Internet Gatekeeper error logs - F-Secure Community
<main> <article class="userContent"> <p> </p> Internet Gatekeeper error logs <p>The information in this article applies to F-Secure Internet Gatekeeper version 4.10 and later. </p> <p>Bracketed strings indicate fields that vary from message to message. Brackets ('<' and '>') are not actually printed as part of messages; they are included below for clarity only. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL [<Location>] bind=Address already in use(98)(addr=<Address>, port=<Port>). # Please check whether other service(mail/web server,etc...) is already running on port <Port>.</pre> <h3>Description</h3> <p>The service cannot be started because it cannot bind to the configured address and port. The product listens on the port that it requests with the bind() Linux system call. This error is displayed when bind() fails because the specified port number is already in use. </p> <h3>Solution</h3> <p>Check the other service that uses the same port. Stop the service if it is not needed. If the service is needed, configure the port of the service and the port used by the product to be different. You can check which process uses each port and address by using "netstat -anp" ("system/netstat_anp.txt" in the diagnostic information). </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] Maximum connections: warning: Client connections reached maximum connections(<Maximum value>). More request will be blocked/rejected. If there is many warnings, please increase 'Maximum Connections' settings(pre_spawn value of virusgw.ini) of this service. (<Provisional value> will be good value as start line).</pre> <h3>Description</h3>
<p>Logged when the maximum number of client connections is reached. When the maximum number of connections is reached, processing continues only after the number of connections has decreased. </p> <p>The backlog (backlog of the Linux listen() system call) is set to 5 when the maximum number of connections is reached. For this reason, up to 6 TCP connect requests can still reach the "ESTABLISHED" state when the maximum number of connections is reached, and connect requests beyond that limit are given the connection status "SYN_RECV". While the maximum number of connections is reached, the product does not process these connections, even those that Linux has already answered at the TCP level. </p> <p> You can check the maximum number of connections by looking at the internal process ID ("PROXY-STAT:[Service type]:[Internal process ID]:..") in the access logs. Internal process IDs start at 0, and IDs with smaller numbers have higher priority. Therefore, ([internal process ID]+1) is the number of simultaneous connections at the time the corresponding access started. In addition, you can count the connections in the ESTABLISHED state on the corresponding port with the netstat command (port 9080 is used in the example): </p><pre class="code codeBlock" spellcheck="false"># netstat -anp | grep :9080 | grep ESTABLISHED | wc -l</pre> <h3>Solution</h3> <p><strong>Situation</strong>: only a small number of messages appear (for example, 1 error every hour), the product appears to be working fine, and the increase in the number of connections can be considered temporary. </p> <p><strong>Solution</strong>: you do not need to change any settings. </p> <p><strong>Situation</strong>: the scan timeout value is set to 90 seconds by default. If it is disabled (set to 0) or changed to a bigger value, scanning can take a long time for a specific file. This may cause the number of connections to reach the maximum. </p> <p><strong>Solution</strong>: reset the timeout value to the default value of 90 seconds. 
</p> <p><strong>Situation</strong>: if there is a network problem between the product and the server or client, the number of connections may reach the maximum. </p> <p><strong>Solution</strong>: fix the network problem. </p> <p><strong>Situation</strong>: if the above cases do not apply (several errors are logged, scan timeout value is not changed, no network problems exist) and servers cannot be accessed, the number of connections needed may be over the maximum value set. </p> <p><strong>Solution</strong>: increase the maximum number of connections as needed. If the number of client connections that are needed cannot be determined, configure the following provisional values to test the system: HTTP 200, SMTP 50, POP 50, FTP 10. After testing the system, revise the settings if needed. Usually, the maximum number of connections should be set to under 2000 connections. </p> <p>If you increase the maximum number of connections, more connections are allowed, but it requires more memory. Approximately 500 KB of memory is used for each connection. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] getaddrinfo failed. admin_mx_host=[<Host name>] admin_mx_port=[<Host port>] gai_strerror=[<Error details>]</pre> <h3>Description</h3> <p>The SMTP server ("admin_mx_host" in /opt/f-secure/fsigk/conf/fsigk.ini), which is configured to send notifications to the administrator after a virus or spam detection, could not be retrieved. </p> <h3>Solution</h3> <p>Check if the configured host name of the SMTP server can be retrieved. 
</p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] connect=<Error message>(<Error code>) cannot connect to admin mail server[<Host name>:<Host port>]</pre> <h3>Description</h3> <p>Connection to the SMTP server ("admin_mx_host", "admin_mx_port" in /opt/f-secure/fsigk/conf/fsigk.ini), which is configured to send notifications to the administrator after a virus or spam detection, was successful. However, an error occurred. </p> <h3>Solution</h3> <p>Check if the host name and port number of the configured SMTP server can be accessed. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] smtp error: Send command line: buf=[<Response line>] (expected <Expected response code>)</pre> <h3>Description</h3> <p>The response message using SMTP for sending notifications to the administrator after a virus or spam detection returned an error. </p> <p>The send command indicates the SMTP connection status. It can be either "HELO/MAIL FROM/RCPT TO/DATA/QUIT" (when each command is sent), "GREETING" (when the connection is started) or "DATA END" (when data has been sent). </p> <h3>Solution</h3> <p>Check the [Response line] if mail can be sent to the configured SMTP server. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL [<Location>] semget=<Error message>(<Error code>) semget failure. Childnum(pre_spawn=<Maximum value>) may be large. If needed, maximum semaphore number(SEMMNI) can be increased by adding a line like 'kernel.sem=250 128000 32 512' in '/etc/sysctl.conf' and running 'sysctl -p'.</pre> <h3>Description</h3> <p>The service could not be started because the semaphore could not be secured. </p> <h3>Solution</h3> <p>If a service process (fsigk_xxx) is terminated, for example by the "kill -KILL" command, an error can occur if semaphores are not released and left in the system process. In this case, restart the server (Operating System). 
You can check the semaphores that are currently in use in "/proc/sysvipc/sem". </p> <p>If the maximum number of connections is set to a large number, this error is more likely to occur because more semaphores are needed. Set the maximum number of connections to under 2000 connections. Use a larger number only if it is absolutely necessary. Usually, the maximum number of connections should not be set to over 2000 connections. </p> <div>The product requires semaphores according to the number of processes. You may sometimes need to increase the number of semaphores that the operating system can use. This may happen, for example, when the maximum number of connections needs to be increased or if other processes are using a large number of semaphores. To increase the number of semaphores: <ol><li>Add the following line to /etc/sysctl.conf: <pre class="code codeBlock" spellcheck="false">kernel.sem=250 128000 32 512</pre> </li> <li>Run the following command: <pre class="code codeBlock" spellcheck="false"># sysctl -p</pre> </li> <li>Check that the number of semaphores has been configured. Use the following command: <pre class="code codeBlock" spellcheck="false"># cat /proc/sys/kernel/sem
250 128000 32 512</pre> </li> </ol></div> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] sendfile timeout: No data can be sent for 120 seconds. There may be a temporary network problem between receiver. / URL=[<URL>], n=<Count>, written=<Count>, filelen=<Count>, writesize=<Count></pre> <h3>Description</h3> <p>Logged when a session is disconnected because no data could be sent for 120 seconds. </p> <h3>Solution</h3> <p>Check if there are any problems in the network. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] Too large header (><Limit bytes>) ignored. URL=[<URL>]</pre> <h3>Description</h3> <p>Is displayed when an HTTP response header is too large (over 17 KB). The service is working without any problems. 
</p> <h3>Solution</h3> <p>Check if the problem occurs for a specific URL or browser. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL [<Location>] not enough diskspace in temporary directory [<Directory name>]. (<Count> kB free?)(ret=<Return code>)</pre> <h3>Description</h3> <p>Is displayed when the temporary directory has less than 5 MB of free space. The service does not start. </p> <h3>Solution</h3> <p>Free up disk space in the temporary directory. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL [<Location>] Realtime virus scan seems to be enabled. Please stop realtime virus scan, or exclude scanning for temporary directory(<Directory name>)</pre> <h3>Description</h3> <p>Is displayed when another anti-virus software is found and real-time virus protection is enabled for the temporary directory. The service does not start. </p> <h3>Solution</h3> <p>Disable real-time virus protection altogether or disable it against the temporary directory. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] [<Action on detection>]:smtp error:[<Send command name>]: buf=[<Response line>]</pre> <h3>Description</h3> <p>The response message using SMTP for sending notifications to the sender/recipient after a virus or spam detection returned an error. </p> <p>The options for [What to do when a virus is detected] are "Block", "Notify recipients after deleting the mail", and "Delete". </p> <p>The send command indicates the SMTP connection status. It can be either "RSET/MAIL FROM/RCPT TO/DATA/QUIT" (when each command is sent), or "DATA END" (when data has been sent). </p> <h3>Solution</h3> <p>Check the [Response line] and see if mail can be sent to the SMTP server. 
</p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] NOOP command reply error [<Response line>]</pre> <h3>Description</h3> <p>Is displayed when a NOOP command sent to an FTP server returns a response other than 200. </p> <h3>Solution</h3> <p>Check if the FTP server is disconnected or if it is correctly responding to the NOOP command. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL/WARNING [<Location>] System call=Too many open files in system(23) <Error message></pre> <h3>Description</h3> <p>Displays a message which indicates that there are too many open files. This message appears when the number of open files has reached the maximum allowed limit on the system. </p> <div>You can check the number of file handles at /proc/sys/fs/file-nr in the following way: <pre class="code codeBlock" spellcheck="false"># cat /proc/sys/fs/file-nr
[Allocated file handles] [File handles being used] [Maximum allowed file handles]</pre> </div> <div> Example: <pre class="code codeBlock" spellcheck="false"># cat /proc/sys/fs/file-nr
1864 504 52403</pre> </div> <h3>Solution</h3> <p>Check if there are any processes that are using a lot of file handles. You can use, for example, the "lsof" command. 
</p> <p>If there are no problems in the system and the number of file handles being used is approaching the maximum, increase the file handles by changing "/proc/sys/fs/file-max" in the following way: </p> <div> <ol><li>Add the following line to /etc/sysctl.conf (the maximum number of file handles is changed to 65535): <pre class="code codeBlock" spellcheck="false">fs.file-max = 65535</pre> </li> <li>Run the following command to apply the changes: <pre class="code codeBlock" spellcheck="false">sysctl -p</pre> </li> </ol></div> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL/WARNING [<Location>] open=No such file or directory(2) <Error message></pre> <h3>Description</h3> <p>Is displayed when a temporary file used by the product cannot be opened. </p> <h3>Solution</h3> <p>Check if the temporary file has been deleted by a command or another program. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL [<Location>] Cannot find tproxy(version2) interface. Tproxy kernel patch is required. Please apply the tproxy patch and check that "/proc/net/tproxy" exists. Please see document for "transparent_tproxy" settings for details.</pre> <h3>Description</h3> <p>Is displayed when the TPROXY usage setting (Source IP retained, "transparent_tproxy=yes") is enabled and the tproxy patch is not working. </p> <h3>Solution</h3> <p>The tproxy patch may not be applied to the kernel. Check if /proc/net/tproxy exists. </p> <p>If you use Turbolinux 10 Server, please note the following: - kernel-2.6.8-5 or later must be used. Check that the kernel version is 2.6.8-5 or later by using the "uname -a" command. If the kernel version is old, update the kernel of Turbolinux 10 to the latest one. </p> <p>- The iptable_tproxy module must be loaded. Check if the "iptable_tproxy" module is included in the results from the "lsmod" command. 
If it is not, load the module by following the steps below: </p> <div> <ol><li>In /etc/sysconfig/iptables-config, set iptables to load iptable_tproxy by editing the IPTABLES_MODULES line in the following way:<pre class="code codeBlock" spellcheck="false">IPTABLES_MODULES="iptable_tproxy"</pre> </li> <li>Restart iptables: <pre class="code codeBlock" spellcheck="false"># /etc/rc.d/init.d/iptables restart</pre> </li> <li>Check if /proc/net/tproxy exists. </li> <li>Restart the Internet Gatekeeper. </li> </ol></div> <p>If a previous version of tproxy (version1) is used, add "transparent_tproxy_version=1" to the configuration file and restart the service. Please note that tproxy version1 may not be supported in the future. For this reason, we recommend that you use version2. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] vsc_start() error</pre> <h3>Description</h3> <p>Virus definition files or the scanning engine library could not be loaded. </p> <h3>Solution</h3> <p>If virus definition files or files used by scanning engines are deleted, overwrite the installation with the following command: </p> <div>For rpm package: <pre class="code codeBlock" spellcheck="false"># rpm -Uvh --force fsigk-xxx-0.i386.rpm</pre> </div> <div>For deb package: <pre class="code codeBlock" spellcheck="false"># dpkg -r fsigk
# dpkg -i fsigk-xxx_all.deb</pre> </div> <p>If SELinux is used, check if there are errors in /var/log/messages to see if policies are denying the process from loading. In addition, disable SELinux to check if the error occurs. You can disable SELinux by setting "SELINUX=disabled" in /etc/sysconfig/selinux. After that, restart the server. 
</p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] child(<Index>) stopped.(sig=17[SIGCHLD], si_code=3[CLD_DUMPED], status=<Child status>, childid=<Id>, cur_pid=<Process Id>,pid=<Child Process Id></pre> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] core dumped(child proxy process). Please send core file(core or core.xxx) on the installation directory and diag.tar.gz to support center. (child=<Index>,sig=17[SIGCHLD], si_code=3[CLD_DUMPED],status=<Child status>(<Status string>),childid=<Id>,cur_pid=<Process Id>, pid=<Child Process Id>)</pre> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] Error recovery: restarting service...</pre> <h3>Description</h3> <p>The proxy process was terminated abnormally (core dump). In addition, the service was restarted. The 3 error messages appear consecutively. </p> <h3>Solution</h3> <p>The service is restarted and recovered automatically so it can be used again. The service is stopped while it is being restarted (approx. 10 seconds). </p> <p>If this message appears, there is a good chance that a problem exists in the product. In order to have F-Secure take a look at the problem, please send all of the files which begin with "core" in the installation directory (/opt/f-secure/fsigk/) to F-Secure. </p> <p>If you are not using the latest version of the product, please update to the latest version if possible. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] accept=Connection reset by peer(104) main/accept_loop/accept(s=<Id>)</pre> <h3>Description</h3> <p>This message can appear if you use kernel 2.2 and if you disconnect immediately after the connection is established. The product can work properly even if this message appears. </p> <h3>Solution</h3> <p>Kernel 2.2 is not supported anymore. If possible, update your distribution. 
</p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">CRITICAL [<Location>] LICENSE_ERROR#ret=-1#msg=License Expired</pre> <h3>Description</h3> <p>The evaluation license of the product has expired. </p> <h3>Solution</h3> <p>Purchase a license and enter the license key to activate the product. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] Commtouch database error: Initial database update may be on going. Wait a moment. (dlopen(./databases/commtouchunix.0/libfsasd-lnx32.so) failed. dlerror(): ./databases/commtouchunix.0/libfsasd-lnx32.so: cannot open shared object file: No such file or directory)</pre> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] Commtouch database error: Initial database update may be on going. Wait a moment. (FsasFunctionsInitialize failed.)</pre> <h3>Description</h3> <p>These two errors mean that there is no database for commtouch spam scanning engine. </p> <h3>Solution</h3> <p>Wait for a while until initial database downloading is done. </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] fsas_open_session(./fsasd-socket) failed.</pre> <h3>Description</h3> <p>This error means that there is no 'fsasd' process running. </p> <h3>Solution</h3> <p>Please start fsasd services by running "/etc/init.d/rc.fsigk_fsasd start" or "/etc/init.d/rc.virusgw_fsasd start". </p> <h3>Message</h3> <pre class="code codeBlock" spellcheck="false">WARNING [<Location>] fsav_open_session: Cannot connect to fsavd's socket(./fsavd-socket-0). fsavd may be not running. Please run 'rc.fsigk_fsavd restart' to restart fsavd.</pre> <h3>Description</h3> <p>The socket (./fsavd-socket-0) of the scan engine (fsavd) could not be reached. The scan engine (fsavd) may not be running. </p> <h3>Solution</h3> <p>The scan engine (fsavd) starts automatically if it is run from the web console. 
If the proxy service is run from the command-line, the scan engine (fsavd) must be started in advance. Restart the scan engine with the "/opt/f-secure/fsigk/rc.fsigk_fsavd restart" command. </p> </article> </main>
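<p>Added example, not part of the original F-Secure article: a capacity check for the "Maximum connections" warning and the "semget failure" error described above. It counts ESTABLISHED and SYN_RECV sockets on the proxy port, estimates memory for a given pre_spawn value, and compares the semaphore sets in use against the kernel.sem limits. The function names and all sample data are constructed for illustration; port 9080 and the kernel.sem values are taken from the article.</p>

```shell
#!/bin/sh
# Added example. All sample data is constructed; run the functions on real
# `netstat -an` output, /proc/sysvipc/sem and /proc/sys/kernel/sem in practice.

# conn_states PORT: read `netstat -an` output on stdin; count sockets whose
# LOCAL address ends in :PORT, so outbound connections to a remote :PORT
# (which a plain `grep :PORT` also matches) are not counted.
conn_states() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            if ($6 == "ESTABLISHED") est++
            else if ($6 == "SYN_RECV") syn++
        }
        END { printf "ESTABLISHED=%d SYN_RECV=%d\n", est, syn }'
}

# conn_memory_kb PRE_SPAWN: memory estimate at about 500 KB per connection.
conn_memory_kb() { echo $(( $1 * 500 )); }

# sem_headroom SEM_TABLE LIMITS: SEM_TABLE is /proc/sysvipc/sem (header line,
# then one row per semaphore set, nsems in column 4); LIMITS is
# /proc/sys/kernel/sem (SEMMSL SEMMNS SEMOPM SEMMNI).
sem_headroom() {
    awk 'NR == FNR { if (FNR > 1) { sets++; sems += $4 }; next }
         { semmns = $2; semmni = $4 }
         END { printf "sets=%d/%d sems=%d/%d\n", sets, semmni, sems, semmns }' \
        "$1" "$2"
}

sample_netstat() { cat <<'EOF'
tcp        0      0 0.0.0.0:9080        0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:9080     198.51.100.21:51234  ESTABLISHED
tcp        0      0 192.0.2.10:9080     198.51.100.22:51301  ESTABLISHED
tcp        0      0 192.0.2.10:9080     198.51.100.23:40112  SYN_RECV
tcp        0      0 192.0.2.10:51000    203.0.113.5:9080     ESTABLISHED
EOF
}

sample_sem_table() { cat <<'EOF'
       key      semid perms      nsems   uid   gid  cuid  cgid      otime      ctime
         0      32768   600        201     0     0     0     0 1700000000 1700000000
         0      65537   600         51     0     0     0     0 1700000000 1700000000
EOF
}

demo() {
    d=$(mktemp -d)
    sample_sem_table > "$d/sem"
    echo "250 128000 32 512" > "$d/limits"
    sample_netstat | conn_states 9080
    sem_headroom "$d/sem" "$d/limits"
    echo "pre_spawn=200 needs about $(conn_memory_kb 200) KB"
    rm -rf "$d"
}
demo
```

<p>On a live system, call <code>netstat -an | conn_states 9080</code> and <code>sem_headroom /proc/sysvipc/sem /proc/sys/kernel/sem</code>; semaphore sets that remain listed after the service has been stopped point to the leaked semaphores described for the semget error.</p>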