topic Re: Repeated debug error messages in fwk.elg in Firewall and Security Management

Repeated debug error messages in fwk.elg

kamilazat — Mon, 30 Sep 2024 14:52:44 GMT

Hi all!

I'm seeing a lot of messages like below in the fwk.elg file.

FW-1: stopping debug messages for the next 13 seconds. To disable this suppression see sk74580
[28 Sep 20:42:47][fw4_3];[vs_0];[10.x.x.x:32638 -> 10.y.y.y:10250] [ERROR]: up_calc_service_id_key_list: num_of_service_clobs (58) reached limit of entry key

Kernel debug parameters are set to default (as in we do fw ctl debug 0), and tracing options for routed daemon is off. I tried looking up the parts of the messages but found nothing.

Apparently there is a problem that has been going on for a while. Where can I be getting these messages from?

Thanks!

Re: Repeated debug error messages in fwk.elg

PhoneBoy — Mon, 30 Sep 2024 15:40:36 GMT

From the TAC cases that mention this error, it appears that there are too many matched services for a single connection.
In this case, the error refers to port 10250.
If you have multiple services that mention this port (either directly or as part of a range), reduce/eliminate them.
These messages will show even if you've disabled debugs.

These errors are happening as part of a caching function that be disabled with: fw ctl set int up_rulebase_use_compound_matching_cache 0
(To permanently disable this, see: https://support.checkpoint.com/results/sk/sk26202 )
However, this can negatively impact performance and is thus not recommended.

Re: Repeated debug error messages in fwk.elg

kamilazat — Tue, 01 Oct 2024 11:50:05 GMT

@PhoneBoy Thank you for the information.

There are a lot of lines that show other ports as well, however I can see a pattern in those ports. So do I understand you correctly that these messages occur when there are too many connections that correspond to one port?

For example, I see a lot of entries that correspond to port 10250, and only a few IP addresses that are associated with that port. What kind of reduction/elimination do you suggest? We cannot prevent that traffic from happening, and obviously a performance impacting parameter modification is not feasible.

Re: Repeated debug error messages in fwk.elg

PhoneBoy — Tue, 01 Oct 2024 15:07:01 GMT

What I'm suggesting is you have multiple service objects in your policy configuration that reference port 10250, either directly or as a result of a range.
Reduce/eliminate these objects.