Prisma SD-WAN
Event Category-Network
Incident and alert event codes based on the categories for troubleshooting in Prisma SD-WAN. Learn about the event codes generated due to network-related events in Prisma SD-WAN.

In Prisma SD-WAN, different types of events trigger alerts and incidents. Prisma SD-WAN generates alerts and incidents on reaching system-defined thresholds or if there is a fault in the system.

A network-related event that can trigger either an incident or an alert can be due to issues related to site connectivity, secure fabric links, service endpoints, or logical interfaces.

The following tables describe a list of event or incident codes, the event origin, its severity, and a description of each event as per the event category.

For each incident raised on the web interface, you can troubleshoot the issue. If the issue persists, select Go to Support to create a support ticket. A Palo Alto Networks Support executive will contact you. You can also return the device to Palo Alto Networks.

| INCIDENT CODE | EVENT ORIGIN | INCIDENT/ALERT | SEVERITY | EVENT TITLE | EVENT DESCRIPTION | RELEASE INTRODUCED |
|---|---|---|---|---|---|---|
| BRANCH_ GATEWAY CLUSTER_SITE COUNT_ THRESHOLD _EXCEEDED | Controller | Incident | Major | Spoke sites limit exceeded on Branch Gateway cluster | The maximum number of branch sites that can be associated with a Branch Gateway site has been exceeded. | 6.4.1 | 
| DEVICESW_INITIATED_CONNECTION_ON_EXCLUDED_PATH | Device | INCIDENT | Warning | Device Initiated Connection on excluded path. | Device Initiated Connection on excluded interface. | 5.4.3 |
| HUB_CLUSTER_SITE_COUNT_THRESHIOLD_EXCEEDED | Controller | INCIDENT | Warning | Hub Cluster Branch Count Limit Exceeded | The maximum number of branches allowed on hub cluster has been exceeded. | 6.1.1 |
| NETWORK_SECUREFABRICLINK_DEGRADED | Controller | INCIDENT | Informational | Secure Fabric Link is degraded with at least 1 VPN link UP from the active spoke and 1 or more VPN links DOWN from the active spoke. | Secure Fabric Link is degraded with at least 1 VPN link up from the active spoke and 1 or more VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1, there will be immediate changes to incidents, including standing VPN-related incidents that will no longer be visible by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DEGRADED with NETWORK_ANYNETLINK_DEGRADED. See API Changes for Network Secure Fabric Link Event Codes to know more about the API changes. | 5.4.1 |
| NETWORK_SECUREFABRICLINK_DOWN | Controller | INCIDENT | Warning | Secure Fabric Link is down with all VPN Links DOWN from the active spoke. | Secure Fabric Link is down with all VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1, there will be immediate changes to incidents, including standing VPN-related incidents that will no longer be visible by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DOWN with NETWORK_ANYNETLINK_DOWN. See API Changes for Network Secure Fabric Link Event Codes to know more about the API changes. | 5.4.1 |
| NETWORK_DIRECTINTERNET_DOWN | Device | INCIDENT | Warning | Direct Internet Reachability Down. | For remote office or branch sites, reachability on an internet circuit is down. If there are no alternate paths in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later: when a NETWORK_DIRECTINTERNET_DOWN incident is raised, it also shows related faults. These faults are caused by this incident and can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
| NETWORK_DIRECTPRIVATE_DOWN | Device | INCIDENT | Warning | Private WAN Reachability Down. | For remote office or branch sites, all data center sites with the ION 7000 deployed are unreachable on the private WAN. If there are no alternate paths configured in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later: when a NETWORK_DIRECTINTERNET_DOWN incident is raised, it also shows related faults. These faults are caused by this incident and can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
| NETWORK_PRIVATEWAN_DEGRADED | Device | INCIDENT | Warning | Private WAN Degraded. | For data center sites, a subset of IP prefixes from one or more remote sites are determined to be unreachable over the private WAN based on routing updates received from the network. | 4.5.1 |
| NETWORK_PRIVATEWAN_UNREACHABLE | Device | INCIDENT | Warning | Private WAN Unreachable. | For data center sites, one or more remote offices are declared unreachable over the private WAN based on routing updates received from the network. If this incident occurred due to a WAN edge peering failure, PEERING_EDGE_DOWN incident(s) are also raised. | 4.5.1 |
| PEERING_BGP_DOWN | Device | INCIDENT | Critical | BGP Peer Down. | Routing peer session is down. If alternate paths are available, traffic is not affected; otherwise the fault is critical. | 5.0.3 |
| NETWORK_STANDARD_VPN_ENDPOINT_DOWN | Controller | INCIDENT | Warning | Standard VPN Endpoint Down. | Multiple service link interfaces connecting to a service endpoint are down. | 5.6.1 |
| NETWORK_VPNKEK_UNAVAILABLE | Device | INCIDENT | Informational | Key Encryption Key (KEK) is not available | This fault is generated when the Key Encryption Key (KEK) required to decrypt shared secrets for a VPN link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for 3 days or more, then this can happen. | 6.2.1 |
| NETWORK_VPNKEK_UNAVAILABLE | Device | INCIDENT | Informational | Key Encryption Key (KEK) is not available. | This fault is generated when the Key Encryption Key (KEK) required to decrypt shared secrets for a VPN link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for more than three days, this can happen. | |
| NETWORK_VPNLINK_DOWN | Device | INCIDENT | Warning | VPN Link Down | A VPN Link connecting two sites is down. If the VPN Link is the only link between the two sites, VPN-based connectivity between those sites has been impacted. If alternate VPN Links exist between the two sites, connectivity and capacity are available between the sites; however, additional VPN Link failures between the two sites may impact traffic. | |
| NETWORK_VPNPEER_UNAVAILABLE | Device | INCIDENT | Informational | VPN Peer Down | A peer instance on the other side of a VPN Link of a remote office (branch) has been declared to be down. This fault will typically be seen along with one of the [NETWORK_VPNLINK_DOWN, PEERING_CORE_DOWN, DEVICESW_GENERAL_PROCESSSTOP] faults that identify the likely root cause. | |
| NETWORK_VPNSS_UNAVAILABLE | Device | INCIDENT | Informational | VPN Shared Secret Unavailable | The shared secret required to establish a VPN Link is not available. The Prisma SD-WAN controller pre-issues a certain number of shared secrets (3 days' worth by default). If the communication between the Prisma SD-WAN Controller and the device is down for 3 days or more, then this fault is raised. | |
| NETWORK_VPNPEER_UNREACHABLE | Device | INCIDENT | Informational | VPN Peer Unreachable | Control communication could not be established with the VPN Peer. Common reasons include (a) IP address misconfiguration, (b) NAT misconfiguration, or (c) a firewall that is blocking port 4500 traffic, as UDP port 4500 is used for control communication between the two VPN Peers. | |
| NETWORK_VPNSS_MISMATCH | Device | INCIDENT | Informational | VPN Shared Secret Mismatch | VPN Peers could not agree on a shared secret. This usually happens when (a) one of the devices is not able to contact the Prisma SD-WAN Controller and retrieve the shared secret corresponding to the time window when the fault was raised or (b) the clocks on the VPN Peer devices are out of sync. | |
| NETWORK_VPNBFD_DOWN | Device | INCIDENT | Informational | VPN Liveliness Down | VPN Link liveliness is monitored through BFD heartbeats. This fault indicates that the VPN Link went down because the BFD heartbeats failed. If this is a temporary network failure, the VPN Link will come back up once the network is restored. If the fault persists, check for network availability. | |
| SITE_CONNECTIVITY_DOWN | Controller | INCIDENT | Critical | Site Connectivity Down | At the Branch, the incident is raised when the site cannot connect to the controller or any remote branch or data center. Suppressed incidents at the Branch site: DEVICESW_DISCONNECTED_FROM_CONTROLLER, NETWORK_SECUREFABRICLINK_DOWN. The following incidents are suppressed only if they were received by the controller before the site connectivity was lost: DEVICEHW_INTERFACE_DOWN, NETWORK_DIRECTINTERNET_DOWN, NETWORK_DIRECTPRIVATE_DOWN. At the Data Center, the incident is raised when all the remote sites are unreachable. Suppressed incidents at the Data Center site: DEVICESW_DISCONNECTED_FROM_CONTROLLER, NETWORK_SECUREFABRICLINK_DOWN. | 5.5.1 |
| SITE_CIRCUIT_ABSENT_FOR_POLICY | Controller | INCIDENT | Warning | Path label used in policy is missing on site. | One or more path labels (public-*, private-*, public-[1-32], private-[1-32]) used in policy are not assigned to any site WAN interface at the site. | 4.5.1 |
| SITE_NETWORK_SERVICE_ABSENT_FOR_POLICY | Controller | INCIDENT | Warning | Policy DC Group Missing Service Endpoint. | One or more DC groups used in the policy have not been assigned a valid service endpoint for the domain bound to the identified site. | 5.4.1 |
| SITE_CONNECTIVITY_DEGRADED | Controller | INCIDENT | Warning | Site connectivity degraded | Branch site connectivity is degraded because one or more secure fabric links are down, Layer 3 reachability is down, or a service link is down. Suppressed incidents: NETWORK_DIRECTINTERNET_DOWN, NETWORK_DIRECTPRIVATE_DOWN, NETWORK_SECUREFABRICLINK_DOWN, NETWORK_SECUREFABRICLINK_DEGRADED, DEVICEHW_INTERFACE_DOWN. | 5.5.1 |
| SASE_SERVICEENDPOINT_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds allocated bandwidth for region. | | 6.0.1 |
| SASE_SERVICEENDPOINT_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds allocated bandwidth for the region. | | 6.0.1 |
| VION_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the virtual ION. | | 6.0.1 |
| VION_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the virtual ION. | | 6.0.1 |
| SPN_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | | 6.0.1 |
| SPN_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | | 6.0.1 |
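
The suppression rules in the SITE_CONNECTIVITY_DOWN and SITE_CONNECTIVITY_DEGRADED rows and the API code substitution in the NETWORK_SECUREFABRICLINK rows can be applied to exported events as follows. This is an added example, not Palo Alto Networks code: the event fields (`site`, `code`, `time`), the sample events, and the reading of "received before the site connectivity was lost" as an earlier `time` are assumptions, and only the branch-site rules are modeled.

```python
"""Added example: field names and sample events are constructed, not the events API schema."""

# Code substitution for API queries, from the NETWORK_SECUREFABRICLINK_* rows.
API_QUERY_CODE = {
    "NETWORK_SECUREFABRICLINK_DEGRADED": "NETWORK_ANYNETLINK_DEGRADED",
    "NETWORK_SECUREFABRICLINK_DOWN": "NETWORK_ANYNETLINK_DOWN",
}
TABLE_CODE = {api: table for table, api in API_QUERY_CODE.items()}

# Branch-site suppression rules, from the SITE_CONNECTIVITY_* rows.
ALWAYS = {
    "SITE_CONNECTIVITY_DOWN": {"DEVICESW_DISCONNECTED_FROM_CONTROLLER",
                               "NETWORK_SECUREFABRICLINK_DOWN"},
    "SITE_CONNECTIVITY_DEGRADED": {"NETWORK_DIRECTINTERNET_DOWN", "NETWORK_DIRECTPRIVATE_DOWN",
                                   "NETWORK_SECUREFABRICLINK_DOWN",
                                   "NETWORK_SECUREFABRICLINK_DEGRADED",
                                   "DEVICEHW_INTERFACE_DOWN"},
}
# Suppressed only if received before site connectivity was lost (assumed: earlier time).
IF_EARLIER = {
    "SITE_CONNECTIVITY_DOWN": {"DEVICEHW_INTERFACE_DOWN", "NETWORK_DIRECTINTERNET_DOWN",
                               "NETWORK_DIRECTPRIVATE_DOWN"},
}

def triage(events):
    """Split events into (actionable, suppressed) lists of (site, table code)."""
    # Map API-side ANYNETLINK codes back to the names used in the table.
    events = [dict(e, code=TABLE_CODE.get(e["code"], e["code"])) for e in events]
    actionable, suppressed = [], []
    for e in events:
        hidden = any(
            p["site"] == e["site"] and (
                e["code"] in ALWAYS.get(p["code"], ())
                or (e["code"] in IF_EARLIER.get(p["code"], ()) and e["time"] < p["time"]))
            for p in events)
        (suppressed if hidden else actionable).append((e["site"], e["code"]))
    return actionable, suppressed

# Constructed sample; time is seconds from an arbitrary start.
SAMPLE = [
    {"site": "branch-1", "code": "NETWORK_DIRECTINTERNET_DOWN", "time": 10},
    {"site": "branch-1", "code": "NETWORK_ANYNETLINK_DOWN", "time": 12},
    {"site": "branch-1", "code": "SITE_CONNECTIVITY_DOWN", "time": 15},
    {"site": "branch-1", "code": "DEVICEHW_INTERFACE_DOWN", "time": 20},
    {"site": "branch-2", "code": "NETWORK_VPNPEER_UNREACHABLE", "time": 11},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```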
