Device alarms

This page lists all device alarms and provides for each alarm the possible root causes and guidelines to solve the associated malfunction.

Battery level threshold `001`

The power of the device battery is very low.

This alarm is automatically CLEARED if the battery level goes above 40%.

Possible root causes:
- The battery level is lower than 30% (WARNING alarm).
- The battery level is lower than 10% (CRITICAL alarm).
Guidelines:
- Recharge or change the battery of the device.

Traffic exceeds the downlink regulator settings `002`

The device is receiving too many downlink packets. Its traffic exceeds the downlink regulator settings of the connectivity plan.

This alarm is associated with an occurrence number: this is the number of downlink packets exceeding the regulator settings since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- Too many acknowledgments or downlink payloads from external IoT applications.
- The downlink regulator configuration of the connectivity plan is not aligned with the behavior of the device.
Guidelines:
- Check the downlink traffic in the RADIO TRAFFIC HISTORY and LAST 10 PACKETS widgets of the device's dashboard to verify if the device's behavior is normal.
- Reduce the number of acknowledgments and downlink payloads sent from external IoT applications.
- If the device is not configured with the right connectivity plan, change it. To learn more, see Viewing connectivity plan.
- If the alarm persists, contact your support.

Traffic exceeds the uplink regulator settings `003`

The device is sending too many uplink packets. Its traffic exceeds the uplink regulator settings of the connectivity plan.

This alarm is associated with an occurrence number: this is the number of uplink packets exceeding the regulator settings since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is wrongly configured and sends too many uplink packets. It may quickly discharge its battery.
- The uplink regulator configuration of the connectivity plan is not aligned with the behavior of the device.
Guidelines:
- Check the uplink traffic in the RADIO TRAFFIC HISTORY and LAST 10 PACKETS widgets of the device's dashboard to verify if the device's behavior is normal.
- Reduce the number of uplink packets sent by the device.
- If the device is not configured with the right connectivity plan, change it. To learn more, see Viewing connectivity plan.
- If the alarm persists, contact your support.

No uplink activity `004`

ThingPark did not receive any uplink frame from the device for the configured duration. To learn more about the configuration of this alarm, see Configuring the "no uplink activity" alarm.

Possible root causes:
- The device was wrongly provisioned.
- The device cannot catch the LoRaWAN® network due to bad RF coverage.
- The device is turned-off.
- The device has no power or power too low to transmit packets.
Guidelines:
- If the device was wrongly provisioned, a Wrong MIC detected in Join request 008 alarm or a Wrong MIC detected in Uplink frame 016 alarm should have been raised. In this case, remove and re-provision the device with the right settings. To learn more about device provisioning, see Activating new devices.
- Check the RF network coverage of the device and move the device if necessary.
- Check if the device is switched-on.
- If the power level of the device is low, a Battery level threshold 001 alarm should have been raised. In this case, recharge or change the battery of the device.
- If the alarm persists, contact your support.

Node uses higher data rate than expected `005`

The device sends packets with a too low spreading factor (for instance, SF7 instead of SF10). This alarm is only applicable if the ADR control is activated (ADR bit set to 1 in uplink frames sent by the device).

Possible root causes:
- The device's firmware does not support ADR or is configured with a fixed spreading factor.
Guidelines:
- Check the device's firmware ADR configuration (refer to the manufacturer's documentation).
- If the alarm persists, contact your support.

Node uses lower data rate than expected `006`

The device sends packets with a too high spreading factor (for instance, SF10 instead of SF8). This alarm is only applicable if the ADR control is activated (ADR bit set to 1 in uplink frames sent by the device).

Possible root causes:
- The device's firmware does not support ADR or is configured with a fixed spreading factor (this is probably the case if the severity is MAJOR).
- The device is using the spreading factor fallback procedure (also known as "data rate backoff" in LoRaWAN specification, see the note below) due to bad RF network coverage (this is probably the case if the severity is WARNING).
Guidelines:
- Check the device's firmware ADR configuration (refer to the manufacturer's documentation).
- Check the RF network coverage of the device and move the device if necessary.
- If the alarm persists, contact your support.

Data rate backoff procedure

The device tries to reconnect to the network by downgrading the data rate (for instance a device may take the decision to increase the spreading factor from SF10 to SF11 because 3 uplink packets were sent without any acknowledgement). This is typically the consequence of a too poor Signal-to-Noise Ratio (SNR).

Join request replay detected (DevNonce replay) `007`

ThingPark received a join request containing a DevNonce already used by the device. The illegitimate join request has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of join requests with DevNonce replay received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is the victim of a join request replay attack from a malicious user.
- The device sent a join request containing a DevNonce already used.
Guidelines:
- If the number of the alarm occurrences is high:
  - If the device sent a join request containing a DevNonce already used, its DevNonce implementation does not follow the LoRaWAN® MAC layer recommendations defined by the LoRa Alliance®. Reset the device context in the network server. To do so, expand the alarm in the list as explained in Viewing the list of device alarms and click on the RESET DEVICE CONTEXT button.
  - The device may be the victim of a join request replay attack. Stop the base station radio and try to identify the attacker.
  - If the replay attack risk is high, the device is strongly recommended to implement the enhanced security feature by implementing counter-based DevNonce as recommended by the LoRa Alliance in the Technical Recommendations for Preventing State Synchronization Issues around LoRaWAN® 1.0.x Join Procedure.
- If the alarm persists, contact your support.

Wrong MIC detected in Join request `008`

ThingPark received a join request containing a wrong MIC. The illegitimate join request has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of join requests containing a wrong MIC received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is the victim of a join request replay attack from a malicious user.
- The device sent a join request containing a wrong MIC possibly due to wrong device provisioning (that is, a wrong AppKey was configured).
Guidelines:
- If the number of the alarm occurrences is high,
  - If the device was wrongly provisioned, remove and re-provision the device with the right AppKey. To learn more about device provisioning, see Activating new devices.
  - Check the behavior of the device and fix it if needed.
  - The device may be the victim of a join request replay attack. Stop the base station radio and try to identify the attacker.
- If the alarm persists, contact your support.

Join request replay detected (wrong MIC correlation) `009`

ThingPark received an uplink frame for which the MIC does not match the join request previously received. The illegitimate join request has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of uplink frames with wrong MIC correlation received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is the victim of a join request replay attack from a malicious user.
Guidelines:
- If the number of the alarm occurrences is high:
  - The device may be the victim of a join request replay attack. Stop the base station radio and try to identify the attacker;
  - If the replay attack risk is high, the device is strongly recommended to implement the enhanced security feature by implementing counter-based DevNonce as recommended by the LoRa Alliance in the Technical Recommendations for Preventing State Synchronization Issues around LoRaWAN® 1.0.x Join Procedure.
- If the alarm persists, contact your support.

Uplink frame replay detected (wrong FCnt) `010`

ThingPark received an uplink frame containing a wrong FCnt. The illegitimate uplink frame has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of uplink frames containing a wrong FCnt received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is the victim of an uplink frame replay attack from a malicious user.
- If the device uses Activation-by-Personalization (ABP) and was recently reset, the reset may have not been detected by the network server.
Guidelines:
- If the number of the alarm occurrences is high, the device may be the victim of an uplink frame replay attack. Stop the base station radio and try to identify the attacker.
- If the device uses Activation-by-Personalization (ABP) and was recently reset, reset the device context in network server. To do so, expand the alarm in the list as explained in Viewing the list of device alarms and click on the RESET DEVICE CONTEXT button.
- If the alarm persists, contact your support.

Uplink frame replay detected (repeated FCnt) `011`

ThingPark received an uplink frame containing a repeated FCnt beyond the maximum number of authorized repetitions. The illegitimate uplink frame has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of uplink frames containing a repeated FCnt received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is the victim of an uplink frame replay attack from a malicious user.
- The device exceeds its maximum number of authorized repetitions.
Guidelines:
- If the number of the alarm occurrences is high,
  - Check the behavior of the device and fix it if needed;
  - The device may be the victim of an uplink frame replay attack. Stop the base station radio and try to identify the attacker.
- If the alarm persists, contact your support.

MAC command transmission blocked (transmission rejected) `012`

ThingPark blocked the transmission of the given MAC command because the device rejected it after several attempts.

Possible root causes:
- The device rejects the MAC command sent by ThingPark.
Guidelines:
- Check the behavior of the device and fix it if needed.
- If the alarm persists, contact your support.

MAC command transmission blocked (no reply) `013`

ThingPark blocked the transmission of the given MAC command because the device did not reply to it after several attempts.

Possible root causes:
- The device did not receive the MAC command sent by ThingPark.
- The device's firmware does not support the MAC command but is wrongly configured in ThingPark with a model supporting it.
Guidelines:
- Check the RF network coverage of the device and move the device if necessary.
- If the device is not configured with the right model, change it. To learn more, see Updating device parameters, and viewing/editing device details.
- If the alarm persists, contact your support.

Invalid AppEUI detected in Join request `014`

ThingPark received a join request containing an invalid JoinEUI (AppEUI). The maximum number of different JoinEUI (AppEUI) that can be used by the same device is 32. The illegitimate join request has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of join requests containing an invalid JoinEUI (AppEUI) received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The JoinEUI (AppEUI) value has changed too many times for this device.
Guidelines:
- If the device has used more than 32 different JoinEUI (AppEUI), fix it.
- If the alarms persist, contact your support.

Join request replay detected (invalid DevNonce) `015`

ThingPark received a join request containing an invalid DevNonce whereas the device is supposed to use counter-based DevNonce. The illegitimate join request has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of join requests containing an invalid DevNonce received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is the victim of a join request replay attack from a malicious user.
- The device does not increment the DevNonce on each new join request.
Guidelines:
- If the device is not configured with the right model, change it. To learn more, see Updating device parameters, and viewing/editing device details.
- If the number of the alarm occurrences is high, the device may be the victim of a join request replay attack. Stop the base station radio and try to identify the attacker.
- If the alarm persists, contact your support.

Wrong MIC detected in Uplink frame `016`

ThingPark received an uplink frame containing a wrong MIC. The illegitimate uplink frame has been dropped by ThingPark and therefore is not visible in the Wireless Logger.

This alarm is associated with an occurrence number: this is the number of uplink frames containing a wrong MIC received since the creation of the alarm. The alarm is automatically CLEARED if no new occurrence is detected during one day.

Possible root causes:
- The device is the victim of an uplink frame replay attack from a malicious user.
- The device sent an uplink frame containing a wrong MIC possibly due to wrong device provisioning (that is, a wrong NwkSKey was configured for an ABP device).
- A device belonging to another LoRaWAN® network has the same DevAddr than your device. A wrong MIC has been detected because the network server checked the MIC generated by the external device using the NwkSKey of your device.
Guidelines:
- If the number of the alarm occurrences is high,
  - If the device uses Activation-by-Personalization (ABP) and was wrongly provisioned remove and re-provision the device with the right NwkSKey. To learn more about device provisioning, see Activating new devices.
  - Check the behavior of the device and fix it if needed.
  - The device may be the victim of an uplink frame replay attack. Stop the base station radio and try to identify the attacker.
- If the alarm persists, contact your support.

Join loop detected `017`

ThingPark received several consecutive join requests from the device without any data uplink packet.

This alarm is associated with an occurrence number: this is the number of consecutive join request received since the creation of the alarm. The alarm is automatically CLEARED as soon as a data uplink packet is received.

Possible root causes:
- The device did not receive the join accepts.
- The battery level is too low and the device is only able to send a join request on wake up.
Guidelines:
- Check the transmission status of the join accepts in the RADIO TRAFFIC HISTORY and LAST 10 PACKETS widgets of the device's dashboard: the transmission of join accepts may be in failure.
- Check the behavior of the device (for instance the battery status) and fix it.
- If the alarm persists, contact your support.

Battery level threshold 001​

Traffic exceeds the downlink regulator settings 002​

Traffic exceeds the uplink regulator settings 003​

No uplink activity 004​

Node uses higher data rate than expected 005​

Node uses lower data rate than expected 006​

Join request replay detected (DevNonce replay) 007​

Wrong MIC detected in Join request 008​

Join request replay detected (wrong MIC correlation) 009​

Uplink frame replay detected (wrong FCnt) 010​

Uplink frame replay detected (repeated FCnt) 011​

MAC command transmission blocked (transmission rejected) 012​

MAC command transmission blocked (no reply) 013​

Invalid AppEUI detected in Join request 014​

Join request replay detected (invalid DevNonce) 015​

Wrong MIC detected in Uplink frame 016​

Join loop detected 017​