This appendix describes the error messages generated by the various components of the SunScreen EFS 3.0 software and the suggested solution for each error condition.
The ssadm edit component's error messages follow:
Usage: ssadm edit [-beim] [-I ip] [-U user] policy [-c command]
Return code: 1
Indicates that the user invoked the edit program incorrectly.
Error illegal policy name policyname
Return code: 1
Indicates that the user specified an illegal policy name while invoking the editor.
Discarding unsaved changes
Return code:
Indicates that the user chose to QUIT even though there are unsaved changes.
Write Lock Held
Return code:
Indicates that the user asked for their "lock_status", and they currently hold the write lock.
Read Lock Held
Return code:
Indicates that the user asked for their "lock_status", and they currently hold the read lock.
Registry Version: #Policy Version: #
Return code: 0
Indicates that the user asked for the "version" currently being edited.
no longer supported. use edit del request syntax
Return code: 251
Indicates that the user tried to delete a NAT Rule using the old ssadm nat or ssadm access command.
There are unsaved changes
Return code: 231
Indicates that the user attempted to "quit" without saving unsaved changes.
Cannot name Policy "lock"
Return code: 232
Indicates that the user attempted to save the policy as "lock", which is a reserved word.
There are unsaved changes "Version."
Return code: 233
Indicates that the user attempted to save the policy as "Version", which is a reserved word.
There are unsaved changes in "Registry"
Return code: 234
Indicates that the user attempted to save the policy as "Registry", which is a reserved word.
Cannot save a versioned file with a new name
Return code: 235
Indicates that the user attempted to save a versioned policy with a new name.
Registry objects redefined
Return code:
Indicates that an entry in the Registry (on disk) has more than one definition. All definitions after the first are lost upon the next "save."
file not found
Return code: 240
Indicates that the policy given to be read did not exist.
parse error
Return code: 241
Indicates that the Policy or Registry file on disk is corrupt and cannot be read. Make sure you have a back-up or a recent version saved.
could not acquire read lock
Return code: 242
Indicates that the configuration editor could not acquire a read lock. Likely the lock file is corrupt or some process is hanging. ss_lock -c policy is likely to be needed.
could not acquire write lock
Return code: 243
Indicates that a request to gain the write lock failed. Likely because some other process currently holds the write lock.
lock not held
Return code: 244
Indicates that an attempt was made to "save" changes, but something has happened so that this process no longer holds the write lock. Perhaps someone else has issued a ss_lock -c policy and invalidated the lock.
cannot modify "*"
Return code: 247
Indicates that an attempt was made to modify the Address or Screen object "*". This is a reserved name and cannot be modified.
cannot modify "localhost"
Return code: 248
Indicates that an attempt was made to modify the Address "localhost". This is a reserved name and cannot be modified.
lock unavailable
Return code: 249
Indicates that something happened to the lock files. ss_lock -c policy is likely needed to fix the situation.
unresolved references
Return code: 250
Indicates that a reference is made to a named object in the global registry that does not exist in the registry.
invalid input
Return code: 251
Indicates that a request was not well-formed.
unknown operation
Return code: 253
Indicates that a request used an invalid operation.
unknown data type
Return code: 252
Indicates that a request was issued for an invalid data type.
internal error
Return code: 255
No longer used.
Error: invalid input
Return code: non-zero
Warning: Adding ADMIN Interface to an routing machine.
Indicates that you added an ADMIN Interface to a routing machine. You probably want this to be a routing type Interface.
(ssadm interfaces) Warning: operation replaced the Administrative Interface
Only appears as a result of an "add Interface" request
(ssadm interfaces) Warning: operation replaced only EFS Interface
Only appears as a result of an "add Interface" request
(ssadm interfaces) Warning: operation replaced only SPF Interface
Only appears as a result of an "add Interface" request
(ssadm interfaces) Warning: operation left only one SPF Interface
Only appears as a result of an "add Interface" request
Error: certificate invalid input
Return code: non-zero
Error messages can arise while editing the address, rule, and service configurations (and from the corresponding GUIs).
The expression, [ARGUMENTS], used in the following error messages means that the same set of arguments passed into ssadm* is echoed back. For example, if you type: "add address a b junk x y z" the error message is: "add address a b junk x y z: error_message".
The ssadm activate component's error messages follow:
Error output directory does not exist output directory
Return code: non-zero
Indicates that the user invoked ssadm activate incorrectly.
Too many Time objects being used. Limit is 31.
Return code: 236
Indicates that the policy being compiled and activated refers to more than 31 distinct Time objects.
Registry objects redefined
Return code:
Indicates that an entry in the Registry (on disk) has more than one definition. All definitions after the first are lost upon the next "save."
Screen object not found
Return code: 239
Indicates that the -S argument passed to ssadm activate names a non-existent Screen object.
file not found
Return code: 240
Indicates that the policy given to be read did not exist.
parse error
Return code: 241
Indicates that the Policy or Registry file on disk is corrupt and cannot be read. Be sure you have a back-up or a recent version saved.
compile error
Return code: 245
No longer used.
unresolved references
Return code: 250
Indicates that a reference is made to a named object in the global registry, which does not exist in the registry.
Error: Status NAT, but Addresses are different sizes (NAT entry)
Return code: non-zero
Error: Original and Translated Source Intersect
Return code: non-zero
Error: Original and Translated Destination Addresses Intersect
Return code: non-zero
Error: Cannot translate both source and destination addresses
Return code: non-zero
Screen object must define smtp address
Return code: non-zero
Indicates that the Screen object must define the SMTP Address if the SMTP Proxy is to be used.
Error: Service not defined (remote administration)
Return code: non-zero
Indicates that the indicated service is needed by the system, but the definition has either been deleted or renamed in the global registry.
Error: SunScreen object has no Administrative Certificate Screen name
Return code: non-zero
Indicates that the Screen object is not fully defined. Remote administration is indicated but the Screen is lacking a Certificate.
Error: SKIP and Ethernet filtering not supported
Return code: non-zero
Indicates that an ethernet-based Rule is specified (that is, a service that includes the "ether" state engine) and it also indicates SKIP is to be used.
Error: More than 16 Interfaces defined for a given type
Return code: non-zero
Indicates that at most 16 Interfaces of a given type are supported.
Could not find HA Service
Return code: non-zero
HA is indicated, but the services "HA administration" and "HA heartbeat" have been either removed or renamed.
Error: HA cluster missing HA IP Addresses
Return code: non-zero
Indicates that the Screen objects participating in the current HA cluster lack HA_IP addresses.
Error: HA IP address is not on HA interface
Return code: non-zero
Indicates that the HA IP address specified is not part of the HA Interface.
Error: Service incorrectly defined
Return code: non-zero
Indicates that a service has contradictory information, such as the same port, but different state engines, or different parameters.
Error: Interfaces intersect
Return code: non-zero
Indicates that two (or more) Interfaces' addresses intersect.
Error: Rule uses Certificate Group with Service containing Reverse Filter RULE
Return code: non-zero
Indicates that the reverse Rule swaps the Certificates, and Certificate Groups are not supported in the encrypting case.
Error: Rule uses Certificate Group with Service containing Reverse State Engine RULE
Return code: non-zero
Indicates that the reverse Rule swaps the Certificates, and Certificate Groups are not supported in the encrypting case.
Error: Service not defined (remote administration)
Return code: non-zero
Indicates that the service is needed internally, but has been either renamed or deleted.
Error: Service not defined (snmp traps)
Return code: non-zero
Indicates that the service is needed internally, but has been either renamed or deleted.
Error: Service not defined (skip)
Return code: non-zero
Indicates that the service is needed internally, but has been either renamed or deleted.
Error: Service not defined (certificate discovery)
Return code: non-zero
Indicates that the service is needed internally, but has been either renamed or deleted.
Error: Service not defined (rip)
Return code: non-zero
Indicates that the service is needed internally, but has been either renamed or deleted.
Error: Service not defined (dns)
Return code: non-zero
Indicates that the service is needed internally, but has been either renamed or deleted.
Error: Service not defined (nis)
Return code: non-zero
Indicates that the service is needed internally, but has been either renamed or deleted.
Error: could not generate Rule from Screen: Screen name
Return code: non-zero
Error: could not generate Rule to Screen: Screen name
Return code: non-zero
Error: Screen name is missing encryption parameters
Return code: non-zero
Error: Screen name requires a certificate to administer Screen Screen name
Return code: non-zero
Error: Screen name requires a certificate to be administered by Screen Screen name
Return code: non-zero
Error: HA Secondary with no Master
Return code: non-zero
Indicates that HA is enabled, but no primary Screen is specified.
Error: Incomplete Screen definition
Return code: non-zero
Indicates that one of the following is missing given that HA_Secondary is indicated: Certificate, key, data, mac, or compression algorithm.
Error: HA enabled with no HA Interface defined
Return code: non-zero
Error: HA enabled with multiple HA Interface(s) defined
Return code: non-zero
Error: HA not enabled but HA Interface(s) defined
Return code: non-zero
datacompiler: Error writing data file (fseek failed)
Indicates that the datacompiler could not write the output file due to a failed fseek.
Error: Remote Certificate name1 uses multiple local certificates: name2 and name3
Indicates that a certificate name1 that is not local to this Screen is used in at least two SKIP_VERSION_1 rules, but the local certificate is not the same in each. SunScreen EFS supports using only one local certificate for any given remote certificate in SKIP_VERSION_1 compatibility mode. The user must either use skip_version_2 or change one of name2 and name3 to the other.
datacompiler: Manual Table too large. Limit is 65535.
Indicates that there are more than 65535 pairs of certificates (unlikely) for either Manual Keying or for supporting SKIP_V1 nodes. There is a limit of 65535.
datacompiler: Skip_V1 Table too large. Limit is 65535
Indicates that there are more than 65535 pairs of certificates (unlikely) for either Manual Keying or for supporting SKIP_V1 nodes. There is a limit of 65535.
Activation failed, error error code
Return code: 1
Active configuration: NAME Activated by user on date
Return code: 0
Warning: Rule type could not be determined and is being discarded Svc addr . . .
Indicates that a problem occurred in determining how to implement the rule, and the rule is being discarded.
TYPE: name is already defined. Redefined on line <#> in file file
TYPE is one of address, action, service, or state engine. This means that the name is defined multiple times. One of the definitions must be removed. Using the ssadm* command removes the first such definition. To remove the second, and keep the first intact, you must use a text editor on the file on the Screen.
Error: name1 is not defined. Used on line # [in file file] by name2
Indicates an unresolved reference, where name2 refers to name1 but name1 is not defined. The user needs to define name1 or remove the reference by modifying name2.
Address name is part of a cycle
Indicates a circular reference in an address list definition, such that list A includes list B as a member and list B includes list A as a member. The user must break the cycle for the compilation to be successful.
Service name is part of a cycle
Indicates a circular reference in a service list definition, such that list A includes list B as a member and list B includes list A as a member. The user must break the cycle for the compilation to be successful.
Service incorrectly defined. name...
Indicates that the service is internally inconsistent. Either the service defines two state engines in the same class and subclass for the same port; or the same port and the same state engine are used twice, but with different parameters. The user must redefine this service for the compilation to be successful.
Error: "name" is not defined. Used on line # in file FILE by name
Indicates that the user is referring to an object (address, service) that has not yet been defined. Be sure it is defined.
Invalid Domain Name: "name"
Indicates that the user has entered a domain name that contains illegal characters, such as "/". Use the default domain name "default".
Error: Domain "name" does not exist.
Indicates that the user has entered a non-existent domain name. Use the default domain name "default".
unknown operation
Indicates that the user has requested an operation that is not recognized.
Sorry, character character not supported.
Indicates that the user has entered an unsupported character.
could not acquire lock to read data, please re-issue request.
Indicates that too many concurrent processes are running.
could not acquire lock to write data, please re-issue request.
Indicates that too many concurrent processes are running.
invalid input
Indicates that the user entered something incorrectly. Refer to the relevant man page to verify you have the correct command syntax.
unknown data type.
Indicates that the user requested an operation on an unknown data type.
Error: "name" cannot be a Local Certificate.
Indicates that the first certificate specified is supposed to be the Administration Station's certificate. If the certificate is local to the Screen, then it cannot be the Administration Station's.
Error: Missing Remote Certificate: "name"
Indicates that the first certificate could not be found in the Certificate registry, as maintained by ssadm certificate. Be sure the entry is entered correctly.
Error: "name" must be a Local Certificate.
Indicates that the second certificate must belong to the Screen. Try again and verify that the second certificate is the Screen's certificate.
Error: Could not find Local Certificate: "name"
Indicates that the second certificate could not be found in the Certificate registry, as maintained by ssadm certificate. Be sure the entry is entered correctly.
cannot modify Address "*"
Indicates that the user attempted to modify "*", which is not user-editable.
cannot modify Address "localhost"
Indicates that the user attempted to modify "localhost", which is not user-editable.
Error: Service "SERVICE" not found
Indicates that the user-specified service is missing.
Warning: RULE uses invalid pair of certificate and will be ignored
Indicates that a SKIP-based rule must include one local and one non-local certificate. If both are local, or both are non-local, then the rule is invalid and will be ignored. If you believe the rule is necessary for this Screen, verify that one of the certificates is local and one is non-local, and re-activate.
"smtp-server" must refer to single IP Address
Indicates that the smtp-server definition refers to an address that must contain a single IP address as its value. Verify that the specified address is either a host address or a list that contains only a host address.
Warning: PROXY proxy server not found. No rule generated
Indicates that a proxy rule was specified but the user-specified proxy definition cannot be found, so the Rule necessary to support the proxy cannot be generated. Be sure the appropriate proxy server is defined.
Error: Configuration "name" does not exist in domain name
Indicates that the configuration does not exist. Try again with a configuration that does exist.
Error: # NAT entries are incorrectly defined
Indicates that a NAT entry is invalid because its public and private addresses intersect with each other or with another address in the NAT table. Be sure that no two NAT entries intersect.
Could not find HA Service
Indicates that the service "HA Service" could not be found. Be sure it is defined.
Could not find HA_HOSTS address
Indicates that the HA_HOSTS address could not be found. The HA_HOSTS address contains the IP addresses of all the HA Screens in the cluster so rules can be made that allow them to share data. Be sure this address is defined.
Service incorrectly Defined: SERVICE
Indicates that the specified service is not well-defined. For example, it may specify the same port for multiple state engines that conflict, such as UDP and UDP-datagram. Redefine the service correctly.
Error: Interface does not exist (le0)
Indicates that le0 is the name of the non-existent interface. This happens if the global common registry being activated contains an Interface that the machine on which the compile and activate is happening does not have.
Warning: Could not verify Interface "name" exists
Indicates that the user added an Interface and it could not be verified on the Screen.
Warning: Adding stealth Interface to an routing Machine
Indicates that the user added an Interface of type stealth on a routing machine. This configuration is not supported.
Warning: Adding ADMIN Interface to an routing machine
Indicates that the user added an ADMIN Interface to a routing machine. You probably want this to be a routing type Interface.
Expecting "{" but found a character
Indicates that the syntax entered was incorrect. See the man page for correct syntax.
Expecting "}" but found a character
Indicates that the syntax entered was incorrect. See the man page for correct syntax.
Unexpected end of input
Indicates that the syntax entered was incorrect. See the man page for correct syntax.
Invalid Range specified # - #
Indicates that the user entered a range where the end value was less than the start value.
Service definition is internally inconsistent
Indicates that the user specified service is not well-defined. For example, it may specify the same port for conflicting state engines, such as UDP and UDP-datagram. Redefine the service correctly.
The ssadm lock component's error messages follow:
Usage: ssadm lock -w | -c policy
Return code: 1
Indicates that the user invoked the ssadm lock command incorrectly.
lock held by user @ IP process id pid
Indicates that the lock is currently held by the named user at the given IP address, by the process with process id pid.
Lock available
Return code: 0
The following table lists common reasons for logging packets in the SunScreen EFS log and in the SNMP syslog files. Packets logged for reasons with numbers below 256 indicate that the packet passed. Packets logged for reasons with numbers of 256 or greater indicate that the packet was dropped.