Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Nokia 650s with CP 4.1 SP5

To: [email protected]
Subject: Re: [FW-1] Nokia 650s with CP 4.1 SP5
From: Dan Hitchcock <[email protected]>
Date: Fri, 8 Feb 2002 10:40:41 -0800
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

I just encountered this EXACT scenario (2xIP650, about 8k concurrent connections with nearly all natted, 256MB RAM, 16MB (default) kernel memory allocation). The error messages were:

Feb 1 12:06:57 fw [LOG_CRIT] kernel: fw_do_filterin_deliver: pullup failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_alloc(32): MGET(2) failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_packet_duplicate(abcdef12): mbuf_alloc() failed
Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: one_packet_duplicate_if_needed(abcdef12): duplicate failed

From Nokia's site regarding these errors:

> > Solution Title:
> > What to do when FireWall-1 occasionally stops
> > passing traffic
> > Solution ID:
> > 10043.0.663
> > Creation Date:
> > 07/27/2000
> > Last Modified Date:
> > 11/05/2001
> >
> >
> > Environment:
> > FireWall-1 4.1
> > Nokia IP Series Appliance
> > IPSO 3.2X
> > Kernel memory
> > zap utility
> >
> > Symptoms: FireWall-1 occasionally stops passing traffic
> > FireWall-1 has to be rebooted to get traffic flowing again
> > Error message in var/log/messages
> > Error: vpn-chkpnt-1 [LOG_ERR] kernel: mb_map full
> >
> >
> > vpn-chkpnt-1 [LOG_CRIT] kernel: FW-1: mbuf_alloc(1404): cluster alloc
> >
> >
> > vpn-chkpnt-1 [LOG_CRIT] kernel: FW-1: mbuf_packet_duplicate(f467a100):
> > mbuf_alloc() failed
> > Cause: There was not enough memory available on the machine to allocate
>clusters
> > Solution: Add memory to the machine.
> >
> >
> > Workaround
> > =========
> > Try increasing the memory assigned to the fw by using a utility called
>zap. The zap
> > utility can be downloaded from the Nokia Support site
><http://support.nokia.com> (a
> > Nokia Support contract is required)

A modzap of the kernel to 24MB (0x1800000) seems to have resolved the problem; I started having problems with stability about a day after the SP5 upgrade, but since implementing the modzap, the box has now run for a week without issues. YMMV...

HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
work

The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this email message in error, please email the sender at [email protected]

-----Original Message-----
From: Brian Fritz [mailto:[email protected]]
Sent: Thursday, February 07, 2002 5:44 PM
To: [email protected]
Subject: [FW-1] Nokia 650s with CP 4.1 SP5

We recently swapped out 2x440s for 2x650s in a failover configuration =
and it seems like we're seeing some degradation in network performance =
around 8000 connections. The kernel memory is set at 16 MB, Connections =
are set to 25000 (Default) - what types of items should we be looking =
at. The box has 256 MB of memory and it typically hovers around 170MB =
Available. Any ideas? We're doing ALOT of natting (1 subnet to be =
exact...1 for 1).

Thx
Brian

Prev by Date: [FW-1] those darn messengers... (blocking AOL)
Next by Date: Re: [FW-1] Problem with SecuRemote
Previous by thread: [FW-1] Nokia 650s with CP 4.1 SP5
Next by thread: [FW-1] GUI is locked
Index(es):
- Date
- Thread