Here is the cronjob that I use.  Let me know if you have any questions.  I
run this every minute, because I want to catch an IKE problem ASAP.  I am
going to start testing running another one that will kill the daemon
regardless at 3:30 in the morning, because the problem seems to be related
to a memory leak with the daemon.  If I kill daily, early in the morning, I
am hoping to avoid problems occurring during the day, when everyone is
connected.  I have been killing it manually late at night, for the past
couple of weeks, and haven't had the daemon crash since December 23.

############################################################################

#!/bin/sh
. /var/etc/pm_profile
# Week number, used to name the per-week CPU log
date=`date +%U`
# %CPU threshold above which isakmpd is killed
isakmp_alert=70
isakmp_pid=`ps -aux | grep isakmpd | grep -v grep | awk '{print $2}'`
isakmp_cpu=`ps -aux | grep isakmpd | grep -v grep | awk '{print $3}'`
# Integer part of %CPU, because test(1) only compares integers
cpu=`echo $isakmp_cpu | awk -F . '{print $1}'`
echo "`date` ISAKMP_CPU at $isakmp_cpu" >> /var/log/isakmp.$date

# Nothing to compare if isakmpd is not running
[ -n "$cpu" ] || exit 0

# Check to see what our %CPU is at for the isakmpd daemon
if [ "$cpu" -gt "$isakmp_alert" ]
then
   echo "`date` ALERT: ISAKMP_CPU at $isakmp_cpu." >> /var/log/isakmp.log
   echo "`date` ALERT: ISAKMP_CPU at $isakmp_cpu. Restarting..." > /tmp/isakmp.txt
   kill -9 $isakmp_pid
   # Recipient list is redacted in the archived copy
   for addr in [EMAIL PROTECTED]
   do
      mail $addr < /tmp/isakmp.txt
   done
fi

############################################################################

-----Original Message-----
From: Zeltser, Roman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 6:51 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Problem with isakmp dameon


Aaron, can you post your cronjob script for killing this process?

**********************************
Roman Zeltser,
@National Computer Center, DNE
RS Information Systems



-----Original Message-----
From: <Aaron Reynolds> [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 7:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Problem with isakmp dameon


This is a widely known bug in SP6.  I have been fighting it for almost 6
months now, since first going to SP6.  The current solution recommended by
Checkpoint/Nokia is to upgrade to NG, downgrade back to previous release, or
live with it.  I currently have a cronjob that watches the CPU utilization
of the isakmpd daemon and kills it if it is over 70%.  This has been
working, but is a pain when it happens in the middle of the day.  I have
been doing some tests with killing it in the middle of the night, each
night, to see if I can eliminate the problem from occurring during the day.
Like with you, it happens with a policy push, or user database update.  Ride
support hard, and pressure them for a fix!  Let me know if you have any
other questions.

-Aaron

-----Original Message-----
From: Matt Rossiter [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 4:52 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Problem with isakmp dameon


I'm trying to figure out a problem with a Nokia firewall (IP650) running
FW Version 4.1 SP-6, Chrysalis-ITS LunaVPN PCI driver version 4.27, IPSO
3.5. and has 320MB of memory

The firewall currently has a lot of VPNs to many different firewalls.
One of the problems I'm seeing is when pushing a policy, the ISAKMP daemon
will go into running mode and just hangs, never returning to sleep
mode.  Sometimes I've seen other firewalls start a second isakmp process
and cause problems.

The only way to correct the problem is to kill the current process and
restart isakmpd.  I was once told that this is because the VPN portion of
the firewall has run out of its allotment of memory and there is a way to
configure the firewall to correct this problem.  I can also put more
memory into the firewall or reduce the number of VPNs.

root 22976 0.1 4.2 21756 13488 ??  S 2:16PM 2:09.28 isakmpd (fw)


Has anyone else run into this problem?


Thanks,


Matt

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
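
The CPU watchdog from the cron script at the top of this thread, reworked as an added example (not the poster's script): it selects isakmpd rows by the command column so a second daemon is caught and the grep helper is ignored, reports when no daemon is running, and pipes the alert to mail instead of writing a fixed file in /tmp as root. It assumes the BSD `ps -aux` column layout shown in the thread; the function names and the `ALERT_TO` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes BSD `ps -aux` columns:
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND (command = field 11).

# hot_isakmpd LIMIT: read ps output on stdin, print "PID CPU" for every
# isakmpd row whose integer %CPU is above LIMIT. Matching on the command
# column means a `grep isakmpd` helper can never be selected.
hot_isakmpd() {
    awk -v limit="$1" \
        '$11 == "isakmpd" && $2 ~ /^[0-9]+$/ && int($3) > limit { print $2, $3 }'
}

# count_isakmpd: number of isakmpd rows on stdin (0 = daemon is down,
# 2 or more = the second-process case mentioned in the thread).
count_isakmpd() {
    awk '$11 == "isakmpd" { n++ } END { print n + 0 }'
}

# watchdog LIMIT: hypothetical cron entry point. Kills each hot process and
# pipes the alert straight to mail, so root never writes a fixed /tmp file.
# ALERT_TO is a placeholder variable for the recipient list.
watchdog() {
    snapshot=$(ps -aux)
    printf '%s\n' "$snapshot" | hot_isakmpd "$1" | while read -r pid cpu; do
        kill -9 "$pid"
        echo "$(date) ALERT: isakmpd pid $pid at $cpu% CPU, killed" |
            mail -s "isakmpd watchdog" "$ALERT_TO"
    done
}

# Constructed sample: the first row is the ps line quoted in the thread, the
# rest are made up (a runaway second daemon and a grep that must be ignored).
SAMPLE='root 22976 0.1 4.2 21756 13488 ??  S 2:16PM 2:09.28 isakmpd (fw)
root 23011 97.3 4.4 22100 14020 ??  R 2:31PM 9:41.07 isakmpd (fw)
root 23050 88.0 0.1 300 200 p0  R+ 2:40PM 0:00.01 grep isakmpd'

# Demo on the sample only; watchdog() is defined but not invoked here.
printf '%s\n' "$SAMPLE" | hot_isakmpd 70
printf '%s\n' "$SAMPLE" | count_isakmpd
```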