PDA

View Full Version : halloc: unable to allocate 68 bytes



Barry J. Stiefel
2005-08-13, 14:58
halloc: unable to allocate 68 bytes



This error message indicates FireWall-1's kernel module is running out of memory.

In NG FP2 and above, you can configure these parameters in the Gateway object definition under "Capacity Optimization". You can either configure the parameters manually or configure based on the number of connections you wish to support.

In FireWall-1 NG FP1 and before, you need to allocate more memory to the firewall kernel loadable module to hold the state tables. This is controlled by a kernel variable called fwhmem. The default is generally too low. How high should it be? This depends. Each connection takes 60 bytes of memory. If a connection requires NAT, an additional 120 bytes are needed. If a connection is logged in accounting mode, an extra 72 bytes are needed. This is in addition to a "base" amount of memory (somewhere between 500k and 3 megs) that FireWall-1 will need to manipulate the state tables, perform logging functions, etc.

With this in mind, let's assume we want to handle 25,000 connections. Of these connections, we expect 4,000 of them will involve NAT. Since we plan to log most of these connections, allocating an adequate amount of kernel memory is vital. In this case, we calculate fwhmem as follows:

3154728 (3 megabytes) + (60 * 25000) + (120 * 4000) = 5134728,

or slightly less than 5 megabytes. Below, we will show you how to modify fwhmem to allocate 10 megabytes of memory. The number 0xa00000 is a hexadecimal value for 10 megabytes, which is 10485760 in decimal.

On Solaris machines, add the following line to the bottom of the /etc/system file and reboot:

set fw:fwhmem=0xa00000

On SunOS 4 machines, use the following commands: # $FWDIR/bin/fwstop # echo "fwhmem?W0xa00000" | adb -w $FWDIR/modules/fwmod.4.1.3.o # $FWDIR/bin/fwstartOn HP-UX 9 machines use the following command and reboot the gateway:



# echo "fwhmem?W0xa00000" | adb -w /hp-ux

On HP-UX 10 machines use the following command and reboot the gateway:

# echo "fwhmem?W0xa00000" | adb -w /stand/vmunix

On AIX machines use the following commands: # fwstop # echo "fw_heap_size?W 800000" | adb -w $FWDIR/modules/fwmod.4.x.o # echo "fwhmem?W a00000" | adb -w $FWDIR/modules/fwmod.4.x.o # fwstartOn Windows:




Run regedt32 (the registry editor)
Go to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesF W1Parameters
Select "Add Value" from the Edit menu
The value's name is Memory, and the data type is REG_DWORD
Enter the new amount of kernel memory (in bytes)
Reboot


On a Linux platform, add the following to $FWDIR/boot/modules/fwkern.conf and restart FireWall? (http://www.phoneboy.com/bin/edit.pl/FAQs/FireWall?topicparent=FAQs.HallocUnableToAllocate)-1:

fwhmem=0xa00000

On an IPSO system (VPN-1 Appliance or Nokia IPxxx), it is not necessary to adjust this value on FireWall-1 4.1 SP2 on IPSO 3.3 and later because this value is dynamically set based on physical memory according to the following table, which is usually more than is needed:

Physical Memory (http://www.phoneboy.com/bin/view.pl/FAQs/HallocUnableToAllocate?sortcol=0&table=1&up=0#sorted_table) Value for Modzap (http://www.phoneboy.com/bin/view.pl/FAQs/HallocUnableToAllocate?sortcol=1&table=1&up=0#sorted_table) 64mb 0xa00000 (10mb) 128mb 0xc00000 (12mb) 256mb 0x1000000 (16mb) 512mb 0x1b00000 (28mb)

In FireWall-1 4.0 SP3 thru FireWall-1 4.1 SP2 on IPSO 3.2.1, the default is 5mb. If you are using an earlier version of FireWall-1 on IPSO or you want to force a different value on the more recent versions, you will need to get the zap or modzap utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system: # zap -s _fwhmem $FWDIR/modules/fwmod.o 0xa00000 (For FireWall-1 3.x) # modzap _fwhmem $FWDIR/boot/modules/fwmod.o 0xa00000 (For FireWall-1 4.x) -- PhoneBoy (http://www.phoneboy.com/bin/view.pl/Main/PhoneBoy) - 11 Jan 2004



FAQForm (http://www.phoneboy.com/bin/view.pl/FAQs/FAQForm) FAQs.Class: TroubleshootingFAQs (http://www.phoneboy.com/bin/view.pl/FAQs/TroubleshootingFAQs) FAQs.OS: OsAIX (http://www.phoneboy.com/bin/view.pl/FAQs/OsAIX), OsSolaris (http://www.phoneboy.com/bin/view.pl/FAQs/OsSolaris), OsNokiaIPSO (http://www.phoneboy.com/bin/view.pl/FAQs/OsNokiaIPSO), OsWindows (http://www.phoneboy.com/bin/view.pl/FAQs/OsWindows), OsHpux (http://www.phoneboy.com/bin/view.pl/FAQs/OsHpux), OsLinux (http://www.phoneboy.com/bin/view.pl/FAQs/OsLinux) FAQs.Version: