GTP Event Codes
A GTP event can have more than one event code.
GTP logs include event codes to help you troubleshoot issues. A single GTP event type can have more than one event code, and you can find this detail in each log. When a GTP session ends, for example, while the GTP event type is recorded as GTP session end, the event code can be 841 or 844. The event code description below will help you decipher whether the session end was triggered with a Delete message or the session terminated unexpectedly. The event codes are in hexadecimal format, where xx is the message type, yy is the Information Element (IE) type, and z is the GTP version.
|800||Normal GTP messages|
|841||GTP session ended with a GTPv1 Delete message|
|842||GTP session ended with a GTPv2 Delete message|
|844||GTP session ended unexpectedly (timeout)|
|881||GTPv1 session start|
|882||GTPv2 session start|
|101000||End User IP address spoofed|
|101800||Overbilling protection in effect|
|104zxx||Tunnel block limit reached|
|108zxx||Tunnel alert limit reached|
|1221xx||Incorrect UDP port in GTPv1 header|
|1222xx||Incorrect UDP port in GTPv2 header|
|1241xx||Unexpected sequence number in GTPv1 header|
|1242xx||Unexpected sequence number in GTPv2 header|
|1281xx||Out-of-state GTPv1 message|
|1282xx||Out-of-state GTPv2 message|
|144zxx||Invalid GTP version|
|1441xx||Incorrect reserved field in GTPv1 header|
|1442xx||Incorrect reserved field in GTPv2 header|
|1810xx||Unknown GTP-U message|
|1811xx||Unknown GTPv1-C message|
|1812xx||Unknown GTPv2-C message|
|1821xx||GTPv1 message matched by RAT filter|
|1822xx||GTPv2 message matched by RAT filter|
|1841xx||GTPv1 message matched by APN filter|
|1842xx||GTPv2 message matched by APN filter|
|1881xx||GTPv1 message matched by IMSI-Prefix filter|
|1882xx||GTPv2 message matched by IMSI-Prefix filter|
|20yyxx||Out of order IEs in GTPv1 message|
|21yyxx||Unknown IE in GTPv1 message (unsupported IE type)|
|22yyxx||Unknown IE in GTPv2 message (unsupported IE type)|
|23yyxx||Invalid IE in GTPv1 message, such as invalid IMSI|
|24yyxx||Invalid IE in GTPv2 message, such as invalid IMSI|
|26yyxx||Abnormal GTPv1 message length|
|27yyxx||Abnormal GTPv2 message length|
|28yyxx||Missing mandatory IE in GTPv1 message|
|29yyxx||Missing mandatory IE in GTPv2 message|
|4111xx||Run out of resource for GTPv1 message|
|4112xx||Run out of resource for GTPv2 message|
|4121xx||Conflict with another session for GTPv1 message|
|4122xx||Conflict with another session for GTPv2 message|
|4141xx||Invalid TEID in GTPv1 header (non-existent tunnel)|
|4142xx||Invalid TEID in GTPv2 header (non-existent tunnel)|
GTP Event Types and Severity
GTP events have categorized by their severity; the firewall generates GTP logs when GTP events occur. ...
Monitor GTP Traffic
Monitor GTP traffic passing through a Palo Alto Networks firewall by viewing Mobile Network Activity on the ACC and by running predefined and custom reports. ...
Objects > Security Profiles > GTP Protection
Objects > Security Profiles > GTP Protection The GTP Protection profile enables the firewall to inspect GTP traffic. To view this profile, you must enable ...
GTP Protection Profile
Use these fields to create a GTP Protection profile to define how the firewall inspects, validates, and filters GTP traffic. ...
Configure GTP Stateful Inspection
Enable GTP security, configure a GTP Protection profile, and attach the profile to a Security policy rule to secure GTP traffic. ...
Generate Mobile Network Reports
View daily reports or custom reports on mobile network activity. ...
Get a Packet Capture of a GTP Event
Get a packet capture of a GTP event, such as GTP-in-GTP, to troubleshoot an abnormal GTP packet. ...
GTP Cause Values in Logs
When a GTP network element accepts or rejects a GTP request, the response includes a cause value in the Information Element indicating the request is ...