Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Frequently Asked Questions (FAQs) about filter driver heap size in Deep Security

    • Updated:
    • 29 Feb 2016
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Platform:
    • VMware ESX 4.1
    • VMware ESX 5.0
    • VMware vSphere 4.x
    • VMware vSphere 5.x
Summary

Learn about the Frequently Asked Questions (FAQs) about filter driver heap size setting, its default allocation, as well as how and when to modify its value.

Details
Public
 
Since there is no filter driver existing in ESXi for Deep Security 9.6, we do not need to adjust the heap memory anymore.
The DSA_FILTER_HEAP_MAX_SIZE is primarily used for maintaining connection state tables and loading configuration. This is commonly used when DPI, Firewall and WRS is turned on in Deep Security.
  • Deep Security 8.0: 64MB
  • Deep Security 9.0: 256MB
  • Deep Security 9.5: 256MB

The minimum allocation is 1MB for Deep Security 8.0, and 128MB for Deep Security 9.0.

The maximum heap size is set by VMware. See How to Increase Heap Memory for more details on the recommended allocation.

  • Packets are dropped, or “Internal Engine Error” or “Memory Allocation Error” appears in the Firewall or DPI events.
  • Firewall and/or DPI can no longer process the packets and thus no more Firewall/DPI events appear in the Deep Security Manager (DSM) console.
  • Messages similar to the following appear in the host’s /var/log/messages file:

    Mar 6 21:24:47 vmkernel: 0:00:24:33.582 cpu7:10500)WARNING: Heap: 2218: Heap dvfilter-dsa already at its maximumSize. Cannot expand.

  • Messages similar to the following appear in the vmkernel.log:

    2012-12-15T22:54:38.765Z cpu43:11114742)dvfilter-dsa: tb_trace_write_formatted:43: iap_emit_logentry:44 logentry alloc error sz=228

  • The following message appears, indicating insufficient heap to save state during a vMotion activity:

    2012-12-20 5:22:03:22.749 cpu2:1414506)dvfilter-dsa: tb_trace_write_formatted: dsa_save_state:876 vmkfilter no buffer buf too small (need 7375)

    This may be followed by an ESX crash and stack trace (PSOD).

  • Adjusting heap memory is almost always required, especially if Firewall, DPI, and WRS features are used.
  • Verify if Firewall and DPI events for enabled rules are being generated. To do this, you can manually trigger one of the DPI rules. If the event is not logged, then the heap size is not enough to process the traffic and pass it on to the Firewall and DPI.
  • Check if the values of the following counters on the protected VMs are close to zero (0) and do not increase drastically.

    visor: pkt_err_to_sp:
    visor: mem_cache_alloc_err:
    visor: mem_alloc_err:

    You can find them by logging into the Deep Security Virtual Appliance (DSVA), going to Virtual Agents, and selecting a protected VM.

    If the value is high and continues to increase, you may need to increase heap memory.

A. Determine the amount of heap memory needed

For Deep Security 9.5:

# of VM Guests1 - 3031 - 9091 - 100
DSVA Memory4GB6GB8GB
DSVA CPUs2 x vCPU2 x vCPU2 x vCPU
dv_filter Heap Size256MB1GB1GB

For Deep Security 9.0 and 8.0

# of VM Guests1-50100150200250
DSVA Memory2GB4GB8GB8GB12GB
DSVA CPUs2 x vCPU2 x vCPU4 x vCPU4 x vCPU6 x vCPU
dv_filter Heap Size256MB512MB1GB1GB1.5GB

B. Increase the heap memory size

Increase the heap memory size using any of the following options:

Option 1: ESXi console

  1. From the ESXi console, execute this command to determine the existing filter driver heap memory size:

    % esxcfg-module -g dvfilter-dsa

    If the value has never been adjusted from the default, the output will be like this:

    dvfilter-dsa enabled = 1 options = ''

    If the value of DSAFILTER_HEAP_MAX_SIZE has been adjusted previously, the outcome will be similar to this:

    dvfilter-dsa enabled = 1 options = 'DSAFILTER_HEAP_MAX_SIZE=1074790400'

  2. Change the heap size using this command:

    % esxcfg-module -s "DSAFILTER_HEAP_MAX_SIZE=<new max value>" dvfilter-dsa

  3. Verify if the changes were successfully applied by running this command:

    % esxcfg-module -g dvfilter-dsa

  4. Reboot the ESX/ESXi server for the changes to take effect.

Option 2: PowerCLI

  1. From the PowerCLI Command, connect to the ESXi host.
  2. Execute the command below to determine the existing filter driver heap memory size:

    Get-VMHostModule dvfilter-dsa

  3. Change the heap size using this command:

    Get-VMHostModule dvfilter-dsa | Set-VMHostModule -options "DSAFILTER_HEAP_MAX_SIZE=<new max value>"

    For example, Get-VMHostModule dvfilter-dsa | Set-VMHostModule -options DSAFILTER_HEAP_MAX_SIZE=512000000

  • Estimate the number of connections for each VM running, and know the total number of VMs you will run on each ESX/ESXi host. This will guide you in properly adjusting the heap memory needed for your environment.
  • Consider adjusting the number of TCP/UDP connections to a lower value. The default number is set to 10000 and this contributes to a higher filter driver memory requirement.
    To change the number of connections, go to the DSM > System Settings menu > Network Engine tab and change the settings of the following:
    • Maximum TCP Connections
    • Maximum UDP Connections
    Notes:
    • These settings can be changed either on the global level or only on the affected VMs.
    • The value for maximum connections is applied per VM, and not a total for all VMs running on the ESXi host.
    • Lowering the maximum number of connections means the Deep Security will be more aggressive in removing older stale connections before accepting new active connections.
  • Increase the heap memory.
  • Increase the minimum heap size to prevent the driver from loading at all when you cannot allocate enough memory.

    The default minimum memory for Deep Security 8.0 is 1MB. If only the maximum was defined and there is less memory than what you need, the driver will not load.

The driver gets the maximum if available. If not, it gets an amount between the minimum and the maximum heap size. The vmkernel will then grow the heap size when it can. Whatever size is given is considered used as far as ESXi is concerned.
Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy
Solution Id:
1095995
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.