Network outage when using Security Zones objects
Symptoms
  • Network outage is observed when the rulebase contains Security Zones objects.
  • In ClusterXL environments, failover is not being initiated automatically; the issue is resolved with a manual failover or a reboot.
  • kernel: BUG: soft lockup - CPU#X stuck for 10s! [ksoftirqd/2:9]
    kernel: CPU X:
    …
    kernel: Call Trace:
    kernel:    [] _spin_lock_bh+0x9/0x20
    kernel:  [] rt_garbage_collect+0x120/0x360
    kernel:  [] dst_alloc+0x81/0xa0
    kernel:  [] ip_route_input+0xcbb/0xf10
    
  • "kernel: dst cache overflow" messages in /var/log/messages (or dmesg).
  • The leftmost value in the output of "grep ip_dst_cache /proc/slabinfo" is higher than the value shown by "cat /proc/sys/net/ipv4/route/max_size".
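The last two symptoms can be checked with a short script. This is an added example, not Check Point code: the function names and the sample values in demo are constructed, and the optional file arguments let it run on saved copies of the /proc files and the log.

```shell
#!/bin/sh
# Added example. Paths default to the live files; pass saved copies to check offline.

# Leftmost numeric column of the ip_dst_cache line in slabinfo.
dst_cache_objs() {
    awk '$1 == "ip_dst_cache" { print $2; found = 1; exit }
         END { if (!found) exit 1 }' "${1:-/proc/slabinfo}"
}

# Number of "dst cache overflow" kernel messages in a log file.
count_dst_overflow() {
    grep -c 'kernel: dst cache overflow' "${1:-/var/log/messages}" || true
}

# Compare the slab count with the route cache limit.
# Returns 0 = below limit, 1 = symptom present, 2 = inputs unreadable.
check_route_cache() {
    objs=$(dst_cache_objs "${1:-/proc/slabinfo}") || return 2
    max=$(cat "${2:-/proc/sys/net/ipv4/route/max_size}" 2>/dev/null) || return 2
    for v in "$objs" "$max"; do
        case "$v" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$objs" -gt "$max" ]; then
        echo "SYMPTOM ip_dst_cache=$objs max_size=$max"
        return 1
    fi
    echo "OK ip_dst_cache=$objs max_size=$max"
}

# Run the check on constructed sample data (not taken from a real gateway).
demo() {
    d=$(mktemp -d)
    echo 'ip_dst_cache 524301 524310 384 10 1 : tunables 54 27 8 : slabdata 52431 52431 0' > "$d/slabinfo"
    echo 524288 > "$d/max_size"
    rc=0
    check_route_cache "$d/slabinfo" "$d/max_size" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: script --demo (sample data) or script --live (this machine).
case "${1:-}" in
    --demo) demo ;;
    --live) check_route_cache && count_dst_overflow ;;
esac
```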
Cause

The SecureXL routing code does not release routing cache entries back to the OS, causing more and more entries to become stuck until the limit on the number of routing cache entries is reached.

