Installation failed. Reason: Load on Module failed

[munrog]

Hi Folks,
Several times now we've been getting
"Installation failed. Reason: Load on Module failed - no memory. ( message from member connectra01x ) Unspecified error Unspecified error"
when trying to install policy on an R62 Connectra.
The only way to resolve this and allow us to deploy policies again has been to stop and start the CP services or reboot the platform.
Has anyone else seen this or know how to debug what the root cause may be.
Cheers
Greg

[dantro]

Yep, I had this issue two days ago as well. Reason was the use of special characters in the name field of a rule. Just used plain standard english chars and everything compiled and installed well.

Best regards,
Danny Trommer
CCSA/CCSE/CCSE+

[munrog]

Thanks Dantro

I will check out the config and ensure that there are no special chars used anywhere.

'No memory' is a general description in this case, so it doesn't give a clue regarding what's wrong. It indicates that the error happens when the policy files are already delivered to the module (fw1) part and "fw fetchlocal" returns a failure return code.

CheckPoint suggested debugging 'fwm' with 'fwm -d >& debug.txt' during a policy installation attempt. Rather than fwm -d, I used fw debug fwm on TDERROR_ALL_ALL=5 as the fwm process was already active and restarting it would probably have restored the ability to push policies again until next time. Note - You need to look at the fwm.elg file only after a 'cpstop' as on SecurePlatform, the file usually looks like a binary as it's locked by the process.

They suggested I try to "fw unloadlocal" and then "fw fetchlocal". If that doesnt show what caused the problem then they suggest a reboot. If the problem persists, then log a call.

Unfortunately because this connectra is in production, that becomes difficult...

I'm hoping to try these out later in the week.
Greg

[deltaforce98]

i was also getting the same error on the connectra boxes when installing the policy.

I modified the “ :rulebase_uids_in_log (false)” and did a cpstop/cpstart on the primary and I was able to install policy on the Connectra cluster.

By default the rulebase_uid_in_log parameter is set to 'true'. When set to 'true', each rule in the rulebase is logged during the policy installation and this can intermittently cause memory problems particularly with large policies.

By setting the parameter to 'false', these logs are no longer generated during the policy installation and consequently the memory usage on the module is no longer affected during the policy installation.