CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Page 1 of 2 12 LastLast
Results 1 to 20 of 23

Thread: VPN Remote User with timeouts and low performance

  1. #1
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Unhappy VPN Remote User with timeouts and low performance

    Hello all,

    i am new here and hope to find help with a problem i have with 2 4800 appliances. We are running 77.30 on our Cluster and have Cluster XL active.

    The remote vpn user expexting in the morning and lunch time heavy timeouts when they are connected remotely. This is the time when the system is
    under high load, more or less. I see in that time 1200 Encrypted Packets per second what should not be so much for the system.

    We using office mode where the ip range for the remote user is defined in a netwok group on each checkpoint cluster. I am wondering now that the defined
    VPN Network seems to be routet on the checkpoint. If i do a traceoute it looks for me that the VPN users are send to our internet router directed by the
    default route and than from the internet router back to the checkpoint.

    Can that be the problem for the perormance issue ? In my idea the defined VPN Network should not be routed just used for the VPN uses and maybe handled
    like a local interface that is more specific on the system and not get catched by the default route.

    The problem exist also when turning of secureXL. Rebooting the cluster also not helped.

    Would be great if somebody could help be cause i am stuck with checkpoint support on this problem for more than 2 weeks.

    BR
    Marco

  2. #2
    Join Date
    2014-09-02
    Posts
    349
    Rep Power
    10

    Default Re: VPN Remote User with timeouts and low performance

    Sounds like you've got "Hub Mode" enabled (under Gateway properties, VPN Clients, Remote Access). This allows clients to route all traffic (including Internet-bound) through the VPN. The reason would be to allow you, as the firewall admin, to fully enforce policy/blades (think IPS/DLP/etc.), even on Internet traffic of remote users. Of course, the cost (as you're likely experiencing) is that all remote users' traffic (including high-bandwidth applications like video streaming) is using your internet pipe, as well as theirs.

    A typical alternative is to block "split tunneling" altogether, meaning users cannot reach external resources while connected to your site. If that's not an option, you either need to make sure the users' endpoints are well secured, or keep your fingers crossed that they're not compromised while being allowed to access your site.

    -E

  3. #3
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Hello Eric,

    thank you very much for your answer. The hup mode is not marked in the remote access section.
    Today i had another session with the checkpoint support. They checked if traffic was dropped but without result and changed the mss adjustment for vpn and tcp but it also not helped.
    I did a ping from both firewalls to my remote vpn ip and both had the same loss of packets. Ping to Site to Site VPN tunnel is working perfect all time. We updated also my VPN Client to
    Verstion 80.70

    I waiting for the next suggestions checkpoint support wanted to deliver to the end of the day.

    BR
    Marco

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Default Re: VPN Remote User with timeouts and low performance

    Can you run top while the system is underload can show the output? Let it refresh a few times would be useful.

    When you run top, hit "1" to switch to multi cpu view as well. If you like this view hitting "w" should save the view for the next time.

    A 2nd question, if you connect remotely and upload or download a file through the vpn during high load, what is the transfer rate? Does anything else go through this firewall or is it only used for remote access?

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: VPN Remote User with timeouts and low performance

    If your VPNs are using SSL/TLS (or IPSec for that matter) they can only be processed on one CPU core by default which is a classic bottleneck. Symptoms of this will be your lead firewall worker core pegging out during slow periods (Run "top" and hit 1 to check). Multicore SSL allows this load to be spread across all 3 of your firewall worker cores. What do the following commands show:

    fwaccel stat
    fw ctl affinity -l -r
    netstat -ni
    fw ctl get int enable_ssl_multi_core

    Multicore SSL is disabled by default prior to R80.10 gateway. sk101223 has more information on it. If your clients are using IPSec as the transport only the lead firewall worker core can process it and there is nothing you can do about that bottleneck, other than upgrade to R80.10 which supports Multicore IPSec.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  6. #6
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by ShadowPeak.com View Post
    If your VPNs are using SSL/TLS (or IPSec for that matter) they can only be processed on one CPU core by default which is a classic bottleneck. Symptoms of this will be your lead firewall worker core pegging out during slow periods (Run "top" and hit 1 to check). Multicore SSL allows this load to be spread across all 3 of your firewall worker cores. What do the following commands show:

    fwaccel stat
    fw ctl affinity -l -r
    netstat -ni
    fw ctl get int enable_ssl_multi_core

    Multicore SSL is disabled by default prior to R80.10 gateway. sk101223 has more information on it. If your clients are using IPSec as the transport only the lead firewall worker core can process it and there is nothing you can do about that bottleneck, other than upgrade to R80.10 which supports Multicore IPSec.
    how is multicore IPSec going to interact with Dynamic Dispatchers? Is it possible that an IPSec session inbound handle by fw worker 0 and outbound by fw worker 1 and cause issue?

  7. #7
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by cciesec2006 View Post
    how is multicore IPSec going to interact with Dynamic Dispatchers? Is it possible that an IPSec session inbound handle by fw worker 0 and outbound by fw worker 1 and cause issue?
    no, afaik
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  8. #8
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by cciesec2006 View Post
    how is multicore IPSec going to interact with Dynamic Dispatchers? Is it possible that an IPSec session inbound handle by fw worker 0 and outbound by fw worker 1 and cause issue?
    The single-core limitation for processing Remote Access SSL/TLS and IPSec has been around since the beginning, end enabling the DD has zero effect on it.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  9. #9
    Join Date
    2006-09-26
    Posts
    3,190
    Rep Power
    16

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by ShadowPeak.com View Post
    The single-core limitation for processing Remote Access SSL/TLS and IPSec has been around since the beginning, end enabling the DD has zero effect on it.
    LOL... obviously Checkpoint said the same thing about DD as well, zero effect and boost in performance, until there is issue :-(. My issue has been opened for two months, not the IPSec but DD.

    Now you can see why I am always skeptical !!!!

  10. #10
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Thank you all for your responses. I will just give an quick update. Tomorrow i will answer your questions. Today we spend much time with checkpoint support again
    and we installed Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz . It took some time to take the snapshots before updating. For the moment all is looging good
    but we have now 05:00 pm here and most people are logged out. Tomorrow is usual a day with much remote ussers cause friday much employees working from home
    and so i will see tomorrow if all is running better now. If not it will give me good chance to take the results of the commands you all reuested.

    Thank you very much
    Marco

  11. #11
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Hello again,

    just sending my last post. My session was running in timeouts again. So below you find the output that was requested before.
    The firewall is handling the internet traffic for the employees. There is no effect and also handling site to site vpn tunnel these
    are also not affected. Traffic handled by firewall between different network segments connected to the firewall is also fine.

    We just see the problems on remote access vpn. To be honest it looks for me like we have now more problems than before the patch.
    There are just 79 Tunnel acitve and we have timeouts. In the day we have ~150 tunnel.

    Thank you very much for your support.

    Best regards
    Marco

    Download speed with ftp was 1,5 mbit/s with 10 mbit internet access.

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.07.27 17:13:29 =~=~=~=~=~=~=~=~=~=~=~=

    Accelerator Status : on
    Accept Templates : enabled
    Drop Templates : disabled
    NAT Templates : disabled by user

    Accelerator Features : Accounting, NAT, Cryptography, Routing,
    HasClock, Templates, Synchronous, IdleDetection,
    Sequencing, TcpStateDetect, AutoExpire,
    DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
    WireMode, DropTemplates, NatTemplates,
    Streaming, MultiFW, AntiSpoofing, Nac,
    ViolationStats, AsychronicNotif, ERDOS,
    NAT64, GTPAcceleration, SCTPAcceleration,
    McastRoutingV2
    Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
    3DES, DES, CAST, CAST-40, AES-128, AES-256,
    ESP, LinkSelection, DynamicVPN, NatTraversal,
    EncRouting, AES-XCBC, SHA256
    [Expert@CP01:0]# fw w ctl affinity -l -rf
    CPU 0:eth1 eth6 eth2 eth7 eth3 Mgmt eth4
    CPU 1:fw_2
    CPU 2:fw_1
    CPU 3:fw_0
    All:fwpushd vpnd fwd mpdaemon cprid cpd
    [Expert@CP01:0]# netstat -ni
    Kernel Interface table
    Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
    Mgmt 1500 0 0 0 0 0 0 0 0 0 BMU
    bond1 1500 0 20731545 0 0 0 12523152 0 0 0 BMmRU
    bond1.125 1500 0 20324024 0 0 0 12169304 0 0 0 BMmRU
    bond1.127 1500 0 30711 0 0 0 30096 0 0 0 BMmRU
    bond1.128 1500 0 64778 0 0 0 30864 0 0 0 BMmRU
    bond1.180 1500 0 286562 0 0 0 254166 0 0 0 BMmRU
    bond1.181 1500 0 3 0 0 0 0 0 0 0 BMmRU
    bond1.182 1500 0 5734 0 0 0 4764 0 0 0 BMmRU
    bond1.183 1500 0 4 0 0 0 54 0 0 0 BMmRU
    bond1.185 1500 0 19508 0 0 0 33684 0 0 0 BMmRU
    eth1 1500 0 13301059 0 29 0 20252340 0 0 0 BMRU
    eth2 1500 0 30776427 0 34 0 31842844 0 0 0 BMRU
    eth3 1500 0 918762 0 0 0 6498844 0 0 0 BMsRU
    eth4 1500 0 19812791 0 0 0 6024312 0 0 0 BMsRU
    eth6 1500 0 173114 0 0 0 38832 0 0 0 BMRU
    eth7 1500 0 131243 0 0 0 848696 0 0 0 BMRU
    lo 16436 0 56930 0 0 0 56930 0 0 0 LRU
    [Expert@CP01:0]# fw ctl get int enable_ssl_multi_core
    enable_ssl_multi_core = 0
    [Expert@CP01:0]# top
    top - 17:14:29 up 50 min, 1 user, load average: 0.23, 0.11, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu(s): 0.9%us, 0.9%sy, 0.1%ni, 91.2%id, 1.5%wa, 1.0%hi, 4.3%si, 0.0%st
    Mem: 4043336k total, 3378536k used, 664800k free, 27748k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903076k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7883 admin 15 0 0 0 0 R 2 0.0 0:21.91 fw_worker_2
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/2
    9 admin 21 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2
    10 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/2
    11 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/3
    12 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/3
    13 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/3
    14 admin 10 -5 0 0 0 S 0 0.0 0:00.88 events/0
    15 admin 10 -5 0 0 0 S 0 0.0 0:00.01 events/1
    16 admin 10 -5 0 0 0 S 0 0.0 0:00.00 events/2
    top - 17:14:32 up 50 min, 1 user, load average: 0.21, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.9%us, 0.7%sy, 0.1%ni, 78.5%id, 1.5%wa, 4.1%hi, 14.2%si, 0.0%st
    Cpu1 : 1.1%us, 1.1%sy, 0.1%ni, 95.5%id, 1.5%wa, 0.0%hi, 0.7%si, 0.0%st
    Cpu2 : 0.7%us, 0.7%sy, 0.1%ni, 96.6%id, 1.4%wa, 0.0%hi, 0.6%si, 0.0%st
    Cpu3 : 1.1%us, 1.1%sy, 0.0%ni, 94.4%id, 1.6%wa, 0.0%hi, 1.8%si, 0.0%st
    Mem: 4043336k total, 3378412k used, 664924k free, 27748k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903076k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.11 fw_worker_0
    7883 admin 15 0 0 0 0 R 1 0.0 0:21.93 fw_worker_2
    1959 admin 18 0 33752 10m 8204 S 0 0.3 0:00.10 routed
    7882 admin 15 0 0 0 0 S 0 0.0 0:17.09 fw_worker_1
    9553 admin 15 0 429m 47m 25m S 0 1.2 0:29.77 fw_full
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/2
    9 admin 21 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2 top - 17:14:35 up 50 min, 1 user, load average: 0.21, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.0%us, 0.0%sy, 0.0%ni, 77.3%id, 0.0%wa, 3.3%hi, 19.4%si, 0.0%st
    Cpu1 : 0.3%us, 0.7%sy, 0.0%ni, 98.4%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
    Cpu2 : 0.0%us, 0.0%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
    Cpu3 : 0.0%us, 0.0%sy, 0.0%ni, 98.4%id, 0.7%wa, 0.0%hi, 1.0%si, 0.0%st
    Mem: 4043336k total, 3378380k used, 664956k free, 27764k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903068k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.14 fw_worker_0
    9553 admin 15 0 429m 47m 25m S 1 1.2 0:29.80 fw_full
    8786 admin 21 0 24872 9960 6940 S 1 0.2 0:01.15 snmpd
    7882 admin 15 0 0 0 0 S 0 0.0 0:17.10 fw_worker_1
    7883 admin 15 0 0 0 0 R 0 0.0 0:21.94 fw_worker_2
    16442 admin 15 0 2176 1104 828 R 0 0.0 0:00.01 top
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/2 top - 17:14:38 up 50 min, 1 user, load average: 0.19, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.7%us, 3.0%sy, 0.0%ni, 78.9%id, 0.0%wa, 4.6%hi, 12.9%si, 0.0%st
    Cpu1 : 7.9%us, 5.9%sy, 0.0%ni, 84.9%id, 0.7%wa, 0.0%hi, 0.7%si, 0.0%st
    Cpu2 : 0.7%us, 2.3%sy, 0.0%ni, 96.1%id, 0.0%wa, 0.0%hi, 1.0%si, 0.0%st
    Cpu3 : 6.6%us, 6.0%sy, 0.0%ni, 86.4%id, 0.0%wa, 0.0%hi, 1.0%si, 0.0%st
    Mem: 4043336k total, 3379928k used, 663408k free, 27772k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903072k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.17 fw_worker_0
    7882 admin 15 0 0 0 0 S 1 0.0 0:17.12 fw_worker_1
    7883 admin 15 0 0 0 0 R 1 0.0 0:21.96 fw_worker_2
    9553 admin 15 0 429m 47m 25m S 1 1.2 0:29.82 fw_full
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/2
    9 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2
    10 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/2 top - 17:14:41 up 50 min, 1 user, load average: 0.19, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.0%us, 0.0%sy, 0.0%ni, 82.2%id, 0.0%wa, 3.0%hi, 14.8%si, 0.0%st
    Cpu1 : 0.0%us, 0.3%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
    Cpu2 : 0.3%us, 0.0%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
    Cpu3 : 0.3%us, 0.3%sy, 0.0%ni, 98.7%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
    Mem: 4043336k total, 3379256k used, 664080k free, 27780k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903076k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.20 fw_worker_0
    7882 admin 15 0 0 0 0 S 1 0.0 0:17.14 fw_worker_1
    7883 admin 15 0 0 0 0 R 0 0.0 0:21.97 fw_worker_2
    8724 admin 16 0 34332 14m 9140 S 0 0.4 0:03.81 confd
    9109 admin 15 0 207m 46m 28m S 0 1.2 0:06.15 cpd
    9553 admin 15 0 429m 47m 25m S 0 1.2 0:29.83 fw_full
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/2 top - 17:14:44 up 50 min, 1 user, load average: 0.18, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.0%us, 0.0%sy, 0.0%ni, 75.9%id, 0.0%wa, 3.3%hi, 20.8%si, 0.0%st
    Cpu1 : 0.3%us, 0.0%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
    Cpu2 : 0.0%us, 0.0%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
    Cpu3 : 0.0%us, 0.7%sy, 0.0%ni, 98.3%id, 0.0%wa, 0.0%hi, 1.0%si, 0.0%st
    Mem: 4043336k total, 3379144k used, 664192k free, 27792k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903076k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.23 fw_worker_0
    9553 admin 15 0 429m 47m 25m S 1 1.2 0:29.86 fw_full
    7882 admin 15 0 0 0 0 S 0 0.0 0:17.15 fw_worker_1
    7883 admin 15 0 0 0 0 R 0 0.0 0:21.98 fw_worker_2
    10475 admin 15 0 189m 28m 20m S 0 0.7 0:01.51 cvpnd
    16442 admin 15 0 2176 1104 828 R 0 0.0 0:00.02 top







    top - 17:14:47 up 50 min, 1 user, load average: 0.16, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.3%us, 0.3%sy, 0.0%ni, 77.3%id, 0.0%wa, 3.3%hi, 18.8%si, 0.0%st
    Cpu1 : 0.0%us, 0.7%sy, 0.0%ni, 98.7%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
    Cpu2 : 0.0%us, 0.0%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
    Cpu3 : 0.3%us, 0.7%sy, 0.0%ni, 97.4%id, 0.0%wa, 0.0%hi, 1.6%si, 0.0%st
    Mem: 4043336k total, 3378800k used, 664536k free, 27800k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903076k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.27 fw_worker_0
    7883 admin 15 0 0 0 0 R 1 0.0 0:22.00 fw_worker_2
    14 admin 10 -5 0 0 0 S 0 0.0 0:00.89 events/0
    7882 admin 15 0 0 0 0 S 0 0.0 0:17.16 fw_worker_1
    9553 admin 15 0 429m 47m 25m S 0 1.2 0:29.87 fw_full
    10294 admin 15 0 241m 36m 18m S 0 0.9 0:11.69 vpnd
    16442 admin 15 0 2176 1104 828 R 0 0.0 0:00.03 top
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1 top - 17:14:50 up 51 min, 1 user, load average: 0.16, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.0%us, 0.0%sy, 0.0%ni, 83.2%id, 0.0%wa, 3.6%hi, 13.2%si, 0.0%st
    Cpu1 : 0.0%us, 0.0%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
    Cpu2 : 0.3%us, 0.0%sy, 0.0%ni, 99.0%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
    Cpu3 : 0.0%us, 0.3%sy, 0.0%ni, 99.0%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
    Mem: 4043336k total, 3378800k used, 664536k free, 27808k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1903076k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.30 fw_worker_0
    7883 admin 15 0 0 0 0 R 1 0.0 0:22.02 fw_worker_2
    9553 admin 15 0 429m 47m 25m S 1 1.2 0:29.89 fw_full
    7882 admin 15 0 0 0 0 S 0 0.0 0:17.17 fw_worker_1
    10294 admin 15 0 241m 36m 18m S 0 0.9 0:11.70 vpnd
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/2
    9 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2 top - 17:14:53 up 51 min, 1 user, load average: 0.15, 0.10, 0.09
    Tasks: 139 total, 2 running, 137 sleeping, 0 stopped, 0 zombie
    Cpu0 : 0.0%us, 0.3%sy, 0.0%ni, 81.5%id, 0.0%wa, 3.3%hi, 14.9%si, 0.0%st
    Cpu1 : 0.0%us, 0.0%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
    Cpu2 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
    Cpu3 : 0.3%us, 0.3%sy, 0.0%ni, 98.0%id, 0.0%wa, 0.0%hi, 1.3%si, 0.0%st
    Mem: 4043336k total, 3378364k used, 664972k free, 27852k buffers
    Swap: 10514532k total, 0k used, 10514532k free, 1902928k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7881 admin 15 0 0 0 0 S 1 0.0 0:55.33 fw_worker_0
    7882 admin 15 0 0 0 0 S 0 0.0 0:17.18 fw_worker_1
    7883 admin 15 0 0 0 0 R 0 0.0 0:22.03 fw_worker_2
    9553 admin 15 0 429m 47m 25m S 0 1.2 0:29.90 fw_full
    1 admin 15 0 2044 720 624 S 0 0.0 0:00.75 init
    2 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/0
    3 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
    4 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/0
    5 admin RT -5 0 0 0 S 0 0.0 0:00.01 migration/1
    6 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
    7 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/1
    8 admin RT -5 0 0 0 S 0 0.0 0:00.00 migration/2
    9 admin 15 0 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2
    10 admin RT -5 0 0 0 S 0 0.0 0:00.00 watchdog/2
    Ping of my remote client ip
    [Expert@CP01:0]# ping 10.8.210.30
    PING 10.8.210.30 (10.8.210.30) 56(84) bytes of data.
    64 bytes from 10.8.210.30: icmp_seq=3 ttl=128 time=14.3 ms
    64 bytes from 10.8.210.30: icmp_seq=7 ttl=128 time=14.4 ms
    64 bytes from 10.8.210.30: icmp_seq=8 ttl=128 time=14.7 ms
    64 bytes from 10.8.210.30: icmp_seq=11 ttl=128 time=13.4 ms
    64 bytes from 10.8.210.30: icmp_seq=12 ttl=128 time=14.2 ms
    64 bytes from 10.8.210.30: icmp_seq=15 ttl=128 time=13.0 ms
    64 bytes from 10.8.210.30: icmp_seq=16 ttl=128 time=15.1 ms
    64 bytes from 10.8.210.30: icmp_seq=18 ttl=128 time=14.0 ms
    64 bytes from 10.8.210.30: icmp_seq=19 ttl=128 time=36.6 ms
    64 bytes from 10.8.210.30: icmp_seq=20 ttl=128 time=32.6 ms
    64 bytes from 10.8.210.30: icmp_seq=22 ttl=128 time=15.5 ms
    64 bytes from 10.8.210.30: icmp_seq=23 ttl=128 time=17.4 ms
    64 bytes from 10.8.210.30: icmp_seq=24 ttl=128 time=14.8 ms
    64 bytes from 10.8.210.30: icmp_seq=26 ttl=128 time=13.4 ms

    --- 10.8.210.30 ping statistics ---
    26 packets transmitted, 14 received, 46% packet loss, time 25003ms
    rtt min/avg/max/mdev = 13.033/17.434/36.695/7.161 ms
    Ping to google to compare
    [Expert@CP01:0]# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=11.7 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=12.3 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=48 time=11.7 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=7 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=8 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=9 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=10 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=11 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=12 ttl=48 time=11.9 ms
    64 bytes from 8.8.8.8: icmp_seq=13 ttl=48 time=11.5 ms

    --- 8.8.8.8 ping statistics ---
    13 packets transmitted, 13 received, 0% packet loss, time 12000ms
    rtt min/avg/max/mdev = 11.530/11.687/12.343/0.235 ms
    [Expert@CP01:0]#
    Last edited by marco_d; 2017-07-27 at 11:41.

  12. #12
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by marco_d View Post
    Ping of my remote client ip
    [Expert@CP01:0]# ping 10.8.210.30
    PING 10.8.210.30 (10.8.210.30) 56(84) bytes of data.
    64 bytes from 10.8.210.30: icmp_seq=3 ttl=128 time=14.3 ms
    64 bytes from 10.8.210.30: icmp_seq=7 ttl=128 time=14.4 ms
    64 bytes from 10.8.210.30: icmp_seq=8 ttl=128 time=14.7 ms
    64 bytes from 10.8.210.30: icmp_seq=11 ttl=128 time=13.4 ms
    64 bytes from 10.8.210.30: icmp_seq=12 ttl=128 time=14.2 ms
    64 bytes from 10.8.210.30: icmp_seq=15 ttl=128 time=13.0 ms
    64 bytes from 10.8.210.30: icmp_seq=16 ttl=128 time=15.1 ms
    64 bytes from 10.8.210.30: icmp_seq=18 ttl=128 time=14.0 ms
    64 bytes from 10.8.210.30: icmp_seq=19 ttl=128 time=36.6 ms
    64 bytes from 10.8.210.30: icmp_seq=20 ttl=128 time=32.6 ms
    64 bytes from 10.8.210.30: icmp_seq=22 ttl=128 time=15.5 ms
    64 bytes from 10.8.210.30: icmp_seq=23 ttl=128 time=17.4 ms
    64 bytes from 10.8.210.30: icmp_seq=24 ttl=128 time=14.8 ms
    64 bytes from 10.8.210.30: icmp_seq=26 ttl=128 time=13.4 ms

    --- 10.8.210.30 ping statistics ---
    26 packets transmitted, 14 received, 46% packet loss, time 25003ms
    rtt min/avg/max/mdev = 13.033/17.434/36.695/7.161 ms
    Ping to google to compare
    [Expert@CP01:0]# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=11.7 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=12.3 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=48 time=11.7 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=7 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=8 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=9 ttl=48 time=11.5 ms
    64 bytes from 8.8.8.8: icmp_seq=10 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=11 ttl=48 time=11.6 ms
    64 bytes from 8.8.8.8: icmp_seq=12 ttl=48 time=11.9 ms
    64 bytes from 8.8.8.8: icmp_seq=13 ttl=48 time=11.5 ms

    --- 8.8.8.8 ping statistics ---
    13 packets transmitted, 13 received, 0% packet loss, time 12000ms
    rtt min/avg/max/mdev = 11.530/11.687/12.343/0.235 ms
    [Expert@CP01:0]#
    Uh yeah, 50% packet loss in your Remote Access VPN tunnels is probably going to cause a performance problem. There is massive packet loss in the RA VPN tunnel but latency is pretty stable (at least for crossing the Internet) so I doubt it is some kind of network problem.

    It looks like the firewall has plenty of memory and CPU so I doubt it is a tuning issue nor is MultiCore SSL needed. ICMP is never accelerated by SecureXL so I doubt disabling that will help.

    So at least you have a clear problem occurring (packet loss) during the periods of crappy performance. The next step is to figure out exactly how the ping packet loss is occurring:

    1) Is the echo request never leaving the firewall in the first place or being dropped/not encrypted?
    2) Is the echo request leaving the firewall but being lost in the forward direction to the client?
    3) Is the echo request arriving at the client but the client is dropping it? (or not answering)
    4) Is the echo reply sent by the client being lost on the return network path?
    5) Is the echo reply being dropped/not decrypted by the firewall on the return path?

    During the next period of lousy performance, I'd suggest running the following firewall commands in separate windows:
    (assume client's Office Mode IP is 10.8.210.30, and Client's real Internet-routable address is 129.82.102.32 for these examples)

    ping -n 10.8.210.30
    fw ctl zdebug drop
    fw monitor -e "icmp and (host(10.8.210.30) or host(129.82.102.32)), accept;"

    First zdebug command will show all packets being dropped by the firewall itself and the reason. You should see no drops for either IP Address occurring.

    Second command will show icmp packets prior to encryption and after encryption as they leave the firewall, and hopefully the packets coming back. Because you are running the ping from the firewall itself in the third command, only the o and O capture points will appear in the output for the echo request leaving, and only i and I capture points will appear for echo replies. Please post the results of running all these commands simultaneously in different windows during a period of crappy performance and we'll go from there.

    One other question: Do you also see roughly 50% packet loss pinging the RA VPN client from a system inside your network somewhere?
    Last edited by ShadowPeak.com; 2017-07-27 at 13:45.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  13. #13
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Hello,

    I checked the pings with wireshark at different positions. For me it looks like that the packet get lost back to remote client from checkpoint. I
    see all the way to the client and back request and reply without lost. Also on the interface of the checkpoint eth1 that is going to our internal network
    i see with tcpdump that for each request comes a reply but the reply never arrived to the client connected via remote vpn. The same timeout happend
    when i try ping from internal network to RA VPN

    Here are now the outputs.

    Thanks and regards
    Marco


    [Expert@CP02:0]# ping -n 10.8.211.46
    PING 10.8.211.46 (10.8.211.46) 56(84) bytes of data.
    64 bytes from 10.8.211.46: icmp_seq=1 ttl=128 time=27.8 ms
    64 bytes from 10.8.211.46: icmp_seq=2 ttl=128 time=22.6 ms
    64 bytes from 10.8.211.46: icmp_seq=4 ttl=128 time=32.3 ms
    64 bytes from 10.8.211.46: icmp_seq=5 ttl=128 time=25.9 ms
    64 bytes from 10.8.211.46: icmp_seq=7 ttl=128 time=22.4 ms
    64 bytes from 10.8.211.46: icmp_seq=8 ttl=128 time=43.3 ms
    64 bytes from 10.8.211.46: icmp_seq=10 ttl=128 time=23.2 ms
    64 bytes from 10.8.211.46: icmp_seq=11 ttl=128 time=24.1 ms
    64 bytes from 10.8.211.46: icmp_seq=13 ttl=128 time=28.6 ms
    64 bytes from 10.8.211.46: icmp_seq=14 ttl=128 time=24.2 ms
    64 bytes from 10.8.211.46: icmp_seq=16 ttl=128 time=23.8 ms
    64 bytes from 10.8.211.46: icmp_seq=17 ttl=128 time=23.5 ms
    64 bytes from 10.8.211.46: icmp_seq=19 ttl=128 time=22.2 ms

    --- 10.8.211.46 ping statistics ---
    19 packets transmitted, 13 received, 31% packet loss, time 18001ms
    rtt min/avg/max/mdev = 22.257/26.505/43.387/5.629 ms
    [Expert@CP02:0]# fw ctl zdebug drop
    Defaulting all kernel debugging options
    Initialized kernel debugging buffer to size 1023K
    Updated kernel's debug variable for module fw
    Kernel debugging buffer size: 1023KB
    Module: kiss
    Enabled Kernel debugging options: None

    Module: kissflow
    Enabled Kernel debugging options: error warning
    Messaging threshold set to type=Info freq=Common

    Module: fw
    Enabled Kernel debugging options: drop
    Messaging threshold set to type=Info freq=Common

    Module: h323
    Enabled Kernel debugging options: error
    Messaging threshold set to type=Info freq=Common

    Module: WS_SIP
    Enabled Kernel debugging options: None

    Module: multik
    Enabled Kernel debugging options: None

    Module: UC
    Enabled Kernel debugging options: None

    Module: dlpk
    Enabled Kernel debugging options: None

    Module: dlpuk
    Enabled Kernel debugging options: None

    Module: gtp
    Enabled Kernel debugging options: None

    Module: cluster
    Enabled Kernel debugging options: None

    Module: BOA
    Enabled Kernel debugging options: None

    Module: WSIS
    Enabled Kernel debugging options: None

    Module: cmi_loader
    Enabled Kernel debugging options: None

    Module: NRB
    Enabled Kernel debugging options: None

    Module: SGEN
    Enabled Kernel debugging options: None

    Module: RAD_KERNEL
    Enabled Kernel debugging options: None

    Module: WS
    Enabled Kernel debugging options: None

    Module: APPI
    Enabled Kernel debugging options: None

    Module: CI
    Enabled Kernel debugging options: None

    Module: SFT
    Enabled Kernel debugging options: None

    Module: ICAP_CLIENT
    Enabled Kernel debugging options: None

    Module: CPAS
    Enabled Kernel debugging options: error warning
    Messaging threshold set to type=Info freq=Common

    Module: VPN
    Enabled Kernel debugging options: err
    Messaging threshold set to type=Info freq=Common

    kiss_debug_report: start
    ;[cpu_0];[fw4_0];FW-1: Initializing debugging buffer to size 1023K;
    ;[cpu_0];[fw4_0];Setting the flags for debug module fw: drop;
    ;[cpu_0];[fw4_1];Setting the flags for debug module fw: drop;
    ;[cpu_0];[fw4_2];Setting the flags for debug module fw: drop;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.8.224.22:10123 -> 10.8.210.135:50936 dropped by vpn_encrypt_chain Reason: No error;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.43.39:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.8.224.90:54344 -> 80.169.150.17:80 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 241;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 10.8.224.91:57828 -> 80.169.150.17:80 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 241;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.8.230.52:37895 -> 10.8.224.54:37891 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 241;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=-1 ?:0 -> ?:0 dropped by fwha_select_arp_packet Reason: CPHA replies to arp;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.8.230.41:38125 -> 192.168.1.101:6379 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 241;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 10.8.210.138:138 -> 10.8.211.255:138 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 241;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 10.8.230.52:50549 -> 216.58.201.46:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 241;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.178.34:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;
    ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=17 213.61.154.140:4500 -> 192.168.2.104:4500 dropped by vpnktcp_tunnel_out Reason: vpnk_tcpt have to be tunneled;

    Defaulting all kernel debugging options

    [Expert@CP02:0]# fw monitor -e "icmp and (host(10.8.211.146) or host(213.61.153.82)), accept;"
    monitor: getting filter (from command line)
    monitor: compiling
    monitorfilter:
    Compiled OK.
    monitor: loading
    monitor: monitoring (control-C to stop)
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8537
    ICMP: type=8 code=0 echo request id=1 seq=45
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8537
    ICMP: type=8 code=0 echo request id=1 seq=45
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8537
    ICMP: type=8 code=0 echo request id=1 seq=45
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26007
    ICMP: type=0 code=0 echo reply id=1 seq=45
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26007
    ICMP: type=0 code=0 echo reply id=1 seq=45
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26007
    ICMP: type=0 code=0 echo reply id=1 seq=45
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8568
    ICMP: type=8 code=0 echo request id=1 seq=47
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8568
    ICMP: type=8 code=0 echo request id=1 seq=47
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8568
    ICMP: type=8 code=0 echo request id=1 seq=47
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26115
    ICMP: type=0 code=0 echo reply id=1 seq=47
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26115
    ICMP: type=0 code=0 echo reply id=1 seq=47
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26115
    ICMP: type=0 code=0 echo reply id=1 seq=47
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8596
    ICMP: type=8 code=0 echo request id=1 seq=49
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8596
    ICMP: type=8 code=0 echo request id=1 seq=49
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8596
    ICMP: type=8 code=0 echo request id=1 seq=49
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26179
    ICMP: type=0 code=0 echo reply id=1 seq=49
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26179
    ICMP: type=0 code=0 echo reply id=1 seq=49
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26179
    ICMP: type=0 code=0 echo reply id=1 seq=49
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8615
    ICMP: type=8 code=0 echo request id=1 seq=51
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8615
    ICMP: type=8 code=0 echo request id=1 seq=51
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8615
    ICMP: type=8 code=0 echo request id=1 seq=51
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26270
    ICMP: type=0 code=0 echo reply id=1 seq=51
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26270
    ICMP: type=0 code=0 echo reply id=1 seq=51
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26270
    ICMP: type=0 code=0 echo reply id=1 seq=51
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8632
    ICMP: type=8 code=0 echo request id=1 seq=53
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8632
    ICMP: type=8 code=0 echo request id=1 seq=53
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8632
    ICMP: type=8 code=0 echo request id=1 seq=53
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26355
    ICMP: type=0 code=0 echo reply id=1 seq=53
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26355
    ICMP: type=0 code=0 echo reply id=1 seq=53
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26355
    ICMP: type=0 code=0 echo reply id=1 seq=53
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8661
    ICMP: type=8 code=0 echo request id=1 seq=55
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8661
    ICMP: type=8 code=0 echo request id=1 seq=55
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8661
    ICMP: type=8 code=0 echo request id=1 seq=55
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26429
    ICMP: type=0 code=0 echo reply id=1 seq=55
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26429
    ICMP: type=0 code=0 echo reply id=1 seq=55
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26429
    ICMP: type=0 code=0 echo reply id=1 seq=55
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8687
    ICMP: type=8 code=0 echo request id=1 seq=57
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8687
    ICMP: type=8 code=0 echo request id=1 seq=57
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8687
    ICMP: type=8 code=0 echo request id=1 seq=57
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26507
    ICMP: type=0 code=0 echo reply id=1 seq=57
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26507
    ICMP: type=0 code=0 echo reply id=1 seq=57
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26507
    ICMP: type=0 code=0 echo reply id=1 seq=57
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8734
    ICMP: type=8 code=0 echo request id=1 seq=59
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8734
    ICMP: type=8 code=0 echo request id=1 seq=59
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8734
    ICMP: type=8 code=0 echo request id=1 seq=59
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26583
    ICMP: type=0 code=0 echo reply id=1 seq=59
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26583
    ICMP: type=0 code=0 echo reply id=1 seq=59
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26583
    ICMP: type=0 code=0 echo reply id=1 seq=59
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8738
    ICMP: type=8 code=0 echo request id=1 seq=60
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8738
    ICMP: type=8 code=0 echo request id=1 seq=60
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8738
    ICMP: type=8 code=0 echo request id=1 seq=60
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26595
    ICMP: type=0 code=0 echo reply id=1 seq=60
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26595
    ICMP: type=0 code=0 echo reply id=1 seq=60
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26595
    ICMP: type=0 code=0 echo reply id=1 seq=60
    [vs_0][fw_0] eth2:I[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8758
    ICMP: type=8 code=0 echo request id=1 seq=62
    [vs_0][fw_0] eth1[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8758
    ICMP: type=8 code=0 echo request id=1 seq=62
    [vs_0][fw_0] eth1:O[60]: 10.8.211.146 -> 10.8.232.42 (ICMP) len=60 id=8758
    ICMP: type=8 code=0 echo request id=1 seq=62
    [vs_0][fw_0] eth1:i[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26657
    ICMP: type=0 code=0 echo reply id=1 seq=62
    [vs_0][fw_0] eth1:I[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26657
    ICMP: type=0 code=0 echo reply id=1 seq=62
    [vs_0][fw_0] eth1[60]: 10.8.232.42 -> 10.8.211.146 (ICMP) len=60 id=26657
    ICMP: type=0 code=0 echo reply id=1 seq=62
    monitor: caught sig 2
    monitor: unloading
    [Expert@CP02:0]# timed out waiting for input: auto-logout

  14. #14
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: VPN Remote User with timeouts and low performance

    Your test ping is to 10.8.211.46, but your fw monitor is filtering on 10.8.211.146. I guess I'm a bit confused about what IP addresses are involved here as far as client's office mode IP address, Internet-routable address of the client, and source IP of the firewall used in the tunnel to ping the client. Please clarify. Ideally the test ping is running at the exact same time as the fw monitor to the same address so we can see the drops in real time.

    The "vpnk_tcpt have to be tunneled;" messages in the zdebug are just stating that the VPN traffic is being sent into process space because NAT-T (UDP/4500) is in use. Any strange error messages in $FWDIR/log/vpnd.elg or $CVPNDIR/log/cvpnd.elg? Are the vpnd/cvpnd daemons crashing and restarting constantly on the firewall? A "fw ctl zdebug drop" will not show drops/crashes occurring in process space on the firewall.
    Last edited by ShadowPeak.com; 2017-07-28 at 11:39.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  15. #15
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by ShadowPeak.com View Post
    Your test ping is to 10.8.211.46, but your fw monitor is filtering on 10.8.211.146. I guess I'm a bit confused about what IP addresses are involved here as far as client's office mode IP address, Internet-routable address of the client, and source IP of the firewall used in the tunnel to ping the client. Please clarify. Ideally the test ping is running at the exact same time as the fw monitor to the same address so we can see the drops in real time.

    The "vpnk_tcpt have to be tunneled;" messages in the zdebug are just stating that the VPN traffic is being sent into process space because NAT-T (UDP/4500) is in use. Any strange error messages in $FWDIR/log/vpnd.elg or $CVPNDIR/log/cvpnd.elg? Are the vpnd/cvpnd daemons crashing and restarting constantly on the firewall? A "fw ctl zdebug drop" will not show drops/crashes occurring in process space on the firewall.
    Hello,

    i am sorry i did a misstake with the ping. My ip of my remote client was 10.8.211.146 and another user had remote 10.8.211.46. I was one time stopping in between and i think i choose the wrong ip continue. But in fact its the same issue. We have the remote office network 10.8.210.0/23 so both adresses facing the same problem.

    I can do the test on monday again.

    Attached i put the output of the 2 files you requested as zip file

    Thanks and regards
    Marco
    Attached Files Attached Files

  16. #16
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Hello,

    today i tryed to change one old configuration i did 3 weeks ago with Remote Access Community back. Before it was for Remote Community set to same as gateway. We changed it to a defined network that is for our Remote Access user included one third party vpn. Okay when i try to change this via Checkpoint/topology.. it works. But when VPN Community/ Remote Access and change thant the Community for the Cluster is get this messaqge

    Click image for larger version. 

Name:	2017-07-31 17_26_48-10.8.232.41 - Remotedesktopverbindung.png 
Views:	122 
Size:	5.5 KB 
ID:	1294

    Checkpoint just say to me that this is very interresting and should not happen.

    I have no idea what is wrong here. The users are hunting me for the perfomrance issues

    BR
    Marco

  17. #17
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Default Re: VPN Remote User with timeouts and low performance

    i'm not sure if you've tried this, but you said you did a ftp and while logged in via vpn and it was slow. Have you tried doing the exact same fpl only using a nat rule to give the access? Just trying to verify the network path doesn't have issues basically.

    Also is this sslvpn or the end point security client? If its sslvpn can you try the end point client and see if it behaves differently?

  18. #18
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by jflemingeds View Post
    i'm not sure if you've tried this, but you said you did a ftp and while logged in via vpn and it was slow. Have you tried doing the exact same fpl only using a nat rule to give the access? Just trying to verify the network path doesn't have issues basically.

    Also is this sslvpn or the end point security client? If its sslvpn can you try the end point client and see if it behaves differently?

    Hello,

    we already checked the ftp transfer. That is working fine. We have a public ip nat to one privat ip in our internal network working as ftp server. There the performance is great. We connect with
    Checkpoint Remote Client Version 80.70 The test where i wrote that was slow ftp was when i connected via remote access client and do an ftp connect to a server in our office network. There i had
    timeouts.

    Checkpoint now ask me to change to visitor mode as only transport mode but i have no idea how to do that. Waiting for checkpoint that they tell me how to do.

    BR
    Marco

  19. #19
    Join Date
    2017-07-21
    Location
    Duesseldorf, Germany
    Posts
    21
    Rep Power
    0

    Default Re: VPN Remote User with timeouts and low performance

    Hello all,

    the problem is solved. We changed the transport mode with GuiDBedit to visitor mode. Before was auto detect configured. The timeouts are gone and now we have much more throughput on the
    remote connection.

    Thanks for all the help.

    Marco

  20. #20
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,648
    Rep Power
    9

    Default Re: VPN Remote User with timeouts and low performance

    Quote Originally Posted by marco_d View Post
    Hello all,

    the problem is solved. We changed the transport mode with GuiDBedit to visitor mode. Before was auto detect configured. The timeouts are gone and now we have much more throughput on the
    remote connection.

    Thanks for all the help.

    Marco
    Wow, thats kind of shocking. I've never heard of making a change like that, but vistor mode is the process where a remote vpn client logs in and get an IP address off a subnet that lives inside the firewall.

    do you happen to remember the full name of item you changed in guidbedit? Was it endpoint_vpn_ipsec_transport?

    I see that has autodetect, nat_t and vistor_mode as the options.

    Strange never heard of this before.

Page 1 of 2 12 LastLast

Similar Threads

  1. tunneling all remote VPN user traffic through edge
    By lucid in forum Check Point UTM-1 Edge Appliances
    Replies: 1
    Last Post: 2010-10-25, 07:01
  2. max remote access user with R65 on HP380 G5
    By suber in forum SecureClient/SecuRemote
    Replies: 1
    Last Post: 2009-09-09, 11:51
  3. Remote user to External Lan/Site
    By jasomo in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 0
    Last Post: 2009-06-04, 11:39
  4. Remote VPN User cannot connect to distant network
    By hotice_ in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 8
    Last Post: 2008-02-12, 14:54
  5. Issues with Remote User Access?
    By PuRowdy in forum Check Point UTM-1 Edge Appliances
    Replies: 1
    Last Post: 2006-08-09, 00:00

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •