I just encountered this EXACT scenario (2xIP650, about 8k concurrent connections with nearly all natted, 256MB RAM, 16MB (default) kernel memory allocation). The error messages were:

Feb 1 12:06:57 fw [LOG_CRIT] kernel: fw_do_filterin_deliver: pullup failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_alloc(32): MGET(2) failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_packet_duplicate(abcdef12): mbuf_alloc() failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: one_packet_duplicate_if_needed(abcdef12): duplicate failed
From Nokia's site regarding these errors:

> Solution Title: What to do when FireWall-1 occasionally stops passing traffic
> Solution ID: 10043.0.663
> Creation Date: 07/27/2000
> Last Modified Date: 11/05/2001
>
> Environment:
> FireWall-1 4.1
> Nokia IP Series Appliance
> IPSO 3.2X
> Kernel memory
> zap utility
>
> Symptoms:
> FireWall-1 occasionally stops passing traffic
> FireWall-1 has to be rebooted to get traffic flowing again
> Error message in var/log/messages
>
> Error:
> vpn-chkpnt-1 [LOG_ERR] kernel: mb_map full
> vpn-chkpnt-1 [LOG_CRIT] kernel: FW-1: mbuf_alloc(1404): cluster alloc
> vpn-chkpnt-1 [LOG_CRIT] kernel: FW-1: mbuf_packet_duplicate(f467a100): mbuf_alloc() failed
>
> Cause: There was not enough memory available on the machine to allocate clusters
>
> Solution: Add memory to the machine.
>
> Workaround
> =========
> Try increasing the memory assigned to the fw by using a utility called zap. The zap utility can be downloaded from the Nokia Support site <http://support.nokia.com> (a Nokia Support contract is required)
A modzap of the kernel to 24MB (0x1800000) seems to have resolved the problem; I started having problems with stability about a day after the SP5 upgrade, but since implementing the modzap, the box has now run for a week without issues. YMMV...
HTH

Dan Hitchcock CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com (work)

The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this email message in error, please email the sender at [email protected]
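The signatures quoted above (the "mbuf_alloc ... failed", "mbuf_packet_duplicate ... failed" and "mb_map full" kernel messages) are the early warning that the FW-1 kernel memory pool is exhausted, and it is worth catching them before the box stops passing traffic rather than after a reboot. The following is an added example, not code from either message or from Nokia or Check Point: a small scanner over /var/log/messages that picks out those signature strings, groups them per minute, records which allocation sizes failed (small mbufs vs. clusters), and flags an exhaustion event. The sample log text, the threshold of three hits per minute, and the hostname are constructed for the example; the signature strings themselves are the ones quoted in the post and the Nokia article.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines, modelled on the messages
# quoted in the post and in the Nokia solution. Host, times and the
# hex addresses are made up; the signature strings are the quoted ones.
SAMPLE_LOG = """\
Feb 1 12:05:10 fw [LOG_INFO] kernel: some unrelated message
Feb 1 12:06:57 fw [LOG_CRIT] kernel: fw_do_filterin_deliver: pullup failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_alloc(32): MGET(2) failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_packet_duplicate(abcdef12): mbuf_alloc() failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: one_packet_duplicate_if_needed(abcdef12): duplicate failed
Feb 1 12:07:03 fw [LOG_ERR] kernel: mb_map full
Feb 1 12:07:03 fw [LOG_CRIT] kernel: FW-1: mbuf_alloc(1404): cluster alloc
Feb 1 12:09:41 fw [LOG_INFO] kernel: another unrelated message
"""

# Signature patterns, checked in this order; the names are ours.
SIGNATURES = {
    "mb_map_full": re.compile(r"\bmb_map full\b"),
    "mbuf_alloc_failed": re.compile(r"FW-1: mbuf_alloc\((\d+)\):"),
    "mbuf_duplicate_failed": re.compile(
        r"mbuf_packet_duplicate\([0-9a-f]+\): mbuf_alloc\(\) failed"),
    "packet_duplicate_failed": re.compile(
        r"one_packet_duplicate_if_needed\([0-9a-f]+\): duplicate failed"),
    "pullup_failed": re.compile(r"pullup failed"),
}

# BSD syslog line as written by IPSO: "Mon DD HH:MM:SS host [LEVEL] kernel: msg"
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) \[(?P<level>[A-Z_]+)\] kernel: (?P<msg>.*)$")


def parse_line(line):
    """Split one syslog line into its fields, or None if it is not a kernel line."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Return the name of the first exhaustion signature found in msg, else None."""
    for name, rx in SIGNATURES.items():
        if rx.search(msg):
            return name
    return None


def scan(text):
    """Return (per-minute signature counts, set of mbuf_alloc sizes that failed)."""
    per_minute = defaultdict(lambda: defaultdict(int))
    failed_sizes = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec["msg"])
        if sig is None:
            continue
        key = f'{rec["month"]} {rec["day"]} {rec["hh"]}:{rec["mm"]}'
        per_minute[key][sig] += 1
        m = SIGNATURES["mbuf_alloc_failed"].search(rec["msg"])
        if m:
            # The argument is the requested size: small values are mbufs,
            # sizes around the MTU (e.g. 1404 in the Nokia text) are clusters.
            failed_sizes.add(int(m.group(1)))
    return per_minute, failed_sizes


def exhaustion_detected(per_minute, threshold=3):
    """True if any minute shows 'mb_map full' or at least `threshold` signature hits.

    The threshold is an assumed tuning value for this example, not a vendor figure.
    """
    return any(c.get("mb_map_full") or sum(c.values()) >= threshold
               for c in per_minute.values())


def mb_to_hex(megabytes):
    """Kernel memory size in the hex form modzap takes, e.g. 24 -> '0x1800000'."""
    return hex(megabytes * 1024 * 1024)


if __name__ == "__main__":
    minutes, sizes = scan(SAMPLE_LOG)
    for key in sorted(minutes):
        print(key, dict(minutes[key]))
    print("failed allocation sizes:", sorted(sizes))
    print("exhaustion:", exhaustion_detected(minutes), "| 24MB =", mb_to_hex(24))
```

Run it against the real file with `python3 scanmbuf.py < /var/log/messages` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a hit on `mb_map full` or a burst of `mbuf_alloc` failures in one minute is the point at which to look at kernel memory (the `modzap` value above) or connection count, before the appliance needs a reboot.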
We recently swapped out 2x440s for 2x650s in a failover configuration and it seems like we're seeing some degradation in network performance around 8000 connections. The kernel memory is set at 16 MB, Connections are set to 25000 (Default) - what types of items should we be looking at. The box has 256 MB of memory and it typically hovers around 170MB Available. Any ideas? We're doing a LOT of natting (1 subnet to be exact...1 for 1).

Thx
Brian