Re: [FW1] kmalloc problem in Linux

On Wed, 20 Sep 2000 [email protected] wrote:

> We have some problems with a CP2000-SP2 (gateway/server module) when
> installing and running a rulebase. Management server located on another
> box.
> When FW-1 downloads the policy and installs we get this error message in
> the log: "FW-1: b_getvals: fw_kmalloc(982056) failed". The message repeats
> a couple of times.
>
> Is there a fix for this? Or is this a problem that could be ignored if the
> messages stop coming after a while?

I've been battling with my vendor (and indirectly with CheckPoint) on exactly this issue for a couple of months now. They (CheckPoint) are giving me the runaround. They keep asking about silly little details of how I installed Linux, even after I made it clear that I did a stock install of Networked Workstation, without adding or changing any installed package.

Looking at the kmalloc source code, it clearly accommodates up to 128Kb of kernel memory to be allocated in a single block. CheckPoint is trying to allocate larger chunks of kernel memory. In my case, it's about 280Kb.

While diagnosing, I created a separate .W file and deleted everything that didn't apply to this particular firewall. That left me with 12 rules. Of course, the objects are common to all rulebases, so I couldn't reduce that. So, I had almost 400 NAT rules. Uploading this produced the same symptom, and reduced the memory it tried to allocate to about 260Kb. Reducing the ruleset further to a single Any -> Any rule made it work without complaining. It also, of course, made it totally useless.

Our vendor, probably at CheckPoint's suggestion, suggested upgrading to RedHat 6.2 (remember they said FW-1 is supported up to 6.1, on kernels <2.2.14) and install service pack 2. Similar problem (it still complains about kmalloc).

BTW, on 6.1, the machine would panic within a minute or so, depending on activity. A single web page access was enough to crash it. On 6.2 with SP2, it kept working.
Only problem is that, for every connection attempt (plus every broadcast plus every UDP packet, more or less, basically anything that it might log) it would try the kmalloc four or five times, logging each one to disk. Clearly performance will suffer incredibly, and I will need to rotate the log file daily if not more frequently.

This machine is not currently in production. I've put an old Sun box in its place for now. I'm still waiting for a real response from CheckPoint.

------------------------------------------------------------------
Sid Van den Heede
Open Text Corporation
185 Columbia Street West (fax)
Waterloo, Ontario, Canada N2L 5Z5
[email protected]
OpenPGP key available on www.keyserver.net
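
Added example, not part of the original message: a small Python triage of the `fw_kmalloc` failure messages quoted in the thread, separating requests above the 128 KB single-block ceiling the post describes from requests below it. The syslog prefix, the hostname `fwgw` and every sample size other than 982056 are constructed for illustration.

```python
import re
from collections import Counter

# Single-block kmalloc ceiling as stated in the post (128 KB).
KMALLOC_MAX = 128 * 1024

# Message format taken from the log line quoted in the thread.
FAIL_RE = re.compile(r"FW-1: (\w+): fw_kmalloc\((\d+)\) failed")

# Constructed sample lines; the syslog prefix (timestamp, host) is an assumption.
SAMPLE_LOG = """\
Sep 20 10:14:01 fwgw kernel: FW-1: b_getvals: fw_kmalloc(982056) failed
Sep 20 10:14:01 fwgw kernel: FW-1: b_getvals: fw_kmalloc(982056) failed
Sep 20 10:14:02 fwgw kernel: FW-1: b_getvals: fw_kmalloc(982056) failed
Sep 20 10:14:02 fwgw kernel: eth0: link up
Sep 20 10:14:09 fwgw kernel: FW-1: b_getvals: fw_kmalloc(286720) failed
Sep 20 10:14:09 fwgw kernel: FW-1: b_getvals: fw_kmalloc(4096) failed
"""

def summarize(log_text, limit=KMALLOC_MAX):
    """Group fw_kmalloc failures by (caller, size) and classify each size."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    report = []
    # Most frequent failure first; ties keep their order of first appearance.
    for (caller, size), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        report.append({
            "caller": caller,
            "size": size,
            "count": n,
            # Over the limit: the request cannot be met as one block, so
            # freeing memory will not help. Under the limit, a failure
            # would point at memory pressure instead.
            "over_limit": size > limit,
            "ratio": round(size / limit, 2),
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        kind = "exceeds single-block limit" if row["over_limit"] else "within limit"
        print(f'{row["caller"]}: {row["size"]} bytes x{row["count"]} '
              f'({row["ratio"]}x of 128 KB, {kind})')
```

Run against the real kernel log, the count per size also gives a quick estimate of how fast the repeated failures will grow the log file.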