
[fw1-wizards] IKE Problems



We currently cannot run IKE VPNs with Firewall-1 on NT due to what appears
to be a memory leak in CP's version 4.1 code.  After a period of time,
usually only a few hours, the firewall stops all traffic.  We run "fw ctl
pstat" and observe the NDIS packet and buffer values.  As soon as the number
of packets gets to the registry value (default is 1024) VPNs cease to
function. Increasing the registry value just increases the time before
another restart is required.  Restarting the firewall daemon alone does not
correct the problem.

Event log errors include:
\Device\FW1, FW-1: Virtual defragmentation error: Packet pool-->.
\Device\FW1, --> exhausted (<fw ip address> -> <fw ip address> pr-->.
\Device\FW1, -->oto 50 id 40284 len 1500 offset 0) - 1 fragme-->.
\Device\FW1, -->nts dropped during the last 60 seconds.
\Device\FW1, -->oto 57 id 474 len 1500 offset 0) - 38 fragmen-->.
\Device\FW1, ndis_allocate_packet: Cannot allocate new packets.

The error messages always start out with:
"The description for Event ID ( 1 ) in Source ( FW1 ) cannot be found. The
local computer may not have the necessary registry information or message
DLL files to display messages from a remote computer. The following
information is part of the event:"

We discovered these errors along with the 100 host session issue on version
4.0 months ago and reverted to Skip VPNs.  See "ISAKMP AddNegotiation: try
to handle too many negotiations" FAQ at http://www.phoneboy.com/fw1/ .  The
host session issue also stopped all traffic and even brought down 4.1
firewalls doing IKE VPNs with version 4.0 firewalls.  We brought it to CP's
attention along with the above event errors at that time.  Once we had
multiple installations on 4.1 Sp2 we once again tried IKE only to experience
outages again.

Is anyone else running FW1 on NT experiencing this problem?


Tony Mack



---------------------------------------------------------------------
This email came from the FireWall-1 Wizards Mailing List