CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: melipla
"Enable Always-Connect" yes, under VPN Options -> Site Properties -> Settings. Sorry for being incomplete, one of my pet peeves too.
So what if you used auto-connect instead of SDL? That should allow the drive mappings to be available after autoconnect kicks in.
AFAIK #3 isn't possible (the "without disconnecting" part)
It is here: sk75221
https://technet.microsoft.com/en-us/library/cc771419.aspx
Microsoft does have a way to redirect people to specific terminal servers using Remote Desktop Connection Broker (RD Connection Broker). However then you're delegating some of that responsibility...
For laptops, using Endpoint Security it's called "HotSpot Detection". You can find out more here. My suggestion would be to engage your local Check Point Sales Engineer as a place to start. Check...
Well put. The defacto support question used to be "Are you on the latest HFA?" now it's "Are you on the latest HFA w/Jumbo?". Things shifted when Check Point started releasing the Jumbo hotfix a...
So what are you using to detect it? Without that information we can't tell you why it's failing. You basically have two options:
SCV checks (Endpoint Security VPN / full Endpoint Security client)...
There is no 83.50 client version(?) What is the disconnect error message? Is it really 20 seconds later? Some of these issues have to do with traffic intended for the gateway and being encrypted...
Aren't Nokias using VRRP set to active/active by default? Not sure if Gaia is similar...
Yes.
Don't find out the hard way that there's a fix released for that bug that just took down your network.
IMHO If you're doing any UTM functions then I'd probably recommend [at minimum] a 4800 instead of a 4400 for a 500 person office.
Focus on the "why is it trying to re-authenticate 10 seconds later?". I believe there's more than one SK about this issue.
In the meantime, disable password reuse so that you're not locking out:...
Thanks for following up, glad you found a resolution!
This is all excellent news & hope this trend continues. On paper E80.60 fills some of the feature gaps E80.50 had, but until I can spend time looking at it I'll hold off on commenting.
...
They may be complementary but their documentation is co-mingled to the point that the goal must be convergence. Nothing's clear about auto-renaming apps--the real kicker here is that "Capsule...
In case you missed it, Check Point revolutionized mobile security. Unfortunately during that process they decided to hijack a couple mobile apps to do it. Now everything says "Capsule" and if you...
Sorry to hear you're still having the issue. Can you share a capture of the issue? I'd like to see simultaneous tcpdumps from the DNS server and DNS client if possible.
This is a good article, I think you should read it.
It will go both ways. The master will notify the slave but the slave can also initiate a different connection to pull the DNS records...
According to this article, bash is still vulnerable. Expect more patching to be done.
Looks like Check Point is tracking this in sk102673.
https://access.redhat.com/articles/1200223
Affects Gaia R77.20:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Since this is the "stability thread"...The hotfix only applies to R77.x versions lower than R77.20. Installing the hotfix simply for new DHCP services is not an approach I would recommend given my...
The one thing I wanted to try, but didn't get a chance to, was to use a name server that only returned IPv4 addresses, as we were using our AD servers for DNS and they return both IPv4 and IPv6...
I've seen something similar, however I was not able to find a cause. If you Wireshark the interface(s), I will bet that you'll see the client getting an IPv4 response first and an IPv6 response...
Thanks for the pointer(s), looks like R77.20 uses Build 615--will try the newer build.
This problem persists in R77.20. Currently 45k files & can't even remove files anymore:
# ls -l plugin*
bash: /bin/ls: Argument list too long
# rm plugin-upgrade-matcher-*_Aug__*
bash:...
You're off to a good start Eric--you even got Chilly to post again :)
No more upgrading the management server? Interesting...
My initial experience with the management server on R77.20 seems like it takes longer to install policy & am seeing some packet loss during...
Interesting. Just curious as to what the Management tab in Smartview Tracker logs as the reason for the failed login attempt? (Some sample messages here:)
Authentication method: Password based...
I've seen this once or twice (can reproduce it too) and opened a ticket with Check Point about this. To make a long story short, there's a period of time when the management server is unavailable...
The best source is sk97566 which we're also seeing in R77.10. & wow R77 was in Sep 2013? Seems so long ago...and yet it's right about time for the next major release...
Thanks Barry! I knew...
Ouch, sorry to hear they closed the ticket simply because they couldn't understand the issue.
Have you done anything to minimize the load on the gateways? Specifically to traffic that gets...
Well it does....in SPLAT you have to DHCP relay via interfaces [under sysconfig] and in Gaia you have to:
The Gaia R75.40 - R77.10 DHCP bug which requires special NAT rules happens only if you...
I'm happy to see the new HFA :)
What's the reasoning behind releasing a patch that already has a patch (so to speak)? Why not integrate it directly?
AKA Check Point broke how they...
Check Point has a document specific to logging troubleshooting, it would be worthwhile to use it.
My take on the problem is that most of the time it's because the management server lost...
As a side note, R77.20 EA just posted--I don't see sk100431 or any of the issue IDs listed in sk100431 as being included in R77.20. :-/
Seems like the documentation gives you an "out" here:
13500's have 16 CPUs right? Seems odd but my guess is that your corexl firewall instances are limiting your ability to use more than...
Ah thanks for pointing that out, after doing some reading I ran across this in Security Gateway Virtual Appliance R75.40 Getting Started Guide for Amazon Web Services VPC on page 13 (regarding blade...
Well there's just the one NAT (the port forwarding), right?
I think you can do it, particularly if it's not a Dynamic IP DSL modem. For the gateway object you'd use the DSL IP. For the topology...
If your non-clustered firewall goes down, yes it will be a single point of failure and you will lose connectivity to your hosts in the AWS cloud.
There's no "special" documentation for AWS that I...
AFAIK SSO only works if you log in with domain password, not your radius one. There's no way to tie these two together without another authentication window appearing for your domain information...
cpsizeme does not work with multiqueue, however I doubt you have that enabled, so carry on.
Enabling SecureXL does run you the risk of dropping packets in weird ways, however those were...
Your output is what I would expect, because you are running the wrong command.
[Expert@csfmvc1c2:0]# arp -a |grep 18191
[Expert@csfmvc1c2:0]# netstat -an |grep 18191
tcp 0 0...
It's rare that my reseller sends me notices to patch...actually it's never happened before, so I'm guessing this one is pretty serious.
sk100431
A potential stability issue might be...
According to sk32086 you have to use Hostname Translation (HT), not PT.
You're missing a closing parenthesis:
:restart_dns_service_on_vna_init (
:gateway (
:default (true)
)
)
...
I assume with Win 7 you've disabled UAC completely? Some things (like this) might not work until you do. Is the user you're logged in as an Administrator?
Have you tried the new parameter...
Yeah :-/ We had it configured like sk32473 recommended however we were getting drops--only seen in "fw ctl zdebug + drop". After switching it to "Any" the communication started working again. I...
Plenty of people on Gaia, however I think most of us use broadcast instead of multicast for ccp. In addition to what the SK states you could also try disabling "Extended Cluster Anti-spoofing" in...
That's most likely the aggregated average. If you have 10 CPUs, one is at 100% while the other 9 are at 0%, you only have 10% CPU average.
In the command line, from expert mode, run "top". Hit...
Don't use split DNS? I've never been a fan of hostnameX resolves differently externally than it does internally. If you have to use split, try shrinking your cache timeout. Or if they're using a...
You should've been able to push the policy after the update and then have the client reconnect to get the updated setting (to allow disabling). There's a couple things that could go wrong, but...
So correct me if I'm wrong, but fw workers (aka CoreXL / kernel instances) don't handle any of NIC CPU (aka SND / cpu 0 - 1 for you)--what you've shown here is simply the fw workers (cpu 2-7)...
There is this option in the $FWDIR/conf/trac_client_1.ttm file:
:flush_dns_cache (
:gateway (
:default (client_decide)...
That seems extremely low for a connections table, even the low end appliances can handle at least 50k connections.
As for why the count can change--there could be a couple factors. The primary...
Were you bonding before R75.47? I am interested in testing to see if simply bonding up my external interface will help distribute SI% across both.
Thanks
Haven't tested E80.50 too much, however I think I've seen it happen once--regardless try upgrading the big offenders to E80.50 or E80.42 (which is actually newer than E80.50) and see if it helps.
...
Take a look at sk42096 if you can. In the past we've seen something like this due to CoreXL being set up differently on each cluster member [you can check this in cpconfig], although in Gaia it...
Anti-spoofing?
"fw ctl zdebug + drop" will help explain why / where it's dropping
Looks like this issue persists with R77.10:
4997 admin 18 0 326m 270m 4984 R 48 1.7 3530:16 DAService
50% cpu usage on the management server. Stopping it took the server from a...
The problem is that I have remote users who need to access their data securely. You can split that six ways to Sunday, but it's still a VPN solution when it comes down to it.
You mean you're using the R75 upgrade_export version on the R65 gateway? Using the R65 version of the upgrade_export will not create the proper file for an R75 import. You have to run the export...
Some web applications aren't designed to be publicly available on the internet. OWA is designed to be, however I'd be more concerned about other web access portals (ie for MS SQL). How do they...
You have to install the second policy before it becomes active, which would replace the first policy that was active. All the rules in policy A would then be lost because they are not in Policy B.
It should be noted that sk97642 replaced the SK you referenced.
Is your management server also R75.47?
Are you using ClusterXL, if so what kind?
What kind of NAT, if any?
Running the...
At least you skipped over R75.40--I think I like your approach. I do think it's ironic that they're advocating the use of software [R77.10] that's not even out yet. That's like saying Windows 8.2 is...
The place you should already know about: SmartDashboard - NAT. What does it say you're doing?
Summary of usage from the CLI:
fw tab -t fwx_alloc -s
Or go to Tracker and show the XlateSrc...
I don't really understand the notification choices. How can SecurePlatform be an option but GAIA is not? The inability to select product versions seems odd too. Doesn't seem like it knows I'm on...
Still behind a EA questionnaire access for me. I see they added a place to submit EA bugs, which is nice. Based on the EA questionnaire, I find it interesting that they're sending people onsite to...
If you're using an Intel nic and are on version R75.40 or higher, then it's Check Point's fault you're seeing these errors & sk42181 describes how to resolve it. I'd recommend doing it for every...
Funny you should mention this--we had issues similar to this around R75.30 or R75.45. Once we moved up a version we started getting all of these verification errors & had thought the upgrade failed....
You're missing rules in regards to DHCP. In tracker, try filtering the services column on bootp and all the dhcp-* services w/ no source IP or dest IP filters and you should see the drops / accepts....
My initial thought was: "What are you doing for NAT?"
My second thought was: "How can you minimize your NAT utilization?"
I'm not very good at answering questions, but one thing I do know is...
If you're on R77 and haven't installed the hot fix from sk96124, I would recommend doing so. Not sure how this one didn't merit a new ISO release...
Scripts (bash is your friend)! I'd probably script the analysis too....
We haven't been able to resolve it. Although with your frequency, I'd expect you'd have to take time to debug it (and it'd be much easier). As a side note, to update your earlier post with...
Did you try E80.50?
Thanks
Thanks for the quick response, here's my output:
# cpvinfo /opt/CPda/bin/DAService | grep 'Build'
Build Number = 502
# file /opt/CPda/bin/DAService
/opt/CPda/bin/DAService: ELF 32-bit LSB...
The only thing that sticks out is your NAT. You're doing more NAT than you have connections, which could mean some double NAT rules--not a terrible thing but odd. What's the output of this:
fw...
Anyone else seeing extremely high CPU usage by the DAService? On my management server it's anywhere from 40% - 70% cpu usage + 15% of the memory.
Seems a bit high for something that I don't even...
Not without further investigation, honestly it could take you two months to debug it and get the appropriate hot fix.
Do you only have 1 fw_worker (aka CoreXL instance)? With four cores I would suggest at least 2.
Are you using SecureXL?
Since it's SI traffic, my primary concern would be throughput. I would...
They're most likely right. The problem you're describing, where you get the login prompt but it doesn't complete and eventually disconnects you, is indicative of a memory leak / consumption of...
Can you list contents of rule 10? IE is the X_Server in source or destination?
Using the "Active" tab in Smartview Tracker is not recommended due to the load it puts on the gateway. You should...
Ping is included in any, it's just tracker which can be confusing between ??icmp and icmp. The protocol ??icmp is the filter you want, which is a different column than the service one.
Somewhere there's a drop. ICMP is also a protocol so you should be filtering on that and NOT the service. If you still can't find it, try using "fw ctl zdebug + drop" from the command line and...
Try filtering the service in tracker on 18234 (udp), which is tunnel test. It could be getting dropped due to anti-spoofing if you use Office Mode. If you don't see anything then try "fw ctl zdebug...
Yes you must update the trac file on the gateway and push policy again, and then I'd suggest recreating all your sites in the VPN client for anyone who connected to that site. I'd look into the...
We've heard for a long time that moving heavy hitting rules to the top of the rulebase helps, as recent as this year w/ R75.46 by people who deal with it day in and day out so there must be some...
If your only concern is stability, then R75.30 is for you, although I'd probably consider moving to Gaia now that R75.47 is out... R75.46 was good but still a bit premature for Gaia adoption IMHO.
...
Well I hope no news is good news :)
That is interesting about the offline files and the domain bit. All of our shortcuts tend to use the shortname too, but we haven't had to remap to the fqdn...
1) We haven't left it off, but disabling SecureXL while the problem is happening did not help. It's been on every time the problem has started.
2) No hardware accelerator but we do use SecureXL....
Support tickets about CIFS performance over VPN. Our original problem was CIFS transfers breaking across our Check Point site to site tunnels, it just so happened that it improved CIFS performance...
We see one-off replay attack messages frequently enough, so the tunnel isn't always going down when it appears. However it's when the message appears, traffic stops traversing the tunnel, then...
Aye we've seen intermittent problems like this, is your cifs_tcpstr_max_window set to 131072? I think in versions previous to R75.30 it was called fwtcpstr_max_window.
We're having the same problem, our attempt to debug it has stopped due to how difficult it is w/the randomness of the occurrence. Debugging the problem while it's ongoing [typically lasts 15 minutes]...
Have you used this with VPN traffic?
I think there's some confusion as to whether or not he's upgrading vs doing a fresh install. His original post said upgrade then his second post was only talking about "update" via "fresh install"...
For fresh installs, you can use an external DVD drive, however using a USB Device is much easier.
You can upgrade it from the CLI / WebUI. :)