High number of connections leads to ONTAP firewall error ipfw.ReachedMaxStates causing CIFS and NFS outage
Applies to
- ONTAP 9
- Node Firewall (IPFW)
- CIFS/SMB
- NFS
Issue
- Event
ipfw.ReachedMaxStates accompanied by NFS or CIFS outage
[Node-01: secd: ipfw.ReachedMaxStates:notice]: The ipfw firewall failed to create dynamic "keep-state" entry. Reason: Dynamic entries for 'keep-state' rules allocation failure, current # of entries: 32768. Recent connections reaching this limit: [10.1.1.10]:29441->[0.0.0.0]:53 (UDP):32768; [10.1.1.10]:12204->[0.0.0.0]:53 (UDP):32768; [10.1.1.10]:51003->[0.0.0.0]:53 (UDP):32768; [10.1.1.10]:17652->[0.0.0.0]:53 (UDP):32768;
- ONTAP is not able to connect to AD for authentication, leading to CIFS access issues
- CIFS/NFS is intermittently inaccessible
- External name services are unavailable with the error: permission denied
[Node-01 ERROR secd.cifsAuth.problem: vserver (SVM1) General CIFS authentication problem. Error: User authentication procedure failed
CIFS SMB2 Share mapping - Client Ip = 10.1.1.115
[ 0 ms] Login attempt by domain user 'HBEU\HBEU-SVC-SA-S1SVC' using NTLMv2 style security
[ 3] Failed to connect to 10.1.1.245 for DNS via Source Address 10.1.1.10: Permission denied
[ 4] Failed to connect to 10.1.1.245 for DNS via Source Address 10.1.1.10: Permission denied
[ 5] FAILURE: Unable to contact DNS to discover domain controllers.
[ 5] Unable to make a connection (NetLogon:DOMAIN.AD.CO), Result: RESULT_ERROR_DNS_CANT_REACH_SERVER
[ 5] CIFS authentication failed
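As an added example (not part of this KB article): a small Python parser for the ipfw.ReachedMaxStates event text shown above. It extracts the node, the current keep-state entry count and the reported connections, then groups the connections by source, destination, destination port and protocol so the service that is filling the dynamic-state table (here DNS lookups over UDP/53 from the node address 10.1.1.10) stands out in a SIEM rule or ticket. The sample line is constructed from the event above; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: modelled on the ipfw.ReachedMaxStates EMS event in this article.
SAMPLE_EVENT = (
    "[Node-01: secd: ipfw.ReachedMaxStates:notice]: The ipfw firewall failed to create "
    "dynamic \"keep-state\" entry. Reason: Dynamic entries for 'keep-state' rules allocation "
    "failure, current # of entries: 32768. Recent connections reaching this limit: "
    "[10.1.1.10]:29441->[0.0.0.0]:53 (UDP):32768; [10.1.1.10]:12204->[0.0.0.0]:53 (UDP):32768; "
    "[10.1.1.10]:51003->[0.0.0.0]:53 (UDP):32768; [10.1.1.10]:17652->[0.0.0.0]:53 (UDP):32768;"
)

NODE_RE = re.compile(r"^\[([^:\]]+):")
ENTRIES_RE = re.compile(r"current # of entries: (\d+)")
# One reported connection: [src]:sport->[dst]:dport (PROTO):count
CONN_RE = re.compile(
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+)->\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"\((?P<proto>\w+)\):(?P<count>\d+)"
)

def parse_reached_max_states(line):
    """Return None unless the line is an ipfw.ReachedMaxStates event; otherwise a dict
    with the node name, the current keep-state entry count and the listed connections."""
    if "ipfw.ReachedMaxStates" not in line:
        return None
    node = NODE_RE.search(line)
    entries = ENTRIES_RE.search(line)
    return {
        "node": node.group(1) if node else None,
        "entries": int(entries.group(1)) if entries else None,
        "connections": [m.groupdict() for m in CONN_RE.finditer(line)],
    }

def summarize_flows(event):
    """Count connections per (src, dst, dport, proto). The ephemeral source port is
    dropped on purpose: many source ports to one destination port is exactly the
    pattern (here DNS over UDP/53 from the node LIF) that fills the keep-state table."""
    return Counter((c["src"], c["dst"], c["dport"], c["proto"]) for c in event["connections"])

def alert_line(line):
    """One-line summary for a SIEM rule or ticket, or None if this is not the event."""
    ev = parse_reached_max_states(line)
    if ev is None or not ev["connections"]:
        return None
    (src, dst, dport, proto), n = summarize_flows(ev).most_common(1)[0]
    return (f"{ev['node']}: keep-state table full at {ev['entries']} entries; "
            f"dominant flow {src}->{dst}:{dport}/{proto} ({n} of {len(ev['connections'])} reported)")
```

Feeding the node's EMS log through alert_line() line by line gives one compact line per occurrence, which is enough to correlate the firewall state exhaustion with the secd DNS "Permission denied" failures that follow it.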
