Check Point policy push on firewall fails with "Installation failed. Reason: Load on Module failed – no memory"

Article ID: 167782

Products

XOS

Issue/Introduction

Attempting to push policy fails with the error "Installation failed. Reason: Load on Module failed – no memory" in Check Point SmartDashboard. From time to time, a policy push fails with the error message 'Load on module failed. No memory'.
 
After rebooting the firewall the policy pushes successfully.
 
The module is not using swap space and has plenty of memory.





Cause

You are unable to push policy to a firewall vap-group due to the following error:

Installation failed. Reason: Load on Module failed – no memory. (message from member ….)

You see the following log lines in your messages file:

Feb 10 07:59:44 fw_2 kernel: [fw_0];FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 07:59:44 fw_2 kernel: [fw_0];FW-1: SIM (SecureXL Implementation Module) SecureXL device detected.
Feb 10 07:59:44 fw_1 kernel: [fw_0];FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 07:59:44 fw_1 kernel: [fw_0];FW-1: SIM (SecureXL Implementation Module) SecureXL device detected.
Feb 10 07:59:45 fw_1 kernel: [fw_0];FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 07:59:45 fw_1 kernel: [fw_0];FW-1: SIM (SecureXL Implementation Module) SecureXL device detected.
Feb 10 07:59:45 fw_2 kernel: [fw_0];FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 07:59:45 fw_2 kernel: [fw_0];FW-1: SIM (SecureXL Implementation Module) SecureXL device detected.



You will also see these log lines:

Feb 10 06:20:20 fw_1 kernel: FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 06:20:21 fw_2 kernel: FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 06:29:30 fw_1 kernel: FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 06:29:31 fw_2 kernel: FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 06:34:53 fw_1 kernel: FW1: fwloghandle_register_string: unable to put entry into table.
Feb 10 06:34:53 fw_2 kernel: FW1: fwloghandle_register_string: unable to put entry into table.
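
The following check is an added example, not part of the original article or of any vendor tooling. It counts the "unable to put entry into table" kernel messages per member, with first and last occurrence, so you can confirm which members show the symptom. The function names and the sample log lines are constructed, and the line layout is assumed to match the excerpts above.

```sh
#!/bin/sh
# Added example: per-member summary of the kernel symptom from this article.
# Assumption: lines look like "Mon DD HH:MM:SS <member> kernel: <message>".

PATTERN='fwloghandle_register_string: unable to put entry into table'

# summarize_table_full FILE
# Prints "<member> TAB <count> TAB <first seen> TAB <last seen>", sorted by member.
summarize_table_full() {
    awk -v pat="$PATTERN" '
        $5 == "kernel:" && index($0, pat) {
            m = $4
            ts = $1 " " $2 " " $3
            if (!(m in n)) first[m] = ts   # remember the first occurrence
            n[m]++
            last[m] = ts                   # file is chronological, so this ends as the last
        }
        END {
            for (m in n) printf "%s\t%d\t%s\t%s\n", m, n[m], first[m], last[m]
        }
    ' "$1" | sort
}

# Constructed sample input (not taken from a real system).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 03 02:10:01 fw_1 kernel: FW1: fwloghandle_register_string: unable to put entry into table.
Mar 03 02:10:01 fw_1 kernel: [fw_0];FW-1: SIM (SecureXL Implementation Module) SecureXL device detected.
Mar 03 02:10:02 fw_2 kernel: [fw_0];FW1: fwloghandle_register_string: unable to put entry into table.
Mar 03 02:15:40 fw_1 kernel: [fw_0];FW1: fwloghandle_register_string: unable to put entry into table.
Mar 03 02:16:00 fw_3 sshd[411]: Accepted publickey for admin
EOF
}

# Demo run on the constructed sample; on a member, pass the messages file instead.
sample=$(mktemp)
write_sample_log "$sample"
summarize_table_full "$sample"
rm -f "$sample"
```

A member that keeps appearing in this summary after rulebase_uids_in_log has been set to false and policy reinstalled is still hitting the condition and needs further investigation.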


Resolution

By default, the rulebase_uids_in_log parameter is set to 'true'. When it is set to 'true', each rule in the rulebase is logged during policy installation, and this can intermittently cause memory problems, particularly with large policies.
 
Setting the parameter to 'false' stops these logs from being generated during policy installation, so the installation no longer affects memory usage on the module. To change the rulebase_uids_in_log property, use Check Point SmartDashboard to go to Global Properties > SmartDashboard Customization > Advanced Configuration > Configure > FireWall-1 > General > rulebase_uids_in_log. Set the property to false, then install the security policy.

Note: if you disable the rulebase_uids_in_log setting, the Hit Count feature will stop functioning.

Workaround

SK40768 from Check Point addresses this issue.