IPFW firewall failed to create dynamic "keep-state" entry can cause DNS outage

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 647

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9
Object Storage

Issue

When ONTAP is configured to use object storage as an aggregate and it is unable to connect to the object store servers, ONTAP may encounter connectivity problems with other servers
EMS events for "ipfw.ReachedMaxStates":

[?] Tue Nov 15 16:51:25 1100 [node1: OscHighPriThreadPoo: ems.engine.suppressed:debug]: Event 'ipfw.ReachedMaxStates' suppressed 1532977 times in last 61 seconds. [?] Tue Nov 15 16:51:25 1100 [node1: OscHighPriThreadPoo: ipfw.ReachedMaxStates:notice]: The ipfw firewall failed to create dynamic "keep-state" entry. Reason: Dynamic entries for 'keep-state' rules allocation failure, current # of entries: 32800. Recent connections reaching this limit: [10.1.1.1]:14040->[10.22.33.44]:80 (TCP):32800; [10.2.2.1]:14036->[10.22.33.44]:80 (TCP):32800; [10.3.3.1]:14037->[10.22.33.44]:80 (TCP):32800; [10.4.4.1]:14038->[10.22.33.44]:80 (TCP):32800; [10.5.5.5]:14039->[10.22.33.44]:80 (TCP):32800;