>
    Strata Copilot
    Event Category-Device
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Incident and Alert Event Codes
    4. Event Category-Device
    Download PDF
    Prisma SD-WAN

    Event Category-Device

    Table of Contents

    Event Category-Device

    Incident and alert event codes based on the categories for troubleshooting in Prisma SD-WAN, Event category - device codes.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    The following tables describe a list of event or incident codes, the event origin, its severity, and a description of each event as per the event category.
    Event Category-Device
    INCIDENT CODEEVENT ORIGININCIDENT /ALERTSEVERITYEVENT TITLEEVENT DESCRIPTIONRELEASE INTRODUCED
    CLAIMCERT_
    AUTO_
    RENEWAL_
    DISABLED
    		DeviceALERTWarningAuto Renewal of Claim Certificate is Disabled.The scheduler process for Claim Certificate renewals wasn't initialized which has caused the auto renewal feature to be disabled on the device. Renewal of Claim Certificate must be triggered manually from the Controller.5.5.1
    CLAIMCERT_
    RENEWAL_
    FAILED
    		DeviceALERTWarningRenewal of Claim Certificate failed.The process of renewing the Claim Certificate encountered problems. These may be related to external events such as failures reported by CA or an incorrect or invalid certificate being issued. Other reasons can be internal failures such as problems arising from generating a CSR request or receiving CSR details from the controller.5.5.1
    CLAIMCERT_
    RENEWAL_
    RETRY_
    LIMIT_
    EXCEEDED
    		DeviceINCIDENTCriticalClaim Certificate Renewal Attempts Exceeded Retry Limit.There were errors observed during the process of Claim Certificate renewal. Repeated attempts to renew the Claim Certificate exceeded three consecutive retries. Auto renewal is therefore disabled and a renewal must be triggered from the Controller. However, this event indicates a problem that’s external to the process and it must be attended to immediately.5.5.1
    CLAIMCERT_
    RENEWALS_
    TOO_
    FREQUENT
    		DeviceALERTWarningClaim Certificate is being Renewed Too Frequently.A condition is reached where a renewed Claim Certificate has already expired and a subsequent renewal is attempted. This condition may occur when the renewal window configured on the Controller is incorrect or the Certificate issued by the CA has an expiry time that has already elapsed.5.5.1
    DEVICEIF_
    IPV6_
    ADDRESS_
    DUPLICATE
    		DeviceINCIDENTWarningDuplicate IPv6 addressAnother device in the local network is using an IPv6 address assigned to this device.6.1.1
    DEVICEHW_
    DISKUTIL_
    FRUSSD
    		DeviceINCIDENTWarningFRU SSD UnavailableLogs and core files are normally stored on separate media on this platform. That media is not currently available. Contact Palo Alto Networks Support.6.2.1
    DEVICEHW_
    DISKENC_
    SYSTEM
    		DeviceINCIDENTCriticalDisk Encryption Upgrade Failure.One of the disks partitions failed to convert into an encrypted partition during the last device upgrade.4.5.1
    DEVICEHW_
    DISKUTIL_
    PARTITION
    SPACE
    		DeviceINCIDENTWarningHigh Disk Capacity Utilization.Disk Storage Utilization on a device has reached 85% capacity. Noncritical functions, including logging and statistics export may be impacted.4.5.1
    DEVICEHW_
    INTERFACE_
    ERRORS
    		DeviceALERTWarningHigh rate of errors on the interface.The number of transmission and/or reception errors seen on an interface over the last one hour period has exceeded the threshold. The threshold is 0.5% of received or transmitted packet count in the same one hour period.4.5.1
    DEVICEHW_
    INTERFACE_
    HALFDUPLEX
    		DeviceINCIDENTWarningInterface running in half-duplex mode.An interface has negotiated half duplex, although it's allowed to run in full duplex, which is preferred.4.5.1
    DEVICEHW_
    INTERFACE_
    DOWN
    		DeviceINCIDENTWarningInterface Down.A configured Admin-Up interface is not receiving a signal or experiencing an error that has caused lack of data flow through that interface.
    Release 5.4.1 onward, when DEVICEHW_
    INTERFACE_
    DOWN incident is raised, it also shows Related Faults. These faults are caused due to this incident that can be NETWORK_
    SECUREFABRICLINK_
    DEGRADED or NETWORK_
    SECUREFABRICLINK_
    DOWN.
    		4.5.1
    DEVICEHW_
    MEMUTIL_
    SWAPSPACE
    		DeviceINCIDENTCriticalHigh Memory Utilization.Memory utilization on a device has reached maximum capacity forcing use of disk-based swap space. Sub-optimal performance impact device functions.4.5.1
    DEVICEHW_
    POWER_LOST
    		DeviceINCIDENTWarningPower Lost. The power supply unit is reporting loss of power, possibly due to failure or unplugged power cable.4.5.1
    DEVICEHW_
    POWER_
    MISSING
    		DeviceINCIDENTWarningPower Supply MissingIf PSU is missing or AC voltage is not detected in ION 5200 and 9200, Power Missing alarm with reason psu_not_present and ac_lost respectively is raised.6.4.1
    DEVICEHW_
    TEMPERATURE_
    SENSOR
    		DeviceINCIDENTWarningOperating temperature beyond thresholdOne or more thermal sensors have reported temperature beyond the operationally safe threshold. Please monitor the device temperature activity chart. If the condition persists, the device will shutdown. This will require manual intervention to turn the device backup .6.2.1
    DEVICEIF_
    ADDRESS_
    DUPLICATE
    		DeviceALERTWarningInterface Duplicate Address.Another device in the local network is using an IP address assigned to this device.4.5.1
    DEVICESW_
    CONCURRENT_
    FLOWLIMIT_
    EXCEEDED
    		DeviceINCIDENTCriticalConcurrent flow limit.The system has reached edits allowed max concurrent flow limit.4.5.1
    DEVICESW_
    CONCURRENT_
    FLOW_
    SOFTLIMIT_
    EXCEEDED
    		DeviceALERTInformationalConcurrent flow soft limit.The system reached its 75% of the max concurrent flow limit.6.2.1
    DEVICESW_
    IMAGE
    _UNSUPPORTED
    		ControllerINCIDENTCriticalUnsupported Software ImageThe device's software image isn't recognized by the controller. The software version may not be allowed in the network or may no longer exist.
    DEVICESW_
    INTERFACE_
    CONFIG_
    OUTOFSYNC
    		DeviceINCIDENTWarningInterface configuration out-of-syncWhen a user modifies interface configuration via the toolkit command when a device is in an assigned state. As a result, the configuration between the element and the controller goes out of sync.6.3.1
    APPLICATION
    _PROBE_
    DISABLED
    		DeviceINCIDENTWarningApplication Probe DisabledApplication probes are disabled either due to incomplete configuration or invalid state. The device will no longer issue an application probe to detect application reachability unless the issue is resolved. Consequently, if application probes are disabled then the application will no longer switch to alternative paths in case it fails on its current path.
    DEVICESW_
    CRITICAL_
    PROCESSRESTART
    		DeviceALERTCriticalCritical Process Restart.A critical software process on the device has restarted either due to an error or as a self-recovery method. Process restart as a self-recovery does not impact long-term functions on the device but can cause short-term suboptimal dataplane functions and errors.4.6.1
    DEVICESW_
    CRITICAL_
    PROCESSSTOP
    		DeviceINCIDENTCriticalCritical Process Stopped.A critical software process on the device has stopped due to an error and is unable to recover with a self-restart. Impacts data forwarding functionality.4.6.1
    DEVICESW_
    DHCPRELAY_
    RESTART
    		DeviceALERTInformationalThe DHCP relay agent restarted.The DHCP relay agent on a device has restarted and recovered from an error.4.4.1
    DEVICESW_
    DHCPSERVER_
    ERRORS
    		DeviceINCIDENTCriticalThe DHCP server failed to start.DHCP server listening on physical interfaces failed to start due to the following reasons:
    • DHCP server configuration error.
    • Lack of active ION device interface with static IP configuration.
    • Internal errors on the ION device.
    		4.4.1
    DEVICESW_
    DHCPSERVER_
    RESTART
    		DeviceALERTInformationalThe DHCP server restarted.The DHCP server listening on physical interfaces has restarted and recovered from an error.4.4.1
    DEVICESW_
    DISCONNECTED_
    FROM_
    CONTROLLER
    		DeviceINCIDENTWarningDevice disconnected from ControllerRelease 5.4.1 and later Device has remained disconnected from the controller for a prolonged duration. The incident hold time has been reduced to 10 minutes. Releases prior to Release 5.4.1 the hold time was 30 minutes. 5.0.3
    DEVICESW_
    FPS_
    LIMIT_
    EXCEEDED
    		DeviceINCIDENTWarningFlows Per Second limit.The system has reached its allowed flows per second limit.4.5.1
    DEVICESW_
    GENERAL_
    PROCESSRE
    START
    		DeviceALERTInformationalProcess Restart.A software process on the device has restarted either due to an error or a self-recovery method. Process restart as self-recovery does not impact long-term functions on the device. However, it can cause short-term suboptimal functions and errors.4.5.1
    DEVICESW_
    GENERAL_
    PROCESSSTOP
    		DeviceINCIDENTWarningThe process Stopped.A software process on the device has stopped due to an error and is unable to recover with a self-restart. Impacts the Functionality.4.5.1
    DEVICESW_
    INITIATED_
    CONNECTION_
    ON_
    EXCLUDED_
    PATH
    		DeviceINCIDENTWarningDevice Initiated Connection on the excluded path.Due to the lack of any other available interface, established a device-initiated controller connection from an excluded interface as a last resort.5.4.3
    DEVICESW_
    LICENSE_
    VERIFICATION_
    FAILED
    		DeviceINCIDENTCriticalVirtual ION license verification failed. The license is no longer valid. The maximum ION device deployment limit is reached.4.5.1
    DEVICESW_
    MONITOR_ DISABLED
    		DeviceINCIDENTWarningSystem Monitoring DisabledA software process that monitors the health of a device and its hardware or software components is disabled.4.5.1
    DEVICESW_
    NTP_
    NO_
    SYNC
    		DeviceINCIDENTWarningNTP synchronization failed.Device NTP has been unreachable for more than 24 hours.4.6.1
    DEVICESW_
    SNMP_
    AGENT_
    RESTART
    		DeviceALERTInformationalSNMPThe SNMP agent on a device has restarted.4.5.1
    DEVICESW_
    SNMP_
    AGENT_
    FAILED_
    TO_
    START
    		DeviceALERTWarningSNMP Agent failed to start.SNMP Agent failed to start due to either invalid configuration or decryption failure.5.2.1
    DEVICESW_
    SYSTEM_
    BOOT
    		DeviceALERTCriticalDevice Reboot.Device rebooted either due to recovery from an incident condition or as part of normal operations, including user initiated reboots and software upgrades. Reboots due to incident conditions can cause suboptimal or significantly reduced functionality on the device.4.5.1
    DEVICESW_
    TOKEN_
    VERIFICATION_
    FAILED
    		DeviceALERTCriticalVirtual ION token validation failed.The token is no longer valid. It's currently utilized, expired, or revoked.4.5.1
    DEVICESW_
    CONNTRACK_
    FLOWLIMIT_
    EXCEEDED
    		DeviceINCIDENTCriticalConntrack table flow count exceeded the threshold.The number of flows in the connection tracking table that are used for features such as NAT and device management policy has exceeded the 90% threshold.5.2.1
    DEVICESW_
    IPFIX_
    COLLECTORS
    _DOWN
    		DeviceINCIDENTWarningIPFIX collectors downThe IPFIX export process observes that there are no active connections to the IPFIX collectors. The process will continue to monitor the connection status and resume export of the IPFIX records once the connection is re-established.5.5.1
    DEVICESW_
    SYSLOG
    SERVERS_
    DOWN
    		DeviceINCIDENTInformationalSyslog Export DownA Syslog Export daemon failed to connect with a remote syslog server.5.6.1
    DEVICESW_
    ANALYTICS_
    DISCONNECTED_
    FROM_
    CONTROLLER
    		ControllerINCIDENTInformationalDevice analytics disconnected from ControllerDevice analytics has remained disconnected from the Controller for a prolonged duration.5.6.1
    DEVICESW
    _FLOWS_
    DISCONNECTED_
    FROM_
    CONTROLLER
    		ControllerINCIDENTInformationalDevice flows disconnected from ControllerDevice flows have remained disconnected from the Controller for a prolonged duration.5.6.1
    FLOW_
    LIMIT_
    PER_SOURCE
    EXCEEDED
    		DeviceINCIDENTWarningExceeded Flow Limit ThresholdWhen the user exceeds the configured Flow Limit Threshold.6.3.6
    NAT_POLICY_
    STATIC_
    NATPOOL_
    OVERRUN
    		DeviceINCIDENTInformationalThe static NAT pool range is overrun by selector prefix.The configured NAT pool range can't map 1:1 with the matching traffic selector prefix.5.2.1
    DEVICESW_
    DNSSECCLOUDSERVER_
    DOWN
    		DeviceINCIDENTWarningDNS Security Cloud Server UnreachableThe DNS Security Cloud Server connection is lost, preventing the categorization of DNS requests.
    6.5.3-i
    DEVICESW_
    SLSCONNECTION_
    DOWN
    		DeviceINCIDENTWarningSLS Cloud Server UnreachableThe Secure Logging Service (SLS) Cloud Server connection has remained disconnected, impacting logging functionality.
    DEVICESW_
    URLCLOUDSERVER_
    DOWN
    		DeviceINCIDENTURL Cloud Server UnreachableThe URL Cloud Server is unreachable, preventing URL categorization.
    DEVICESW_
    APPDEF_
    SIGFILE_
    MISMATCH
    		DeviceINCIDENTWarningApp/Signature File Version MismatchThe Application Definition (Appdef) and Signature file versions do not match.
    6.0.1
    DEVICESW_
    MCTD_
    INITIALIZATION_
    FAILURE
    		DeviceALERTML7 Data Plane Initialization FailureThe ml7 data plane failed to initialize.
    DEVICESW_
    MCTD_
    CONTENT_
    LOAD_
    FAILURE
    		DeviceALERTML7 Content Load FailureThe ml7 content files failed to load.
    DEVICESW_
    MCTD_
    LOG_
    BUFFER_
    FULL
    		DeviceALERTMCTD Log Buffer FullThe MCTD log buffer has reached maximum capacity.
    DEVICEHW_
    ION9000X722FW_
    OUTOFDATE
    		DeviceINCIDENTION 9000 Port 9-12 Firmware Update RequiredA critical firmware update is required to maintain stable operation of ports 9 through 12 on this device.
    DEVICEHW_
    FAN_
    LOST
    		DeviceINCIDENTFan LossA monitored fan is not functioning due to failure, obstruction, or being unplugged.
    DEVICE_
    POE_
    SHUT_
    CPU_
    TEMP_
    OVER_
    THRESHOLD
    		DeviceINCIDENTPoE Shutdown Due to CPU Thermal IssuePoE operations shut down because the CPU temperature exceeded the safe threshold. A system reboot is required to re-enable PoE.
    DEVICE_
    POE_
    PORT_
    POWER_
    OVER_
    THRESHOLD
    		DeviceINCIDENTWarningPort Power Over ThresholdA PoE port's power usage exceeded the configured threshold.6.0.2
    DEVICE_
    POE_
    MAIN_
    POWER_
    OVER_
    THRESHOLD
    		DeviceINCIDENTWarningSystem Power Over ThresholdThe overall power usage for all Power-over-Ethernet (PoE) devices on the system exceeded the configured device threshold.6.0.2
    DEVICE_
    POE_
    MAIN_
    POWER_
    FAULT
    		DeviceINCIDENTWarningMain Power FaultAn internal error occurred in the Power-over-Ethernet (PoE) support requiring device reload, power-cycle, or RMA.6.0.2
    CLAIMCERT_
    EXPIRY_
    WARNING
    		DeviceALERTWarningClaim Certificate Expiration Date ApproachingThe Claim Certificate is approaching its expiration date. This may be due to previous renewal failures or a short expiration period set by the CA.5.5.1
    DEVICESW_
    MFGCERT_
    RENEWAL_
    FAILED
    		DeviceINCIDENTRenewal of MIC Certificate FailedManufacturing Identity Certificate (MIC) renewal failed after multiple consecutive retries, disabling auto-renewal.
    DEVICESW_
    MFGCERT_
    EXPIRY_
    WARNING
    		DeviceALERTMIC Certificate Expiry WarningThe Manufacturing Identity Certificate (MIC) is approaching its expiration date.
    SECURITY_POLICY_RULES_FAILED
    		DeviceAlarmCriticalSecurity Policy Rules FailedThis alarm is generated when the security policy rules creation failed due to an internal error or less memory available on the device.6.3.6

    © 2026 Palo Alto Networks, Inc. All rights reserved.