
Unexpected behavior and workaround after EX8200 reboot with overflowed firewall configuration


Article ID: KB29774   KB Last Updated: 04 Mar 2017   Version: 2.0
Summary:

This article describes an unexpected behavior observed on the EX8200 when it restarts with an overflowed firewall configuration. Normally, when firewall policies are over-configured (more rules than the TCAM can hold), scaling the policies back down restores the firewall function. However, if the chassis is rebooted before the firewall has been restored, the TCAM is unable to refresh, and a new commit with a scaled-down configuration does not take effect. This article explains how to restore the firewall function.

Symptoms:

When the firewall/CoS configuration is over-configured (exceeds the TCAM capacity), syslog messages similar to the following appear:

Dec 24 17:58:13.718 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(201) hw(611) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.719 2014 EX8208 /kernel: %CONSOLE-6: Dec 24 17:58:13.718 2014 EX8208 member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(201) hw(611) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.721 2014 EX8208 : %PFE-3: member0-fpc0 Error: Out of Space inst(4): space:rules = 380:449
Dec 24 17:58:13.722 2014 EX8208 : %PFE-3: member0-fpc0 Error: No space available in tcam for 449 rules, node(4379) dfw(UserBase)
Dec 24 17:58:13.724 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(202) hw(612) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.725 2014 EX8208 /kernel: %CONSOLE-6: Dec 24 17:58:13.724 2014 EX8208 member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(202) hw(612) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.727 2014 EX8208 : %PFE-3: member0-fpc0 Error: Out of Space inst(4): space:rules = 380:449
Dec 24 17:58:13.728 2014 EX8208 : %PFE-3: member0-fpc0 Error: No space available in tcam for 449 rules, node(4380) dfw(UserBase)
Dec 24 17:58:13.729 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(203) hw(613) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.730 2014 EX8208 /kernel: %CONSOLE-6: Dec 24 17:58:13.729 2014 EX8208 member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(203) hw(613) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.732 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(211) hw(1302) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.734 2014 EX8208 /kernel: %CONSOLE-6: Dec 24 17:58:13.732 2014 EX8208 member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(211) hw(1302) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.735 2014 EX8208 : %PFE-3: member0-fpc0 Error: Out of Space inst(4): space:rules = 380:449
Dec 24 17:58:13.737 2014 EX8208 : %PFE-3: member0-fpc0 Error: No space available in tcam for 449 rules, node(4389) dfw(UserBase)

Cause:

The syslog reports how many rules need to be installed and how much TCAM space is available (for example, "space:rules = 380:449" means 380 entries are free but 449 are needed). Each dfw_grph_merge_dfw_bind line represents the rules for one port, so roughly, the number of times the message repeats indicates the number of ports waiting for their rules to be installed. On those ports the filter is not enforced.

If the FPC or chassis reboots in that state, the firewall no longer functions.
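The following is an added example, not part of the Juniper article: a small Python parser that applies the reading above to the syslog lines quoted in the Symptoms section (embedded here as a constructed sample), reporting per FPC how many rules are needed, how much TCAM space is left, and how many ports are waiting, so that the over-configured state can be alerted on before any reboot. The regexes are written for the message formats shown on this page only; the field names and the alert wording are this example's own.

```python
import re

# Constructed sample: a subset of the overflow lines quoted in the article; the
# /kernel %CONSOLE-6 line is the console echo of the %PFE-0 line before it.
SAMPLE_SYSLOG = """\
Dec 24 17:58:13.718 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(201) hw(611) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.719 2014 EX8208 /kernel: %CONSOLE-6: Dec 24 17:58:13.718 2014 EX8208 member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(201) hw(611) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.721 2014 EX8208 : %PFE-3: member0-fpc0 Error: Out of Space inst(4): space:rules = 380:449
Dec 24 17:58:13.724 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(202) hw(612) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.729 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(203) hw(613) sw(0). no space in tcam db(pool 2)
Dec 24 17:58:13.732 2014 EX8208 : %PFE-0: member0-fpc0 dfw_grph_merge_dfw_bind: 449 rules for UserBase class IRACL will not be installed, key: l2(0) l3(0) irb(211) hw(1302) sw(0). no space in tcam db(pool 2)
"""

BIND_RE = re.compile(
    r"(?P<fpc>member\d+-fpc\d+) dfw_grph_merge_dfw_bind: (?P<rules>\d+) rules for "
    r"(?P<dfw>\S+) class (?P<cls>\S+) will not be installed, key: .*?"
    r"irb\((?P<irb>\d+)\) hw\((?P<hw>\d+)\).*?tcam db\(pool (?P<pool>\d+)\)")
SPACE_RE = re.compile(
    r"(?P<fpc>member\d+-fpc\d+) Error: Out of Space inst\(\d+\): "
    r"space:rules = (?P<space>\d+):(?P<rules>\d+)")

def _new_entry():
    return {"rules_needed": 0, "space_available": None, "pools": set(), "ports": set(), "filters": set()}

def summarize_tcam_overflow(syslog_text):
    # Per-FPC view: rules needed, TCAM space left, and the ports whose rules were not installed.
    # Ports are keyed by (irb, hw) so the console echo of a bind message is not counted twice.
    summary = {}
    for line in syslog_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            e = summary.setdefault(m["fpc"], _new_entry())
            e["rules_needed"] = max(e["rules_needed"], int(m["rules"]))
            e["pools"].add(int(m["pool"]))
            e["ports"].add((int(m["irb"]), int(m["hw"])))
            e["filters"].add((m["dfw"], m["cls"]))
            continue
        m = SPACE_RE.search(line)
        if m:
            summary.setdefault(m["fpc"], _new_entry())["space_available"] = int(m["space"])
    return summary

def overflow_alerts(summary):
    # One alert per FPC with pending ports: the filter is not enforced there, and a reboot in this state keeps it that way.
    return ["%s: %d port(s) waiting for %d rules, TCAM space left %s (pool %s), filters %s"
            % (fpc, len(e["ports"]), e["rules_needed"], e["space_available"],
               ",".join(map(str, sorted(e["pools"]))),
               ",".join("%s/%s" % f for f in sorted(e["filters"])))
            for fpc, e in sorted(summary.items()) if e["ports"]]
```

Run against the sample, this yields one alert for member0-fpc0 showing 4 ports waiting for 449 rules with 380 entries free in pool 2.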

Solution:

To restore the firewall function, follow one of the two workarounds below.

Option 1
   1. Remove all firewall blocks and delete filter under all interfaces.
   2. Commit.
   3. Load in scaled firewall setting and commit again.

Option 2
   1. Load in scaled firewall setting and commit.
   2. Restart the FPC or the chassis:
       request chassis fpc restart slot <slot>    ## repeat for every FPC that carries filter configuration
      Or
       restart chassis-control
