The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: FW-1: halloc: unable to allocate 68 bytes

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

This error message indicates that FireWall-1's kernel module has run out of the kernel memory it reserves for its state tables (the pool whose size is controlled by fwhmem, discussed below).

In NG FP2 and above, you can configure these parameters in the Gateway object definition under "Capacity Optimization". You can either configure the parameters manually or configure based on the number of connections you wish to support.

In FireWall-1 NG FP1 and before, you need to allocate more memory to the firewall kernel loadable module to hold the state tables. This is controlled by a kernel variable called fwhmem. The default is generally too low. How high should it be? This depends. Each connection takes 60 bytes of memory. If a connection requires NAT, an additional 120 bytes are needed. If a connection is logged in accounting mode, an extra 72 bytes are needed. This is in addition to a "base" amount of memory (somewhere between 500k and 3 megs) that FireWall-1 will need to manipulate the state tables, perform logging functions, etc.

With this in mind, let's assume we want to handle 25,000 connections. Of these connections, we expect 4,000 of them will involve NAT. Since we plan to log most of these connections, allocating an adequate amount of kernel memory is vital. In this case, we calculate fwhmem as follows:

3154728 (3 megabytes) + (60 * 25000) + (120 * 4000) = 5134728,

or slightly less than 5 megabytes. Below, we will show you how to modify fwhmem to allocate 10 megabytes of memory. The number 0xa00000 is a hexadecimal value for 10 megabytes, which is 10485760 in decimal.

On Solaris machines, add the following line to the bottom of the /etc/system file and reboot:

set fw:fwhmem=0xa00000

On SunOS 4 machines, use the following commands:

# $FWDIR/bin/fwstop
# echo "fwhmem?W0xa00000" | adb -w $FWDIR/modules/fwmod.4.1.3.o
# $FWDIR/bin/fwstart

On HP-UX 9 machines use the following command and reboot the gateway:

# echo "fwhmem?W0xa00000" | adb -w /hp-ux

On HP-UX 10 machines use the following command and reboot the gateway:

# echo "fwhmem?W0xa00000" | adb -w /stand/vmunix

On AIX machines use the following commands:

# fwstop
# echo "fw_heap_size?W 800000" | adb -w $FWDIR/modules/fwmod.4.x.o
# echo "fwhmem?W a00000" | adb -w $FWDIR/modules/fwmod.4.x.o
# fwstart

On Windows:

  • Run regedt32 (the registry editor)
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
  • Select "Add Value" from the Edit menu
  • The value's name is Memory, and the data type is REG_DWORD
  • Enter the new amount of kernel memory (in bytes)
  • Reboot

On a Linux platform, add the following to $FWDIR/boot/modules/fwkern.conf and restart FireWall-1:


On an IPSO system (VPN-1 Appliance or Nokia IPxxx), it is not necessary to adjust this value on FireWall-1 4.1 SP2 on IPSO 3.3 and later because this value is dynamically set based on physical memory according to the following table, which is usually more than is needed:

Physical Memory    Value for Modzap
64mb               0xa00000 (10mb)
128mb              0xc00000 (12mb)
256mb              0x1000000 (16mb)
512mb              0x1b00000 (28mb)

In FireWall-1 4.0 SP3 thru FireWall-1 4.1 SP2 on IPSO 3.2.1, the default is 5mb. If you are using an earlier version of FireWall-1 on IPSO or you want to force a different value on the more recent versions, you will need to get the zap or modzap utility from Resolution 1261 in Nokia's Knowledge Base. You can then use the following command line to modify the fwhmem parameter and reboot the system:

# zap -s _fwhmem $FWDIR/modules/fwmod.o 0xa00000          (For FireWall-1 3.x)
# modzap _fwhmem $FWDIR/boot/modules/fwmod.o 0xa00000     (For FireWall-1 4.x)
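As an added example (not from the original FAQ and not Check Point's or Nokia's code), the following script turns the sizing formula given above into a small calculator: it estimates fwhmem from the per-connection costs the FAQ states (60 bytes per connection, 120 more for NAT, 72 more for accounting-mode logging, plus a fixed base), renders the result in the hexadecimal form the /etc/system line expects, and checks the estimate against the IPSO 3.3+ defaults from the table above. The function names, the `headroom` check, and the choice to treat the IPSO table as a lookup keyed by physical memory in MB are assumptions of this example; the byte costs and table values are taken from the page as written.

```python
# Added example, not from the original FAQ: size the FireWall-1 fwhmem kernel
# heap from the per-connection costs the FAQ states, render the value the way
# the Solaris /etc/system line expects it, and check whether the IPSO default
# for a given amount of RAM already covers the estimated need.

MIB = 1024 * 1024

# Per-connection costs as stated in the FAQ (FireWall-1 NG FP1 and earlier).
BYTES_PER_CONNECTION = 60
BYTES_PER_NAT_CONNECTION = 120   # in addition to the 60 bytes
BYTES_PER_ACCOUNTING_LOG = 72    # in addition, when logged in accounting mode

# The FAQ's IPSO 3.3+ defaults, keyed by physical memory in MB (assumed to be
# an exact match on the table's four rows; other sizes are not covered here).
IPSO_DEFAULT_FWHMEM = {64: 0xa00000, 128: 0xc00000, 256: 0x1000000, 512: 0x1b00000}


def fwhmem_estimate(connections, nat_connections=0, accounting_connections=0,
                    base=3 * MIB):
    """Bytes of kernel heap needed for the given load, per the FAQ's formula.

    `base` is the fixed overhead the FAQ puts somewhere between 500k and 3 MB;
    the FAQ's own worked example uses 3154728 for it.
    """
    if not 0 <= nat_connections <= connections:
        raise ValueError("NAT connections cannot exceed total connections")
    if not 0 <= accounting_connections <= connections:
        raise ValueError("accounting-logged connections cannot exceed total")
    return (base
            + BYTES_PER_CONNECTION * connections
            + BYTES_PER_NAT_CONNECTION * nat_connections
            + BYTES_PER_ACCOUNTING_LOG * accounting_connections)


def round_up_to_mib(nbytes):
    """Round a byte count up to a whole number of MiB (ceiling division)."""
    return -(-nbytes // MIB) * MIB


def solaris_system_line(nbytes):
    """The /etc/system line for Solaris, with the value in hex as in the FAQ."""
    return "set fw:fwhmem=0x%x" % nbytes


def headroom(configured_bytes, estimate_bytes):
    """Bytes of slack between the configured heap and the estimate.

    A negative result means the heap is undersized for the planned load, and
    the 'halloc: unable to allocate' error is to be expected under it.
    """
    return configured_bytes - estimate_bytes


def ipso_default_covers(physical_mb, estimate_bytes):
    """True if the IPSO 3.3+ default for this RAM size covers the estimate."""
    default = IPSO_DEFAULT_FWHMEM[physical_mb]
    return headroom(default, estimate_bytes) >= 0


if __name__ == "__main__":
    # The FAQ's scenario: 25,000 connections, 4,000 of them NATed.
    need = fwhmem_estimate(25000, 4000, base=3154728)
    print("estimate: %d bytes; %s" % (need, solaris_system_line(round_up_to_mib(need))))
    # Same load with every connection logged in accounting mode.
    need_acct = fwhmem_estimate(25000, 4000, accounting_connections=25000, base=3154728)
    print("with accounting logging: %d bytes" % need_acct)
    print("headroom in a 10 MB heap: %d bytes" % headroom(0xa00000, need_acct))
    print("IPSO 64 MB default covers it: %s" % ipso_default_covers(64, need_acct))
```

Run as-is it reproduces the FAQ's 5134728-byte figure, then shows what adding accounting-mode logging to every connection does to it. The `headroom` check is the part worth keeping around: if it goes negative for the load you expect, the allocation failure in this FAQ's title is the predictable outcome rather than a surprise.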
