must also contain a Service profile.

Location:
/var/log/ltm, GI, CLI

Conditions:
An administrator has created an Internal type of virtual server and has attempted to apply an HTTP profile, without also applying a Service profile. The Internal virtual server is not part of a Service-Connector configuration.

Impact:
The configuration fails.

Recommended Action:
Create an appropriate Service profile and apply this Service profile to the Internal virtual server. This allows the administrator to add an HTTP profile.

01b40025 : Virtual Server (%s) contains a Fraud Protection profile and a Service profile. The Service profile must be of type F5 Module.

Location:
/var/log/ltm, GUI, CLI

Conditions:
When deploying Datasafe protection of the APM logon page, the administrator has attempted to apply to an Internal virtual server a Service profile that is not of type "F5 Module".

Impact:
This results in a configuration error.

Recommended Action:
Create a Service profile of type "F5 Module". Assign that Service profile to the virtual server.

01b40027 : On profile (%s) with GMSSL enabled: no-tls, no-ssl, and no-dtls must be selected.

Location:
/var/log/ltm

Conditions:
"Guo Mi SSL" (GmSSL) is enabled in an SSL profile, but the SSL profile options no-TLS and no-SSL are not selected.

Impact:
The configuration fails.

Recommended Action:
This is a requirement, so there is no workaround.

01b40028 : On profile (%s): Invalid SSL option (%s) found.

Location:
/var/log/ltm

Conditions:
A user has attempted to add an unsupported SSL option in an SSL profile.

Impact:
This validation prevents an invalid configuration for SSL profile. When this error is seen, the user is unable to create or modify the SSL profile with the unsupported SSL option.

Recommended Action:
Remove the unsupported item from the SSL options and re-configure the SSL profile.

01b40029 : Client SSL profile (%s): %s is not RSA %s. To add non-RSA cert/key, please use [cert-key-chain add].

Location:
/var/log/ltm

Conditions:
A user has attempted to specify a non-RSA cert/key for the Client SSL profile certificate and key, using the tmsh command. The certificate and key settings in the profile are linked to an RSA certificate/key only.

Impact:
The attempted profile configuration is disallowed.

Recommended Action:
To configure a non-RSA certificate/key pair in TMSH, use the "cert-key-chain" attribute. In general, the "cert-key-chain" attributes in TMSH are much preferred over the "cert" and "key" attributes, which are being deprecated.

01b4002a : Client SSL profile (%s):%s and profile %s options cannot be specified together.

Location:
/var/log/ltm

Conditions:
A user has specified "cert-key-chain" and "cert" (or "key") together in one tmsh command, which is not allowed.

Impact:
The profile configuration is disallowed.

Recommended Action:
In general, the "cert-key-chain" attributes in tmsh are much preferred over "cert" and "key", which are being deprecated.

01b4002b : Client SSL profile (%s): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add].

Location:
/var/log/ltm

Conditions:
A user has attempted to modify a Client SSL profile's RSA certificate/key pair that does not exist. It's possible that the user has either forgotten about the absence of the RSA certificate/key, or has attempted to modify a non-RSA certificate/key by specifying a certificate/key that is directly linked to an RSA certificate/key.

Impact:
The profile configuration is disallowed.

Recommended Action:
If you are trying to use tmsh to modify an RSA certificate/key pair that doesn't exist, add the certificate/key first, using the tmsh "cert-key-chain add" attribute. If you are trying to use tmsh to modify a non-RSA certificate/key pair, use the "cert-key-chain modify" attribute. In general, the "cert-key-chain" command in tmsh is much preferred over "cert" and "key", which are being deprecated.

01b4002c : Client SSL profile (%s): inherit-cert-key-chain and cert/key can not be set together.

Location:
/var/log/ltm

Conditions:
A user has attempted to modify the "inherit-cert-key-chain" flag and the certificate/key specified in the Client SSL profile at the same time.

Impact:
The profile configuration is disallowed.

Recommended Action:
None.

01b4002d : Client SSL profile (%s): SM2 certitificate and key type is incompatible with other crtificate and key types.

Location:
/var/log/ltm

Conditions:
You are trying to add both SM2 and non-SM2 type keys and certificates into an SSL profile.

Impact:
This validation prevents invalid configuration for SSL profile. You cannot create or modify the SSL profile with the unsupported configuration.

Recommended Action:
Do not add both SM2 and non-SM2 type keys and certificates into an SSL profile.

01b4002e : Client SSL profile (%s): SM2 certificate and key type is incompatible with SSL forward proxy mode.

Location:
/var/log/ltm

Conditions:
A user has attempted to create or modify an SSL profile with an SM2 key and certificate while the profile is set to forward proxy mode.

Impact:
This validation prevents invalid configuration for SSL profile. Therefore, the user is unable to create or modify the SSL profile with the unsupported configuration.

Recommended Action:
None.

01b4002f : Client SSL profile (%s): un-licensed certificate and key type.

Location:
/var/log/ltm

Conditions:
A user has attempted to add a key and certificate to an SSL profile, but the key and certificate type are not supported by the current license.

Impact:
This validation prevents invalid configuration for SSL profile. The user is unable to create or modify the SSL profile with the unsupported configuration.

Recommended Action:
Get a proper license for the key and certificate type to allow them to be used.

01b40030 : Client SSL profile (%s): cert-key-chain (%s): SM2 certificate and key can not be used as forward proxy CA.

Location:
/var/log/ltm

Conditions:
A user has attempted to create or modify a CA-type cert-key-chain of an SSL profile using an SM2 certificate and key.

Impact:
This validation prevents invalid configuration for SSL profile. Therefore, the user is unable to create or modify the SSL profile with the unsupported configuration.

Recommended Action:
Avoid using an SM2 certificate and key for the CA-type cert-key-chain of an SSL profile.

01b40033 : Server SSL profile (%s): SM type %s (%s) is not allowed in a serverSSL profile.

Location:
/var/log/ltm

Conditions:
A user has attempted to configure an SM-related object (a key, cert, chain, CA file) in a Server SSL profile, which is not allowed.

Impact:
The profile configuration is disallowed.

Recommended Action:
None.

01b40034 : Clieint SSL profile (%s): Un-licensed type %s (%s).

Location:
/var/log/ltm

Conditions:
A user has attempted to add a cipher group with an un-licensed type of DH group or signature algorithm to a Client SSL profile, which is not allowed.

Impact:
The profile configuration is disallowed.

Recommended Action:
None.

01b40035 : Cipher Group (%s): %s can not be used with other %s together in one cipher group.

Location:
/var/log/ltm

Conditions:
A user has attempted to add a cipher group to a DH group (and respectively, a signature algorithm) that is incompatible with other DH groups (and respectively, signature algorithms) in the same cipher group.

Impact:
The cipher group cannot be used.

Recommended Action:
None.

01b40036 : SSL profile (%s): A cipher group must be configured when GMSSL is enabled.

Location:
/var/log/ltm

Conditions:
A user has not assigned a cipher group to the SSL profile when "Guo Mi SSL" (GmSSL) is enabled.

Impact:
The profile configuration is disallowed.

Recommended Action:
None.

01b40037 : Virtual Server (%s): GMSSL clientSSL profile (%s) and non-GMSSL clientSSL profile (%s) cannot be configured in the same virtual server.

Location:
/var/log/ltm

Conditions:
A "Guo Mi SSL" (GmSSL) Client SSL profile and a non-GmSSL Client SSL profile are being configured together in one virtual server.

Impact:
The virtual server configuration is disallowed.

Recommended Action:
None.

01b40039 : %s critical message rate limit threshold (%u) must be greater than major message rate limit threshold (%u).

Location:
/var/log/ltm

Conditions:
A user has configured thresholds in a Diameter session to send SNMP traps when an ingress/egress message's rate limit exceeds configured thresholds; that is, the threshold values are non-zero, and the major threshold value is greater than or equal to the critical threshold.

Impact:
The user cannot save a diameter session with the threshold values.

Recommended Action:
Ensure that the critical threshold value is greater than the major threshold value.

01b4003c : The addresses within the specified address list(%s) have different route domains.

Location:
CLI

Conditions:
A user has attempted to add an address list, containing addresses with different route domains, to traffic-matching criteria.

Impact:
The user cannot create traffic-matching criteria or associate the address list to the traffic-matching criteria.

Recommended Action:
Ensure that the addresses within the address list have the same route domain. You will then be able to create the traffic-matching criteria or add an address list to the traffic-matching criteria.

01b4003e : Server SSL Profile (%s): %s response control cannot be set to mask when forward proxy is disabled

Location:
/var/log/ltm

Conditions:
The expire and untrusted response control cannot be set to the mask option when the forward proxy is disabled.

Impact:
A user cannot set the mask option when the forward proxy feature is disabled.

Recommended Action:
None.

01b4003f : VLAN(%s) and tmc have different route-domain

Location:
CLI

Conditions:
A user has attempted to associate traffic-matching criteria with a VLAN that has a different route domain.

Impact:
The user cannot create traffic-matching criteria or associate the VLAN with the traffic-matching criteria.

Recommended Action:
Only associate a VLAN with a route domain that is the same as that of the traffic-matching criteria.

01b40040 : TMC(%s) and %s have different route domain.

Location:
CLI

Conditions:
The traffic-matching criteria and the destination address list have different route domains.

Impact:
The user cannot create traffic-matching criteria or associate the intended address list with the traffic-matching criteria.

Recommended Action:
Create the traffic-matching criteria such that its associated destination address list has the same route domain.

01b40041 : Policy: '%s' Rule '%s' Condition '%s', Option 'use case sensitive string comparison' not supported for data type '%s'.

Location:
/var/log/ltm

Conditions:
A user has created or edited a policy and the "case-sensitive" option is selected with one of the following policy value types: number array, number, ip, bool, datagroup.

Impact:
The message indicates that the feature is not supported. The policy will function as if "case-sensitive" option wasn't selected.

Recommended Action:
Do not select "case-sensitive" option with unsupported data types.

01b40042 : The virtual server %s cannot support SSL persistence since SSL profile %s has zero cache-size.

Location:
This error (MCPDERR_SSL_PERSIST_SSL_ZERO_CACHE_SIZE) is shown in /var/log/ltm and can be seen on the console and in the logs.

It is being added as MCPDERR_SSL_PERSIST_SSL_ZERO_CACHE_SIZE LOG_LOCAL0|LOG_ERR 'The virtual server %s cannot support SSL persistence since SSL profile %s has zero cache-size.'

Conditions:
This message occurs when a virtual server SSL profile has zero cache.

Impact:
The mcp virtual server validation fails for LTM.

Recommended Action:
Set the cache size to some value (e.g., 1).

tmsh list ltm profile client-ssl myclientssl | grep cache-size

tmsh modify sys db tmm.ssl.cachesize value 1

01b40042 : Cannot add record to an external data group (%s).

Location:
/var/log/ltm log file and tmsh output.

Conditions:
An external data group is being modified in an unsupported way. For example, an external data group created with 'tmsh create ltm data-group external dg ...' is being modified with 'tmsh modify ltm data-group internal dg ...'.

Impact:
The external data group is not modified.

Recommended Action:
Modify external data groups using the command:
tmsh edit sys file data-group

For more information, see K17523: Modifying large external data-groups with CLI :: https://support.f5.com/csp/article/K17523.

01b40043 : Traffic-group of Virtual-address(%s) associated with Virtual Server(%s) cannot be updated.

Location:
CLI

Conditions:
Update traffic group of the virtual address to be different from the other virtual addresses. The IP addresses are within an address-list. This address-list is associated with a destination-address-list of a traffic-matching-criteria associated with a virtual server.

Impact:
Cannot update the traffic group of the virtual address.

Recommended Action:
Ensure the traffic group of the virtual addresses are consistent before associating them with a virtual server.

01b40044 : Virtual Server(%s) cannot have Virtual-address(%s) associated with different traffic groups.

Location:
CLI

Conditions:
Associate virtual addresses' (with different traffic groups) IP addresses to traffic-matching-criteria through destination-address-list. Then, associate traffic-matching-criteria with a virtual server.

Impact:
Cannot associate traffic-matching-criteria with a virtual server.

Recommended Action:
Ensure the traffic group of the virtual addresses is consistent before associating them with a virtual server.

01b40046 : Base profile (%s) may not be assigned to a virtual server (%s)

Location:
/var/log/ltm

Conditions:
This happens when you try to assign the base/builtin geo redundancy profile /Common/georedundancy to a virtual server.

Impact:
The attempt to update the configuration fails.

Recommended Action:
1. Create a user-defined geo profile (e.g.):
tmsh create ltm profile georedundancy my_geo_profile defaults-from georedundancy

2. Assign my_geo_profile to the virtual server.

01b40047 : Cannot create TDR filter '%s' inside TDR profile '%s', maximum limit 255 reached.

Location:
/var/log/ltm

Conditions:
Whenever MCP identifies that the newly created TDR filter count in the TDR profile is crossed its threshold value of 255.

Impact:
Does not create the specified TDR filter for the TDR profile. TDR filters can be created inside a TDR profile.

Recommended Action:
None

01b40048 : TDR filter '%s' has invalid TDR format %s (%s)

Location:
/var/log/ltm

Conditions:
Whenever MCP identifies the Transaction Data Record (TDR) format configuration parameter of the TDR filter as invalid before trying to store it in the MCP database.

Impact:
Does not update the specified value for the TDR format configuration parameter of the TDR filter. TDR filters can be created inside a TDR profile.

Recommended Action:
None

01b40049 : MR RateLimit profile '%s' has invalid configuration (%s).

Location:
/var/log/ltm

Conditions:
When MCP identifies the Message Routing (MR) rate limiting configuration as invalid before trying to store it in the MCP database.

Impact:
Does not allow creation of the profile.

Recommended Action:
Use the correct configuration for the rate limit.

01b4004b : DNS Cache dlv-anchors has been deprecated, removing from the configuration.

Location:
/var/log/ltm

Conditions:
An existing configuration with dlv-anchors in the DNS Cache Validating-resolver.

Impact:
Existing dlv-anchor will be removed from the configuration.

Recommended Action:
No workaround. Configuration was deprecated.

01b4004c : Invalid Transparent Nexthop configuration,VLAN (%s) %s

Location:
Error message is seen on the GUI and Console.

Conditions:
This occurs when you select the same VLAN group through TMSH/GUI Advanced Menu/GUI DoS Menu:
-- Virtual Server :: VLANs
-- Virtual Server :: Transparent Nexthop

Impact:
Configuration changes for that virtual server are not saved.

Recommended Action:
NA

01b50001 : VE 1NIC Self IP configuration error: %s

Location:
/var/log/ltm, CLI

Conditions:
When BIG-IP Virtual Edition is in 1NIC mode, a user has tried to set self IP xxx.xxx.xxx.xxx, but that IP address is not present in the management interface. (The command "tmsh list sys management-ip" does not show that address). This can occur for both IPV4 and IPV6 addresses.

Impact:
The self IP address that the user was trying to create does not succeed.

Recommended Action:
Create a management IP address with the same IP address as in the management interface. Then create a self IP address.

01b50002 : The label '%s' is longer than the %u characters specified by the PKCS11 Standard.

Location:
/var/log/ltm

Conditions:
A user has tried to configure a label that is longer than the PKCS11 standard.

Impact:
The TMSH or iControl command fails.

Recommended Action:
Use a smaller label. You also might need to rename the label on the HSM.

01b50003 : Certificate (%s) is not generated from the key (%s).

Location:
/var/log/ltm

Conditions:
The selected certificate for configuration is not matching the key.

Impact:
The selected certificate/key pair cannot be used for the configuration.

Recommended Action:
Identify the correct certificate that matches the key and apply to the configuration.

01b50004 : Certificate signing request (%s) is not generated from the key (%s).

Location:
/var/log/ltm

Conditions:
The selected certificate signing request (CSR) for configuration is not matching the key.

Impact:
The selected certificate signing request/key pair cannot be used for the configuration because the key is not matching the CSR.

Recommended Action:
Identify the correct certificate signing request that matches the key, and apply it to configuration.

01b50005 : Key (%s) access requires passphrase.

Location:
/var/log/ltm

Conditions:
The provided key does not have a passphrase to decrypt it.

Impact:
The provided key cannot be used for configuration.

Recommended Action:
None.

01b50009 : Certificate order manager (%s) certificate authority (%s) requires client certificate and key to access the account.

Location:
/var/log/ltm

Conditions:
A certificate order manager configuration for the selected authority lacks a client certificate and key.

Impact:
The certificate order manager configuration is invalid and therefore fails.

Recommended Action:
None.

01b50010 : Certificate order manager (%s) fields (%s) should be empty for the selected certificate authority (%s).

Location:
/var/log/ltm

Conditions:
A certificate order manager configuration for the selected authority contains fields that are filled with values.

Impact:
The certificate order manager configuration is invalid and therefore fails.

Recommended Action:
Ensure that certificate order manager fields are empty.

01b50011 : Certificate order manager (%s) empty order-info. Please provide a valid order-info corresponding to the CA.

Location:
/var/log/ltm

Conditions:
A certificate order manager order-info field is empty.

Impact:
The certificate order manager configuration is invalid and therefore fails.

Recommended Action:
Provide a value for the order-info field that corresponds to the certificate authority (CA).

01b50012 : Certificate order manager (%s) invalid order-info for Certificate Authority (%s).\n%s.

Location:
/var/log/ltm

Conditions:
The value of a certificate order manager order-info field does not match the order-info template required for the selected certificate authority (CA).

Impact:
The certificate order manager configuration is invalid and therefore fails.

Recommended Action:
Ensure that the value of the certificate order manager order-info field matches the order-info template required for the selected certificate authority (CA).

01b50015 : Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. Allowed values are (%s).

Location:
/var/log/ltm

Conditions:
The certificate order manager order-info field value does not match the allowed list of values.

Impact:
The certificate order manager configuration fails.

Recommended Action:
None.

01b50016 : Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. An Integer value is expected.

Location:
/var/log/ltm

Conditions:
The certificate order manager order-info field value is not an integer.

Impact:
The certificate order manager configuration fails.

Recommended Action:
Ensure that the order-info field value is an integer.

01b50017 : Certificate order manager (%s) certificate authority (%s) order-info field (%s) value (%s) is not valid. An integer value within range (%d-%d) is expected.

Location:
/var/log/ltm

Conditions:
The configured certificate order manager order-info field value is not within the range of integer values enforced by the authority.

Impact:
The certificate order manager configuration fails.

Recommended Action:
Ensure that the order-info field value is within the range of integer values enforced by the authority.

01b50018 : Certificate order manager (%s) CA certificate (%s) is invalid. %s.

Location:
/var/log/ltm

Conditions:
The configured certificate order manager CA certificate is not a true CA certificate.

Impact:
The certificate order manager configuration fails.

Recommended Action:
Ensure that the certificate is a true CA certificate.

01b50019 : Certificate order manager (%s) client certificate key pair is mismatched.\n%s

Location:
/var/log/ltm

Conditions:
The configured certificate order manager client certificate is not signed by the configured client key.

Impact:
The certificate order manager configuration fails.

Recommended Action:
Ensure that the client certificate is signed by the configured client key.

01b50020 : Key (%s) cert-order-manager revoke-reason should not be empty for certificate revoke.

Location:
/var/log/ltm

Conditions:
A certificate revoke order made from the key is missing the mandatory revoke reason.

Impact:
The certificate order fails.

Recommended Action:
Supply the missing revoke reason.

01b50020 : Key (%s) cert-order-manager cannot be deleted when order-status is in 'pending'.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a key certificate order manager association when a certificate order is in progress.

Impact:
The system failed to delete the certificate order manager association from the key.

Recommended Action:
None.

01b50021 : Key (%s) cert-order-manager association is being deleted while order-type (%s) is in progress.

Location:
/var/log/ltm

Conditions:
A user has attempted to delete a cert-order-manager from the key when an active order-type is present.

Impact:
The attempt to remove the cert-order-manager from the key failed.

Recommended Action:
Wait until the current order-type is complete and the order-type is None.

01b50022 : Key (%s) cert-order-manager order-status should be in 'pending' to check-status.

Location:
/var/log/ltm

Conditions:
An attempt was made to check the status of a certificate authority (CA) order on a key when there is no pending certificate order.

Impact:
The status check on the CA order fails.

Recommended Action:
None.

01b50022 : Key (%s) cert-order-manager order-status should not be in 'pending' while deleting key.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a key when a certificate order is in progress.

Impact:
The system fails to delete the key.

Recommended Action:
None.

01b50022 : Key (%s) cert-order-manager order-id should be valid to download a certificate.

Location:
/var/log/ltm

Conditions:
A user has attempted to download an approved certificate, but the order-id field is empty.

Impact:
The certificate cannot be downloaded from a certificate authority (CA) without a valid order-id.

Recommended Action:
Ensure that the value of the order-id field is valid.

01b50023 : Key (%s) is being deleted while order-type (%s) is in progress.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a key when the key is progressing on a certificate order.

Impact:
The certificate order manager configuration failed.

Recommended Action:
None.

01b50027 : Key (%s) changing order-type to (%s) is not allowed as there is order-type (%s) in progress.

Location:
/var/log/ltm

Conditions:
An attempt was made to change a certificate order type on a key while another order type is in progress.

Impact:
The system fails to change the order type.

Recommended Action:
None.

01b50028 : Key (%s) cert-order-manager order-type(%s) needs a valid certificate signing request (CSR) with name (%s). %s

Location:
/var/log/ltm

Conditions:
The BIG-IP system could not make a certificate order because it could not find a valid certificate signing request (CSR) that matches the key.

Impact:
The system fails to make a certificate order.

Recommended Action:
None.

01b50029 : CSR (%s) is being deleted while key (%s) cert-order-manager order-type (%s) is in progress.

Location:
/var/log/ltm

Conditions:
An attempt was made to delete a CSR when the key is progressing on a certificate order.

Impact:
The certificate order manager configuration fails.

Recommended Action:
None.

01b50030 : Key (%s) cert-order-manager current order-type (%s) cannot be canceled.

Location:
/var/log/ltm

Conditions:
An attempt was made to cancel a certificate order from a key, but the current order type cannot be canceled.

Impact:
The system fails to cancel the order.

Recommended Action:
None.

01b50032 : Certificate order manager (%s) base-url should not include authentication information.

Location:
/var/log/ltm

Conditions:
The certificate order manager configured base-url contains authentication information.

Impact:
The certificate order manager configuration fails.

Recommended Action:
None.

01b50033 : Certificate order manager (%s) additional header %s. Expected configuration '%s'".

Location:
/var/log/ltm

Conditions:
The certificate order manager configured additional header doesn't match the header expected by the certificate authority.

Impact:
The certificate order manager configuration fails.

Recommended Action:
None.

01b50034 : Certificate order manager (%s) internal proxy should not be empty.

Location:
/var/log/ltm

Conditions:
The certificate order manager internal proxy field is empty.

Impact:
The certificate order manager configuration fails.

Recommended Action:
None.

01b50034 : Key (%s) Certificate order manager (%s) authority (%s) requires challenge passphrase for submitting the order.

Location:
/var/log/ltm

Conditions:
The challenge passphrase required by the certificate authority (CA) is missing on the certificate order configuration.

Impact:
The certificate order to the CA fails.

Recommended Action:
None.

01b50035 : Key (%s) cert-order-manager certificate authority (%s) order-passphrase requirements not met.%s

Location:
/var/log/ltm

Conditions:
The passphrase filed is empty, or the CA-specific passphrase requirements have not been met.

Impact:
The certificate order fails.

Recommended Action:
Provide a valid passphrase for the order.

01b50036 : Key (%s) cert-order-manager order-passphrase not required for certificate authority (%s).

Location:
/var/log/ltm

Conditions:
A user attempted to configure an order passphrase, but the certificate order manager authority does not require one.

Impact:
The certificate order configuration for the key failed.

Recommended Action:
None.

01b50037 : Key (%s) cert-order-manager order-type should not be changed along with check-status.

Location:
/var/log/ltm

Conditions:
In a key cert-order-manager association, a user has attempted to set a new order-type in addition to using the check-status command.

Impact:
The check-status order is not executed for the certificate order.

Recommended Action:
None.

01b50037 : Key (%s) cert-order-manager order-type should not be changed while downloading certificate.

Location:
/var/log/ltm

Conditions:
A user has attempted to download a certificate while changing the certificate order manager order-type field.

Impact:
The certificate fails to download from the certificate authority (CA).

Recommended Action:
None.

01b50038 : Certificate order manager (%s) CA certificate should not be empty.

Location:
/var/log/ltm

Conditions:
A CA certificate configuration field is empty.

Impact:
The attempt to make a certificate order manager failed.

Recommended Action:
None.

01b50039 : Key (%s) certificate order manager order-id should not be empty while making a renewal order.

Location:
/var/log/ltm

Conditions:
A key-associated certificate order manager order ID is empty while the system is making a certificate renewal order.

Impact:
The attempt to make a certificate renewal order fails.

Recommended Action:
If the order ID is empty, find the order ID from the certificate authority (CA) website, and make a manual entry of the order ID in the key certificate order manager association.

01b50040 : System generated key (%s) should not be associated with certificate order manager.

Location:
/var/log/ltm

Conditions:
A user has attempted to associate a system-generated key, such as "default.key", with the certificate order manager.

Impact:
The configuration action fails.

Recommended Action:
Ensure that the key that you associate with the certificate order manager is not a system-generated key.

01b50041 : Certificate order management is disallowed on key (%s) as its folder (%s) is associated with a sync-only device-group (%s). This operation is allowed on folders associated with sync-failover device-group or if the device-group on the folder is set to none.

Location:
/var/log/ltm

Conditions:
Key included in a folder associated with a Sync-Only device group is not allowed to make certificate order management.

Impact:
The system fails to create certificate order management objecta in Sync-Only device-group associated folders.

Recommended Action:
None.

01b50042 : Certificate order manager (%s) - Certificate authority is not allowed to be modified. Please create a new certificate order manager if a different certificate authority is needed.

Location:
/var/log/ltm

Conditions:
A user has attempted to modify the certificate order manager authority field.

Impact:
Certificate authority is not allowed to be modified. The configuration operation is not saved.

Recommended Action:
Create a new certificate order manager.

01b50043 : Certificate order manager (%s) has invalid (%d) validity-days. %s

Location:
/var/log/ltm

Conditions:
A user has attempted to configure empty or invalid validity-days on a
cert-order-manager configuration. The selected certificate authority requires validity days for the certificate requested.

Impact:
The system prevents successful cert-order-manager configuration.

Recommended Action:
Configure validity-days for the certificate authority selected.

01b50044 : No symmetric unit key found for guest %s.

Location:
/var/log/ltm

Conditions:
A vCMP guest configuration on the host has been sent to secondary blades of a chassis and the guest configuration does not include the symmetric unit key.

Impact:
The secondary blade's mcpd daemon goes into a restart loop and causes disruption of traffic.

Recommended Action:
Delete the guest, save and load the configuration, or reboot the chassis.

01b50045 : Generating symmetric unit key failed (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
When creating a vCMP guest or upgrading a host with vCMP guests, an attempt to create the guest's unit key has failed.

Impact:
This causes a validation failure in MCPD and prohibits the guest from being created or the configuration from being loaded.

Recommended Action:
Try creating the vCMP guest or upgrading the host again. This process takes time.

01b50046 : Encrypting symmetric unit key failed.

Location:
/var/log/ltm, GUI, CLI

Conditions:
When a user is creating a vCMP guest or upgrading a host with vCMP guests, encrypting the guest's unit key fails.

Impact:
The guest or the configuration fails validation.

Recommended Action:
Try creating the vCMP guest or upgrading the host again. This process takes time.

01b50047 : Setting DB variable %s to %s. No rebooting needed.

Location:
MCPDERR_DB_CC_FIPS_CHANGE_NOREBOOT is shown in /var/log/ltm and can be seen on the console and in the logs.

It is being added as MCPDERR_DB_CC_FIPS_CHANGE_NOREBOOT LOG_LOCAL0|LOG_NOTICE 'Setting DB variable %s to %s. No rebooting needed.'

Conditions:
For some platforms (other than vADC), the BIG-IP system does not require a reboot after setting the db variable.

Impact:
This message is for logging purposes. There is impact to functionality.

Recommended Action:

01b50047 : The system auth source type (%s) does not support rewrite system-auth for update on auth password policy.

Location:
/var/log/ltm.

Conditions:
-- Remote AAA provider is in use.
-- Attempting to enforce password_policy for localusers configured with an unsupported auth type.

Impact:
No major impact on config for unsupported auth type; these types should not be allowed anyway. Password_policy is enabled only for supported auth types from the CLI and GUI.

Recommended Action:
Change to a known auth source type.

Impact: Authentication changes for locally created login users on the BIG-IP system (e.g., root, admin, etc.).

01b50048 : Certificate order manager (%s) certificate authority (%s) security token is invalid. %s

Location:
/var/log/ltm, CLI

Conditions:
The configured security token is invalid because it is not in
the required format for the specific certificate authority.

Impact:
The certificate order manager configuration fails.

Recommended Action:
Configure the security-token in the prescribed format for the specific certificate authority.

01b50048 : %s changing OpenSSL FIPS flag from (%d) to (%d). No rebooting needed.

Location:
This error is reported in /var/log/ltm, and can be seen on the console and in the logs.

It is added as MCPDERR_OPENSSL_FIPS_FLAG_CHANGE_NOREBOOT LOG_LOCAL0|LOG_NOTICE '%s changing OpenSSL FIPS flag from (%d) to (%d). No rebooting needed.'

Conditions:
-- For devices other than BIG-IP Virtual Edition (VE) with PAYG licenses, this involves a reboot.
-- For VE PAYG devices, no reboot is required.

Impact:
This message is for logging purposes. There is impact to functionality when this error occurs.

Recommended Action:

01b60001 : No cipher match found in '%s'

Location:
GUI, CLI

Conditions:
A user has entered an invalid cipher list string. OpenSSL could not find a single cipher match in the string.

Impact:
This is a validation error. OpenSSL will not use that value and will use the previously-working cipher list.

Recommended Action:
Enter a cipher list string that contains at least one supported cipher.

01b60002 : No TLS version match found in '%s'

Location:
GUI, CLI

Conditions:
The user has entered a TLS version that is not recognized by OpenSSL and was caught by MCP validation.

Impact:
The TLS version entered is not used by OpenSSL.

Recommended Action:
Enter a supported TLS version.

01b60003 : QoS Round-trip time and Hops can't both have non-zero values.

Location:
/var/log/ltm

Conditions:
The GTM pool Quality of Service parameters "Hops" and "Round-trip time" are both set to non-zero values.

Impact:
The Quality of Service parameter "Hops" is reset to zero under certain conditions. The validation throws an MCP exception, which will be reported to the user through the GUI, TMSH, or iControl. The transaction will be canceled until the user explicitly sets acceptable values for the parameters.

Recommended Action:
Set acceptable values for the "Hops" and "Round-trip time" parameters.

01b60004 : DNSSEC External Zone (%s) must be a descendant of DNSSEC Zone (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a DNSSEC External Zone (external secure delegation) on a DNSSEC Zone that is not a parent of the DNSSEC External Zone.

Impact:
A DNSSEC External Zone is created.

Recommended Action:
Correct the name of the DNSSEC External Zone (external secure delegation) to be an actual child of the DNSSEC Zone. For example, if the DNSSEC Zone is "example.com", then a valid external secure delegation could be something like "my.external.child.example.com".

01b60005 : DNSSEC External Zone (%s:%s) duplicates existing DNSSEC zone (%s) with the same name (case-insensitive and unique across folders).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a DNSSEC External Zone (external secure delegation) that matches the name of a pre-existing DNSSEC Zone.

Impact:
A DNSSEC External Zone is not created.

Recommended Action:
Correct the name of the DNSSEC External Zone (external secure delegation) to be a unique name compared to the existing DNSSEC Zones that are configured.

01b60006 : DNSSEC External Zone (%s:%s) duplicates existing external zone (%s:%s) with the same name (case-insensitive).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a DNSSEC External Zone (external secure delegation) on a DNSSEC Zone that matches the name of a pre-existing DNSSEC External Zone (external secure delegation).

Impact:
DNSSEC External Zone is not created.

Recommended Action:
Correct the name of the DNSSEC External Zone (external secure delegation) to be a unique name compared to the existing DNSSEC External Zones that are configured.

01b60007 : DNSSEC External Zone (%s) references a nonexistent DNSSEC zone (%s)

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a DNSSEC External Zone (external secure delegation) on a DNSSEC Zone that does not exist.

Impact:
A DNSSEC External Zone is not created.

Recommended Action:
Either first create the parent DNSSEC Zone that you want to add the DNSSEC External Zone to, or change the name of the parent of the DNSSEC External Zone (external secure delegation) to be a pre-existing DNSSEC Zone.

01b60008 : DNSSEC Zone %s duplicates existing external zone (%s:%s) with the same name (case-insensitive).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a DNSSEC Zone (secure delegation) that matches the name of a pre-existing DNSSEC External Zone (external secure delegation).

Impact:
DNSSEC Zone is not created.

Recommended Action:
Correct the name of the DNSSEC Zone (secure delegation) to be a unique name compared to the existing DNSSEC Zones and DNSSEC External Zones that are configured.

01b60009 : Unable to parse DNSSEC secure delegation record (%s:%s):%s (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a DNSSEC External Zone (external secure delegation) with an invalid DS Record string field.

Impact:
A DNSSEC External Zone is not created.

Recommended Action:
Correct the formatting of the DS Record string to follow the standard format. For example, the following is a DS record for example.com:
"example.com. 34695 IN DS 31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE"

01b6000a : DNSSEC external secure delegation record (%s:%s) has DS with different owner name: %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a DNSSEC External Zone (external secure delegation) by specifying a DS record string where the owner name is different than the name of the DNSSEC External Zone.

Impact:
If the user attempted to create a new DNSSEC External Zone, the External zone is not created. If the user attempted to modify an existing DNSSEC External Zone, the External Zone remains unchanged.

Recommended Action:
When specifying DS record strings, the owner name (the first field) must match the name of the DNSSEC External Zone on which the DS record strings are being configured.

01b6000b : At least one ds-algorithm must be specified.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to remove the only algorithm in the DNSSEC Zone DS Algorithms list.

Impact:
The DNSSEC Zone remains unchanged. A DNSSEC Zone must have at least one DS algorithm configured. When a new DNSSEC Zone is created but no DS algorithm is specified, it defaults to the DS algorithm SHA1.

Recommended Action:
Specify at least one DS algorithm when modifying the DNSSEC Zone ds-algorithms list.

01b6000c : DNSSEC External Zone (%s) must contain at least one DS record string.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a DNSSEC External Zone (external secure delegation) without specifying at least one DS record string in the DS records list.

Impact:
If the user attempted to create a new DNSSEC External Zone, the zone is not created. If the user attempted to modify an existing DNSSEC External Zone, the zone remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone (external secure delegation), ensure that there is at least one DS record in the DS records list.

01b6000d : DNSSEC External Zone (%s) contains a duplicate DS record (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a DNSSEC External Zone DS Record string that matches a pre-existing DS Record string on the same zone.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify an existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure that tthe given string does not already exist on the zone.

01b6000e : DNSSEC External Zone (%s) DS record string (%s) contains a non-IN class type (%s). It must be 'IN'.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a given DNSSEC External Zone's DS Record string and did not specify the class as "IN" within the DS Record string.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify and existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure that the class type specified is "IN".

01b6000f : DNSSEC External Zone (%s) DS record string (%s) contains a non-DS resource record type (%s). It must be 'DS'.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a given DNSSEC External Zone's DS Record string and did not specify the resource record type as "DS" within the DS Record string.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify an existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure that the resource record type specified is "DS".

01b60010 : DNSSEC External Zone (%s) DS record string (%s) contains an invalid digest type (%s). It must be an integer in the range of 1 - 2.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a given DNSSEC External Zone's DS Record string and did not specify the digest type as an integer in the range of 1 - 2.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify and existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure the digest type is within the valid range of integers.

01b60011 : DNSSEC External Zone (%s) DS record string (%s) contains an invalid key tag (%s). It must be an integer in the range of 0 - 65535 and match that of the corresponding DNSKEY RR.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a given DNSSEC External Zone's DS Record string and did not specify the DNSKEY tag as an integer in the range of 0 - 65535.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify and existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure the DNSKEY tag is within the valid range of integers.

01b60012 : DNSSEC External Zone (%s) DS record string (%s) contains an invalid DNSKEY algorithm (%s). It must be an integer in the range of 3 - 255 and match that of the corresponding DNSKEY RR.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a given DNSSEC External Zone's DS Record string and did not specify the DNSKEY algorithm as an integer in the range of 3 - 255.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify and existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure the DNSKEY algorithm is within the valid range of integers.

01b60013 : DNSSEC External Zone (%s) DS record string (%s) contains an invalid TTL (%s). It must be an integer in the range of 0 - 2147483647.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a given DNSSEC External Zone's DS Record string and did not specify the TTL as an integer in the range of 0 - 2147483647.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify and existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure that the TTL value is within the valid range of integers.

01b60014 : DNSSEC External Zone (%s) DS record string (%s) is missing the DNSKEY digest.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create or modify a given DNSSEC External Zone's DS Record string without specifying the DNSKEY digest as part of the DS Record string.

Impact:
If the user attempted to create a new DNSSEC External Zone, it is not created. If the user attempted to modify and existing DNSSEC External Zone, it remains unchanged.

Recommended Action:
When creating or modifying a DNSSEC External Zone's DS Record string, ensure that there a DNSKEY digest at the end of the string.

01b60015 : Topology order value (%u) ignored because longest match is enabled.

Location:
/var/log/ltm

Conditions:
A user has attempted to modify the order of a topology record while the longest-match global setting is enabled.

Impact:
The change to the order of topology records has no substantial effect. The longest-match setting indicates that the system manages the order of topology records and therefore user-initiated changes to the topology order are ignored.

Recommended Action:
To manage the order of topology records manually, disable the longest-match setting by using the command "tmsh modify gtm global-settings load-balancing topology-longest-match no".

To add a topology record while maintaining longest-match ordering, refrain from specifying an order value.

If longest-match ordering is disabled, then the system no longer manages the order on its own and relies on the user-specified order values.

01b60016 : Cannot specify order (%u) that is greater than the number of topology records (%u)

Location:
/var/log/ltm

Conditions:
An attempt has been made to modify the order of a topology record to an invalid value.

Impact:
The change to the order of topology records is rejected.

Recommended Action:
Specify an order value that is greater than or equal to 1 and less than or equal to the total number of topology records indicated in the message.

01b60018 : DS record is not a valid attribute for external insecure zone %s

Location:
CLI

Conditions:
A user has attempted to add a DS record in TMSH that is an invalid attribute for an insecure external delegation for a DNSSEC zone.

Impact:
MCP does not allow a DS record to be added because the delegation is insecure and has no DS records.

Recommended Action:
If adding a DS record, ensure that the delegation has its secure attribute enabled.

01b60019 : DNSSEC SEP Record is missing %s.

Location:
/var/log/ltm

Conditions:
This error field is currently unused.

Impact:
Users will never see this message.

Recommended Action:
None.

01b6001a : DNSSEC FIPS manager could not parse %s key file (%s)

Location:
/var/log/ltm

Conditions:
The DNSSEC FIPS manager has attempted to generate keys via an external FIPS device and was unable to parse one or more of the files that generating keys using this device should produce.

Impact:
DNSSEC keys are not generated when configured with the external FIPS device.

Recommended Action:
Verify that keys can be created manually by running the tmsh command "tmsh create sys crypto key <key_name> key_size <key_size> security-type nethsm".

Then verify that certs can be created manually via "tmsh create sys crypto cert <cert_name> key <key_name> common-name <x509_common_name>".

Finally, if both the key and the certificate have been successfully created, verify that a file was created using either the cert_name or key_name in the same directory indicated by the log message.

01b6001b : Handling request for dnssec generation of key %s with id %llu. %s.

Location:
/var/log/gtm

Conditions:
mcpd has received the request "request_gtm_dnssec_key_generation" to generate a new DNSSEC key with a specified ID.

Impact:
The debug log message is printed.

Recommended Action:
None.

01b6001c : Failed to handle request for new dnssec key generation: Invalid primary key in request for DNSSEC Key Generation.

Location:
/var/log/gtm

Conditions:
mcpd has received the request "request_gtm_dnssec_key_generation" to generate a new DNSSEC key, without one of required field "key_name" or "id".

Impact:
The request "request_gtm_dnssec_key_generation" is invalid, so no new DNSSEC key generation is created.

Recommended Action:
None.

01b6001d : Failed to handle request for new dnssec key generation: Non existent key %s.

Location:
/var/log/gtm

Conditions:
mcpd has received the request "request_gtm_dnssec_key_generation" to generate new DNSSEC key because a key does not exist.

Impact:
The request "request_gtm_dnssec_key_generation" is invalid, so no new DNSSEC generation will be created.

Recommended Action:
None.

01b6001e : Invalid control character %u found in GTM object with name %s.

Location:
/var/log/ltm

Conditions:
A control-character exists within a GTM object's name.

Impact:
GTM Monitors fail to properly find and monitor these objects

Recommended Action:
Rename the object to remove the control characters.

Note: This requires a configuration change.

01b6001f : DNS monitor '%s' has invalid parameter value '%s'

Location:
This error message is reported on the tmsh console as well as in the GUI.

Conditions:
This error message appears if you try to specify an invalid value for the recv-status-code parameter, for example, alpha characters, or special characters.

Impact:
Invalid value message is reported, and you must select a different parameter value (numeric) for the recv-status-code parameter.

Recommended Action:
None.

01b60020 : Found invalid configuration for DNSSEC zone %s %s RR types.

Location:
The error might be displayed in TMSH, in the Web GUI, or on the CLI (upon a config load or a software upgrade).

Conditions:
You configured a Resource Record type that is not valid for either apex or under-apex bitmap types field of a DNSSEC zone. Some resource record types are valid for apex but not for under-apex. The Web GUI and TMSH should not allow the user to configure invalid types. The error is there to catch any exceptional events or if the configuration file was edited manually.

Impact:
When that error occurs, the invalid, configured Resource Record type is discarded, and the previous value for that field is restored.

Recommended Action:
No workaround. Valid Resource Record types must be configured.

01b60020 : Failed to decrypt private text of DNSSEC Key Generation %llu of key %s.

Location:
/var/log/ltm

Conditions:
MCP failed to decrypt private text of DNSSEC Key Generation while loading configuration. The issue most likely caused by mismatch master key used to encrypt the private text and current master key.

Impact:
GTM configuration will not be loaded.

Recommended Action:
Remove the DNSSEC Key Generation completely in bigip_gtm.conf and reload config to let GTM generate it from scratch.

01b60021 : Configured DNSSEC Zone %s bitmap types are missing required default RR types. Required defaults are %s.

Location:
The error might be displayed in TMSH, in the Web GUI, or on the CLI (upon a config load or a software upgrade).

Conditions:
The configured Resource Record (RR) types do not satisfy the set of required Resource Record Types that must be present for either apex or under-apex bitmap types fields of a DNSSEC zone.

-- For apex the set of required RR types is 'NS SOA RRSIG NSEC3PARAM DNSKEY KEY'.

-- For under-apex the set of required RR types is 'RRSIG'.

Impact:
When the error occurs, those configured RR types are discarded and the previous value for that field is restored.

Recommended Action:
No workaround. Valid RR types must be configured.

01b60021 : DNSSEC Key %s cannot have manual key management and HSM at the same time.

Location:
/var/log/ltm

Conditions:
An attempt to create DNSSEC Key with manual key management and with HSM: FIPS and Thales.

Impact:
The DNSSEC Key will not be created, because the configuration is invalid.

Recommended Action:
None. You must configure the DNSSEC Key with either manual key management or HSM: FIPS and Thales. You cannot use both at once.

01b60022 : Last resort pool name not specified for Wide IP %s

Location:
/var/log/ltm and tmsh

Conditions:
This error appears while creating a gtm wideip entry for last-resort-pool and no pool name provided
example: tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>

Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance, might be confused with these values

Recommended Action:
Change the wideIP object via the GUI and set the Last Resort Pool to None, then save the changes.

01b60023 : Last resort pool type not specified for Wide IP %s

Location:
/var/log/gtm

Conditions:
This error appears while creating a gtm wideip entry for last-resort-pool and no pool name provided
example: tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool

Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance, might be confused with these values

Recommended Action:
Change the wideIP object via the GUI and set the Last Resort Pool to None, then save the changes.

01b60024 : DNSSEC Key %s of ECDSA algorithm not supported for Thales HSM.

Location:
/var/log/ltm

Conditions:
DNSSEC Key created of ECDSA algorithm with Thales HSM, which does not support ECDSA Keys.

Impact:
The error message appears and the key is not created.

Recommended Action:
None

01b60025 : The bit-width field is not applicable for ECDSA algorithms.

Location:
CLI

Conditions:
Creating a DNSSEC key with any of the ECDSA algorithms, and either of the following:
-- You enter a value other than 0 (zero) for the bitwidth field.
-- You do not change the default value of bitwidth field.

Impact:
DNSSEC key creation fails.

Recommended Action:
Make sure the value of the bitwidth field is 0 when creating a DNSSEC key with the ECDSA algorithm.

01b70001 : Per-request policy (%s) should have only one per-req-policy-properties object

Location:
cli

Conditions:
While using TMSH, a user has tried to add multiple per-req-policy-properties objects to an Access policy.

Impact:
Adding multiple per-req-policy-properties objects to an Access policy fails.

Recommended Action:
Edit the per-req-policy-properties object that is already attached to the policy instead of adding another per-req-policy-properties object.

01b70002 : Policy (%s) of type %s cannot have per-req-policy-properties attached, policy type must be %s.

Location:
cli

Conditions:
While using TMSH, a user has tried to add a per-req-policy-properties object to an Access policy that is not of type "per-rq-policy" or "sslo-policy".

Impact:
Adding a per-req-policy-properties object to an Access policy fails.

Recommended Action:
Add a per-req-policy-properties object to a policy of the correct type.

01b70003 : Discovery interval (%u) for OAuth provider (%s) must be greater than (%u) minutes.

Location:
/var/log/apm, GUI, CLI

Conditions:
The administrator has set the discovery interval in OAuth provider to an invalid value.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
Set discovery interval for OAuth provider to be greater than 60 minutes.

01b70005 : oneshot_macro attribute for the requested object (%s) can be set to true only for access policy of type per request macro and per request sslo macro.

Location:
/var/log/apm

Conditions:
A user has attempted to reset a oneshot macro from “false” to “true”. Only the access policy types “Access policy (pre-request) macro” and “Access policy sslo macro” can be set to “true”.

Impact:
The oneshot macro value remains unchanged ("false") and is not visible.

Recommended Action:
None.

01b70008 : JWK config (%s) is configured to use client secret for key type octet. Hence, this cannot be used as %s in %s (%s).

Location:
GUI, CLI

Conditions:
The key is being attached to an OAuth Profile or elsewhere that does not accept octet keys with 'use-client-secret' set.

Impact:
The Save operation fails.

Recommended Action:
Attach another key or modify this key and set 'use-client-secret' to false.

01b7000b : OAuth claim object (%s) has an invalid value (%s). When claim-type is set to '%s', allowed value is %s or a valid session variable.

Location:
GUI, CLI

Conditions:
The claim value does not match what is specified in the claim type.

Impact:
The configuration cannot be saved.

Recommended Action:
Change the claim type or specify the correct claim value.

01b7000c : Access Profile or Per-Request Policy cannot be attached to virtual (%s) when API Protection profile is attached.

Location:
/var/log/ltm

Conditions:
Either an Access profile, a Per Request policy, or both is associated with a virtual server, and a user has tried to add the API Protection profile to the virtual server in TMSH.

Impact:
The virtual server cannot be configured to use the API Protection profile. This is because an API Protection profile contains its own references to an Access profile and a Per Request policy.

Recommended Action:
Do not attempt to associate an API Protection profile with a virtual server that already has an Access profile and/or a Per Request policy assigned to it. To get API Protection features, ensure that an API Protection profile is the only profile assigned to the virtual server.

01b7000d : In API Protection Profile (%s), Last Generated Path ID value (%d) must be greater than or equal to its previous value (%d).

Location:
/var/log/ltm, GUI, CLI

Conditions:
In the API Protection profile, the Last Generated Path ID value is lesser than its previous value.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the API Protection profile, set the Last Generated Path ID value to be greater than or equal to its previous value.

01b7000e : In API Protection Profile (%s), Last Generated Path ID should be provided when setting Path ID manually(%d) in the children Path object.

Location:
/var/log/ltm, GUI, CLI

Conditions:
In the API Protection profile, the Last Generated Path ID value has not been provided when setting the path ID manually in the child path object.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the API Protection profile, set the Last Generated Path ID value when setting the path ID manually in the child path object.

01b7000f : In API Protection Profile (%s), Path ID (%d) in the children Path object should not be greater than Last Generated Path ID (%d) value.

Location:
/var/log/ltm, CLI

Conditions:
In the API Protection profile, the value of the path ID in the child path object, when set manually with the CLI, is greater than the Last Generated Path ID value.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the API Protection profile, the path ID value in the child path object must be equal to or less than Last Generated Path ID value.

01b70010 : In API Protection Profile (%s), children Path object has path_id modified to '%d'. Updating Path ID for an exisitng API Protection Profile Path object is not allowed.

Location:
/var/log/ltm, CLI

Conditions:
In the API Protection profile, the child path object has been modified to update the path ID.

Impact:
The save operation on an object or a configuration load operation fails.

Recommended Action:
In the API Protection profile, do not modify the value of the path ID in the child path object.

01b70011 : Access profile (%s) is of type api-protection and cannot be attached via the access profile link. API protection profiles must be directly attached to the Virtual Server.

Location:
GUI, CLI

Conditions:
The Access profile type is API Protection, and a user has attempted to attach the profile to an "Access Profile" link on a virtual server.

Impact:
The BIG-IP system cannot save the configuration.

Recommended Action:
Find the API Protection profile that this Access profile is attached to, and attach the API Protection profile to the "API Protection Profile" link on the virtual server instead.

01b70012 : Per request policy (%s) is of type api-protection and cannot be attached via the per request policy link. API protection profiles must be directly attached to the Virtual Server.

Location:
GUI, CLI

Conditions:
The Access policy profile type is API protection, and a user has attempted to attach the profile to the "Per-Request Policy" link on a virtual server.

Impact:
The BIG-IP system cannot save the configuration.

Recommended Action:
Find the API Protection profile that this per-request policy is attached to, and attach the API Protection profile to the "API Protection Profile" link on the virtual server.

01b70013 : Once an access profile has been associated to an API Protection profile (%s), a new access profile (%s) cannot be attached.

Location:
GUI, CLI

Conditions:
An Access profile reference on an API Protection profile has been modified.

Impact:
The BIG-IP system cannot save the configuration and throws an exception.

Recommended Action:
Create a new API Protection profile if needed, with the new Access profile as a reference.

01b70014 : Once a per request policy has been associated to an API Protection profile (%s), a new per-request policy (%s) cannot be attached.

Location:
GUI, CLI

Conditions:
A per-request-policy reference on an API Protection profile has been modified.

Impact:
The BIG-IP system cannot save the configuration and throws an exception.

Recommended Action:
Create a new API Protection profile if needed, with the new per-request-policy as a reference.

01b70015 : Access profile (%s) attached to the API protection profile (%s) must be of type api-protection.

Location:
CLI

Conditions:
A user has tried to attach an Access profile of a type other than "api-protection".

Impact:
Saving the new configuration fails.

Recommended Action:
Create a new Access profile or use an existing Access profile of type "api-protection".

01b70016 : Per request policy (%s) attached to the API protection profile (%s) must be of type api-protection.

Location:
CLI

Conditions:
A user has attempted to attach a per-request-policy of a type other than "api-protection".

Impact:
Saving the new configuration fails.

Recommended Action:
Create a new per-request-policy or use an existing per-request-policy of type "api-protection".

01b70017 : API Server (%s) cannot be attached to two API protection profiles (%s and %s).

Location:
CLI

Conditions:
A user has attempted to attach the same API server to two API Protection profiles.

Impact:
The configuration load fails.

Recommended Action:
Create a new API server and attach it to the second API Protection profile.

01b70018 : DNS Resolver must be attached if a server is present on API protection profile (%s).

Location:
GUI, CLI

Conditions:
An API Protection profile contains at least one server but does not reference a DNS resolver.

Impact:
The configuration load fails.

Recommended Action:
To attach a server, attach a DNS resolver also.

01b7001a : In API Protection Profile (%s), Path ID (%d) is not allowed. Path ID must be unique for the API protection profile.

Location:
/var/log/ltm, CLI

Conditions:
In an API Protection profile, a child path object has been created with a duplicate path ID. (Another path object with the same path ID exists for this API Protection profile.)

Impact:
The save operation on an object fails, or a configuration load operation fails.

Recommended Action:
In the API Protection profile, define a unique path ID for the child path object.

01b7001b : In API Protection Profile (%s), Path ID (%d) value is out of bounds. Valid value must be between (0) and (%d).

Location:
/var/log/ltm, CLI

Conditions:
In an API Protection profile, a user has set a path ID manually using the CLI and has configured an invalid path ID in the child path object. The path ID must be a valid number between 0 and 2147483647.

Impact:
The save operation on an object fails, or a configuration load operation fails.

Recommended Action:
In the API Protection profile, set the path ID in the child path object to be a valid number between 0 and 2147483647.

01b7001c : In API Protection Profile (%s), path ID cannot be generated for child path object. Maximum allowed value (%d) is reached

Location:
/var/log/ltm, CLI

Conditions:
In an API Protection profile, the path ID generated in the child path object has exceeded the maximum allowed number (2147483647).

Impact:
The save operation on an object fails, or a configuration load operation fails.

Recommended Action:
In the API Protection profile, remove the unwanted path object, and set that path ID for the new path object manually.

01b7001d : Response (%s) cannot be attached to two API protection profiles (%s and %s).

Location:
CLI

Conditions:
A user has attempted to attach the same response to two API Protection profiles.

Impact:
The configuration fails to load.

Recommended Action:
Create a new response-config, and associate it with the second API protection profile.

01b7001e : Default response cannot be empty in API protection profile (%s).

Location:
CLI

Conditions:
An attempt was made to set default-response to None.

Impact:
The configuration cannot be saved.

Recommended Action:
Set default-response in the API Protection profile.

01b7001f : Default response (%s) must be a part of responses associated with the API protection profile (%s).

Location:
CLI

Conditions:
An attempt has been made to set default-response to a response outside of the list of responses on this API Protection profile.

Impact:
The configuration load fails.

Recommended Action:
Set default-response to a response already in this API Protection profile's list of responses, or add a new response to this list and set default-response to this new response.

01b70020 : API Protection base profile (%s) cannot be modified or deleted.

Location:
CLI

Conditions:
A user has attempted to modify the API Protection base profile.

Impact:
The configuration fails.

Recommended Action:
Create a new API Protection profile.

01b70021 : Invalid URL (%s) for API Server (%s): %s.

Location:
GUI, CLI

Conditions:
A user has provided an invalid URL in URL field of the API server.

Impact:
This object cannot be saved.

Recommended Action:
Provide a valid URL.

01b70022 : If URL (%s) is of https scheme, serverssl profile must be present in API Server (%s).

Location:
GUI, CLI

Conditions:
The API server's URL field contains https, but a Server SSL profile has not been provided.

Impact:
The configuration load fails.

Recommended Action:
Provide a Server SSL profile.

01b70023 : Status code cannot be empty in Response Config (%s).

Location:
GUI, CLI

Conditions:
There is an empty status code in the response config.

Impact:
The configuration load fails, and the response object cannot be saved.

Recommended Action:
Provide a status code.

01b70024 : Status string cannot be empty in Response Config (%s).

Location:
GUI, CLI

Conditions:
THe status string is empty in response-config.

Impact:
The configuration load fails, and the object cannot be saved.

Recommended Action:
Provide a status string.

01b70025 : Response Config (%s) cannot have 'Connection' header present.

Location:
GUI, CLI

Conditions:
A "Connection" header has been provided in response config.

Impact:
The object cannot be saved.

Recommended Action:
Remove the "Connection" header, and save the object.

01b70026 : Response Config (%s) cannot have 'Content-Length' header present.

Location:
GUI, CLI

Conditions:
The "Content-Length" header is present.

Impact:
The object cannot be saved.

Recommended Action:
Remove the header with the "Content-Length" header name, and save the object.

01b70027 : In API Server Selection Agent (%s), Server (%s) selected must be part of servers associated with the API protection Profile (%s).

Location:
/var/log/ltm, CLI

Conditions:
In the API Server Selection agent, the server selected is not part of the servers associated with the API Protection profile.

Impact:
The save operation on an object fails, or a configuration load operation fails.

Recommended Action:
In the API Server Selection agent, the server selected must be part of the servers associated with the API Protection profile.

01b70028 : %s (%s) cannot be configured to use SSO Config (%s) since the SSO method is not supported for API Protection. Use SSO Config with SSO method configured for one of 'HTTP Basic', 'Kerberos' or 'OAuth Bearer'.

Location:
/var/log/ltm, CLI

Conditions:
The configured SSO method is not supported for API protection.

Impact:
The save operation on the object fails, or a configuration load operation fails.

Recommended Action:
For API protection, use SSO Config with an SSO method configured for "HTTP Basic", "Kerberos" or "OAuth Bearer" in the SSO Configuration Select agent or in corresponding profile access.

01b70029 : In %s Agent (%s), Response (%s) selected must be part of responses associated with the API protection Profile (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
An attempt has been made to select a "Response" object in an OAuth Scope agent, Response Selection agent, or Reject Ending agent of a V1/V2 access policy of an API Protection profile object, and the "Response" object selected is not associated with one of the responses for that API Protection profile.

Impact:
This is an MCP configuration error. The object containing this configuration is not saved.

Recommended Action:
Select a "Response" object that is associated with a response for that API Protection profile.

01b7002a : Invalid URI (%s) in Path (ID = %d) for API Protection Profile (%s): %s.

Location:
GUI, CLI

Conditions:
A user has provided an invalid URI in the path in an API Protection profile.

Impact:
The configuration load operation fails, and you cannot save the object.

Recommended Action:
Provide a valid URI, and save the object.

01b7002b : Method cannot be empty in Path (ID = %d) for API Protection Profile (%s).

Location:
GUI, CLI

Conditions:
The method is empty in the path in an API Protection profile.

Impact:
The object cannot be saved.

Recommended Action:
Provide a method, and save the object.

01b7002c : This combination of URI (%s) and method (%s) must be unique in API Protection Profile (%s).

Location:
GUI, CLI

Conditions:
The method URI combination already exists in this API Protection profile.

Impact:
The object cannot be saved.

Recommended Action:
The method URI combination in the API Protection profile already exists, so leave as is.

01b7002d : In API Protection profile (%s), Response (%s) cannot be deleted since it is used in %s (%s).

Location:
CLI

Conditions:
A user has attempted to delete a response object that is referenced elsewhere.

Impact:
The delete operation fails.

Recommended Action:
Disassociate the reference and then save the object.

01b7002e : In API Protection Profile (%s), Server (%s) cannot be deleted since it is used in %s (%s).

Location:
/var/log/ltm, CLI

Conditions:
While configuring an API Protection profile, a user has attempted to disassociate the server that is used in the API Server Selection agent.

Impact:
The save operation on the object fails, or a configuration load operation fails.

Recommended Action:
Do not disassociate a server used in an API Server Selection agent.

01b7002f : %s (%s) cannot be attached to two API protection profiles (%s and %s).

Location:
CLI

Conditions:
A user has attempted to attach an API Protection profile embedded object to another API Protection profile.

Impact:
The attempt to attach the object to the second profile fails.

Recommended Action:
Create a new object to attach to the other profile, and then save the object.

01b70030 : Status code (%s) in Response Config (%s) does not contain valid session variable.

Location:
GUI, CLI

Conditions:
The input for the "Status code" field of the "Response Config" object is inavlid.

Impact:
The configuration cannot be saved.

Recommended Action:
Provide valid input for the "Status code" field and save the configuration. If the input contains session variable start-delimiter "'%{" - it must contain the corresponding close-delimiter "}".

01b70031 : Status string (%s) in Response Config (%s) does not contain valid session variable.

Location:
GUI, CLI

Conditions:
The input for the "Status string" field of the "Response Config" object is invalid.

Impact:
The configuration cannot be saved.

Recommended Action:
Provide valid input for the "Status string" field and save the configuration. If the input contains session variable start-delimiter "'%{" - it must contain the corresponding close-delimiter "}".

01b70032 : Header (%s) in Response Config (%s) does not contain valid session variable.

Location:
GUI, CLI

Conditions:
The input for the "Header Name" field of the "Response Config" object is invalid.

Impact:
Configuration cannot be saved.

Recommended Action:
Provide valid input for the 'Header Name' field and save the configuration.
If the input contains session variable start-delimiter "'%{" - it must contain the corresponding close-delimiter "}".

01b70033 : Header value (%s) in Response Config (%s) does not contain valid session variable.

Location:
GUI, CLI

Conditions:
The input for the "Header value" field of the "Response Config" object is invalid.

Impact:
The configuration cannot be saved.

Recommended Action:
Provide valid input for the 'Header Value' field and save the configuration.
If the input contains session variable start-delimiter "'%{" - it must contain the corresponding close-delimiter "}".

01b70034 : Response body (%s) in Response Config (%s) does not contain valid session variable.

Location:
GUI, CLI

Conditions:
The input for the "Response Body" field of the "Response Config" object is invalid.

Impact:
The configuration cannot be saved.

Recommended Action:
Provide valid input for the 'Response Body' field and save the configuration.
If the input contains session variable start-delimiter "'%{" - it must contain the corresponding close-delimiter "}".

01b70035 : The virtual server (%s) must have an HTTP profile assigned to it before you can associate an API protection profile.

Location:
/var/log/ltm

Conditions:
A user has not associated an HTTP profile with the virtual server that an API Protection profile is also associated with.

Impact:
API Protection profile cannot be associated with a virtual server without an HTTP profile.

Recommended Action:
Ensure that both an HTTP profile and an API Protection profile are associated with the virtual server.

01b70036 : You cannot associate the base API protection profile with the virtual server (%s).

Location:
/var/log/ltm

Conditions:
An administrator has attempted to use TMSH to assign the base API Protection profile (/Common/apiprotection) to a virtual server.

Impact:
Virtual Server fails to be configured with API Protection functionality.

Recommended Action:
Create a new API Protection profile to use with a virtual server.

01b70037 : Header name and header value in response (%s) cannot be empty.

Location:
GUI, CLI

Conditions:
A user has added a new response-header join, but the header name or value is not specified.

Impact:
The configuration is not saved.

Recommended Action:
Delete this join if not necessary, or ensure that the name and value are specified.

01b70038 : In the API Protection Profile (%s), the path (ID = %d) refers to an API Server (%s) that is not part of this profile.

Location:
CLI

Conditions:
A user has attempted to associate a server outside of this API Protection profile with this profile's path.

Impact:
The configuration is not saved.

Recommended Action:
Associate a different server that is part of this profile, and then save the configuration.

01b70039 : In SSO config '%s',scope value(%s) contains invalid characters. Valid values are session variables or ASCII character set (0x21/ 0x23-0x5B/ 0x5D-0x7E).

Location:
/var/log/ltm, CLI

Conditions:
In an OAuth Bearer SSO configuration, the scope value contains invalid characters. Valid values are session variables or ASCII character set (0x21/ 0x23-0x5B/ 0x5D-0x7E).

Impact:
The save operation on the SSO object fails, or a configuration load operation fails.

Recommended Action:
In OAuth Bearer SSO configuration, set the scope value with session variables or ASCII character set (0x21/ 0x23-0x5B/ 0x5D-0x7E).

01b7003a : OpenID Connect should not be enabled for '%s' grant in agent '%s'

Location:
/var/log/ltm

Conditions:
A user attempted to enable an OpenID Connect for a grant type other than Authorization code.

Impact:
The configuration is not saved.

Recommended Action:
Disable OpenID Connect when the grant type is not Authorization code.

01b7003b : Unable to find customization source (%s) for customization group (%s).

Location:
/var/log/ltm, CLI

Conditions:
The definition of the customization group object contains an invalid customization source name.

Impact:
The system configuration cannot be loaded or modified.

Recommended Action:
Use correct customization source name for the customization group named in the message.

In case of initial configuration loading, it is necessary to make corrections in /config/bigip.conf. Reload configuration after this correction using the following tmsh command:

  tmsh load sys config

If the error occurred with the customization group creation / modification command, correct the command and re-issue it.

01b7003c : Deletion of customization source (%s) is prohibted. Object must always be present.

Location:
CLI

Conditions:
A user has attempted to delete a customization source object.

Impact:
No impact on a running system.

Recommended Action:
Do not attempt to delete or modify a customization source object.

01b7003d : Per-request access policy (%s) is not referenced by any existing customization group set

Location:
/var/log/ltm, CLI

Conditions:
The system configuration does not contain a customization group object that refers to a named access policy object.

Impact:
The system configuration cannot be loaded or modified.

Recommended Action:
Create a customization group set object for access policy within the same tmsh transaction.

01b7003e : The customization group set (%s) cannot share an access policy (%s) with other customization group set (%s).

Location:
/var/log/ltm, CLI

Conditions:
Two customization group set objects refer to the same access policy object.

Impact:
The system configuration cannot be loaded or modified.

Recommended Action:
Correct the access policy name in one of the named customization group set objects, or delete (don't create) one of these objects.

In case of initial configuration loading, you must make corrections in /config/bigip.conf. Reload the configuration after this correction by using the following tmsh command:

  tmsh load sys config

If the error occurred using a customization group creation or modification command, correct the command and re-issue it.

01b7003f : Access policy name cannot be changed in customization group set (%s)

Location:
CLI

Conditions:
A user has attempted to use a tmsh command to modify an access policy name in a customization group set object.

Impact:
The system configuration cannot be modified.

Recommended Action:
Do not modify an access policy name in a customization group set object.

01b70041 : DoS profile (%s) is already referenced by another API protection profile.

Location:
/var/log/ltm, CLI, API

Conditions:
This message occurs when the BIG-IP ASM or DoS module is provisioned. In an API protection profile, it is illegal to use an existing DoS profile that is used by another API protection profile. This error is relevant to TMSH and REST only, because in the GUI, there is no need to assign DoS profile to an API protection profile manually.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b70041 : %s profile (%s) is already referenced by another API protection profile.

Location:
/var/log/ltm, CLI, API

Conditions:
The BIG-IP ASM or DoS module is provisioned, and in an API protection profile, a user has attempted to use an existing DoS or Bot defense profile that is used by another API protection profile.

Impact:
The configuration is not stored in the MCP database. This message is relevant to TMSH and REST only, because in the GUI, there is no need to assign DoS and Bot defense profiles to an API protection profile manually.

Recommended Action:
None.

01b70041 : In API Protection Profile (%s), the Base Path (%s) is invalid: uri path must start with a '/' and cannot contain invalid characters.

Location:
GUI, CLI

Conditions:
An administrator has entered an invalid base path.

Impact:
The invalid base path is rejected.

Recommended Action:
Re-enter a valid base path. A base path is a standard uri path, which must start with a / and contain no invalid characters.

01b70042 : DoS profile (%s) is already attached to a virtual server.

Location:
/var/log/ltm, CLI, API

Conditions:
This message occurs when the BIG-IP ASM or DoS module is provisioned.
In an API protection profile, it is illegal to use an existing DoS profile that is already attached to a virtual server. This message is relevant to TMSH and REST only, because in the GUI, there is no need to assign a DoS profile to an API protection profile manually.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b70042 : %s profile (%s) is already attached to a virtual server.

Location:
/var/log/ltm, CLI, API

Conditions:
The BIG-IP ASM or DoS module is provisioned, and in an API protection profile, a user has attempted to use an existing DoS or Bot defense profile that is already attached to a virtual server.

Impact:
The configuration is not stored in the MCP database. This message is relevant to TMSH and REST only, because in the GUI, there is no need to assign DoS and Bot defense profiles to an API protection profile manually.

Recommended Action:
None.

01b70042 : When force-authn is set to session-var-setting, force-authn-session-var cannot be empty in agent (%s)

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to set the 'force-authn' field in SAML SP agent to 'session-var-setting' while the 'force-authn-session-var' field is blank. Or, an attempt has been made to set the 'force-authn-session-var'field to empty when the 'foce-authn' field is set to 'session-var-setting'.

Impact:
This is an MCP configuration error. The object containing this configuration is not saved.

Recommended Action:
Ensure that when the 'force-authn' field is set to 'session-var-setting', 'force-authn-session-var' is not empty.

01b70043 : Bot defense profile (%s) is already referenced by another API protection profile.

Location:
/var/log/ltm, CLI, API

Conditions:
This message occurs when the BIG-IP ASM or DoS module is provisioned. In an API protection profile, it is illegal to use an existing Bot defense profile that is used by another API protection profile. This message is relevant to TMSH and REST only, because in the GUI there is no need to assign a Bot defense profile to an API protection profile manually.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b70043 : Another DoS profile is already attached to virtual server (%s).

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
The BIG-IP ASM or DoS module is provisioned, and a user has attempted to attach an API protection profile to a virtual server when some DoS profile is already attached to it.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b70043 : Force-authn session variable (%s) in agent (%s) is not in session variable format

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to set 'force-authn session variable' in a SAML SP agent to a value that is not in the valid session variable format.

Impact:
This is an MCP configuration error. The object containing this configuration is not saved.

Recommended Action:
Ensure that the 'force-authn session variable' is set to a value that is in the valid session variable format:
1) Not empty
2) Length <= 250
3) Starts with '%{'
4) Ends with '}'
5) No spaces or '*' in between.

01b70044 : Bot defense profile (%s) is already attached to a virtual server.

Location:
/var/log/ltm, CLI, API

Conditions:
This message occurs when the BIG-IP ASM or DoS module is provisioned. In an API protection profile, it is illegal to use an existing Bot defense profile that is already attached to a virtual server. This message is relevant to TMSH and REST only, because in the GUI, there is no need to assign a Bot defense profile to an API protection profile manually.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b70044 : Cannot attach DoS profile to virtual server (%s). It is assigned to API protection profile (%s)

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
The BIG-IP ASM or DoS module is provisioned, and a user has attempted to attach the DoS profile used by an API protection profile to a virtual server directly, without attaching the API protection profile.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b70044 : API Rate Limiting Config (%s) contains invalid Quota Interval (%d). Quota Interval must be between 1 and 60 minutes.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An API Rate Limiting configuration contains an invalid quota interval.

Impact:
Saving the configuration fails.

Recommended Action:
Set a valid quota interval for the API Rate Limiting configuration and then save the configuration. The quota interval must be between 1 and 60 minutes.

01b70045 : Cannot dettach DoS profile from virtual server (%s). It is assigned to the attached API protection profile

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
The BIG-IP ASM or DoS module is provisioned, and a user has attempted to detach the DoS profile used by an API protection profile from a virtual server directly, without detaching the API protection profile.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b70045 : API Rate Limiting Config (%s) contains invalid Spike Interval (%d). Spike Interval must be between 1 and 60 seconds.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An API Rate Limiting configuration contains an invalid spike interval.

Impact:
Saving the configuration fails.

Recommended Action:
Set a valid spike interval for the API Rate Limiting configuration and then save the configuration. The spike interval must be between 1 and 60 minutes.

01b70046 : API Rate Limiting Config (%s) contains invalid Max Quota Requests (%s). Max Quota Requests must be a valid number or a subsession /perflow variable.

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Rate Limiting configuration, a Max Quota request has an invalid value.

Impact:
Saving the configuration fails.

Recommended Action:
In the API Rate Limiting configuration , set the Max Quota request value to be a number or a subsession/perflow variable if not empty. The save the configuration.

01b70047 : API Rate Limiting Config (%s) contains invalid Max Spike Requests (%s). Max Spike Requests must be a valid number or a subsession /perflow variable.

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Rate Limiting configuration, a Max Spike request has an invalid value.

Impact:
Saving the configuration fails.

Recommended Action:
In the API Rate Limiting configuration, set Max Spike request value to be a number or subsession/perflow variable if not empty. Then save the configuration.

01b70048 : API Rate Limiting Config (%s) cannot be attached to two API protection profiles (%s and %s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to attach an API Rate Limiting configuration to more than one API protection profile.

Impact:
Saving the configuration fails.

Recommended Action:
Remove the API Rate Limiting configuration from all but one API protection profile. Then save the configuration.

01b70049 : API Rate Limiting Key (%s) cannot be attached to two API protection profiles (%s and %s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to attach an API Rate Limiting key to more than one API protection profile.

Impact:
Saving the configuration fails.

Recommended Action:
Remove the API Rate Limiting key from all but one API protection profile. Then save the configuration.

01b7004a : In API Protection Profile (%s), Rate Limiting Config (%s) cannot be deleted since it is used by one or more Rate Limiting Configuration entry in API Rate Limiting Agent (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Protection profile, a Rate Limiting configuration is being used by one or more Rate Limiting configuration entries in a API Rate Limiting agent.

Impact:
Saving the configuration fails.

Recommended Action:
In the API Protection profile, remove the Rate Limiting configuration from all associated Rate Limiting agent configuration entries. Then delete the Rate Limiting configuration from the API protection profile. Finally, save the configuration.

01b7004b : In API Rate Limiting Agent (%s), Rate Limiting Config (%s) selected must be part of rate limiting configurations associated with the API protection Profile (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Rate Limiting agent, the Rate Limiting configuration selected is not part of any Rate Limiting configurations associated with the parent API protection profile.

Impact:
Saving the configuration fails.

Recommended Action:
In an API Rate Limiting agent, assign a Rate Limiting configuration that is part of any Rate Limiting configurations associated with the parent API protection profile. Then save the configuration.

01b7004c : In API Rate Limiting Agent (%s), Weight assigned (%d) to Rate Limiting Config (%s) is invalid. Weight must be greater than 0 and less than the Quota/ Spike limit value in corresponding Rate Limiting Config.

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Rate Limiting agent entry, the weight assigned to a Rate Limiting configuration is invalid.

Impact:
Saving the configuration fails.

Recommended Action:
In the API Rate Limiting agent entry, assign a valid value for the weight - greater than 0 and less than the Quota/ Spike limit value in the corresponding Rate Limiting configuration. Then save the configuration.

01b7004d : In API Protection Profile (%s), the Black/White list (%s) refers to Rate Limiting Key (%s), which is required to exist in the same profile.

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Protection profile, a Black/White list is referencing a Rate Limiting key that is not associated with the same API protection profile.

Impact:
Saving the configuration fails.

Recommended Action:
In the API Protection profile, ensure that the Black/White list references the Rate Limiting key that is associated with the same API protection profile. If it does not, then either:

* Add the Rate Limiting key in the parent API Protection profile and then use it in the Black/White list.

* Delete the key from the Black/White list before deleting the same key from the API Protection profile.

Then save the configuration.

01b7004e : Key Name (%s) configuration is invalid for the Rate Limiting Key (%s). Key Name must be unique for all the Rate Limiting Keys in an API Protection Profile (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to associate a Rate Limiting key with a duplicate key name to the API Protection profile.

Impact:
Saving the configuration fails.

Recommended Action:
Ensure that the key name is unique for all Rate Limiting keys in an API Protection profile. This pertains either when associating new keys to an API Protection profile or when updating a key name in an existing Rate Limiting key. You can also edit a Rate Limiting key that is associated with an API Protection profile and change the key name to another key name that belongs to another key. Then save the configuration.

01b7004f : In the API Protection Profile (%s), a Rate Limiting Config (%s) refers to an API Rate Limiting Key (%s) that is not part of this profile.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to associate a Rate Limiting configuration with an API Rate Limiting key that is not part of the API Protection profile.

Impact:
Saving the configuration fails.

Recommended Action:
When a Rate Limiting configuration is associated with API Protection profile, ensure that the configuration has a key from the same API Protection profile.

You can disassociate a Rate Limiting key from API Protection profile, but only after removing it from all associated Rate Limiting configurations. You can also add a key belonging to the same API Protection profile to the Rate Limiting configuration.

Then save the configuration.

01b70050 : In API Rate Limiting Config (%s), Max Quota Requests is required when Enable Quota is true

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Rate Limiting configuration, the Max Quota request is not provided when Enable Quota is set to "true".

Impact:
Saving the configuration fails.

Recommended Action:
In the API Rate Limiting configuration, configure a valid value for the Max Quota request when Enable Quota is set to "true". Then save the configuration.

01b70051 : In API Rate Limiting Config (%s), Max Spike Requests is required when Enable Spike Limit is true

Location:
/var/log/ltm, GUI, CLI

Conditions:
In an API Rate Limiting configuration, the Max Spike request is not provided when Enable Spike is set to "true".

Impact:
Saving the configuration fails.

Recommended Action:
In the API Rate Limiting configuration, configure a valid value for the Max Spike request when Enable Spike is set to "true". Then save the configuration.

01b70052 : In API Protection Profile (%s), Rate Limiting Key (%s) cannot be deleted since it is an auto-generated key.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to delete the auto-generated rate limiting keys. These are default keys that shouldn't be deleted, and will only be deleted when the API Protection Profile is deleted.

Impact:
Minimal impact. The user simply is prevented from deleting the auto-generated keys.

Recommended Action:
If the user needs to change the auto-generated keys, they can change the key name and key value. However, they don't need to delete the keys.

01b70053 : API Rate Limiting Key (%s) cannot be deleted as it is associated with Rate Limiting Config (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
An administrator has attempted to delete a Rate Limiting key that is associated with a Rate Limiting configuration.

Impact:
This is an MCP configuration error. The object containing this configuration is not saved.

Recommended Action:
First, disassociate the Rate Limiting key from the Rate Limiting configuration and then delete the key.

01b70054 : Rate Limiting Config (%s) must have a Rate Limiting Key attached when associated to an API Protection Profile (%s).

Location:
CLI

Conditions:
A user has attempted one of these actions:

* Assigning a rate limiting configuration to an API Protection profile, but the rate limiting configuration does not have any rate limiting key attached to it.

* Removing the only rate limiting key from a rate limiting configuration that it is attached to, and the rate limiting configuration is currently assigned to an API Protection profile.

Impact:
The operation fails without any change to the current BIG-IP configuration.

Recommended Action:
Make sure that the rate limiting configuration has at least one rate limiting key attached to it.

01b70055 : In the API Protection Profile (%s), the Blacklist or Whitelist (%s) must have an API Rate Limiting Key attached.

Location:
CLI

Conditions:
An administrator has created a rate-limiting blacklist or whitelist without giving it a rate-limiting key, or has removed a rate-limiting key from a rate-limiting blacklist or whitelist.

Impact:
The administrative operation is rejected.

Recommended Action:
Ensure that the rate-limiting blacklist or whitelist has a rate-limiting key attached.

01b70056 : %s (%s) associated with %s (%s) does not exist.

Location:
CLI

Conditions:
The configuration is referencing a non-existent object.

Impact:
The configuration cannot be saved.

Recommended Action:
Either create an object with this name, or use an existing object (check for mistakes).

01b70057 : Empty Rate Limiting Config. Must select a rate limiting configuration associated with the API protection Profile.

Location:
/var/log/audit, GUI, CLI

Conditions:
An administrator has created a Rate Limiting configuration entry for an API Rate Limiting agent, without specifying which Rate Limiting configuration should be used.

Impact:
The configuration is denied.

Recommended Action:
Specify the Rate Limiting configuration to be used that is associated with the current API Protection profile.

01b70058 : API Protection Profile (%s) had an unexpected default rate limiting response (%s) during upgrade.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The API protection profile has an unexpected response configuration for rate limiting.

Impact:
The user cannot upgrade the system.

Recommended Action:
Remove the response configuration for rate limiting before upgrading the system.

01b70059 : APM must be provisioned when a Virtual Server is using an API Protection Profile (%s) that has a reference to the access profile.

Location:
/var/log/ltm, GUI

Conditions:
A BIG-IP APM administrator configured a virtual server, using an access policy with that virtual server, and has attempted to de-provision APM.

Impact:
The attempt to de-provision APM fails.

Recommended Action:
Remove the access policy from the virtual server.

01b7005b : APM Network Access (%s) DNS name (%s) is not a valid domain name.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to configure a DNS Address Space or DNS Exclude Address Space with an invalid domain name, such as an IP address or a name that uses invalid characters.

Impact:
The configuration cannot be saved, and Edge Client fails to connect when using machine tunnels, due to the invalid entry.

Recommended Action:
Change or delete the invalid entry to save the configuration and to prevent Edge Client from failing to connect when using machine tunnels. If an IP address is needed, use the IPv4 LAN Address Space field.

01b7005c : Not allowed to create or modify SWG Scheme (%s) because the swg-scheme object is deprecated.

Location:
/var/log/ltm, CLI

Conditions:
The swg-scheme object is deprecated. It is allowed to list and delete swg-scheme objects, but it is not allowed to create new swg-scheme objects or modify existing swg-scheme objects.

Impact:
No new swg-scheme objects are created and existing swg-scheme objects are not modified.

Recommended Action:
None.

01b7005d : Ephemeral Authentication (%s) requires using either LDAP or RADIUS authentication, or both.

Location:
Message appear on the console.

Conditions:
Failed to set Ephemeral Authentication Configuration. Possible reason:

No LDAP or RADIUS Authentication is set in Ephemeral Authentication Configuration.

Impact:
This is an informational message.

Recommended Action:
Set either LDAP or RADIUS Authentication or both for the Ephemeral Authentication Configuration.

01b7005d : The requested otp source (%s) is invalid: %s

Location:
This error(MCPDERR_OTP_SRC_INVALID) will be shown in /var/log/ltm and can be seen in console

The error description is 'The requested otp source (%s) is invalid: %s'.

Conditions:
This message occurs when mcp is validating agent OTP sources for APM.

Impact:
The mcp OTP validation fails for APM

Recommended Action:
There is no workaround: OTP validation is required for APM functionality.

01b7005e : Expiry time (%u) of the password for Ephemeral Authentication (%s) must be in the range of %u-%u.

Location:
On the console

Conditions:
Failed to set expiry time of password in the Ephemeral Authentication Configuration. Possible reason:

The expiry time is out of range (1, 30).

Impact:
Expiry time of password is not set.

Recommended Action:
Check the range of expiry time in error log and reset the expiry time.

01b7005f : Minimum length (%u) of the password for Ephemeral Access Configuration (%s) must be at least %u.

Location:
On the console

Conditions:
Failed to set the minimum length of password in the Ephemeral Access Configuration. Possible reason:

The minimum length of password is smaller than the number show in the log message.

Impact:
Minimum length of password is not set.

Recommended Action:
If you want to reduce the minimum length of password, make sure it is no smaller than the number shown in the log message. You can find number in error log.

01b70060 : Maximum length (%u) of the password for Ephemeral Access Configuration (%s) cannot be larger than %u.

Location:
On the console

Conditions:
Failed to set the maximum length of password in the Ephemeral Access Configuration. Possible reason:

The maximum length of password is larger than the number show in the log message.

Impact:
Maximum length of password is not set.

Recommended Action:
If you want to increase the maximum length of the password, make sure it is no larger than the number shown in the log message. You can find the number in error log.

01b70061 : Minimum length (%u) of the password must be less than or equal to the maximum length (%u) for Ephemeral Access Configuration (%s).

Location:
On the console

Conditions:
Failed to set the minimum or maximum length of the password in the Ephemeral Access Configuration. Possible reason:

The minimum length of the password is larger than the maximum length of the password.

Impact:
Minimum or maximum length of the password is not set.

Recommended Action:
-- If you want to increase the minimum length of the password, increase the maximum length of the password first.

-- If you want to reduce the maximum length of the password, reduce the minimum length of the password first.

01b70062 : Minimum length (%u) of %s must be an integer no larger than %u for Ephemeral Access Configuration (%s).

Location:
On the console

Conditions:
Failed to set the minimum number of uppercase, lowercase, digits, or special characters or the the maximum length of the password. Possible reasons:

-- The minimum length of uppercase, lowercase, digits, or special characters is negative.

-- The minimum length of uppercase, lowercase, digits, or special characters is larger than the maximum length of password.

Impact:
The values are not set for minimum number of uppercase, lowercase, digits, or special characters for a password, or the value is not set for the maximum length of a password.

Recommended Action:
-- If you want to reduce the minimum number of uppercase, lowercase, digits, or special characters, make sure the minimum value is no smaller than 0.

-- If you want a larger minimum number of uppercase, lowercase, digits, or special characters, increase the maximum length of the password first.

-- If you want to reduce the maximum length of the password, reduce the number of uppercase, lowercase, digits, or special characters first.

01b70063 : Total number of uppercase, lowercase, digits, and special characters (%u) exceeds the maximum length (%u) of the password for Ephemeral Access Configuration (%s).

Location:
On the console

Conditions:
Failed to set the minimum number of uppercase, lowercase, digits, and special characters or the maximum length of the password in the Ephemeral Access Configuration. Possible reasons:

-- The minimum number of uppercase characters is too large.

-- The minimum number of lowercase characters is too large.

-- The minimum number of digits is too large.

-- The minimum number of uppercase characters is too large.

-- The maximum length of password is too small.

Impact:
The values are not set for the minimum number of uppercase, lowercase, digits, and special characters or the maximum length of password.

Recommended Action:
-- If you want to increase the minimum number of uppercase, lowercase, digits, or special characters, increase the maximum length of the password first.

-- If you want to reduce the maximum length of the password, reduce the minimum length of uppercase, lowercase, digits, or special characters first.

01b70064 : Special characters (%s) should only include these characters %s for Ephemeral Access Configuration (%s).

Location:
On the console

Conditions:
Failed to set special characters in the Ephemeral Access Configuration. Possible reason:

The string of special characters contains illegal characters.

Impact:
The special characters are not set.

Recommended Action:
Check the error message to determine the legal special characters, and specify only those characters.

01b70065 : The special characters (%s) in the password have a duplicate character (%c) for Ephemeral Access Configuration (%s).

Location:
On the console

Conditions:
Failed to set special characters in Ephemeral Access Configuration. Possible reason:

There are duplicate characters in the special characters string.

Impact:
The special characters are not set.

Recommended Action:
Remove the duplicate character in the special characters string.

01b70066 : The number of special characters in the password (%u) is less than the minimum number required (%u) for Ephemeral Access Configuration (%s).

Location:
On the console

Conditions:
Failed to set special characters or minimum length of special characters in Ephemeral Access Configuration. Possible reason:

The number of special characters is fewer than the minimum number of required special characters.

Impact:
The number of special characters cannot be changed to be smaller or the minimum length of special characters cannot be changed to larger.

Recommended Action:
-- If you want to change special characters, set the minimum length of special characters to be no larger than the length of the new string of special characters.

-- If you want to increase the minimum number of special characters, increase the maximum number of special characters first.

01b70067 : Ephemeral Authentication cannot be empty in Ephemeral Access Configuration (%s).

Location:
On the console

Conditions:
The Ephemeral Authentication associated with Ephemeral Access failed to be set as none. Possible reason:

There is no associated Ephemeral Authentication profile.

Impact:
The Ephemeral Access configuration is not created.

Recommended Action:
Specify an Ephemeral Authentication profile for the Ephemeral Access configuration.

01b70068 : The %s (%s) associated with %s (%s) is not a valid %s.

Location:
On the console

Conditions:
The Ephemeral Authentication specified for the Single Sign-On or Ephemeral Access configuration does not exist. Possible reason:

The Ephemeral Authentication name is invalid.

Impact:
The Ephemeral Authentication profile is not applied. The system retains the previously applied Ephemeral Authentication profile, if there was one.

Recommended Action:
Check the list of existing Ephemeral Authentication profiles. Specify one of those for the Single Sign-On or Ephemeral Access configuration.

01b70069 : User LDAP DN session variable is required in Ephemeral Access Configuration (%s) because LDAP is enabled in %s.

Location:
This error (MCPDERR_PUA_CONFIG_USER_LDAP_DN_REQUIRED) is shown in /var/log/ltm and can be seen in the GUI, on the console, and in the logs.

It is being added as MCPDERR_PUA_CONFIG_USER_LDAP_DN_REQUIRED LOG_LOCAL0|LOG_ERR 'User LDAP DN session variable is required in Ephemeral Access Configuration (%s) because LDAP is enabled in %s.'

Conditions:
This is related to Privileged User access configuration (PUA).

-- When mcp is validating Privileged User Access configurations.
-- When it's authenticating using LDAP.

Impact:
The mcp validation fails.

Recommended Action:
There is no workaround if LDAP is enabled.

The User LDAP DN session variable is required in Ephemeral Access Configuration to get PUA licensing.

01b7006a : If using Single Sign-On (%s), you can select only one authentication method for ephemeral authentication (%s).

Location:
On the console.

Conditions:
Failed to set Ephemeral Authentication for Single Sign-On (SSO).

Possible reason:

The Ephemeral Authentication has more than one authentication method.

Impact:
Cannot set Ephemeral Authentication with more than one authentication for SSO.

Recommended Action:
Check the properties of the Ephemeral Authentication:
tmsh
apm ephemeral-auth auth-config
list all-properties

You can see how many authentication methods the Ephemeral Authentication has. Then, choose an Ephemeral Authentication that has only one authentication method and associated it with your SSO.

01b7006b : TCP profile must be present on both client-side and server-side of virtual server (%s) when LDAP Auth profile is attached.

Location:
01b7006b:3: TCP profile must be present on both client-side and server-side of virtual server (/Common/ldap_filter) when LDAP Auth profile is attached.

This log message is seen in TMSH, GUI when an Ephemeral Authentication LDAP Auth Profile is attached to a virtual server without TCP profile.

Conditions:
When an Ephemeral Authentication LDAP Auth Profile is attached to a virtual server without a TCP profile.

Impact:
This error message is part of mcp validation when an Ephemeral Authentication LDAP Auth profile is added to a virtual server during configuration. If a TCP profile is not present on either the client or server side, the LDAP Profile is not added to the virtual server.

Recommended Action:
Recommended action is to attach a TCP profile on both the client side and server side of a virtual server before the LDAP Auth profile is attached.

01b7006c : Proxy user DN is mandatory in LDAP Auth profile (%s).

Location:
01b7006c:3: Proxy user DN is mandatory in LDAP Auth profile (/Common/ldapprofile).

This log message is seen in TMSH, GUI when an Ephemeral Authentication LDAP Auth Profile is created with an empty proxy user DN field.

Conditions:
When Ephemeral Authentication LDAP Auth Profile is created with an empty proxy user DH field.

Impact:
This error message is part of mcp validation when an Ephemeral Authentication LDAP Auth Profile is created with an empty proxy user DN field during configuration.

Recommended Action:
Recommended action is to create LDAP Auth profile with non-empty proxy user DN.

01b7006d : Proxy user password is mandatory in LDAP Auth profile (%s).

Location:
01b7006d:3: Proxy user password is mandatory in LDAP Auth profile (/Common/ldapprofile).

This log message is seen in TMSH, GUI when an Ephemeral Authentication LDAP Auth Profile is created with an empty proxy user password field.

Conditions:
When an Ephemeral Authentication LDAP Auth Profile is created with an empty proxy user password field.

Impact:
This error message is part of mcp validation when an Ephemeral Authentication LDAP Auth Profile is created with an empty proxy user password field during configuration.

Recommended Action:
Recommended action is to create the LDAP Auth profile with a non-empty proxy user password.

01b7006e : Ephemeral Access Configuration cannot be empty in virtual server (%s) when LDAP Auth profile is attached.

Location:
01b7006e:3: Ephemeral Access Configuration cannot be empty in virtual server (vs_name) when LDAP Auth profile is attached.

This log message is seen in TMSH, GUI when Ephemeral Access Configuration is empty in virtual server when an LDAP Auth profile is attached.

Conditions:
When Ephemeral Access Configuration is empty to a virtual server when an LDAP Auth profile is attached.

Impact:
This error is part of mcp validation. Validation does not allow BIG-IP admin to add LDAP Auth profile to a virtual server without Ephemeral Access configuration.

Recommended Action:
Recommended action is to assign Ephemeral Access configuration before attaching an LDAP Auth profile to a virtual server.

01b7006f : Pool configuration is mandatory in virtual server (%s) when LDAP Auth profile is attached.

Location:
01b7006f:3: Pool configuration is mandatory in virtual server (vs_name) when LDAP Auth profile is attached.

This log message is seen in TMSH, GUI when an Ephemeral Authentication LDAP Auth Profile is attached to a virtual server without having a pool configured.

Conditions:
This log message is part of mcp validation. It occurs when an LDAP Auth profile is added to a virtual server without a pool being configured.

Impact:
The LDAP Auth profile cannot be assigned to the virtual server.

Recommended Action:
Recommended action is to configure a pool on the virtual server before attaching the LDAP Auth Profile.

01b70070 : User DN (%s) should not be present in both bypass user list and deny user list in LDAP Auth profile (%s).

Location:
01b70070:3: User DN (user_dn) should not be present in both bypass user list and deny user list in an LDAP Auth profile (profile_name).

This log message is seen in TMSH, GUI.

Conditions:
When the same user domain name is added to both the bypass user list and the deny user list in an LDAP Auth profile.

Impact:
This error message is part of MCP validation. Validation does not allow the same user domain name to be present in both bypass user list and deny user list in LDAP Auth profiles.

Recommended Action:
Recommended action is not to specify the same user domain name in both bypass user list and deny user list in any LDAP Auth profile.

01b70071 : Profile (%s) should not be attached to virtual server (%s) when LDAP Auth profile is attached.

Location:
01b70071:3: Profile (profile_name) should not be attached to virtual server (vs_name) when LDAP Auth profile is attached.

This log message is seen in TMSH and in the GUI when an Ephemeral Authentication LDAP Auth Profile is attached to a virtual server configured with with profiles other than TCP, ServerSSL, or ClientSSL.

Conditions:
When an Ephemeral Authentication LDAP Auth Profile is attached to a virtual server configured with profiles other than TCP, ServerSSL, or ClientSSL.

Impact:
This error message is part of mcp validation when an Ephemeral Authentication LDAP Auth profile is added to a virtual server during configuration. Validation does not allow the LDAP profile to be added to the virtual server if profiles other than TCP, ServerSSL, or ClientSSL are attached to the virtual server.

Recommended Action:
Recommended action is to add only TCP, ServerSSL, or ClientSSL profiles to s virtual server when an LDAP Auth profile is attached.

01b70072 : LDAP Auth base profile (%s) cannot be modified.

Location:
01b70072:3: LDAP Auth base profile (profile_name) cannot be modified.

This log message is seen in TMSH, to prevent modification of LDAP Auth Base Profile.

Conditions:
When the BIG-IP administrator tries to modify the LDAP Auth Base Profile.

Impact:
This error message is part of mcp validation. Validation does not allow the LDAP Auth Base Profile to be modified.

Recommended Action:
Recommended action is to not modify LDAP Auth Base Profile.

01b70073 : LDAP Auth base profile (%s) cannot be attached to virtual server (%s).

Location:
01b70073:3: LDAP Auth base profile (profile_name) cannot be attached to virtual server (vs_name).

This log message is seen in TMSH, GUI to prevent attaching LDAP Auth Base Profile to virtual server.

Conditions:
When the BIG-IP administrator tries to attach a LDAP Auth Base Profile to a virtual server.

Impact:
This error message is part of mcp validation. Validation does not allow you to attach an LDAP Auth Base Profile to a virtual server.

Recommended Action:
Recommended action is not to attach the LDAP Auth Base Profile to virtual servers.

01b7007c : Host group is mandatory for a host group entry in RADIUS Client (%s).

Location:
The following error message is seen in the GUI (TMUI) when the Host Group value is not provided when adding a new Host Group. The context is Access :: Ephemeral Authentication : Radius Authentication Configuration : Client Configuration.

Host Group is mandatory for a Host Group entry in RADIUS Client (/Common/test_client).

Conditions:
When adding a new host group entry or modifying an existing entry in TMUI, if the Host Group field is empty, the system reports this error.

Impact:
Error is reported in TMUI, and the operation fails.

Recommended Action:
Provide a value for Host Group, and the operation succeeds as expected.

01b7007e : Privilege level (%d) is invalid for vendor (%s) in RADIUS Client (%s): Host group (%s). Allowed levels: %s

Location:
The message could be seen in the GUI (TMUI) or in tmsh (TMSH console):

01b7007e:3: Privilege level (1000) is invalid for vendor (F5) in RADIUS Client (/Common/test_client): Host group (group1). Allowed levels: {0,20,40,80,100,300,350,400,450,480,500,510,700,800,810,850,900}

01b7007e:3: Privilege level (1000) is invalid for vendor (JUNIPER) in RADIUS Client (/Common/test_client): Host group (group1). Allowed levels: [9000-9999] range

01b7007e:3: Privilege level (1000) is invalid for vendor (BLUECOAT) in RADIUS Client (/Common/test_client): Host group (group1). Allowed levels: [1-11] range

Conditions:
When trying to add a host group with privilege level outside of allowed ranges for different vendors. In TMSH (under tmos.apm.ephemeral-auth.radius-auth when creating or modifying a client), or in TMUI (navigation Access :: Ephemeral Authentication : Radius Authentication Configuration : Client Configuration).

Impact:
Error is reported in either TMUI or TMSH, preventing the operation from succeeding.

Recommended Action:
Provide privilege level in the allowed ranges for different vendors:

F5: {0,20,40,80,100,300,350,400,450,480,500,510,700,800,810,850,900}
JUNIPER: [9000-9999] range
BLUECOAT: [1-11] range

01b70083 : Portal Access resource(%s) should have Ephemeral Authentication flag enabled as Ephemeral access config(%s) is supplied for Virtual Server(%s)

Location:
/var/log/ltm

Conditions:
-- Convert a standard Virtual Server to an Ephemeral Authentication Virtual Server, and then try to attach an Ephemeral Access Config to a Virtual Server that has an ephemeral authentication-disabled Portal Access resource assigned, the validation error is reported.

-- If you try to attach an ephemeral authentication-disabled Portal Access resource to an Ephemeral Authentication Server, the validation error is reported.

-- If you try to disable the Ephemeral authentication flag of a Portal Access resource that is attached to an Ephemeral Authentication Virtual Server, the validation error is reported.

Impact:
This error is part of MCP validation. Validation does not allow you to configure Ephemeral Authentication in the specified scenarios.

Recommended Action:
Ensure that only Ephemeral Authentication-enabled Portal Access resources are attached to Ephemeral Authentication Virtual Servers.

01b70084 : Webtop link(%s) should have Ephemeral Authentication flag enabled as Ephemeral access config(%s) is supplied for Virtual Server(%s)

Location:
/var/log/ltm

Conditions:
-- Convert a standard Virtual Server to an Ephemeral Authentication Virtual Server, and then try to attach an Ephemeral Access Config to a Virtual Server that has an ephemeral authentication-disabled webtop link assigned, the validation error is reported.

-- If you try to attach an ephemeral authentication-disabled webtop link to an Ephemeral Authentication Server, the validation error is reported.

-- If you try to disable the Ephemeral authentication flag of a webtop link that is attached to an Ephemeral Authentication Virtual Server, the validation error is reported.

Impact:
This error is part of MCP validation. Validation does not allow you to configure Ephemeral Authentication in the specified scenarios.

Recommended Action:
Ensure that that only Ephemeral Authentication-enabled webtop links are attached to Ephemeral Authentication Virtual Servers.

01b70085 : Samesite cookie value changed in %s. Enable it for change to take effect.

Location:
This error message appears in the /var/log/ltm and /var/log/audit logs, and on the command line in tmsh.

Changes made to SameSite cookie value in access authentication domain do not take affect when it is disabled.

Conditions:
-- SameSite cookie is disabled, e.g.:
modify apm profile access myaccessprofile samesite-cookie false

-- Make change to SameSite cookie value, e.g., if current value is strict, then:
modify apm profile access myaccessprofile samesite-cookie-attr-value lax

Same applies to an authentication domain of the access profile:
modify myaccessprofile domain-groups modify { authdomain0 { samesite-cookie false }

modify myaccessprofile domain-groups modify { authdomain0 { samesite-cookie-attr-value lax }

Impact:
Changed SameSite cookie value does not take effect in the data plane.

Recommended Action:
Enable SameSite cookie.

01b70086 : SSH Security Configuration (%s) is system built-in. Cannot modify/delete it.

Location:
/var/log/ltm

Conditions:
When modifying or deleting the built-in SSH Security Configuration (ssh-security-config).

Impact:
This error is part of mcp validation. Validation does not allow BIG-IP admins to modify/delete the built-in SSH Security Configuration (ssh-security-config).

Recommended Action:
Recommended action is to avoid delete/modify of built-in SSH Security Configuration (ssh-security-config).

01b70087 : The cipher (%s) is already in use by SSH Security Configuration (%s).

Location:
/var/log/ltm

Conditions:
While creating or modifying the SSH Security Configuration, you supply a cipher method which is already in use with a different priority under same SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add/modify the SSH Security Configuration object with the supplied cipher method.

Recommended Action:
Recommended action is to supply a cipher method which is not in use by the current SSH Security configuration.

01b70088 : The key exchange (%s) is already in use by SSH Security Configuration (%s).

Location:
/var/log/ltm

Conditions:
While creating or modifying the SSH Security Configuration, if you supply a key exchange method which is already in use with a different priority under same SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add/modify the SSH Security Configuration object with the supplied key exchange method.

Recommended Action:
Recommended action is to supply a key exchange method which is not in use by the current SSH Security configuration.

01b70089 : The hmac (%s) is already in use by SSH Security Configuration (%s).

Location:
/var/log/ltm

Conditions:
While creating or modifying the SSH Security Configuration, if you supply an hmac method which is already in use with a different priority under same SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add/modify the SSH Security Configuration object with the supplied hmac method.

Recommended Action:
Recommended action is to supply a hmac method which is not in use by the current SSH Security configuration.

01b70090 : The compression (%s) is already in use by SSH Security Configuration (%s).

Location:
/var/log/ltm

Conditions:
While creating or modifying the SSH Security Configuration, if you supply a compression method which is already in use with a different priority under same SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add/modify the SSH Security Configuration object with the supplied compression method.

Recommended Action:
Recommended action is to supply a compression method which is not in use by the current SSH Security configuration.

01b70091 : SSH Security Configuration (%s) must contain at least one cipher entry.

Location:
/var/log/ltm

Conditions:
When at least one cipher method is not supplied while creating SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add the new SSH Security Configuration unless there is at least one cipher method supplied.

Recommended Action:
Recommended action is to supply at least one cipher method while creating SSH Security configuration.

01b70092 : SSH Security Configuration (%s) must contain at least one key exchange method entry.

Location:
/var/log/ltm

Conditions:
When at least one key exchange method is not supplied while creating SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add the new SSH Security Configuration unless there is at least one key exchange method supplied.

Recommended Action:
Recommended action is to supply at least one key exchange method while creating SSH Security configuration.

01b70093 : SSH Security Configuration (%s) must contain at least one hmac entry.

Location:
/var/log/ltm

Conditions:
When at least one hmac method is not supplied while creating SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add the new SSH Security Configuration unless there is at least one hmac method.

Recommended Action:
Recommended action is to supply at least one hmac method while creating SSH Security configuration.

01b70094 : SSH Security Configuration (%s) must contain at least one compression entry.

Location:
/var/log/ltm

Conditions:
When at least one compression method is not supplied while creating SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to add the new SSH Security Configuration unless there is at least one compression method.

Recommended Action:
Recommended action is to supply at least one compression method while creating SSH Security configuration.

01b70095 : SSH Security Configuration (%s) requires at least one cipher entry. Cannot delete cipher (%s).

Location:
/var/log/ltm

Conditions:
When deleting the last cipher present in a SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to delete the cipher entry from SSH Security Configuration if that cipher is the only cipher in that SSH Security Configuration.

Recommended Action:
Recommended action is to modify the cipher entry to the required cipher instead of deleting and creating. It is not allowed to delete all the ciphers from an SSH Security Configuration.

01b70096 : SSH Security Configuration (%s) requires at least one key exchange entry. Cannot delete key exchange method (%s).

Location:
/var/log/ltm

Conditions:
When deleting the last key exchange method present in an SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to delete the key exchange entry from SSH Security Configuration if that key exchange method is the only key exchange method in that SSH Security Configuration.

Recommended Action:
Recommended action is to modify the key exchange entry to the required key exchange method instead of deleting and creating. It is not allowed to delete all the key exchange entries from an SSH Security Configuration.

01b70097 : SSH Security Configuration (%s) requires at least one hmac entry. Cannot delete hmac (%s).

Location:
/var/log/ltm

Conditions:
When deleting the last hmac present in an SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to delete the hmac entry from SSH Security Configuration if that hmac is the only hmac in that SSH Security Configuration.

Recommended Action:
Recommended action is to modify the hmac entry to the required hmac instead of deleting and creating. It is not allowed to delete all the ciphers from an SSH Security Configuration.

01b70098 : SSH Security Configuration (%s) requires at least one compression entry. Cannot delete compression (%s).

Location:
/var/log/ltm

Conditions:
When deleting the last compression present in an SSH Security Configuration.

Impact:
This error is part of mcp validation. Validation does not allow you to delete the compression entry from SSH Security Configuration if that compression is the only compression in that SSH Security Configuration.

Recommended Action:
Recommended action is to modify the compression entry to the required compression instead of deleting and creating. It is not allowed to delete all the compressions from an SSH Security Configuration.

01b70099 : SSH Security Configuration must be specified in Ephemeral Access Configuration (%s).

Location:
/var/log/ltm

Conditions:
If SSH Security Configuration is not supplied while creating Ephemeral Access Configurations.

Impact:
This error is part of mcp validation. Validation does not allow you to add the Ephemeral Access Configuration without supplying an SSH Security Configuration.

Recommended Action:
Recommended action is to supply an SSH Security Configuration while creating an Ephemeral Access Configuration.

01b70100 : The SSH Security Configuration (%s) associated with Ephemeral Access Configuration (%s) does not exist.

Location:
/var/log/ltm

Conditions:
When the SSH Security Configuration supplied to an Ephemeral Access Configuration does not exist.

Impact:
This error is part of mcp validation. Validation does not allow you to add the Ephemeral Access Configuration without a valid SSH Security Configuration object.

Recommended Action:
Recommended action to create the required SSH Security Configuration or use the default SSH Security Configuration (ssh-security-config) while creating Ephemeral Access Configurations.

01b70101 : The compression algorithm (%s) cannot be used along with the existing compression algorithms (%s) for SSH Security Configuration (%s).

Location:
/var/log/ltm

Conditions:
When using compression method none along with zlib/zlib-openssh.

Impact:
This error is part of mcp validation. Validation does not allow you to add/modify the SSH Security Configuration with the supplied compression.

Recommended Action:
Recommended action is to make sure SSH Security Configuration contains only the following combinations of compression methods:
-- none
-- zlib
-- zlib-openssh
-- zlib, zlib-openssh

Note: The method 'none' cannot be used along with zlib/zlib-openssh.

01b90001 : AJAX encryption or both AJAX integrity and strong integrity must be enabled for URL '%s' while parameter '%s' has AJAX mapping enabled in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, CLI

Conditions:
An attempt is made to disable 1) full AJAX encryption and 2) either full AJAX integrity check or enhanced data manipulation while there is a parameter with AJAX mapping enabled (non-empty) configured under the same URL.

Impact:
The configuration fails.

Recommended Action:
Do not disable 1) full AJAX encryption or 2) either full AJAX integrity check or enhanced data manipulation in case a parameter with AJAX mapping is configured under the same URL.
If not required, set empty AJAX mapping and then disable 1) or 2) above.

01b90001 : Security FlowSpec: %s: route domain (%s) is already used by %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to configure a route domain that is already being used.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90005 : %s: The number of custom signatures (%d) is over limit (%d).

Location:
/var/log/ltm, GUI, CLI

Conditions:
The custom signatures per DoS profile or DoS device-config profile are over the allowed limit.

Impact:
The related configuration is not updated in the MCP database.

Recommended Action:
Delete some custom signature of the problematic DoS profile or DoS device-config profile.

01b90006 : Dos signature %s: '%s' is not applicable for %s and should be kept as the default value, '%s'.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A non-applicable DoS signature field is being modified.

Impact:
The related configuration is not updated in the MCP database.

Recommended Action:
None.

01b90007 : Dos signature %s: '%s' is not allowed to be modified %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A non-changeable DoS signature field is being modified.

Impact:
The related configuration is not updated in the MCP database.

Recommended Action:
None.

01b90008 : Dos profile %s: cannot be deleted because %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An attempt was made to delete a DoS profile.

Impact:
The related configuration will not be updated in the MCP database.

Recommended Action:
None.

01b90009 : %s: The associated custom signature (%s) is not a custom Dos persistent signature.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A DoS profile or DoS device-config profile refers to a DoS dynamic signature.

Impact:
The related configuration will not be updated in the mcp database.

Recommended Action:
None.

01b9000a : %s: shareability-state cannot be changed to not-shareable because it is referred by %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
An attempt was made to change a Dos signature from shareable to non-shareable.

Impact:
The related configuration will not be updated in the MCP database.

Recommended Action:
None.

01b9000b : %s: The associated custom signature (%s) is not a shareable or doesn't have matching parent-profile.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A DoS profile or DoS device-config profile refers to a DoS signature that is non-shareable or doesn't match the proper DoS signature's parent profile.

Impact:
The related configuration will not be updated in the MCP database.

Recommended Action:
None.

01b9000c : %s: The associated custom signature (%s) only can be referred by %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
The profile that refers to the DoS signature is a DoS profile, but should be a DoS device-config profile instead.

Impact:
The related configuration will not be updated in the MCP database.

Recommended Action:
No workaround.

01b9000d : Dos signature %s: The signature's partition (%s) doesn't match its '%s' partition (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A DoS signature's partition doesn't match the partition of the parent profile or the parent context.

Impact:
The related configuration will not be updated in the MCP database.

Recommended Action:
None.

01b90014 : Cannot edit response page %s while its type is Default.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and an attempt was made to edit the blocking page while its type is Default in the Blocking Page settings.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b9001c : Bot signature category %s not found.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the category name mentioned in the tmsh/REST command does not exist in the MCP database.

Impact:
None.

Recommended Action:
None.

01b9001d : Bot defense profile (%s) class override (%s) error: %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b9001e : Bot Defense Profile (%s) Micro Service (%s): %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b9001f : Bot Defense Profile (%s) Micro Service (%s) Url (%s): %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b90020 : Bot defense profile (%s) anomaly override (%s): %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b90021 : Bot defense profile (%s) Signature (%s) should be Mobile Application Class signature.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values.

Impact:
None.

Recommended Action:
When defining the mobile signature on a bot defense profile, verify that the signature is of a category which belongs to the class name "Mobile Application".

01b90022 : Bot defense signature category illegal class (%s).

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values. It is illegal to set a Browser or Unknown bot defense class for a signature category.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b90023 : Bot defense profile (%s) signature category override not supported for (%s) which belongs to (%s) class.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values. is illegal to define override settings for several signature categories, for example, categories of mobile signatures.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b90024 : Bot defense profile (%s) signature override not supported for (%s) which belongs to (%s) class.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values. It is illegal to define override settings for a signature that belongs to a category that cannot be overridden, for example, mobile signatures.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b90025 : Bot defense profile (%s) Micro Service (%s) class override (%s) error: %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values. It is illegal to define override settings for a class on a micro service level; the exception is the "Trusted Bot" class.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b90026 : Bot defense profile (%s) error: %s.

Location:
/var/log/ltm, CLI, API

Conditions:
ASM is provisioned, and the tmsh command contains incorrect values. The error is a generic template for arbitrary error messages that are thrown by MCP validation code; the specific error description is appended to the end of the error message after the "error:" label.

Impact:
The configuration is not stored in the MCP database.

Recommended Action:
None.

01b90027 : Only one place directive may be specified for firewall rule (%s) per transaction.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has added/re-ordered firewall rules via TMSH or GUI, and there are more than one place_before or place_after attributes specified for a single rule.

Impact:
The TMSH command or GUI action fails, and the configuration is not changed.

Recommended Action:
Correct the TMSH command or GUI data and re-submit.

01b90028 : Internal error #%u in firewall rule ordering

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to add/re-order firewall rules via TMSH or GUI, and the command cannot be executed due to internal problems.

Impact:
The command or GUI action fails, and the configuration is not changed.

Recommended Action:
Try to change the TMSH command or GUI data and re-submit. It's recommended that you break a complex command into several smaller commands.

01b90029 : There is a loop in firewall rule ordering specified with place_before and place_after options in the following rules: %s

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to add/re-order firewall rules via TMSH or GUI and there's a loop in the rule order. For example, the following command specifies the addition of a rule in which the order of rule r1 depends on another rule r2, and the order of rule r2 depends on rule r1: "rules add { r1 { place_after r2}} { r2 {place before r1} }".

Impact:
The TMSH command or GUI action fails, and the configuration is not changed.

Recommended Action:
Correct the TMSH command or GUI data and re-submit.

01b9002b : Inconsistency in Anti-Fraud log profile: %s.

Location:
/var/log/ltm, tmsh

Conditions:
There is a configuration discrepancy, where the format type and the user template do not match.

Impact:
The configuration fails.

Recommended Action:
Ensure that the format type and the user template match.

01b9002c : Security FlowSpec: %s: %s is not user settable field.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has tried to set a user-disallowed configuration.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b9002d : Security FlowSpec: %s: %s are mutual exclusive fields. They cannot be specified simultaneously.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to change two mutually-exclusive configurations simultaneously.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b9002e : Security FlowSpec: %s: 'expiry-time' (%s) is invalid. It is earlier than current time (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to set the expiry-time attribute to a time that is earlier than the current time.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b9002f : Security FlowSpec: %s: The rule can not be created since the sum of current system advertised flowspec routes (%d) and user defined routes in database (%d) would exceed the max flowpsec route limit (%d) as per profile (%s) configuration.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to create a rule when the number of FlowSpec routes exceeds the FlowSpec route limit for the profile configuration.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90030 : Security FlowSpec: %s: The value (%d) for %s is outside the acceptable value set [range %d - %d (inclusive)].

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to specify a configuration with an invalid value.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90031 : Security FlowSpec: %s: %s must be configured when %s is redirect.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has specified a FlowSpec advertisement action type with no matched next-hop address.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90032 : Security FlowSpec: %s: %s (%s) and %s (%s) must be the same type (IPv4 or IPv6).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to specify two IP addresses of different family types (either IPv4 or IPv6).

Impact:
The configuration is not updated.

Recommended Action:
Ensure that both IP addresses are in either IPv4 or IPv6 format.

01b90033 : Security FlowSpec: %s: For port range, beginning port (%d) can not be greater than end port (%d).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to specify FlowSpec ports out of the allowed range.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90034 : Security FlowSpec: %s: The rule can not be created or changed to persisted one since total number of persisted rules in MCP database (%d) would exceed the max allowed in database limit (%d) as per profile (%s) configuration.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to add more than the allowed number of persisted FlowSpec profile rules.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90035 : %s cannot be changed to %s because the number of persisted rules of profile %s in MCP database is already %d.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to add more than the allowed number of persisted FlowSpec profile rules.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90036 : Security FlowSpec: %s: can not refer %s which is neither in the same partition as profile nor in /Common partition.

Location:
/var/log/ltm, GUi, CLI

Conditions:
A user has attempted to specify a FlowSpec configuration with mismatched administrative partitions.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90037 : Blacklist Publisher Profile (%s): %s is invalid.

Location:
/var/log/ltm, GUi, CLI

Conditions:
A user has attempted to specify a configuration that is not valid for a blacklist publisher profile.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90038 : Security FlowSpec: %s: port argument is not allowed for non-port-based protocol (%d).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to specify a port for a non-port-based protocol.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b90039 : Security FlowSpec: %s: The protocol (%d) is not supported.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has specified a non-supported FlowSpec protocol.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b9003a : Security FlowSpec: %s: The max flowspec route limit can not be decreased since the sum of current system advertised flowspec routes and user defined routes in database (%d) would exceed the specified max flowpsec route limit (%d).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to change the value of the maximum allowed route limit to less than the number of currently-existing routes in the system.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b9003b : Security FlowSpec: %s: IP fragement can't be specified with IPv6 Flowspec rule (%s).

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to specify FlowSpec IPv6 rules with matched IP fragments.

Impact:
The configuration is not updated.

Recommended Action:
None.

01b9003c : Multiple extension header types defined in policy %s, rule %s. Only one extension header type per rule supported.

Location:
/var/log/ltm

Conditions:
When attempting to add or modify security packet filter rules via TMSH or the BIG-IP Configuration utility, the user tried to configure more than one Extension header type per rule.

Impact:
The TMSH command or BIG-IP Configuration utility action fails, and the configuration is not changed.

Recommended Action:
Correct the TMSH command or the BIG-IP Configuration utility input data.

01b9003d : Extension header type %s used more than once in policy %s. Extension header type that doesn't support additional values can be used only once per policy.

Location:
TMSH, GUI and ltm log

Conditions:
When attempting to add or modify security packet filter rules via TMSH or the BIG-IP Configuration utility, the user tried to use an Extension header type that doesn't support additional values and therefore can be used only once per policy.

Impact:
The TMSH command or BIG-IP Configuration utility action fails, and the configuration is not changed.

Recommended Action:
Correct the TMSH command or BIG-IP Configuration utility input data.

01b9003e : Value %u associated with extension header type %s used more than once in policy %s. Any (Extension header type, value) pair can be used only once per policy.

Location:
/var/log/ltm, GUI, CLI

Conditions:
When attempting to add or modify security packet filter rules via TMSH or the BIG-IP Configuration utility, the user tried to use an Extension type/value pair more than once per policy.

Impact:
The TMSH command or BIG-IP Configuration utility action fails, and the configuration is not changed.

Recommended Action:
Correct the TMSH command or GUI input data.

01b9003f : Specifying values for extension header type %s is not supported, but values specified in policy %s, rule %s.

Location:
var/log/ltm, GUI, CLI

Conditions:
When attempting to add or modify security packet filter rules, a user has specified values that the extension header does not support.

Impact:
The TMSH command or GUI action fails, and the configuration is not changed.

Recommended Action:
Correct the TMSH command or the GUI input data.

01b90040 : Aggregate log rate for security packet filter cannot be greater than %u.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has attempted to configure a security packet filter log profile via a TMSH command or the GUI, and the following limitation was exceeded: Aggregate log rate for security packet filter cannot be greater than 1000.

Impact:
The TMSH command or GUI action fails and the configuration is not changed.

Recommended Action:
Correct the TMSH command or GUI data and re-submit.

01b90045 : Firewall Zone configuration %s exceeds maximum allowed limit of %d.

Location:
/var/log/ltm, GUI, CLI, API

Conditions:
A user has created a Firewall Zone beyond the maximum allowed limit of 256.

Impact:
"System Limits" imposes a maximum of 256 zones to be configured. If there is a need for more Zone objects, this feature limit imposes a restriction.

Recommended Action:
None.

01b90047 : %s: %s is not supported.

Location:
/var/log/ltm

Conditions:
A user has specified an unsupported format VLAN ID/mask in the source VLAN field of the debug register configuration.

Impact:
The configuration is invalid.

Recommended Action:
Inspect the relevant object configuration in the debug register. The source VLAN field of the debug register must refer to a VLAN configuration object.

01b90048 : %s: Configuration cannot be modified because %s.

Location:
/var/log/ltm

Conditions:
A debug register is being used to capture packets, and the capturing is not yet finished.

Impact:
This is an invalid configuration. The user is unable to modify the debug register configuration when it is being used to capture packets.

Recommended Action:
Stop the packet capturing and retry the command.

01b90049 : The %s (%s) for %s (%s) has the incorrect number of 0-bits set for the given address/prefixlen.

Location:
/var/log/ltm

Conditions:
A user has specified an invalid network address format. The address not in the prefix length should be 0's.

Impact:
The configuration is not valid.

Recommended Action:
Fix the network address properly. For example, 10.10.10.20/24 is not a valid network address. 10.10.10.0/24 is the correct network address.

01b9004a : Inconsistency in Anti-Fraud log profile: %s.

Location:
/var/log/ltm, GUI, CLI

Conditions:
A user has created an inconsistency in the configuration, for example, trying to use a storage field in the context of an event that the storage field doesn't support.

Impact:
The configuration fails.

Recommended Action:
Take action according to the provided message.

01b9004b : Inconsistency in the Anti-Fraud DOM signature '%s'(hash ID): %s in the Anti-Fraud profile '%s'.

Location:
/var/log/ltm, GUI, CLI

Conditions:
Any of these scenarios might have caused the error message:
- The DOM signature 'attribute name' field has been edited while the 'search-in' field is not 'attribute'.
- The DOM signature 'match-type' field has been set to 'contains' while the 'search-in' field is 'JS global variable'.
- The DOM signature 'html-tag' field has been left 'empty' while the 'search-in' field is 'HTML' and the 'match-type' field is 'is'.

Impact:
According to the scenarios above:
- Unable to edit DOM signature 'attribute name' field.
- Unable to set DOM signature 'match-type' set to 'contains'.
- Unable to set DOM signature 'html-tag' field to 'empty'.

Recommended Action:
According to the scenarios above:
- Edit the DOM signature 'attribute name' field only when 'search-in' field is 'attribute'.
- Set the DOM signature 'match-type' to 'is' while 'search-in' field is 'JS global variable'.
- Leave the DOM signature 'html-tag' field 'empty' only while 'search-in' field is 'HTML' and 'match-type' field is 'is'.

01b9004c : Log publisher '%s' used by Anti-Fraud log profile '%s' can have only Remote HSL, Splunk or Syslog destinations.

Location:
/var/log/ltm, CLI

Conditions:
An unsupported destination has been used in the assigned log publisher.

Impact:
The configuration fails.

Recommended Action:
The supported destinations are: remote-HSL, syslog, and splunk. Remove all other destinations from this publisher.

01b9004d : Anti-Fraud parameter '%s' is invalid. Enabling CSS selector for parameter requires: 1. either Full AJAX encryption or AJAX integrity enabled 2. parameter type is explicit in the Anti-Fraud profile '%s' (Anti-Fraud URL: '%s').

Location:
GUI, CLI

Conditions:
The configuration does not meet the following conditions:
-- URL must be defined with either Full Ajax Encryption or Full Ajax Integrity.
-- Parameter must be defined as Explicit.

Impact:
The configuration fails.

Recommended Action:
Take action according to the provided message.

01b9004e : No other maximum length can be greater than maximum request length (%u) in HTTP Security profile '%s'.

Location:
Error message is reported to tmsh CLI/GUI screen to give the correct range of settings.

Conditions:
-- Create or update an HTTP Security profile.
-- Values for 'POST data length', 'URL length', 'Query string' (or the sum of those three) exceed the value for 'Request length'.

Note: You might see this after upgrade to 15.0.0 or later.

Impact:
The profile is not created/updated, and the system posts a message:
01b9004e:3: No other maximum length can be greater than maximum request length (n) in HTTP Security profile '/Common/profile_name'.

Recommended Action:
Make sure that the values you specify when creating or updating HTTP Security profiles meet these requirements:

-- 'POST data length' is not greater than 'Request length'.
-- 'URL length' is not longer than 'Request length'.
-- 'Query string' is not longer than 'Request length'.
-- The sum of 'POST data length', 'URL length', and 'Query string' is not greater than 'Request length'.

01b90050 : (%s, %s) %s (%s) must have match type (%s) to enable %s.

Location:
/var/log/ltm

Conditions:
You attempt to incorrectly modify the specified blacklist/scrubbing category in the specified DoS device-config vector.

Impact:
Cannot modify the specified blacklist/scrubbing category in the specified DoS device-config vector. This configuration is invalid.

Recommended Action:
Inspect the relevant configuration in the specified DoS device-config vector. Configure the 'Bad Actor Detection' (blacklist category) in the DoS device-config with the category 'source' direction. Configure the 'Attacked Destination Detection' (scrubbing category) in DoS device-config with the category 'destination' direction.

01b90055 : Dos Signature (%s): %s can be %s when %s is %s.

Location:
/var/log/ltm

Conditions:
In tmsh security.dos.dos-signature, the property 'hardware-offload' can be enabled only when the property 'family' type is set to 'network'. If 'family' type is not 'network', 'hardware-offload' cannot be enabled.

Impact:
The configuration is invalid.

Recommended Action:
Inspect the relevant configuration in security.dos.dos-signature. The property 'hardware-offload' can be enabled only if the property 'family' type is set to 'network'.

01b90056 : %s (%s): %s must set to %s when %s is set.

Location:
/var/log/ltm

Conditions:
In the LTM profile FastL4 or Global DoS profile, the property 'syncookie_whitelist' must be set to enabled when the property 'syncookie-dsr_flow_reset_by' is set to 'bigip' or 'client' (but not to 'none').

Impact:
The configuration is invalid.

Recommended Action:
-- Inspect the relevant configuration in the FastL4 LTM profile or Global DoS profile.
-- When the 'syncookie-dsr_flow_reset_by' property is either 'bigip' or 'client', set the 'syncookie_whitelist' property to 'enabled'.

01b90062 : Specified next hop vlan '%s' for NAT policy '%s' rule '%s' has a different route domain(%d) than currently configured route domain(%d) in destination address (%s).

Location:
This message is posted on the console after the misconfiguration occurs.

Conditions:
You specify a next hop that has a VLAN with a different route domain assigned in the self IP object than the route domain specified in the destination translation addresses in the NAT policy rule.

Impact:
This is a misconfiguration. You cannot attach a VLAN as next hop if the route domains are different from the ones configured as the destination translation addresses.

Recommended Action:
Make sure both route domain configurations are the same.

01b90063 : Unable to create source-translation object %s as EIF timeout can be set only if inbound-mode is endpoint-independent-filtering.

Location:
While creating security nat source-translation object of type dynamic-pat, if inbound mode is not endpoint-independent-filtering and eif-timeout is set, object cannot be created and this error is reported:
01b90061:3: Unable to create source-translation object {object-name} as EIF timeout can be set only if inbound-mode is endpoint-independent-filtering.

This error can be seen in both tmsh and GUI.

Conditions:
-- Error is seen while creating security nat source-translation object of type dynamic-pat.
-- If inbound mode specified is other than endpoint-independent-filtering, eif-timeout cannot be configured. If it is specified for those inbound modes, this error is reported.

Impact:
tmsh and GUI log error:
01b90061:3: Unable to create source-translation object {object-name} as EIF timeout can be set only if inbound-mode is endpoint-independent-filtering.

Recommended Action:
If inbound mode is 'Explicit'/'None', do not specify eif-timeout.

01b90065 : Modifying dos.icmp6msgtype1 not supported on Smartnic devices.

Location:
Message can be seen from the command line.

Conditions:
You try to modify this db value when using a Smartnic device.

Impact:
No higher impact. The system prevents you from modifying the db value when using a Smartnic device.

Recommended Action:
No workaround. Action is not supported when using Smartnic devices.

01b90066 : Modifying dos.icmp6msgtype2 not supported on Smartnic devices.

Location:
Message can be seen from the command line.

Conditions:
You try to modify this db value when using a Smartnic device.

Impact:
No higher impact. The system prevents you from modifying the db value when using a Smartnic device.

Recommended Action:
No workaround. Action is not supported when using Smartnic devices.

01b90067 : Modifying dos.tcp.allow.unknown.opt1 not supported on Smartnic devices.

Location:
Message can be seen from the command line.

Conditions:
You try to modify db value when using a Smartnic device.

Impact:
No higher impact. The system prevents you from modifying the db value when using a Smartnic device.

Recommended Action:
No workaround. Action is not supported when using Smartnic devices.

01b90068 : Modifying dos.tcp.allow.unknown.opt2 not supported on Smartnic devices.

Location:
Message can be seen from the command line.

Conditions:
You try to modify db value when using a Smartnic device.

Impact:
There is no functional impact. This action is not supported, so the system prevents you from modifying db value when using a Smartnic device.

Recommended Action:
No workaround. Action is not supported when using Smartnic devices.

01bb0001 : Route domain configuration error: %s

Location:
/var/log/ltm

Conditions:
An internal error related to route domain configuration has occurred, such as a failure to update the route domain ID for BGP Instance Address Family / BGP Neighbor Address Family.

Impact:
The configuration that caused the error might not be saved properly.

Recommended Action:
Re-configure the command that failed, and ensure that all parameters are valid.

01bb0002 : %s - sadc

Location:
/var/log/ltm

Conditions:
The mcpd daemon is set to the Debug log level and running in sadc mode.

Impact:
None. This is an informational message only.

Recommended Action:
Ignore the message.

01bb0005 : Raising ICMP monitor priority is not supported on this platform (%s).

Location:
/at/log/ltm, CLI

Conditions:
The platform does not support the ICMP monitor priority feature, and the user has attempted to change it from its default value of "normal" to "high".

Impact:
The impact is simply the error message, and the ICMP monitor priority remains unchanged.

Recommended Action:
Use the default ICMP monitor priority.

01bb0006 : ICMP monitor priority feature not supported in vCMP mode.

Location:
/at/log/ltm, CLI

Conditions:
The vCMP module is provisioned, the platform supports the ICMP monitor feature, and the the user has attempted to enable the ICMP monitor feature.

Impact:
ICMP monitor priority is not supported when vCMP is provisioned, so the priority remains unchanged.

Recommended Action:
Either do not increase the ICMP monitor priority, or de-provision the vCMP module.

01bf0004 : Creating/Modifying Protocol Inspection compliance map are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to create or modify "protocol_inspection" compliance map type for a specific compliance check.

Impact:
Creating or modifying a "protocol_inspection" map type is disallowed.

Recommended Action:
Do not create or modify a "protocol_inspection" map type.

01bf0005 : Deleting Protocol Inspection compliance map are not allowed.

Location:
/var/log/ltm

Conditions:
An attempt has been made to delete "protocol_inspection" compliance map type for a specific compliance check.

Impact:
Deleting a "protocol_inspection" map type is disallowed.

Recommended Action:
Do not delete a "protocol_inspection" map type.

01bf0006 : Dependency failed between Protocol Inspection profile %s and the profile %s for the virtual %s, \'%s\' field must be enabled for %s

Location:
/var/log/ltm

Conditions:
When Protocol Inspection profile is attached to a virtual server of type Message Routing, the system checks for the following fields in the attached Message Routing SIP session and router profiles, and if any of them are not enabled, the system blocks attaching the Protocol Inspection profile to the virtual server.

Impact:
This is an informational message to block Protocol Inspection profile attachment to the virtual server when required fields are not enabled. There is no impact on the functionality.

Recommended Action:
There is no workaround. You must make sure that the required fields are set before attaching the Protocol Inspection profile.

-- 'Insert Via Header' must be enabled when the mode in SIP session profile is Load Balancing.
-- 'Do not Connect Back' must be disabled under the SIP session profile.

01bf0007 : Creating/Modifying Protocol Inspection service config object is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to create/modify a Protocol Inspection Service Config Object.

Impact:
This is an informational message. There is no functional impact.

Recommended Action:
Creating/modifying Protocol Inspection Service Config Objects is not allowed.

01bf0008 : Deleting Protocol Inspection compliance service config is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to delete a Protocol Inspection Service Config Object.

Impact:
This is an informational message.

Recommended Action:
Deleting Protocol Inspection Service Config Objects is not allowed.

01bf0009 : Creating/Modifying Protocol Inspection service config map is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to create/modify a Protocol Inspection Service Config Map.

Impact:
This is an informational message.

Recommended Action:
Creating/modifying Protocol Inspection Service Config Maps is not allowed.

01bf0010 : Deleting Protocol Inspection service config map is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to delete a Protocol Inspection Service Config Map.

Impact:
This is an informational message.

Recommended Action:
Deleting Protocol Inspection Service Config Maps is not allowed.

01bf0011 : Deleting Protocol Inspection service config enums is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to delete a Protocol Inspection Service Config Enum.

Impact:
This is an informational message.

Recommended Action:
Deleting Protocol Inspection Service Config Enums is not allowed.

01bf0012 : Creating/Modifying Protocol Inspection service config enums is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to create/modify a Protocol Inspection Service Config Enum.

Impact:
This is an informational message.

Recommended Action:
Creating/modifying Protocol Inspection Service Config Enums is not allowed.

01bf0013 : Creating/Modifying predefined Protocol Inspection common-config meta objects is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to create/modify a Protocol Inspection Super Config Compliance.

Impact:
This is an informational message.

Recommended Action:
Creating/Modifying predefined Protocol Inspection Super Config Compliances is not allowed.

01bf0014 : Deleting predefined Protocol Inspection common-config meta objects is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to delete a Protocol Inspection Super Config Compliance.

Impact:
This is an informational message.

Recommended Action:
Deleting predefined Protocol Inspection Super Config Compliances is not allowed.

01bf0015 : Creating/Modifying predefined Protocol Inspection common-config compliances is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to create/modify associated Protocol Inspection Super Config Compliance inspection objects.

Impact:
This is an informational message.

Recommended Action:
Creating/modifying predefined Protocol Inspection Super Config Compliance inspection objects is not allowed.

01bf0016 : Deleting predefined Protocol Inspection common-config compliances is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to delete associated Protocol Inspection Super Config Compliance inspection objects.

Impact:
This is an informational message.

Recommended Action:
Deleting predefined Protocol Inspection Super Config Compliance inspection objects is not allowed.

01bf0017 : Creating/Modifying predefined Protocol Inspection common-config service configs is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to create/modify a Protocol Inspection Service Config template object.

Impact:
This is an informational message.

Recommended Action:
Creating/modifying a Protocol Inspection Service Config template object is not allowed.

01bf0018 : Deleting predefined Protocol Inspection common-config service configs is not allowed.

Location:
/var/log/ltm

Conditions:
When trying to delete a Protocol Inspection Service Config template object.

Impact:
This is an informational message.

Recommended Action:
Deleting a Protocol Inspection Service Config template object is not allowed.

01bf0019 : Protocol Inspection service config %s requires valid value: %s

Location:
/var/log/ltm

Conditions:
Attempt to set invalid service config value

You run the following tmsh command with an invalid service config value:
modify security protocol-inspection profile <profile name> { services modify { <service name> { config modify { <service config name> { value <value> } }}}}

Impact:
None

Recommended Action:
Specify the correct type of the value. You can see correct value hints while typing the command by pressing TAB two times after the 'value' keyword.

01bf0020 : Protocol Inspection common-config is not defined.

Location:
/var/log/ltm
tmsh

Conditions:
When creating/modifying/deleting a Protocol Inspection Super Config Service or Super Config Compliance that does not have a Super Config name specified.

Impact:
Inability to create/modify/delete a Protocol Inspection Super Config Service or Super Config Compliance.

Recommended Action:
'tmsh load sys config' should restore Protocol Inspection Super Config Service and Compliance objects.

01bf0021 : Mismatch for service config(%s) and compliance/signature service version(%s)

Location:
GUI, CLI

Conditions:
This error is raised when the compliance/signature service version does not match service version of profile.

Impact:
Minimal. This is primarily an informational message.

Recommended Action:
No workaround. Use compliance checks/signatures with corresponding service version.

01c00001 : Please modify the addresses of cluster members only through the cluster component.

Location:
/var/log/ltm, CLI

Conditions:
The user is trying to create a management IP address for a cluster member on a clustered BIG-IP system, without using the cluster component.

Impact:
The system ignores the user's TMSH command to create or delete this management IP address, and instead directs the user to use the cluster component for this operation.

Recommended Action:
Use the command "tmsh modify sys cluster ...".

01c80025 : CONNECTOR: L7 get protocol failed

Location:
/var/log/ltm

Conditions:
The virtual server has an HTTP service connector profile, but has no L7CHECK profile to identify the traffic.

Impact:
The HTTP service node does not receive the traffic.

Recommended Action:
Add an L7CHECK profile to the virtual server.

01c80026 : CONNECTOR: L7 get protocol wrong type %d

Location:
/var/log/ltm

Conditions:
The virtual server has an HTTP service connector profile and an L7CHECK profile, but L7CHECK cannot identify the traffic.

Impact:
The HTTP service node does not receive the traffic.

Recommended Action:
None.

01c80027 : CONNECTOR: Cannot allocate memory for %s

Location:
/var/log/ltm

Conditions:
TMM is out of memory when allocating memory for the service connector.

Impact:
The system behaves in a degraded condition if it is out of memory.

Recommended Action:
Look for processes consuming excessive memory and consider restarting those processes. You might need to reboot or restart the system depending on the process that is consuming the memory.

01c80028 : CONNECTOR: Create and insert node for connflow %F, proxy %s, listener %s, profile %s

Location:
/var/log/ltm

Conditions:
A Service Connector has been created and inserted into a virtual server, to facilitate sending traffic to an associated service.

Impact:
None. This is an informational message only.

Recommended Action:
None.

01c80029 : CONNECTOR: Error creating node for connflow %F, proxy %s, profile %s [%s]

Location:
/var/log/ltm

Conditions:
The system has failed to create a traffic service connector, to send traffic to an associated service.

Impact:
The system fails to establish a connection between the client and server.

Recommended Action:
Remove the failing service connector and associated service from from the virtual server/policy that is trying to create the service connector. The traffic will not be sent to the service node (IPS, IDS, tap) associated with the service connector.

01c80030 : CONNECTOR: Send Perform-Method to connector %s, method-id %u

Location:
/var/log/ltm

Conditions:
The Service Connector module has sent a "perform method" to the virtual server on which the connector is attached.

Impact:
None. This is an internal message generated at the Debug level.

Recommended Action:
None.

01c80031 : CONNECTOR: Teardown/abort connector %s, profile %s, message %s

Location:
/var/log/ltm

Conditions:
The Service Connector receives a notification to tear down or abort the connection to the service.

Impact:
None. This message is generated at the Debug level.

Recommended Action:
None.

01c80032 : CONNECTOR: Listener %s, profile %s connect to service entry virtual server %s

Location:
/var/log/ltm

Conditions:
The traffic service connector has attempted to connect to the service identified by the service-entry virtual server.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80033 : CONNECTOR: Listener %s, profile %s service %s entry ingress, ingress bytes %u

Location:
/var/log/ltm

Conditions:
The service connector forwards traffic to the service to which it is attached.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80033 : CONNECTOR: Listener %s, profile %s, service connection result %u

Location:
/var/log/ltm

Conditions:
The service has sent the result of a connection request to the service connector.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80034 : CONNECTOR: Listener %s, profile %s connected to service entry virtual server %s

Location:
/var/log/ltm

Conditions:
The connector has been connected to the named service.

Impact:
None. This is an informational log message only.

Recommended Action:
None.

01c80035 : CONNECTOR: Listener %s, profile %s initialize connection

Location:
/var/log/ltm

Conditions:
The service connector is initialized prior to setting up a connection to its attached service.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80036 : CONNECTOR: Listener %s, profile %s service returned bytes %u

Location:
/var/log/ltm

Conditions:
The service has sent return traffic back to the service connector.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80036 : CONNECTOR: Uninitialize service connection

Location:
/var/log/ltm

Conditions:
A service has been disconnected from the traffic service connector.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80037 : CONNECTOR: Listener %s, profile %s, state %s, process message %s

Location:
/var/log/ltm

Conditions:
The traffic service connector state machine driver has received a message.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80038 : CONNECTOR: Listener %s, profile %s enqueue service connect to %s

Location:
/var/log/ltm

Conditions:
The Service Connector adds the creation of a service to the queue when the connector is opened from within an irule.

Impact:
None. This is a Debug log message only.

Recommended Action:
None.

01c80039 : CONNECTOR: Listener %s, profile %s dequeue service connect [hold=%s ingress-len=%u]

Location:
/var/log/ltm

Conditions:
The Service Connector removes a previously-enqueued service connect from the queue and attempts to open a connection to the service.

Impact:
None. This a Debug log message only.

Recommended Action:
None.

01c80040 : CONNECTOR: State %s event %s [external event %s]

Location:
/var/log/ltm

Conditions:
The traffic service connector state machine has received the event identified in the message.

Impact:
None. This message is generated at the Debug log level.

Recommended Action:
None.

01c80040 : CONNECTOR: Listener %s, profile %s dequeue service connect [error=%u]

Location:
/var/log/ltm

Conditions:
The Service Connector removes a previously held connection from the queue to a service but it fails to connect to the service.

Impact:
Creating a connection to the service fails.

Recommended Action:
None.

01c80041 : CONNECTOR: Listener %s, profile %s forward events [%s%s%s] to service %s

Location:
/var/log/ltm

Conditions:
The Service Connector has forwarded events that it held while the service creation was enqueued to the service.

Impact:
None. This is a Debug log message only.

Recommended Action:
None.

01c80042 : CONNECTOR: encountered error: %E File: %s Function: %s, Line: %d

Location:
/var/log/ltm

Conditions:
An APM/SWG/SSLO use case, with a per-request policy with a service connect agent or virtual server, has a connector profile attached.

Impact:
An error occurs while the system is processing traffic.

Recommended Action:
None.

01c90000 : MR MQTT: %s returned error: %lE

Location:
/var/log/tmm

Conditions:
An error has occurred related to MQTT parsing and processing.

Impact:
The system displays an informational message.

Recommended Action:
Use the informational message to debug MQTT parsing and processing.

01c90002 : MR MQTT: Keepalive timeout resulted in connection close.

Location:
/var/log/tmm

Conditions:
No response to MQTT PINGREQ was received from the broker.

Impact:
The connection to the MQTT endpoint is torn down.

Recommended Action:
Check the connectivity to the broker. If the connection is successful, then check whether the process responding to PINGREQ is up and running.

01c90003 : MR MQTT: Broker connection being reused.

Location:
/var/log/tmm

Conditions:
The server-side connection to the MQTT broker is being reused.

Impact:
None. This is an informational message only.

Recommended Action:
None.

01c90004 : MR MQTT: Parser error (%E), connection will be closed.

Location:
/var/log/tmm

Conditions:
The MQTT parser failed to parse the incoming message.

Impact:
The connection is reset.

Recommended Action:
You might need to turn on additional debug messages. In addition, you can capture packets to help determine the exact root cause and to help with reproducibility.

01c90005 : MR MQTT: Ingress buffer full, closing TCP window (flow %F)

Location:
/var/log/tmm

Conditions:
The MQTTSession and MQTTRouter profiles are configured on a message-routing virtual server, and the ingress buffer of the MQTTSession filter is filling up.

Impact:
A TCP window closes and further processing of data is paused until the current data in ingress buffer is processed.

Recommended Action:
Use this informational message for debugging, if you are experiencing connection hang scenarios.

01c90006 : MR MQTT: Ingress buffer draining, opening TCP window (flow %F)

Location:
/var/log/tmm

Conditions:
The MQTTSession and MQTTRouter profiles are configured on a message-routing virtual server, and the ingress buffer of the MQTTSession filter has fallen below the acceptable limit.

Impact:
A TCP window that the MQTTSession filter had previously closed is opened, and the filter resumes data processing.

Recommended Action:
Use this informational message for debugging, if you are experiencing connection hang scenarios.

01cb0029 : Error: signature generation fails for '%s'.

Location:
/var/log/logintegrity.log

Conditions:
When the LogIntegrity utility program is triggered after logs rotation and due to specific error conditions.

Impact:
The log integrity file is not generated

Recommended Action:
You can review /var/log/logintegrity.log for additional errors or indications that match the time the associated log message occurred.

01cb0030 : Error: signatures rotation fails for '%s'.

Location:
/var/log/logintegrity.log

Conditions:
When the LogIntegrity utility program is triggered after log rotation and encounters a specific error conditions.

Impact:
The log integrity file is not rotated because LogIntegrity file verification failed.

Recommended Action:
You can review /var/log/logintegrity.log for additional errors or indications that match the time the associated log message occurred.

01cc0000 : Config error: Agent Rate Limiting Config Entry [%s:%d] update: agent clone failed

Location:
/var/log/tmm

Conditions:
When an api_rate_limiting agent, in a per request policy in APM, is modified, an internal failure can happen while cloning it, because the pointer to the agent entry is NULL.

Impact:
The update made to the API Rate Limiting agent in a per-request policy is lost and the system logs this error message.

Recommended Action:
Perform the update again to the API Rate Limiting agent in the per-request policy.

01cc0000 : NATS server returned error: '%.*s'

Location:
/var/log/tmm

Conditions:
The specific cause for any particular error is unknown.

Impact:
Tmm is learning that its prior request to the NATS publication/subscribe server had an error. This error originates in the NATS server, and is logged by the tmm for visibility and remediation.

Recommended Action:
Try reconfiguring the NATS server, tmm, or both. Otherwise, it might be an internal error that requires escalation to F5.

01cc0000 : Peer (%s) delay %d ms %s the %s threshold %d ms

Location:
/var/log/ltm

Conditions:
This message occurs when either:

1.The peer delay exceeds the configured peer delay critical threshold.
2.The peer delay comes back under the configured peer delay critical threshold.

Impact:
The "bigipMrfPeerDelayHealthChanged" SNMP trap gets raised.

Recommended Action:
None.

01cc0001 : The number of messages sent to the peer (%s) %d msgs/sec %s the %s rate limit threshold %d msgs/sec

Location:
/var/log/ltm

Conditions:
In the last minute, the number of messages sent to the peer was below or above the rate limit threshold.

Impact:
If the rate limit on a single connection to a peer exceeds the configurable threshold, an SNMP trap is generated (if SNMP traps are configured).

Recommended Action:
None.

01cc0002 : The number of messages from the peer (%s) %d msgs/sec %s the %s rate limit threshold %d msgs/sec

Location:
/var/log/ltm

Conditions:
In the last minute, the number of messages received from the peer was below or above the rate limit threshold.

Impact:
If the rate limit on a single connection to a peer exceeds the configurable threshold, the trap is generated (if the SNMP trap setting is configured).

Recommended Action:
None.

01cc0003 : Peer (%s) errors percentage %d %s the %s threshold %d percentage

Location:
/var/log/ltm

Conditions:
1.When the number of peer error responses exceed the configured peer errors major threshold.
2.When the number of peer error responses comes back under the configured peer errors major threshold.

Impact:
bigipMrfPeerErrorsHealthChanged SNMP trap gets raised.

Recommended Action:
None.

01cc0004 : Peer (%s) timeouts percentage %d %s the %s threshold %d percentage

Location:
/var/log/ltm

Conditions:
This message occurs when either:

1.The number of peer timeouts exceed the configured peer timeouts major threshold.
2.The number of peer timeouts comes back under the configured peer timeouts major threshold.

Impact:
The "bigipMrfPeerTimeoutsHealthChanged" SNMP trap gets raised.

Recommended Action:
None.

01cc0006 : Peer (%s) connection state has changed: %s

Location:
/var/log/ltm

Conditions:
The peer connection state has changed.

Impact:
None. The event is used to raise an SNMP trap.

Recommended Action:
None.

01cc0008 : telemd setrlimit %d error: %s %ld.

Location:
/var/log/telemd.log

Conditions:
A user has attempted to change the allowed number of file descriptors that may be open at one time by the 'telemd' daemon.

Impact:
The 'telemd' process is started, and the operating system denies the process from changing its default number of open file descriptors. The 'telemd' process continues to run, but with the default limit for the number of open file descriptors. This is a minor issue, as the 'telemd' daemon might not require more open file descriptors beyond the default.

Recommended Action:
None.

01d40003 : Geo_Redundancy: Reload failed: %s (%E)

Location:
/var/log/ltm

Conditions:
During a reload, the tmm GEO redundancy subsystem could not successfully send its Diameter session DB persistence records to the remote site that had requested the reload.

Impact:
The remote site did not receive all Diameter persistence records. The remote site may not be accepting new Diameter connections.

Recommended Action:
Manually initiate a reload from the remote site.
tmsh run util geodb -r

Note: The reload may take several minutes. The remote site will not accept new Diameter connections until the reload is successful.

01d40004 : Geo_Redundancy: Session DB update failed: %E

Location:
/var/log/ltm

Conditions:
The tmm GEO redundancy subsystem cannot write remote site Diameter persistent records to the session DB.

Impact:
Diameter sessions may not be persisted to the correct server.

Recommended Action:
Initiate a Diameter session DB reload from the remote site:
tmsh run util geodb -r

Note: The reload may take several minutes.

01d40007 : Geo_Redundancy: Message dropped, %s, %E

Location:
/var/log/ltm

Conditions:
The tmm GEO redundancy subsystem cannot deserialize a message it received from the kafka daemon.

Note: kafka and mirrormaker1 are open-source, GEO Redundancy-related daemons that provide distributed publish/subscribe services for BIG-IP Diameter session DB persistence operations.

Impact:
Something on the network may be injecting invalid messages into the kafka stream.

Recommended Action:
Determine whether something on the network is injecting invalid messages to the local kafka/mirrormaker1 daemons.

Reload the remote Diameter session DB:
tmsh run util geodb -r

Note: The reload may take several minutes. New diameter connections are not allowed until the reload is complete.

01d40008 : Geo_Redundancy: Unknown GEO message received, %d

Location:
/var/log/ltm

Conditions:
The tmm receives an unknown message from the kafka daemon.

Note: kafka and mirrormaker1 are open-source, GEO Redundancy-related daemons that provide distributed publish/subscribe services for BIG-IP Diameter session DB persistence operations.

Impact:
The message is dropped, the event logged, and the system continues to function.

Recommended Action:
Determine whether something in the network injected an invalid message into the BIG-IP system.

01d40009 : Geo_Redundancy: Can't send message, %s, %d

Location:
/var/log/ltm

Conditions:
The diameter tmm GEO redundancy subsystem cannot send a message to the local kafka daemon.

Note: kafka and mirrormaker1 are open-source, GEO Redundancy-related daemons that provide distributed publish/subscribe services for BIG-IP Diameter session DB persistence operations.

Impact:
Diameter session records may be dropped.

Recommended Action:
1. Check that the kafka and mirrormaker1 daemons are running. If they are not running, start them:
bash# bigstart status kafka mirrormaker1
bash# bigstart restart kafka mirrormaker1

2. Initiate a manual reload of the remote Diameter session DB:
tmsh run util geodb -r

Note: The reload may take several minutes. New diameter connections are not allowed until the reload is complete.

01d4000a : Geo_Redundancy: unexpectedly disconnected %s

Location:
This message is logged when the georedundancy profile is disconnected from its remote peer. This might happen for a variety of reasons, including network failure or the loss of function in the remote Data Center. It is used to trigger an SNMP trap.

Conditions:
Occurs when georedundancy is configured on two BIG-IP systems, they are connected to each other, and then communication between them fails.

Impact:
Georedundancy has ceased to operate. An SNMP message is sent to any subscribers.

Recommended Action:
None.

01d4000b : Geo_Redundancy: status set to offline

Location:
When georedundancy is first configured on a BIG-IP system, its status is set to offline. This triggers an SNMP trap.

Conditions:
Georedundancy is initially configured on a BIG-IP system.

Impact:
SNMP subscribers receive a message.

Recommended Action:
None.

01d4000c : Geo_Redundancy: status set to connected

Location:
Connection is established between two georedundancy device groups, reload has been completed. Initially, both peers send and receive reloads to and from each other. When 'reload receiving' completes, the 'connected' status is set and the SNMP trap is triggered.

Conditions:
Two BIG-IP systems have been configured with georedundancy and are connected to each other.

Impact:
None. This is an informational message.

Recommended Action:
None.

01d4000d : Geo_Redundancy: status set to reload sending

Location:
Georedundancy has begun sending its saved state to its peer. This means the peer requested the reload and has issued the message 'reload receiving'. An SNMP trap is triggered.

Conditions:
A BIG-IP system configured for georedundancy has connected to this one and requested a reload.

Impact:
None. This is an informational message.

Recommended Action:
None.

01d4000e : Geo_Redundancy: status set to reload receiving

Location:
This BIG-IP system has been configured with a georedundancy profile and connected to another BIG-IP system, also configured with one. Its status has been set to reload-receiving, and an SNMP trap has been triggered. The remote BIG-IP system is in the reload-sending status.

Conditions:
This BIG-IP system has connected to a remote BIG-IP system and begun receiving saved records from it.

Impact:
None. This is an informational message.

Recommended Action:
None.

01d40010 : Geo_Redundancy: watchdog has expired

Location:
This message indicates that the georedundancy watchdog has not received a keepalive message from a remote peer in a configurable number of periods of configurable length.

The period is configured as db sys georedundancy.watchdog.period, and the number of periods is db sys georedundancy.watchdog.timeoutperiods.

Conditions:
-- A georedundancy profile has been configured on the BIG-IP system.
-- There has been no communication from the remote peer.

Impact:
The system provides no georedundancy.

Recommended Action:
None.

01d40028 : Error: LogIntegrity run is prohibited from '%s'.

Location:
/var/log/logintegrity.log

Conditions:
When you run the LogIntegrity utility from the shell prompt.

Impact:
This is an informational message that has no impact.

Recommended Action:
There is no workaround. You cannot run LogIntegrity from the shell.

You can review /var/log/logintegrity.log for additional errors or indications that match the time the associated log message occurred.

01d70002 : Warn: %s

Location:
/var/log/logintegrity.log

Conditions:
When the LogIntegrity utility program is triggered after log rotation and encounters a specific error conditions.

Impact:
There might be an impact on log integrity files generation if the logintegrity operation fails.

Recommended Action:
You can review /var/log/logintegrity.log for additional errors or indications that match the time the associated log message occurred.

01d70002 : %s

Location:
This is seen on console. Informational log is used to indicate that disk check has started. This log is also used before maintenance mode is enabled.

Conditions:
-- Disk check started: Is seen when the daemon starts.
-- Enable maintenance mode: This is logged when /var/log utilization exceeds the configured threshold.

Impact:
-- Enable maintenance mode: Most of the services stop in maintenance mode (after this message).
-- Disk check started: This is seen when disk check starts, and has no effect on daemons or any other process.

Recommended Action:
After Enable maintenance mode is logged, the system goes into maintenance mode. It can be returned to normal operation by deleting or archiving files at /var/log and issuing bigstart start.

01d70003 : Info: %s

Location:
/var/log/logintegrity.log

Conditions:
This informational message gets logged when the LogIntegrity utility program is triggered after log files rotation.

Impact:
None. This is an informational message.

Recommended Action:
None

01d70004 : MR_RATELIMIT: message id %s dropped on %s

Location:

Conditions:

Impact:

Recommended Action:

01d70004 : Error '%s' opening pid file '%s'.

Location:
/var/log/ltm

Conditions:
Error is seen during daemon creation if there is a failure in opening the pid file.

Impact:
The fault_monitord daemon does not start. This is a problem with standard Linux commands.

Recommended Action:
Try to restart the daemon.

01d70006 : Fork failed: %s

Location:
/var/log/ltm

Conditions:
This message is seen when process creation fails (fork fails).

Impact:
The fault_monitord daemon does not start due to an error while creating the process.

Recommended Action:
This error is seen when a Linux (fork) call fails. The daemon does not start. Try to restart the daemon.

01d70007 : Error '%s' attempting to chdir to '%s'

Location:
/var/log/ltm

Conditions:
This is an internal issue. The message is reported when there is a failure while moving to the '/var/run/' directory.

Impact:
Failure during daemon creation.

Recommended Action:
This is an internal error that is not linked to any GUI. Try to restart the daemon.

01d70008 : Error '%s' opening file %s

Location:
/var/log/ltm

Conditions:
This error is generated when the 'open' system call fails. It is reported during daemon creation.

Impact:
Daemon creation fails.

Recommended Action:
This is an internal error that is not linked to any GUI. Try to restart the daemon.

01d70010 : Error '%s' sending signal '%d' to process '%d'.

Location:
/var/log/ltm

Conditions:
This error message is seen as a result of an unknown error while reading pid.

Impact:
Daemon creation fails.

Recommended Action:
Try to restart the fault_monitord daemon.

01d70011 : Insufficient memory, allocation failed.

Location:
Log is seen in /var/log/ltm.

Conditions:
This message is generated when there is an issue with allocating memory. This might occur while registering callback functions for db variables.

Impact:
MCP connection is not established and the db variable values cannot be fetched.

Recommended Action:
Try to restart daemon.

01d70012 : Error dispatching event

Location:
This message is seen in /var/log/ltm.

Conditions:
The message is seen when there is a failure to dispatch any event.

Impact:
Timer functionality may not work as expected.

Recommended Action:
Restart daemon.

01d70013 : Initial subscription for system configuration failed with error '%s'

Location:
This log can be seen in /var/log/ltm.

Conditions:
This error is seen when there is an issue with MCP subscription.

Impact:
Callbacks from MCP are not received.

Recommended Action:
Restart fault_monitord. This tries to reconnect with MCP.

01d70014 : Unexpected tag '%s' in msg

Location:
This message may be seen in /var/log/ltm.

Conditions:
An unexpected tag received from MCP causes this error, as there is no specified operation for the specified tag.

Impact:
This does not stop fault_monitord but sends a message to MCP that can be seen in /var/log/ltm.

Recommended Action:
NA

01d70016 : No more space to add MCP tag.

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when no new tags can be added for MCP registration.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP.

Recommended Action:
This is an internal error. There is no impact on running processes.

01d70017 : Add MCP tag after compacted.

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when no new tags can be added for MCP registration.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP.

Recommended Action:
This is an internal error. There is no impact on running processes.

01d70018 : No more space to add MCP object.

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when no new objects can be added for MCP registration.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP.

Recommended Action:
This is an internal error. There is no impact on running processes.

01d70019 : MCP tags already compacted.

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when there are issues with MCP registration.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP.

Recommended Action:
This is an internal error. There is no impact on running processes.

01d70020 : MCP objects already compacted.

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when there are issues with MCP registration.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP.

Recommended Action:
This is an internal error. There is no impact on running processes.

01d70021 : No more space to compact MCP objects.

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when there are issues with MCP registration.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP.

Recommended Action:
This is an internal error. There is no impact on running processes.

01d70024 : Error calling setsockopt on mcp fd: '%s'.

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when there are issues with socket creation.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP.

Recommended Action:
This is an internal error. There is no impact on running processes.

01d70025 : Connection to mcpd failed with error '%s'

Location:
This message is seen in /var/log/ltm.

Conditions:
This message is seen when there are issues while connecting to MCP.

Impact:
This is an internal error and is seen when fault_monitord tries to register with MCP and may cause a failure during daemon start-up.

Recommended Action:
Restart the daemon.

01d70026 : Cannot find tag '%s' in message

Location:
/var/log/ltm

Conditions:
Message is seen when a particular tag is not found

Impact:
This is an internal error and does not cause any impact to the running process.

Recommended Action:
NA

01d70027 : %s %s %s

Location:
/var/log/ltm

Conditions:
This message is seen while processing messages.

Impact:
This is an internal error and does not have any major impact.

Recommended Action:
This is an internal error , and a minor issue while that occurs while processing messages.

01d70029 : %s %s %s

Location:
/var/log/ltm

Conditions:
This error is a result of issues with processing MCP messages.

Impact:
This does not cause any daemon failure but might result in missing a few MCP messages.

Recommended Action:
None. This is a minor issue.

01d70030 : %s: Unexpected tag '%s' in msg

Location:
/var/log/ltm

Conditions:
This message is seen when fault_monitord receives an unexpected message from MCP.

Impact:
No impact on fault_monitord; this message is ignored as it is not relevant. It is informational.

Recommended Action:
NA

01d70031 : Error fetching disk space

Location:
/var/log/ltm

Conditions:
This message is seen when fault_monitord is unable to fetch disk space usage at /var/log.

Impact:
Inability to track disk space may lead to audit data loss.

Recommended Action:
None.

01d70032 : Unable to fetch disk space : %s

Location:
/var/log/ltm

Conditions:
This message is seen when a NULL pointer is passed to a function used to check disk space.

Impact:
Disk space monitor may fail.

Recommended Action:
Try to restart the daemon.

01d70033 : Disk usage at \\var\\log: %d%%, Configured threshold %d%%

Location:
/var/log/ltm

Conditions:
This message is seen when disk usage exceeds the configured threshold.

Impact:
System goes into maintenance mode.

Recommended Action:
Many processes may stop after this log message. The system can be brought back up by archiving/deleting files and issuing 'bigstart start'.

05000017 : Attr(%attr/%s) is unknown under (%parent/%s)

Location:
/var/log/ltm

Conditions:
There is a software version mismatch between internal system components.

Impact:
The unknown message is dropped and no action taken.

Recommended Action:
None.

05000018 : client(%client/%s) last response code(%responsecode/%s) result(%result/%d)(%resultmsg/%s) request_id(%requestid/%d)

Location:
/var/log/ltm

Conditions:
An error has occurred internally within a Traffic Acceleration Module (TAM) library. There are several reasons this error could occur, but the exact error message has more information.

Impact:
The update of the TAM module fails. The current configuration does not match the actual state of the TAM module, so network traffic might not act as expected.

Recommended Action:
The workaround depends on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"

    2) Re-provision TAM.

    3) Reboot the system.

05000019 : client(%client/%s) last request code(%requestcode/%s) request_id(%requestid/%d)

Location:
/var/log/ltm

Conditions:
An error has occurred internally within a Traffic Acceleration Module (TAM) library. There are several reasons this error could occur, but the exact error message contains more information.

Impact:
The update of the TAM module fails. The current configuration does not match the actual state of the TAM module, so network traffic might not act as expected.

Recommended Action:
The workaround depends on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

0501001e : Failed to call sem_post. ctx(%context/%s) client(%client/%s) Error: (%error/%d)((%strerr/%s))

Location:
/var/log/ltm

Conditions:
An issue has occurred where either the semaphore being used for inter-process communication does not exist or an overflow has happened. The error message contains the exact linux error code. This could be caused by an initialization bug, or the receiving process is not functioning correctly.

Impact:
Communication between Traffic Acceleration Module (TAM) processes might not be happening, so TAM configuration could continuously fail.

Recommended Action:
The corrective action depends on the exact error message, but restarting the TAM daemons could clear the error conditions.

"bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"

05010022 : message-post failure(%failure/%s) from (%user/%s)

Location:
/var/log/ltm

Conditions:
Traffic Acceleration Module (TAM) inter-process communication is failing. This could be caused by a variety of errors, but the exact error string should contain more information.

Impact:
TAM configuration does not update correctly. The set configuration will not be correctly set inside TAM, so TAM virtual servers might use old settings.

Recommended Action:
Restarting the TAM processes may clear the error.

"bigstart restart hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd hclientd"

Otherwise consider rebooting the system.

05010023 : Internal pipe operation (%op/%s) failed client(%client/%s) ((%errno/%d)/(%sterrror/%s)) bytes (%expect/%d)/(%done/%d)

Location:
/var/log/ltm

Conditions:
A Traffic Acceleration Module (TAM) process is unable to open a needed pipe. A software defect has caused some process on the system to open an excessive amount of files. This usually happens when some conditions cause a process to open files and never close them.

Impact:
Inter-process communication between TAM processes is failing, which will cause the TAM control plane to stop functioning correctly. Any updates to TAM configuration could fail.

Recommended Action:
Use the operating system command "lsof" on the system to determine which process is using an excess number of file handles.

05010024 : Session inactive for (%user/%s) failed (%ctx/%s)

Location:
/var/log/ltm

Conditions:
A communication error has occurred between Traffic Management Module (TAM) processes. An attempt to send a message between TAM processes has failed because one process failed to respond. The specific error message contains more information.

Impact:
Any TAM configuration fails as long as this error persists.

Recommended Action:
The workaround depends on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05020039 : Expect only one busy block, as min-upd > config-switch (%count/%d) (%sequences/%s)

Location:
/var/log/ltm

Conditions:
An internal Traffic Acceleration Module (TAM) configuration is larger than expected. An error has occurred in the writing on the internal TAM state.

Impact:
TAM might not function as expected, as the internal state might be wrong. This could involve new settings looking like they were successful, but not being set in TAM.

Recommended Action:
Restarting the TAM control plane processes will probably clear this error.

"bigstart restart hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd".

A system reboot might also clear the error.

05020061 : Failed to init ha

Location:
/var/log/ltm

Conditions:
An issue is preventing parts of the Traffic Acceleration Module (TAM) control plane from registering for high availability (HA) through TMOS.

Impact:
Any TAM control plane process might not restart correctly if an error brings it down.

Recommended Action:
The workaround depends on whether the issue is caused by TMOS or the TAM control plane. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05020062 : Failed to exit ha

Location:
/var/log/ltm

Conditions:
As the TAM control plane exited, it was unable to de-register itself from high availability (HA) through TMOS.

Impact:
TMOS might attempt to restart the processes after they have exited.

Recommended Action:
None.

05020063 : Failed to send heartbeat to update ha

Location:
/var/log/ltm

Conditions:
An issue is preventing the Traffic Acceleration Module (TAM) control plane from sending heartbeats to TMOS for high availability (HA).

Impact:
TMOS might restart the TAM control plane because it is not receiving heartbeats. If this error is persistent, the TAM control plane might not function, and configuration changes will be impossible.

Recommended Action:
The fix will depend on whether the issue is caused by TMOS or the TAM control plane. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05020065 : Cannot find PM(%pm/%s) for status update for VIP(%vip/%s)

Location:
/var/log/ltm

Conditions:
A member of a pool that is assigned to a virtual server cannot be found.

Impact:
Status changes for the referenced pool member are not made, and configuration of the pool member might fail.

Recommended Action:
This error indicates an error in the internal logic of the process, so an exact workaround depends on what went wrong. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05020067 : Unhandled message(%msg/%s) reason(%reason/%s)

Location:
/var/log/ltm

Conditions:
A message of either unknown type or unknown data type has been sent to nest_client. This is caused by an internal software version mismatch, where the nest_client is running alongside Traffic Acceleration Module (TAM) daemons that are of an unsupported version.

Impact:
The unknown message is dropped and no action is taken.

Recommended Action:
None.

05020068 : stats reset failed (%reason/%s)

Location:
/var/log/ltm

Conditions:
An internal error in the Traffic Acceleration Module (TAM) processes caused the reset of a stats request to fail. This might have several causes, for example, the software attempted to reset a non-existent stat.

Impact:
The stat in question (if it exists) is not cleared.

Recommended Action:
None.

05020069 : SNAT detected for pm(%pm/%s) when DSR mode is enabled on vip(%vip/%s)

Location:
/var/log/ltm

Conditions:
Traffic Acceleration Module (TAM) has detected that a virtual server has DSR enabled and a SNAT pool assigned.

Impact:
TAM rejects the virtual server configuration and no traffic will be processed for that virtual server. SNAT pools are not supported for TAM virtual servers when DSR mode is enabled.

Recommended Action:
Either disable DSR mode for the virtual server or remove the assigned SNAT pool.

0503000a : Class (%class/%s) was not requested

Location:
/var/log/ltm

Conditions:
There is an internal error in the state of Traffic Acceleration Module (TAM). One process is trying to create, modify, or delete an entry that has not been requested.

Impact:
This error might indicate a problem with the TAM module. Something has caused TAM processes to get out of sync with one another.

Recommended Action:
The fix might depend on the specific error in the message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

0503000b : Hornet response error (%error/%d) (%msg/%s)

Location:
/var/log/ltm

Conditions:
There is a communication error between Traffic Acceleration Module (TAM) processes.

Impact:
Any configuration of TAM fails as long as this error persists. The error message contains more information on the specific error.

Recommended Action:
The fix depends on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

0503000c : Neuron rule programming failure. Operation: (%op/%s) Rule Text: (%text/%s) Error: (%error/%s)

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the neurond_updater process. A traffic rule has been created that is invalid.

Impact:
The update of Traffic Acceleration Module (TAM) fails. The current configuration will not match the actual state of the TAM module, so network traffic might not act as expected. The specific error message contains more information about which rule has failed.

Recommended Action:
The fix might depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05030011 : nexthop update failed with err ((%err/%s))

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the neurond_updater process.

Impact:
The update of Traffic Acceleration Module (TAM) fails. The current configuration will not match the actual state of TAM, so network traffic might not act as expected. There are several reasons for this error, but the exact error message contains more information.

Recommended Action:
The fix may depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05030012 : vlan update failed with err ((%err/%s))

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the neurond_updater process.

Impact:
The update of TAM fails. The current configuration will not match the actual state of TAM, so network traffic might not act as expected. There are several reasons for this error, but the exact error message contains more information.

Recommended Action:
The fix might depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05030013 : virtual update failed with err ((%err/%s))

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the neurond_updater process.

Impact:
The relevant virtual server update is ignored, but the process will continue with other updates as normal. There are several reasons for this error, but the exact error message contains more information.

Recommended Action:
The fix might depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05030014 : Pool-member update failed with err ((%err/%s))

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the neurond_updater process.

Impact:
The update of Traffic Acceleration Module (TAM) fails. The current configuration will not match the actual state of the TAM module, so network traffic might not act as expected. There are several reasons for this error, but the exact error message contains more information.

Recommended Action:
The fix might depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05030015 : Self-IP update failed with err ((%err/%s))

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the neurond_updater process.

Impact:
The update of Traffic Acceleration Module (TAM) fails. The current configuration will not match the actual state of TAM, so network traffic might not act as expected. There are several reasons for this error, but the exact error message contains more information.

Recommended Action:
The fix might depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hclientd hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.

05030016 : SNAT-pool-member update failed with err ((%err/%s))

Location:
/var/log/ltm

Conditions:
An error has occurred within the internal state of the neurond_updater process.

Impact:
The relevant snat pool member update is ignored, but the process will continue with other updates as normal. There are several reasons for this error, but the exact error message contains more information.

Recommended Action:
The fix might depend on the specific error in the error message. Some general things to try are:

    1) Restart the relevant TAM control plane processes:
        "bigstart restart hornet_nest_updaterd hornet_neuron_updaterd hornet_serverd"
    2) Re-provision TAM.
    3) Reboot the system.



*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information