Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Problem: fwconn_pending_intercept

To: [email protected]
Subject: Re: [FW-1] Problem: fwconn_pending_intercept
From: "Neil Kemp (Business Sense)" <[email protected]>
Date: Tue, 19 Aug 2003 12:57:06 +0100
Importance: Normal
In-reply-to: <[email protected]>
Organization: Business Sense IT Limited
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

The error fwconn_pending_intercept: ld_set_wto(conn_nsons) failed may
appear on the console and in /var/log/messages on systems running
FireWall-1 NG FP1, FP2, or FP3. This resolution outlines possible causes
of the error and how it can be corrected.

FireWall-1 keeps in each table four different representations for each
connection, also known as "links". Each link represents the connection
from different points of view (client side inbound, server side
outbound, server side inbound, client side outbound).

By default FireWall-1 will not allow a connection unless it succeeds in
creating all the links in the connection table. However, in cases of
high load, when using Network Address Translation, or when using
Security Servers there could be cases where links from expired
connections remain in the connection table. In such cases, trying to
create a new identical link would fail.

There is a workaround for it for FP2.

Regards

Neil Kemp
Security Consultant
Business Sense IT Ltd
  _____


Suite 296, 17 Holywell Hill,
St Albans, AL1 1DT.
Å
+44 (0) 8700 201694
Ë
+44 (0) 7958 545129
Ê
07092 153679
+
[email protected]
"
http://www.businesssense.co.uk
http://www.secureadvice.co.uk
http://www.adsllink.co.uk


















-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Michael
Schwartzkopff
Sent: 19 August 2003 11:11
To: [email protected]
Subject: [FW-1] Problem: fwconn_pending_intercept

Hi,

anybody seen this in the logfiles:

fw: [ID 339752 kern.notice] FW-1: fwconn_pending_intercept:
ld_set_wto(conn_nsons) failed

The load of our firewall (NG FP2) goes up to 100% and we have a lot of
these
entries in the logfile.

Thanks for any hint.

M. Schwartzkopff

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- [FW-1] Problem: fwconn_pending_intercept
  - From: Michael Schwartzkopff <[email protected]>

Prev by Date: [FW-1] Vedr.: [FW-1] Check Point logs in the log viewer are 1 hour late
Next by Date: Re: [FW-1] Check Point logs in the log viewer are 1 hour late
Previous by thread: [FW-1] Problem: fwconn_pending_intercept
Next by thread: Re: [FW-1] Problem: fwconn_pending_intercept
Index(es):
- Date
- Thread