CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it yet again - That's right, the 3rd edition is here!
You can read his announcement post here.
It's a massive upgrade focusing on current versions, and well worth checking out. -E

 

Page 2 of 3 FirstFirst 123 LastLast
Results 21 to 40 of 45

Thread: ISP redundancy Load Sharing + 2nd interface pppoe not working

  1. #21
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by crosspopz View Post
    We have R77.30 without SecureXL.

    Yes, the clam is enabled on the Firewall (CLI) and Manager (GuiDBEDIT)

    I will run another capture this night, but I'm trying to find out this cap that I already have.
    Doh! 3rd times a charm huh? :D Got it! R77.30.

  2. #22
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by jflemingeds View Post
    Doh! 3rd times a charm huh? :D Got it! R77.30.
    You got a Hat trick ahaahhaa

  3. #23
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by crosspopz View Post
    You got a Hat trick ahaahhaa
    oh one last thing, i know i've peppered you with things to packet capture with but here is one more.

    PPPoE as primary active. The last request was with None PPPoE primary active.

  4. #24
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by jflemingeds View Post
    oh one last thing, i know i've peppered you with things to packet capture with but here is one more.

    PPPoE as primary active. The last request was with None PPPoE primary active.
    I will, I want to know what is the capture MSS when the pppoe is the only active.

  5. #25
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    ok sounds good. I've had a lot of coffee today if its not clear. I could really use a chew toy right about now.

  6. #26
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by jflemingeds View Post
    ok sounds good. I've had a lot of coffee today if its not clear. I could really use a chew toy right about now.
    lol

    If you join me on the troubleshoot, no problem hahahaha

  7. #27
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    I can't today, i just went to Boston and if I don't start working out again the lumpies will come back. If i've got time later in the week i might take you up on it though. I've never done much with PPPoE or ISP load sharing and it would be worth my time to help you out just so I could look at it.

  8. #28
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by jflemingeds View Post
    I can't today, i just went to Boston and if I don't start working out again the lumpies will come back. If i've got time later in the week i might take you up on it though. I've never done much with PPPoE or ISP load sharing and it would be worth my time to help you out just so I could look at it.
    Nice one, I will try to capture today and take a look at the findings.

  9. #29
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Hey guys, yesterday I did some captures and got a conclusion.

    When the ISP redundancy is configured as Load Sharing, both interfaces uses the MSS from the “main” interface.

    Example:

    The pppoe MSS is 1452 and the ethernet is 1460.

    When the pppoe is the main one, both trafic uses 1452 and vice-versa.

    I believe that this can be the problem, since pppoe needs to use 1452 and not 1460.

    I realized that when the ethernet uses 1452, the browsing is too slow.

  10. #30
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by crosspopz View Post
    Hey guys, yesterday I did some captures and got a conclusion.

    When the ISP redundancy is configured as Load Sharing, both interfaces uses the MSS from the “main” interface.

    Example:

    The pppoe MSS is 1452 and the ethernet is 1460.

    When the pppoe is the main one, both trafic uses 1452 and vice-versa.

    I believe that this can be the problem, since pppoe needs to use 1452 and not 1460.

    I realized that when the ethernet uses 1452, the browsing is too slow.
    Nice going!!

    So, its not super clear. Even with MTU dropped using none pppoe as primary browsing still doesn't work right?

  11. #31
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by jflemingeds View Post
    Nice going!!

    So, its not super clear. Even with MTU dropped using none pppoe as primary browsing still doesn't work right?
    When I use the not pppoe as the default gw, both interface (pppoe and the other) uses MSS 1460.

    Then sometimes the browsing works (going to non pppoe), sometimes not (going to pppoe).

    When the pppoe is the default GW, both interfaces uses MSS 1452.

    Then all the browsing works, but got some slowness. This I believe is because the MSS 1452 is being used for the non pppoe too.

  12. #32
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    When I use the not pppoe as the default gw, both interface (pppoe and the other) uses MSS 1460.
    This should be turned over to checkpoint as a bug. I'm assuming this is still with mss clamping enabled and all that jazz right? Sorry not the first time I've asked redundant questions, but was that with the mtu lowered on the not pppoe default gw? Just thinking you should make all the inet facing interfaces have the same MTU (and thus MSS).

    Then sometimes the browsing works (going to non pppoe), sometimes not (going to pppoe).
    Most likely because MSS issue listed above.

    When the pppoe is the default GW, both interfaces uses MSS 1452.

    Then all the browsing works, but got some slowness. This I believe is because the MSS 1452 is being used for the non pppoe too.
    Can you define slow more? We're only talking about 8 bytes, i don't think it should be noticeable. Is it all sites are slow or a certain sights are slow? Maybe try one of those bandwidth speed test sites to get a raw overhead idea. Not great but better then nothing.

    If you can find a single website (assuming) that is slow, see if you can figure out if its only certain pages on that website loading slow. What your trying to do is narrow down the problem.

  13. #33
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by jflemingeds View Post
    This should be turned over to checkpoint as a bug. I'm assuming this is still with mss clamping enabled and all that jazz right? Sorry not the first time I've asked redundant questions, but was that with the mtu lowered on the not pppoe default gw? Just thinking you should make all the inet facing interfaces have the same MTU (and thus MSS).



    Most likely because MSS issue listed above.



    Can you define slow more? We're only talking about 8 bytes, i don't think it should be noticeable. Is it all sites are slow or a certain sights are slow? Maybe try one of those bandwidth speed test sites to get a raw overhead idea. Not great but better then nothing.

    If you can find a single website (assuming) that is slow, see if you can figure out if its only certain pages on that website loading slow. What your trying to do is narrow down the problem.
    We already have a case with CP, I sent my findings and hope they check the document.

    Yes, It's already set to use the clamp.

    [Expert@xxxxxx]# fw ctl get int fw_clamp_tcp_mss
    fw_clamp_tcp_mss = 1

    Click image for larger version. 

Name:	fw_clamp.png 
Views:	74 
Size:	931 Bytes 
ID:	1125

    No, I didn't change the not pppoe interface, not sure if will work or if is needed.

    The slow that I told I'm not sure that this is the reason. Certain sites that I realize that is going through the not pppoe interface.

    Remember, this happens when the pppoe is the default GW.

  14. #34
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,658
    Rep Power
    10

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    What timezone are you located in? I think i'm going to have sometime tomorrow if you want to discuss over the phone for a little while. I'll try not to ask what version your running.

  15. #35
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by jflemingeds View Post
    What timezone are you located in? I think i'm going to have sometime tomorrow if you want to discuss over the phone for a little while. I'll try not to ask what version your running.
    I'm from Brazil, GMT -3.

    Maybe we can talk using Skype, what you think?

    :D

  16. #36
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by crosspopz View Post
    I'm from Brazil, GMT -3.

    Maybe we can talk using Skype, what you think?

    :D
    Your economy is a mess and your president has been suspended from the position until the impeachment trial by the Senate where over half of them is under investigation themselves for corruption. The vice president is assuming the president position is not very popular and they might impeach him as well.

    Not that things are any better in America.

    LOL

  17. #37
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by cciesec2006 View Post
    Your economy is a mess and your president has been suspended from the position until the impeachment trial by the Senate where over half of them is under investigation themselves for corruption. The vice president is assuming the president position is not very popular and they might impeach him as well.

    Not that things are any better in America.

    LOL
    Not sure what Brazil's president can do with ISP redundacy ;)

    You are the guy that votes on Donald Trump and agree with his thoughts.

    Cya bro, if you want to help with the topic, I'm all ears.

  18. #38
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by crosspopz View Post
    Not sure what Brazil's president can do with ISP redundacy ;)

    You are the guy that votes on Donald Trump and agree with his thoughts.

    Cya bro, if you want to help with the topic, I'm all ears.

    Guess you didn't get the joke :-(

    I just brought up a pair of ClusterXL R77.30 so I might be to help you out. I have a PPOE connection as well.

    this is what I have:

    lab-fw-1> fw ver
    This is Check Point's software version R77.30 - Build 503
    lab-fw-1>

    does it match with the version you have or you are running with newer hotfixes?

  19. #39
    Join Date
    2011-10-20
    Posts
    163
    Rep Power
    9

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by cciesec2006 View Post
    Guess you didn't get the joke :-(

    I just brought up a pair of ClusterXL R77.30 so I might be to help you out. I have a PPOE connection as well.

    this is what I have:

    lab-fw-1> fw ver
    This is Check Point's software version R77.30 - Build 503
    lab-fw-1>

    does it match with the version you have or you are running with newer hotfixes?
    Before it all:

    http://www.wikihow.com/Be-Funny

    Now about CP.

    fw ver
    This is Check Point's software version R77.30 - Build 503


    cpinfo -y all

    ------------------------
    Hotfix versions
    ------------------------
    [FW1]
    HOTFIX_R77_20
    HOTFIX_R77_30
    HOTFIX_R77_30_JUMBO_HF

    [SecurePlatform]
    HOTFIX_R77_20
    HOTFIX_R77_30
    HOTFIX_R77_30_JUMBO_HF

    [PPACK]
    HOTFIX_R77_20
    HOTFIX_R77_30

    [CVPN]
    HOTFIX_R77_20
    HOTFIX_R77_30
    HOTFIX_R77_30_JUMBO_HF

    [CPinfo]
    No hotfixes..

    [CPUpdates]
    GAIA_WD_UPDATE_SK109359

    [rtm]
    No hotfixes..

  20. #40
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: ISP redundancy Load Sharing + 2nd interface pppoe not working

    Quote Originally Posted by crosspopz View Post
    Now THAT'S funny!...lol...

Page 2 of 3 FirstFirst 123 LastLast

Similar Threads

  1. problem with isp redundancy in load sharing mode pls help
    By sebastan_bach in forum ISP Redundancy
    Replies: 11
    Last Post: 2018-08-08, 12:54
  2. ISP Redundancy - does Load Sharing really work?
    By v33dubya in forum ISP Redundancy
    Replies: 5
    Last Post: 2013-04-16, 17:15
  3. Replies: 2
    Last Post: 2011-07-24, 22:44
  4. ISP redundancy with two DMZ and load-sharing
    By johnjohn in forum ISP Redundancy
    Replies: 2
    Last Post: 2011-06-14, 22:30
  5. ISP redundancy on load sharing and Qos
    By idofri in forum ISP Redundancy
    Replies: 1
    Last Post: 2009-01-01, 04:24

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •