Event Category-Network
Table of Contents
Expand all | Collapse all
Event Category-Network
Learn about the event codes generated due to network-related events in Prisma SD-WAN.
In Prisma SD-WAN, different types of events trigger alerts and incidents.
Prisma SD-WAN generates alerts and incidents on reaching
system-defined thresholds or if there is a fault in the system.
A network-related event that can trigger either an incident or an alert can be due to
issues related to site connectivity, secure fabric
links, service endpoints, or logical interfaces.
The following tables describe a list of event or incident codes, the event
origin, its severity, and a description of each event as per the event category.
For each incident raised on the web interface, you can troubleshoot the issue. If the issue persists,
select Go to Support to create a support ticket. A Palo Alto
Networks Support executive will contact you. You can also return the device to Palo Alto Networks.
| INCIDENT CODE | EVENT ORIGIN | INCIDENT /ALERT | SEVERITY | EVENT TITLE | EVENT DESCRIPTION | RELEASE INTRODUCED |
|---|---|---|---|---|---|---|
|
BRANCH_GATEWAY
CLUSTER_SITE
COUNT_THRESHOLD
_EXCEEDED
| Controller | Incident | Major | Spoke sites limit exceeded on Branch Gateway cluster | The maximum number of branch sites that can be associated with a Branch Gateway site has been exceeded. | 6.4.1 |
|
DEVICESW_
INITIATED_
CONNECTION_ON_
EXCLUDED_PATH
| Device | INCIDENT | Warning | Device Initiated Connection on excluded path. | Device Initiated Connection on excluded interface. | 5.4.3 |
|
HUB_CLUSTER_SITE_COUNT_THRESHIOLD_EXCEEDED
| Controller | INCIDENT | Warning | Hub Cluster Branch Count Limit Exceeded | The maximum number of branches allowed on hub cluster have been exceeded. | 6.1.1 |
|
NETWORK_
SECUREFABRICLINK
_DEGRADED
| Controller | INCIDENT | Informational | Secure Fabric Link is degraded with atleast 1 VPN link UP from the active spoke and 1 or more VPN links DOWN from the active SPOKE. | Secure Fabric Link is degraded with atleast 1 VPN link up
from the active spoke and 1 or more VPN links down from the active
spoke. The incident also displays the reasons for the VPN failure and
the root cause incidents found. Following the controller upgrade to
5.4.1 there will be immediate changes to incidents, including
standing VPN related incidents that will no longer be visible, by
default. If you interact with the events API programmatically, you
must modify the scripts because the VPN incidents are replaced with
a new incident category. When querying for events using the API,
replace the code for NETWORK_SECUREFABRICLINK_DEGRADED with
NETWORK_ANYNETLINK_DEGRADED. Click API Changes for Network Secure Fabric Link Event Codes to know more about
the API changes. | 5.4.1 |
|
NETWORK_
SECUREFABRICLINK
_DOWN
| Controller | INCIDENT | Warning | Secure Fabric Link is down with all VPN Links DOWN from the active spoke. | Secure Fabric Link is down with all VPN links down from
the active spoke. The incident also displays the reasons for the VPN
failure and the root cause incidents found. Following the controller
upgrade to 5.4.1 there will be immediate changes to incidents,
including standing VPN related incidents that will no longer be
visible, by default. If you interact with the events API
programmatically, you must modify the scripts because the VPN
incidents are replaced with a new incident category. When querying
for events using the API, replace the code for
NETWORK_SECUREFABRICLINK_DOWN with NETWORK_ANYNETLINK_DOWN. Click
API Changes for Network Secure Fabric Link Event Codes to know more about
the API changes. | 5.4.1 |
|
NETWORK_
DIRECTINTERNET
_DOWN
| Device | INCIDENT | Warning | Direct Internet Reachability Down. | For remote office or branch sites, reachability on an internet circuit is down. If there are no alternate paths in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later When NETWORK_DIRECTINTERNET_DOWN incident is raised, it also shows related faults. These faults are caused due to this incident which can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
|
NETWORK_
DIRECTPRIVATE
_DOWN
| Device | INCIDENT | Warning | Private WAN Reachability Down. | For remote office or branch sites, all data center sites with the ION 7000 deployed are unreachable on the private WAN. If there are no alternate paths configured in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later When NETWORK_DIRECTPRIVATE_DOWN incident is raised, it also shows related faults. These faults are caused due to this incident which can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
|
NETWORK_
PRIVATEWAN_
DEGRADED
| Device | INCIDENT | Warning | Private WAN Degraded. | For data center sites, a subset of IP prefixes from one or more remote sites are determined to be unreachable over the private WAN based on routing updates received from the network. | 4.5.1 |
|
NETWORK_
PRIVATEWAN_
UNREACHABLE
| Device | INCIDENT | Warning | Private WAN Unreachable. | For data center sites, one or more remote offices declared unreachable over the private WAN based on routing updates received from the network. If this incident occurred due to WAN edge peering failure PEERING_EDGE_DOWN incident(s) is also raised. | 4.5.1 |
|
PEERING_BGP_
DOWN
| Device | INCIDENT | Critical | BGP Peer Down. | Routing peer session is down. If alternate paths are available traffic is not affected; else the fault is critical. | 5.0.3 |
|
NETWORK_
STANDARD_
VPN_ENDPOINT
_DOWN
| Controller | INCIDENT | Warning | Standard VPN Endpoint Down. | Multiple service link interfaces connecting to a service endpoint are down. | 5.6.1 |
|
NETWORK_
VPNKEK_
UNAVAILABLE
| Device | INCIDENT | Informational | Key Encryption Key(KEK) is not available | This fault is generated when Key Encryption Key(KEK) required to decrypt shared secrets for VPN Link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for 3 days or more, then this can happen. | 6.2.1 |
| NETWORK_VPNKEK_UNAVAILABLE | Device | INCIDENT | Informational | Key Encryption Key (KEK) is not available. | This fault is generated when Key Encryption Key (KEK) required to decrypt shared secrets for VPN link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for more than three days, this can happen. | |
|
NETWORK_
VPNLINK_DOWN
| Device | INCIDENT | Warning | VPN Link Down | A VPN Link connecting two sites is down. If the VPN Link is the only link between the two sites, VPN based connectivity between those sites has been impacted. If alternate VPN Links exist between the two sites, connectivity and capacity is available between the sites; however additional VPN Link failures between the two sites may impact traffic. | |
|
NETWORK_
VPNPEER_
UNAVAILABLE
| Device | INCIDENT | Informational | VPN Peer Down | A peer instance on other side of a VPN Link of a remote office (branch) has been declared to be down. This fault will typically be seen along with one of [NETWORK_VPNLINK_DOWN, PEERING_CORE_DOWN, DEVICESW_GENERAL_PROCESSSTOP] faults that identify the likely root cause. | |
|
NETWORK_
VPNSS_
UNAVAILABLE
| Device | INCIDENT | Informational | VPN Shared Secret Unavailable | Shared secret required to establish a VPN Link is not available. The Prisma SD-WAN controller pre-issues a certain number of shared secrets (3 days worth by default). If the communication between the Prisma SD-WAN Controller and the device is down for 3 days or more, then this fault is raised. | |
|
NETWORK_
VPNPEER_
UNREACHABLE
| Device | INCIDENT | Informational | VPN Peer Unreachable | Control communication could not be established with the VPN Peer. Common reasons include (a) IP Address mis-configuration, (b) NAT misconfiguration or (c) a firewall which is blocking port 4500 traffic as UDP port 4500 is used for control communication between the two VPN Peers. | |
|
NETWORK_
VPNSS_
MISMATCH
| Device | INCIDENT | Informational | VPN Shared Secret Mismatch | VPN Peers could not agree on a shared secret. Usually happens when (a) one of the devices is not able to contact the Prisma SD-WAN Controller and retrieve the shared secret corresponding to the time window when the fault was raised or (b) the clocks on the VPN Peer devices are out of sync. | |
|
NETWORK VPNBFD_DOWN
| Device | INCIDENT | Informational | VPN Liveliness Down | VPN Link liveliness is monitored through BFD heartbeats. This fault indicates that the VPN Link went down because the BFD heartbeats failed. If this is a temporary network failure then the VPN Link will come back up once the network is restored. If the fault continues to stay on then check for network availability. | |
|
SITE_
CONNECTIVITY_
DOWN
| Controller | INCIDENT | Critical | Site Connectivity Down | At the Branch, incident is raised when the site cannot
connect to controller or any remote branch or data center. Suppressed
Incidents at the Branch site:
DEVICESW_DISCONNECTED_FROM_CONTROLLERNETWORK_SECUREFABRICLINK_DOWN The
following incidents are suppressed only if they were received by the
controller before the site connectivity was
lost:DEVICEHW_INTERFACE_DOWNNETWORK_DIRECTINTERNET_DOWNNETWORK_DIRECTPRIVATE_DOWN
At the Data Center, incident is raised when all the remote sites
are unreachable. Suppressed Incidents at the Data Center
site:
DEVICESW_DISCONNECTED_FROM_CONTROLLERNETWORK_SECUREFABRICLINK_DOWN | 5.5.1 |
|
SITE_CIRCUIT_
ABSENT_
FOR_POLICY
| Controller | INCIDENT | Warning | Path label used in policy is missing on site. | One or more path labels (public-*, private-*, public-[1-32], private-[1-32]) used in policy not assigned to any site WAN interface at the site. | 4.5.1 |
|
SITE_NETWORK_
SERVICE_ABSENT_
FOR_POLICY
| Controller | INCIDENT | Warning | Policy DC Group Missing Service Endpoint. | One or more DC groups used in the policy has not been assigned a valid service endpoint for the domain bound to the identified site. | 5.4.1 |
|
SITE_
CONNECTIVITY_
DEGRADED
| Controller | INCIDENT | Warning | Site connectivity degraded | Branch site connectivity is degraded due to one or more secure fabric links down, Layer 3 reachability is down or service link is down. Suppressed Incidents: NETWORK_DIRECTINTERNET_DOWNNETWORK_DIRECTPRIVATE_DOWNNETWORK_SECUREFABRICLINK_DOWNNETWORK_SECUREFABRICLINK_DEGRADEDDEVICEHW_INTERFACE_DOWN | 5.5.1 |
|
SASE_
SERVICEENDPOINT_
BANDWIDTH_
LIMIT_
EXCEEDED
| Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds allocated bandwidth for region. | 6.0.1 | |
|
SASE_
SERVICEENDPOINT_
BANDWIDTH_
SOFT_LIMIT_
EXCEEDED
| Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds allocated bandwidth for the region. | 6.0.1 | |
|
VION_
BANDWIDTH_
LIMIT_EXCEEDED
| Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the virtual ION. | 6.0.1 | |
|
VION_
BANDWIDTH_
SOFT_LIMIT_
EXCEEDED
| Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the virtual ION. | 6.0.1 | |
|
SPN_BANDWIDTH_
LIMIT_
EXCEEDED
| Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | 6.0.1 | |
|
SPN_BANDWIDTH_
SOFT_LIMIT_
EXCEEDED
| Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | 6.0.1 |