kamilazat
Collaborator

Repeated debug error messages in fwk.elg

Hi all!

I'm seeing a lot of messages like below in the fwk.elg file.

FW-1: stopping debug messages for the next 13 seconds. To disable this suppression see sk74580
[28 Sep 20:42:47][fw4_3];[vs_0];[10.x.x.x:32638 -> 10.y.y.y:10250] [ERROR]: up_calc_service_id_key_list: num_of_service_clobs (58) reached limit of entry key

Kernel debug parameters are set to default (as in we do fw ctl debug 0), and tracing options for the routed daemon are off. I tried looking up the parts of the messages but found nothing.

Apparently there is a problem that has been going on for a while. Where can I be getting these messages from? 

Thanks!

PhoneBoy
Admin

From the TAC cases that mention this error, it appears that there are too many matched services for a single connection.
In this case, the error refers to port 10250.
If you have multiple services that mention this port (either directly or as part of a range), reduce/eliminate them.
These messages will show even if you've disabled debugs.

These errors are happening as part of a caching function that can be disabled with: fw ctl set int up_rulebase_use_compound_matching_cache 0
(To permanently disable this, see: https://support.checkpoint.com/results/sk/sk26202 )
However, this can negatively impact performance and is thus not recommended.

kamilazat
Collaborator

@PhoneBoy Thank you for the information. 

There are a lot of lines that show other ports as well, however I can see a pattern in those ports. So do I understand you correctly that these messages occur when there are too many connections that correspond to one port?

For example, I see a lot of entries that correspond to port 10250, and only a few IP addresses that are associated with that port. What kind of reduction/elimination do you suggest? We cannot prevent that traffic from happening, and obviously a performance impacting parameter modification is not feasible. 

PhoneBoy
Admin

What I'm suggesting is you have multiple service objects in your policy configuration that reference port 10250, either directly or as a result of a range.
Reduce/eliminate these objects.

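An added helper script (not from this thread and not Check Point code) for the check the answer above describes: it parses fwk.elg lines of the quoted form, counts which destination ports trigger the up_calc_service_id_key_list error, and lists which service objects from an inventory cover each port directly or through a range. The log lines, addresses and service object names are constructed for the example; the inventory would normally be exported from the management server.

```python
import re
from collections import Counter

# Matches the fwk.elg error line format quoted in the thread.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\[(?P<inst>[^\]]+)\];\[(?P<vs>[^\]]+)\];"
    r"\[(?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)\] \[ERROR\]: "
    r"up_calc_service_id_key_list: num_of_service_clobs \((?P<clobs>\d+)\)"
)

def parse_line(line):
    """Return the fields of one error line, or None for other lines (e.g. the suppression notice)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "clobs"):
        rec[key] = int(rec[key])
    return rec

def dest_port_counts(lines):
    """Count error lines per destination port."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["dport"]] += 1
    return counts

def services_covering(port, services):
    """Names of service objects whose single port or port range includes `port`."""
    return [name for name, lo, hi in services if lo <= port <= hi]

def report(lines, services):
    """For each affected destination port: (error line count, covering service objects)."""
    return {port: (n, services_covering(port, services))
            for port, n in dest_port_counts(lines).items()}

# Constructed sample input modelled on the quoted lines; addresses are RFC 1918 placeholders.
SAMPLE_LOG = [
    "FW-1: stopping debug messages for the next 13 seconds. To disable this suppression see sk74580",
    "[28 Sep 20:42:47][fw4_3];[vs_0];[10.0.0.5:32638 -> 10.0.1.9:10250] [ERROR]: up_calc_service_id_key_list: num_of_service_clobs (58) reached limit of entry key",
    "[28 Sep 20:42:48][fw4_3];[vs_0];[10.0.0.6:41020 -> 10.0.1.9:10250] [ERROR]: up_calc_service_id_key_list: num_of_service_clobs (58) reached limit of entry key",
    "[28 Sep 20:42:49][fw4_1];[vs_0];[10.0.0.7:51234 -> 10.0.1.12:10255] [ERROR]: up_calc_service_id_key_list: num_of_service_clobs (58) reached limit of entry key",
]
# Hypothetical service inventory as (name, low_port, high_port); all entries assumed TCP.
SAMPLE_SERVICES = [
    ("kubelet-10250", 10250, 10250),
    ("tcp-10000-11000", 10000, 11000),
    ("tcp-10250-10260", 10250, 10260),
    ("https", 443, 443),
]

if __name__ == "__main__":
    for port, (n, names) in sorted(report(SAMPLE_LOG, SAMPLE_SERVICES).items()):
        print(f"port {port}: {n} error lines, covered by {len(names)} service objects: {names}")
```

Ports covered by several objects in the output are the candidates for consolidation; a real run would read the fwk.elg file line by line instead of the embedded sample.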