Appendix D Error Messages
This appendix describes the error messages generated by various components of the SunScreen software and a suggested solution for each error condition.
-
Error messages from ssadm edit
-
Error messages from ssadm activate
-
Error messages from ssadm lock
-
Logged packet reasons
Error Messages From the ssadm edit Component
Error messages can arise while editing the address, rule, and service configurations (and from the corresponding GUIs).
The expression, [ARGUMENTS], used in the following error messages means that the same set of arguments passed into ssadm* is echoed back.
For example, if you type: "add address a b junk x y z" the error message is: "add address a b junk x y z: error_message".
The ssadm edit component's error messages follow.
-
Usage: ssadm edit [-beim] [-I ip] [-U user] policy [-c command]
Return code: 1
The user invoked the edit program incorrectly.
-
Error illegal policy name policyname
Return code: 1
The user specified an illegal policy name while invoking the editor.
-
Discarding unsaved changes
Return code:
The user chose to QUIT even though there are unsaved changes.
-
Write Lock Held
Return code:
The user asked for their lock_status, and they currently hold the write lock.
-
Read Lock Held
Return code:
The user asked for their lock_status, and they currently hold the read lock.
-
Registry Version: #Policy Version: #
Return code: 0
The user asked for the version currently being edited.
-
no longer supported. use edit del request syntax
Return code: 251
The user tried to delete a NAT Rule using the old ssadm nat or ssadm access command.
-
There are unsaved changes
Return code: 231
The user attempted to quit without saving unsaved changes.
-
Cannot name Policy lock
Return code: 232
The user attempted to save the policy as lock, which is a reserved word.
-
There are unsaved changes Version.
Return code: 233
The user attempted to save the policy as version, which is a reserved word.
-
There are unsaved changes in Registry
Return code: 234
The user attempted to save the policy as registry, which is a reserved word.
-
Cannot save a versioned file with a new name
Return code: 235
The user attempted to save a versioned policy with a new name.
-
Registry objects redefined
Return code:
An entry in the registry (on disk) has more than one definition. All definitions after the first are lost upon the next save.
-
file not found
Return code: 240
The policy given to be read did not exist.
-
parse error
Return code: 241
The policy or registry file on disk is corrupt and cannot be read. Make sure you have a backup or a recent version saved.
-
could not acquire read lock
Return code: 242
The configuration editor could not acquire a read lock. Likely the lock file is corrupt or some process is hanging. ss_lock -c policy is likely to be needed.
-
could not acquire write lock
Return code: 243
A request to gain the write lock failed. Likely some other process currently holds the write lock.
-
lock not held
Return code: 244
An attempt was made to save changes, but something has happened so that this process no longer holds the write lock. Perhaps someone else has issued an ss_lock -c policy and invalidated the lock.
-
cannot modify "*"
Return code: 247
An attempt was made to modify the Address or Screen object *. This is a reserved name and cannot be modified.
-
cannot modify "localhost"
Return code: 248
An attempt was made to modify the Address localhost. This is a reserved name and cannot be modified.
-
lock unavailable
Return code: 249
Indicates that something happened to the lock files. ss_lock -c policy is likely needed to fix the situation.
-
unresolved references
Return code: 250
A reference is made to a named object in the global registry that does not exist in the registry.
-
invalid input
Return code: 251
A request was not well-formed.
-
unknown operation
Return code: 252
A request was issued for an invalid data type.
-
internal error
Return code: 253
A request used an invalid operation.
-
unknown data type
Return code: 255
No longer used.
-
Error: invalid input
Return code : nonzero : nonzero
-
Warning: Adding ADMIN Interface to an routing machine.
Indicates you added an ADMIN interface to a routing machine. You probably want this to be a routing type interface.
-
(ssadm interfaces) Warning: operation replaced only routing Interface
Appears as a result of an "add Interface" request
-
(ssadm interfaces) Warning: operation replaced only stealth Interface
Appears as a result of an "add Interface" request
-
(ssadm interfaces) Warning: operation left only one stealth Interface
Appears as a result of an "add Interface" request
Error Messages From the ssadm activate Component
The ssadm activate component's error messages follow.
-
Error output directory does not exist output directory
Return code : nonzero
The user invoked ssadm activate incorrectly.
-
Too many Time objects being used. Limit is 31.
Return code: 236
The policy being compiled and activated refers to more than 31 distinct time objects.
-
Registry objects redefined
Return code:
An entry in the registry (on disk) has more than one definition. All definitions after the first are lost upon the next "save.
-
Screen object not found
Return code: 239
The -S passed to ssadm activate is a nonexistent Screen object.
-
file not found
Return code: 240
The policy given to be read did not exist.
-
parse error
Return code: 241
The policy or registry file on disk is corrupt and cannot be read. Be sure you have a backup or a recent version saved.
-
compile error
Return code: 245
No longer used.
-
unresolved references
Return code: 250
A reference is made to a named object in the global registry that does not exist in the registry.
-
Error: Status NAT, but Addresses are different sizes (NAT entry)
Return code : nonzero
-
Error: Original and Translated Source Intersect
Return code : nonzero
-
Error: Original and Translated Destination Addresses Intersect
Return code : nonzero
-
Error: Cannot translate both source and destination addresses
Return code : nonzero
-
Screen object must define smtp address
Return code : nonzero
The Screen object must define the SMTP Address if the SMTP proxy is to be used.
-
Error: Service not defined (remote administration)
Return code : nonzero
The indicated service is needed by the system, but the definition has either been deleted or renamed in the global registry.
-
Error: SunScreen object has no Administrative Certificate Screen name
Return code : nonzero
The Screen object is not fully defined. Remote administration is indicated but the Screen is lacking a Certificate.
-
Error: SKIP and Ethernet filtering not supported
Return code: nonzero
An Ethernet-based Rule is specified (that is, a service that includes the "ether" state engine) and it also indicates SKIP is to be used.
-
Error: More than 16 Interfaces defined for a given type
Return code: nonzero
Indicates that only 16 of a given type of interface are supported.
-
Could not find HA Service
Return code: nonzero
HA is indicated but the services "HA administration" and "HA heartbeat" have been either removed or renamed.
-
Error: HA cluster missing HA IP Addresses
Return code: nonzero
The Screen objects participating in the current HA cluster lack HA_IP addresses.
-
Error: HA IP address is not on HA interface
Return code: nonzero
The HA IP address specified is not part of the HA interface.
-
Error: Service incorrectly defined
Return code: nonzero
A service has contradictory information, such as the same port but different state engines, or different parameters.
-
Error: Interfaces intersect
Return code: nonzero
Two (or more) interfaces' addresses intersect.
-
Error: Rule uses Certificate Group with Service containing Reverse Filter RULE
Return code: nonzero
The reverse rule swaps the certificates, and groups are not supported in the encrypting case.
-
Error: Rule uses Certificate Group with Service containing Reverse State Engine RULE
Return code: nonzero
The reverse rule swaps the certificates, and groups are not supported in the encrypting case.
-
Error: Service not defined (remote administration)
Return code: nonzero
The service is needed internally but has been either renamed or deleted.
-
Error: Service not defined (snmp traps)
Return code: nonzero
The service is needed internally but has been either renamed or deleted.
-
Error: Service not defined (skip)
Return code: nonzero
The service is needed internally but has been either renamed or deleted.
-
Error: Service not defined (certificate discovery)
Return code: nonzero
The service is needed internally but has been either renamed or deleted.
-
Error: Service not defined (rip)
Return code: nonzero
The service is needed internally but has been either renamed or deleted.
-
Error: Service not defined (dns)
Return code: nonzero
The service is needed internally but has been either renamed or deleted.
-
Error: Service not defined (nis)
Return code: nonzero
The service is needed internally but has been either renamed or deleted.
-
Error: could not generate Rule from Screen: Screen name
Return code: nonzero
-
Error: could not generate Rule to Screen: Screen name
Return code: nonzero
-
Error: Screen name is missing encryption parameters
Return code: nonzero
-
Error: Screen name requires a certificate to administer Screen Screen name
Return code: nonzero
-
Error: Screen name requires a certificate to be administered by Screen Screen name
Return code: nonzero
-
Error: HA Secondary with no Master
Return code: nonzero
HA is indicated, but no primary Screen is specified.
-
Error: Incomplete Screen definition
Return code: nonzero
One of the following is missing given that HA_Secondary is indicated: certificate, key, data, mac, or compression algorithm.
-
Error: HA enabled with no HA Interface defined
Return code: nonzero
-
Error: HA enabled with multiple HA Interface(s) defined
Return code: nonzero
-
Error: HA not enabled but HA Interface(s) defined
Return code: nonzero
-
datacompiler: Error writing data file (fseek failed)
The data compiler could not write the output file owing to a failed fseek.
-
Error: Remote Certificate name1 uses multiple local certificates: name2 and name3
A certificate name1 that is not local to this Screen is used in at least two SKIP_VERSION_1 rules, but the local certificate is not the same. SunScreen supports only using a one local certificate for any given remote certificate in SKIP_VERSION_1 compatibility mode. The user must either use skip_version_2 or change one of name2 and name3 to the other.
-
datacompiler: Manual Table too large. Limit is 65535.
There are more than 65535 pairs of certificates for either manual keying or support SKIP_V1 nodes. There is a limit of 65535.
-
datacompiler: Skip_V1 Table too large. Limit is 65535
There are more than 65535 pairs of certificates for either Manual Keying or support SKIP_V1 nodes. There is a limit of 65535.
-
Activation failed, error error code
Return code: 1
-
Active configuration: NAMEActivated by user on date
Return code: 0
-
Warning: Rule type could not be determined and is being discarded Svc addr . . .
A problem determining how to implement the rule occurred and is being discarded.
-
TYPE: name is already defined. Redefined on line <#> in file file
TYPE is address, action, service, state engine. This means that the name is defined multiple times. One of the definitions must be removed. Using the ssadm* command removes the first such definition. To remove the second, and keep the first intact, you must use a text editor on the file on the Screen.
-
Error: name1 is not defined. Used on line # [in file file] by name2
Indicates an unresolved reference, where name2 refers to name1 but name1 is not defined. The user needs to define name1 or remove the reference by modifying name2.
-
Address name is part of a cycle
A circular reference in an address list definition, such that list A includes list B as a member and list B includes list A as a member. The user must break the cycle for the compilation to be successful.
-
Service name is part of a cycle
A circular reference in a service list definition, such that list A includes list B as a member and list B includes list A as a member. The user must break the cycle for the compilation to be successful.
-
Service incorrectly defined. name...
The service is internally inconsistent. Either the service defines two state engines in the same class and subclass for the same port; or the same port and the same state engine are used twice but with different parameters. The user must redefine this service for the compilation to be successful.
-
Error: "name" is not defined. Used on line # in file FILE by name
The user is referring to an object (address, service) that has not yet been defined. Be sure it is defined.
-
Invalid Domain Name: "name"
The user has entered a domain name that has illegal characters, such as /. Use the default domain name "default."
-
Error: Domain "name" does not exist.
The user has entered a nonexistent domain name. Use the default domain name "default.
-
unknown operation
The user has requested an operation that is not recognized.
-
Sorry, character character not supported.
The user has entered an unsupported character.
-
could not acquire lock to read data, please reissue request.
Too many concurrent processes are running.
-
could not acquire lock to write data, please reissue request.
Too many concurrent processes are running.
-
invalid input
The user entered something incorrectly. Refer to the relevant man page to verify you have the correct command syntax.
-
unknown data type.
The user requested an operation on an unknown data type.
-
Error: "name" cannot be a Local Certificate.
The first certificate specified is supposed to be the Administration Station's certificate. If the certificate is local to the Screen, then it cannot be the Administration Station's.
-
Error: Missing Remote Certificate: "name"
The first certificate could not be found in the Certificate registry, as maintained by ssadm certificate. Be sure the entry is entered correctly.
-
Error: "name" must be a Local Certificate.
The second certificate must belong to the Screen. Try again and verify that the second certificate is the Screen's certificate.
-
Error: Could not find Local Certificate: "name"
The second certificate could not be found in the Certificate registry, as maintained by ssadm certificate. Be sure the entry is entered correctly.
-
cannot modify Address *
The user attempted to modify *, which is not user-editable.
-
cannot modify Address "localhost"
You attempted to modify localhost, which is not user-editable.
-
Error: Service "SERVICE" not found
The user-indicated service is missing.
-
Warning: RULE uses invalid pair of certificate and will be ignored
A SKIP-based rule must include one local and one nonlocal certificate. If both are local, or both are nonlocal, then the rule is invalid and will be ignored. If you believe the rule is necessary for this Screen, verify that one of the certificates is local and one is nonlocal, and reactivate.
-
Warning: PROXY proxy server not found. No rule generated
The user specified proxy definition cannot be found and a proxy rule was specified. The Rule necessary to support the proxy cannot be generated. Be sure the appropriate proxy server is defined.
-
Error: Configuration "name" does not exist in domain name
The configuration does not exist. Try again with a configuration that does exist.
-
Error: # NAT entries are incorrectly defined
The NAT entry is invalid if its public and private addresses intersect with each other or any other address in the NAT table. Be sure that no two NAT entries intersect.
-
Could not find HA Service
The service "HA Service" could not be found. Be sure it is defined.
-
Service incorrectly Defined: SERVICE
The specified service is not well defined. For example, it may specify the same port for multiple state engines that conflict, like UDP and UDP-datagram. Redefine the service correctly.
-
Error: Interface does not exist (le0)
le0 is the name of the nonexistent interface. This happens if the global common registry being activated contains an interface that the machine that is doing the compile and activate does not have.
-
Warning: Could not verify Interface "name" exists
The user added an interface and it could not be verified on the Screen.
-
Expecting "{" but found a character
The syntax entered was incorrect. See the man page for correct syntax.
-
Expecting "}" but found a character
The syntax entered was incorrect. See the man page for correct syntax.
-
Unexpected end of input
The syntax entered was incorrect. See the man page for correct syntax.
-
Invalid Range specified # - #
The user entered a range where the end value was less than the start value.
-
Service definition is internally inconsistent
The user specified service is not well-defined. For example, it may specify the same port for conflicting state engines, such as UDP and UDP-datagram. Redefine the service correctly.
Error Messages From the ssadm lock Component
The ssadm lock component's error messages follow:
-
Usage: ssadm lock -w | -c policy
Return code: 1
The user invoked ssadm lock command incorrectly.
-
lock held by user @ IP process id pid
The lock is held by this UNIX process with process ID pid.
Logged Packet Reasons - why codes
TABLE D-1 lists common reasons for logging packets in the SunScreen log and in the SNMP syslog files. Reasons with numbers below 256 indicates that the packet passed. Reasons with number of 256 or greater indicates that the packet was dropped. The reason numbers listed here are sometimes referred to as why codes.
Table D-1 Logged Packet Reasons
- © 2010, Oracle Corporation and/or its affiliates