Re: [FW-1] Virtual defragmentation error



Hi Aaron

fw ctl stat:
Fragments:
        1052 fragments, 525 packets, 2 expired, 0 short,
        0 large, 0 duplicates, 0 failures

So I guess it's not the mbufs hotfix I need.

/Ole


From: [email protected]
Sent by: Mailing list for discussion of Firewall-1 <[email protected]KPOINT.COM>
Date: 03-11-2003 17:11
Please respond to: Mailing list for discussion of Firewall-1
To: [email protected]
cc:
Subject: Re: [FW-1] Virtual defragmentation error




Run "fw ctl pstat" and look for failed fragments.  If you have them, you
most likely need the mbufs hotfix.  These only output to the console, not
to the fw1 logs.

-Aaron

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, November 03, 2003 7:49 AM
To: [email protected]
Subject: [FW-1] Virtual defragmentation error

Hi all,

I'm running a VPN network with Check Point FW-1/VPN-1 on different
platforms.
Firewall-alpha: Nokia 530 IPSO 3.7 build 23 NG AI (Primary site)
Firewall-bravo: SecurePlatform 2. Edt. NG FP3
Firewall-gamma: SecurePlatform NG AI
Firewall-omega: Nokia 120 IPSO 3.7 build 23 NG AI

I'm starting to get a lot of these log entries in my fw-log:
Date:       #####
Time:             #####
Product:          VPN-1 & FireWall-1
Interface:        eth0
Origin:           Firewall-bravo
Type:             Log
Action:           Drop
Protocol:         50
Source:           Firewall-alpha
Destination:      Firewall-bravo
Information:      message: Virtual defragmentation error: Timeout
                        ip_id: 62989
                        ip_len: 0
                        ip_offset: 0
                        fragments_dropped: 2
                        during_sec: 60

Where source always is Firewall-alpha but destination is the other three
firewalls. Destination and origin are always the same.

I started looking in the mailing-list archive, phoneboy, Nokia, Check Point
KB and Google. I found some useful articles but I'm still a little unsure.

I've looked at Nokia res: 3370. I've set ipsec_don't_fragment true (it's
true by default so I haven't changed it). But the article is about going from
one server to another behind the firewalls, having an MTU problem.

With my problem being with the firewalls themselves and the protocol being 50,
my eyes are turned to the MTU on the firewalls.

I should add that when I ping -f -l 1473 server I get the message "Packet
needs to be fragmented but DF set." If I set the size to 1472 it's ok. Then
my attention is back on my server (res. 3370) and thus my confusion.

I also found a fix mentioned, SHF_FW1_AI_0020, but as I understood it this is
for a problem with log entries like this "Virtual Defragmentation error:
low on mbufs . . ." and that's not my case.

My question is where to edit my MTU size. Is it on my server or on my
firewalls, or should I not change my MTU and look in a totally different
place?


Any help would be appreciated.

Best Regards,

Ole Jakobsen

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
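
The check discussed at the top of this thread (read the "Fragments:" counters and look for failed fragments) can be scripted. The following is an added example, not part of the original posts or of any Check Point tooling: the function names are hypothetical, the sample text is constructed from the counters quoted above, and treating "expired" as reassembly timeouts is an assumption of the example.

```shell
#!/bin/sh
# Added example. SAMPLE_PSTAT is constructed from the counters quoted in the thread.
SAMPLE_PSTAT='Fragments:
        1052 fragments, 525 packets, 2 expired, 0 short,
        0 large, 0 duplicates, 0 failures'

# frag_counter NAME: read pstat text on stdin, print the count in front of NAME
# inside the "Fragments:" block. Exit status 1 if the counter is not present.
frag_counter() {
    awk -v name="$1" '
        /^Fragments:/ { in_block = 1; next }
        in_block {
            c = substr($0, 1, 1)
            if (c != " " && c != "\t") { in_block = 0; next }  # unindented line ends the block
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++)
                if (split(parts[i], kv, " ") == 2 && kv[2] == name) {
                    print kv[1]; found = 1; exit
                }
        }
        END { if (!found) exit 1 }
    '
}

# frag_triage: classify the block. "failures" is the counter the reply points at;
# reading "expired" as reassembly timeouts is an assumption of this example.
frag_triage() {
    text=$(cat)
    failures=$(printf '%s\n' "$text" | frag_counter failures) || {
        echo "no fragment statistics found"; return 2
    }
    expired=$(printf '%s\n' "$text" | frag_counter expired) || expired=0
    if [ "$failures" -gt 0 ]; then
        echo "failures=$failures: failed fragments present, check the mbufs hotfix"
    elif [ "$expired" -gt 0 ]; then
        echo "expired=$expired failures=0: fragments timed out, none failed"
    else
        echo "expired=0 failures=0: nothing to report"
    fi
}

printf '%s\n' "$SAMPLE_PSTAT" | frag_triage
```

On a gateway the same function can be fed live output with `fw ctl pstat | frag_triage`.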




 
   All contents © 2004 Network Presence, LLC. All rights reserved.