Go here...
http://www.phoneboy.com/fw1/docs/4.0-summary.html
and search on 'udp_rejects'
Thanks again to phoneboy ...!!
Paul
--------------------------------------------------------------------------------------------
C. Paul Simons
Corporate Network Services
IHS Energy Group, Englewood, CO.
Main: +1 303 736 3000
Direct: +1 303 736 3451
Fax: +1 303 736 3860
Mobile: +1 303 748 5242
From: "Jeffrey L. Oliver" <jeff.oliver@uleth.ca>
Date: 12-07-00 11:45
To: Dieter Gobbers <[EMAIL PROTECTED]>, Sujit Choudhury <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: (bcc: Paul Simons/Den/US/IHSE)
Subject: Re: [FW1] Solaris machine hangs
I was emailed a tip as follows:
***************************
Gentlemen,
I too suffered long and hard with this problem, sending many dumps to SUN,
talking myself blue in the face to my VAR. Finally, a friend at CKP
pointed me to a url. They used to have www pages that listed known bugs
and the associated FW version/level along with operating systems. Oh, how
I long for those days, the knowledge base is almost useless in my opinion.
I would much prefer to page through ALL known problems, what is to say I
don't have a problem that I have yet to even find!!!!! But I have rambled
enough.
This patch worked for me... running FW 4.0 sp1 on Solaris 2.6 with
recommended security patches. The following came directly from an "old" CKP
page. (Remember to back up the file before altering, AND, neither I nor my
employer take any responsibility; just trying to help.)
1. Stop Firewall-1 by running $FWDIR/bin/stop.
2. Edit $FWDIR/conf/objects.C. After the line:
   :props(
   add the line:
   :udp_reject (false)
3. Start Firewall-1 by running $FWDIR/bin/fwstart.
Good luck,
********************
Does anyone know what this will actually do?
Jeff
"Jeffrey L. Oliver" wrote:
>
> Dieter Gobbers wrote:
> >
> > On 10-Jul-00 Sujit Choudhury wrote:
> > >
> > > I have used fw ctl pstat command.
> > > It says about 3Mbytes have been allocated into FW-1's kernel memory
> > > and most of it is still available.
> > > However looking at the way Solaris works, it appears that the size of
> > > freelist as found from vmstat and sar -r will appear to shrink to a very
> > > small value, determined by lotsfree. In our case we have used the
> > > default which is 1/64 of the RAM i.e. 2Mbytes. The problem usually
> > > starts when the freelist attains the value of around 2Mbytes.
> > > I was wondering whether increasing lotsfree (making it bigger than
> > > 3Mbytes) would stop the machine hang. Has it been tried?
> > >
> > > Sujit
> > >
> > >
> > >> Sujit Choudhury wrote:
> > >> >
> > >> > We are running Checkpoint FireWall-1 Version 4.0 Build 4094. I have
> > >> > applied service pack 4 and 5 to bring it up to the latest build. The
> > >> > hardware is Sun Ultra 5/10, with 128Mbytes of memory. The OS is
> > >> > Solaris 2.6 with kernel patch 105181-21. I am not running CDE so most
> > >> > of the memory is used for running the OS and Firewall.
> > >> > In spite of this I am getting system hang on a regular basis. It seems
> > >> > from sar output, whenever the free memory drops below a certain figure
> > >> > we are then in the danger zone.
> > >> > Has anybody come across this thing or any solution for this? We are
> > >> > having great difficulty in maintaining our service.
> > >> >
> > >> > Many thanks
> > >> >
> > >> > Sujit
> >
> > >>
> > >> Sujit,
> > >>
> > >> Just so you don't feel all alone, I also am experiencing this problem.
> > >> From my standpoint, it looks like a memory leak. The Sun guys do not
> > >> think so.
> > >>
> > >> I have an Ultra 10 running 2.6, with the jumbo patch installed. The
> > >> machine has 128MB ram and 2 quad 10/100 nic's. The console sits not
> > >> logged in at the login prompt (not openwin or cde).
> > >>
> > >> If I use vmstat on the box, I can see that the memory goes away in about
> > >> 8k chunks until I start using swap space. It then keeps chunking away
> > >> memory until I run out of swap and the machine will hang.
> > >>
> > >> As yet, I have not found a fix.
> > >>
> > >> Jeff
> >
> > Hello,
> >
> > We have the same problem here at our site, about every week our firewall
> > started to slow down and then stopped. We've been unable to use even the
> > console...
> > I've written a few scripts to watch certain system parameters/conditions
> > which reboot the system if the defined limits are exceeded.
> > During the "development" of those scripts I've noticed that the available
> > memory is decreasing without any sign of who is consuming it.
> > I always thought that this is caused due to the fact that I cannot install
> > any kernel patches on our server (E250/Solaris 2.6 HW3/98)...
> >
> > I could send you my scripts if you are interested. They don't solve the
> > cause of the problem but the ugly effects are minimized.
> >
> > Greetings,
> >
> > Dieter Gobbers
>
> Something to note. I tried this a little while ago and am convinced
> that it is not a FW-1 problem, but an OS/HW bug.
>
> I disabled the FW software from loading (renamed the startup scripts in
> the /etc/rcX.d directories) and rebooted the box. Same thing, the machine
> lost memory in 8K chunks until it died (no response even on the console).
> This makes me think that it is an OS problem???
>
> I don't know if FW-1 makes modifications to the ethernet drivers when it
> installs. If it does, there could be some problem with the mods.
>
> Jeff
> --
> Sys Admin. It's a dirty job, but someone said I had to do it!
> ------------------------------------------------------------------------
> Jeffrey L. Oliver Tel: (403) 329-5162
> Network Analyst Cell: (403) 315-4461
> The University of Lethbridge
> 4401 University Drive email: [EMAIL PROTECTED]
> Lethbridge, Alberta www: http://home.uleth.ca/~jeff.oliver
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
--
Sys Admin. It's a dirty job, but someone said I had to do it!
------------------------------------------------------------------------
Jeffrey L. Oliver Tel: (403) 329-5162
Network Analyst Cell: (403) 315-4461
The University of Lethbridge
4401 University Drive email: [EMAIL PROTECTED]
Lethbridge, Alberta www: http://home.uleth.ca/~jeff.oliver
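
The objects.C edit from step 2 of the tip quoted in the message above, as an added example that is not part of the original thread and not Check Point's own tooling. It backs the file up, refuses to edit if there is no ":props(" line, and does nothing if the property is already set; the function names, the backup suffix, the sample file and the tolerance for whitespace before "(" are assumptions, and steps 1 and 3 (stopping and starting FireWall-1) stay as the tip gives them.

```shell
#!/bin/sh
# Added example (not from the thread). ":props(" and ":udp_reject (false)"
# are quoted from the tip; add_prop, make_sample and the .bak suffix are
# hypothetical names chosen here.

# Constructed stand-in for objects.C; only the ":props (" line matters.
make_sample() {
    printf '(\n\t:props (\n\t\t:example_prop (true)\n\t)\n)\n' > "$1"
}

# add_prop FILE [LINE]: insert LINE directly after the first ":props(" line.
# Prints the backup path on success. Exit codes: 0 ok/already set,
# 2 file missing, 3 no ":props(" anchor, 4 backup failed, 5 rewrite failed.
add_prop() {
    conf=$1
    line=${2:-':udp_reject (false)'}
    name=${line%% *}                      # e.g. ":udp_reject"

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Idempotent: leave the file alone if the property is already there.
    if grep -q "^[[:space:]]*${name}[[:space:](]" "$conf"; then
        echo "$name already set in $conf" >&2
        return 0
    fi

    # Refuse to guess a location if the anchor line is absent.
    grep -q '^[[:space:]]*:props[[:space:]]*([[:space:]]*$' "$conf" ||
        { echo "no :props( line in $conf" >&2; return 3; }

    # Back up first, as the tip advises; keep mode and timestamps.
    backup="$conf.bak.$$"
    cp -p "$conf" "$backup" || return 4

    # Rewrite from the backup into the original path (same inode, same perms).
    if awk -v add="$line" '
            { print }
            !ins && /^[ \t]*:props[ \t]*\([ \t]*$/ { print "\t" add; ins = 1 }
        ' "$backup" > "$conf"; then
        echo "$backup"
    else
        cp -p "$backup" "$conf"           # roll back on failure
        return 5
    fi
}
```

Run it against a copy first (make_sample writes a constructed file to test with) and diff the result against the backup before restarting the firewall.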