failed alloc Checkpoint - Firewalls

This is a discussion on failed alloc Checkpoint - Firewalls ; Below is the out put of a fw ctl pstat on both of my Nokia firewalls Of interest is the Hash kernel memory, pertaining to the connection table. Total memory bytes used: 7735064 unused: 9042152 (53%) peak: 7688747 Total memory ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: failed alloc Checkpoint

  1. failed alloc Checkpoint

    Below is the out put of a fw ctl pstat on both of my Nokia firewalls

    Of interest is the Hash kernel memory, pertaining to the connection
    table.

    Total memory bytes used: 7735064 unused: 9042152 (53%) peak:
    7688747
    Total memory blocks used: 1956 unused: 2139 (52%)

    Is this utilisation high? The peak value appears to be lower than the
    used value. How can this be?

    Also the kmem stats
    21769 failed alloc

    What does this "failed alloc" counter mean?

    The boxes are IP530s with 256M RAM running CPFW4.1.
    My_Live_Nokia_BOX[admin]# fw ctl pstat
    Hash kernel memory (hmem) statistics:
    Total memory allocated: 16777216 bytes in 4095 4KB blocks using 1
    pool
    Total memory bytes used: 7735064 unused: 9042152 (53%) peak:
    7688747
    Total memory blocks used: 1956 unused: 2139 (52%)
    Allocations: 1566079999 alloc, 0 failed alloc, 1565782667 free
    System kernel memory (kmem) statistics:
    Total memory bytes used: 35836242 peak: 36688299
    Allocations: 357615 alloc, 21769 failed alloc, 352745 free, 0 failed
    free
    Inspct: -1036650508 packets, -1735760691 operations, 887715715
    lookups, -1951500668 record, -1852592722 extract
    Cookies: 1605859132 total, 0 alloc, 0 free, 434820304 dup, -2071286067
    get, 1376301625 put, -1144880978 len, 0 chain alloc, 0 chain free
    Fragments: 931824 fragments, 461494 packets, 95 expired, 0 short, 0
    large, 0 duplicates, 0 failures
    Encryption: 0 encryption, 0 decryption, 0 short, 0 failures
    Translation: 231008814/847959357 forw, 204864164/467675903 bckw,
    435820247 tcpudp, 52731 icmp, 27894361-51800563 alloc


    My_Backup_Nokia_BOX[admin]# fw ctl pstat
    Hash kernel memory (hmem) statistics:
    Total memory allocated: 16777216 bytes in 4095 4KB blocks using 1
    pool
    Total memory bytes used: 376844 unused: 16400372 (97%) peak:
    1241720
    Total memory blocks used: 118 unused: 3977 (97%)
    Allocations: 1224566034 alloc, 0 failed alloc, 1224558765 free
    System kernel memory (kmem) statistics:
    Total memory bytes used: 19611002 peak: 21030454
    Allocations: 14471322 alloc, 0 failed alloc, 14469354 free, 0 failed
    free
    Inspct: 712131458 packets, -808801861 operations, -2135335051 lookups,
    494775 record, 1576382501 extract
    Cookies: 1477103177 total, 0 alloc, 0 free, 73 dup, 1754045232 get,
    275 put, -641680339 len, 0 chain alloc, 0 chain free
    Fragments: 0 fragments, 0 packets, 0 expired, 0 short, 0 large, 0
    duplicates, 0 failures
    Encryption: 0 encryption, 0 decryption, 0 short, 0 failures
    Translation: 2/388217065 forw, 46/1082207238 bckw, 48 tcpudp, 0 icmp,
    0-51791854 alloc


    Any info on this would be appreciated.


    FWS

  2. Re: failed alloc Checkpoint

    Firewall is alleged to have said in comp.security.firewalls:

    > 21769 failed alloc
    >
    > What does this "failed alloc" counter mean?
    >


    It's high for your config, apparently. What it means is that the firewall
    kernel needed to allocate memory and didn't have enough free to allocate a
    block of the requested size, or just couldn't find a large enough block
    which can happen when the firewall memory becomes fragmented. Use modzap to
    increase the kernel memory, or reboot more often if these boxes have been
    up a long time.

    modzap _fwhmem $FWDIR/boot/modules/fwmod.o 0x1000000

    That will increase it to 10 meg.

    --
    If at first you don't succeed, skydiving is not for you.

+ Reply to Thread