CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: SecureXL randomly turned off

  1. #1
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    184
    Rep Power
    5

    Default SecureXL randomly turned off

    Environment:
    2 Node 12400 Cluster with vrrp
    Blades: Firewall, ClusterXL, IPSec VPN, Qos
    R77.30 JHFA 185
    SecureXL enabled

    For a couple of days now, we have noticed that the CPU time on the active node suddenly rises from 24% to 75%. Checking SecureXL shows that it is turned off at that stage.
    Just setting "fwaccel on" solves the issue and the CPU drops immediately to 24%.

    Some time later (hours, day) the game starts over again.
    We cannot reproduce the phenomenon.

    Any ideas?

  2. #2
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    840
    Rep Power
    12

    Default Re: SecureXL randomly turned off

    Someone tried to troubleshoot and switched it off by mistake?

    No way it turns itself down without human interaction.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    1,933
    Rep Power
    10

    Default Re: SecureXL randomly turned off

    I have seen this happen but it is rare and fwaccel stat will usually show some kind of error like "waiting for policy load" or "too many errors" instead of "off". Assuming your fwaccel stat output is just showing "off" I'd be pretty skeptical it got that way all by itself.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  4. #4
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    840
    Rep Power
    12

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by ShadowPeak.com View Post
    Assuming your fwaccel stat output is just showing "off" I'd be pretty skeptical it got that way all by itself.
    as I said... :-)
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  5. #5
    Join Date
    2006-09-26
    Posts
    2,882
    Rep Power
    13

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by varera View Post
    as I said... :-)
    Having seen a lot of crazy sh_ts from checkpoint, I would NOT rule anything out.

    I've seen SecureXL turned off for no reason on my gateways without anyone touching it. As the OP said, it is intermittent so I have to spend more time opening the ticket with Checkpoint and it goes nowhere.

  6. #6
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    840
    Rep Power
    12

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by cciesec2006 View Post
    Having seen a lot of crazy sh_ts from checkpoint, I would NOT rule anything out.

    I've seen SecureXL turned off for no reason on my gateways without anyone touching it. As the OP said, it is intermittent so I have to spend more time opening the ticket with Checkpoint and it goes nowhere.
    And I have seen all your comments in this forum. With all due respect, in 17 years with Check Point, I have never seen SXL turning itself off. It does not work like that.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  7. #7
    Join Date
    2006-09-26
    Posts
    2,882
    Rep Power
    13

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by varera View Post
    And I have seen all your comments in this forum. With all due respect, in 17 years with Check Point, I have never seen SXL turning itself off. It does not work like that.
    LOL; there is a first time for everything.

    Have you ever watched the movie "For the love of the game", starring Kevin Costner as an aging baseball pitcher, Billy Chappel? There is a scene in the movie where Billy almost showed up late for the warm-up because he is scheduled to pitch that game. The manager told him, "Billy, I thought you were not going to show up". Billy replied, "In my 19th year pitching career, have I ever not shown up?" The manager replied, "Well, everyone said that until the first time they don't show up".

    That reminded me about the issue I have with cpdiag. Checkpoint R&D stated, well, it should "not" behave like this but we don't understand why your system is behaving differently. This is the first time it happened to a customer.

    As I've said, there is a first time for everything. Just because you've not seen it in 17 years with Checkpoint does not mean it does not happen.

  8. #8
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    840
    Rep Power
    12

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by cciesec2006 View Post
    LOL; there is a first time for everything.

    Have you ever watched the movie "For the love of the game", starring Kevin Costner as an aging baseball pitcher, Billy Chappel? There is a scene in the movie where Billy almost showed up late for the warm-up because he is scheduled to pitch that game. The manager told him, "Billy, I thought you were not going to show up". Billy replied, "In my 19th year pitching career, have I ever not shown up?" The manager replied, "Well, everyone said that until the first time they don't show up".

    That reminded me about the issue I have with cpdiag. Checkpoint R&D stated, well, it should "not" behave like this but we don't understand why your system is behaving differently. This is the first time it happened to a customer.

    As I've said, there is a first time for everything. Just because you've not seen it in 17 years with Checkpoint does not mean it does not happen.
    We all know you are unhappy with Check Point. Would you please produce something that would actually be helpful to other members, finally? After all, the whole idea around CPUG is to help other people out with their technical, not physiological problems.

    Thank you very much
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  9. #9
    Join Date
    2006-09-26
    Posts
    2,882
    Rep Power
    13

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by varera View Post
    We all know you are unhappy with Check Point.
    I am not unhappy with Checkpoint products. I am unhappy with the way checkpoint provides support to the product.


    Quote Originally Posted by varera View Post
    Would you please produce something that would actually be helpful to other members, finally? After all, the whole idea around CPUG is to help other people out with their technical, not physiological problems.
    Apparently you didn't read my post. see below.
    https://www.cpug.org/forums/showthre...-vulnerability

  10. #10
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    840
    Rep Power
    12

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by cciesec2006 View Post
    Apparently you didn't read my post. see below.
    https://www.cpug.org/forums/showthre...-vulnerability
    Thank you sir
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  11. #11
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,167
    Rep Power
    7

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by varera View Post
    And I have seen all your comments in this forum. With all due respect, in 17 years with Check Point, I have never seen SXL turning itself off. It does not work like that.
    I haven't seen it happen myself, but...

    sk116379

    sk114261

    sk100467

    There does seem to be more than a few ways for securexl to disable itself.
    Last edited by jflemingeds; 2 Weeks Ago at 16:23.

  12. #12
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    840
    Rep Power
    12

    Default Re: SecureXL randomly turned off

    Quote Originally Posted by jflemingeds View Post
    I haven't seen it happen myself, but...

    sk116379

    sk114261

    sk100467

    There does seem to be more than a few ways for securexl to disable itself.
    Thanks for digging this out. Two of the SKs are actually referring to the case "disabled by FW" related to collision avoidance in PPK. One more seems to be related to a land attack, although it is hard to say from the SK.

    Looking forward to more details from TS
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  13. #13
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    184
    Rep Power
    5

    Default Re: SecureXL randomly turned off

    After carefully watching our environment we can state the following:

    1. SecureXL is definitely turned off when, and only when, a policy is installed
    2. SecureXL is NOT ALWAYS turned off when a policy is installed

    It might sound somehow crazy and we see no relation between the events, but the problem started last week, when we enabled IPS and Antibot ON ANOTHER CLUSTER, meaning NOT on the cluster where SecureXL is being turned off now.

    Happy Easter

  14. #14
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    1,933
    Rep Power
    10

    Default Re: SecureXL randomly turned off

    Looks like enabling Optimized Drops (Drop Templates) or NAT Templates can create many more situations where SecureXL can get disabled, do you have either of these enabled?

    Once SecureXL has disabled itself after a policy load, run "fwaccel test -v -stat". I suspect SecureXL is stuck at "waiting for policy load" but for some reason fwaccel stat is not showing that. This command should give you a more definitive reason SecureXL is off.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  15. #15
    Join Date
    2014-09-07
    Posts
    5
    Rep Power
    0

    Default Re: SecureXL randomly turned off

    Hi

    Indeed this is related to the templates mechanism as some noticed over here, this mechanism is relatively new and caused by a race condition when multiple instances are involved.

    You can find the technical explanation and an example in sk100467 Scenario #5. The SK requires a valid support agreement in order to access the article.
    Check Point provides a remediation fix to address this issue via our support organization.

    Regards,
    Uri

  16. #16
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    184
    Rep Power
    5

    Default Re: SecureXL randomly turned off

    Hm, the SKs described above do not seem to match.
    I just installed the policy, and again, fwaccel was turned off.

    The proposed commands show:

    [Expert@test:0]# fwaccel test -v -stat
    Accelerator Status : off
    [Expert@test:0]# fwaccel stat
    Accelerator Status : off

    Accelerator Features : Accounting, NAT, Cryptography, QOS, Routing,
    HasClock, Templates, Synchronous, IdleDetection,
    Sequencing, TcpStateDetect, AutoExpire,
    DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
    WireMode, DropTemplates, NatTemplates,
    Streaming, MultiFW, AntiSpoofing, Nac,
    ViolationStats, AsychronicNotif, ERDOS,
    NAT64, GTPAcceleration, SCTPAcceleration,
    McastRoutingV2
    Cryptography Features Mask : not available
    [Expert@test:0]#


    In the fwd.elg file we see the following:

    [FWD 11521 4065044176]@test[19 Apr 8:31:24] ha_fetch_callback: Cluster policy installation successful
    fwdgxsam_init(): gx_sam_proxy_create failed.
    Unable to open '/dev/fw6v0': No such file or directory
    coreXL_aff_handler: This is a cb respond to: FW1_INSTALLED msg
    coreXL_aff_handler: User has not enabled auto core affinity


    is this anything of importance?
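
An added example, not part of any post in this thread: since the reports above tie the "off" state to policy installs, this sketch records the `fwaccel stat` status next to the most recent policy-install timestamp found in fwd.elg, so the correlation can be checked over time. The function names, the sample data (trimmed from the output posted above) and the log path in the final comment are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: record SecureXL state next to the last policy install.
# Assumption: the "policy installation successful" line in fwd.elg marks a
# completed install, as in the log excerpt posted in the thread.

# Constructed samples, trimmed from the output shown in the thread.
SAMPLE_STAT='Accelerator Status : off

Accelerator Features : Accounting, NAT, Cryptography, QOS, Routing,'
SAMPLE_ELG='[FWD 11521 4065044176]@test[19 Apr 8:31:24] ha_fetch_callback: Cluster policy installation successful
fwdgxsam_init(): gx_sam_proxy_create failed.
coreXL_aff_handler: This is a cb respond to: FW1_INSTALLED msg'

# stdin: "fwaccel stat" output. Prints the text after "Accelerator Status :".
accel_status() {
    awk '/^[ \t]*Accelerator Status/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
    }'
}

# stdin: fwd.elg content. Prints the timestamp of the most recent install.
last_policy_install() {
    sed -n 's/^\[FWD [^]]*]@[^[]*\[\([^]]*\)].*policy installation successful.*/\1/p' |
        tail -n 1
}

# $1: fwaccel stat output, $2: fwd.elg content.
# Prints one log line and returns non-zero unless the status is exactly "on".
report() {
    rp_status=$(printf '%s\n' "$1" | accel_status)
    rp_install=$(printf '%s\n' "$2" | last_policy_install)
    printf 'securexl=%s last_policy_install=%s\n' \
        "${rp_status:-unknown}" "${rp_install:-none}"
    [ "$rp_status" = "on" ]
}

# On a gateway (expert mode), e.g. from cron every minute; the log path is
# a hypothetical choice:
#   report "$(fwaccel stat)" "$(cat "$FWDIR/log/fwd.elg")" >> /var/log/sxl_watch.log
```

The fwd.elg timestamps carry no year, so the script only reports them side by side with the status and leaves the comparison to the reader.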
