Application Faults

This section contains information about application fault statistics. This category of alarm accounts for problems related to applications (protocols).

  • H.323
  • SIP
  • RADIUS and Diameter

Application alarms do not display an alarm message in the graphic display window on the front panel of the chassis.

H.323 Statistics

You can use the following command to display H.323 statistics:

  • show h323d

There is also an alarm that occurs when stack initialization fails.

Viewing H.323 Statistics

Display H.323 statistics by using the show h323d command.

For example:

acmepacket# show h323d
Session Stats                        -- Period --  -------- Lifetime -------
                           Active    High   Total      Total  PerMax    High
Incoming Calls                  5       5       1         18       6       5
Outgoing Calls                  1       1       1         18       6       2
Connected Calls                 1       1       1          8       2       1
Incoming Channels               2       2       2         17       4       2
Outgoing Channels               2       2       2         17       4       2
Contexts                        5       5       1         18       6       5
H323D Status     Current   Lifetime
Queued Messages        1       1608
TPKT Channels          5        404
UDP Channels           0          0
Stack                State    Type Mode       Registered Gatekeeper
h323172              enabled  H323 Gateway    No

In the first display section, the following statistics are displayed for period and lifetime durations in addition to an active count.

  • Incoming Calls—Number of incoming H.323 calls.
  • Outgoing Calls—Number of outgoing H.323 calls.
  • Connected Calls—Number of currently connected H.323 calls.
  • Incoming Channels—Number of established incoming channels.
  • Outgoing Channels—Number of established outgoing channels.
  • Contexts—Number of established H.323 contexts.

In the second section, the following statistics are displayed for current and lifetime durations.

  • Queued Messages—Number of messages queued.
  • TPKT Channels—Number of TPKT channels open(ed).
  • UDP Channels—Number of UDP channels open(ed).

H.323 Stack Initialization Failure Alarm

The following table provides information about the H.323 ALARM STACK INITIALIZATION FAILURE application alarm, which is triggered by the failure of an H.323 stack to initialize properly.

Alarm Name Alarm ID Alarm Severity Cause(s) Example Log Message Actions
H.323 ALARM STACK INITIALIZATION FAILURE 327682 CRITICAL The H.323 stack has failed to initialize properly and is terminated. [H.323 | IWF] stack <stack-name> has failed to initialize and is terminated apSyslogMessageGenerated trap generated

critical dry contact


H.323 Monitoring Stack Alarm

  • Viewing the number of active calls—You can see the number of active calls using the show h323 stack call command at either the User or Superuser prompt.You can also access this information with an SNMP query.
  • Viewing alarm information—Two ACLI commands allow you to view alarm information, but they provide different information:
    • display-alarms—This command shows alarm the most recently generated by an H.323 stack and the total number of stack monitoring alarms the Oracle Communications Session Border Controller has generated. Since alarms can fire simultaneously, the alarm you can see using this command will only be the most recent one.
      ORACLE# display-alarms
      1 alarms to show
      ID      Task     Severity       First Occurred          Last Occurred
      327694  462796192       3       2009-06-03 18:51:46     2009-10-03 18:51:46
      Count   Description
      2       current calls are over critical threshold of 50 percent. Total no 
              of h323 stack alarm generated are 2
    • show h323 stack stack-alarms—This command refers to specific stacks by stack name, and provides shows the alarm severity and the current percentage of max-calls that triggered the alarm. The Oracle Communications Session Border Controller keeps track of how many alarms are raised by each stacks, and the severity of each of those alarms. When the alarm clears, the information relating to it is erased from the display.
      ORACLE# show h323 stack stack-alarms
      Stack-Name   Alarm-Severity   %Max-Call
      external     minor            50
      internal     critical         50

SIP Statistics

You can use the following commands to view SIP statistics:

  • show sipd errors
  • show processes sipd
  • show registration

Viewing SIP Errors

Display SIP error statistics by using the show sipd errors command. For example:

ORACLE# show sipd errors
SIP Errors/Events             ---- Lifetime ----
                       Recent      Total  PerMax
SDP Offer Errors            0          0       0
SDP Answer Errors           0          0       0
Drop Media Errors           0          0       0
Transaction Errors          0          0       0
Application Errors          0          0       0
Media Exp Events            0          0       0
Early Media Exps            0          0       0
Exp Media Drops             0          0       0
Expired Sessions            0          0       0
Multiple OK Drops           0          0       0
Multiple OK Terms           0          0       0
Media Failure Drops         0          0       0
Non-ACK 2xx Drops           0          0       0
Invalid Requests            0          0       0
Invalid Responses           0          0       0
Invalid Messages            0          0       0
CAC Session Drop            0          0       0
CAC BW Drop                 0          0       0

Viewing SIP Processes

Display statistics about SIP processes by using the show processes sipd command. For example:

ORACLE# show processes sipd
11:34:49-130 (sipd) ID=1b89dfd0
Process Status           -- Period -- -------- Lifetime --------
               Active    High   Total      Total  PerMax    High
Services            5       5       0          5       5       5
Messages            0       0       0          6       4       3
Transactions        0       0       0          0       0       0
Timed Objects       7       7       0         14      11       9
Total Buffers       5       5       0          5       5       5
Alloc Buffers       3       3       0          7       4       5
Memory Chunks      48      48       0         82      79      50
TOQ Entries         2       2      14      58301      19       4
Operations                         14      52997      12
Messages Received                   0          3       2
Messages Sent                       4      17681      30
Partial Message                     0          0       0
Partial Msg Expired                 0          0       0
Partial Msg Dropped                 0          0       0
Timed Events                       14      58291      12
Alarms                              0          0       0
System Logs                         4      17681      32
Process Logs                        4      17684      35
Load Rate                         0.0                0.0
CPU Usage                 0.0              8.133/529935

Viewing IP Session Replication for Recording (SRR) Information

The show call-recording-server command displays information regarding the IP call recording feature configured on the Oracle Communications Session Border Controller. Entering this command without the optional call recording server (CRS) ID displays all CRS endpoints configured on the Oracle Communications Session Border Controller along with their state.

You can specify a CRS whose information you want to view. When you specify an ID, the ACLI displays all session agents created for the CRS endpoint, its IP address, its state, and the last time a failover occurred. For example:

The Internal 503 Threshold Alarm

You can configure the SBC to trigger an alarm when the system has crossed your configured threshold for the percentage of internally generated “503 Service unavailable” responses it issues against the number of received INVITEs. This alarm tracks all INVITEs on a system-wide basis. This alarm is always categorized as a MAJOR alarm and is disabled by default.

The SBC tracks the number of times it sends out an internally generated “503 Service unavailable” response to INVITE requests. As a means of tracking system and infrastructure performance, you can configure three parameters within the sip-config to specify how the system manages this alarm:

  • internal-503-threshold—Specifies, in percent utilization, the value above which the system triggers the alarm. The value measured is the percentage of 503 responses the system issues for each INVITE it receives. The default value of 0% disables the alarm, the range is 0 - 100% and the recommended setting is 50%.

    The system monitors this utilization for the standard window period of 100 seconds. If utilization remains above the threshold for the duration of this window, the system triggers the alarm.

  • internal-503-lower-threshold—Specifies, in percent utilization, the value below which the system considers the alarm condition as no longer in effect. The default value is 0%, the range is 1 - 95% and the recommended setting is 70%, or your internal-503-threshold minus 10.

    When internal 503 generation falls below this threshold, the system considers the alarm condition cleared and can re-issue the alarm if and when it is triggered.

  • 503-alarm-monitoring-time—Specifies the duration for which the system monitors internal 503 generation as being between the internal-503-threshold and the internal-503-lower-threshold. The default is 15 minutes and the range is 5 - 600:
    • If the percentage of Internally generated 503 responses remains between the internal-503-threshold and the internal-503-lower-threshold for the duration of the 503-alarm-monitoring-time window, the system considers the alarm condition cleared.
    • If internal 503 generation goes above the internal-503-threshold at any point during the 503-alarm-monitoring-time window, the system considers the alarm condition as still in effect and does not clear or re-issue the alarm.

For HA deployments, the 503-alarm-monitoring-time is not maintained across systems. If the primary fails over, the system restarts the 503-alarm-monitoring-time timer on the new primary.

The SBC issues a trap corresponding to this alarm simultaneously using the apSip503RespThresholdCrossedNotify (OID trap. This trap includes alarm/trap details, including configured threshold, current percentage of 503 response, and method name. The system does not issue a corresponding clear trap.

When triggered, the alarm appears as follows:

ID        Task  Severity First Occurred        Last Occurred
327748    117   4        2022-02-22 05:36:17   2022-02-22 05:36:17
Count Description
1     503 Service Unavailable response to INVITE is 54%, over configured
threshold of 50%.

You can find this alarm in the log.brokerd and acmelog files. You can manually clear this alarm text with the clear-alarm command. The system does not clear this alarm itself.

Notice that the alarm includes a First and Last occurrence timestamp, as well as a count. When the system generates multiple 503 alarms, which have the same alarm ID, it manages the alarm as follows:

  1. If you cleared the previous alarm manually, the system completely removes the alarm, including all fields, and generates brand new alarms if the issue occurs again.
  2. If you do not clear the previous alarm manually, the system labels any ensuing alarms with an incremented count and updated “Last Occurred” timestamp.


The SBC does not generate this alarm if you use a local-response-map or HMR to change internally generated 503 messages to other response codes. The system does not include those message as internally generated 503 messages.

Viewing SIP Registration Cache Status

Display SIP registration cache status by using the show registration command. The display shows statistics for the Period and Lifetime monitoring spans.

  • Cached Entries—Number of registration entries for the address of record
  • Local Entries—Number of entries for Contact messages sent to a real registrar.
  • Forwards—Number of registration requests forwarded to the real registrar
  • Refreshes—Number of registrations the Oracle Communications Session Border Controller answered without having to forward registrations to the real registrar
  • Rejects—Number of unsuccessful registrations sent to real registrar
  • Timeouts—Number of times a refresh from the HNT endpoint was not received before the timeout

For example:

ORACLE# show registration
SIP Registrations          -- Period -- -------- Lifetime --------
                 Active    High   Total      Total  PerMax    High
User Entries          0       0       0          0       0       0
Local Contacts        0       0       0          0       0       0
Via Entries           0       0       0          0       0       0
AURI Entries          0       0       0          0       0       0
Free Map Ports        0       0       0          0       0       0
Used Map Ports        0       0       0          0       0       0
Forwards              -       -       0          0       0
Refreshes             -       -       0          0       0
Rejects               -       -       0          0       0
Timeouts              -       -       0          0       0
Fwd Postponed         -       -       0          0       0
Fwd Rejected          -       -       0          0       0
Refr Extension        0       0       0          0       0       0
Refresh Extended      -       -       0          0       0
Surrogate Regs        0       0       0          0       0       0
Surrogate Sent        -       -       0          0       0
Surrogate Reject      -       -       0          0       0
Surrogate Timeout     -       -       0          0       0
HNT Entries           0       0       0          0       0       0
Non-HNT Entries       0       0       0          0       0       0

Viewing SIP Method Throttling Mechanism Statistics

You can monitor the SIP method throttling mechanism statistics for either a specific SIP interface or a session agent.

To display SIP method throttling mechanism statistics for a SIP interface:

  • Type show sipd interface, a Space, and then the SIP interface’s name and the SIP method name for which you want statistics. Then press Enter.
    ORACLE# show sipd interface net1 NOTIFY
    NOTIFY (15:53:42-57)
                          --------- Server --------   --------- Client --------
    Message/Event         Recent      Total  PerMax   Recent      Total  PerMax
                          ------  ---------  ------   ------  ---------  ------
    NOTIFY Requests            0         49      19        0          0       0
    Retransmissions            0          0       0        0          0       0
    100 Trying                 0         49      19        0          0       0
    180 Ringing                0         38      19        0          0       0
    200 OK                     0         38      19        0          0       0
    503 Service Unavail        0         11      11        0          0       0
    Response Retrans           0          9       5        0          0       0
    Transaction Timeouts       -          -       -        0          0       0
    Locally Throttled          -          -       -        0          0       0
    Avg Latency=0.000 for 0
    Max Latency=0.000
    BurstRate Incoming=11 Outgoing=0

    To display SIP method throttling mechanism statistics for a session agent:

  • Type show sipd agents, a Space, and then the session agent IP address and the SIP method name for which you want statistics. Then press Enter.
    ORACLE# show sipd agents NOTIFY
    NOTIFY (15:53:34-49)
                          --------- Server --------   --------- Client --------
    Message/Event         Recent      Total  PerMax   Recent      Total  PerMax
                          ------  ---------  ------   ------  ---------  ------
    NOTIFY Requests            0         50      31        0          0       0
    Retransmissions            0          3       3        0          0       0
    200 OK                     0         25      18        0          0       0
    503 Service Unavail        0         25      24        0          0       0
    Transaction Timeouts       -          -       -        0          0       0
    Locally Throttled          -          -       -        0         24      24
    Avg Latency=0.000 for 0
    Max Latency=0.000
    BurstRate Incoming=5 Outgoing=0

Viewing SIP IP CAC Statistics

You can display CAC parameters for an IP address using the show sipd ip-cac command. For example:

ORACLE# show sipd ip-cac
CAC Parameters for IP <>
 Allowed Sessions=2
 Allowed Bandwidth=3000000

Viewing SIP PUBLISH Statistics

You can display statistics related to incoming SIP PUBLISH messages using the show sipd publish command. For example:

summer# show sipd publish
PUBLISH (10:26:43-199)
                      --------- Server --------   --------- Client --------
Message/Event         Recent      Total  PerMax   Recent      Total  PerMax
                      ------  ---------  ------   ------  ---------  ------
PUBLISH Requests           1          1       1        0          0       0
Retransmissions            0          0       0        0          0       0
405 Not Allowed            1          1       1        0          0       0
Transaction Timeouts       -          -       -        0          0       0
Locally Throttled          -          -       -        0          0       0

SIP NSEP Statistics

The show nsep-stats command shows statistics related to the NSEP feature. Use arguments to narrow the display, for example, a specific r-value (namespace and r-priority combination). You can also reset NSEP statistics counters.

You can limit the output to a single realm as well as r-value and dialed number statistics for that realm. This requires that you enable these statistics on the specified realm. For the system to produce realm-level statistics on NSEP traffic, you configure the nsep-stats-profile on the session-router and enable nsep-stats on the applicable realms, as described in the ACLI Configuration Guide.

When you use the ACLI show nsep-stats command without further arguments, the system shows you information for inbound and outbound sessions. To display general NSEP statistics:

  1. Type show nsep-stats and press Enter.
    ORACLE# show nsep-stats
                              ------- Lifetime---------
                             Current      Total  PerMax
    Inbound Sessions               0          0       0
    Outbound Sessions              0          0       0

NSEP Statistics per R-Value Display

You can see statistics for a specific r-value by entering it with the show nsep-stats command. An r-value is a namespace and priority combination entered in the format: namespace.priority. The display also shows the specified r-value for which it is displaying data.

You can further refine this command's output to the R-Value statistics of a single realm by including the realms argument and specifying the desired realm name. This requires that you have enabled those statistics on the specified realm.

To display general NSEP statistics for specific r-values, type show nsep-stats, the r-value for which you want to display statistics and press Enter.

ORACLE# show nsep-stats ets.2
RValue = ets.2
                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0
InbSessions Rej                -       -       0          0       0       -
OutbSessions Rej               -       -       0          0       0       -

Type show nsep-stats realm test1 ets.2 to limit this output to the ets.2 traffic traversing the realm named test1.

You can see the full set of statistics for NSEP inbound and outbound sessions with r-value statistics separated by individual r-values using the show nsep-stats all command. If configured, this output can also include realm-specific r-value and dialed-number statistics based on your nsep-stats profile and for each realm on which you have enabled the nsep-stats parameter.

Type show nsep-stats all and press Enter.

ORACLE#show nsep-stats all
Session Stats

                                    ---- Lifetime ----
                         Current      Total  PerMax
Inbound Sessions               0          0       0
Outbound Sessions              0          0       0

Per RValue Stats

                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High

RValue = ets.2
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0
InbSessions Rej                -       -       0          0       0       -
OutbSessions Rej               -       -       0          0       0       -

Per Realm Stats

Realm-id = test1

                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High

RValue = ets.2
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0
InbSessions Rej                -       -       0          0       0       -
OutbSessions Rej               -       -       0          0       0       -

Dialed Numbers
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0

NSEP Statistics per Dialed Number Display

The SBC provides realm-based NSEP statistics per Dialed Number when you configure the dialed-number and feature-code parameters in your nsep-stats-profile. The system presents this output for the realms on which you have enabled the nsep-stats parameter.

To display NSEP dialed-number statistics for a specific realm, you append the show nsep-stats command with the realm name and the dialed-numbers argument.

ORACLE# show nsep-stats realms test1 dialed-numbers
Realm-id = test1
Dialed Number

                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0

The system includes dialed-number statistics for a realm with r-value statistics when you limit the arguments to the show nsep-stats command to the realm name only.

ORACLE# show nsep-stats realms test1
Realm-id = test1

                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High

RValue = ets.2
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0
InbSessions Rej                -       -       0          0       0       -
OutbSessions Rej               -       -       0          0       0       -

Dialed Numbers
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0

The system includes dialed-number statistics within the show nsep-stats all command output, dividing the output on a per-realm basis.

ORACLE# show nsep-stats all
Session Stats

                                    ---- Lifetime ----
                         Current      Total  PerMax
Inbound Sessions               0          0       0
Outbound Sessions              0          0       0

Per RValue Stats

                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High

RValue = ets.2
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0
InbSessions Rej                -       -       0          0       0       -
OutbSessions Rej               -       -       0          0       0       -

Per Realm Stats

Realm-id = test1

                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High

RValue = ets.2
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0
InbSessions Rej                -       -       0          0       0       -
OutbSessions Rej               -       -       0          0       0       -

Dialed Numbers
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0

Realm-id = test2

                                    -- Period -- -------- Lifetime --------
                          Active    High   Total      Total  PerMax    High

RValue = ets.2
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0
InbSessions Rej                -       -       0          0       0       -
OutbSessions Rej               -       -       0          0       0       -

Dialed Numbers
Incoming Sessions              0       0       0          0       0       0
Outgoing Sessions              0       0       0          0       0       0


If you do not configure the feature-code parameter in conjunction with the dialed-number, the system throws a verify error when you use the done command on your nsep-stats-profile element.

Viewing NSEP Burst Statistics for SIP Session Agents

The ACLI show sipd command supports an sa-nsep-burst argument that displays the NSEP burst rate for all SIP session agents.

ORACLE# show sipd sa-nsep-burst
Agent             Current Rate            Lifetime High        0                       0          0                       0      4                       10

Resetting NSEP Statistics

You can reset the statistics for incoming sessions, for an individual r-value, for per-realm statistics, or for the entire set of NSEP data. To reset NSEP statistics. you enter reset with the same command arguments you use to show the statistics.

For the set of statistics you want to reset, type reset nsep-stats followed by the group that you want to reset as an argument, and press Enter. The following syntax resets the statistics for the specific r-value ets.2.

ORACLE# reset nsep-stats ets.2

To reset the counters for all NSEP statistics, type reset nsep-stats and press Enter.

ORACLE# reset nsep-stats

RADIUS Statistics

The ACLI show radius command, used with the three arguments described in this section, displays the status of any established RADIUS accounting connections and authentications. A working RADIUS connection displays READY, and a disabled connection displays DISABLED.

There is also an alarm that occurs when the RADIUS connection is down.

Viewing RADIUS Statistics

The show radius command can take one of the three available arguments:

  • authentication—Shows authentication statistics for primary and secondary RADIUS servers, including: server IP address and port; round trip time; information about failed and successful requests/authentications; number of rejections; number of challenges; number of time-outs, number of retransmissions
  • accounting—Shows the information described in the following table:
    Section Description
    Client Display General accounting setup (as established in the accounting configuration element), including:

    Information about the state of the RADIUS client

    Accounting strategy used (Hunt, Failover, RoundRobin, FastestRTT, or FewestPending)

    IP address and port on which the server is listening

    Maximum message delay in seconds

    Number of configured accounting servers

    Waiting Queue Amount of accounting (RADIUS) messages waiting to be sent. Waiting queue capacity is 4,096 messages.
    <IP Address:Port> Information about each configured accounting server (established in the accounting servers configuration). The heading above each accounting server section is the IPv4 address and port combination of the accounting server described. This section also includes information about the accounting server’s state (e.g., Connect_Attempt, INIT).
  • all—Shows all of the information for both the authentication and accounting displays

The following is an example of the show radius authentication command output.

ORACLE# show radius authentication
Active Primary Authentication Servers:
   server ipAddr:
Active Secondary Authentication Servers:
   server ipAddr:
Authentication Statistics:
                RoundTripTime          :0
                AccessRequests         :2
                BadAuthenticators      :0
                AccessRetransmissions  :5
                AccessAccepts          :0
                Timeouts               :6
                AccessRejects          :0
                UnknownPDUTypes        :0
AccessChallenges       :0
                RoundTripTime          :0
                AccessRequests         :2
                BadAuthenticators      :0
                AccessRetransmissions  :9
                AccessAccepts          :0
                Timeouts               :10
                AccessRejects          :0
                UnknownPDUTypes        :0
                AccessChallenges       :0

The following is an example of the show radius accounting command output.

ORACLE# show radius accounting

*********Client Display Start************
Client State = READY, strategy=Hunt
listening on
max message delay = 60 s, # of servers = 2 
================= Waiting Queue ================
Waiting size = 89 
----------------- ------------------
Remote =, Local =, sock=45 (BOUND)
conn state=READY, RTT=250 ms
Min Rtt=250 ms, Max inactivity=60 s, expires at Nov 21 13:50:19.582, Restart delay=30 s 
----------------- ------------------
Remote =, Local =, sock=46 (BOUND)
conn state=DISABLED, RTT=0 ms
Min Rtt=250 ms, Max inactivity=60 s, expires at Nov 21 13:50:19.569, Restart delay=30 s 
*********Client Display End************

The following is an example of the show radius all command output.

ORACLE# show radius all
*********Client Display Start************
Client State = READY, strategy=Hunt
listening on
max message delay = 60 s, # of servers = 2 
================= Waiting Queue ================
Waiting size = 89 
----------------- ------------------
Remote =, Local =, sock=45 (BOUND)
conn state=READY, RTT=250 ms
Min Rtt=250 ms, Max inactivity=60 s, expires at Nov 21 13:50:19.582, Restart delay=30 s 
----------------- ------------------
Remote =, Local =, sock=46 (BOUND)
conn state=DISABLED, RTT=0 ms
Min Rtt=250 ms, Max inactivity=60 s, expires at Nov 21 13:50:19.569, Restart delay=30 s 
*********Client Display End************
Active Primary Authentication Servers:
   server ipAddr:
Active Secondary Authentication Servers:
   server ipAddr:
Authentication Statistics:
                RoundTripTime          :0
                AccessRequests         :2
                BadAuthenticators      :0
                AccessRetransmissions  :5
                AccessAccepts          :0
                Timeouts               :6
                AccessRejects          :0
                UnknownPDUTypes        :0
AccessChallenges       :0
                RoundTripTime          :0
                AccessRequests         :2
                BadAuthenticators      :0
                AccessRetransmissions  :9
                AccessAccepts          :0
                Timeouts               :10
                AccessRejects          :0
                UnknownPDUTypes        :0
                AccessChallenges       :0

RADIUS Connection Down Alarm

The following table lists the alarm generated when the RADIUS accounting connection is down.

Alarm Name Alarm ID Alarm Severity Cause(s) Example Log Message Actions
RADIUS ACCOUNTING CONNECTION DOWN 327681 CRITICAL: if all enabled and configured Remote Authentication Dial-in User Service (RADIUS) accounting server connections have timed-out without response from the RADIUS server

MAJOR: if some, but not all configured RADIUS accounting server connections have timed-out without response from the RADIUS server.

The enabled connections to RADIUS servers have timed-out without a response from the RADIUS server. CRITICAL: All enabled accounting connections have been lost! Check accounting status for more details.

MAJOR: One or more enabled accounting connections have been lost! Check accounting status for more details.

apSyslogMessageGenerated trap generated

apSysMgmtRadiusDownTrap trap generated


Security Breach Statistics

You can view statistics about denied ACL entries by using the following commands:

  • acl-show
  • show acl

Some forms of the show acl command includes a line showing the number of static plus dynamic entries that are "not allocated due to ACL constraints". The system tracks this statistic for each type of entry including media, trusted, untrusted and denied. For each type, the system displays the number of ACLs that could not be created by the system, because they would exceed the maximum supported by your system's resources. Dynamic and static maximums are displayed in the show platform limits command.

For example, the number presented by Denied Entries not allocated by the system is the number of deny ACLs that are not allocated and listed in the output because system reached its Deny Entries limit.

Viewing List of Denied ACL Entries

Display a list of denied ACL entries by using the acl-show command. If a IP address and realm ID is denied of service, its is added to the deny list. This command shows list of deny ACL entries. Information for each entry includes:

  • Incoming port, slot, and VLAN tag
  • Source IP, bit mask, port, and port mask
  • Destination IP address and port
  • Protocol
  • ACL entry as static or dynamic
  • ACL entry index

For example:

ORACLE# acl-show
deny entries:
intf:vlan source-ip/mask:port/mask dest-ip/mask:port/mask   prot type    index
Total number of deny entries = 0
Denied Entries not allocated due to ACL constraints:     0
task done

Viewing ACL List Entries

Display entries in the deny, untrusted, and trusted lists using the show acl command.

  • show acl denied
  • show acl untrusted
  • show acl trusted
  • show acl summary
  • show acl all
  • show acl ip

For example:

show acl denied displays summary data for denied endpoints.

ORACLE# show acl denied
Deny entries:
intf:vlan Source-IP/mask   port/mask dest-IP/mask port/mask prot type index

Total number of deny entries = 0
Denied Entries not allocated due to ACL constraints:     0

ORACLE# show acl trusted
Apr 30 17:33:05.716
Static trusted entries:
intf:vlan src-ip/mask:port dest-ip/mask:port prot type  index recv drop
0/3:3000     ICMP static    2    0    0
0/2:2000  O.0.0.0          172.16.O.123:5060 UDP  static    4    0    0
Total number of static trusted entries = 2

dynamic trusted entries:
intf:vlan source-ip/mask:port dest-ip/mask:port  prot type    index
0/3:3000 UDP  dynamic     5
Total number of dynamic trusted entries = 1

show acl summary displays cumulative and per-interface statistics on ACL traffic and drops, displaying Recent, Total and PerMax counts. The parameter also separates the display of traffic from trusted versus untrusted sites.

ORACLEshow acl summary

          ---------------- ACL  Stats Overall     ---------------------
           Entries          Packets                         Dropped
                     Recent    Total    PerMax    Recent    Total  PerMax
Trusted          0      292      292       292         0        0       0
Untrusted        2       65       65        49         0        0       0

          -------------------- ACL Stats Per Interface ------------------
            Entries         Packets                         Dropped
                     Recent    Total    PerMax    Recent    Total  PerMax
Slot 0 /Port 0
Trusted          0      164      164       164         0        0       0
Untrusted        1       37       37        29         0        0       0

Slot 0 /Port 1
Trusted          0      128      128       128         0        0       0
Untrusted        1       28       28        20         0        0       0

Column definitions for this parameter include:

  • Recent—-Number of packets or drops accumulated in the most recent 5 minute interval. Note that this interval is not configurable and is not calculated via the command output's time stamp
  • Total—Number of packets or drops accumulated since last reboot.
  • PerMax—Highest number of SIP messages and/or events that occurred during a single time period since the system was last rebooted.Identifies the highest individual Period Totals since the system was last rebooted.

show acl all displays summary data for denied endpoints, static trusted endpoints, and dynamic trusted endpoints.

ORACLE# show ad all
Deny entries: 
intf:vlan src-IP/mask port/mask dest-IP/mask port/mask prot type index

Total number of deny entries = 0

Static trusted entries:
intf:vlan src-IP/mask:port dest-IP/mask:port prot type   index recv drop
0/0:0          192,1680,80       ICMP static 65536    0    0
1/0:0       ICMP static 65537    0    0

Total number of static trusted entries = 2

dynamic trusted entries:
intf:vlan src-IP/mask port dest-IP/mask port prot type   index recv drop
0/0:0      ICMP static 65536    0    0
1/0:0       ICMP static 65537    0    0

Total number of dynamic trusted entries = 2

untrusted entries:
intf:vlan src-IP/mask port  dest-IP/mask  port  prot  type    index
0/0:0   5060  UDP   static  65538
1/0:0    5060  UDP   static  65539

Total number of untrusted entries = 2

Total deny entries:             0 (0 dropped)
Total media entries:            3
Total static trusted entries:   2 (0 dropped)
Total dynamic trusted entries:  2 (0 dropped)
Total untrusted entries:        2 (0 dropped)
Total INTFC table entries:      0

Media Entries not allocated due to ACL constraints:      0
Trusted Entries not allocated due to ACL constraints:    0
untrusted Entries not allocated due to ACL constraints:  0
Denied Entries not allocated due to ACL constraints:     0

Viewing ACL List Entries by IP Address

You can filter the output of show acl all based on IP address. For example:

ORACLE# show acl ip
deny entries:
intf:vlan src-ip/mask:port/mask dest-ip/mask:port/mask prot type index
Total number of deny entries = 0
trusted entries:
intf:vlan src-ip/mask:port/mask dest-ip/mask:port/mask prot type index recv drop
Total number of trusted entries = 0
untrusted entries:
intf:vlan src-ip/mask:port/mask dest-ip/mask:port/mask prot type index
Total number of untrusted entries = 0

Viewing ACL Entry Space in the CAM

Display how much space is used in the CAM for ACL entries, in a percentage and raw value breakdown of the use, by using the show acl info command. For example:

ORACLE# show acl info
Access Control List Statistics: 

                   | # of entries | % utilization | Reserved Entry Count 
Denied             |     0             0.0%                 32000 
Trusted            |     0             0.0%                  8000 
Media              |     1             0.0%                 64000 
Untrusted          |     0             0.0%                  2000 
Dynamic Trusted    |     0             0.0%                250000 
INTFC              |     1              -                     - 
Total CAM space used = 2 of 126976 (100.00% free) 
Total HASH-table space used = 0 of 250050 (100.00% free) 
Media Entries not allocated due to ACL constraints:        0 
Trusted Entries not allocated due to ACL constraints:      0 
Untrusted Entries not allocated due to ACL constraints:    0 
Denied Entries not allocated due to ACL constraints:       0