Re: [FW-1] Nokia 650s with CP 4.1 SP5

[Dan Hitchcock]

I just encountered this EXACT scenario (2xIP650, about 8k concurrent connections with nearly all natted, 256MB RAM, 16MB (default) kernel memory allocation).  The error messages were:   Feb 1 12:06:57 fw [LOG_CRIT] kernel: fw_do_filterin_deliver: pullup failed Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_alloc(32): MGET(2) failed Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: mbuf_packet_duplicate(abcdef12): mbuf_alloc() failed Feb 1 12:06:58 fw [LOG_CRIT] kernel: FW-1: one_packet_duplicate_if_needed(abcdef12): duplicate failed From Nokia's site regarding these errors:   > > Solution Title: > > What to do when FireWall-1 occasionally stops > > passing traffic > > Solution ID: > > 10043.0.8617216.2776663 > > Creation Date: > > 07/27/2000 > > Last Modified Date: > > 11/05/2001 > > > > > > Environment: > > FireWall-1 4.1 > > Nokia IP Series Appliance > > IPSO 3.2X > > Kernel memory > > zap utility > > > > Symptoms: FireWall-1 occasionally stops passing traffic > > FireWall-1 has to be rebooted to get traffic flowing again > > Error message in var/log/messages > > Error: vpn-chkpnt-1 [LOG_ERR] kernel: mb_map full > > > > > > vpn-chkpnt-1 [LOG_CRIT] kernel: FW-1: mbuf_alloc(1404): cluster alloc > > > > > > vpn-chkpnt-1 [LOG_CRIT] kernel: FW-1: mbuf_packet_duplicate(f467a100): > > mbuf_alloc() failed > > Cause: There was not enough memory available on the machine to allocate >clusters > > Solution: Add memory to the machine. > > > > > > Workaround > > ========= > > Try increasing the memory assigned to the fw by using a utility called >zap. The zap > > utility can be downloaded from the Nokia Support site ><http://support.nokia.com> (a > > Nokia Support contract is required)   A modzap of the kernel to 24MB (0x1800000) seems to have resolved the problem; I started having problems with stability about a day after the SP5 upgrade, but since implementing the modzap, the box has now run for a week without issues.  YMMV...   HTH   Dan Hitchcock CCNP, CCSE, MCSE Security Operations Technical Lead Breakwater Security Associates, Inc. "Safe Harbor for E-Business" dhitchcock (at) breakwatersecurity (dot) com http://www.breakwatersecurity.com 206-770-0700 work The information contained in this email message may be privileged, confidential and protected from disclosure.  If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited.  If you think you have received this email message in error, please email the sender at [EMAIL PROTECTED] -----Original Message----- From: Brian Fritz [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 07, 2002 5:44 PM To: [EMAIL PROTECTED] Subject: [FW-1] Nokia 650s with CP 4.1 SP5 We recently swapped out 2x440s for 2x650s in a failover configuration = and it seems like we're seeing some degradation in network performance = around 8000 connections.  The kernel memory is set at 16 MB, Connections = are set to 25000 (Default) - what types of items should we be looking = at.  The box has 256 MB of memory and it typically hovers around 170MB = Available.  Any ideas?  We're doing ALOT of natting (1 subnet to be = exact...1 for 1). Thx Brian