Security Gateway might crash during boot if drop optimization is enabled in 'Firewall Policy Optimization'
Symptoms
  • Security Gateway might crash during boot if drop optimization is enabled per sk90861 (Security Gateway Properties - 'Optimizations' pane - section 'Firewall Policy Optimization' - check the box 'Enable drop optimization').

  • Example output from console during the crash:

    login: wdt stop function not defined
    Oops: 0000 [#1]
    ... ... ...
    EIP is at simlinux_br_port+... [simmod]
    ... ... ...
    Process fw_worker_<N> (pid: ..., ti=... task=... task.ti=...)
    ... ... ...
    Call Trace:
    [...] <N> [...] handle_inbound_packet+... [simmod]
    [...] <N> [...] drv_write_lock+... [simmod]
    [...] <N> [...] sim_filterout_deliver_internal+... [simmod]
    [...] <N> [...] e1000_xmit_frame+... [e1000e]
    [...] <N> [...] fwlock_lock_release+... [fw_0]
    [...] <N> [...] fwmultik_dispatch_outbound+... [fw_0]
    [...] <N> [...] fg_qxl_enqueue_packet+... [etm_0]
    [...] <N> [...] drv_write_lock+... [simmod]
    [...] <N> [...] ip_finish_output+...
    [...] <N> [...] sim_filterout+... [simmod]
    [...] <N> [...] nf_hook_slow+...
    ... ... ...
    BUG: soft lockup - CPU#0 stuck for 2s! [fgd50:PID]
    Pid: PID, comm:                fgd50
    ... ... ...
    EIP is at drv_write_lock+... [simmod]
    ... ... ...
    [...]  [...] sim_db_get_conn+... [simmod]
    [...]  [...] __find_get_block+...
    [...]  [...] drv_write_lock+... [simmod]
    [...]  [...] __getblk+...
    [...]  [...] simi_packet_sanity_checks+... [simmod]
    [...]  [...] handle_inbound_packet+... [simmod]
    ... ... ...
    EIP: [...] simlinux_br_port+... [simmod]
    
  • Example outputs from KDB mode (per sk31511):

    • With QoS enabled:
      esp    eip Function (args)
      ...    ... [simmod]simlinux_br_port+...
      ...    ... [simmod]handle_inbound_packet+...
      ...    ... [simmod]sim_fromlinux+...
      ...    ... netif_receive_skb_do+...
      ...    ... netif_receive_skb+...
      ... ... ...
      
    • With QoS disabled:
      esp    eip Function (args)
      ...    ... [simmod]do_routing+...
      ...    ... [simmod]handle_inbound_packet+...
      ...    ... [simmod]sim_fromlinux+...
      ...    ... netif_receive_skb_do+...
      ...    ... netif_receive_skb+...
      ... ... ...
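
For triaging a captured console log against the signature listed above, a matcher along these lines can be used. It is an added example, not Check Point code: the sample capture is constructed (symbol, module and process names follow this article; addresses, offsets and pids are made up), and the function names parse_oops and matches_article_signature are hypothetical.

```python
import re

# Signature fields taken from the console output quoted under Symptoms.
FAULT_MODULE = "simmod"
# do_routing tops the QoS-disabled KDB trace; accepting it as console EIP is an assumption.
FAULT_FUNCS = {"simlinux_br_port", "do_routing"}
EIP_RE = re.compile(r"EIP is at (\w+)\+\S*\s+\[(\w+)\]")
PROC_RE = re.compile(r"Process (\S+) \(pid:")
FRAME_RE = re.compile(r"(\w+)\+\S*(?:\s+\[\w+\])?\s*$")

def parse_oops(text):
    """Return the first faulting EIP, the process name and first call trace."""
    eip = proc = None
    frames, in_trace = [], False
    for line in text.splitlines():
        s = line.strip()
        if eip is None and (m := EIP_RE.search(s)):
            eip = m.groups()               # (function, module)
        elif proc is None and (m := PROC_RE.search(s)):
            proc = m.group(1)
        elif s.startswith("Call Trace:") and not frames:
            in_trace = True
        elif in_trace and s.startswith("[") and (m := FRAME_RE.search(s)):
            frames.append(m.group(1))
        elif in_trace and s:
            in_trace = False               # first non-frame line ends the trace
    return {"eip": eip, "process": proc, "frames": frames}

def matches_article_signature(report):
    """True when the Oops matches the signature quoted in this article."""
    eip = report["eip"]
    return bool(eip and eip[1] == FAULT_MODULE and eip[0] in FAULT_FUNCS
                and (report["process"] or "").startswith("fw_worker_")
                and "handle_inbound_packet" in report["frames"])

# Constructed capture: symbol, module and process names follow the article;
# addresses, offsets and pids are made up.
SAMPLE = """\
Oops: 0000 [#1]
EIP is at simlinux_br_port+0x1c/0x90 [simmod]
Process fw_worker_0 (pid: 4242, ti=f1a00000 task=f1b00000 task.ti=f1a00000)
Call Trace:
 [<f8a01000>] handle_inbound_packet+0x2f1/0xa10 [simmod]
 [<c05a1000>] ip_finish_output+0x0/0x50
BUG: soft lockup - CPU#0 stuck for 2s! [fgd50:4300]
EIP is at drv_write_lock+0x10/0x40 [simmod]
"""
if __name__ == "__main__":
    print(matches_article_signature(parse_oops(SAMPLE)))
```

Only the first EIP line is treated as the faulting address, so the later soft-lockup EIP at drv_write_lock does not change the verdict.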
      
Cause

Because SecureXL Drop Templates were enabled and traffic was running during boot, all existing connections were offloaded from FireWall to SecureXL as partial connections, without valid interface numbers.

Due to an issue with the global variable jiffies in the Linux kernel (which holds the number of ticks that have occurred since the system booted), if a connection was accelerated in the first 5 seconds (the routing interval) of the 5th minute (when the issue with the jiffies variable occurs), a route lookup was not performed for the outbound interface number and the previous number was used, which might cause the kernel panic.

