diff --git a/How-fail2ban-works.md b/How-fail2ban-works.md index 104e3cb..e297392 100644 --- a/How-fail2ban-works.md +++ b/How-fail2ban-works.md @@ -47,4 +47,14 @@ If your fail2ban version is larger as 0.9 and database was not disabled, you can Following script shows all failures of all IPs across all jails: ```bash ?sudo? python -c "db='/var/lib/fail2ban/fail2ban.sqlite3'; import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.ERROR); from fail2ban.server.database import Fail2BanDb; db = Fail2BanDb(db); t = db.getBansMerged(); print('\n'.join((('%s - %d attempts, matches:\n %s' % (t.getIP(), t.getAttempt(), '\n '.join(t.getMatches())) ) for t in t)))" +``` + +*** +**[Q]** Fail2ban does not ban and logs include `iptables v...: unknown option "-w"` + +**[A]** Default configuration of Fail2Ban requires iptables with locking support (`-w` option). If you run on a system with older iptables (before `1.4.20`), you need to disable locking option by e.g. providing `/etc/fail2ban/action.d/iptables-common.local` file with + +``` +[Init] +lockingopt = ``` \ No newline at end of file
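Review bot: In the new **[A]** paragraph, the snippet ends with a bare `lockingopt =`, which reads like a truncated line. Please state explicitly that the value is intentionally left empty, and add the step that fail2ban has to be restarted or reloaded before the `iptables-common.local` override applies. Because the empty value also drops the wait on the iptables lock, it would help to say this is a workaround only for iptables before `1.4.20` and should not be carried over to systems that support `-w`. Minor: "disable locking option" should read "disable the locking option", and the file now ends without a trailing newline after the closing fence.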