This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lincoln_Webber
Participant
‎2020-05-27 05:20 PM

fw monitor stops working after upgrade to R80.40

Hi Guys,

We upgrade our R80.30 VSX cluster to R80.40 JHF Take 45 over the weekend and fw monitor complains that it cant allocate buffer then throws me back to the shell. See the screenshot for the actual messages.

Has anyone experienced this of has insight into the cause and solution?

fw_monitor_error.PNG

5 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2020-05-27 10:58 PM

Hi @Lincoln_Webber,

Add your VS to fw monitor:

fw monitor -v <vsx instance> -e "accept(host ...);"

Specifies the capture filter (for both accelerated and non-accelerated traffic):

-F "<Source IP>,<Source Port>,<Dest IP>,<Dest Port>,<Protocol Number>"

If that doesn't help, I'd open a TAC case.

PS:
With R80.40 fw monitor works slightly different than in older versions. Showing list of chain modules with the "fw monitor", when you do not change the default capture positions:

in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)

out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Ilya_Yusupov
Employee
Employee
‎2020-05-28 02:01 AM
In response to HeikoAnkenbrand

Hi @Lincoln_Webber ,

 

Can you share the exact command you used for fw monitor? it's not seen in the screenshot.

Also any chance that you run some debug on the system before running the fw monitor command?

 

In general looks like your buffer is full this is why the fw monitor is not able to load.

0 Kudos
Lincoln_Webber
Participant
‎2020-05-28 10:05 AM
In response to Ilya_Yusupov

Hi Ilya,
The command is in the first line of the screenshot (fw monitor -e 'accept host(x.x.x.x);'
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-05-31 10:54 AM
In response to Lincoln_Webber

Hi @Lincoln_Webber ,

 

i tried same command in my lab and it works, as i mention before it looks like buffer issue.

Are you sure you don't have any debugs turned on? 

0 Kudos
Lincoln_Webber
Participant
‎2020-05-28 10:22 AM
In response to HeikoAnkenbrand

Hey Heiko,

I got it to run by adding the -v option.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events