Bosch Building Technologies

    Showing results for 
    Search instead for 
    Did you mean: 

    Who rated this article

    How to explain Alarm Panel Substitution event

    Rate this article:
    100% helpful (1/1)

    The Substitution error will be a symptom of the "anti-replay" check performed between the IP panels, integrated devices-such as B426, B465,etc or Dialer capture modules – C900V2 and the receiver.  Each time the panel sends a message to the receiver, it will include a key-code in the message.  This code will change for every message to help the receiver recognize if it receives a duplicate message.  Both the receiver and panel (or network device) know which key-code will be used next.  If it gets the same message with the same key-code, then this is a "replay."  By default, if the receiver sees 3 duplicate key-codes, it will generate a Substitution Error.  By default again, if the receiver gets 20 Substitution Errors, it will disable the account "By Attack."  This process provides the extra security of blocking a 3rd party from trying to mimic good communication from the site or trying to flood the receiver with too much data.


    In a properly operating system, it is not unusual to get sporadic substitution errors in the following scenario.

    • Panel sends message to receiver
    • Receiver gets message and sends acknowledgement back
    • Receiver now expects to get a new key-code from the next message
    • Somewhere in the network, the acknowledgement from the receiver is dropped (doesn't make it to panel)
    • The panel does not receive the acknowledgement in the required time (since it was dropped), so it thinks that the receiver did not get that message
    • Panel sends the exact same message (with same key code) to the receiver again
    • The receiver receives this and sees that it is a duplicate message (replay)
    • If this occurs 3 times, the receiver gives a Substitution Error


    This scenario may happen occasionally as messages can occasionally get dropped while going through the network.  This is not a serious issue as long as the account continues to communicate without shutting off due to a "Disable by Attack" message.


    If this occurs frequently, then the Network Administrator (at the panel side most likely) will want to check his network for what is causing this loss.  Usually they will find that they have Level 3 switches with Quality of Service turned on.  This may give UDP traffic a lower priority on the network and drop the UDP messages when other, higher priority, messages are going through.  They can also analyze the network to see where these messages are being dropped and repair communications at that point.

    Version history
    Last update:
    ‎06-07-2018 10:11 PM
    Updated by:
    Who rated this article