CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Issue: New IPSO cluster enforcement modules installed, Internet web browsing is slow; it takes approx 5-10 seconds of blank nothing, then the whole page is displayed. Prior to installation, a standalone IP330 (IPSO 3.8.1, NGX R62) was in place, no issues. Remove a member from the cluster, no difference; remove the other member from the cluster, no difference.

Cluster details: Nokia IP390, 1G RAM, operating in hybrid mode. IPSO: 4.2-BUILD051_HFA02. Cluster mode: Forwarding. Workload: Dynamic. Check Point VPN-1 Power/UTM NGX R65, Build 620000436.

Scenario: client -> internal_proxy -> firewall -> DMZ_Proxy -> Internet. DMZ_Proxy performs the lookups for web traffic. FTP and other related services: no issues. Have removed SmartDefense from the cluster, made no difference; re-ordered web browsing rules higher up, no difference. Load on modules is minimal, clustering configured as per "IPSO4200-ClusterConfigGuide_N450000361r001.pdf", seeing no cluster-related issues, messages clean, no routing protocols running on the cluster, all static with the firewall's default gateway pointing to our internet router. Cisco switch ports running clean for all systems involved; no CVP, mail resource or the like. R65 HFA_01 has just been released, will look at it... I suspect it has something to do with clustering but can't find any fault with it... Any suggestions???
Any chance it's a DNS resolution issue? It sort of sounds like it based on the behavior. Or maybe a proxy chaining problem? What are the proxy servers?

Ray
How about any multicast configurations?? I'm new to the Check Point / Nokia scene and have been messing with different types of clustering. Whenever I do not have multicast configured correctly I get this symptom. My understanding is that in forward mode you do not need any multicast configured. So far this has been my best and most reliable setup (Nokia clustering in forward mode).

-pat13b
Cheers guys... yes, it smacks of DNS related, however lookups on all there are sweet. I'm leaning more towards your idea of a proxy chaining issue and its interplay with the new cluster. internal_proxy is w3k with Trend Micro "Internet Web Security Suite 2.5 SP1" (absolute rubbish/problematic product... IMHO). dmz_proxy is w3k, ISA 2000 cache only. The Trend Micro product set requires updating, and looking at R65 HFA_01 items 01-10 and 01-13, having already experienced issues with 01-8 (can't believe it took 6 months to release a fix for killing mail in this way), I think the only logical course of action is to look at updating all products involved to current and start from there. With regard to multicast, agreed.

Cheers
km
Hi,

IPSO 4.x supports unicast in clustering; use this feature. I use R65 in IPSO 4.2 clustering in unicast without any glitch. Previously, when IPSO was not yet supporting unicast, whenever someone added a router I always forgot to inform them about the damn multicast MAC address. Now with IPSO supporting unicast, we should use it.

Regards,
Dandy
I removed "default protection" of SD from the cluster, no effect... will look into unicast mode, cheers...

Did a fw monitor on both modules to see what was going on; am seeing a lot of "this frame is a (suspected) out-of-order segment". I get 2 or 3 of these frames for every valid frame of HTTP traffic. Suspect this is the problem, whether it's caused by a global setting, a stateful inspection option on the cluster object, or is the cluster causing it??? Looking at Nokia solution IDs 1129686 and 1354942 and Check Point sk13300. Have increased "time out end" from 25 to 60 sec and "Max concurrent connections" from 25000 to 50000 on the cluster object...

And what's with the above rubbish....

Regards
km
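The thread keeps circling between three candidate causes for the 5-10 second blank (DNS resolution, proxy chaining, and the out-of-order segments seen through the cluster), and a timed fetch from each hop is the quickest way to tell them apart. The script below is an added example, not code from the thread or from Check Point or Nokia: it does one raw HTTP/1.0 GET, optionally through an HTTP proxy, and reports how long DNS lookup, TCP connect, time-to-first-byte and body transfer each took, then names the phase that dominates. The 1 second "floor", the hostnames, the proxy address and the hint text are all assumptions; run it from the client, from internal_proxy and from DMZ_Proxy and compare where the gap shows up.

```python
"""Phase timer for a slow-page symptom: DNS vs connect vs first byte vs body.

Added example for this thread (not Check Point/Nokia code). All hosts, the
proxy tuple and the 1 s threshold are assumptions to be replaced on site.
"""
import socket
import time
from typing import Dict, Optional, Tuple

# Phases that count toward "which step is slow"; byte counts are reported
# alongside but never compete with timings.
PHASES = ("dns", "connect", "ttfb", "body")


def dominant_phase(phases: Dict[str, float], floor: float = 1.0) -> Optional[str]:
    """Name the longest phase, or None if no phase reached `floor` seconds.

    The floor (assumed 1 s) stops a healthy fetch from being blamed on
    whichever phase happened to be marginally slowest.
    """
    name, secs = max(((k, phases[k]) for k in PHASES if k in phases),
                     key=lambda kv: kv[1])
    return name if secs >= floor else None


def interpret(phase: Optional[str]) -> str:
    """Map the dominant phase to the troubleshooting direction it points at."""
    hints = {
        None: "no single phase stands out; delay is spread or below threshold",
        "dns": "resolver latency: check the DNS path the proxy uses (here DMZ_Proxy does the lookups)",
        "connect": "TCP handshake delayed: look at proxy chaining and SYN/SYN-ACK forwarding through the cluster",
        "ttfb": "proxy or origin slow to answer: upstream proxy chain or inspection stalling the response",
        "body": "slow after first byte: retransmissions / out-of-order segments on the cluster path",
    }
    return hints[phase]


def time_fetch(host: str, port: int = 80, path: str = "/",
               proxy: Optional[Tuple[str, int]] = None,
               timeout: float = 15.0) -> Dict[str, float]:
    """GET http://host:port/path with HTTP/1.0 and return seconds per phase.

    With `proxy=(phost, pport)` the request is sent to the proxy with an
    absolute URL, so DNS and connect timings then describe the proxy hop,
    which is exactly the per-hop comparison the chained setup needs.
    """
    target_host, target_port = proxy if proxy else (host, port)
    url = f"http://{host}:{port}{path}" if proxy else path
    phases: Dict[str, float] = {}

    t0 = time.perf_counter()
    # Resolve once, explicitly, so the lookup is timed separately from connect.
    addr = socket.getaddrinfo(target_host, target_port,
                              socket.AF_INET, socket.SOCK_STREAM)[0][4]
    phases["dns"] = time.perf_counter() - t0

    t1 = time.perf_counter()
    s = socket.create_connection(addr, timeout=timeout)  # IP tuple: no re-resolve
    phases["connect"] = time.perf_counter() - t1
    try:
        request = (f"GET {url} HTTP/1.0\r\nHost: {host}\r\n"
                   f"Connection: close\r\n\r\n").encode()
        t2 = time.perf_counter()
        s.sendall(request)
        first = s.recv(4096)                      # first bytes of the response
        phases["ttfb"] = time.perf_counter() - t2

        t3 = time.perf_counter()
        total = len(first)
        while True:                               # drain until the server closes
            chunk = s.recv(65536)
            if not chunk:
                break
            total += len(chunk)
        phases["body"] = time.perf_counter() - t3
        phases["bytes"] = float(total)
    finally:
        s.close()
    return phases


if __name__ == "__main__":
    # Assumed targets: www.example.com directly, then via a hypothetical proxy.
    for label, via in (("direct", None), ("via proxy", ("192.0.2.10", 8080))):
        try:
            result = time_fetch("www.example.com", proxy=via)
        except OSError as exc:
            print(f"{label}: failed ({exc})")
            continue
        slow = dominant_phase(result)
        print(f"{label}: " + ", ".join(f"{k}={result[k]:.2f}s" for k in PHASES)
              + f" -> {interpret(slow)}")
```

Reading the numbers: a gap that sits in `dns` only when fetching through DMZ_Proxy points at that proxy's resolver path; a gap in `connect` or `ttfb` that grows with each extra hop points at the proxy chain; a long `body` phase with a small page is consistent with the retransmission pattern seen in the fw monitor capture.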