Internet Gatekeeper error logs The information in this article applies to F-Secure Internet Gatekeeper version 4.10 and later.
Bracketed strings indicate fields that vary from message to message. Brackets ('<' and '>') are not actually printed as part of messages; they are included below for clarity only.
Message
CRITICAL [<Location>] bind=Address already in use(98)(addr=<Address>, port=<Port>). # Please check whether other service(mail/web server,etc...) is already running on port <Port>.
Description
The service cannot be started because the configured port and address cannot be reached. The product stands by to receive the port number specified by the bind() Linux system call. This error is displayed when bind() fails because the specified port number is already in use.
Solution
Check the other service that uses the same port. Stop the service if it is not needed. If the service is needed, configure the port of the service and the port used by the product to be different. You can check the process used by each port and address by using "netstat -anp" ("system/netstat_anp.txt" for diagnostic information).
Message
WARNING [<Location>] Maximum connections: warning: Client connections reached maximum connections(<Maximum value>). More request will be blocked/rejected. If there is many warnings, please increase 'Maximum Connections' settings(pre_spawn value of virusgw.ini) of this service. (<Provisional value> will be good value as start line).
Description
The service cannot be started because the configured port and address cannot be reached. The product stands by to receive the port number specified by the bind() Linux system call. This error is displayed when bind() fails because the specified port number is already in use.
Logged when the maximum number of client connections is reached. When the maximum number of connections is reached, processing continues only after the number of connections is decreased.
The backlog (backlog of Linux listen() system call) is set to 5 when the maximum number of connections is reached. For this reason, up to 6 TCP connect requests can be "ESTABLISHED" normally when the maximum number of connections is reached and for connect requests beyond the limit, "SYN_RECV" is assigned as the connection status. Processing does not continue even for TCP connections responded by Linux if the maximum number of connections is reached.
You can check the maximum number of connections by looking at the Internal process ID ("PROXY-STAT:[Service type]:[Internal process ID]:..") in the access logs. The internal process IDs (identifier starts with 0) with smaller numbers have higher priority. Therefore, [internal process ID]+1) applies to the simultaneous number of connections during the startup of the corresponding access. In addition, you can check the ESTABLISH status of the corresponding port numbers with the netstat command (port 9080 is used in the example):
# netstat -anp | grep :9080 | grep ESTABLISHED | wc -l
Solution
Situation: only a small number of messages appear (for example, 1 error every hour), the product appears to be working fine, and the number of increased connections can be considered temporary.
Solution: you do not need to change any settings.
Situation: the scan timeout value is set to 90 seconds by default. If it is disabled (set to 0) or changed to a bigger value, scanning can take a long time for a specific file. This may cause the number of connections to reach the maximum.
Solution: reset the timeout value to the default value of 90 seconds.
Situation: if there is a network problem between the product and the server or client, the number of connections may reach the maximum.
Solution: fix the network problem.
Situation: if the above cases do not apply (several errors are logged, scan timeout value is not changed, no network problems exist) and servers cannot be accessed, the number of connections needed may be over the maximum value set.
Solution: increase the maximum number of connections as needed. If the number of client connections that are needed cannot be determined, configure the following provisional values to test the system: HTTP 200, SMTP 50, POP 50, FTP 10. After testing the system, revise the settings if needed. Usually, the maximum number of connections should be set to under 2000 connections.
If you increase the maximum number of connections, more connections are allowed, but it requires more memory. Approximately 500 KB of memory is used for each connection.
Message
WARNING [<Location>] getaddrinfo failed. admin_mx_host=[<Host name>] admin_mx_port=[<Host port>] gai_strerror=[<Error details>]
Description
The SMTP server ("admin_mx_host" in /opt/f-secure/fsigk/conf/fsigk.ini), which is configured to send notifications to the administrator after a virus or spam detection, could not be retrieved.
Solution
Check if the configured host name of the SMTP server can be retrieved.
Message
WARNING [<Location>] connect=<Error message>(<Error code>) cannot connect to admin mail server[<Host name>:<Host port>]
Description
Connection to the SMTP server ("admin_mx_host", "admin_mx_port" in /opt/f-secure/fsigk/conf/fsigk.ini), which is configured to send notifications to the administrator after a virus or spam detection, was successful. However, an error occurred.
Solution
Check if the host name and port number of the configured SMTP server can be accessed.
Message
WARNING [<Location>] smtp error: Send command line: buf=[<Response line>] (expected <Expected response code>)
Description
The response message using SMTP for sending notifications to the administrator after a virus or spam detection returned an error.
The send command indicates the SMTP connection status. It can be either "HELO/MAIL FROM/RCPT TO/DATA/QUIT" (when each command is sent), "GREETING" (when the connection is started) or "DATA END" (when data has been sent).
Solution
Check the [Response line] if mail can be sent to the configured SMTP server.
Message
CRITICAL [<Location>] semget=<Error message>(<Error code>) semget failure. Childnum(pre_spawn=<Maximum value>) may be large. If needed, maximum semaphore number(SEMMNI) can be increased by adding a line like 'kernel.sem=250 128000 32 512' in '/etc/sysctl.conf' and running 'sysctl -p'.
Description
The service could not be started because the semaphore could not be secured.
Solution
If a service process (fsigk_xxx) is terminated, for example by the "kill -KILL" command, an error can occur if semaphores are not released and left in the system process. In this case, restart the server (Operating System). You can check the semaphores that are currently used at "/proc/sysvipc/sem".
If the maximum number of connections is set to a large number, this error is more likely to occur because more semaphores are needed. Set the maximum number of connections to under 2000 connections. Use a larger number only if it is absolutely necessary. Usually, the maximum number of connections should not be set to over 2000 connections.
The product requires semaphores according to the number of processes. You may sometimes need to increase the number of semaphores that the operating system can use. This may happen, for example, when the maximum number of connections needs to be increased or if other processes are using a large number of semaphores. To increase the number of semaphores:
- Add the following line to /etc/sysctl.conf:
kernel.sem=250 128000 32 512
- Run the following command:
# sysctl -p
- Check that the number of semaphores has been configured. Use the following command:
# cat /proc/sys/kernel/sem 250 128000 32 512
Message
WARNING [<Location>] sendfile timeout: No data can be sent for 120 seconds. There may be a temporary network problem between receiver. / URL=[<URL>], n=<Count>, written=<Count>, filelen=<Count>, writesize=<Count>
Description
Logged when a session is disconnected because no data could be sent for 120 seconds.
Solution
Check if there are any problems in the network.
Message
WARNING [<Location>] Too large header (><Limit bytes>) ignored. URL=[<URL>]
Description
Is displayed when a HTTP response header is too large (over 17 KB). The service is working without any problems.
Solution
Check if the problem occurs for a specific URL or browser.
Message
CRITICAL [<Location>] not enough diskspace in temporary directory [<Directory name>]. (<Count> kB free?)(ret=<Return code>)
Description
Is displayed when the temporary directory has less than 5 MB of free space. The service does not start.
Solution
Free up disk space in the temporary directory.
Message
CRITICAL [<Location>] Realtime virus scan seems to be enabled. Please stop realtime virus scan, or exclude scanning for temporary directory(<Directory name>)
Description
Is displayed when another anti-virus software is found and real-time virus protection is enabled for the temporary directory. The service does not start.
Solution
Disable real-time virus protection altogether or disable it against the temporary directory.
Message
WARNING [<Location>] [<Action on detection>]:smtp error:[<Send command name>]: buf=[<Response line>]
Description
The response message using SMTP for sending notifications to the sender/recipient after a virus or spam detection returned an error.
The options for [What to do when a virus is detected] are "Block", "Notify recipients after deleting the mail", and "Delete".
The send command indicates the SMTP connection status. It can be either "RSET/MAIL FROM/RCPT TO/DATA/QUIT" (when each command is sent), or "DATA END" (when data has been sent).
Solution
Check the [Response line] and see if mail can be sent to the SMTP server.
Message
WARNING [<Location>] NOOP command reply error [<Response line>]
Description
Is displayed when a NOOP command sent to a FTP server returns a response other than 200.
Solution
Check if the FTP server is disconnected or if it is correctly responding to the NOOP command.
Message
CRITICAL/WARNING [<Location>] System call=Too many open files in system(23) <Error message>
Description
Displays a message which indicates that there are too many open files. This message appears when the number of open files has reached the maximum allowed limit on the system.
You can check the number of file handles at /proc/sys/fs/file-nr in the following way:
# cat /proc/sys/fs/file-nr [Allocated file handles] [File handles being used] [Maximum allowed files handles]
Example:
# cat /proc/sys/fs/file-nr 1864 504 52403)
Solution
Check if there are any processes that are using a lot of file handles. You can use, for example, the "lsof" command.
If there are no problems in the system and the number of file handles being used is approaching the maximum, increase the file handles by changing "/proc/sys/fs/file-max" in the following way:
- Add the following line to sysctl.conf (the maximum number of file handles is changed to 65535):
fs.file-max = 65535
- Run the following command to apply the changes:
sysctl -p
Message
CRITICAL/WARNING [<Location>] open=No such file or directory(2) <Error message>
Description
Is displayed when a temporary file used by the product cannot be opened.
Solution
Check if the temporary file has been deleted by a command or another program.
Message
CRITICAL [<Location>] Cannot find tproxy(version2) interface. Tproxy kernel patch is required. Please apply the tproxy patch and check that "/proc/net/tproxy" exists. Please see document for "transparent_tproxy" settings for details.
Description
Is displayed when TPROXY usage settings (Source IP retained, transparent_tproxy=yes") are carried on and the tproxy patch is not working.
Solution
The tproxy patch may not be applied to the kernel. Check if /proc/net/tproxy exists.
If you use Turbolinux 10 Server, please note the following: - kernel-2.6.8-5 or later must be used. Check that the kernel version is 2.6.8-5 or later by using the "uname -a" command. If the kernel version is old, update the kernel of Turbolinux10 to the latest one.
The - iptable_tproxy module must be implemented. Check if the "iptable_tproxy" module is included in the results from the "lsmod" command. If it is not, include the module by following the steps below:
- In /etc/sysconfig/iptables-config, set iptables to read iptable_tproxy by editing the IPTABLES_MODULES line in the following way:
IPTABLES_MODULES="iptable_tproxy"
- Restart iptables:
# /etc/rc.d/init.d/iptables restart
- Check if /proc/net/tproxy exists.
- Restart the Internet Gatekeeper.
If a previous version of tproxy(version1) is used, add "transparent_tproxy_version=1" to the configuration file and restart the service. Please note that tproxy version1 may not be supported in the future. For this reason, we recommend that you use version2.
Message
WARNING [<Location>] vsc_start() error
Description
Virus definition files or the scanning engine library could not be loaded.
Solution
If virus definition files or files used by scanning engines are deleted, overwrite the installation with the following command:
For rpm package:
# rpm -Uvh --force fsigk-xxx-0.i386.rpm
For deb package:
# dpkg -r fsigk # dpkg -i fsigk-xxx_all.deb
If SELinux is used, check if there are errors in /var/log/messages to see if policies are denying the process from loading. In addition, disable SELinux to check if the error occurs. You can disable SELinux by editing "SELINUX=disabled" in /etc/sysconfig/selinux. After that, restart the server.
Message
WARNING [<Location>] child(<Index>) stopped.(sig=17[SIGCHLD], si_code=3[CLD_DUMPED], status=<Child status>, childid=<Id>, cur_pid=<Process Id>,pid=<Child Process Id>
WARNING [<Location>] core dumped(child proxy process). Please send core file(core or core.xxx) on the installation directory and diag.tar.gz to support center. (child=<Index>,sig=17[SIGCHLD], si_code=3[CLD_DUMPED],status=<Child status>(<Status string>),childid=<Id>,cur_pid=<Process Id>, pid=<Child Process Id>)
WARNING [<Location>] Error recovery: restarting service...
Description
The proxy process was terminated abnormally (core dump). In addition, the service was restarted. The 3 error messages appear consecutively.
Solution
The service is restarted and recovered automatically so it can be used again. The service is stopped while it is being restarted (approx. 10 seconds).
If this message appears, there is a good chance that a problem exists in the product. In order to have F-Secure take a look at the problem, please send all of the files which begin with "core" in the installation directory (/opt/f-secure/fsigk/) to F-Secure.
If you are not using the latest version of the product, please update to the latest version if possible.
Message
WARNING [<Location>] accept=Connection reset by peer(104) main/accept_loop/accept(s=<Id>)
Description
This message can appear if you use kernel 2.2 and if you disconnect immediately after the connection is established. The product can work properly even if this message appears.
Solution
Kernel 2.2 is not supported anymore. If possible, update your distribution.
Message
CRITICAL [<Location>] LICENSE_ERROR#ret=-1#msg=License Expired
Description
The evaluation license of the product has expired.
Solution
Purchase a license and enter the license key to activate the product.
Message
WARNING [<Location>] Commtouch database error: Initial database update may be on going. Wait a moment. (dlopen(./databases/commtouchunix.0/libfsasd-lnx32.so) failed. dlerror(): ./databases/commtouchunix.0/libfsasd-lnx32.so: cannot open shared object file: No such file or directory)
WARNING [<Location>] Commtouch database error: Initial database update may be on going. Wait a moment. (FsasFunctionsInitialize failed.)
Description
These two errors mean that there is no database for commtouch spam scanning engine.
Solution
Wait for a while until initial database downloading is done.
Message
WARNING [<Location>] fsas_open_session(./fsasd-socket) failed.
Description
This error means that there is no 'fsasd' process running.
Solution
Please start fsasd services by running "/etc/init.d/rc.fsigk_fsasd start" or "/etc/init.d/rc.virusgw_fsasd start".
Message
WARNING [<Location>] fsav_open_session: Cannot connect to fsavd's socket(./fsavd-socket-0). fsavd may be not running. Please run 'rc.fsigk_fsavd restart' to restart fsavd.
Description
The socket (./fsavd-socket-0) of the scan engine (fsavd) could not be reached. The scan engine (fsavd) may not be running.
Solution
The scan engine (fsavd) starts automatically if it is run from the web console. If the proxy service is run from the command-line, the scan engine (fsavd) must be started in advance. Restart the scan engine with the "/opt/f-secure/fsigk/rc.fsigk_fsavd restart" command.
