nflnetwork29
Collaborator

Installation failed. Reason: Memory allocation problem in Policy installation function.

We have a centrally managed 1550 ClusterXL running R80.20.15 - Build 682.

When I try to install policy, it always fails on the active member and installs on the standby with no issues.

The message is indicating a memory error but the boxes do not seem to be running out of memory.

 

[Expert@GW1]# free -m
total used free shared buffers cached
Mem: 2000884 1677392 323492 46460 12196 516604
-/+ buffers/cache: 1148592 852292
Swap: 0 0 0

 

I've had a ticket open with TAC for about 10 days with still no resolution. Thought I would check in the forums for any ideas?

nflnetwork29
Collaborator

[Expert@GW2]# free -m
total used free shared buffers cached
Mem: 2000884 1738000 262884 56924 8056 560276
-/+ buffers/cache: 1169668 831216
Swap: 0 0 0

G_W_Albrecht
Legend

This post should be in SMB! What happens if you do a policy pull on the active node? What happens after a failover?

nflnetwork29
Collaborator

 

I've manually forced a failover and tried that as well. Again, it will ONLY fail on the active member of the ClusterXL.

I've only tried pushing policy from the MDS.

G_W_Albrecht
Legend

Connect using SSH to each node and issue

 # fetch policy mgmt-ipv4-address <sms IP>

nflnetwork29
Collaborator

 

 

Same message on both:


HQ-FW2> fetch policy mgmt-ipv4-address x.x.x.x
Fetching policy from x.x.x.x
Fetching Security Policy from 'x.x.x.x'

Local Security Policy is Up-To-Date.

Installing Security Policy...
IPS package: Compiled OK.

Installing Security Policy Succeeded.
Done.


sfw_mac_filtering_config: ioctl SFW_MAC_FILTERING failed.
ioctl 43 to the sim device failed (ppak_id=0, rc=-1, errno=22)
sim_arp_spoofing: ioctl to the SecureXL device failed -1
Unable to configure anti ARP spoofing

 

sk167416 - "sfw_mac_filtering_config: ioctl SFW_MAC_FILTERING failed" message when pushing policy on a 1500 device

Cause
This is a cosmetic issue. MAC filtering is not supported on 1500 appliances.
G_W_Albrecht
Legend

Both nodes have the current policy - alter the policy, install and try on the failing node again.

nflnetwork29
Collaborator

Install via fetch or via SMS push?

PhoneBoy
Admin

What version/JHF are you pushing from?
Also, has TAC asked you to debug the policy installation process yet?
Send the SR number in a PM.

nflnetwork29
Collaborator

80.40 take 89

Yes, they have taken a debug during policy push and nothing has been resolved yet.

I will send the SR in a PM.
