
Syslog message: fpc0 DFWE ERROR DFW: Cannot program filter TEST_FILTER (type IPACL) -TCAM has 0 free entries


Article ID: KB37019  KB Last Updated: 19 Nov 2021  Version: 2.0
Summary:

The following syslog message is seen and the filter is not working on QFX5100/QFX5110:

DFWE ERROR DFW: Cannot program filter TEST_FILTER (type IPACL) -TCAM has 0 free entries
Symptoms:

The following was reported:

fpc0 ERROR (dfw): No Space left. Group creation failed for IPACL-GROUP:25
fpc0 ERROR (dfw): brcm_dfw_update_filter_in_hw failed for filter TEST_FILTER type 1  operation 175203448 unit 0
fpc0 DFWE ERROR DFW: Cannot program filter TEST_FILTER (type IPACL) -TCAM has 0 free entries

Check whether the filter is programmed using the vty command 'show filter hw <index> show_term_info':

Example:

FPC0(TS1.DCA6 vty)# show filter hw 2 show_term_info     <--- index can be obtained from 'show filter' output     
======================
Filter index   : 2
======================
 
- Filter name  : TEST_FILTER
 
+ Hardware Instance : 1
  + Hardware key (struct brcm_dfw_hw_key_t):
    - Type          : IPACL
    - Vlan id       : 0
    - Direction     : ingress
    - Protocol      : 35 (L2 Bridge)
    - Port class id : 0
    - Class id      : 0
    - Loopback      : 0
    - Port          : 0(xe-1)
    - Vlan tag      : 0
    - Non-overflow  : 1
  + FP usage info (struct brcm_dfw_fp_t):
    - Group                           : IFP iPACL group (25)
    - My Mac                          : 00:00:00:00:00:00
    - Loopback Reference Count        : 00000000
    - IFL Type                        : unknown (0)
    + List of tcam entries            : [ total: 0; ]
        - Pipe: 0; []
    + List of ranges                  : [ total: 0; ]
        - Pipe: 0 []
    + List of interface match entries : [ total: 0; ]
        - Pipe: 0 []
    + List of dot1q-tag match entries : [ total: 0; ]
        - Pipe: 0 []
    - List of l3 ifl index entries    : [ total: 0; ]
    + List of vfp tcam entries        : [ total: 0; ]
        - Pipe: 0 []
  + Misc info (struct brcm_dfw_misc_info_t):
    - List of <anlz_id, entry_id> : [ total: 0; ]
  + Bind point info (union brcm_dfw_bind_point_info_t):
    - Port bitmap   :[ 1(xe0) ]
  + Programmed: NO
  + BD ID     : 244
  + Total TCAM entries available: 0
  + Total TCAM entries needed   : 31
  + Term Expansion:
    - Term    1: will expand to     4 terms: Name "Term1"
    - Term    2: will expand to     6 terms: Name "Term2"
    - Term    3: will expand to     2 terms: Name "Term3"
    - Term    4: will expand to     2 terms: Name "Term4"
    - Term    5: will expand to     4 terms: Name "Term5"
    - Term    6: will expand to     2 terms: Name "Term6"
    - Term    7: will expand to     2 terms: Name "Term7"
    - Term    8: will expand to     8 terms: Name "Term8"
    - Term    9: will expand to     1 term : Name "OTHERS"
  + Term TCAM entry requirements:
    - Term    1: needs     4 TCAM entries: Name "Term1"
    - Term    2: needs     6 TCAM entries: Name "Term2"
    - Term    3: needs     2 TCAM entries: Name "Term3"
    - Term    4: needs     2 TCAM entries: Name "Term4"
    - Term    5: needs     4 TCAM entries: Name "Term5"
    - Term    6: needs     2 TCAM entries: Name "Term6"
    - Term    7: needs     2 TCAM entries: Name "Term7"
    - Term    8: needs     8 TCAM entries: Name "Term8"
    - Term    9: needs     1 TCAM entry  : Name "OTHERS"
  + Total TCAM entries available: 0
  + Total TCAM entries needed   : 31
 
Total hardware instances: 1
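
The check described above can be run over saved vty output so that a configured but unenforced filter is reported instead of going unnoticed. The following is an added example, not Juniper code: it parses the show_term_info fields shown on this page and lists every filter with "Programmed: NO", the number of TCAM entries it is short, and its most expensive term. The function names are hypothetical, the sample is trimmed from the output above, and treating any Programmed value other than NO as "programmed" is an assumption.

```python
import re

# Trimmed from the show_term_info output shown above (TEST_FILTER, index 2).
SAMPLE = '''\
- Filter name  : TEST_FILTER
  + Programmed: NO
  + Total TCAM entries available: 0
  + Total TCAM entries needed   : 31
    - Term    1: needs     4 TCAM entries: Name "Term1"
    - Term    2: needs     6 TCAM entries: Name "Term2"
    - Term    3: needs     2 TCAM entries: Name "Term3"
    - Term    4: needs     2 TCAM entries: Name "Term4"
    - Term    5: needs     4 TCAM entries: Name "Term5"
    - Term    6: needs     2 TCAM entries: Name "Term6"
    - Term    7: needs     2 TCAM entries: Name "Term7"
    - Term    8: needs     8 TCAM entries: Name "Term8"
    - Term    9: needs     1 TCAM entry  : Name "OTHERS"
'''

NAME_RE = re.compile(r"-\s*Filter name\s*:\s*(\S+)")
PROG_RE = re.compile(r"\+\s*Programmed\s*:\s*(\w+)")
TOTAL_RE = re.compile(r"Total TCAM entries (available|needed)\s*:\s*(\d+)")
TERM_RE = re.compile(r'Term\s+\d+: needs\s+(\d+) TCAM entr(?:y|ies)\s*: Name "([^"]+)"')

def parse_term_info(text):
    """Return one dict per filter found in saved show_term_info output."""
    filters, cur = [], None
    for line in text.splitlines():
        if m := NAME_RE.search(line):
            cur = {"name": m.group(1), "programmed": None,
                   "available": 0, "needed": 0, "terms": {}}
            filters.append(cur)
        elif cur is None:
            continue  # ignore anything before the first filter header
        elif m := PROG_RE.search(line):
            # Only "NO" appears on the page; any other value counts as programmed.
            cur["programmed"] = m.group(1).upper() != "NO"
        elif m := TOTAL_RE.search(line):
            cur[m.group(1)] = int(m.group(2))
        elif m := TERM_RE.search(line):
            cur["terms"][m.group(2)] = int(m.group(1))
    return filters

def unenforced(filters):
    """(name, missing TCAM entries, largest term) for each filter not in hardware."""
    return [(f["name"], max(f["needed"] - f["available"], 0),
             max(f["terms"], key=f["terms"].get, default=None))
            for f in filters if f["programmed"] is False]
```

The per-term requirements should add up to "Total TCAM entries needed"; the largest term is the first candidate to simplify if the filter has to fit in fewer entries.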
Solution:
  1. Check whether the Junos version running on the QFX includes the fix for PR1499647 - Firewall Filter might not get applied on QFX5100/5110/EX4600. Junos versions without the fix might fail to install new filters even though a hardware slice is available according to the scale limit.

  2. Upgrade the device to a Junos version that has the fix and check again.

  3. If an upgrade is not possible, reboot the device as a workaround. This should result in all filters being programmed at the same time, so this issue can be avoided.


On Junos versions with the fix for PR1499647 - Firewall Filter might not get applied on QFX5100/5110/EX4600, if a filter fails to install, check the TCAM usage as follows:

Example for QFX5110:

To support basic functionality on the device, some default slices are used for basic dynamic filters, such as the bgp trap filter.
Check the used/available slices with the "show filter hw fp_slice" and "show filter hw groups" vty commands. On Junos versions affected by PR1499647, these commands might display incorrect information.

As shown below, for IFP (Ingress Field Processor), 4 slices are used for dynamic filters and 8 are left to support CLI filters. In a VXLAN environment, an additional 4 slices are used for VXLAN default filters and only 4 slices are left for CLI filters. The IRACL/IVACL/IPACL scale in such cases is therefore 4 slices, that is, (4*2048)/2 = 4096 TCAM entries.

 
FPC0(qfx5110 vty)# show filter hw fp_slice    

VFP used:  0 avail:  4
    slice 00 used 0
    slice 01 used 0
    slice 02 used 0
    slice 03 used 0

IFP used:  4 avail:  8
    slice 00 used 0
    slice 01 used 0
    slice 02 used 0
    slice 03 used 0
    slice 04 used 1
    slice 05 used 1
    slice 06 used 1
    slice 07 used 1
    slice 08 used 0
    slice 09 used 0
    slice 10 used 0
    slice 11 used 0

EFP used:  0 avail:  4
    slice 0 used 0
    slice 1 used 0
    slice 2 used 0
    slice 3 used 0

FPC0(qfx5110 vty)# show filter hw groups     
Unit:0 Group Information:
> VFP groups:
> IFP groups:
     BA classifier dynamic group id: 21. Pipe:  0 Entries:   78 Max Entries(total_available): 1024(13312) Pri:  2 Slice:  1 Def Entries:  0
                   Dynamic group id: 17. Pipe:  0 Entries:  153 Max Entries(total_available): 1024(7168) Pri:  4 Slice:  2 Def Entries:  0
             Dynamic HiGig group id: 37. Pipe:  0 Entries:    1 Max Entries(total_available): 1024(13312) Pri:  5 Slice:  1 Def Entries:  0
> EFP groups:


If the filter is not getting installed for reasons not specified here, please contact your JTAC Representative.

Modification History:
2021-11-18: Updated solution with more clarity in steps 1-3
