[j-nsp] DFW_PFE out of memory errors

Kevin Day toasty at dragondata.com
Thu Jul 6 02:09:33 EDT 2006


Has anyone seen anything like this:

Jul  6 00:48:36  core1-chi mgd[4366]: UI_COMMIT: User 'admin' performed commit: no comment
Jul  6 00:48:50  core1-chi /kernel:
Jul  6 00:48:50  core1-chi /kernel: DFW_PFE: add/change for filter fw-to-lan failed due to lack of memory space.
Jul  6 00:48:50  core1-chi ssb DFW: firewall addition failed (No memory)
Jul  6 00:48:50  core1-chi ssb DFW: jtree cutover failed (memory allocation failure) for filter (1) change!


admin at core1-chi# show firewall |match "term" |count
Count: 249 lines

SSB status:
Slot 0 information:
   State                                 Master
   Temperature                        40 degrees C / 104 degrees F
   CPU utilization                     7 percent
   Interrupt utilization               0 percent
   Heap utilization                   78 percent
   Buffer utilization                 52 percent
   Total CPU DRAM                     64 MB
   Internet Processor II                 Version 1, Foundry IBM, Part number 9
   Start time:                           2006-07-05 16:40:10 CDT
   Uptime:                              8 hours, 18 minutes, 59 seconds



I seem to have hit some limit in my firewall config - I have 249 active terms right now. If I add 1 or 2 more, I get the above message. Once I pass 250, either my commit has no effect, or it silently turns some of my firewall rules into "accept", which is kinda scary. Is there a limit of 250 terms that I'm missing somewhere? Which memory am I exceeding? Is there any way to boost this up any, or is it a hard limit?


Failing that, is there an accounting system that can do things more efficiently than:

         term inhost160 {
             from {
                 destination-address {
                     xx.xx.xx.160/32;
                 }
             }
             then {
                 count inhost160;
                 accept;
             }
         }
         term inhost161 {
             from {
                 destination-address {
                     xx.xx.xx.161/32;
                 }
             }
             then {
                 count inhost161;
                 accept;
             }
         }


to generate counters for every IP passing through within a certain range? I only need to monitor about a /27 worth, but we need to track in/out on each IP. Or any way to make that more memory efficient?

We're doing too much traffic for the RE to handle any decent percentage of traffic for generating netflow records, and an AS or MS PIC is a bit out of our budget.
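The per-host accounting pattern in the post, one count-and-accept term per /32, is easy to generate and easy to run into the term ceiling the poster observed. The script below is an added example, not code from the original post or from Juniper: it emits the inbound and outbound count terms for a /27 in the same Junos syntax the post shows, adds the trailing accept term a filter needs so that other traffic is not silently discarded, checks the total against the roughly 250-term ceiling the poster hit (an observation, not a documented limit), and picks the failing filter name out of DFW_PFE log lines like the ones in the post. The network 192.0.2.160/27 and the filter and counter names are hypothetical.

```python
"""Per-host accounting terms for a Junos firewall filter, plus a check against
the term ceiling observed in the post.

Added example, not code from the original post.  It assumes only the term
syntax the post shows.  The network 192.0.2.160/27 and the filter and counter
names are hypothetical; the 250-term ceiling is the poster's observation on a
64 MB SSB, not a documented limit.
"""
import ipaddress
import re

# Commits in the post failed once the filter grew past about 250 terms.
# Platform-dependent and observed, not documented: tune it for your box.
OBSERVED_TERM_LIMIT = 250


def count_terms(network, match_field, name_prefix="host"):
    """Return (config_text, term_count): one count+accept term per /32.

    match_field is "destination-address" (traffic into the hosts) or
    "source-address" (traffic out of them).  Every address in the block is
    covered, including the first and last, since the post wants every IP.
    """
    net = ipaddress.ip_network(network, strict=True)
    terms = []
    for host in net:
        name = "%s%s" % (name_prefix, str(host).rsplit(".", 1)[-1])
        terms.append(
            "    term %s {\n"
            "        from {\n"
            "            %s {\n"
            "                %s/32;\n"
            "            }\n"
            "        }\n"
            "        then {\n"
            "            count %s;\n"
            "            accept;\n"
            "        }\n"
            "    }\n" % (name, match_field, host, name)
        )
    return "".join(terms), len(terms)


def build_filter(filter_name, network, match_field, name_prefix="host"):
    """Wrap the per-host terms in a filter stanza with a final accept term.

    A Junos filter discards anything no term accepts, so the trailing accept
    matters when the interface also carries traffic for other addresses.
    Returns (config_text, term_count) with the extra term included.
    """
    body, n = count_terms(network, match_field, name_prefix)
    text = (
        "filter %s {\n%s"
        "    term other {\n"
        "        then accept;\n"
        "    }\n"
        "}\n" % (filter_name, body)
    )
    return text, n + 1


def fits_observed_limit(existing_terms, new_terms, limit=OBSERVED_TERM_LIMIT):
    """True if adding new_terms to existing_terms stays within the ceiling."""
    return existing_terms + new_terms <= limit


# Pattern for the kernel message in the post; the filter name is captured.
DFW_NOMEM = re.compile(
    r"DFW_PFE: add/change for filter (\S+) failed due to lack of memory space")


def filters_that_failed(log_lines):
    """Names of filters whose PFE install failed for lack of memory."""
    return [m.group(1) for m in map(DFW_NOMEM.search, log_lines) if m]


# Sample log lines rebuilt from the post (not a fresh capture).
SAMPLE_LOG = [
    "Jul  6 00:48:36  core1-chi mgd[4366]: UI_COMMIT: User 'admin' performed commit: no comment",
    "Jul  6 00:48:50  core1-chi /kernel: DFW_PFE: add/change for filter fw-to-lan failed due to lack of memory space.",
    "Jul  6 00:48:50  core1-chi ssb DFW: firewall addition failed (No memory)",
]


if __name__ == "__main__":
    inbound, n_in = build_filter("count-in", "192.0.2.160/27",
                                 "destination-address", "inhost")
    outbound, n_out = build_filter("count-out", "192.0.2.160/27",
                                   "source-address", "outhost")
    print(inbound)
    print(outbound)
    print("terms needed: %d, fits observed limit: %s"
          % (n_in + n_out, fits_observed_limit(0, n_in + n_out)))
    print("filters that failed in log:", filters_that_failed(SAMPLE_LOG))
```

A /27 in both directions costs 64 count terms plus the two trailing accepts, so on its own it fits under the observed ceiling; the check is worth running against the term count of whatever is already on the box (the `show firewall | match term | count` number from the post) before committing, since the post reports that an over-full filter can fail silently rather than reject the commit.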