Kernel Panic: Check Point crashes the APM running VSX NGX R65

book

Article ID: 167898

calendar_today

Updated On:

Products

XOS

Issue/Introduction

Kernel Panic occurs on an APM due to link collision. Check Point has provided the Link Collision settings that need to be changed on the APMs running VSX NGX R65Sample of stack crash dumps from the output of show tech-support

>>EIP; 8015d245 <__free_pages+5/70> <=====
Trace; 80137b65 <__run_timers+b5/1a0>
Trace; 802afdcb <skb_release_data+bb/d0>
Trace; 802afdf7 <kfree_skbmem+17/80>
Trace; 802affa1 <__kfree_skb+141/1d0>
Trace; 802b6df7 <net_tx_action+57/130>
Trace; 80132027 <tasklet_hi_action+67/a0>
Trace; 80131db5 <do_softirq+105/140>


>>EIP; 8034032f <vsnprintf+2df/460> <=====
Trace; e65914c0 <[fwmod_smp.2.4.21.cp.i686]s.19+0/1000>
Trace; e5c5af60 <[simmod_smp.2.4.21.cp.i686].rodata.end+3201/13281>
Trace; 803404d7 <snprintf+27/30>
Trace; e65914c0 <[fwmod_smp.2.4.21.cp.i686]s.19+0/1000>
Trace; e5c5af88 <[simmod_smp.2.4.21.cp.i686].rodata.end+3229/13281>
Trace; e5dc34a9 <[fwmod_smp.2.4.21.cp.i686]vprintf_substitue+a9/120>
Trace; e65914c0 <[fwmod_smp.2.4.21.cp.i686]s.19+0/1000>

Cause

Problem: An APM running Check Point VSX NGX R65 encounters a crash due to kernel panic as a result of a Check Point Link Collision.

Resolution

This is a known Check Point issue documented in the following Check Point solutions available on Check Point web site.

sk34127 (Security Gateway restarts after initialization of VoIP session)
sk34970 (Security gateway crashes when connecting with Microsoft L2TP client).

Check Point has provided the following instructions for avoiding the APM crashes running VSX NGX R65 (see the symptoms section for an example of stack dumps).

1. Create $PPKDIR/boot/modules/simkern.conf file, if it does not exist.

2. Add the following line to $PPKDIR/boot/modules/simkern.conf file

sim_resolve_link_collision=1

3. Create $FWDIR/modules/fwkern.conf file, if it does not exist

4. Add the following line to $FWDIR/modules/fwkern.conf

cphwd_handle_link_collision=1


5. Reboot the firewall 
 

Workaround

N/A