https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86886#M9159 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/16718">@Lincoln_Webber</a>&nbsp;,</P> <P>&nbsp;</P> <P>i tried same command in my lab and it works, as i mention before it looks like buffer issue.</P> <P>Are you sure you don't have any debugs turned on?&nbsp;</P> Sun, 31 May 2020 17:54:12 GMT Ilya_Yusupov 2020-05-31T17:54:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86542#M9154 <P>Hi Guys,</P><P>We upgrade our R80.30 VSX cluster to R80.40 JHF Take 45 over the weekend and fw monitor complains that it cant allocate buffer then throws me back to the shell. See the screenshot for the actual messages.</P><P>Has anyone experienced this of has insight into the cause and solution?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="fw_monitor_error.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6263iF9E6B09AA1F9EC84/image-size/large?v=v2&amp;px=999" role="button" title="fw_monitor_error.PNG" alt="fw_monitor_error.PNG" /></span></P> Thu, 28 May 2020 00:20:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86542#M9154 Lincoln_Webber 2020-05-28T00:20:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86553#M9155 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/16718">@Lincoln_Webber</a>,</P> <P>Add your VS to fw monitor:</P> <P>fw monitor <FONT color="#FF0000">-v &lt;vsx instance&gt;</FONT> -e "accept(host ...);"</P> <P>Specifies the capture filter (for both accelerated and non-accelerated traffic):<BR /><BR />-F "&lt;Source IP&gt;,&lt;Source Port&gt;,&lt;Dest IP&gt;,&lt;Dest Port&gt;,&lt;Protocol Number&gt;"</P> <P>If that doesn't help, I'd open a TAC case.</P> <P>PS:<BR />With R80.40 fw monitor works slightly different than in older versions. Showing list of chain modules with the "fw monitor", when you do not change the <FONT color="#FF0000">default capture positions</FONT>:</P> <P>in chain (17):<BR />0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)<BR />1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)<BR />2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)<BR />3: -70000000 (ffffffff8b6774d0) (ffffffff) <FONT color="#FF0000">fwmonitor (i/f side)</FONT><BR />4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)<BR />5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding<BR />6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)<BR />7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)<BR />8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module<BR />9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)<BR />10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)<BR />11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)<BR />12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)<BR />13: 70000000 (ffffffff8b6774d0) (ffffffff) <FONT color="#FF0000">fwmonitor (IP side)</FONT><BR />14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)<BR />15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)<BR />16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)</P> <P>out chain (16):<BR />0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)<BR />1: -70000000 (ffffffff8b6774d0) (ffffffff) <FONT color="#FF0000">fwmonitor (i/f side)</FONT><BR />2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)<BR />3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)<BR />4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)<BR />5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)<BR />6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)<BR />7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)<BR />8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)<BR />9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)<BR />10: 70000000 (ffffffff8b6774d0) (ffffffff) <FONT color="#FF0000">fwmonitor (IP side)</FONT><BR />11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)<BR />12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)<BR />13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)<BR />14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)<BR />15: 7fa00000</P> Thu, 28 May 2020 06:18:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86553#M9155 HeikoAnkenbrand 2020-05-28T06:18:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86566#M9156 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/16718">@Lincoln_Webber</a>&nbsp;,</P> <P>&nbsp;</P> <P>Can you share the exact command you used for fw monitor? it's not seen in the screenshot.</P> <P>Also any chance that you run some debug on the system before running the fw monitor command?</P> <P>&nbsp;</P> <P>In general looks like your buffer is full this is why the fw monitor is not able to load.</P> Thu, 28 May 2020 09:01:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86566#M9156 Ilya_Yusupov 2020-05-28T09:01:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86630#M9157 Hi Ilya,<BR />The command is in the first line of the screenshot (fw monitor -e 'accept host(x.x.x.x);' Thu, 28 May 2020 17:05:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86630#M9157 Lincoln_Webber 2020-05-28T17:05:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86631#M9158 <P>Hey Heiko,</P><P>I got it to run by adding the -v option.</P> Thu, 28 May 2020 17:22:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86631#M9158 Lincoln_Webber 2020-05-28T17:22:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86886#M9159 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/16718">@Lincoln_Webber</a>&nbsp;,</P> <P>&nbsp;</P> <P>i tried same command in my lab and it works, as i mention before it looks like buffer issue.</P> <P>Are you sure you don't have any debugs turned on?&nbsp;</P> Sun, 31 May 2020 17:54:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fw-monitor-stops-working-after-upgrade-to-R80-40/m-p/86886#M9159 Ilya_Yusupov 2020-05-31T17:54:12Z