"fwldbcast_new: too many hosts : 0" error messages in /var/log/messages
Symptoms
  • After upgrade to R80.20, some connections are dropped with "TCP packet out of state: First packet isn't SYN; tcp_flags:", with flags that are not FIN or RST. (These drops occurred only during high load.)

  • Different TTL values can be seen in the connections table between the Active member and the Standby member, with an earlier timeout value on the Standby member.
    Use the following command to filter a specific connection affected by the issue, and compare the outputs from both members:

    [Expert@FW-A:0]# fw ctl conntab -sip=172.20.172.54 -dip=172.30.138.91
    Example:

    Active Member:
    [Expert@FW-A:0]# fw ctl conntab -sip=172.20.172.54 -dip=172.30.138.91
    <(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 3599/3600, rule=1, tcp state=TCP_ESTABLISHED, service=481, Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
    <(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 3582/3600, rule=1, tcp state=TCP_ESTABLISHED, service=481, Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>

    Standby Member:
    [Expert@FW-B:0]# fw ctl conntab -sip=172.20.172.54 -dip=172.30.138.91
    <(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 11/3600, rule=1, tcp state=TCP_ESTABLISHED, service=481, Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>
    <(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 9/3600, rule=1, tcp state=TCP_ESTABLISHED, service=481, Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1>

    Syntax options:
    Usage:
    -h/-help        # Display this help menu
    -sport          # filter by source port
    -dport          # filter by destination port
    -proto          # filter by protocol
    -sip            # filter by source ip
    -dip            # filter by destination ip
    -rule           # filter by rule
    -service        # filter by service
    

  • Many "fwldbcast_new: too many hosts : 0" kernel messages appear in the /var/log/messages file, correlating with the time of the issue. Note: In a VSX environment, they may appear under the relevant context ID of the VS in the '$FWDIR/log/fwk.elg' log file.
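
The Active/Standby comparison from the second symptom can be run over saved `fw ctl conntab` output from both members, flagging connections whose remaining timeout on the Standby is far below the Active's. This is an added example, not Check Point code; the function names, the 60-second threshold and the 192.0.2.10 entries are assumptions made for illustration.

```python
import re

# One `fw ctl conntab` entry: src/dst ip+port, protocol, remaining/total timeout.
ENTRY = re.compile(
    r"<\(\w+, src=\[([^,\]]+),(\d+)\], dest=\[([^,\]]+),(\d+)\], (\w+)\); (\d+)/(\d+),"
)

# Abridged entries. The 172.20.172.54 values come from the outputs above;
# the 192.0.2.10 entries are constructed to show a healthy connection.
ACTIVE_SAMPLE = """\
<(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 3599/3600, rule=1, tcp state=TCP_ESTABLISHED>
<(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 3582/3600, rule=1, tcp state=TCP_ESTABLISHED>
<(inbound, src=[192.0.2.10,40000], dest=[172.30.138.91,443], TCP); 3400/3600, rule=1, tcp state=TCP_ESTABLISHED>
"""
STANDBY_SAMPLE = """\
<(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 11/3600, rule=1, tcp state=TCP_ESTABLISHED>
<(inbound, src=[172.20.172.54,52117], dest=[172.30.138.91,22], TCP); 9/3600, rule=1, tcp state=TCP_ESTABLISHED>
<(inbound, src=[192.0.2.10,40000], dest=[172.30.138.91,443], TCP); 3398/3600, rule=1, tcp state=TCP_ESTABLISHED>
"""

def parse_conntab(text):
    """Map (sip, sport, dip, dport, proto) to the lowest remaining timeout seen."""
    conns = {}
    for sip, sport, dip, dport, proto, left, _total in ENTRY.findall(text):
        key = (sip, int(sport), dip, int(dport), proto)
        conns[key] = min(int(left), conns.get(key, int(left)))
    return conns

def timeout_drift(active_text, standby_text, threshold=60):
    """Return (key, active_left, standby_left) for connections that are missing
    on the Standby (standby_left is None) or expire there more than
    `threshold` seconds earlier than on the Active. The threshold is an
    assumed value for this example."""
    active = parse_conntab(active_text)
    standby = parse_conntab(standby_text)
    findings = []
    for key, a_left in sorted(active.items()):
        s_left = standby.get(key)
        if s_left is None or a_left - s_left > threshold:
            findings.append((key, a_left, s_left))
    return findings

if __name__ == "__main__":
    for (sip, sport, dip, dport, proto), a_left, s_left in timeout_drift(
            ACTIVE_SAMPLE, STANDBY_SAMPLE):
        print(f"{proto} {sip}:{sport} -> {dip}:{dport} "
              f"active={a_left}s standby={s_left}s")
```

Capture both outputs as close together in time as possible, since the remaining timeout counts down between the two runs.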

Cause

Some synchronization packets may not be handled correctly.

For example, a 'refresh timeout' packet, which should refresh the control connection timeout of the session, may not be handled correctly. This may lead the Standby member to remove the connection and notify the Active member to close it as well.

