Focus

Prisma SD-WAN

Event Category-Network

Table of Contents

Filter

Expand All | Collapse All

Prisma SD-WAN Docs

Activation & Onboarding
Administration
CloudBlades
Select a Document
- CloudBlade Integrations
- CloudBlades Integration with Prisma Access
Deployment
Incidents & Alerts
Reference
Release Notes
Select a Document
- 6.5
- 6.4
- 6.3
- 6.1
- 5.6
- Prisma SD-WAN Controller
- Prisma SD-WAN On-Premises Controller
- Prisma SD-WAN CloudBlades
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed
Prisma SASE

Event Category-Device

Event Category-Policy

Event Category-Network

Incident and alert event codes based on the categories for troubleshooting in Prisma SD-WAN. Learn about the event codes generated due to network-related events in Prisma SD-WAN.

Where Can I Use This?	What Do I Need?
Prisma SD-WAN (Managed by `Strata Cloud Manager`)	Prisma SD-WAN

In Prisma SD-WAN, different types of events trigger alerts and incidents. Prisma SD-WAN generates alerts and incidents on reaching system-defined thresholds or if there is a fault in the system.

A network-related event that can trigger either an incident or an alert can be due to issues related to site connectivity, secure fabric links, service endpoints, or logical interfaces.

The following tables describe a list of event or incident codes, the event origin, its severity, and a description of each event as per the event category.

For each incident raised on the web interface, you can troubleshoot the issue. If the issue persists, select Go to Support to create a support ticket. A Palo Alto Networks Support executive will contact you. You can also return the device to Palo Alto Networks.

**Event Category-Network**
INCIDENT CODE	EVENT ORIGIN	INCIDENT /ALERT	SEVERITY	EVENT TITLE	EVENT DESCRIPTION	RELEASE INTRODUCED
BRANCH_ GATEWAY CLUSTER_ SITE COUNT_ THRESHOLD_ EXCEEDED	Controller	Incident	Major	Spoke sites limit exceeded on Branch Gateway cluster	The maximum number of branch sites that can be associated with a Branch Gateway site has been exceeded.	6.4.1
DEVICESW_ INITIATED_ CONNECTION_ ON_ EXCLUDED_ PATH	Device	INCIDENT	Warning	Device Initiated Connection on excluded path.	Device Initiated Connection on excluded interface.	5.4.3
HUB_ CLUSTER_ SITE_ COUNT_ THRESHIOLD_ EXCEEDED	Controller	INCIDENT	Warning	Hub Cluster Branch Count Limit Exceeded	The maximum number of branches allowed on hub cluster have been exceeded.	6.1.1
NETWORK_ SECUREFABRICLINK_ DEGRADED	Controller	INCIDENT	Informational	Secure Fabric Link is degraded with atleast 1 VPN link UP from the active spoke and 1 or more VPN links DOWN from the active SPOKE.	Secure Fabric Link is degraded with atleast 1 VPN link up from the active spoke and 1 or more VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1 there will be immediate changes to incidents, including standing VPN related incidents that will no longer be visible, by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_ SECUREFABRICLINK_ DEGRADED with NETWORK_ ANYNETLINK_ DEGRADED. Click API Changes for Network Secure Fabric Link Event Codes to know more about the API changes.	5.4.1
NETWORK_ SECUREFABRICLINK_ DOWN	Controller	INCIDENT	Warning	Secure Fabric Link is down with all VPN Links DOWN from the active spoke.	Secure Fabric Link is down with all VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1 there will be immediate changes to incidents, including standing VPN related incidents that will no longer be visible, by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_ SECUREFABRICLINK _DOWN with NETWORK_ ANYNETLINK _DOWN. Click API Changes for Network Secure Fabric Link Event Codes to know more about the API changes.	5.4.1
NETWORK_ DIRECTINTERNET_ DOWN	Device	INCIDENT	Warning	Direct Internet Reachability Down.	For remote office or branch sites, reachability on an internet circuit is down. If there are no alternate paths in application policy, the incident indicates that traffic is impacted and must be attended to immediately. `Release 5.4.1 and later` When NETWORK_ DIRECTINTERNET _DOWN incident is raised, it also shows related faults. These faults are caused due to this incident which can be NETWORK_ SECUREFABRICLINK _DEGRADED or NETWORK_ SECUREFABRICLINK _DOWN .	4.5.1
NETWORK_ DIRECTPRIVATE_ DOWN	Device	INCIDENT	Warning	Private WAN Reachability Down.	For remote office or branch sites, all data center sites with the ION 7000 deployed are unreachable on the private WAN. If there are no alternate paths configured in application policy, the incident indicates that traffic is impacted and must be attended to immediately. `Release 5.4.1 and later` When NETWORK_ DIRECTINTERNET _DOWN incident is raised, it also shows related faults. These faults are caused due to this incident which can be NETWORK_ SECUREFABRICLINK _DEGRADED or NETWORK_ SECUREFABRICLINK _DOWN .	4.5.1
NETWORK_ PRIVATEWAN_ DEGRADED	Device	INCIDENT	Warning	Private WAN Degraded.	For data center sites, a subset of IP prefixes from one or more remote sites are determined to be unreachable over the private WAN based on routing updates received from the network.	4.5.1
NETWORK_ PRIVATEWAN_ UNREACHABLE	Device	INCIDENT	Warning	Private WAN Unreachable.	For data center sites, one or more remote offices declared unreachable over the private WAN based on routing updates received from the network. If this incident occurred due to WAN edge peering failure PEERING _EDGE_ DOWN incident(s) is also raised.	4.5.1
PEERING_ BGP_ DOWN	Device	INCIDENT	Critical	BGP Peer Down.	Routing peer session is down. If alternate paths are available traffic is not affected; else the fault is critical.	5.0.3
NETWORK_ STANDARD_ VPN_ ENDPOINT_ DOWN	Controller	INCIDENT	Warning	Standard VPN Endpoint Down.	Multiple service link interfaces connecting to a service endpoint are down.	5.6.1
NETWORK_ VPNKEK_ UNAVAILABLE	Device	INCIDENT	Informational	Key Encryption Key(KEK) is not available	This fault is generated when Key Encryption Key(KEK) required to decrypt shared secrets for VPN Link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for 3 days or more, then this can happen.	6.2.1
NETWORK_ VPNKEK_ UNAVAILABLE	Device	INCIDENT	Informational	Key Encryption Key (KEK) is not available.	This fault is generated when Key Encryption Key (KEK) required to decrypt shared secrets for VPN link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for more than three days, this can happen.
NETWORK_ VPNLINK_ DOWN	Device	INCIDENT	Warning	VPN Link Down	A VPN Link connecting two sites is down. If the VPN Link is the only link between the two sites, VPN based connectivity between those sites has been impacted. If alternate VPN Links exist between the two sites, connectivity and capacity is available between the sites; however additional VPN Link failures between the two sites may impact traffic.
NETWORK_ VPNPEER_ UNAVAILABLE	Device	INCIDENT	Informational	VPN Peer Down	A peer instance on other side of a VPN Link of a remote office (branch) has been declared to be down. This fault will typically be seen along with one of [NETWORK_ VPNLINK _DOWN, PEERING_ CORE_ DOWN, DEVICESW_ GENERAL_ PROCESSSTOP] faults that identify the likely root cause.
NETWORK_ VPNSS_ UNAVAILABLE	Device	INCIDENT	Informational	VPN Shared Secret Unavailable	Shared secret required to establish a VPN Link is not available. The Prisma SD-WAN controller pre-issues a certain number of shared secrets (3 days worth by default). If the communication between the Prisma SD-WAN Controller and the device is down for 3 days or more, then this fault is raised.
NETWORK_ VPNPEER_ UNREACHABLE	Device	INCIDENT	Informational	VPN Peer Unreachable	Control communication could not be established with the VPN Peer. Common reasons include (a) IP Address mis-configuration, (b) NAT misconfiguration or (c) a firewall which is blocking port 4500 traffic as UDP port 4500 is used for control communication between the two VPN Peers.
NETWORK_ VPNSS_ MISMATCH	Device	INCIDENT	Informational	VPN Shared Secret Mismatch	VPN Peers could not agree on a shared secret. Usually happens when (a) one of the devices is not able to contact the Prisma SD-WAN Controller and retrieve the shared secret corresponding to the time window when the fault was raised or (b) the clocks on the VPN Peer devices are out of sync.
NETWORK_ VPNBFD_ DOWN	Device	INCIDENT	Informational	VPN Liveliness Down	VPN Link liveliness is monitored through BFD heartbeats. This fault indicates that the VPN Link went down because the BFD heartbeats failed. If this is a temporary network failure then the VPN Link will come back up once the network is restored. If the fault continues to stay on then check for network availability.
SITE_ CONNECTIVITY_ DOWN	Controller	INCIDENT	Critical	Site Connectivity Down	At the Branch, incident is raised when the site cannot connect to controller or any remote branch or data center. Suppressed Incidents at the Branch site: DEVICESW_ DISCONNECTED _FROM_ CONTROLLER NETWORK_ SECUREFABRICLINK _DOWN The following incidents are suppressed only if they were received by the controller before the site connectivity was lost: DEVICEHW_ INTERFACE _DOWN NETWORK_ DIRECTINTERNET _DOWN NETWORK_ DIRECTPRIVATE _DOWN At the Data Center, incident is raised when all the remote sites are unreachable. Suppressed Incidents at the Data Center site: DEVICESW_ DISCONNECTED _FROM_ CONTROLLER NETWORK_ SECUREFABRICLINK _DOWN	5.5.1
SITE_ CIRCUIT_ ABSENT_ FOR_ POLICY	Controller	INCIDENT	Warning	Path label used in policy is missing on site.	One or more path labels (public-, private-, public-[1-32], private-[1-32]) used in policy not assigned to any site WAN interface at the site.	4.5.1
SITE_ NETWORK_ SERVICE_ ABSENT_ FOR_ POLICY	Controller	INCIDENT	Warning	Policy DC Group Missing Service Endpoint.	One or more DC groups used in the policy has not been assigned a valid service endpoint for the domain bound to the identified site.	5.4.1
SITE_ CONNECTIVITY_ DEGRADED	Controller	INCIDENT	Warning	Site connectivity degraded	Branch site connectivity is degraded due to one or more secure fabric links down, Layer 3 reachability is down or service link is down. Suppressed Incidents: NETWORK_DIRECTINTERNET_DOWNNETWORK_DIRECTPRIVATE_DOWNNETWORK_SECUREFABRICLINK_DOWNNETWORK_SECUREFABRICLINK_DEGRADEDDEVICEHW_INTERFACE_DOWN	5.5.1
SASE_ SERVICEEND POINT_ BANDWIDTH_ LIMIT_ EXCEEDED	Controller	INCIDENT	Warning		Configured circuit bandwidth for sites exceeds allocated bandwidth for region.	6.0.1
SASE_ SERVICEEND POINT_ BANDWIDTH_ SOFT_ LIMIT_ EXCEEDED	Controller	INCIDENT	Informational		Total estimated bandwidth for sites exceeds allocated bandwidth for the region.	6.0.1
VION_ BANDWIDTH_ LIMIT_ EXCEEDED	Controller	INCIDENT	Warning		Configured circuit bandwidth for sites exceeds maximum capacity of the virtual ION.	6.0.1
VION_ BANDWIDTH_ SOFT_ LIMIT_ EXCEEDED	Controller	INCIDENT	Informational		Total estimated bandwidth for sites exceeds maximum capacity of the virtual ION.	6.0.1
SPN_ BANDWIDTH_ LIMIT_ EXCEEDED	Controller	INCIDENT	Warning		Configured circuit bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION.	6.0.1
SPN_ BANDWIDTH_ SOFT_ LIMIT_ EXCEEDED	Controller	INCIDENT	Informational		Total estimated bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION.	6.0.1
NETWORK_ VPNLINKCIPHERS_ INCOMPATIBLE	Controller	INCIDENT	Informational	Network VPN Link Ciphers Incompatible	The two element endpoints do not have a common VPN cipher configured.
PEERING_ EDGE_ DOWN	Device	INCIDENT	Warning	WAN Edge Peer Down	The routing peer session with a configured WAN edge device is down.	N/A (Note: Removed in 5.0.3)
PEERING_ CORE_ DOWN	Device	INCIDENT	Warning	Core Peer Down	The routing peer session with a configured Core device is down.	N/A (Note: Removed in 5.0.3)

Event Category-Device

Event Category-Policy

Prisma SD-WAN Docs

Event Category-Network

Prisma SD-WAN Docs

Event Category-Network

Activation & Onboarding

SASE

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

Prisma SD-WAN Integration

Prisma SD-WAN Experts Corner

Best Practices

Resources