4 Replies Latest reply on Jan 6, 2010 6:39 PM by orionweb

    560 V 4.0.5 reboots

    JohnsIsland

      Hello,

       

      560 with 4.0.5 is experiencing reboots,

       

      syslog shows

       

      can not start crypto helper: failed to find any available worker
      2009-12-31 09:37:41 System0.Warning x.x.x.x Dec 31 09:37:50 yyy pluto[338]: "w2z" #5: message in state STATE_AGGR_R0 ignored due to cryptographic overload

       

      Is this error message connected with the reboots?

       

      Thanks,

       

      Jeff

        • 1. Re: 560 V 4.0.5 reboots
          JohnsIsland

          I am also seeing

           

          kernel: nf_conntrack: table full, dropping packet

           

          Googling this error seems to indicate it might be wise to change the table size.  Does anyone have some words of wisdom on this?

           

          Thanks,

           

          Jeff

          • 2. Re: 560 V 4.0.5 reboots

            pluto is a user space daemon used for the key-exchange portion of the IPsec protocol. Linux should protect you from it causing reboots.

             

            Cryptographic overload, though, is badness nonetheless. Combined with conntrack table overflows, it looks like you have an 'out of memory' problem.

             

            It's not just a question of sizing up the connection tracking table - we set that to about as big as the system can handle memory wise already anyway.

             

            Best bet is to take a TSR and hand it to support so we can have a look at what is causing this condition and advise you on what to do about it from there. As an example, one can suck up quite a bit of RAM by using a few PPTP tunnels, which are way more memory hungry than, say, IPsec tunnels.

             

            Regards

            tom

            • 3. Re: 560 V 4.0.5 reboots

              This entry in the TSR tells you the current number of connections

               

              FILE:/proc/sys/net/ipv4/netfilter/ip_conntrack_count

              If this is abnormally high, you are likely to have an internal network issue. If this is the case it needs to be fixed rather than working around the issue on the UTM device.

              the current max is shown in

              FILE:/proc/sys/net/ipv4/netfilter/ip_conntrack_max
              32768

              default for the 565 is 32768


              If count is as expected you need to increase it under

              System -> System Setup -> Memory Allocation -> Connection Tracking

              this will increase the above file max value accordingly if required.
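
The count-versus-max comparison described in reply 3, as an added example that is not part of the original thread or the vendor's tooling. The function names, the 80% warning threshold, the optional directory argument and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports how full the conntrack table is
# using the two counters named in the reply above.

# conntrack_usage [DIR] -> prints "count max percent"
# DIR defaults to the path quoted in the thread; a different directory can be
# given to read saved copies of the two files (assumed layout).
conntrack_usage() {
    dir=${1:-/proc/sys/net/ipv4/netfilter}
    count_file=$dir/ip_conntrack_count
    max_file=$dir/ip_conntrack_max
    [ -r "$count_file" ] && [ -r "$max_file" ] || {
        echo "conntrack counters not readable in $dir" >&2
        return 2
    }
    # Keep digits only so stray whitespace cannot break the arithmetic.
    count=$(tr -cd '0-9' < "$count_file")
    max=$(tr -cd '0-9' < "$max_file")
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || {
        echo "unexpected counter contents in $dir" >&2
        return 2
    }
    echo "$count $max $((count * 100 / max))"
}

# conntrack_check [DIR] [WARN_PERCENT]
# Returns 0 below the threshold, 1 at or above it, 2 if counters are unreadable.
conntrack_check() {
    warn=${2:-80}   # assumed default threshold, not a vendor value
    usage=$(conntrack_usage "$1") || return 2
    pct=${usage##* }
    if [ "$pct" -ge "$warn" ]; then
        echo "WARN conntrack table ${pct}% full (count max pct: $usage)"
        return 1
    fi
    echo "OK conntrack table ${pct}% full (count max pct: $usage)"
}

# Constructed sample values (not taken from the poster's system):
# 31000 tracked connections against the 32768 maximum quoted above.
demo=$(mktemp -d)
echo 31000 > "$demo/ip_conntrack_count"
echo 32768 > "$demo/ip_conntrack_max"
conntrack_check "$demo" 80 || true
rm -rf "$demo"
```

A result near 100% alongside the `table full, dropping packet` kernel message means the table is exhausted; as the reply says, an abnormally high count is a reason to look at the internal network before raising the maximum.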
              • 4. Re: 560 V 4.0.5 reboots

                Talking about PPTP, one issue I had when upgrading from 3 to 4 was that all the PPTP account passwords and settings had to be reset before they would work, as the passwords did not come across during migration (the password was blanked out, I believe). Could there be other settings that are still hanging around (incorrectly) causing the issue?