CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: RX errors increasing on External Interface of Splat firewall

  1. #1
    Join Date
    2012-01-29
    Posts
    63
    Rep Power
    9

    Default RX errors increasing on External Interface of Splat firewall

    We are using an open server and RX errors are increasing on the external interface. We checked that speed and duplex are fine on both sides. CPU utilization is also normal.

    eth2 Link encap:Ethernet HWaddr D4:AE:52:77:84:6D
    inet addr:1.1.1.1 Bcast:1.0.0.0 Mask:255.255.255.252
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:231970885 errors:9799015 dropped:0 overruns:0 frame:9799015
    TX packets:189706920 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1558922218 (1486.7 Mb) TX bytes:1424810081 (1358.8 Mb)
    Interrupt:177 Memory:da000000-da012100

    What could be the cause of the issue?

  2. #2
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    15

    Default Re: RX errors increasing on External Interface of Splat firewall

    Originally posted by m_1607:
    We are using an open server and RX errors are increasing on the external interface. We checked that speed and duplex are fine on both sides. CPU utilization is also normal.

    RX packets:231970885 errors:9799015 dropped:0 overruns:0 frame:9799015

    What could be the cause of the issue?

    RX errors mean that your NIC is receiving malformed frames from the transmitting switchport.

    Frame errors mean CRC failures on receipt of a frame. The root cause of this could be a bad cable, or a bad interface on either the machine or the switch. Try replacing the cable, then moving to another port on the switch, or use another NIC on the open server.
    (source : http://serverfault.com/questions/185...fconfig-output )

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: RX errors increasing on External Interface of Splat firewall

    Originally posted by m_1607:
    We are using an open server and RX errors are increasing on the external interface. We checked that speed and duplex are fine on both sides. CPU utilization is also normal.

    eth2 Link encap:Ethernet HWaddr D4:AE:52:77:84:6D
    inet addr:1.1.1.1 Bcast:1.0.0.0 Mask:255.255.255.252
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:231970885 errors:9799015 dropped:0 overruns:0 frame:9799015
    TX packets:189706920 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1558922218 (1486.7 Mb) TX bytes:1424810081 (1358.8 Mb)
    Interrupt:177 Memory:da000000-da012100

    What could be the cause of the issue?

    Please provide output of the following:

    ethtool eth2
    ethtool -S eth2

    If you are running at 100Mbps Fast Ethernet speed it is almost certainly a duplex mismatch. If you are piling up errors at 1Gbps speeds it probably is a cable issue or perhaps even a bad switchport.

  4. #4
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: RX errors increasing on External Interface of Splat firewall

    Using ethtool should give more detail on the specific rx error. It can mean that the firewall is receiving more packets than it can process. Read up on SecureXL and CoreXL.

    I recommend you disable all SmartView Monitor history gathering: three checkboxes in the cluster/gateway object. This feature has a surprising amount of overhead in the kernel.
    Next step is to follow standard policy optimization processes: move frequently used rules to the top, tune IPS, etc.

  5. #5
    Join Date
    2013-02-13
    Posts
    32
    Rep Power
    0

    Default Re: RX errors increasing on External Interface of Splat firewall

    It could also be due to half-speed/duplex or MTU size.

  6. #6
    Join Date
    2012-01-29
    Posts
    63
    Rep Power
    9

    Default Re: RX errors increasing on External Interface of Splat firewall

    Settings for eth2:
    Supported ports: [ TP ]
    Supported link modes: 10baseT/Half 10baseT/Full
    100baseT/Half 100baseT/Full
    1000baseT/Full
    Supports auto-negotiation: Yes
    Advertised link modes: Not reported
    Advertised auto-negotiation: No
    Speed: 100Mb/s
    Duplex: Full
    Port: Twisted Pair
    PHYAD: 1
    Transceiver: internal
    Auto-negotiation: off
    Supports Wake-on: g
    Wake-on: d
    Link detected: yes

  7. #7
    Join Date
    2012-01-29
    Posts
    63
    Rep Power
    9

    Default Re: RX errors increasing on External Interface of Splat firewall

    NIC statistics:
    rx_bytes: 251666659859
    rx_error_bytes: 0
    tx_bytes: 55334578774
    tx_error_bytes: 0
    rx_ucast_packets: 280757565
    rx_mcast_packets: 0
    rx_bcast_packets: 1
    tx_ucast_packets: 233348714
    tx_mcast_packets: 42
    tx_bcast_packets: 66799
    tx_mac_errors: 0
    tx_carrier_errors: 0
    rx_crc_errors: 11749135
    rx_align_errors: 0
    tx_single_collisions: 0
    tx_multi_collisions: 0
    tx_deferred: 0
    tx_excess_collisions: 0
    tx_late_collisions: 0
    tx_total_collisions: 0
    rx_fragments: 2787718
    rx_jabbers: 15038
    rx_undersize_packets: 1
    rx_oversize_packets: 0
    rx_64_byte_packets: 14617433
    rx_65_to_127_byte_packets: 23557258
    rx_128_to_255_byte_packets: 71244239
    rx_256_to_511_byte_packets: 13728179
    rx_512_to_1023_byte_packets: 7627710
    rx_1024_to_1522_byte_packets: 149982747
    rx_1523_to_9022_byte_packets: 0
    tx_64_byte_packets: 60835443
    tx_65_to_127_byte_packets: 59025624
    tx_128_to_255_byte_packets: 75901992
    tx_256_to_511_byte_packets: 14235694
    tx_512_to_1023_byte_packets: 6419754
    tx_1024_to_1522_byte_packets: 16997048
    tx_1523_to_9022_byte_packets: 0
    rx_xon_frames: 0
    rx_xoff_frames: 0
    tx_xon_frames: 0
    tx_xoff_frames: 0
    rx_mac_ctrl_frames: 0
    rx_filtered_packets: 2555429
    rx_discards: 0
    rx_fw_discards: 0

  8. #8
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: RX errors increasing on External Interface of Splat firewall

    The switchport this interface is attached to is running at half duplex while your end is at full duplex; I know you say you checked it but that is the most likely culprit. Unless you are using an absolutely terrible cat 3 cable (or there is non-cat5 somewhere in the wiring path via patch panel) there is simply no way you should be racking up a packet CRC error rate of 4.2% at 100Mbps. I guess it could also be some kind of crazy electromagnetic interference but that is doubtful; the interface is not logging carrier transitions so it is not a negotiation flap. Your performance on this interface has got to be pitiful.

  9. #9
    Join Date
    2012-01-29
    Posts
    63
    Rep Power
    9

    Default Re: RX errors increasing on External Interface of Splat firewall

    Just one doubt: how do you know the ISP side is set to half duplex?

    Thanks.

  10. #10
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: RX errors increasing on External Interface of Splat firewall

    Originally posted by m_1607:
    Just one doubt: how do you know the ISP side is set to half duplex?

    Thanks.

    Someone on the ISP side will have to look at their router interface to see the duplex. However, your eth2 interface is reporting this:

    Advertised auto-negotiation: No

    If the ISP side is set for auto it will set for half duplex since your interface is not responding to an auto-negotiation request. The ISP router will conclude in that case that it is attached to a hub instead of a switch and go half duplex. Has the speed been hardcoded in /etc/rc.local like this on your firewall?

    ethtool -s eth2 speed 100 duplex full autoneg off

    That is the typical way an interface is hard-coded. You could try the following during a downtime window and see what happens:

    ethtool -s eth2 speed 100 duplex full autoneg on

    This may cause an outage; if you stop racking up errors, hardcode it into /etc/rc.local to make it persistent. If you are still piling up errors you are stuck doing this:

    ethtool -s eth2 speed 100 duplex half autoneg off

    Basically dropping your side to 100/half to match the other side. 100/full is definitely preferable though...
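
Added example, not part of any post in this thread: a shell check that applies the reasoning from posts #3, #8 and #10 to `ethtool` and `ethtool -S` output. The sample text is constructed from the eth2 values posted above; the function names, the result labels and the 1.0% default limit are assumptions.

```shell
#!/bin/sh
# Constructed sample input: values copied from the eth2 output posted in this thread.
LINK='Speed: 100Mb/s
Duplex: Full
Auto-negotiation: off'
STATS='rx_ucast_packets: 280757565
rx_mcast_packets: 0
rx_bcast_packets: 1
rx_crc_errors: 11749135
tx_total_collisions: 0'

# Print the value of one "name: value" line from ethtool-style text on stdin.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# CRC errors as a percentage of frames received, to one decimal place.
# Counter names are driver-specific; these are the ones in the posted output.
crc_error_pct() {
    crc=$(printf '%s\n' "$1" | field rx_crc_errors)
    uc=$(printf '%s\n' "$1" | field rx_ucast_packets)
    mc=$(printf '%s\n' "$1" | field rx_mcast_packets)
    bc=$(printf '%s\n' "$1" | field rx_bcast_packets)
    awk -v c="$crc" -v u="$uc" -v m="$mc" -v b="$bc" 'BEGIN {
        t = u + m + b
        if (t == 0) { print "0.0"; exit }
        printf "%.1f\n", 100 * c / t
    }'
}

# diagnose LINK_TEXT STATS_TEXT [LIMIT_PCT]; the 1.0% default limit is an assumption.
diagnose() {
    speed=$(printf '%s\n' "$1" | field Speed)
    duplex=$(printf '%s\n' "$1" | field Duplex)
    autoneg=$(printf '%s\n' "$1" | field Auto-negotiation)
    coll=$(printf '%s\n' "$2" | field tx_total_collisions)
    pct=$(crc_error_pct "$2")
    if ! awk -v p="$pct" -v l="${3:-1.0}" 'BEGIN { exit !(p + 0 > l + 0) }'; then
        echo "ok"
    elif [ "$autoneg" = "off" ] && [ "$duplex" = "Full" ] &&
         [ "$speed" != "1000Mb/s" ] && [ "${coll:-0}" -eq 0 ]; then
        # Forced full duplex, no local collisions, many CRC errors:
        # the peer has probably fallen back to half duplex.
        echo "suspect-duplex-mismatch"
    else
        echo "check-cable-or-port"
    fi
}

diagnose "$LINK" "$STATS"
```

On a live gateway the same functions can be fed real output, for example `diagnose "$(ethtool eth2)" "$(ethtool -S eth2)"`.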

  11. #11
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    16

    Default Re: RX errors increasing on External Interface of Splat firewall

    If you're using an Intel nic and are on version R75.40 or higher, then it's Check Point's fault you're seeing these errors & sk42181 describes how to resolve it. I'd recommend doing it for every Intel nic regardless of whether or not you're currently seeing errors.

    Code:
    ethtool -G eth2 rx 4096 tx 4096

    Executing that command will interrupt traffic for ~2-5 seconds.
    It's all in the documentation.

  12. #12
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: RX errors increasing on External Interface of Splat firewall

    Originally posted by melipla:
    If you're using an Intel nic and are on version R75.40 or higher, then it's Check Point's fault you're seeing these errors & sk42181 describes how to resolve it. I'd recommend doing it for every Intel nic regardless of whether or not you're currently seeing errors.

    Code:
    ethtool -G eth2 rx 4096 tx 4096

    Executing that command will interrupt traffic for ~2-5 seconds.

    This will definitely help if excessive drops and misses are being encountered, but I don't see how this will help with the CRC errors the OP is seeing.
