Barracuda CloudGen Firewall

Log Files: FAQ

The following sections display messages and issues that you may encounter for common processes that are handled by the Barracuda CloudGen Firewall or Firewall Control Center. In this list, search for your message or issue to determine its possible cause and solution.

Log File Messages

Max. workers (30) limit hit

  • Issue: Clients receive ICAP errors and the CloudGen Firewall Virus Scanner Service reports the following message in the cas-log:
    Max. workers (30) limit hit 
  • Reason: The CloudGen Firewall Antivirus service has a predefined worker limit of 30 scanner instances that can be launched to handle requests. If 30 worker processes are used and an additional scan request should be processed, the Antivirus service blocks this request and an ICAP error is displayed at the client.
  • Solution: Configure the Max. Num Workers setting according to your requirements. For more information, see How to Enable the Virus Scanner.

Unresolvable clock skew detected 

  • Issue: After a system reboot, a time inconsistency occurs. The following error messages are recorded in the dstatm log file:
    Error *** Unresolvable clock skew detected *** (last run 1066262400, today 1280707200)
    Error Main stopped.
  • Reason: The system time on the Control Center does not match the time of the last statistics collection.
  • Solution: Reset the timestamp in the header of the dstatm.db file. For more information, see the "System Reboot" section of Best Practice - How to Handle Incorrect Time Settings.

quantum of class [n] is big 

  • Issue: In the Log > Box > System > klogd.log file, messages similar to the following are reported: 
    Info +0200 kernel: HTB: quantum of class 2740004 is big. Consider r2q change
  • Reason: These log messages are associated with the Traffic Shaping configuration. They are generated by the kernel when traffic shaping has been configured for high outbound/inbound bandwidth utilization.
  • Solution: This message is informational and does not report a malfunction. It may be ignored.

'Size limit exceeded' reported in vpnserver.log while retrieving CRLs

  • Issue: While retrieving a CRL of a root certificate in the VPN server, the CRL update does not work and the following messages are displayed in the Log > Servicename > vpnserver.log file: 
    Error +0200 CRL Destination path on LDAP-Server ldap.server.com for yourcertname not found (Size limit exceeded).
  • Reason: Some LDAP servers use a maxHits limit to protect the server from long search requests. If this limit is reached, the size limit exceeded error occurs. The reason could be the global search string "?cn=*" in the CRL path that is configured for the certificate: ou=VPNROOT,o=TEST,c=COM?cn=*
  • Solution: Enter your certificate name for the global search setting to limit the search request: ou=VPNROOT,o=TEST,c=COM?cn=VPNROOT

'cannot get exclusive lock' reported in /var/lib/rpm/Packages

  • Issue: A hotfix or patch installation that is executed from the Control > Firmware Update page for a Control Center-administered system fails. The following error message is written to the system log file: error: cannot get exclusive lock on /var/lib/rpm/Packages
  • Reason: Exclusive access to the /var/lib/rpm/Packages file is required by the phionRelCheck tool, which is responsible for version control of RPM packages. The tool runs on a regular basis at 2:30 AM (based on local system time), when a system is rebooted, and after a software update. The time that phionRelCheck needs to complete its task depends on system performance. On a high-performance system, 15 seconds might be sufficient. On a low-performance system, up to 10 minutes may be required. The error message indicates that phionRelCheck is already running, so the /var/lib/rpm/Packages file is locked and the software update procedure cannot lock the file itself.
  • Solution: Before commencing a software update, make sure that phionRelCheck is not running. When active, the phionRelCheck process is listed on the Control > Processes page for the respective system.

'cannot create ktina socket' reported in fatal.log  

  • Issue: The VPN service no longer starts and the Log > fatal.log displays the following error message:
    Fatal Exit: Cannot create ktina socket: Address family not supported by protocol
  • Reason: This error occurs only on single-CPU hardware, which always uses the 32-bit architecture, when the Max. Session Slots value of the firewall has been increased above the default value of 65536. In this case, the acpf (firewall kernel module) allocates too much kernel memory and the ktina (VPN kernel module) does not have enough free kernel memory available. This does not happen on multi-CPU hardware with 64-bit architecture.
  • Solution: Check the Box > Infrastructure Services > General Firewall Configuration > Global Limits > Max. Session Slots value and decrease it at least to the default value of 65536. After a reboot of the box, the VPN service will start normally.

    Multi-CPU and 64-bit are supported only on Barracuda CloudGen Firewall release 5.0.x and higher. For Barracuda CloudGen Firewall 4.2.x, you cannot use more than 65536 session slots.

'Unexpected EOF while reading body' and 'Broken pipe' reported in the cas.log

  • Issue: These messages are reported in the Log > Servicename > cas.log file:
    Warning +0100 Error in request from 127.0.0.1:17874: Unexpected EOF while reading body
    Warning +0100 Error in request from 127.0.0.1:14378: Unexpected EOF while reading body
    Warning +0100 Error in connection with 127.0.0.1:4315: Broken pipe
    Warning +0100 Error in connection with 127.0.0.1:1380: Broken pipe
  • Reason: These messages are displayed when a user closes the browser while a website is loading.
  • Solution: These messages are not warnings. They only notify you that a client has unexpectedly closed the connection.

kernel: 'dst cache overflow' reported in klogd.log

  • Issue: In the Log > Box > System > klogd.log file, log messages similar to the following are reported:
    2009 07 19 10:41:14 Info kernel: dst cache overflow
  • Reason: The message is related to the state of the routing cache. It is recorded as soon as the routing cache empties itself due to a content overflow. The cache then builds up anew.
  • Solution: By default, a maximum number of 32768 entries are assigned to the routing cache. To avoid frequent kernel: dst cache overflow notifications, this value may be increased. The setting is located in Config > Box > Advanced Configuration > System Settings > Routing Settings > Max Routing Cache Entries.

kernel: 'DriveStatusError BadCRC' reported in klogd.log

  • Issue: Sometimes, especially on phionOS startup, the following lines are displayed in klogd:
    hdc: dma_intr: error=0x84 { DriveStatusError BadCRC }
    hdc: dma_intr: status=0x51 { DriveReady SeekComplete Error }
    hdc: dma_intr: error=0x84 { DriveStatusError BadCRC }
    hdc: dma_intr: status=0x51 { DriveReady SeekComplete Error }
  • Reason: This line is either related to the speed supported by the hard disk or may also occur after an IDE reset.
  • Solution: Ignore these harmless lines on CloudGen Firewall OS startup and after an IDE BUS reset.

'ACPF clock' reported in klogd.log

  • Issue: This message is reported in the Log > Box > System > klogd.log file:
    ACPF: clock changed by -1 seconds
  • Reason: This message is generated by the ACPF module in connection with maintaining the FW Audit log (available since 4.2.0). The switch between standard and daylight saving time can cause inconsistencies. The ACPF module, which uses jiffies as its time base, automatically corrects time divergences, and the correction is logged in the klogd.log file.
  • Solution: The message displays standard information by the ACPF. No further investigation is required.

'device [x] entered promiscuous mode' reported in klogd.log

  • Issue: In the Log > Box > System > klogd.log file, log messages similar to the following are displayed:
    Info +0200 kernel: device eth6 entered promiscuous mode
  • Reason: The messages are associated with tcpdump (network sniffing tool) execution. A device changes to promiscuous mode every time tcpdump is executed.
  • Solution: The messages are purely informational and do not report a malfunction.

'TCP Packet Belongs to no Active Session' reported in the firewall access cache    

  • Issue: This message is reported in the firewall access cache (displayed only when the "drop" cache is activated):
    TCP Packet Belongs to no Active Session
  • Reason: This message can originate from issues related to unscheduled session termination or to frequent TCP packets that cannot be allotted to an active session.
  • Solution: Follow these steps to solve the issue:
    1. Increase the Session Timeout value in the Service Entry Parameters window (default: 86400) in Config > Box > Affected Services > Servicename > Forwarding Rules > Services Objects. For more information, see How to Create Service Objects.
    2. Increase the Last ACK Timeout (s) value in the Advanced Settings window (default: 10) in Config > Box > Affected Services > Servicename > Forwarding Rules > Rule Configuration.

'Neighbour table overflow' reported in klogd.log

  • Issue: In the Log > Box > System > klogd.log file, log messages similar to the following are displayed:
    Info Neighbour table overflow
  • Reason: This message is related to the state of the ARP cache. It is recorded when the ARP cache empties itself due to a content overflow. The cache then builds up anew.
  • Solution: The setting is located in Config > Box > Advanced Configuration > System Settings > ARP Settings > ARP Cache Size. By default, a maximum number of 1024 entries are assigned to the ARP cache. To avoid frequent Neighbour table overflow notifications, increase this value.

'Too many queued ntlmauthenticator requests' reported in cache.log  

  • Issue: The proxy service crashes with a line similar to the following in Log > Servicename > cache.log:
    Error: Too many queued ntlmauthenticator requests (<X> on <Y>)
  • Reason: Your configuration allows squid to use only <Y> authenticator requests. At the moment, <X> authenticator requests are queued.
  • Solution: Configure your settings according to your network size at Config > Box > Assigned Services > Servicename > HTTP Proxy Settings > Access Control > Authentication Settings. Increase the number configured for Authentication Worker until your proxy runs stably.

'PAYLOAD_MALFORMED', 'INVALID_PAYLOAD_TYPE', 'INVALID_COOKIE' reported in ike.log

  • Issue: These messages are reported in the Log > Servicename > ike.log file:
    dropped message from x.x.x.x port 500 due to notification type PAYLOAD_MALFORMED
    dropped message from x.x.x.x port 500 due to notification type INVALID_PAYLOAD_TYPE
    dropped message from x.x.x.x port 500 due to notification type INVALID_COOKIE
  • Reasons
    • The following errors indicate that the preshared-key does not match on the two peers: 
      dropped message from x.x.x.x port 500 due to notification type PAYLOAD_MALFORMED  
      and 
      dropped message from x.x.x.x port 500 due to notification type INVALID_PAYLOAD_TYPE   
      As a result, the encrypted fifth main-mode packet will be "incorrectly" decrypted, or decrypted with another key.
    • The following error indicates that the configuration of Phase1 or Phase2 does not match between both peers: 
      dropped message from x.x.x.x port 500 due to notification type INVALID_COOKIE
  • Solutions
    • If the issue is related to preshared keys, change or renew the keys in your VPN configuration.  For more information, see VPN.
    • If the issue is related to Phase 1 / Phase 2 configuration, check the settings for your VPN tunnel. For more information, see VPN.   
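
The mapping in this entry can be applied per peer to a longer ike.log. The following is an added example, not Barracuda tooling; the function names and the sample lines (documentation-range addresses, plus one NO_PROPOSAL_CHOSEN line to show a type this entry does not cover) are constructed.

```bash
#!/bin/sh
# Added example: summarise dropped IKE messages per peer, using the causes
# this FAQ entry assigns to each notification type.

# Constructed sample lines in the format quoted in the entry above.
sample_ike_log() {
cat <<'EOF'
dropped message from 192.0.2.10 port 500 due to notification type PAYLOAD_MALFORMED
dropped message from 192.0.2.10 port 500 due to notification type INVALID_PAYLOAD_TYPE
dropped message from 198.51.100.7 port 500 due to notification type INVALID_COOKIE
dropped message from 192.0.2.10 port 500 due to notification type PAYLOAD_MALFORMED
dropped message from 203.0.113.5 port 500 due to notification type NO_PROPOSAL_CHOSEN
EOF
}

# Reads ike.log lines from the named files (or stdin) and prints one line per
# peer and cause: "<peer> <cause> <count>". Any prefix before "dropped message"
# (timestamp, severity) is ignored.
ike_triage() {
    awk '
    /dropped message from .* due to notification type/ {
        peer = ""; type = ""
        for (i = 1; i < NF; i++) {
            if ($i == "from") peer = $(i + 1)
            if ($i == "type") type = $(i + 1)
        }
        sub(/[;.]$/, "", type)          # drop trailing punctuation, if any
        if (type == "PAYLOAD_MALFORMED" || type == "INVALID_PAYLOAD_TYPE")
            cause = "preshared-key-mismatch"
        else if (type == "INVALID_COOKIE")
            cause = "phase1-or-phase2-mismatch"
        else
            cause = "not-covered:" type  # no cause given for this type here
        n[peer " " cause]++
    }
    END { for (k in n) print k, n[k] }
    ' "$@" | LC_ALL=C sort
}

# Run against the constructed sample.
sample_ike_log | ike_triage
```

On a real system, pass the exported log file as an argument, for example `ike_triage ike.log`.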

'Disk space over limit' reported in the proxy cache.log

  • Issue: These messages are reported in the Log > Servicename > cache.log file: 
    WARNING: Disk space over limit: 184624 KB > 102400 KB
    WARNING: Disk space over limit: 174576 KB > 102400 KB
    WARNING: Disk space over limit: 163982 KB > 102400 KB
    WARNING: 1 swapin MD5 mismatches
  • Reason: This problem may occur if the swap.state file has been corrupted, often as a result of a power failure or other uncontrolled system restart that corrupts the file system. Note that this issue does not affect the operation of the proxy service itself.
  • Solution: Follow these steps to solve the issue:
    1. Block the proxy service on the Control > Service page.
    2. Delete the swap.state file. At the command line, enter: rm /phion0/cache/squid-cache_<servername>_<servicename>/swap.state
    3. Start the proxy service on the Control > Service page.

'Size limit exceeded' reported in phibs.log (MSAD group sync)

  • Issue: These messages are reported in the Log > Box > Control > phibs.log file:
    MSAD-Offline-Groups Search for groups on x.x.x.x failed (Size limit exceeded) (bad Active-Directory-configuration?). MSAD-group sync failed.
  • Reason: These messages occur if the synced authentication group is too big. To avoid DoS attacks, MSAD limits the size of its replies. The groups are synced from the BaseDN downward, and the answer for your configured BaseDN contains too much data. Active Directory therefore only answers with Size limit exceeded, which is logged in your phibs log.
  • Solution: You must set a more specific BaseDN in order to decrease the size of your group:
    • Example 1: Bigger request size of groups:
      BaseDN = OU=de,DC=mydomain,DC=com
    • Example 2: Smaller request size of groups:
      BaseDN = OU=groups,OU=users,OU=de,DC=mydomain,DC=com
    • You can also increase the maximum allowed request size for Active Directory (AD). Run Ntdsutil to edit the MaxPageSize setting for AD. By default, this setting is 1000, so an LDAP request must not have more than 1000 results.

MailGW HA-Sync error 'filename too long'

  • Issue: In the MailGW log, the following error lines are logged: 
    HA-SYNC (11646) (2) CDiPacket::Send() (2) CReqPacket::Code(): filename too long
  • Reason: There is an email in your queue that has an attached file with a file name of more than XX characters.
  • Solution: Search for the spoolID that caused the error in your CloudGen Firewall Mail Gateway interface and delete it.

'csum failure' reported in klogd.log

  • Issue: The following error message is reported in the Log > Box > System > klogd.log file: 
    Info kernel: udp v4 hw csum failure<notice lines>
  • Reason: The network interface card is either receiving corrupt data on the Ethernet level or the network interface card driver is generating errors during checksum calculation.
  • Solution: This error has no harmful effect. Deactivating HW checksumming stops the message from being recorded if faulty checksum calculation is the cause. Whether HW checksumming can be deactivated depends on the available network interface card driver options.
    • Example 1: Deactivation of HW checksumming for the e1000 driver: Option: XsumRX=0 (0=off, 1=on)
    • Example 2: Deactivation of HW checksumming for the e100 driver works exactly the same way: Option: XsumRX=0 (0=off, 1=on)

'Block Local Loop' reported in the firewall history

  • Issue: This message is reported in the firewall access cache (displayed only when the "drop" cache is activated):
    FWD eth0 10.0.0.100 10.0.0.1 TCP139 Block Local.
  • Reason: In the firewall rule that is responsible for traffic redirection to a local IP address, the Dst NAT action type is used instead of App Redirect.
  • Solution: In the firewall rule that is blocking traffic redirection to the local IP address, change the action type to App Redirect. For more information, see How to Create an App Redirect Access Rule.

'No route to NTP Servers'  

  • Issue: In some cases, you will get the following warning after the logical check:
    Warning: [0141176] o boxnet(k,ARGS): no route from 192.168.245.186 to all NTP servers >>x.x.x.x x.x.x.x<<
  • Reason: For CC-administered boxes, Barracuda's concept is that time synchronization always runs over the remote management tunnel (box tunnel), so the system always uses a private/local IP address to contact the NTP server(s). Barracuda recommends this concept because it ensures that the CC and the box have the correct and identical time.
  • Solution: Change the configuration to the following:
    1. Define the external NTP server(s) on the CC box and start the ntpd.
    2. On the remote boxes, define the CC-Box-IP as the NTP server (ntpd always binds to the Box-IP) and start the ntpd.

Request handler got signal 25 

  • Issue: The Barracuda CloudGen Firewall stops forwarding traffic. The following entries are displayed in the Log > Box > fatal.log section: 
    Fatal +0100 [box_Control_daemon] Box service boxfw is NOT active
    Fatal +0100 [box_Firewall] [Main] Process: Request handler got signal 25 lastPos=1
  • Reason: This problem occurs if the firewall handles a high traffic load and thus generates huge log files. When the log file size reaches 2 GB, the firewall crashes.
  • Solution: Cycle the logwrap in short intervals. Insert the following cronjob on the system and run it every two hours:
    /opt/phion/modules/box/boxsrv/logwrap/bin/logwrapd -w & &>/dev/null

    Do not run the cronjob between 01:00 and 02:00 AM. This would cause a conflict between logstor and logwrap, because logstor also runs at this time.

acpf_mmap_not_present

  • Issue: The Host firewall does not start the installation of a patch or hotfix. In the Log > fatal.log file and on the Control > Service page, the following message is displayed for the boxfw module:
    acpf_mmap_not_present
  • Reason: This message occurs when the acpf kernel module cannot be reloaded automatically.
  • Solution: Reboot the Barracuda NG Firewall to initialize the new acpf module.

Event Message

'Corrupted Data File' with ID 150

  • Issue: This message is reported in the event viewer: 
    Corrupted Data File deleted cstat cstatd 150

  • Reason: If a statistics file is erroneous, the statistics cook daemon deletes this file and Event ID 150 is displayed in the event viewer.
  • Solutions
    • The system was shut down (powered off) while writing the statistics into a file. Check the CPU and MEM statistics for irregularities in the records. Then check the Status interface in phiona for uptime.
    • Either the hard disk or file system has an error. Consult the Log > Box > System > klogd.log file for hard disk error messages. Then consult the Log > Box > Statistic > cstatd.log file for clock skew messages (many entries). If you use an IDE hard disk, enter the following on the command line: 
      smartctl -a /dev/hda 
      For more information on clock skew events, see Logging of Clock Skew Events.

Status Messages

Parent License not found  

  • Issue: The box license of a Control Center-administered system is in "Grace Mode" with a status message that states "Parent License not found". The following status message is displayed in Control > Licenses > Active Licenses > Status:
    Parent-License-xxxxxxxx-xxxxx-xx-not-found.

  • Reason: An incorrect license was inserted into the Barracuda NG Control Center. The license was imported directly from a file, instead of from the pool.
  • Solution: Import the license from the license pool on the Config > Multi-Range > Global Settings > Pool Licenses page.

Connect Script Failed

  • Issue: This message is continuously reported at a connection to the CloudGen Firewall via serial console: 
    Connect script failed.

  • Reason: On Config > Administrative Settings > System Access > Serial Settings, the wrong connection setting value may have been selected.
  • Solution: Switch the access type to Console Only. Save the configuration by clicking Send Changes and then Activate.

respawning too fast

  • Issue: This message is continuously reported at the command-line prompt: 
    INIT: Id "s0" respawning too fast: disabled for 5 minutes
    INIT: Id "s0" respawning too fast: disabled for 5 minutes
    INIT: Id "s0" respawning too fast: disabled for 5 minutes
  • Reason: This message occurs when the serial console is disabled in the BIOS and enabled in the configuration, or the serial console is disabled in the configuration and enabled in the BIOS.
  • Solution: Check the BIOS and serial console settings (Config > Box > Administrative Settings > System Access). Make sure that the serial console settings match in both configurations.

RPM not clean

  • Issue: The CloudGen Firewall displays a Dirty Release of the phionnet_boxmisc package on the Control > Licenses page. The following links are missing:
    ....L... /opt/phion/config/sessions
    ....L... /opt/phion/config/update
    ....L... /opt/phion/run
    ....L... /var/phion/logs
    ....L... /var/phion/run
    ....L... /var/phion/stat
    ....L... /var/phion/sys
  • Reason: These links are used on Flash systems to prevent write access to the CF card. The system is configured as a non-Flash system, although the OS detects a CF card. Because the autodetection affects the necessary package state, these links are marked as missing.
  • Solution: Configure your CloudGen Firewall as a Flash system. Set Config > Box > Box Properties > Storage Architecture to Flash-RAM and then reboot your system.

Dirty Sync State  

  • Issue: The HA sync of the Barracuda NG Control Center is pending in the "Dirty Sync State" status.
  • Reason: A restart of the Control service or the CC-Conf service can cause HA synchronization disruption. In this case, the PAR file used in the synchronization process is not deleted from the file system in the final step. This disturbs the synchronization process.
  • Solution:
    1. Log into the Barracuda NG Control Center, click Config and open the HA Sync dialog.
    2. Press Clear Dirty Status to clear the "dirty" state.

'Permission denied'  on /tmp/ folder 

  • Issue: In some cases, the permissions on the /tmp/ folder are incorrect, and the following warning appears in the spam-filter log:
    Warning +0100 spamd[13413]: util: secure_tmpfile failed to create file \'/tmp/.spamassassin13413iriSVztmp\': Permission denied 
    If you check the rights for the directory you will get the following output:
    drwxr-xr-x
  • Reason: This issue can occur after a software update.
  • Solution: Log in to the affected system via SSH and change the permissions of the /tmp/ directory as follows:
    chmod -R 777 /tmp/
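
A check for this entry, added here as an example and not part of Barracuda's documentation: it reads the mode string that `ls -ld` prints, reports whether the sticky bit is set (the conventional Linux mode for /tmp is 1777, shown as drwxrwxrwt), and counts the entries that a recursive chmod left world-writable. The function names are hypothetical.

```bash
#!/bin/sh
# Added example: inspect a directory the way this entry does (via `ls -ld`),
# then audit what a recursive chmod left behind.

# Prints one of:
#   missing | not-world-writable | world-writable-no-sticky | world-writable-sticky
tmp_mode_state() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 0; }
    # First 10 characters of the listing, e.g. drwxr-xr-x or drwxrwxrwt
    mode=$(ls -ld "$dir" | cut -c1-10)
    other_w=$(printf '%s' "$mode" | cut -c9)    # write bit for "others"
    other_x=$(printf '%s' "$mode" | cut -c10)   # x, t (sticky+x), T (sticky) or -
    if [ "$other_w" != "w" ]; then
        # The drwxr-xr-x case from the entry: only the owner can create files
        echo "not-world-writable"
    elif [ "$other_x" = "t" ] || [ "$other_x" = "T" ]; then
        # Users can create files but cannot delete or rename files of others
        echo "world-writable-sticky"
    else
        echo "world-writable-no-sticky"
    fi
}

# Counts entries below DIR (not DIR itself, not symlinks) that any local user
# may write to. After a recursive chmod 777 this is every file and directory.
world_writable_entries() {
    find "$1" -mindepth 1 ! -type l -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Report the current state of /tmp on this host.
echo "/tmp: $(tmp_mode_state /tmp)"
```

Run `world_writable_entries /tmp` after the change to see how many existing temporary files became writable by every local account.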

Authentication Failed   

  • Issue: The Config HA Sync of a Single Box HA System or the Rangetree HA Sync fails with the "Authentication Failed" status.
  • Reason: The trust-chain between the two HA systems does not work correctly.
  • Solution:
    1. Clear the "dirty sync" as described in Monitoring, Managing and Rebuilding HA Clusters.
    2. On both systems, go to the Control > Box page and change the Authentication Level setting from Check Key and IP address to No Authentication.
    3. Complete an initial HA sync as described in High Availability, and then wait for the sync to finish successfully.
    4. On both systems, go to the Control > Box page and change the Authentication Level setting from No Authentication to Check Key and IP address.

Boot Messages and Issues

'LI' prompt 

  • Issue: The CloudGen Firewall is unable to boot successfully. The bootloader stops with an "LI" prompt.
  • Reason: If the CloudGen Firewall bootloader (LILO) is configured to write the monitor output to a serial console, at least serial interface 1 (COM 1) must be activated on the system. If the system does not have any serial interfaces or if all serial interfaces are disabled in the BIOS, the bootloader hangs.
  • Solution:
    • Enable serial interface 1 (COM 1) in the system's BIOS.
      or 
    • Disable the serial console. If you are installing without a PAR file, disable it when specifying your settings with Barracuda F-Series Install. If you are installing with a PAR file, disable it in the configuration of the system (Settings section). 

Destroyed inittab file 

  • Issue: The CloudGen Firewall no longer starts and instead hangs when LILO initializes. If the system can be started in single-user mode, a destroyed inittab file is found. Numerous faults may also be displayed in the superblocks.

  • Reason: One possible reason can be a power blackout.
  • Solution:
    1. Start the CloudGen Firewall in single-user mode and run the following commands:

      umount /boot
      umount /phion0
      mount -o remount,ro /
      fsck -AT -- -yf
      sync
    2. Restart the system with the following command:  
      reboot  
    3. If the superblock has been destroyed, use the following command to fix the error: 
      fsck -AT -- -yf   
      The fsck command should also display the e2fs-error.
    4. If no bad blocks can be found, run the following command:  
      fsck -AT -- -yfc 

freeing unused kernel

  • Issue: The firewall system boots but the boot process stops. The last message displayed is:
    Freeing unused kernel memory
  • Reason: This mostly happens if the system is restarted by pressing reset or after a power failure.
  • Solution:
    1. Check whether there is HDD activity on the system or not. If there is massive HDD activity, the system is performing an automatic file system check. Wait until the check is done. The system will continue its boot process automatically.
    2. If there is no HDD activity (or the system has no HDD activity light), connect to the system's serial console with the following settings: 
      19200,8,n,1 flow control off
    3. You can see at the prompt that a manual file system check is required. Perform the following steps:

For IDE HDD systems:

/bin/umount /dev/hda1
/bin/umount /dev/hda2
/bin/umount /dev/hda3
/bin/umount /dev/hda4
/bin/umount /dev/hda5

ext2 file system:

/sbin/fsck.ext2 -y /dev/hda1 
/sbin/fsck.ext2 -y /dev/hda2
/sbin/fsck.ext2 -y /dev/hda3
/sbin/fsck.ext2 -y /dev/hda4
/sbin/fsck.ext2 -y /dev/hda5
/sbin/fsck.ext2 -y /dev/hda6

ext3 file system:

/sbin/fsck.ext3 -y /dev/hda1
/sbin/fsck.ext3 -y /dev/hda2
/sbin/fsck.ext3 -y /dev/hda3
/sbin/fsck.ext3 -y /dev/hda4
/sbin/fsck.ext3 -y /dev/hda5
/sbin/fsck.ext3 -y /dev/hda6

For SCSI HDD systems:

/bin/umount /dev/sda1
/bin/umount /dev/sda2
/bin/umount /dev/sda3
/bin/umount /dev/sda4
/bin/umount /dev/sda5

ext2 file system:

/sbin/fsck.ext2 -y /dev/sda1 
/sbin/fsck.ext2 -y /dev/sda2
/sbin/fsck.ext2 -y /dev/sda3
/sbin/fsck.ext2 -y /dev/sda4
/sbin/fsck.ext2 -y /dev/sda5
/sbin/fsck.ext2 -y /dev/sda6

ext3 file system:

/sbin/fsck.ext3 -y /dev/sda1
/sbin/fsck.ext3 -y /dev/sda2
/sbin/fsck.ext3 -y /dev/sda3
/sbin/fsck.ext3 -y /dev/sda4
/sbin/fsck.ext3 -y /dev/sda5
/sbin/fsck.ext3 -y /dev/sda6