ETCR: TCP/IP Connection Refused

The Connection Refused Audit Message indicates that an incoming TCP/IP connection attempt was not allowed.

The node generates this message whenever it refuses a connection. Inbound connections can fail for several reasons, which are listed under the Result Code (RSLT) field below.

| Code | Field | Description |
|------|-------|-------------|
| SEID | Service Identifier | The unique identifier of the service to which the connection was attempted. Values of interest include: HING (HTTP Ingest Service), HCLN (HTTP Query/Retrieve Service), NCON (Neighbor Connection Service). |
| CNDR | Connection Direction | Indicates that the connection was opened by a remote host. INBO: connection initiated by a remote host connecting to the node. |
| SVIP | Destination Service Port | The port to which the connection attempt was made. |
| DAIP | Destination IP Address | The IP address to which the connection attempt was made (remote IP address). |
| SAIP | Source IP Address | The IP address from which the connection attempt was made (local IP address). |
| CNID | Connection Identifier | The unique identifier of the attempted connection. |
| RSLT | Result Code | Why the attempted connection was refused. IPAR: inbound IP address was not from allowed range. ATHF: TCP/IP connection-level authentication failure. |

For incoming connections, this audit message means that a connection was not successfully established at the lowest level due to a security violation. When this message is received, the corresponding user was not able to access the service and the TCP/IP connection was closed. The most common reporting use of this message is to detect unauthorized attempts to access services running on the system from foreign IP addresses that have not been explicitly given access to the service.
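
The reporting use described above can be sketched as a small log summarizer. This is an added example, not part of the product documentation: the `[CODE(TYPE):VALUE]` line layout, the `ATYP` message-type field, the sample lines, the function names and the threshold are all assumptions to adapt to your own audit log export.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation IP ranges). The bracketed
# [CODE(TYPE):VALUE] layout and the ATYP field are assumptions of this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01 [AUDT:[SEID(FC32):HING][CNDR(FC32):INBO][SVIP(UI32):8082][SAIP(IPAD):203.0.113.7][CNID(UI64):101][RSLT(FC32):IPAR][ATYP(FC32):ETCR]]
2024-01-01T10:00:02 [AUDT:[SEID(FC32):HING][CNDR(FC32):INBO][SVIP(UI32):8082][SAIP(IPAD):203.0.113.7][CNID(UI64):102][RSLT(FC32):IPAR][ATYP(FC32):ETCR]]
2024-01-01T10:00:03 [AUDT:[SEID(FC32):HING][CNDR(FC32):INBO][SVIP(UI32):8082][SAIP(IPAD):203.0.113.7][CNID(UI64):103][RSLT(FC32):IPAR][ATYP(FC32):ETCR]]
2024-01-01T10:05:00 [AUDT:[SEID(FC32):HCLN][CNDR(FC32):INBO][SVIP(UI32):8083][SAIP(IPAD):198.51.100.20][CNID(UI64):104][RSLT(FC32):ATHF][ATYP(FC32):ETCR]]
2024-01-01T10:06:00 [AUDT:[SEID(FC32):HING][CNID(UI64):105][RSLT(FC32):SUCS][ATYP(FC32):OTHR]]
"""

# One field: [CODE(TYPE):VALUE], with optional double quotes around VALUE.
FIELD_RE = re.compile(r'\[([A-Z0-9]{4})\([A-Z0-9]+\):"?([^"\]]*)"?\]')


def parse_line(line):
    """Return {code: value} for every bracketed field found in one log line."""
    return dict(FIELD_RE.findall(line))


def refused_by_source(log_text):
    """Count inbound ETCR refusals per (SAIP, SEID), split by RSLT reason."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("ATYP") != "ETCR" or rec.get("CNDR") != "INBO":
            continue  # not a refused inbound connection
        key = (rec.get("SAIP", "?"), rec.get("SEID", "?"))
        counts[key][rec.get("RSLT", "?")] += 1
    return counts


def flag_sources(counts, threshold=3):
    """Return sources with at least `threshold` refusals against one service."""
    flagged = []
    for (saip, seid), reasons in counts.items():
        total = sum(reasons.values())
        if total >= threshold:
            flagged.append((saip, seid, total, dict(reasons)))
    return sorted(flagged, key=lambda f: -f[2])


if __name__ == "__main__":
    for saip, seid, total, reasons in flag_sources(refused_by_source(SAMPLE_LOG)):
        print(f"{saip} -> {seid}: {total} refused ({reasons})")
```

Splitting the count by RSLT separates sources outside the allowed range (IPAR) from sources that reached the service but failed connection-level authentication (ATHF), which usually call for different follow-up.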