On Wed, 20 Sep 2000 [EMAIL PROTECTED] wrote:
> We have some problems with a CP2000-SP2 (gateway/server module) when
> installing and running a rulebase. Management server located on another
> box.
> When FW-1 downloads the policy and installs we get this error message in
> the log: "FW-1: b_getvals: fw_kmalloc(982056) failed". The message repeats
> a couple of times.
>
> Is there a fix for this? Or is this a problem that could be ignored if the
> messages stops coming after a while.
I've been battling with my vendor (and indirectly with CheckPoint) on exactly
this issue for a couple of months now. They (CheckPoint) are giving me the
runaround. They keep asking about silly little details of how I installed
Linux, even after I made it clear that I did a stock install of Networked
Workstation, without adding or changing any installed package.
Looking at the kmalloc source code, it clearly accommodates up to 128Kb of
kernel memory to be allocated in a single block. CheckPoint is trying to
allocate larger chunks of kernel memory. In my case, it's about 280Kb.
While diagnosing, I created a separate .W file and deleted everything that
didn't apply to this particular firewall. That left me with 12 rules. Of
course, the objects are common to all rulebases, so I couldn't reduce
that. So, I had almost 400 NAT rules. Uploading this produced the same
symptom, and reduced the memory it tried to allocate to about 260Kb.
Reducing the ruleset further to a single Any -> Any rule made it work without
complaining. It also, of course, made it totally useless.
Our vendor, probably at CheckPoint's suggestion, suggested upgrading to RedHat
6.2 (remember they said FW-1 is supported up to 6.1, on kernels <2.2.14) and
installing service pack 2. Similar problem (it still complains about kmalloc).
BTW, on 6.1, the machine would panic within a minute or so, depending on
activity. A single web page access was enough to crash it. On 6.2 with SP2,
it kept working. Only problem is that, for every connection attempt (plus
every broadcast plus every UDP packet, more or less, basically anything that it
might log) it would try the kmalloc four or five times, logging each one to
disk. Clearly performance will suffer incredibly, and I will need to rotate
the log file daily if not more frequently.
This machine is not currently in production. I've put an old Sun box in its
place for now. I'm still waiting for a real response from CheckPoint.
------------------------------------------------------------------
Sid Van den Heede Open Text Corporation
+1 519 888 7111 x2211 185 Columbia Street West
+1 519 888 0677 (fax) Waterloo, Ontario, Canada N2L 5Z5
[EMAIL PROTECTED] OpenPGP key available on www.keyserver.net
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
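The diagnosis in the message above rests on one number: the largest block a single kmalloc() could return on a 2.2-series kernel. The following user-space C program is an added example, not code from the poster or from CheckPoint, and does not touch the kernel at all; it pulls the requested byte count out of "fw_kmalloc(N) failed" lines in the shape quoted in the thread and reports which requests exceed that cap and so can never succeed, however many times they are retried. The cap of 131072 bytes is the largest size class in the 2.2 slab allocator's table (the "128Kb" the poster refers to); the log lines are constructed for the example and are not real logs, and the sample and function names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>

/* Largest object kmalloc() could hand out on a 2.2 kernel: the biggest
 * entry in the slab allocator's size-class table was 131072 bytes.
 * Anything larger had to come from vmalloc() instead. (Assumed cap for
 * this example, matching the "128Kb" quoted in the thread.) */
#define KMALLOC_MAX_2_2 131072UL

/* Extract the requested byte count from a "fw_kmalloc(N) failed" message.
 * Returns N, or 0 if the line is not such a message. */
unsigned long failed_kmalloc_size(const char *line)
{
    const char *p = strstr(line, "fw_kmalloc(");
    if (!p)
        return 0;
    p += strlen("fw_kmalloc(");
    char *end;
    errno = 0;
    unsigned long n = strtoul(p, &end, 10);
    if (end == p || *end != ')' || errno != 0)
        return 0;
    if (!strstr(end, "failed"))
        return 0;
    return n;
}

/* Count the lines whose request is larger than the kernel can satisfy
 * from a single kmalloc(); those fail deterministically, not transiently. */
int count_oversized(const char *const *lines, size_t nlines, unsigned long cap)
{
    int over = 0;
    for (size_t i = 0; i < nlines; i++) {
        if (failed_kmalloc_size(lines[i]) > cap)
            over++;
    }
    return over;
}

/* Constructed sample lines for the example (not real firewall logs). */
static const char *const sample[] = {
    "Sep 20 10:01:02 fw kernel: FW-1: b_getvals: fw_kmalloc(982056) failed",
    "Sep 20 10:01:02 fw kernel: FW-1: b_getvals: fw_kmalloc(982056) failed",
    "Sep 20 10:01:03 fw kernel: FW-1: b_getvals: fw_kmalloc(65536) failed",
    "Sep 20 10:01:04 fw kernel: eth0: link up",
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++) {
        unsigned long n = failed_kmalloc_size(sample[i]);
        if (n == 0)
            continue;
        printf("%lu bytes: %s\n", n,
               n > KMALLOC_MAX_2_2 ? "above the 2.2 kmalloc cap, cannot succeed"
                                   : "within the cap, transient failure");
    }
    printf("%d oversized request(s)\n",
           count_oversized(sample, NSAMPLE, KMALLOC_MAX_2_2));
    return 0;
}
```

Run it over the real log file by swapping the constructed array for lines read from /var/log/messages; a request that stays above the cap after the rulebase is shrunk tells you the fix has to come from the vendor (a different allocation strategy), not from more retries or a bigger box.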