Event Category-Network

Learn about the event codes generated due to network-related events in Prisma SD-WAN.
In Prisma SD-WAN, different types of events trigger alerts and incidents. Prisma SD-WAN generates alerts and incidents on reaching system-defined thresholds or if there is a fault in the system.
A network-related event that can trigger either an incident or an alert can be due to issues related to site connectivity, secure fabric links, service endpoints, or logical interfaces.
The following tables list the event or incident codes, the event origin, the severity, and a description of each event for the event category.
For each incident raised on the web interface, you can troubleshoot the issue. If the issue persists, select Go to Support to create a support ticket. A Palo Alto Networks Support executive will contact you. You can also return the device to Palo Alto Networks.
Event Category-Network
| INCIDENT CODE | EVENT ORIGIN | INCIDENT / ALERT | SEVERITY | EVENT TITLE | EVENT DESCRIPTION | RELEASE INTRODUCED |
| --- | --- | --- | --- | --- | --- | --- |
| BRANCH_GATEWAY_CLUSTER_SITE_COUNT_THRESHOLD_EXCEEDED | Controller | Incident | Major | Spoke sites limit exceeded on Branch Gateway cluster | The maximum number of branch sites that can be associated with a Branch Gateway site has been exceeded. | 6.4.1 |
| DEVICESW_INITIATED_CONNECTION_ON_EXCLUDED_PATH | Device | INCIDENT | Warning | Device Initiated Connection on excluded path. | Device Initiated Connection on excluded interface. | 5.4.3 |
| HUB_CLUSTER_SITE_COUNT_THRESHIOLD_EXCEEDED | Controller | INCIDENT | Warning | Hub Cluster Branch Count Limit Exceeded | The maximum number of branches allowed on the hub cluster has been exceeded. | 6.1.1 |
| NETWORK_SECUREFABRICLINK_DEGRADED | Controller | INCIDENT | Informational | Secure Fabric Link is degraded with at least 1 VPN link UP from the active spoke and 1 or more VPN links DOWN from the active SPOKE. | Secure Fabric Link is degraded with at least 1 VPN link up from the active spoke and 1 or more VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1, there will be immediate changes to incidents, including standing VPN-related incidents that will no longer be visible by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DEGRADED with NETWORK_ANYNETLINK_DEGRADED. See API Changes for Network Secure Fabric Link Event Codes to know more about the API changes. | 5.4.1 |
| NETWORK_SECUREFABRICLINK_DOWN | Controller | INCIDENT | Warning | Secure Fabric Link is down with all VPN Links DOWN from the active spoke. | Secure Fabric Link is down with all VPN links down from the active spoke. The incident also displays the reasons for the VPN failure and the root cause incidents found. Following the controller upgrade to 5.4.1, there will be immediate changes to incidents, including standing VPN-related incidents that will no longer be visible by default. If you interact with the events API programmatically, you must modify the scripts because the VPN incidents are replaced with a new incident category. When querying for events using the API, replace the code for NETWORK_SECUREFABRICLINK_DOWN with NETWORK_ANYNETLINK_DOWN. See API Changes for Network Secure Fabric Link Event Codes to know more about the API changes. | 5.4.1 |
| NETWORK_DIRECTINTERNET_DOWN | Device | INCIDENT | Warning | Direct Internet Reachability Down. | For remote office or branch sites, reachability on an internet circuit is down. If there are no alternate paths in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later: When a NETWORK_DIRECTINTERNET_DOWN incident is raised, it also shows related faults. These faults, which are caused by this incident, can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
| NETWORK_DIRECTPRIVATE_DOWN | Device | INCIDENT | Warning | Private WAN Reachability Down. | For remote office or branch sites, all data center sites with the ION 7000 deployed are unreachable on the private WAN. If there are no alternate paths configured in application policy, the incident indicates that traffic is impacted and must be attended to immediately. Release 5.4.1 and later: When a NETWORK_DIRECTPRIVATE_DOWN incident is raised, it also shows related faults. These faults, which are caused by this incident, can be NETWORK_SECUREFABRICLINK_DEGRADED or NETWORK_SECUREFABRICLINK_DOWN. | 4.5.1 |
| NETWORK_PRIVATEWAN_DEGRADED | Device | INCIDENT | Warning | Private WAN Degraded. | For data center sites, a subset of IP prefixes from one or more remote sites are determined to be unreachable over the private WAN based on routing updates received from the network. | 4.5.1 |
| NETWORK_PRIVATEWAN_UNREACHABLE | Device | INCIDENT | Warning | Private WAN Unreachable. | For data center sites, one or more remote offices are declared unreachable over the private WAN based on routing updates received from the network. If this incident occurred due to a WAN edge peering failure, PEERING_EDGE_DOWN incident(s) are also raised. | 4.5.1 |
| PEERING_BGP_DOWN | Device | INCIDENT | Critical | BGP Peer Down. | Routing peer session is down. If alternate paths are available, traffic is not affected; otherwise the fault is critical. | 5.0.3 |
| NETWORK_STANDARD_VPN_ENDPOINT_DOWN | Controller | INCIDENT | Warning | Standard VPN Endpoint Down. | Multiple service link interfaces connecting to a service endpoint are down. | 5.6.1 |
| NETWORK_VPNKEK_UNAVAILABLE | Device | INCIDENT | Informational | Key Encryption Key (KEK) is not available | This fault is generated when the Key Encryption Key (KEK) required to decrypt shared secrets for a VPN Link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for 3 days or more, then this can happen. | 6.2.1 |
| NETWORK_VPNKEK_UNAVAILABLE | Device | INCIDENT | Informational | Key Encryption Key (KEK) is not available. | This fault is generated when the Key Encryption Key (KEK) required to decrypt shared secrets for a VPN link is not available. The controller issues a KEK along with shared secrets. If the communication between the controller and the device is down for more than three days, this can happen. | |
| NETWORK_VPNLINK_DOWN | Device | INCIDENT | Warning | VPN Link Down | A VPN Link connecting two sites is down. If the VPN Link is the only link between the two sites, VPN-based connectivity between those sites has been impacted. If alternate VPN Links exist between the two sites, connectivity and capacity are available between the sites; however, additional VPN Link failures between the two sites may impact traffic. | |
| NETWORK_VPNPEER_UNAVAILABLE | Device | INCIDENT | Informational | VPN Peer Down | A peer instance on the other side of a VPN Link of a remote office (branch) has been declared to be down. This fault will typically be seen along with one of the [NETWORK_VPNLINK_DOWN, PEERING_CORE_DOWN, DEVICESW_GENERAL_PROCESSSTOP] faults that identify the likely root cause. | |
| NETWORK_VPNSS_UNAVAILABLE | Device | INCIDENT | Informational | VPN Shared Secret Unavailable | The shared secret required to establish a VPN Link is not available. The Prisma SD-WAN controller pre-issues a certain number of shared secrets (3 days' worth by default). If the communication between the Prisma SD-WAN Controller and the device is down for 3 days or more, then this fault is raised. | |
| NETWORK_VPNPEER_UNREACHABLE | Device | INCIDENT | Informational | VPN Peer Unreachable | Control communication could not be established with the VPN Peer. Common reasons include (a) IP address misconfiguration, (b) NAT misconfiguration, or (c) a firewall that is blocking port 4500 traffic, as UDP port 4500 is used for control communication between the two VPN Peers. | |
| NETWORK_VPNSS_MISMATCH | Device | INCIDENT | Informational | VPN Shared Secret Mismatch | VPN Peers could not agree on a shared secret. This usually happens when (a) one of the devices is not able to contact the Prisma SD-WAN Controller and retrieve the shared secret corresponding to the time window when the fault was raised or (b) the clocks on the VPN Peer devices are out of sync. | |
| NETWORK_VPNBFD_DOWN | Device | INCIDENT | Informational | VPN Liveliness Down | VPN Link liveliness is monitored through BFD heartbeats. This fault indicates that the VPN Link went down because the BFD heartbeats failed. If this is a temporary network failure, the VPN Link will come back up once the network is restored. If the fault continues to stay on, check for network availability. | |
| SITE_CONNECTIVITY_DOWN | Controller | INCIDENT | Critical | Site Connectivity Down | At the Branch, the incident is raised when the site cannot connect to the controller or any remote branch or data center. Suppressed incidents at the Branch site: DEVICESW_DISCONNECTED_FROM_CONTROLLER, NETWORK_SECUREFABRICLINK_DOWN. The following incidents are suppressed only if they were received by the controller before the site connectivity was lost: DEVICEHW_INTERFACE_DOWN, NETWORK_DIRECTINTERNET_DOWN, NETWORK_DIRECTPRIVATE_DOWN. At the Data Center, the incident is raised when all the remote sites are unreachable. Suppressed incidents at the Data Center site: DEVICESW_DISCONNECTED_FROM_CONTROLLER, NETWORK_SECUREFABRICLINK_DOWN. | 5.5.1 |
| SITE_CIRCUIT_ABSENT_FOR_POLICY | Controller | INCIDENT | Warning | Path label used in policy is missing on site. | One or more path labels (public-*, private-*, public-[1-32], private-[1-32]) used in policy are not assigned to any site WAN interface at the site. | 4.5.1 |
| SITE_NETWORK_SERVICE_ABSENT_FOR_POLICY | Controller | INCIDENT | Warning | Policy DC Group Missing Service Endpoint. | One or more DC groups used in the policy have not been assigned a valid service endpoint for the domain bound to the identified site. | 5.4.1 |
| SITE_CONNECTIVITY_DEGRADED | Controller | INCIDENT | Warning | Site connectivity degraded | Branch site connectivity is degraded because one or more secure fabric links are down, Layer 3 reachability is down, or a service link is down. Suppressed incidents: NETWORK_DIRECTINTERNET_DOWN, NETWORK_DIRECTPRIVATE_DOWN, NETWORK_SECUREFABRICLINK_DOWN, NETWORK_SECUREFABRICLINK_DEGRADED, DEVICEHW_INTERFACE_DOWN. | 5.5.1 |
| SASE_SERVICEENDPOINT_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds allocated bandwidth for region. | | 6.0.1 |
| SASE_SERVICEENDPOINT_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds allocated bandwidth for the region. | | 6.0.1 |
| VION_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the virtual ION. | | 6.0.1 |
| VION_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the virtual ION. | | 6.0.1 |
| SPN_BANDWIDTH_LIMIT_EXCEEDED | Controller | INCIDENT | Warning | Configured circuit bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | | 6.0.1 |
| SPN_BANDWIDTH_SOFT_LIMIT_EXCEEDED | Controller | INCIDENT | Informational | Total estimated bandwidth for sites exceeds maximum capacity of the security service endpoint connected to virtual ION. | | 6.0.1 |
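The suppression lists given for SITE_CONNECTIVITY_DOWN and SITE_CONNECTIVITY_DEGRADED, together with the 5.4.1 code substitution for API queries, applied to a list of events. This is an added example, not Palo Alto Networks code. The event field names, site names and timestamps are hypothetical, and it assumes that the parent incident's timestamp marks when connectivity was lost and that API results carry the NETWORK_ANYNETLINK_* codes.

```python
API_CODE = {  # code in the table -> code to use when querying the API (5.4.1+)
    "NETWORK_SECUREFABRICLINK_DEGRADED": "NETWORK_ANYNETLINK_DEGRADED",
    "NETWORK_SECUREFABRICLINK_DOWN": "NETWORK_ANYNETLINK_DOWN",
}
DOC_CODE = {api: doc for doc, api in API_CODE.items()}

def query_code(code):
    return API_CODE.get(code, code)  # unchanged for every other code

COMMON = {"DEVICESW_DISCONNECTED_FROM_CONTROLLER", "NETWORK_SECUREFABRICLINK_DOWN"}
FABRIC = {"NETWORK_SECUREFABRICLINK_DOWN", "NETWORK_SECUREFABRICLINK_DEGRADED"}
PATHS = {"DEVICEHW_INTERFACE_DOWN", "NETWORK_DIRECTINTERNET_DOWN",
         "NETWORK_DIRECTPRIVATE_DOWN"}
# (parent code, site role) -> (always suppressed, suppressed only if raised earlier)
RULES = {
    ("SITE_CONNECTIVITY_DOWN", "branch"): (COMMON, PATHS),
    ("SITE_CONNECTIVITY_DOWN", "dc"): (COMMON, set()),
    ("SITE_CONNECTIVITY_DEGRADED", "branch"): (PATHS | FABRIC, set()),
}

def triage(events):
    """Split events into (visible, suppressed) using the table's suppression lists."""
    visible, suppressed = [], []
    for e in events:
        code = DOC_CODE.get(e["code"], e["code"])  # accept either naming
        hidden = False
        for p in events:
            rule = RULES.get((p["code"], p["role"]))
            if rule is None or p["site"] != e["site"]:
                continue
            always, if_earlier = rule
            # Assumption: the parent's timestamp marks when connectivity was lost.
            if code in always or (code in if_earlier and e["time"] < p["time"]):
                hidden = True
        (suppressed if hidden else visible).append(e)
    return visible, suppressed

# Constructed sample: field names, site names and minute timestamps are invented.
SAMPLE = [dict(zip(("site", "role", "time", "code"), row)) for row in [
    ("branch-1", "branch", 600, "SITE_CONNECTIVITY_DOWN"),
    ("branch-1", "branch", 601, "DEVICESW_DISCONNECTED_FROM_CONTROLLER"),
    ("branch-1", "branch", 600, "NETWORK_ANYNETLINK_DOWN"),
    ("branch-1", "branch", 598, "DEVICEHW_INTERFACE_DOWN"),
    ("branch-1", "branch", 605, "NETWORK_DIRECTINTERNET_DOWN"),
    ("branch-1", "branch", 599, "PEERING_BGP_DOWN"),
    ("dc-1", "dc", 660, "SITE_CONNECTIVITY_DOWN"),
    ("dc-1", "dc", 650, "DEVICEHW_INTERFACE_DOWN"),
    ("dc-1", "dc", 661, "NETWORK_SECUREFABRICLINK_DOWN"),
]]
```

In the sample, the branch's NETWORK_DIRECTINTERNET_DOWN stays visible because it arrived after connectivity was lost, and the data center's DEVICEHW_INTERFACE_DOWN stays visible because the Data Center suppression list does not include it.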