Event Category-Network
Learn about the event codes generated due to network-related events in Prisma SD-WAN.

In Prisma SD-WAN, different types of events trigger alerts and incidents. Prisma SD-WAN generates alerts and incidents on reaching system-defined thresholds or if there is a fault in the system. A network-related event that can trigger either an incident or an alert can be due to issues related to site connectivity, secure fabric links, service endpoints, or logical interfaces.

The following table lists the event or incident codes in this category, with the event origin, severity, and a description of each event.

For each incident raised on the web interface, you can troubleshoot the issue. If the issue persists, select Go to Support to create a support ticket. A Palo Alto Networks Support executive will contact you. You can also return the device to Palo Alto Networks.

INCIDENT CODE | EVENT ORIGIN | INCIDENT/ALERT | SEVERITY | EVENT TITLE | EVENT DESCRIPTION | RELEASE INTRODUCED |
---|---|---|---|---|---|---|
BRANCH_GATEWAY CLUSTER_SITE COUNT_THRESHOLD _EXCEEDED | Controller | Incident | Major | Spoke sites limit exceeded on Branch Gateway cluster | The maximum number of branch sites that can be associated with a Branch Gateway site has been exceeded. | 6.4.1 |
DEVICESW_INITIATED_CONNECTION_ON_EXCLUDED_PATH | Device | INCIDENT | Warning | Device Initiated Connection on excluded path. | Device Initiated Connection on excluded interface. | 5.4.3 |
HUB_CLUSTER_SITE_COUNT_THRESHIOLD_EXCEEDED | Controller | INCIDENT | Warning | Hub Cluster Branch Count Limit Exceeded | The maximum number of branches allowed on the hub cluster has been exceeded. | 6.1.1 |
NETWORK_SECUREFABRICLINK_DEGRADED | Controller | INCIDENT | Informational | Secure Fabric Link is degraded with at least 1 VPN link UP from the active spoke and 1 or more VPN links DOWN from the active spoke. | Secure Fabric Link is degraded with at least 1 VPN link up from the active spoke and 1 or more VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1, there will be immediate changes to incidents, including standing VPN-related incidents that will no longer be visible by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DEGRADED with NETWORK_ANYNETLINK_DEGRADED. See API Changes for Network Secure Fabric Link Event Codes to learn more about the API changes. | 5.4.1 |
NETWORK_SECUREFABRICLINK_DOWN | Controller | INCIDENT | Warning | Secure Fabric Link is down with all VPN Links DOWN from the active spoke. | Secure Fabric Link is down with all VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1, there will be immediate changes to incidents, including standing VPN-related incidents that will no longer be visible by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DOWN with NETWORK_ANYNETLINK_DOWN. See API Changes for Network Secure Fabric Link Event Codes to learn more about the API changes. | 5.4.1 |
NETWORK_DIRECTINTERNET_DOWN | Device | INCIDENT | Warning | Direct Internet Reachability Down. | For remote office or branch sites, reachability on an internet circuit is down. If there are no alternate paths in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later: when a NETWORK_DIRECTINTERNET_DOWN incident is raised, it also shows related faults. These faults, which are caused by this incident, can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
NETWORK_DIRECTPRIVATE_DOWN | Device | INCIDENT | Warning | Private WAN Reachability Down. | For remote office or branch sites, all data center sites with the ION 7000 deployed are unreachable on the private WAN. If there are no alternate paths configured in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later: when a NETWORK_DIRECTPRIVATE_DOWN incident is raised, it also shows related faults. These faults, which are caused by this incident, can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
NETWORK_PRIVATEWAN_DEGRADED | Device | INCIDENT | Warning | Private WAN Degraded. | For data center sites, a subset of IP prefixes from one or more remote sites are determined to be unreachable over the private WAN based on routing updates received from the network. | 4.5.1 |
NETWORK_PRIVATEWAN_UNREACHABLE | Device | INCIDENT | Warning | Private WAN Unreachable. | For data center sites, one or more remote offices are declared unreachable over the private WAN based on routing updates received from the network. If this incident occurred due to a WAN edge peering failure, PEERING_EDGE_DOWN incident(s) are also raised. | 4.5.1 |
PEERING_BGP_DOWN | Device | INCIDENT | Critical | BGP Peer Down. | Routing peer session is down. If alternate paths are available, traffic is not affected; otherwise the fault is critical. | 5.0.3 |
NETWORK_STANDARD_VPN_ENDPOINT_DOWN | Controller | INCIDENT | Warning | Standard VPN Endpoint Down. | Multiple service link interfaces connecting to a service endpoint are down. | 5.6.1 |
NETWORK_VPNKEK_UNAVAILABLE | Device | INCIDENT | Informational | Key Encryption Key (KEK) is not available | This fault is generated when the Key Encryption Key (KEK) required to decrypt shared secrets for a VPN Link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for 3 days or more, then this can happen. | 6.2.1 |
NETWORK_VPNKEK_UNAVAILABLE | Device | INCIDENT | Informational | Key Encryption Key (KEK) is not available. | This fault is generated when the Key Encryption Key (KEK) required to decrypt shared secrets for a VPN link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for more than three days, this can happen. | |
NETWORK_VPNLINK_DOWN | Device | INCIDENT | Warning | VPN Link Down | A VPN Link connecting two sites is down. If the VPN Link is the only link between the two sites, VPN-based connectivity between those sites has been impacted. If alternate VPN Links exist between the two sites, connectivity and capacity are available between the sites; however, additional VPN Link failures between the two sites may impact traffic. | |
NETWORK_VPNPEER_UNAVAILABLE | Device | INCIDENT | Informational | VPN Peer Down | A peer instance on the other side of a VPN Link of a remote office (branch) has been declared to be down. This fault will typically be seen along with one of the [NETWORK_VPNLINK_DOWN, PEERING_CORE_DOWN, DEVICESW_GENERAL_PROCESSSTOP] faults that identify the likely root cause. | |
NETWORK_VPNSS_UNAVAILABLE | Device | INCIDENT | Informational | VPN Shared Secret Unavailable | The shared secret required to establish a VPN Link is not available. The Prisma SD-WAN controller pre-issues a certain number of shared secrets (3 days' worth by default). If the communication between the Prisma SD-WAN Controller and the device is down for 3 days or more, then this fault is raised. | |
NETWORK_VPNPEER_UNREACHABLE | Device | INCIDENT | Informational | VPN Peer Unreachable | Control communication could not be established with the VPN Peer. Common reasons include (a) IP address misconfiguration, (b) NAT misconfiguration, or (c) a firewall that is blocking port 4500 traffic; UDP port 4500 is used for control communication between the two VPN Peers. | |
NETWORK_VPNSS_MISMATCH | Device | INCIDENT | Informational | VPN Shared Secret Mismatch | VPN Peers could not agree on a shared secret. This usually happens when (a) one of the devices is not able to contact the Prisma SD-WAN Controller and retrieve the shared secret corresponding to the time window when the fault was raised or (b) the clocks on the VPN Peer devices are out of sync. | |
NETWORK_VPNBFD_DOWN | Device | INCIDENT | Informational | VPN Liveliness Down | VPN Link liveliness is monitored through BFD heartbeats. This fault indicates that the VPN Link went down because the BFD heartbeats failed. If this is a temporary network failure, the VPN Link will come back up once the network is restored. If the fault persists, check for network availability. | |
SITE_CONNECTIVITY_DOWN | Controller | INCIDENT | Critical | Site Connectivity Down | At the Branch, the incident is raised when the site cannot connect to the controller or to any remote branch or data center. Suppressed incidents at the Branch site: DEVICESW_DISCONNECTED_FROM_CONTROLLER, NETWORK_SECUREFABRICLINK_DOWN. The following incidents are suppressed only if they were received by the controller before the site connectivity was lost: DEVICEHW_INTERFACE_DOWN, NETWORK_DIRECTINTERNET_DOWN, NETWORK_DIRECTPRIVATE_DOWN. At the Data Center, the incident is raised when all the remote sites are unreachable. Suppressed incidents at the Data Center site: DEVICESW_DISCONNECTED_FROM_CONTROLLER, NETWORK_SECUREFABRICLINK_DOWN. | 5.5.1 |
SITE_CIRCUIT_ABSENT_FOR_POLICY | Controller | INCIDENT | Warning | Path label used in policy is missing on site. | One or more path labels (public-*, private-*, public-[1-32], private-[1-32]) used in policy are not assigned to any site WAN interface at the site. | 4.5.1 |
SITE_NETWORK_SERVICE_ABSENT_FOR_POLICY | Controller | INCIDENT | Warning | Policy DC Group Missing Service Endpoint. | One or more DC groups used in the policy have not been assigned a valid service endpoint for the domain bound to the identified site. | 5.4.1 |
SITE_CONNECTIVITY_DEGRADED | Controller | INCIDENT | Warning | Site connectivity degraded | Branch site connectivity is degraded because one or more secure fabric links are down, Layer 3 reachability is down, or a service link is down. Suppressed incidents: NETWORK_DIRECTINTERNET_DOWN, NETWORK_DIRECTPRIVATE_DOWN, NETWORK_SECUREFABRICLINK_DOWN, NETWORK_SECUREFABRICLINK_DEGRADED, DEVICEHW_INTERFACE_DOWN. | 5.5.1 |
SASE_SERVICEENDPOINT_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds allocated bandwidth for region. | 6.0.1 | |
SASE_SERVICEENDPOINT_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds allocated bandwidth for the region. | 6.0.1 | |
VION_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the virtual ION. | 6.0.1 | |
VION_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the virtual ION. | 6.0.1 | |
SPN_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | 6.0.1 | |
SPN_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | 6.0.1 |