The PFE:.*DFW: jtree cutover failed.* message is reported in the system message file whenever a PFE is unable to apply a change in the firewall filter configuration.
When a router’s firewall configuration is changed by a commit, the new firewall is pushed into the PFE memory, and the new filter configuration is then applied. This message indicates that there was a failure in the cutover from the old filters to the new ones.
Below are sample messages that may be displayed:
fpc7 DFW: jtree cutover failed (memory allocation failure) for filter (16) change!
/kernel: DFW_PFE: add/change for filter xxx-xxx failed due to lack of memory space.
fpc7 DFW: firewall addition failed (No memory)
fpc7 DFW: %PFE-3: firewall addition failed (No memory)
fpc7 DFW: %PFE-3: jtree cutover failed (memory allocation failure) for filter (1) change!
fpc3 dfw_change_program_filter:1957 DFW: jtree cutover failed (generic failure) for filter (5) change!
/kernel: DFW_PFE: add/change for filter lo0 failed due to lack of memory space.
cfeb DFW: firewall addition failed (No memory)
cfeb DFW: jtree cutover failed (memory allocation failure) for filter (1) change!
The cause for such a notification is an insufficient amount of contiguous memory on the SRAM of the PFE. This may be due to a memory leak in the software version that is running, jtree memory fragmentation, or firewall filters that are too large.
If the amount of memory used by the firewall application in the output of the show jtree 0 memory extensive composition command regularly increases with or without changes to the firewall filter configuration, the message is due to a memory leak.
If the output of show jtree 0 memory extensive shows plenty of free bytes but only a few (or zero) free pages, the jtree memory is fragmented.
The amount of jtree memory used by firewall filters can be determined by examining the outputs of the show jtree 0 memory extensive composition and show jtree 0 memory extensive commands.
If there is a memory leak, resetting the PFE will temporarily resolve the issue.
Jtree memory fragmentation can be resolved only by restarting the PFE. The current jtree memory allocation algorithm rarely encounters problems with fragmentation.
A workaround to update the firewall filter configuration without experiencing this issue is to deactivate or delete the first filter and commit, then activate or re-add the new/updated filter.
If the message is not due to jtree memory fragmentation, open a case with your technical support representative.