[j-nsp] DFW_PFE out of memory errors
Kevin Day
toasty at dragondata.com
Sun Jul 9 16:01:58 EDT 2006

On Jul 9, 2006, at 7:47 AM, Josef Buchsteiner wrote:
> The root of the problem is not the firewall filter but the shortage of
> SRAM memory on the IPII. You have a board which is using 8M of SRAM
> and this space is used for all routes, firewall filter, policers,
> next-hops and so on... It happens that you are so close to the limit
> that by changing a fw filter you hit the boundary already. Enhanced SSBs
> have 256 on CPU memory (4 times higher) and 16MB of IPII SRAM
> (double).
>
> Josef

Yeah, since I last posted, I did a bit more digging, and found this:

SSB0(core1-chi vty)# show filter memory
Instance 0
-----------
Index  Byte used  Name
-----  ---------  ----
    1    1836632  fw-to-lan (0x2c8b5b0)
    2          4  fw-to-wan (0xea2bc4)
    2          8  fw-to-wan (0xeae234)
    2          8  fw-to-wan (0xeaaf54)
    2          8  fw-to-wan (0x1f923c8)
    2          8  fw-to-wan (0xed9498)
    3       2812  lan-to-fw (0xd907cc)
    4        992  re-protect (0xcf95c0)
    5         40  rpf-fail (0xeacaa0)
    5         40  rpf-fail (0xe9b874)
    5         40  rpf-fail (0xeaad28)
    5         40  rpf-fail (0xeae008)
    6       2192  wan-to-fw (0xea29b0)
    6       2192  wan-to-fw (0xe9a708)
17000         24  __default_arp_policer__ (0xd8efec)
17001         24  300m-limit-ge-0/1/0.0-inet-o (0x2c95ea8)
17002         24  bbb-out-ge-0/3/0.242-inet-o (0xeaae48)
17003         24  300m-limit-ge-1/0/0.0-inet-o (0xebe698)
17004         24  100m-limit-ge-1/1/0.106-inet-o (0xeae128)

There's no way that the "fw-to-lan" rule is sucking that much memory,
it's one of the simpler rules on the system.

I know logging into the ssb is totally unsupported, but... is that
accurate? It *is* always that filter rule that it's complaining it
doesn't have enough memory for (never any others), but it's really
too simple for it to be anywhere near that size.
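
The listing above can be totalled per filter to see how lopsided it is. The following is an added example, not part of the original post or any Juniper tooling: the function names are hypothetical, and the 8 MiB budget assumes that "8M" in the quoted reply means 8 MiB and that these byte counts draw on that SRAM pool, which the thread does not confirm.

```python
import re
from collections import defaultdict

# Data rows copied from the `show filter memory` output in the post above.
SAMPLE = """\
1 1836632 fw-to-lan (0x2c8b5b0)
2 4 fw-to-wan (0xea2bc4)
2 8 fw-to-wan (0xeae234)
2 8 fw-to-wan (0xeaaf54)
2 8 fw-to-wan (0x1f923c8)
2 8 fw-to-wan (0xed9498)
3 2812 lan-to-fw (0xd907cc)
4 992 re-protect (0xcf95c0)
5 40 rpf-fail (0xeacaa0)
5 40 rpf-fail (0xe9b874)
5 40 rpf-fail (0xeaad28)
5 40 rpf-fail (0xeae008)
6 2192 wan-to-fw (0xea29b0)
6 2192 wan-to-fw (0xe9a708)
17000 24 __default_arp_policer__ (0xd8efec)
17001 24 300m-limit-ge-0/1/0.0-inet-o (0x2c95ea8)
17002 24 bbb-out-ge-0/3/0.242-inet-o (0xeaae48)
17003 24 300m-limit-ge-1/0/0.0-inet-o (0xebe698)
17004 24 100m-limit-ge-1/1/0.106-inet-o (0xeae128)
"""

# Data rows look like: <index> <bytes> <name> (<hex address>)
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")

def parse_filter_memory(text):
    """Sum bytes per filter name; returns {name: (total_bytes, instances)}."""
    usage = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # prompt, banner, header and separator lines do not match
            usage[m.group(2)][0] += int(m.group(1))
            usage[m.group(2)][1] += 1
    return {name: tuple(v) for name, v in usage.items()}

def shares(usage, budget_bytes):
    """Return (total, rows), largest first; each row is
    (name, instances, bytes, share of listed total, share of budget)."""
    total = sum(b for b, _ in usage.values())
    div = total or 1  # avoid dividing by zero on empty input
    rows = [(n, i, b, b / div, b / budget_bytes) for n, (b, i) in usage.items()]
    return total, sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    # Assumed budget: 8 MiB, from the "8M of SRAM" in the quoted reply.
    total, rows = shares(parse_filter_memory(SAMPLE), 8 * 1024 * 1024)
    for name, inst, b, of_total, of_budget in rows:
        print(f"{name:32} x{inst} {b:>9} {of_total:7.2%} {of_budget:7.2%}")
```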