CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have a SPLAT Provider-1 NGx R65 running HFA_02 and HF_249. I have a CMA in there managing several SPLAT cluster firewalls and a few single firewalls. I upgraded one of the single firewalls from HFA_02 and HF_249 to HFA_30 yesterday. The single firewall is a Dell PowerEdge 2550 (dual 1GHz processor with 1GB RAM). Before the upgrade, I could perform Secure Copy (SCP) between the single firewall and a Linux server, on the same network, at about 95Mbps throughput. After the upgrade, the throughput went from 95Mbps down to 4Mbps. Several firewall reboots didn't fix it either. I've NOT made any changes in the security policy.
| |||
Reinstall the security policy even if there were no admin-made changes. Typically there are some fundamental changes made in the underlying code that result from the HFA application and that require the policy to be recompiled and pushed on to the inspection modules. Another thing you can check is the negotiation between the NICs and the switches. I've seen in the past that more recent versions of SPLAT (or HFA) make weird choices regarding duplex and speed in the NICs.
| |||
Already did this about 10 times. No progress.

> Other thing you can check is the negotiation between the NICs and the switches. I've seen in the past that more recent versions of SPLAT

Everything looks good with ethtool. Furthermore, I also hard-code the speed/duplex settings in the /etc/rc.d/rc.local file at boot time as well:

```
[Expert@NGx-gw1]# ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: No
        Speed: 100Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: off
        Supports Wake-on: puag
        Wake-on: d
        Link detected: yes
[Expert@NGx-gw1]# ethtool eth1
Settings for eth1:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: puag
        Wake-on: d
        Link detected: yes
[Expert@NGx-gw1]#
```

I also hard-code the switches to 100/full as well.
| |||
I tried to search for any related situations in SK but with no luck. HFA 030 is still brand new so there are not many reported situations yet. Only three things I can remember that you can try are:

1) Open an SR with Check Point support if you have that possibility.
2) Reinstall one of the security gateways from scratch and apply HFA 030 on top of a base R65 installation instead of going up from one HFA to another like you did.
3) Verify the BIOS settings on the machine. Sometimes incorrect BIOS parameters result in slower I/O which might affect transfer speed. However this is unlikely since the problem was nonexistent with the previous HFA. Worth a shot though.

I'm sorry I wasn't of much help with your issue.

Last edited by pmadeira@cesce.pt; 2008-09-24 at 04:23.
| |||
cciesec2006 - what's the syntax to hard-code the speed and duplex setting in the /etc/rc.d/rc.local file? I've just upgraded from R60 to R65 HFA_03. My NIC settings are at half duplex. Running the command `eth_set eth0 100f` or `eth_set eth0 autoneg` is not working for me. `ethtool eth0` tells me they are still set to half duplex. This also happens on eth1. The switches are set to auto auto. I have a spare_backup server with R65 HFA_02 on it and it doesn't have this problem. It does have a problem with VPNs: when someone connects, fwd exits with the msg "atexit_handler called", and either I restart with `fwd&` or it seems to restart itself after x number of minutes.
| |||
Using sysconfig or the command line to change NIC speed and duplex settings

So far I haven't had any issues with HFA 30.

__________________
It's all in the documentation.

Last edited by melipla; 2008-09-27 at 13:04.
| |||
I used "/sbin/ethtool -s eth0 speed 100 duplex full autoneg off" in the /etc/rc.d/rc.local file. It works every time for me. One more thing, I also have some issues on the IBM x3650 where, after installing HFA_02 and hf_249 and rebooting, the NIC just stopped passing for no reason. As a workaround, I use "/etc/rc.d/init.d/network restart" in the /etc/rc.d/rc.local file as well. In other words, my /etc/rc.d/rc.local file looks like:

```
/etc/rc.d/init.d/network restart
/sbin/ethtool -s eth0 speed 100 duplex full autoneg off
/sbin/ethtool -s eth1 speed 100 duplex full autoneg off
/sbin/ethtool -s eth2 speed 100 duplex full autoneg off
```

It has worked well so far without issues, until I upgraded to HFA_30.
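One way to confirm after boot that the settings forced from rc.local actually took effect, as an added example that is not part of any post in this thread. The function names are hypothetical and the sample listings are constructed, abbreviated from the ethtool output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): compare live NIC settings with the forced ones.
WANT="100Mb/s full off"   # what the rc.local lines in the thread are meant to force

# link_state: read `ethtool <iface>` output on stdin, print "speed duplex autoneg".
link_state() {
    awk -F': *' '
        /^[ \t]*Speed:/            { speed = $2 }
        /^[ \t]*Duplex:/           { duplex = tolower($2) }
        /^[ \t]*Auto-negotiation:/ { autoneg = $2 }   # not the "Advertised ..." line
        END { print speed, duplex, autoneg }'
}

# check_link NAME: ethtool output on stdin; returns 1 if it differs from $WANT.
check_link() {
    got=$(link_state)
    if [ "$got" = "$WANT" ]; then
        echo "OK       $1 $got"
    else
        echo "MISMATCH $1 want=[$WANT] got=[$got]"
        return 1
    fi
}

# Constructed samples, abbreviated from the ethtool listings posted in the thread.
sample_eth0() { cat <<'EOF'
Settings for eth0:
        Advertised auto-negotiation: No
        Speed: 100Mb/s
        Duplex: Full
        Auto-negotiation: off
        Link detected: yes
EOF
}
sample_eth1() { cat <<'EOF'
Settings for eth1:
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Auto-negotiation: on
        Link detected: yes
EOF
}

sample_eth0 | check_link eth0 || true
sample_eth1 | check_link eth1 || true   # reports MISMATCH: autoneg is still on

# On a gateway (hypothetical usage): /sbin/ethtool eth0 | check_link eth0
```

Run at the end of rc.local or from cron, a non-zero return from `check_link` marks an interface whose negotiated state has drifted from the forced one.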
| |||