2

Hi, I have a WatchGuard firewall, and I lost access to the firewall before Xmas. I therefore visited the site and upgraded the firewall to the latest firmware, but unfortunately I am now having similar issues where I will lose access to the firewall; sometimes it will let me in, sometimes nothing. I thought this was an issue with the actual hardware, but now in the logs I see a constant stream of:

2011-12-29 09:47:38 kernel printk: 90 messages suppressed.

Which makes me think this could be a DoS attack. I have contacted both my ISPs, who say they are not seeing any unusual traffic on the connections. I have a support call logged with WatchGuard and am just awaiting a response.

Does anyone know what these kernel printk messages are? My understanding is that they are blocking multiple identical messages, but I am unsure if this is correct or where they are coming from.

Any help will be much appreciated.

Tom O'Connor
Kevin

2 Answers

3

The suppressed messages are the kernel's way to prevent DoS'ing the machine (even) further - You have to check which message was suppressed in the first place.

You can adjust the printk() rate via /proc/sys/kernel/printk_ratelimit*. The printk function is actually one of the few (reliable and crash-proof) ways the kernel can issue (debugging) information into user space.

pfo
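To follow up on finding which message was suppressed, here is an added example (not part of the original answers) that totals the suppressed counts per minute and attributes each notice to the next kernel line in the log. The sample log lines, the module names in them and the function name `summarize` are constructed for illustration; only the timestamp/source/message layout is taken from the line quoted in the question.

```python
import re
from collections import Counter

# Constructed sample: same layout as the log line in the question; the
# non-"suppressed" messages and module names are invented for the example.
SAMPLE_LOG = """\
2011-12-29 09:47:28 kernel example_driver: rx queue overrun
2011-12-29 09:47:33 kernel printk: 41 messages suppressed.
2011-12-29 09:47:33 kernel example_driver: rx queue overrun
2011-12-29 09:47:38 kernel printk: 90 messages suppressed.
2011-12-29 09:47:38 kernel example_driver: rx queue overrun
2011-12-29 09:48:02 firewall policy reload complete
2011-12-29 09:48:05 kernel printk: 12 messages suppressed.
2011-12-29 09:48:05 kernel other_module: allocation failure
"""

# Capture "date HH:MM" as the minute bucket and the kernel message text.
LINE = re.compile(r"^(\S+ \d\d:\d\d):\d\d kernel (.*)$")
NOTICE = re.compile(r"^printk: (\d+) messages suppressed\.$")


def summarize(log_text):
    """Return (suppressed per minute, suppressed per neighbouring message)."""
    kernel = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    per_minute, per_neighbour = Counter(), Counter()
    for i, (minute, msg) in enumerate(kernel):
        notice = NOTICE.match(msg)
        if not notice:
            continue
        lost = int(notice.group(1))
        per_minute[minute] += lost
        # Heuristic (assumption): the next kernel line that is not itself a
        # notice is the first candidate for what was being rate limited.
        following = [m for _, m in kernel[i + 1:] if not NOTICE.match(m)]
        neighbour = following[0] if following else "(no following kernel message)"
        per_neighbour[neighbour] += lost
    return per_minute, per_neighbour


if __name__ == "__main__":
    minutes, neighbours = summarize(SAMPLE_LOG)
    for minute, lost in sorted(minutes.items()):
        print(f"{minute}  {lost} suppressed")
    for msg, lost in neighbours.most_common():
        print(f"{lost:6d}  {msg}")
```

A steady per-minute total attributed to one message points at a single noisy source; the attribution is only a starting point, since the rate limit is shared by several callers.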
3

It's a bug in the 11.3.x series software that has been around for well over a year. I'm not sure if the 11.4.x versions still have this (11.4 only runs on the newer XTM models, not the e-series devices which I suspect you have), but the answer I got from WatchGuard Support was to just ignore them.

More discussion over on the WatchGuard Forums. Would highly recommend you post your problem over there, as there are a couple of real WatchGuard gurus who offer amazing help. Make sure you post your device model and current software version.

SteveBurkett
  • Hi Steve, many thanks. You are quite correct, this is an x55e, and I will post this question over in the WatchGuard forums. The one issue this provides is that if it's a bug with the software, it appears to be using all the memory the firewall has to offer, causing it to lock up. Do you think a downgrade may be an idea, or may it just be time for a new box? – Kevin Dec 29 '11 at 10:23
  • We've got about 50 of the little e-series Edge devices running on 11.3.x software (mostly 11.3.2 at the moment) and don't get this lock-up issue, so you shouldn't be getting it on your box. I'd say the 'kernel printk' warning is a red herring (we get those as well) and you need to be looking for another issue there somewhere. There was also meant to be an 11.3.5 released in December; doesn't look like that's going to happen. :) – SteveBurkett Dec 30 '11 at 11:48
  • The 11.3.5 release is definitely on its way, as I am now running a Preview version provided by their live security team, and it seems pretty stable and I'm no longer getting any printk messages etc. :) Steve, do you purchase live security for each of these boxes, or do they do a company live security that covers them all? – Kevin Jan 04 '12 at 16:08