
[ACX] Changing the lo0 filter fails with "No resources for operation" and filter counters stop working

Article ID: KB32437   KB Last Updated: 23 Feb 2018   Version: 1.0
Summary:
The filter counters work fine until the last term of an active lo0 filter is changed. After the change to the active filter is committed, most of the counters stop incrementing and a "No resources for operation" error is logged. The issue is tied to the number of 'Used Counters' in the TCAM at the time of the change (see Cause).
 
Symptoms:
(Demonstration of the issue)
First, enter show firewall to review the filters and counters. At this point both the lo0 filter and its counters are working:
==================================================================================
labroot@jtac-ACX2100-r002> show firewall                                

Filter: RE_FILTER-lo0.0-i                                     
Counters:
Name                                                Bytes              Packets
count_LOG_OTHERS-lo0.0-i                          5097262                 9995
count_PERMIT_BFD-lo0.0-i                                0                    0
count_PERMIT_BGP-lo0.0-i                           408576                  798
count_PERMIT_FTP-lo0.0-i                          4698624                 9177
count_PERMIT_ICMP-lo0.0-i                               0                    0
count_PERMIT_LDP-lo0.0-i                          5709312                11151
count_PERMIT_LDP_ACK-lo0.0-i                            0                    0
count_PERMIT_MPLS_PING-lo0.0-i                          0                    0
count_PERMIT_NTP-lo0.0-i                                0                    0
count_PERMIT_PTP-lo0.0-i                                0                    0
count_PERMIT_RSVP-lo0.0-i                         3666432                 7161
count_PERMIT_SNMP-lo0.0-i                               0                    0
count_PERMIT_TACACS-lo0.0-i                       4992512                 9751
count_PERMIT_TELNET_SSH-lo0.0-i                     48684                  516
count_PERMIT_UDP_TRACEROUTE-lo0.0-i                     0                    0
Policers:
Name                                                Bytes              Packets
RE_POLICER_100K-DENY_LOG_OTHERS-lo0.0-i           9142626                18047
RE_POLICER_100K-PERMIT_ICMP-lo0.0-i                     0                    0
RE_POLICER_100K-PERMIT_MPLS_PING-lo0.0-i                0                    0
RE_POLICER_100K-PERMIT_NTP-lo0.0-i                      0                    0
RE_POLICER_100K-PERMIT_TACACS-lo0.0-i              744240                 1456
RE_POLICER_100K-PERMIT_TELNET_SSH-lo0.0-i               0                    0
RE_POLICER_100K-PERMIT_UDP_TRACEROUTE-lo0.0-i           0                    0
RE_POLICER_1M-PERMIT_FTP-lo0.0-i                        0                    0
RE_POLICER_1M-PERMIT_SNMP-lo0.0-i                       0                    0
Next, change the action of the last term from accept to discard (or from discard to accept) and commit:
==================================================================================
[edit firewall family inet filter RE_FILTER term DENY_LOG_OTHERS]
labroot@jtac-ACX2100-r002# show

then {
    policer RE_POLICER_100K;
    count count_LOG_OTHERS;
    log;
    accept;           <---Change this action 
}

labroot@jtac-ACX2100-r002# show | compare

[edit firewall family inet filter RE_FILTER term DENY_LOG_OTHERS then]
-  policer RE_POLICER_100K;
-  count count_LOG_OTHERS;
-  log;
-  accept;
+  policer RE_POLICER_100K;
+  count count_LOG_OTHERS;
+  log;
+  discard;

[edit firewall family inet filter RE_FILTER term DENY_LOG_OTHERS]
labroot@jtac-ACX2100-r002# commit and-quit

commit complete
Exiting configuration mode
Last, clear the firewall statistics and enter show firewall again. Notice that most of the counters no longer increment:
==================================================================================
labroot@jtac-ACX2100-r002> clear firewall all

labroot@jtac-ACX2100-r002> show firewall
Filter: RE_FILTER-lo0.0-i                                     
Counters:
Name                                                Bytes              Packets
count_LOG_OTHERS-lo0.0-i                           175445                  359
count_PERMIT_BFD-lo0.0-i                                0                    0
count_PERMIT_BGP-lo0.0-i                                0                    0
count_PERMIT_FTP-lo0.0-i                                0                    0
count_PERMIT_ICMP-lo0.0-i                               0                    0
count_PERMIT_LDP-lo0.0-i                                0                    0
count_PERMIT_LDP_ACK-lo0.0-i                            0                    0
count_PERMIT_MPLS_PING-lo0.0-i                          0                    0
count_PERMIT_NTP-lo0.0-i                                0                    0
count_PERMIT_PTP-lo0.0-i                                0                    0
count_PERMIT_RSVP-lo0.0-i                               0                    0
count_PERMIT_TACACS-lo0.0-i                             0                    0
count_PERMIT_TELNET_SSH-lo0.0-i                      1488                   18
count_PERMIT_UDP_TRACEROUTE-lo0.0-i                     0                    0
Policers:
Name                                                Bytes              Packets
RE_POLICER_100K-DENY_LOG_OTHERS-lo0.0-i             72520                  148
RE_POLICER_100K-PERMIT_ICMP-lo0.0-i                     0                    0
RE_POLICER_100K-PERMIT_MPLS_PING-lo0.0-i                0                    0
RE_POLICER_100K-PERMIT_NTP-lo0.0-i                      0                    0
RE_POLICER_100K-PERMIT_TACACS-lo0.0-i               26950                   55
RE_POLICER_100K-PERMIT_TELNET_SSH-lo0.0-i               0                    0
RE_POLICER_100K-PERMIT_UDP_TRACEROUTE-lo0.0-i           0                    0
RE_POLICER_1M-PERMIT_FTP-lo0.0-i                        0                    0
RE_POLICER_1M-PERMIT_SNMP-lo0.0-i                       0                    0
Additionally, the system logs "No resources for operation" in the messages log:
================================================================================
labroot@jtac-ACX2100-r002> show log messages
Jan 11 09:25:27 jtac-ACX2100-r002 clear-log[4445]: logfile cleared
Jan 11 09:25:37  jtac-ACX2100-r002 dfwinfo: tvptest:dfwi_counter_output policer_byte_count support 0
Jan 11 09:26:47  jtac-ACX2100-r002 last message repeated 26 times
Jan 11 09:28:38  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :failed to install entry 322 in unit 0
Jan 11 09:28:38  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :rv -14 error "No resources for operation"
Jan 11 09:28:38  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_rule_create :Could not install entry; unit: 0, entry: 322, group: 16
Jan 11 09:28:38  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_filter_create_exp :[-1] from acx_dfw_rule_create_exp term(DENY_LOG_OTHERS)
Jan 11 09:28:38  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :Status:-1: Tcam rule add failed(old_cnt:76 for hw instance 0x64e91b08 at filter index: 65537 of IFP_FOR_Lo0_FILTER
Jan 11 09:28:38  jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :is_filter_cleanup_done set to TRUE for dfw(RE_FILTER-lo0.0-i) type(IFP_FOR_Lo0_FILTER), new: dfw(RE_FILTER-lo0.0-i) type (IFP_FOR_Lo0_FILTER)
Jan 11 09:29:02  jtac-ACX2100-r002 dfwinfo: tvptest:dfwi_counter_output policer_byte_count support 0
Cause:
The DFW (dynamic firewall) module normally works in a 'make-before-break' model: when an active filter is modified, the new version is installed in the PFE while the original is still programmed. If there are not enough resources to install the new filter, the PFE (Packet Forwarding Engine) reports a resource error at runtime via the bcm SDK.

The original filter is then removed from the PFE completely, which is why the counters stop working.

TCAM usage before configuration change:
==================================================================================
App tcam usage:
----------------
App-Name              Entries Counters Policers Precedence  State
  Related-App-Name ..
-----------------------------------------------------------------
fw-ccc-in                  30       12        6          2     OK
  fw-semantics              0        X        X          1     OK
inet_skip_mpls              1        1        0          6     OK

Group: 8, Mode: SINGLE, Hw grps used: 1, Tcam apps: 1
               Used  Allocated  Available     Errors
Tcam-Entries     76        256        180          0
Counters        130        256        126          0
Policers          9       2048       2030          0

'Used Counters' is the resource that triggers the issue. When the filter is modified, 130 new counters are allocated for the new copy of the filter while the original 130 are still held, and the combined total exceeds the 256 counters available to the lo0 filter. As a result, the install fails and a filter cleanup removes the original filter.

If the total of used counters before the modification is 128 or less, the modification succeeds without any problem.
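As an added pre-change check (example code, not from the article or from Juniper), the snippet below parses the per-group resource block of the TCAM usage output shown above and applies the make-before-break rule from the Cause section: a second copy of the filter needs as many units of each resource as are already in use, so the change only fits while Used is at most Available. The sample block is constructed from the values in the article.

```python
import re

# Constructed sample input: the per-group resource block from the TCAM usage
# output in the article (130 of 256 counters used before the change).
SAMPLE_TCAM_USAGE = """\
Group: 8, Mode: SINGLE, Hw grps used: 1, Tcam apps: 1
               Used  Allocated  Available     Errors
Tcam-Entries     76        256        180          0
Counters        130        256        126          0
Policers          9       2048       2030          0
"""

ROW_RE = re.compile(
    r"^(Tcam-Entries|Counters|Policers)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_tcam_usage(text):
    """Parse the Used/Allocated/Available/Errors rows into a dict keyed by resource."""
    rows = {}
    for name, used, alloc, avail, errs in ROW_RE.findall(text):
        rows[name] = {"used": int(used), "allocated": int(alloc),
                      "available": int(avail), "errors": int(errs)}
    return rows


def make_before_break_check(rows):
    """Model the DFW make-before-break install described in the article: the
    modified filter is programmed as a second copy while the original is still
    present, so each resource needs at least 'used' more units available.
    Returns {resource: (fits, needed, available)}."""
    return {name: (r["used"] <= r["available"], r["used"], r["available"])
            for name, r in rows.items()}


def safe_to_modify(text):
    """Return (True, []) if every resource has room for a second copy,
    otherwise (False, [reasons]) naming the resources that would block it."""
    checks = make_before_break_check(parse_tcam_usage(text))
    blockers = [f"{n}: need {need}, only {avail} available"
                for n, (fits, need, avail) in checks.items() if not fits]
    return (not blockers, blockers)


if __name__ == "__main__":
    ok, why = safe_to_modify(SAMPLE_TCAM_USAGE)
    print("safe to modify lo0 filter:", ok)
    for reason in why:
        print("  blocked by", reason)
```

Run the check against the live resource block before committing a change to an active lo0 filter; if Counters is the blocker, use the deactivate/activate workaround from the Solution section instead of editing the filter in place.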
Solution:
Workaround: deactivate and then re-activate the lo0 filter. Remove the filter from lo0 and deactivate it, commit, then re-apply it to lo0 and activate it again, followed by a second commit to put it back into effect. Between the two commits the lo0 filter is not enforced, so keep that window short.
===================================================================
labroot@jtac-ACX2100-r002# show | compare
[edit interfaces lo0 unit 0 family inet]
-       filter {
-           input RE_FILTER;
-       }
[edit firewall family inet]
!      inactive: filter RE_FILTER { ... }

[edit]
labroot@jtac-ACX2100-r002# commit
commit complete

[edit]
labroot@jtac-ACX2100-r002# set interfaces lo0 unit 0 family inet filter input RE_FILTER

[edit]
labroot@jtac-ACX2100-r002# activate firewall family inet filter RE_FILTER