: Alert and Alarm Event Codes
Focus
Focus

Alert and Alarm Event Codes

Table of Contents

Alert and Alarm Event Codes

Learn more about the alert and alarm event codes generated in
Prisma SD-WAN
.
The following tables describe a list of event or alarm codes, the event origin, its severity, and a description of each event as per the event category.
Event Category-Device
ALARM CODE
EVENT ORIGIN
ALARM /ALERT
SEVERITY
EVENT TITLE
EVENT DESCRIPTION
RELEASE INTRODUCED
DEVICEIF_IPV6_ADDRESS_DUPLICATE
Device
ALARM
Major
Duplicate IPv6 address
Another device in the local network is using an IPv6 address assigned to this device.
6.1.1
DEVICEHW_
DISKUTIL_
FRUSSD
Device
ALARM
MAJOR
FRU SSD Unavailable
Logs and core files are normally stored on separate media on this platform. That media is not currently available. Contact Palo Alto Networks Support.
6.2.1
DEVICEHW_
DISKENC_
SYSTEM
Device
ALARM
Critical
Disk Encryption Upgrade Failure.
One of the disk partitions failed to convert into an encrypted partition during the last device upgrade.
4.5.1
DEVICEHW_
DISKUTIL_
PARTITIONSPACE
Device
ALARM
Major
High Disk Capacity Utilization.
Disk Storage Utilization on a device has reached 85% capacity. Noncritical functions, including logging and statistics export may be impacted.
4.5.1
DEVICEHW_
INTERFACE_
ERRORS
Device
ALERT
Major
High rate of errors on the interface.
Number of transmission and/or reception errors seen on an interface over the last one hour period has exceeded the threshold. The threshold is 0.5% of received or transmitted packet count in the same one hour period.
4.5.1
DEVICEHW_
INTERFACE_
HALFDUPLEX
Device
ALARM
Major
Interface running in half-duplex mode.
An interface has negotiated half duplex, although it is allowed to run in full duplex, which is preferred.
4.5.1
DEVICEHW_
INTERFACE_DOWN
Device
ALARM
Major
Interface Down.
A configured
Admin-Up
interface is not receiving a signal or experiencing an error that has caused lack of data flow through that interface.
Release 5.4.1
onward, when DEVICEHW_INTERFACE_DOWN alarm is raised, it also shows Related Faults. These faults are caused due to this alarm which can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN.
4.5.1
DEVICEHW_
MEMUTIL_
SWAPSPACE
Device
ALARM
Critical
High Memory Utilization.
Memory utilization on a device has reached maximum capacity forcing use of disk based swap space. Sub-optimal performance impact device functions.
4.5.1
DEVICEHW_
POWER_LOST
Device
ALARM
Major
Power Lost.
Power supply unit is reporting loss of power, possibly due to failure or unplugged power cable.
4.5.1
DEVICEHW_POWER_MISSING
Device
ALARM
MAJOR
Power Supply Missing
If PSU is missing or AC voltage is not detected in ION 5200 and 9200, Power Missing alarm with reason psu_not_present and ac_lost respectively is raised.
6.4.1
DEVICEHW_
TEMPERATURE_
SENSOR
Device
ALARM
MAJOR
Operating temperature beyond threshold
One or more thermal sensors has reported temperature beyond operationally safe threshold. Please monitor device temperature activity chart. If the condition persists, the device will shutdown. This will require manual intervention to turn the device back up.
6.2.1
DEVICEIF_
ADDRESS_
DUPLICATE
Device
ALERT
Major
Interface Duplicate Address.
Another device in the local network is using an IP address assigned to this device.
4.5.1
DEVICESW_
CONCURRENT_
FLOWLIMIT_
EXCEEDED
Device
ALARM
Critical
Concurrent flow limit.
The system has reach edits allowed max concurrent flow limit.
4.5.1
DEVICESW_
CONCURRENT_
FLOW_
SOFTLIMIT_
EXCEEDED
Device
ALERT
Minor
Concurrent flow soft limit.
The system reached its 75% of the max concurrent flow limit.
6.2.1
DEVICESW_IMAGE
_UNSUPPORTED
Controller
ALARM
Critical
Unsupported Software Image
Device's software image is not recognized by the controller. The software version may not be allowed in the network or may no longer exist.
APPLICATION_
PROBE_DISABLED
Device
ALARM
Major
Application Probe Disabled
Application probes are disabled either due to incomplete configuration or invalid state. Device will no longer issue application probe to detect application reachability unless the issue is resolved. Consequently, if application probes are disabled then application will no longer switch to alternative paths in case it fails on its current path.
DEVICESW_
CRITICAL_
PROCESSRESTART
Device
ALERT
Critical
Critical Process Restart.
A critical software process on the device has restarted either due to an error or as a self recovery method. Process restart as a self-recovery does not impact long-term functions on the device but can cause short term sub-optimal data plane functions and errors.
4.6.1
DEVICESW_
CRITICAL_
PROCESSSTOP
Device
ALARM
Critical
Critical Process Stopped.
A critical software process on the device has stopped due to an error and is unable to recover with a self restart. Impacts data forwarding functionality.
4.6.1
DEVICESW_
DHCPRELAY_
RESTART
Device
ALERT
Minor
DHCP relay agent restarted.
DHCP relay agent on a device has restarted and recovered from an error.
4.4.1
DEVICESW_
DHCPSERVER_
ERRORS
Device
ALARM
Critical
DHCP server failed to start.
DHCP server listening on physical interfaces failed to start due to the following reasons:
  • DHCP server configuration error.
  • Lack of active ION device interface with static IP configuration.
  • Internal errors on the ION device.
4.4.1
DEVICESW_
DHCPSERVER_
RESTART
Device
ALERT
Minor
DHCP server restarted.
DHCP server listening on physical interfaces has restarted and recovered from an error.
4.4.1
DEVICESW_
DISCONNECTED_
FROM_
CONTROLLER
Device
ALARM
Major
Device disconnected from Controller
Release 5.4.1 and later
Device has remained disconnected from the controller for a prolonged duration. The alarm hold time has been reduced to 10 minutes.
Releases prior to Release 5.4.1
the hold time was 30 minutes.
5.0.3
DEVICESW_FPS_
LIMIT_ EXCEEDED
Device
ALARM
Major
Flows Per Second limit.
The system has reached its allowed flows per second limit.
4.5.1
DEVICESW_
GENERAL_
PROCESSRESTART
Device
ALERT
Minor
Process Restart.
A software process on the device has restarted either due to an error or self-recovery method. Process restart as self recovery does not impact long-term functions on the device. However, it can cause short-term sub-optimal functions and errors.
4.5.1
DEVICESW_
GENERAL_
PROCESSSTOP
Device
ALARM
Major
Process Stopped.
A software process on the device has stopped due to an error and is unable to recover with a self-restart. Impacts the Functionality.
4.5.1
DEVICESW_
INITIATED_
CONNECTION_ON_
EXCLUDED_PATH
Device
ALARM
Major
Device Initiated Connection on excluded path.
Due to the lack of any other available interface, established a device initiated controller connection from an excluded interface as a last resort.
5.4.3
DEVICESW_LICENSE_
VERIFICATION_
FAILED
Device
ALARM
Critical
Virtual ION license verification failed.
The license is no longer valid. The maximum ION device deployment limit is reached.
4.5.1
DEVICESW_
MONITOR_ DISABLED
Device
ALARM
Major
System Monitoring Disabled
A software process that monitors the health of device and its hardware or software components is disabled.
4.5.1
DEVICESW_NTP_
NO_SYNC
Device
ALARM
Major
NTP synchronization failed.
Device NTP has been unreachable for more than 24 hours.
4.6.1
DEVICESW_SNMP_
AGENT_ RESTART
Device
ALERT
Minor
SNMP
SNMP agent on a device has restarted.
4.5.1
DEVICESW_
SNMP_
AGENT_FAILED_
TO_START
Device
ALERT
Major
SNMP Agent failed to start.
SNMP Agent failed to start due to either invalid configuration or decryption failure.
5.2.1
DEVICESW_
SYSTEM_BOOT
Device
ALERT
Critical
Device Reboot.
Device rebooted either due to recovery from an alarm condition or as part of normal operations, including user initiated reboots and software upgrades. Reboots due to alarm conditions can cause sub-optimal or significantly reduced functionality on the device.
4.5.1
DEVICESW_
TOKEN_
VERIFICATION_
FAILED
Device
ALERT
Critical
Virtual ION token validation failed.
The token is no longer valid. It is currently utilized, expired, or revoked.
4.5.1
DEVICESW_
CONNTRACK_
FLOWLIMIT_
EXCEEDED
Device
ALARM
Critical
Conntrack table flow count exceeded threshold.
Number of flows in the connection tracking table that are used for features such as NAT and device management policy has exceeded 90% threshold.
5.2.1
DEVICESW_
IPFIX_
COLLECTORS_DOWN
Device
ALARM
Major
IPFIX collectors down
The IPFIX export process observes that there are no active connections to the IPFIX collectors. The process will continue to monitor the connection status and resume export of the IPFIX records once the connection is re-established.
5.5.1
DEVICESW_
SYSLOGSERVERS_
DOWN
Device
ALARM
Minor
Syslog Export Down
A Syslog Export daemon failed to connect with remote syslog server.
5.6.1
DEVICESW_
ANALYTICS_
DISCONNECTED_
FROM_CONTROLLER
Controller
ALARM
Minor
Device analytics disconnected from Controller
Device analytics has remained disconnected from the Controller for a prolonged duration.
5.6.1
DEVICESW_FLOWS_
DISCONNECTED_
FROM_CONTROLLER
Controller
ALARM
Minor
Device flows disconnected from Controller
Device flows has remained disconnected from the Controller for a prolonged duration.
5.6.1
NAT_POLICY_
STATIC_NATPOOL_
OVERRUN
Device
ALARM
Minor
Static NAT pool range is overrun by selector prefix.
Configured NAT pool range cannot map 1:1 with matching traffic selector prefix.
5.2.1
Event Category-Network
ALARM CODE
EVENT ORIGIN
ALARM /ALERT
SEVERITY
EVENT TITLE
EVENT DESCRIPTION
RELEASE INTRODUCED
DEVICESW_
INITIATED_
CONNECTION_ON_
EXCLUDED_PATH
Device
ALARM
Major
Device Initiated Connection on excluded path.
Device Initiated Connection on excluded interface.
5.4.3
HUB_CLUSTER_SITE_COUNT_THRESHIOLD_EXCEEDED
Controller
ALARM
Major
Hub Cluster Branch Count Limit Exceeded
The maximum number of branches allowed on hub cluster have been exceeded.
6.1.1
NETWORK_
SECUREFABRICLINK
_DEGRADED
Controller
ALARM
Minor
Secure Fabric Link is degraded with atleast 1 VPN link UP from the active spoke and 1 or more VPN links DOWN from the active SPOKE.
Secure Fabric Link is degraded with atleast 1 VPN link up from the active spoke and 1 or more VPN links down from the active spoke. The alarm also displays the reasons for the VPN failure and the root cause alarms found.
Following the controller upgrade to 5.4.1 there will be immediate changes to alarms, including standing VPN related alarms that will no longer be visible, by default. If you interact with the events API programmatically, you must modify the scripts because the VPN alarms are replaced with a new alarm category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DEGRADED with NETWORK_ANYNETLINK_DEGRADED. Click here to know more about the API changes.
5.4.1
NETWORK_
SECUREFABRICLINK
_DOWN
Controller
ALARM
Major
Secure Fabric Link is down with all VPN Links DOWN from the active spoke.
Secure Fabric Link is down with all VPN links down from the active spoke. The alarm also displays the reasons for the VPN failure and the root cause alarms found.
Following the controller upgrade to 5.4.1 there will be immediate changes to alarms, including standing VPN related alarms that will no longer be visible, by default. If you interact with the events API programmatically, you must modify the scripts because the VPN alarms are replaced with a new alarm category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DOWN with NETWORK_ANYNETLINK_DOWN. Click here to know more about the API changes.
5.4.1
NETWORK_
DIRECTINTERNET
_DOWN
Device
ALARM
Major
Direct Internet Reachability Down.
For remote office or branch sites, reachability on an internet circuit is down. If there are no alternate paths in application policy, the alarm indicates that traffic is impacted and must be attended to immediately.
Release 5.4.1 and later
When NETWORK_DIRECTINTERNET_DOWN alarm is raised, it also shows related faults. These faults are caused due to this alarm which can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN.
4.5.1
NETWORK_
DIRECTPRIVATE
_DOWN
Device
ALARM
Major
Private WAN Reachability Down.
For remote office or branch sites, all data center sites with the ION 7000 deployed are unreachable on the private WAN. If there are no alternate paths configured in application policy, the alarm indicates that traffic is impacted and must be attended to immediately.
Release 5.4.1 and later
When NETWORK_DIRECTPRIVATE_DOWN alarm is raised, it also shows related faults. These faults are caused due to this alarm which can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN.
4.5.1
NETWORK_
PRIVATEWAN_
DEGRADED
Device
ALARM
Major
Private WAN Degraded.
For data center sites, a subset of IP prefixes from one or more remote sites are determined to be unreachable over the private WAN based on routing updates received from the network.
4.5.1
NETWORK_
PRIVATEWAN_
UNREACHABLE
Device
ALARM
Major
Private WAN Unreachable.