Log Files: FAQ

The following sections display messages and issues that you may encounter for common processes that are handled by the Barracuda CloudGen Firewall or Firewall Control Center. In this list, search for your message or issue to determine its possible cause and solution.

Log File Messages

Max. workers (30) limit hit

  • Issue: Clients receive ICAP errors and the CloudGen Firewall Virus Scanner Service reports the following message in the cas-log:
    Max. workers (30) limit hit 

  • Reason: The CloudGen Firewall Antivirus service has a predefined worker limit of 30 scanner instances that can be launched to handle requests. If 30 worker processes are used and an additional scan request should be processed, the Antivirus service blocks this request and an ICAP error is displayed at the client.

  • Solution: Configure the Max. Num Workers setting according to your requirements. For more information, see How to Enable the Virus Scanner.

Unresolvable clock skew detected 

  • Issue: After system reboot, a time inconsistency occurs. The following error messages are recorded in the dstatm log file: Error *** Unresolvable clock skew detected *** (last run 1066262400, today 1280707200) Error Main stopped.

  • Reason: The system time on the Control Center does not match with the time of the last statistics collection.

  • Solution: Reset the timestamp in the header of the dstatm.db file. For more information, see the "System Reboot" section of Best Practice - How to Handle Incorrect Time Settings.

quantum of class [n] is big 

  • Issue: In the Log > Box > System > klogd.log file, messages similar to the following are reported:
    Info +0200 kernel: HTB: quantum of class 2740004 is big. Consider r2q change

  • Reason: These log messages are associated with the Traffic Shaping configuration. They are generated by the kernel when traffic shaping has been configured for high outbound/inbound bandwidth utilization.

  • Solution: This message is informational and does not report a malfunction. It may be ignored.

'Size limit exceeded' reported while retrieving CRLs

  • Issue: While retrieving a CRL of a root certificate in the VPN server, the CRL update does not work and the following message is displayed in the Log > Servicename vpnserver.log file:
    Error +0200 CRL Destination path on LDAP-Server ldap.server.com for yourcertname not found (Size limit exceeded).

  • Reason: Some LDAP servers use a maxHits limit to protect the server from long search requests. If this limit is reached, the Size limit exceeded error occurs. The likely cause is the global search string "?cn=*" at the end of the CRL path configured for the certificate: ou=VPNROOT,o=TEST,c=COM?cn=*

  • Solution: Enter your certificate name for the global search setting to limit the search request: ou=VPNROOT,o=TEST,c=COM?cn=VPNROOT

'cannot get exclusive lock' reported in /var/lib/rpm/Packages

  • Issue: A hotfix or patch installation that is executed from the Control > Firmware Update page for a Control Center-administered system fails. The following error message is written to the system log file: error: cannot get exclusive lock on /var/lib/rpm/Packages

  • Reason: Exclusive access to the /var/lib/rpm/Packages file is required by the phionRelCheck tool that is responsible for version control of RPM packages and is executed on a regular basis at 2:30 AM (based on local system time), when a system is rebooted and after a software update. The time that is required by the phionRelCheck tool to complete its task depends on system performance. On a high-performance system, 15 seconds might be sufficient. On a low-performance system, up to 10 minutes may be required. The error message indicates that phionRelCheck is already running, so the /var/lib/rpm/Packages file is locked and prevents the software update procedure from locking the file itself.

  • Solution: Before commencing a software update, make sure that phionRelCheck is not running. When active, the phionRelCheck process is listed on the Control > Processes page for the respective system.

'cannot create ktina socket' reported in fatal.log

  • Issue: The VPN service does not start anymore and the Log > fatal.log displays the following error message:
    Fatal Exit: Cannot create ktina socket: Address family not supported by protocol

  • Reason: This error occurs only on single-CPU hardware, which always uses the 32-bit architecture, when the Max. Session Slots value of the firewall has been increased above the default of 65536. In this case the acpf (firewall kernel module) allocates too much kernel memory and the ktina (VPN kernel module) does not have enough free kernel memory available. This does not happen on multi-CPU hardware with 64-bit architecture.

  • Solution: Check the Box > Infrastructure Services > General Firewall Configuration > Global Limits > Max. Session Slots value and decrease it at least to the default value of 65536. After a reboot of the box, the VPN service will start normally.

'Unexpected EOF while reading body' and 'Broken pipe' reported in the cas.log

  • Issue: These messages are reported in the Log > Servicename cas.log file:
    Warning +0100 Error in request from 127.0.0.1:17874: Unexpected EOF while reading body
    Warning +0100 Error in request from 127.0.0.1:14378: Unexpected EOF while reading body
    Warning +0100 Error in connection with 127.0.0.1:4315: Broken pipe
    Warning +0100 Error in connection with 127.0.0.1:1380: Broken pipe

  • Reason: These messages are displayed when a user closes the browser while a website is loading.

  • Solution: These messages are not warnings. They just notify you that a client has unexpectedly closed the connection.

kernel: 'dst cache overflow' reported in klogd.log

  • Issue: In the Log > Box > System > klogd.log file, log messages similar to the following are reported:
    2009 07 19 10:41:14 Info kernel: dst cache overflow

  • Reason: The message is related to the state of the routing cache. It is recorded as soon as the routing cache empties itself due to a content overflow. The cache then builds up anew.

  • Solution: By default, a maximum of 32768 entries are assigned to the routing cache. To avoid frequent kernel: dst cache overflow notifications, this value may be increased. The setting is located in Config > Box > Advanced Configuration > System Settings > Routing Settings > Max Routing Cache Entries.

kernel: 'DriveStatusError BadCRC' reported in klogd.log

  • Issue: Sometimes, especially on phionOS startup, the following lines are displayed in klogd:
    hdc: dma_intr: error=0x84 { DriveStatusError BadCRC }
    hdc: dma_intr: status=0x51 { DriveReady SeekComplete Error }
    hdc: dma_intr: error=0x84 { DriveStatusError BadCRC }
    hdc: dma_intr: status=0x51 { DriveReady SeekComplete Error }

  • Reason: This line is either related to the speed supported by the hard disk or may also occur after an IDE reset.

  • Solution: Ignore these harmless lines on CloudGen Firewall OS startup and after an IDE BUS reset.

'ACPF clock' reported in klogd.log

  • Issue: This message is reported in the Log > Box > System > klogd.log file: 
    ACPF: clock changed by -1 seconds

  • Reason: This message is generated by the ACPF module to keep the FW Audit log (available since 4.2.0) consistent. The switch between standard and daylight saving time can cause time inconsistencies; the ACPF module, which uses jiffies as its time base, automatically corrects such divergences and logs the correction in the klogd.log file.

  • Solution: The message is standard information from the ACPF. No further investigation is required.

'device [x] entered promiscuous mode' reported in klogd.log

  • Issue: In the Log > Box > System > klogd.log file, log messages similar to the following are displayed:
    Info +0200 kernel: device eth6 entered promiscuous mode

  • Reason: The messages are associated with tcpdump (network sniffing tool) execution. A device changes to promiscuous mode every time tcpdump is executed.

  • Solution: The messages are purely informational and do not report a malfunction.

'TCP Packet Belongs to no Active Session' reported in the firewall access cache

  • Issue: This message is reported in the firewall access cache (displayed only if the "drop" cache is activated):
    TCP Packet Belongs to no Active Session

  • Reason: This message can originate from issues related to unscheduled session termination or to frequent TCP packets that cannot be allotted to an active session.

  • Solution: Follow these steps to solve the issue:

    1. Increase the Session Timeout value in the Service Entry Parameters window (default: 86400) in Config > Box > Affected Services > Servicename Forwarding Rules > Service Objects. For more information, see How to Create Service Objects.

    2. Increase the Last ACK Timeout (s) value in the Advanced Settings window (default: 10) in Config > Box > Affected Services > Servicename Forwarding Rules > Rule Configuration.

'Neighbour table overflow' reported in klogd.log

  • Issue: In the Log > Box > System > klogd.log file, log messages similar to the following are displayed:
    Info Neighbour table overflow

  • Reason: This message is related to the state of the ARP cache. It is recorded when the ARP cache empties itself due to a content overflow. The cache then builds up anew.

  • Solution: By default, a maximum of 1024 entries are assigned to the ARP cache. To avoid frequent Neighbour table overflow notifications, increase this value. The setting is located in Config > Box > Advanced Configuration > System Settings > ARP Settings > ARP Cache Size.

'Too many queued ntlmauthenticator requests' reported in cache.log

  • Issue: The proxy service crashes with a similar line in Log > Servicename cache.log:
    Error: Too many queued ntlmauthenticator requests (<X> on <Y>)

  • Reason: Your configuration allows squid to use only <Y> authenticator requests. At the moment <X> authenticator requests are queued.

  • Solution: Configure your settings according to your network size. Go to Config > Box > Assigned Services > Servicename HTTP Proxy Settings > Access Control > Authentication Settings and increase the configured number of Authentication Workers until your proxy runs stably.

'PAYLOAD_MALFORMED', 'INVALID_PAYLOAD_TYPE', 'INVALID_COOKIE' reported in ike.log

  • Issue: These messages are reported in the Log > Servicename ike.log file:
    dropped message from x.x.x.x port 500 due to notification type PAYLOAD_MALFORMED
    dropped message from x.x.x.x port 500 due to notification type INVALID_PAYLOAD_TYPE
    dropped message from x.x.x.x port 500 due to notification type INVALID_COOKIE

  • Reasons

    • The following errors indicate that the preshared-key does not match on the two peers: 
      dropped message from x.x.x.x port 500 due to notification type PAYLOAD_MALFORMED
      and 
      dropped message from x.x.x.x port 500 due to notification type INVALID_PAYLOAD_TYPE
      As a result, the encrypted fifth main-mode packet will be "incorrectly" decrypted, or decrypted with another key.

    • The following error indicates that the configuration of Phase1 or Phase2 does not match between both peers: 
      dropped message from x.x.x.x port 500 due to notification type INVALID_COOKIE

  • Solutions

    • If the issue is related to preshared keys, change or renew the keys in your VPN configuration. For more information, see VPN.

    • If the issue is related to Phase 1 / Phase 2 configuration, check the settings for your VPN tunnel. For more information, see VPN.

'Disk space over limit' reported in the proxy cache.log

  • Issue: These messages are reported in the Log > Servicename cache.log file:
    WARNING: Disk space over limit: 184624 KB > 102400 KB
    WARNING: Disk space over limit: 174576 KB > 102400 KB
    WARNING: Disk space over limit: 163982 KB > 102400 KB
    WARNING: 1 swapin MD5 mismatches

  • Reason: This problem may occur if the swap.state file has been corrupted, often as a result of a power failure or other uncontrolled system restart that corrupts the file system. Note that this issue does not affect the operation of the proxy service itself.

  • Solution: Follow these steps to solve the issue:

    1. Block the proxy service on the Control > Service page.

    2. Delete the swap.state file. At the command line, enter: rm /phion0/cache/squid-cache_<servername>_<servicename>/swap.state

    3. Start the proxy service on the Control > Service page.

'Size limit exceeded' reported in the phibs.log

  • Issue: These messages are reported in the Log > Box > Control > phibs.log file:
    MSAD-Offline-Groups Search for groups on x.x.x.x failed (Size limit exceeded) (bad Active-Directory-configuration?). MSAD-group sync failed.

  • Reason: These messages occur if the synced authentication group is too large. To avoid DoS attacks, MSAD limits the size of its replies. Groups are synced from the BaseDN downward, and the reply for your configured BaseDN contains too much data, so Active Directory only answers with Size limit exceeded, which is logged in your phibs-log.

  • Solution: Set a more specific BaseDN to decrease the size of your group:

    • Example 1: Larger request size of groups:
      BaseDN = OU=de,DC=mydomain,DC=com

    • Example 2: Smaller request size of groups:
      BaseDN = OU=groups,OU=users,OU=de,DC=mydomain,DC=com

    • Alternatively, you can increase the maximum allowed request size for Active Directory (AD). Run Ntdsutil to edit the MaxPageSize setting for AD. By default, this setting is 1000, so an LDAP request must not return more than 1000 results.

MailGW HA-Sync error 'filename too long'

  • Issue: In the MailGW log, the following error lines are logged: 
    HA-SYNC (11646) (2) CDiPacket::Send() (2) CReqPacket::Code(): filename too long

  • Reason: There is an email in your queue with an attached file whose name is longer than XX characters.

  • Solution: Search for the spoolID that caused the error in your CloudGen Firewall Mail Gateway interface and delete it.

'csum failure' reported in klogd.log

  • Issue: The following error message is reported in the Log > Box > System > klogd.log file: 
    Info kernel: udp v4 hw csum failure<notice lines>

  • Reason: The network interface card is either receiving corrupt data on the Ethernet level or the network interface card driver is generating errors during checksum calculation.

  • Solution: This error has no harmful effect. If faulty checksum calculation is the cause, deactivating HW checksumming stops the message recording. Whether HW checksumming can be deactivated depends on the options of the available network interface card driver.

    • Example 1: Deactivation of HW checksumming for the e1000 driver: Option: XsumRX=0 (0=off, 1=on)

    • Example 2: Deactivation of HW checksumming for the e100 driver works exactly the same way: Option: XsumRX=0 (0=off, 1=on)
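The klogd.log entries on this page ('quantum of class', 'dst cache overflow', 'DriveStatusError BadCRC', 'ACPF clock', 'promiscuous mode', 'Neighbour table overflow' and 'csum failure') separate into purely informational messages and cache-overflow messages that only warrant a configuration change when they recur frequently. As an added example that is not part of the Barracuda documentation, the Python triage script below applies those entries to constructed sample log lines, counts each known message, and flags the two overflow messages only when they exceed a recurrence threshold; the regular expressions, the threshold and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample klogd.log excerpt modelled on the messages quoted in the FAQ.
SAMPLE_KLOGD = """\
2009 07 19 10:41:14 Info kernel: dst cache overflow
2009 07 19 10:41:20 Info kernel: dst cache overflow
2009 07 19 10:42:01 Info +0200 kernel: HTB: quantum of class 2740004 is big. Consider r2q change
2009 07 19 10:43:09 Info +0200 kernel: device eth6 entered promiscuous mode
2009 07 19 10:45:00 Info Neighbour table overflow
2009 07 19 10:45:02 Info Neighbour table overflow
2009 07 19 10:45:03 Info Neighbour table overflow
2009 07 19 10:50:11 Info kernel: ACPF: clock changed by -1 seconds
2009 07 19 10:51:00 Info kernel: udp v4 hw csum failure
2009 07 19 10:52:00 Info kernel: hdc: dma_intr: error=0x84 { DriveStatusError BadCRC }
"""

# Assumed patterns; each maps to the FAQ advice for that message.
RULES = [
    (re.compile(r"dst cache overflow"), "dst_cache_overflow",
     "Routing cache overflowed; if frequent, raise Max Routing Cache Entries (default 32768)."),
    (re.compile(r"Neighbour table overflow"), "neighbour_table_overflow",
     "ARP cache overflowed; if frequent, raise ARP Cache Size (default 1024)."),
    (re.compile(r"HTB: quantum of class \d+ is big"), "htb_quantum",
     "Traffic-shaping notice; informational, ignore."),
    (re.compile(r"device \S+ entered promiscuous mode"), "promiscuous",
     "tcpdump was run on the interface; informational."),
    (re.compile(r"ACPF: clock changed by -?\d+ seconds"), "acpf_clock",
     "ACPF corrected a clock divergence for the FW Audit log; informational."),
    (re.compile(r"hw csum failure"), "hw_csum",
     "NIC or driver checksum errors; harmless, optionally set XsumRX=0."),
    (re.compile(r"DriveStatusError BadCRC"), "bad_crc",
     "Seen at startup or after an IDE reset; harmless."),
]
# Only these two become actionable when they recur; everything else is informational.
OVERFLOW_KEYS = {"dst_cache_overflow", "neighbour_table_overflow"}

def classify(line):
    """Return (key, advice) for a known klogd line, or None for an unknown one."""
    for rx, key, advice in RULES:
        if rx.search(line):
            return key, advice
    return None

def triage(log_text, overflow_threshold=2):
    """Count known messages; return (counts, actionable overflow keys with counts)."""
    counts = Counter(hit[0] for hit in map(classify, log_text.splitlines()) if hit)
    actionable = {k: n for k, n in counts.items()
                  if k in OVERFLOW_KEYS and n > overflow_threshold}
    return counts, actionable
```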

'Block Local Loop' reported in the firewall history

  • Issue: This message is reported in the firewall access cache (displayed only if the "drop" cache is activated): FWD eth0 10.0.0.100 10.0.0.1 TCP139 Block Local.