Appliance with enabled IPv6 and 40 FW instances may stop responding on boot
Symptoms
  • After an upgrade to R80.40 Jumbo Hotfix Takes 91/93, an appliance running in Kernel mode with IPv6 enabled and 40 FW instances may stop responding on boot and enter maintenance mode.

  • These errors show on the appliance console during boot:
    "CKP: Loading FW-1 IPv4 Instance 35: insmod: error inserting '/etc/fw.boot/modules/fw_kern_64_3_10_64.o': -1 Cannot allocate memory"

  • These errors show on the appliance console during boot:
    "netns: internal error, please report a bug!failed to set nsid ... CKP: Loading FW-1 IPv4 Instance 13: [ OK ] INIT: Sending processes the TERM signal Removing all namespaces: netns: A number is expected. NIT: Sending processes the KILL signal"

  • Running dmesg in the "sh-4.4#" shell shows: "[ 36.998738] insmod: page allocation failure: order:0, mode:0xd2"
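
One way to check a saved console or dmesg capture for these symptoms, as an added example that is not Check Point tooling. The message patterns come from the errors quoted above; the function names and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Triage a saved boot console / dmesg capture for the symptoms listed above.

# Print "<family> <instance>" for every FW instance whose module load
# failed with "Cannot allocate memory", e.g. "IPv4 35".
failed_instances() {
    sed -n 's/.*CKP: Loading FW-1 \(IPv[46]\) Instance \([0-9][0-9]*\): insmod: error inserting .*Cannot allocate memory.*/\1 \2/p' "$1"
}

# Count kernel "page allocation failure" records raised by insmod.
# grep -c exits non-zero on zero matches, so mask the status.
alloc_failures() {
    grep -c 'insmod: page allocation failure' "$1" || true
}

# Return 0 and print a summary if either indicator is present in the capture.
triage() {
    inst=$(failed_instances "$1" | head -n 1)
    fails=$(alloc_failures "$1")
    if [ -n "$inst" ] || [ "$fails" -gt 0 ]; then
        echo "match: first failed instance='${inst:-none}', insmod alloc failures=$fails"
        return 0
    fi
    echo "no match"
    return 1
}

# Constructed sample capture built from the message formats in this article.
write_sample() {
    cat > "$1" <<'EOF'
CKP: Loading FW-1 IPv4 Instance 34: [ OK ]
CKP: Loading FW-1 IPv4 Instance 35: insmod: error inserting '/etc/fw.boot/modules/fw_kern_64_3_10_64.o': -1 Cannot allocate memory
[   36.998738] insmod: page allocation failure: order:0, mode:0xd2
EOF
}

# Stand-alone use: pass the path of a capture file as the first argument.
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

The first failed instance number shows how many instances were loaded before the module load failed.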
Cause
  • When running in Kernel mode, the firewall instances are loaded into the driver (when running as USFW, each instance is a dynamically loaded library).
  • There are only 2GB of memory available for loading drivers, and at least 500M is used by the OS.
    The 2G is shared by all loaded drivers, including SecureXL (4 and 6) and FW (4 and 6 per instance).
  • The issue occurs when the device reaches the maximum size (2G). This results in a memory allocation failure that causes the OS to revert to init mode 1.

Contributing factors triggering the issue:
  • Non-VSX Firewall operating in Kernel mode.
  • High instance count (32, 36, etc.).
  • IPv6 is enabled, which means additional firewall instances and the SIM module are loaded.


Solution
Note: To view this solution you need to Sign In.