George_Liu
Nickel

Failed to Load Security Policy: Cannot allocate memory

Affected version: R71 SPLAT

Symptom:

1. install policy, Failed to Load Security Policy: Cannot allocate memory.

2. Gateway disk space not full.

Check procedure:

1. manual fetch policy from gateway, got same error message

   (fw fetch SmartCenterIP)

2. check cpd.elg, memory allocate fail.

    ($CPDIR/log/cpd.elg)

3. check kernel tab, found string_dictionary_table full

   (output from fw tab -s)

Workaround:

1. Disable log rulebase uuid.

    (Policy -> Global Properties -> SmartDashboard Customization -> Configure -> Firewall -> General; uncheck rulebase_uids_in_log; click OK; then push policy.)

9 Replies
Neville_Kuo
Silver

Re: Failed to Load Security Policy: Cannot allocate memory

This has happened on many versions. Is the situation the same in all of them?

Employee++
Employee++

Re: Failed to Load Security Policy: Cannot allocate memory

George, have you ever seen a related KB reference in the Support Center?

0 Kudos
George_Liu
Nickel

Re: Failed to Load Security Policy: Cannot allocate memory

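This problem occurs on many versions. More precisely, this message is just a normal message, and the cause has to be broken down piece by piece before there is any chance of knowing what the situation is.

P.S. "Normal message" means it is like the "invalid sa" message you often see when debugging VPN: it is not necessarily caused by an actual problem with the SA.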

George_Liu
Nickel

Re: Failed to Load Security Policy: Cannot allocate memory

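You can refer to: Policy installation fails with "Load on module failed - no memory" error

Solution ID

sk101875

My experience from the previous few times:

  • Not enough disk space on the gateway.
  • Chinese characters used in the policy Rule name field. (Comments can be in Chinese, section titles can be in Chinese too; only the Rule name cannot.)
  • This time's log uuid problem. (String dictionary entries have to be added in fw tab to map the log uuids.)
  • Unknown cause. (A reboot fixed it.)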
Dawei_Ye
Copper

Re: Failed to Load Security Policy: Cannot allocate memory

But after disabling log rulebase uuid, it seems the hit count in the rulebase can no longer be used?

We also ran into the Chinese character problem before, and it showed this message.

George_Liu
Nickel

Re: Failed to Load Security Policy: Cannot allocate memory

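Thanks to Dawei Ye for the report. Indeed, I just checked on the system, and installing policy after disabling the uid really did cause the hit count to stop updating. I will look into a way to get the best of both.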

George_Liu
Nickel

Re: Failed to Load Security Policy: Cannot allocate memory

While searching for rulebase_uid_in_log string_dictionary_table just now, I saw that (sk101875) says:

This error can also be corrected by:

  • Make sure to remove the long hyphen character ' ? ' as well from rule names and/or comments, which is created automatically by Microsoft Word.
  • To verify whether the problem is caused by the non-ASCII (international) character, follow these steps:

    1. On a Security Gateway, run: fw ctl zdebug filter > /var/log/debug.txt.
    2. Install the security policy in SmartDashboard.
    3. Analyze the /var/log/debug.txt file.

    If this error is indeed caused by the non-ASCII (international) character, the following message will appear in the output file:
    fw_rules_uid_handle_uid: couldn't allocate dictionary string id for rule no. <N>
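
The check from the post above (the sk101875 debug message and the non-ASCII rule-name cause), as an added example that is not part of the original thread or of Check Point's tooling: it pulls the rule numbers out of a saved debug capture and cross-references them against a list of rule names. The tab-separated rule-name file, the function names and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample data below is constructed, not real gateway output.

# Rule numbers named by the sk101875 message in a saved debug capture.
failing_rules() {
    LC_ALL=C sed -n "s/.*fw_rules_uid_handle_uid: couldn't allocate dictionary string id for rule no\. *\([0-9][0-9]*\).*/\1/p" "$1" |
        sort -n -u
}

# Rule numbers whose name holds any byte outside 7-bit ASCII.
# Assumed input format: one "<rule no><TAB><rule name>" line per rule.
non_ascii_rules() {
    while IFS="$(printf '\t')" read -r no name; do
        rest=$(printf '%s' "$name" | LC_ALL=C tr -d '\000-\177')
        if [ -n "$rest" ]; then printf '%s\n' "$no"; fi
    done < "$1"
}

# Cross-reference the two: which failing rules have a non-ASCII name?
triage() {
    flagged=$(non_ascii_rules "$2")
    for n in $(failing_rules "$1"); do
        if printf '%s\n' "$flagged" | grep -qx "$n"; then
            printf 'rule %s: non-ASCII character in rule name\n' "$n"
        else
            printf 'rule %s: name is ASCII, check string_dictionary_table in fw tab -s\n' "$n"
        fi
    done
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
DEBUG="$tmp/debug.txt" NAMES="$tmp/rule_names.tsv"
cat > "$DEBUG" <<'EOF'
(constructed line standing in for unrelated debug output)
fw_rules_uid_handle_uid: couldn't allocate dictionary string id for rule no. 14
fw_rules_uid_handle_uid: couldn't allocate dictionary string id for rule no. 15
fw_rules_uid_handle_uid: couldn't allocate dictionary string id for rule no. 14
fw_rules_uid_handle_uid: couldn't allocate dictionary string id for rule no. 20
EOF
# Rule 14 has a Chinese name; rule 15 has a U+2013 long hyphen (\342\200\223).
printf '12\tAllow-DNS\n14\t內部伺服器\n15\tVPN \342\200\223 branch\n20\tCleanup\n' > "$NAMES"
triage "$DEBUG" "$NAMES"
```

A rule that fails with a plain ASCII name points away from the character-set cause and toward the string_dictionary_table capacity check described in the first post.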

Neville_Kuo
Silver

Re: Failed to Load Security Policy: Cannot allocate memory

Today I used the following article to cure the hit count problem on our company's 80.10:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Takeaways:

1. The uid must not die.

2. Clear console cache.

3. It still happens even on 80.10, what a pain.

Employee++
Employee++

Re: Failed to Load Security Policy: Cannot allocate memory

You're the pain, your whole family is a pain.

0 Kudos