Various errors for SSM Load Balancing and enforcement of interfaces on Scalable Platforms Appliances
Symptoms
  • Pushing VSX configuration fails with the "VSX.... error: Vlan cannot be created" message.

  • The "add interface X vlan Y" command fails with Error NMSETH0059 in Security Gateway mode.

  • The "add bonding group X interface Y" command fails with Error KERLAG0109 in Security Gateway mode.

  • The "interfaces will not function properly" warning is printed when changing the distribution mode configuration in global clish.

  • The asg diag "Distribution Mode" test reports a warning/failure on "load balancing interfaces".

Cause

SSM Load Balancing interfaces are limited to 1024 entries in per-port distribution mode. 

Physical interfaces count toward this limit, therefore:

SSM Type   Physical interfaces   VLAN interfaces limit
SSM160     15                    1009
SSM440     39                    985

Exceeding this limit will result in traffic interruption.


Solution

The SSM Load Balancing monitoring and enforcement mechanism was improved starting from Take 98 of the Jumbo Hotfix Accumulator for R76SP.30.

How it works

In per-port distribution mode, the SSM holds a distribution mode (user/network) for each port. This distribution mode is represented by one load balancing interface entry per physical port, per VLAN and per bond slave port.

There is a limit of 1024 load balancing interface entries.

The new SSM Load Balancing mechanism introduces monitoring and enforcement of the limit:

  • The asg diag "Distribution Mode" test introduces new verifications for load balancing interfaces.
  • User operations that may exceed the limit are prevented (e.g. adding a new VLAN, adding a new slave to a bond).


If you need more than 1024 interfaces, a distribution change is required. Contact Check Point Support for further information and assistance.


Comments and solutions of the listed problems 

In each scenario below, to diagnose the status of the Load Balancing interfaces on the system, run:

  • asg diag list - look for the test ID of "Distribution Mode" test
  • asg diag print <test-id> - run the test

Scenarios 

  1. In VSX mode, pushing VSX configuration fails with the "VSX.... error: Vlan cannot be created" message

    If this operation would have exceeded the maximal number of load balancing interfaces on the SSM, the error is correct: it prevents a situation in which the SSM would exceed the limit.


  2. In Security Gateway mode, the "add interface X vlan Y" command fails with "Cannot add VLAN on top of <interface>. This will exceed the maximal number of load balancing interfaces on <SSM> (see sk121094)"

    If this operation would have exceeded the maximal number of load balancing interfaces on the SSM, the error is correct: it prevents a situation in which the SSM would exceed the limit.

    Important note: when adding a new VLAN on top of a bond interface, there will be one load balancing interface per slave of the bond.

    For example, bond1 with 4 slaves:
    eth1-01, eth1-02, eth2-01, eth2-02

    will result in 2 more load balancing interfaces on SSM1 (due to slaves eth1-01 and eth1-02) and 2 more on SSM2 (due to slaves eth2-01 and eth2-02).


  3. In Security Gateway mode, "add bonding group X interface Y" command fails with "Cannot add slave to <bond>. This will exceed the maximal number of load balancing interfaces on <SSM> (see sk121094)"

    If this operation would have exceeded the maximal number of load balancing interfaces on the SSM, the error is correct: it prevents a situation in which the SSM would exceed the limit.

    Important note: when adding a new slave to a bond interface, there will be one load balancing interface per VLAN of the bond.

    For example: bond1 with 100 VLANs.
    Adding the new slave eth1-03 will result in 100 more load balancing interfaces on SSM1 (due to eth1-03).

  4. The "interfaces will not function properly" warning is printed when attempting to change distribution mode configuration in global clish.

    The warning indicates that a transition to per-port distribution mode occurred while the number of interfaces exceeded the limit. Therefore, the interfaces over the limit were not pushed to the SSM and they will not function.

    To sustain the configuration, it is highly recommended to revert to the previous mode before the change.

  5. The asg diag "Distribution Mode" test reports various warnings/failures on "load balancing interfaces"

    Scenarios:

    • Asg diag report: "Warning: Mismatch in number of load balancing interfaces between SGM and SSM"

      If the SSM has an old configuration of load balancing interfaces, follow the diagnostic report and run the cleaning tool on the relevant Chassis.

      If the SGM has more interfaces, and the total does not exceed the limit, install policy and check if the issue has been resolved.

    • Asg diag Distribution Mode test reports: "Warning: Number of load balancing interfaces exceeded 85% of the limit"

      This is expected behavior. The warning is shown because the SSM load balancing interfaces have reached 85% of the limit.

    • Asg diag Distribution Mode test reports failure: "Number of load balancing interfaces on SSM exceeded the limit"

      Remove the interfaces that exceed the limit from the topology, install policy, and check if the issue has been resolved.

    • Asg diag Distribution Mode test reports failure: "Number of load balancing interfaces on SGM exceeded the limit"

      In this scenario there was an attempt to configure more interfaces than the limit. The SGM local database contains the VLANs, but they were not pushed to the SSMs, to avoid exceeding the limit.

      Remove the new VLANs that resulted in exceeding the limit, or refer to the solution above on how to configure more than 1024 interfaces.

    • Asg diag Distribution Mode test reports failure: "Error during diagnostic test of load balancing interfaces"

      The test reports a failure to diagnose a specific SSM. Re-run the test, or check the SSM status by using asg stat -v.

      If the problem remains while the SSM seems to be working, contact Check Point Support.
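
The counting rules from scenarios 2 and 3 can be checked before a change is made. The following is an added example, not Check Point code: it estimates the load balancing interface entries per SSM for a planned topology. The port-to-SSM mapping (eth<N>-<MM> on SSM<N>), the function names and the exact threshold comparisons are assumptions drawn from the article's examples.

```python
# Added example: estimate load balancing interface entries per SSM in
# per-port distribution mode, using the counting rules described above.
import re
from collections import Counter

LIMIT = 1024                                    # entries per SSM (from the article)
PHYSICAL_PORTS = {"SSM160": 15, "SSM440": 39}   # from the article's table
WARN_RATIO = 0.85                               # asg diag warning threshold


def ssm_of(port):
    """Assumption: port 'eth<N>-<MM>' belongs to SSM<N>, as in the examples."""
    m = re.fullmatch(r"eth(\d+)-\d+", port)
    if not m:
        raise ValueError(f"unexpected port name: {port}")
    return int(m.group(1))


def lb_entries(ssm_type, ssm_ids, port_vlans, bonds):
    """port_vlans: {port: VLAN count}; bonds: {bond: (slave ports, VLAN count)}."""
    counts = Counter({s: PHYSICAL_PORTS[ssm_type] for s in ssm_ids})
    for port, vlans in port_vlans.items():
        counts[ssm_of(port)] += vlans            # one entry per VLAN on a port
    for slaves, vlans in bonds.values():
        for slave in slaves:
            counts[ssm_of(slave)] += vlans       # one entry per VLAN per slave
    return dict(counts)


def status(entries):
    # Assumed comparisons: FAIL above the limit, WARN above 85% of it.
    if entries > LIMIT:
        return "FAIL"
    return "WARN" if entries > WARN_RATIO * LIMIT else "OK"


def check_change(ssm_type, ssm_ids, port_vlans, bonds):
    """Return {ssm_id: (entries, status)} for a planned topology."""
    return {s: (n, status(n))
            for s, n in lb_entries(ssm_type, ssm_ids, port_vlans, bonds).items()}


if __name__ == "__main__":
    # Constructed topology: bond1 with 4 slaves and 100 VLANs, before and
    # after adding slave eth1-03 (scenario 3).
    before = {"bond1": (["eth1-01", "eth1-02", "eth2-01", "eth2-02"], 100)}
    after = {"bond1": (before["bond1"][0] + ["eth1-03"], 100)}
    print(check_change("SSM160", [1, 2], {}, before))
    print(check_change("SSM160", [1, 2], {}, after))
```

The estimate is a planning aid only; the asg diag "Distribution Mode" test remains the source of truth for the counts actually present on the SGM and SSM.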
