Downloads



n2007
2009-03-19, 02:30
Hey there,

We have what seems to be an MTU problem with our UTM-1s. Some websites are either timing out or taking an extremely long time to download files, for example Microsoft and VMware websites. In past experience this seems to be an MTU problem, though I've had a play around with the MTU settings on the firewall's internal and external interfaces and it still didn't make any difference. I've also disabled SmartDefense but still get the same problem.

Has anyone else experienced this?

chillyjim
2009-03-19, 19:02
Are you sure it's not the AV acting up?

Thorpuse
2009-03-19, 19:19
I noticed the same problem on my UTM-1 270 lab machine yesterday. Disabling AV didn't make a difference. Ironically, it was the process of downloading support fixes from the SupportCenter that exposed it....

n2007
2009-03-19, 19:24
Yeah, bingo!

It was the A/V scanner. I wouldn't say playing up, just timing out, as it was caching the file first before delivering it to the client.

I've activated "Continuous Download" in the HTTP A/V settings, which resolved it.

Thanks for pointing us in the right direction.

Thorpuse
2009-03-19, 19:29
Damn... that means my problem is something else... :(

n2007
2009-03-19, 19:39
I had a support ticket open with Check Point but all they said was get the CPInfo file, so I'll be closing the ticket. So I can't pass on any other troubleshooting techniques, sorry.

chillyjim
2009-03-20, 14:38
Damn... that means my problem is something else... :(

Well you just like breaking things in new & interesting ways :)

Start checking interface stats. Just found one with a customer that turned out to be a misconfigured AT&T router (on the ISP side, so it wasn't showing up in the gateway's interface stats).

Thorpuse
2009-03-20, 20:42
Done that. It's only on certain file types and transfers - to some sites, it's capable of getting excellent/wire speeds. That's why I suspected the AV initially. When I have a bit more time I'll drill into this more.

n2007
2009-03-22, 19:37
Done that. It's only on certain file types and transfers - to some sites, it's capable of getting excellent/wire speeds. That's why I suspected the AV initially. When I have a bit more time I'll drill into this more.

Have you tried turning SmartDefense or A/V completely off?

Have you tried dropping the MTUs on the firewall?

Thorpuse
2009-03-23, 02:06
Yes to AV, no to SD yet... Following my mantra of "If it doesn't make sense, it's probably SmartDefense" I wouldn't be surprised if it's an SD protection that I turned on to test that's the issue.

hobart
2009-05-06, 02:47
I am having a similar sort of issue with a UTM 1070 appliance. I have tried disabling SD, all the AV and URL filtering and yet I still have an issue with downloads. It appears if the download is from an HTTP link it will work, and work fast; however, if the download is from an FTP site the speed is extremely slow. If I bypass the UTM 1070 and download the exact same file over the same router I get very high speeds, proving the UTM is causing the slowness. I have ensured the FTP bounce is disabled on the SD as well but still a problem? Anyone seen issues with downloads like this? Any help would be great.

mcnallym
2009-05-06, 09:50
Try defining a new port 21 service and set it to be ftp-basic, and specify that service for the connection you want in the rulebase, rather than the pre-defined ftp service.

msjouw
2009-05-07, 03:23
You will see this issue (as the thread started with also websites) will mainly happen with HTTPS sites; this indeed looks to be more of an MTU issue than FTP or HTTP(S) protocol related.
Find a program called TCPOPTIMIZER and run that on a test PC and see where you end up setting the MTU value to.
Lowering the MTU on the FW interfaces will only work if you allow ICMP unreachable packets from the firewall back to anything communicating directly to it (layer 3 switch, router or the clients).