[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] Virtual defragmentation error
What mbufs fix is this? I haven't seen this fix? Thanks, ----- Original Message ----- From: <[email protected]> To: <[email protected]> Sent: Monday, November 03, 2003 10:11 AM Subject: Re: [FW-1] Virtual defragmentation error > Run "fw ctl pstat" and look for failed fragments. If you have them, you > most likely need the mbufs hotfix. These only output to the console, not to > the fw1 logs. > > -Aaron > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > Sent: Monday, November 03, 2003 7:49 AM > To: [email protected] > Subject: [FW-1] Virtual defragmentation error > > Hi all, > > I'm running a VPN network with Check Point FW-1/VPN-1 on different > platforms. > Firewall-alpha: Nokia 530 IPSO 3.7 build 23 NG AI (Primary site) > Firewall-bravo: SecurePlatform 2. Edt. NG FP3 > Firewall-gamma: SecurePlatform NG AI > Firewall-omega: Nokia 120 IPSO 3.7 build 23 NG AI > > I'm starting to get a lot of these log entries in my fw-log: > Date: ##### > Time: ##### > Product: VPN-1 & FireWall-1 > Interface: eth0 > Origin: Firewall-bravo > Type: Log > Action: Drop > Protocol: 50 > Source: Firewall-alpha > Destination: Firewall-bravo > Information: message: Virtual defragmentation error: Timeout > ip_id: 62989 > ip_len: 0 > ip_offset: 0 > fragments_dropped: 2 > during_sec: 60 > > Where source always is Firewall-alpha but destination is the other three > firewall's. Destination and origin is always the same. > > I started looking in the mailing-list archive, phoneboy, Nokia, Check Point > KB and google. I found some useful articles but I'm still a little unsure. > > I've looked at Nokia res: 3370. I've set ipsec_don't_fragment ture (It's > true by default so I haven't changed it) But the article is about from one > server to another behind the firewall's, having MTU problem. > > My problem being with at firewall's them selves and the protocol is 50, my > eyes are turned to the MTU on the firewall's. > > I should add the when I ping -f -l 1473 server I get the message "Packet > needs to be fragmented but DF set." If I set the size to 1472 it's ok. Then > my attention is back on my server (res. 3370) and thus my confusion. > > I also found a fix mentioned SHF_FW1_AI_0020, but as I understood this is > for a problem with log entries like this "Virtual Defragmentation error: > low on mbufs . . ." and that's not my case. > > My question is where to edit my MTU size. Is it on my server or on my > firewall's or should I not change my MTU and look in a total different > place? > > > Any help would be appreciated. > > Best Regards, > > Ole Jakobsen > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [email protected] > ================================================= > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [email protected] > ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|