System Log Messages Reference


This document describes some of the most common log messages you may encounter when using the UTT Router.      

Ethernet Interface Up 

  Message Ethernet Up {ie0 | ie1 | ie2 }
  Explanation This message is generated when a physical interface is enabled. ie0: LAN; ie1: WAN; ie2: WAN2.
  Cause
  1. The system is up.
  2. The related settings are changed (especially via Web UI).
  Example Ethernet Up ie0

 MAC Address Change 

  Message MAC New <mac_address> MAC Old ARP SPOOF
  Explanation This message is generated when an internal device’s MAC address changes. The first line shows the new MAC address of the device. The second line shows the old MAC address of the device. The third line shows the IP address of the device.
  Cause  
  1. An internal device has two network cards: an internal server has two network cards bonded together, appearing as a single network interface with a single IP address, which can increase throughput and availability. In this case, multiple duplicate MAC address change messages are generated for that server. For example:
     00:04:48 mac new 00:e0:4c:8b:08:47
     00:04:48 mac old 00:e0:4c:8b:25:eb
     00:04:48 arp spoof 192.168.1.26
     00:04:46 mac new 00:e0:4c:8b:25:eb
     00:04:46 mac old 00:e0:4c:8b:08:47
     00:04:46 arp spoof 192.168.1.26
     00:04:44 mac new 00:e0:4c:8b:08:47
     00:04:44 mac old 00:e0:4c:8b:25:eb
     00:04:44 arp spoof 192.168.1.26
  2. An internal device’s MAC address is changed manually, or its network card is changed. In either case, only one MAC address change message is generated for that device.
  3. ARP spoofing attacks: an ARP spoofing Trojan program (such as the Legend of hacking software) is running on an internal device. In this case, multiple MAC address change messages are generated for that device, where either the old or the new MAC address is the same, but not both. For example:
     00:04:44 mac old 00:01:6c:32:94:f1
     00:04:44 mac new 00:05:5d:60:c7:18
     00:04:44 arp spoof 10.128.103.124
     00:04:44 mac old 00:01:6c:36:d1:7f
     00:04:44 mac new 00:05:5d:60:c7:18
     00:04:44 arp spoof 10.128.103.123
     00:04:44 mac old 00:05:5d:e7:d6:19
     00:04:44 mac new 00:05:5d:60:c7:18
     00:04:44 arp spoof 10.128.103.93
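
The following is an added example, not part of the original reference and not UTT code: one way to triage MAC address change messages along the three causes listed above. The classification rules are an assumed reading of those causes, and the function names and the 192.168.1.50 event are constructed for illustration.

```python
import re
from collections import defaultdict
# First four events are log lines from this page; the 192.168.1.50 event is constructed.
SAMPLE = """\
00:04:48 mac new 00:e0:4c:8b:08:47
00:04:48 mac old 00:e0:4c:8b:25:eb
00:04:48 arp spoof 192.168.1.26
00:04:46 mac new 00:e0:4c:8b:25:eb
00:04:46 mac old 00:e0:4c:8b:08:47
00:04:46 arp spoof 192.168.1.26
00:04:44 mac old 00:01:6c:32:94:f1
00:04:44 mac new 00:05:5d:60:c7:18
00:04:44 arp spoof 10.128.103.124
00:04:44 mac old 00:01:6c:36:d1:7f
00:04:44 mac new 00:05:5d:60:c7:18
00:04:44 arp spoof 10.128.103.123
09:15:02 mac new 02:00:00:00:00:02
09:15:02 mac old 02:00:00:00:00:01
09:15:02 arp spoof 192.168.1.50
"""
ENTRY = re.compile(r"(mac new|mac old|arp spoof)\s+(\S+)")

def parse_events(text):
    """Return (ip, old_mac, new_mac) tuples; the 'arp spoof' line closes each event."""
    events, cur = [], {}
    for kind, value in ENTRY.findall(text.lower()):
        cur[kind] = value
        if kind == "arp spoof":
            if {"mac new", "mac old"} <= cur.keys():
                events.append((value, cur["mac old"], cur["mac new"]))
            cur = {}  # drop incomplete groups instead of carrying them forward
    return events

def classify(events):
    """Map each IP to the cause its change pattern most resembles (assumed heuristic)."""
    by_ip, ips_by_new = defaultdict(list), defaultdict(set)
    for ip, old, new in events:
        by_ip[ip].append((old, new))
        ips_by_new[new].add(ip)
    verdicts = {}
    for ip, changes in by_ip.items():
        # "exclusive": no new MAC seen for this IP is also claimed for another IP
        exclusive = all(len(ips_by_new[new]) == 1 for _, new in changes)
        if exclusive and len(changes) == 1:
            verdicts[ip] = "single change"
        elif exclusive and len({m for pair in changes for m in pair}) == 2:
            verdicts[ip] = "alternating pair (bonded NICs?)"
        else:
            verdicts[ip] = "suspected ARP spoofing"
    return verdicts
```

Two MACs alternating on one IP is also what a spoofer competing with the legitimate host looks like, so confirm an "alternating pair" verdict against the host's known adapters before dismissing it.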

 IP Address Conflict (1) 

  Message MAC New <mac_address> IP InUse
  Explanation This message is generated when an IP address conflict occurs, that is, the received ARP packet has the same source IP address as an existing ARP entry, but a different source MAC address. The first line shows the new MAC address associated with the conflicted IP address. The second line shows the conflicted IP address.
  Cause
  1. The internal network suffers ARP spoofing attacks.
  2. There are two devices that have the same IP address but different MAC addresses.
  Recommended Action   Check whether IP addresses are planned wrongly or whether the network suffers ARP spoofing attacks. To prevent ARP spoofing attacks, we strongly suggest you bind the IP and MAC address of all internal devices on the Router, and bind the IP and MAC address of the Router’s LAN interface on each internal device.
  Example MAC New 00:e0:4c:8b:08:47 IP InUse 192.168.1.26

 IP Address Conflict (2) 

  Message ARP SPOOF <mac_address> IP InUse
  Explanation This message is similar to the previous one, see the above message for details.
  Cause
  Recommended Action
  Example ARP SPOOF 00:22:aa:40:17:11 IP InUse 192.168.1.1
  In this example, the conflicted IP address is the IP address of the Router’s LAN interface. The cause is that the internal network suffers ARP spoofing attacks, or there is an internal device that has the same IP address as the Router’s LAN interface.

 DHCP IP Address Conflict 

  Message DHCP:IP conflicted arp:
  Explanation This message is generated when a DHCP IP address conflict occurs.
  Cause When acting as a DHCP server, the Router detects that an IP address is already in use before assigning it to a DHCP client device, and then the Router will try to assign another IP address to the device.
  Example DHCP:IP conflicted arp:192.168.16.47

 NAT Exceeded 

  Message NAT exceeded
  Explanation This message is generated when a host exceeds the maximum NAT sessions allowed. The NAT session limit feature (configured in the Security > NAT Session Limit page) can help the Router to prevent DDoS attacks. If a user exceeds the maximum number of concurrent sessions allowed, any further request to create a new session will be discarded. At the same time, the “NAT exceeded” message will be generated, and the Overflow (found in the NAT Statistics list in the Status > NAT Stats page) will be updated synchronously.
  Cause
  1. A host is performing a DDoS attack or is infected with a worm virus, such as blaster virus, SQL worm, etc.
  2. When a P2P or certain game software (like CS) is starting up, it will initiate a lot of connections with other peers. However, after the software has started up, it will return to normal.
  3. If a host using several hundred sessions suddenly crashes or is powered off, those sessions remain in the NAT list of the Router until they time out. During this time, if the host accesses the Internet again, it is likely to exceed the maximum number of NAT sessions allowed.
  Recommended Action Go to the Status > Session Monitor page to view and analyze the Internet activities of the user, to determine what caused the message.
  Example NAT exceeded 192.168.16.221

 Route Up 

  Message Route Up /{eth2 | eth3 | }
  Explanation This message is generated when the static route on the specified physical interface becomes active. This is usually because the corresponding Internet connection goes up. eth2: WAN; eth3: WAN2.
  Cause When using multiple Internet connections (on which connection detection is enabled), if the Router detects that an Internet connection is back to normal, the static route associated with the Internet connection becomes active.
  Example Route Up 221.12.134.145/eth2

 Route Down 

  Message Route Down / {eth2 | eth3}
  Explanation This message is generated when the static route on the specified physical interface becomes inactive. This is usually because the corresponding Internet connection goes down. eth2: WAN; eth3: WAN2.
  Cause When using multiple Internet connections (on which connection detection is enabled), if the Router detects that an Internet connection is faulty, the static route associated with the Internet connection becomes inactive.
  Example Route Down 221.12.134.145/eth2

ARP Exceeded 

  Message ARP exceeded
  Explanation This message is generated when the system could not add an ARP entry for the new IP address, because the ARP table is full. The ARP table size (that is, the maximum number of ARP entries supported) depends on the product model. Please refer to http://www.uttglobal.com/productsheet.php for details.
  Cause The number of internal hosts exceeds the size of the ARP table. If the ARP table is full, the system cannot add an ARP entry for a new IP address, thus the host with that IP address cannot access the Internet through the Router.
  An ARP DoS attack or ARP scan software is running on an internal host. You can go to the Web UI > Status > NAT Stats page to view the NAT Statistics list. If an internal host’s Tx Broadcast Packets value is very large, the host is suspected of running ARP DoS attack or ARP scan software, which will cause the ARP table to become full. As a result, some (even many) internal users will be unable to access the Internet through the Router.
  Example ARP exceeded 192.168.18.254

  
PPPoE 

The following table lists the most common messages that might appear during PPPoE session establishment.

  Message                                 Explanation
  Session Up                              The PPPoE session is established successfully.
  PPPoE Up                                The PPPoE connection is established successfully. : the peer’s MAC address, e.g., 00:0c:f8:f9:66:c6.
  Call Connected, on Line1, on Channel 0  The physical layer and data link layer connections are established, but IP still cannot be used.
  Outgoing Call @61:1-1                   The Router (acting as PPPoE client) starts dialing out.
  Call Terminated @clearSession: 1        The Router fails to dial out, which is usually due to wrong user name, password, PPP authentication mode or other PPP layer error.
  PPPoE Up                                The PPPoE connection is established successfully. (e.g., 00:0c:f8:f9:66:c6) is the MAC address of the peer.
  Call Connected, on Line1, on Channel 0  The physical layer and data link layer connections are established, but IP still cannot be used.
  Outgoing Call @61:1-1                   The Router (acting as PPPoE client) starts dialing out.
  Call Terminated @clearSession: 1        The Router fails to dial out, which is usually due to line faults.
  Outgoing Call @61:1-1                   The Router (acting as PPPoE client) starts dialing out.
  Session down                            The PPPoE session is hung up.
  Session up                              The PPPoE session is established successfully.
  Assigned to port                        The Router successfully negotiates with the remote client, and assigns a virtual port to the client.
  Call Connected, on Line1, on Channel0   The physical layer and data link layer connections are established, but IP still cannot be used.
  Incoming Call                           The Router (acting as PPPoE server) receives an incoming call initiated from a remote client.