Log Messages

Check Point products provide you with the ability to collect comprehensive information on your network activity in the form of logs. You can audit these logs at any given time, analyze your traffic patterns and troubleshoot networking and security issues. Familiarizing yourself with the logs can help you understand and learn the status of your network, as well as resolve problems you are experiencing with the system. Reviewing traffic logs is a very important aspect of security management, and should get careful attention.

Carrier Security Log Messages

This section contains a list of Carrier Security log messages and resolutions, listed alphabetically. You may encounter self-explanatory log messages that are not included here.

Each entry below lists the Log Message, then its Meaning, then its Resolution.

Duplicate sequence number

This G-PDU carries a duplicated sequence number.

Enforcement of G-PDU sequence numbers is determined in the Carrier Security page of the Global Properties window.

It is also possible to change the drop and alert behavior of the rate limiting feature by editing the gtp_sequence_deviation_drop and gtp_sequence_deviation_alert properties with the GuiDBedit tool.

Echo Request not within time limit

An echo request was received too close to a previous echo request. This echo request will be dropped.

This will happen only if you set the value of the gtp_echo_frequency property to the number of seconds required between Echo Requests. You can use this parameter to protect against Echo Request Flooding.

Echo Request on a path which is not in use

An echo request was received on a path (SGSN-GGSN pair) that currently has no active PDP Context. The request will be dropped.

This happens if you set the value of the gtp_echo_requires_path_in_use property. By default such Echo Requests are not dropped.

GTP quota threshold alert: too many packets

This packet (PDU) exceeded the Signaling Rate Limit defined for the indicated destination host.

This could be the result of a Signaling flood attack. If this happens during normal operation, it might be advisable to increase Enforce GTP Signal packet rate limit for this GSN entity in the Carrier Security page of the Workstation Properties window, or to increase Rate limit sampling interval in the Carrier Security page of the Global Properties window. It is also possible to change the drop and alert behavior of the rate limiting feature by editing the gtp_rate_limit_drop and gtp_rate_limit_alert properties using the GuiDBedit tool.

GTP: T-PDU is a GTP message

This T-PDU packet (the internal packet of a G-PDU) is itself a GTP packet. This may indicate an attempt to inject GTP packets into the system.

If you do want to allow this type of packet, check Allow GTP in GTP in the Carrier Security page of the Global Properties tab (equivalent to setting block_gtp_in_gtp to 0).

GTP: Invalid End User IP Address

This T-PDU packet (the internal packet of a G-PDU) has an end user IP address that does not match the end user IP address of the PDP context associated with this G-PDU packet.

Uncheck the Enforce GTP AntiSpoofing property in the Carrier Security page of the Global Properties window (this is equivalent to setting the gtp_anti_spoofing property to 0).

To uncheck only GTP IPv6 AntiSpoofing, set the gtp_ipv6_anti_spoofing property to 0.

GTP intra-tunnel Inspection: Forbidden MS-to-MS traffic

The end user address of this T-PDU does not conform to the end user Domain Policy defined for the APN of the PDP Context associated with this G-PDU packet.

Change the end user Domain Policy in the APN Properties window.

Illegal Handover

An Update Request was initiated from a new SGSN (source IP) which is not in the Handover group of the old SGSN of the tunnel. You can see the new SGSN IP in the Source column and the old SGSN IP in the SGSN Signal column.

Adjust the GSN Handover Group definitions in the GSN Handover Group window.

Illegal Handover GSN Signaling

Illegal redirection attempt for GSN signaling. The GSN Signaling Information Element IP is not in the same Handover group as the Source IP of the message. You can see both IPs in the log.

Adjust the GSN Handover Group definitions in the GSN Handover Group window.

Illegal Handover - GSN Traffic

Illegal redirection attempt for GSN traffic. The GSN traffic Information Element IP is not in the same Handover group as the source IP of the message. You can see both IPs in the log.

Adjust the GSN Handover Group definitions in the GSN Handover Group window.

Illegal Handover Recreate PDPC

This "Create PDP Context Request" PDU did not conform to the handover policy.

If the gtp_allow_recreate_pdpc property is set to open, the policy allows recreating a tunnel using SGSN addresses complying with the SGSN handover policy.

GSN handover and GSN redirection are only allowed within a GSN Handover Group.

If this PDU does conform to your handover policy, adjust the GSN Handover Group definitions in the GSN Handover Group window.

Illegal response cause

The response cause in this response message is illegal for this message type.

 

Invalid G-PDU

Relevant for V0 G-PDUs. The SGSN IP, GGSN IP or Flow Label of the G-PDU does not match the definitions of the tunnel the G-PDU belongs to. (Tunnel association is according to TID.)

You can remove flow label compliance on the Carrier Security page of the Global Properties window. However if the Flow Labels are wrong, it is recommended to investigate the cause. IP checking cannot be disabled.

Invalid Signaling Recreate Req PDU

Relevant for V0. There was an attempt to create a PDP Context of an already established tunnel.

The recreate policy of established tunnels is determined by the gtp_allow_recreate_pdpc property.

A strict policy allows recreating a tunnel using only the identical GSN addresses. If a tunnel is recreated using different GSN addresses while a strict "Re-Create" policy is in effect, the create is dropped and this message is logged. An open policy allows GSN handover for tunnel recreations.

Invalid Signaling Req PDU

Relevant for V0 Delete Request, V0 Update Request, and V0->V1 Update Request. Either the source IP address, dest. IP address, or flow label does not match those of the tunnel (TID) to which the packet belongs.

Flow label verification can be disabled by deselecting the Verify Flow Label setting, found in the Carrier Security tab of Global Properties. IP checking cannot be disabled.

Invalid Signaling Flow Label PDU (Update Resp)

V0 Update Resp. The flow label does not match the tunnel (TID) to which the packet belongs.

Flow label verification can be disabled by deselecting the Verify Flow Label setting, found in the Carrier Security tab of Global Properties. IP checking cannot be disabled.

 

Invalid Signaling Flow Label PDU (Create Resp)

V0 Create Resp. The flow label does not match the tunnel (TID) to which the packet belongs.

Flow label verification can be disabled by deselecting the Verify Flow Label setting, found in the Carrier Security tab of Global Properties. IP checking cannot be disabled.

 

Invalid Signaling Flow Label PDU (Delete Resp)

V0 Delete Resp. The flow label does not match the tunnel (TID) to which the packet belongs.

Flow label verification can be disabled by deselecting the Verify Flow Label setting, found in the Carrier Security tab of Global Properties. IP checking cannot be disabled.

 

IP is not in the APN domain

The assigned static or dynamic end user IP is not part of the end user Domain defined for the related APN.

This packet is dropped according to the APN end user Domain defined in SmartConsole.

Malformed Path Management PDU

This Path management PDU does not conform to GTP standards.

Path management PDUs are verified against GTP Release 1997 and 1999 Standards.

 

No Match on Create PDP Context PDU

A "Create PDP Context Request" PDU was not matched on the Rule Base.

The allowed types of "Create PDP Context Request" PDUs are defined in the Rule Base using Source, Destination and the Advanced GTP Service Properties window.

If the combination of the above in the dropped PDU should have been allowed, please review your Rule Base to allow this traffic.

If the last rule in the Security Policy Rule Base is an "Accept" rule, set Produce extended log on unmatched PDUs to "Last" instead of "Before Last" in the Carrier Security page of the Global Properties window.

Out of range sequence number

This G-PDU carries an out-of-range sequence number.

Enforcement of G-PDU sequence numbers is determined in the Carrier Security page of the Global Properties window, where you can also define the maximum allowed deviation for all Carrier Security Gateways.

Also, it is possible to change the drop and alert behavior of the rate limiting feature by editing gtp_sequence_deviation_drop and gtp_sequence_deviation_alert properties using the GUI Dbedit tool.

Packet or some Information Element is shorter than expected

During stateful inspection, this packet (PDU) was shorter than expected.

This packet does not have the minimal length to hold the GTP header information, or the packet size is smaller than indicated by the length field in the GTP header.

Passed maximum create request

Too many re-transmissions of the same create request were received (while create response not received yet by the Carrier Security Gateway). This request packet will be dropped.

Set the gtp_max_req_retransmit variable to the number of allowed outstanding re-transmits.

Passed maximum delete request

Too many re-transmissions of the same delete request were received (while delete response not received yet by the Carrier Security Gateway). This request packet will be dropped.

This can occur if the Carrier Security Gateway is configured to close all end user connections using the SAM API.

Set the gtp_max_req_retransmit variable to the number of allowed outstanding re-transmits.

Passed maximum update request

Too many re-transmissions of the same update request were received (while update response not received yet by the Carrier Security Gateway). This request packet will be dropped.

Set the gtp_max_req_retransmit variable to the number of allowed outstanding re-transmits.

re-using TEID Control Downlink

The specified TEID of this tunnel create attempt is in use by another tunnel (for the same SGSN-GGSN pair). The new tunnel is created.

If the attribute gtp_allow_recreate_pdpc is set to strict, the new tunnel is not created in this case.

re-using TEID Data Downlink

The specified TEID of this tunnel create attempt is in use by another tunnel (for the same SGSN-GGSN pair). The new tunnel is created.

If the attribute gtp_allow_recreate_pdpc is set to strict, the new tunnel is not created in this case.

re-using TEID Data Uplink

The specified TEID of this tunnel create attempt is in use by another tunnel (for the same SGSN-GGSN pair). The new tunnel is created.

If the attribute gtp_allow_recreate_pdpc is set to strict, the new tunnel is not created in this case.

re-using TEID Control Uplink

The specified TEID of this tunnel create attempt is in use by another tunnel (for the same SGSN-GGSN pair). The new tunnel is created.

If the attribute gtp_allow_recreate_pdpc is set to strict, the new tunnel is not created in this case.

re-using TEID Control Uplink, SRC=0

The specified TEID of this tunnel create attempt is in use by another tunnel (for the same SGSN-GGSN pair). The new tunnel is created.

If the attribute gtp_allow_recreate_pdpc is set to strict, the new tunnel is not created in this case.

Request/ Response Mismatch

This Signaling Response PDU carries a wrong Sequence number or does not match any Signaling Request.

Signaling Response PDUs must match a previously approved Signaling Request PDU in order to pass the Carrier Security Gateway. This cannot be configured.

TEID 0 not allowed for Update message type

A V1 Update Request has TEID 0. This is valid only for V0 to V1 handover cases. However the imsi and nsapi Information Elements of this Request do not match an existing V0 tunnel.

This packet will be dropped.

TID 0 not allowed for this message type

A Signaling PDU carries a NULL TID violating the GTP protocol.

This packet violated basic packet integrity and will not pass through the Carrier Security Gateway.

Unestablished Tunnel

This signaling or data packet belongs to an unestablished tunnel.

  • For V0, the packet has a Tunnel ID (TID) of an Unknown PDP Context.

  • For V1, the packet has a Tunnel EndPoint Identifier (TEID) of an Unknown PDP Context.

PDUs can only pass the Carrier Security Gateway if they carry a Tunnel ID (V0) or a Tunnel EndPoint ID (V1) of a previously established PDP context that was not yet terminated. This packet violates basic tunnel integrity and will not be allowed.

Unknown GTP Message Type

This packet constitutes an unsupported GTP Signaling message.

 

Unsupported version

A GTP packet with version other than V0 or V1 was received.

The packet will be dropped.
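The length and version checks behind "Packet or some Information Element is shorter than expected" and "Unsupported version" can be reproduced on captured UDP payloads. The following Python sketch is an added example, not Check Point code; the function name and the sample packets are constructed, and it assumes GTP with the protocol type bit set (not GTP').

```python
import struct

SHORT = "Packet or some Information Element is shorter than expected"
BAD_VERSION = "Unsupported version"
V0_HEADER = 20       # GTPv0: fixed 20-byte header
V1_MANDATORY = 8     # GTPv1: flags, type, length, TEID
V1_OPTIONAL = 4      # GTPv1: sequence, N-PDU number, next extension type


def check_gtp_header(packet: bytes) -> str:
    """Return "ok" or the log message for the integrity check that fails."""
    if len(packet) < 4:                       # need flags, type and length
        return SHORT
    flags, _msg_type, length = struct.unpack_from("!BBH", packet, 0)
    version = flags >> 5                      # top three bits of octet 1
    if version == 0:
        header_len = V0_HEADER
        declared_end = V0_HEADER + length     # length excludes the v0 header
    elif version == 1:
        # Any of the E, S or PN flags adds the 4 optional octets, and the
        # length field counts everything after the 8 mandatory octets.
        header_len = V1_MANDATORY + (V1_OPTIONAL if flags & 0x07 else 0)
        declared_end = V1_MANDATORY + length
    else:
        return BAD_VERSION
    if len(packet) < header_len:              # cannot hold the header itself
        return SHORT
    if declared_end < header_len:             # length too small for the flags set
        return SHORT
    if len(packet) < declared_end:            # truncated below the length field
        return SHORT
    return "ok"


# Constructed sample packets (UDP payload bytes only).
ECHO_V1 = struct.pack("!BBHIHBB", 0x32, 1, 4, 0, 1, 0, 0)       # v1, S flag set
TRUNCATED_V1 = ECHO_V1[:10]                                     # optional octets cut
LYING_LENGTH = struct.pack("!BBHI", 0x30, 255, 40, 0x1234) + bytes(10)
ECHO_V0 = bytes([0x1E, 1, 0, 0]) + bytes(16)                    # v0, empty payload
GTPV2 = bytes([0x48, 1, 0, 4, 0, 0, 0, 0])                      # version field = 2

if __name__ == "__main__":
    for name, pkt in [("ECHO_V1", ECHO_V1), ("TRUNCATED_V1", TRUNCATED_V1),
                      ("LYING_LENGTH", LYING_LENGTH), ("ECHO_V0", ECHO_V0),
                      ("GTPV2", GTPV2)]:
        print(f"{name:13} {check_gtp_header(pkt)}")
```
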

Adding Information Elements to Logs

Carrier Security 6.0 provides the option of including certain Information Elements to logs with GTP information. These Information Elements are:

  • RAT - (Radio Access Type)

  • IMEI-SV (International Mobile Equipment Identity - Software Version)

  • MS-Time Zone

  • Mobile User Location

To add these Information Elements to the log, use the GuiDBedit database tool to set the attribute gtp_log_additional_fields to true. The default setting is false.