Re: [FW-1] Virtual defragmentation error
Run "fw ctl pstat" and look for failed fragments. If you have them, you most likely need the mbufs hotfix. These only output to the console, not to the fw1 logs.

-Aaron

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, November 03, 2003 7:49 AM
To: [email protected]
Subject: [FW-1] Virtual defragmentation error

Hi all,

I'm running a VPN network with Check Point FW-1/VPN-1 on different platforms.

    Firewall-alpha: Nokia 530 IPSO 3.7 build 23 NG AI (Primary site)
    Firewall-bravo: SecurePlatform 2. Edt. NG FP3
    Firewall-gamma: SecurePlatform NG AI
    Firewall-omega: Nokia 120 IPSO 3.7 build 23 NG AI

I'm starting to get a lot of these log entries in my fw-log:

    Date: #####
    Time: #####
    Product: VPN-1 & FireWall-1
    Interface: eth0
    Origin: Firewall-bravo
    Type: Log
    Action: Drop
    Protocol: 50
    Source: Firewall-alpha
    Destination: Firewall-bravo
    Information: message: Virtual defragmentation error: Timeout
                 ip_id: 62989
                 ip_len: 0
                 ip_offset: 0
                 fragments_dropped: 2
                 during_sec: 60

The source is always Firewall-alpha, but the destination is one of the other three firewalls. Destination and origin are always the same.

I started looking in the mailing-list archive, phoneboy, Nokia, Check Point KB and Google. I found some useful articles but I'm still a little unsure.

I've looked at Nokia res: 3370. I've set ipsec_don't_fragment true (it's true by default, so I haven't changed it). But the article is about traffic from one server to another behind the firewalls having an MTU problem. My problem being with the firewalls themselves and the protocol being 50, my eyes are turned to the MTU on the firewalls.

I should add that when I ping -f -l 1473 server I get the message "Packet needs to be fragmented but DF set." If I set the size to 1472 it's OK. Then my attention is back on my server (res. 3370), and thus my confusion.

I also found a fix mentioned, SHF_FW1_AI_0020, but as I understood it this is for a problem with log entries like this: "Virtual Defragmentation error: low on mbufs . . ." and that's not my case.

My question is where to edit my MTU size. Is it on my server or on my firewalls, or should I not change my MTU and look in a totally different place?

Any help would be appreciated.

Best Regards,
Ole Jakobsen

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
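
Added example, not part of either message and not Check Point code: a Python script that tallies "Virtual defragmentation error" drops per source, destination, protocol and reason, so the "Timeout" entries described in the question can be told apart from the "low on mbufs" case at a glance. It assumes the log is exported as flattened "Key: value" text with the field names shown in the quoted entry; the function names and the sample lines (date, time, counts) are constructed for illustration.

```python
import re
from collections import defaultdict

# Field names copied from the log entry quoted in the post; the flattened
# "Key: value Key: value" layout is an assumption about the exported text.
KEYS = ("Date", "Time", "Product", "Interface", "Origin", "Type", "Action",
        "Protocol", "Source", "Destination", "Information", "message",
        "ip_id", "ip_len", "ip_offset", "fragments_dropped", "during_sec")
KEY_RE = re.compile(r"\b(" + "|".join(KEYS) + r"):\s*")
PREFIX = "virtual defragmentation error:"

def parse_entry(line):
    """Split one flattened record into a {field: value} dict."""
    parts = KEY_RE.split(line.strip())  # [junk, key1, val1, key2, val2, ...]
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}

def summarize(lines):
    """Count defragmentation drops per (source, destination, protocol, reason)."""
    totals = defaultdict(lambda: {"entries": 0, "fragments_dropped": 0})
    for line in lines:
        e = parse_entry(line)
        msg = e.get("message", "")
        if not msg.lower().startswith(PREFIX):
            continue  # unrelated log entry
        reason = msg[len(PREFIX):].strip()  # "Timeout", "low on mbufs", ...
        row = totals[(e.get("Source"), e.get("Destination"), e.get("Protocol"), reason)]
        row["entries"] += 1
        # Not every reason is assumed to carry a fragments_dropped field.
        row["fragments_dropped"] += int(e.get("fragments_dropped") or 0)
    return dict(totals)

# Constructed sample lines (date, time and counts are made up).
_HEAD = ("Date: 3Nov2003 Time: 7:40:01 Product: VPN-1 & FireWall-1 Interface: eth0 "
         "Origin: {d} Type: Log Action: Drop Protocol: 50 Source: Firewall-alpha "
         "Destination: {d} Information: message: ")
_TIMEOUT = ("Virtual defragmentation error: Timeout ip_id: 62989 ip_len: 0 "
            "ip_offset: 0 fragments_dropped: {n} during_sec: 60")
SAMPLE = [
    (_HEAD + _TIMEOUT).format(d="Firewall-bravo", n=2),
    (_HEAD + _TIMEOUT).format(d="Firewall-bravo", n=3),
    (_HEAD + _TIMEOUT).format(d="Firewall-gamma", n=2),
    _HEAD.format(d="Firewall-omega") + "Virtual Defragmentation error: low on mbufs",
    "Date: 3Nov2003 Time: 7:41:10 Origin: Firewall-bravo Action: Accept Protocol: tcp",
]

if __name__ == "__main__":
    for key, row in sorted(summarize(SAMPLE).items()):
        print(key, row)
```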