[FW1] Re: Firewall-1 Memory Leak



Scott,

There were a couple of changes that were made going to ver 4+.  What
affected me was the way that the UDP rejects were handled.  Below is a
snippet from a multitude of emails that I received that seemed to solve
the problem.  My machine has been up now for 177 days with no reboot and
the majority of my swap space is still unused.

> "Jeffrey L. Oliver" wrote:
>> > 
>> > I was emailed a tip as follows:
>> > 
>> > ***************************
>> > Gentlemen,
>> > 
>> > I too suffered long and hard with this problem, sending many dumps to SUN,
>> > talking myself blue in the face to my VAR. Finally, a friend at CKP
>> > pointed me to a url. They used to have www pages that listed known bugs
>> > and the associated FW version/level along with operating systems. Oh, how
>> > I long for those days, the knowledge base is almost useless in my opinion.
>> > I would much prefer to page through ALL known problems, what is to say I
>> > don't have a problem that I have yet to even find!!!!! But I have rambled
>> > enough.
>> > 
>> > This patch worked for me... running FW 4.0 sp1 on Solaris 2.6 with
>> > recommended security patches.  The following came directly from an "old"
>> > CKP page. (Remember back up the file before altering, AND, I nor my
>> > employer take no responsibility;  just trying to help.)
>> > 
>> > 1. Stop Firewall-1 by running $FWDIR/bin/stop.
>> > 2. Edit $FWDIR/conf/objects.C
>> >    After the line:
>> >        :props(
>> >    Add the line:
>> >        :udp_reject (false)
>> > 3. Start Firewall-1 by running $FWDIR/bin/fwstart.
>> > 
>> > Good luck,


Hope that this helps,

Jeff


"Boomgaardt, Scott" wrote:
> 
> Jeff,
> 
> I found your post to a mailing list today detailing a problem that I believe
> we are experiencing.  I found by looking at a customized ps output ("ps -e
> -o "pcpu pmem vsz rss osz pid user args" | grep alertd") that the alertd
> process is the one eating up memory in 8k chunks as you mentioned in your
> post.
> 
> We're currently running FW-1 version 4.1 build 41439 on an E-250 with
> Solaris 7.
> 
> Was a resolution found for your problem?  I've looked briefly at
> Checkpoint's site with no results.
> 
> Thanks for your help!
> Scott
> 
> Scott Boomgaardt
> EDS Canada Firewall Team
> London Solution Centre
> 150 Dufferin Ave. Suite 300
> London, ON  N6A 5N6
> * phone:
> * mailto:[email protected]
> 
> FROM: Jeffrey L. Oliver
> DATE: 07/11/2000 10:28:58
> SUBJECT: RE: [FW1] Solaris machine hangs
> 
> Hans,
> 
> No, all I have running is the following:
> 
> dogbert:/ # ps -ef
>      UID   PID  PPID  C    STIME TTY      TIME CMD
>     root     0     0  0 03:31:09 ?        0:00 sched
>     root     1     0  0 03:31:09 ?        0:00 /etc/init -
>     root     2     0  0 03:31:09 ?        0:00 pageout
>     root     3     0  0 03:31:09 ?        0:00 fsflush
>     root   326   323  0 03:31:56 ?        0:00 /usr/lib/saf/ttymon
>     root   134     1  0 03:31:21 ?        0:00 /etc/fw.boot/fwboot bootd
>     root   323     1  0 03:31:55 ?        0:00 /usr/lib/saf/sac -t 300
>     root   280     1  0 03:31:43 ?        0:01 /usr/sbin/vold
>     root   243     1  0 03:31:41 ?        0:00 /usr/sbin/syslogd
>     root   251     1  0 03:31:42 ?        0:00 /usr/sbin/cron
>     root   257     1  0 03:31:42 ?        0:00 /usr/sbin/nscd
>     root   238     1  0 03:31:41 ?        0:00 /usr/sbin/inetd -s
>     root   395   389  1 08:36:51 pts/0    0:00 -ksh
>     root   324     1  0 03:31:55 console  0:00 /usr/lib/saf/ttymon -g -h -p dogbert console login:  -T sun -d
>     root   271     1  0 03:31:43 ?        0:00 /usr/lib/utmpd
>     root   316     1  0 03:31:51 ?        0:00 /opt/CKPfw/bin/snmpd
>     root   315   310  0 03:31:50 ?        0:00 alertd -A -l
>     root   310     1  0 03:31:49 ?        0:02 fwd
>     root   318     1  0 03:31:52 ?        0:01 fwm
>     root   320   310  0 03:31:52 ?        0:01 mdq
>     root   470   395  0 11:25:50 pts/0    0:00 ps -ef
>   oliver   389   387  0 08:36:41 pts/0    0:00 -ksh
>     root   387   238  0 08:36:41 ?        0:00 in.telnetd
> dogbert:/ #
> 
> Jeff
> 
> Hans Schaechl wrote:
> >
> > Hi Jeff,
> >
> > do you have by any chance Solaris automounter running?
> > Are /etc/rc2.d/S74autofs and files /etc/auto_master etc.
> > in place? If yes, disable the rc-script and/or comment out
> > all lines in /etc/auto_* files. (In case you don't use it ;))
> >
> > Hans
> >
> > At 10:02 11.07.00 -0600, you wrote:
> >
> > >Dieter Gobbers wrote:
> > > >
> > > > On 10-Jul-00 Sujit Choudhury wrote:
> > > > >
> > > > > > I have used fw ctl pstat command.
> > > > > > It says about 3Mbytes have been allocated into FW-1's kernel memory
> > > > > > and most of it is still available.
> > > > > > However looking at the way Solaris works, it appears that the size of
> > > > > > freelist as found from vmstat and sar -r will appear to shrink to a very
> > > > > > small value, determined by lotsfree.  In our case we have used the
> > > > > > default which is 1/64 of the RAM i.e. 2Mbytes.  The problem usually
> > > > > > starts when the freelist attains the value of around 2Mbytes.
> > > > > > I was wondering whether increasing lotsfree (making it bigger than
> > > > > > 3Mbytes) would stop the machine hang.  Has it been tried?
> > > > >
> > > > > Sujit
> > > > >
> > > > >
> > > > >> Sujit Choudhury wrote:
> > > > >> >
> > > > > >> > We are running Checkpoint FireWall-1 Version 4.0 Build 4094. I have
> > > > > >> > applied service pack 4 and 5 to bring it up to the latest build. The
> > > > > >> > hardware is Sun Ultra 5/10, with 128Mbytes of memory.  The OS is
> > > > > >> > Solaris 2.6 with kernel patch 105181-21.  I am not running CDE so most
> > > > > >> > of the memory is used for running the OS and Firewall.
> > > > > >> > In spite of this I am getting system hang on a regular basis.  It seems
> > > > > >> > from sar output, whenever the free memory drops below a certain figure
> > > > > >> > we are then in the danger zone.
> > > > > >> > Has anybody come across this thing or any solution for this?  We are
> > > > > >> > having great difficulty in maintaining our service.
> > > > >> >
> > > > >> > Many thanks
> > > > >> >
> > > > >> > Sujit
> > > >
> > > > >>
> > > > >> Sujit,
> > > > >>
> > > > > >> Just so you don't feel all alone, I also am experiencing this problem.
> > > > > >> From my standpoint, it looks like a memory leak.  The Sun guys do not
> > > > > >> think so.
> > > > > >>
> > > > > >> I have an Ultra 10 running 2.6, with the jumbo patch installed.  The
> > > > > >> machine has 128MB ram and 2 quad 10/100 nic's.  The console sits not
> > > > > >> logged in at the login prompt (not openwin or cde).
> > > > > >>
> > > > > >> If I use vmstat on the box, I can see that the memory goes away in about
> > > > > >> 8k chunks until I start using swap space.  It then keeps chunking away
> > > > > >> memory until I run out of swap and the machine will hang.
> > > > >>
> > > > >> As yet, I have not found a fix.
> > > > >>
> > > > >> Jeff
> > > >
> > > > Hello,
> > > >
> > > > We have the same problem here at our site, about every week our firewall
> > > > started to slow down and then stopped. We've been unable to use even the
> > > > console...
> > > > I've written a few scripts to watch certain system parameters/conditions
> > > > which reboot the system if the defined limits are exceeded.
> > > > During the "development" of those scripts I've noticed that the available
> > > > memory is decreasing without any sign who is consuming it.
> > > > I always thought that this is caused due to the fact that I cannot install
> > > > any kernel patches on our server (E250/Solaris 2.6 HW3/98)...
> > > >
> > > > I could send you my scripts if you are interested. They don't solve the
> > > > cause of the problem but the ugly effects are minimized.
> > > >
> > > > Greetings,
> > > >
> > > > Dieter Gobbers
> > >
> > >Something to note.  I tried this a little while ago and am convinced
> > >that it is not a FW-1 problem, but an OS/HW bug.
> > >
> > >I disabled the FW software from loading (renamed the startup scripts in
> > >the /etc/rcX.d directories) and rebooted the box.  Same thing, the machine
> > >lost memory in 8K chunks until it died (no response even on the console).
> > >This makes me think that it is an OS problem???
> > >
> > >I don't know if FW-1 makes modifications to the ethernet drivers when it
> > >installs.  If it does, there could be some problem with the mods.
> > >
> > >
> > >Jeff
> 
> --
>      Sys Admin. It's a dirty job, but someone said I had to do it!
> ------------------------------------------------------------------------
>       Jeffrey L. Oliver               Tel:
>        Network Analyst                Cell:
>  The University of Lethbridge
>    4401 University Drive             email: <EMAIL: PROTECTED>
>     Lethbridge, Alberta          www:  <http://home.uleth.ca/~jeff.oliver>
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                <http://www.checkpoint.com/services/mailing.html>
> ================================================================================

-- 
     Sys Admin. It's a dirty job, but someone said I had to do it!
------------------------------------------------------------------------
      Jeffrey L. Oliver               Tel:
       Network Analyst                Cell:
 The University of Lethbridge
   4401 University Drive             email: [email protected]
    Lethbridge, Alberta          www:  http://home.uleth.ca/~jeff.oliver
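
Step 2 of the quoted tip, written as a repeatable edit with a backup and a guard against double insertion. This is an added example, not part of the original thread or of Check Point's tooling; the function name `add_udp_reject`, the `.bak` suffix and the sample file contents are assumptions, and stopping and starting FireWall-1 (steps 1 and 3) is left to the operator.

```shell
#!/bin/sh
# add_udp_reject FILE: insert ":udp_reject (false)" after the first
# ":props(" line of FILE (step 2 of the quoted tip). Run it between
# $FWDIR/bin/stop and $FWDIR/bin/fwstart.
# Returns 0 = line inserted, 1 = property already present (file untouched),
# 2 = file missing, 3 = no ":props(" anchor line, 4 = backup failed.
add_udp_reject() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # An existing setting is reported, never overwritten or duplicated.
    if grep ':udp_reject' "$conf" >&2; then
        echo "udp_reject already present in $conf, not modified" >&2
        return 1
    fi

    # Without the anchor line there is nowhere safe to insert.
    grep -q '^[[:space:]]*:props[[:space:]]*(' "$conf" || {
        echo "no :props( line in $conf" >&2; return 3; }

    # Back up before altering, as the tip says (.bak suffix is an assumption).
    cp -p "$conf" "$conf.bak" || return 4

    # Build the new content from the backup, then write it through the
    # existing file so its owner and mode stay as they were.
    tmp="$conf.new.$$"
    awk '
        { print }
        !done && /^[ \t]*:props[ \t]*\(/ {
            print "\t\t:udp_reject (false)"
            done = 1
        }
    ' "$conf.bak" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# demo: run the edit on a constructed stand-in for objects.C
# (invoke the script as: sh script.sh demo).
demo() {
    d=$(mktemp -d) || return 1
    printf '(\n\t:props (\n\t\t:example_key (true)\n\t)\n)\n' > "$d/objects.C"
    add_udp_reject "$d/objects.C" && diff "$d/objects.C.bak" "$d/objects.C"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A return code of 1 means the file already carries a `udp_reject` property, possibly with a different value, so it should be reviewed by hand rather than edited again.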
