From: fw-1-mailinglist@amadeus.us.checkpoint.com, 24 February 2012, 9:22AM -0500

Re: [FW-1] Connections dropping when pushing policy
by Ray

I'm confused. I thought the Nokia on R65 was the firewall. The firewalls are licensed by CPU but the SmartCenters are not.

I'm pretty sure that Check Point did not enforce the CPU limit until very recent versions. But maybe not. I do get confused easily any more, especially on Check Point licensing. :-)

Ray

> Date: Thu, 23 Feb 2012 12:18:33 +0530
> From: mohamedn@FSS....
> Subject: Re: [FW-1] Connections dropping when pushing policy
> To: FW-1-MAILINGLIST@AMAD...
>
> I am not getting this NTP error message; anyway, I have enabled "Keep all
> connections" as per Tom's advice. We are looking for a good time to push
> and test. Thanks to all the people who replied; I will get back with the results.
>
> Ray,
>
> The reason we used R75.20 was that the Nokia was said to have 4 processors and it
> was using only 1 at a time. We were advised to use R75.20 to solve this.
>
>
> Regards
> Mohamed.n
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST@AMAD...] On Behalf Of Matthew
> Rossiter
> Sent: Wednesday, February 22, 2012 12:39 AM
> To: FW-1-MAILINGLIST@AMAD...
> Subject: Re: [FW-1] Connections dropping when pushing policy
>
> I had the same problem with a pair of Nokias in a VRRP configuration
> and a large policy.  Every time I pushed policy, connections would get
> dropped.   In the Nokia system logs I would see a lot of 'xntpd:
> restarting' messages.
> I found sk40322 and ended up disabling NTP as it recommends and just
> running an ntpdate once an hour.  The first thing I noticed was that the CPU load
> dropped by quite a bit, and I haven't seen a problem with dropped
> connections since then.
>
> Matt
>
> On 2/20/2012 10:19 PM, Mohamed N. - T.I. wrote:
> > Dear Ray,
> >
> > Ours is Nokia box hardware, with the SmartCenter running on a separate
> > PC with 4GB RAM.
> > Version: NGX (R65)
> > OS: IPSO Version: 4.2
> >
> > Average CPU - 14%
> > Active virtual memory - 650MB
> > Disk free % - 84
> >
> > cpmodule
> > Version: R75.20
> > OS: SecurePlatform
> >
> >
> > Even when disabling logging, we are seeing connections reset when a
> > policy is pushed. I thought the information below might be useful for
> > you. If not, please disregard it.
> >
> > Thanks
> >
> > Regards
> > Mohamed.N
> >
> >
> >
> > Interface table
> > ------------------------------------------
> > |Name  |Dir|Accept     |Drop  | Reject|Log |
> > ------------------------------------------
> > |re1c0 |in | 324109097| 297534|   15| 887|
> > |re1c0 |out| 333252079|   1229|     0|  22|
> > |eth4c0|in |         0|     0|     0|   0|
> > |eth4c0|out|         0|     0|     0|   0|
> > |eth3c0|in |       180|     0|     0|   0|
> > |eth3c0|out|       164|     0|     0|   0|
> > |re2c0 |in | 332223094| 391575|     0|1787|
> > |re2c0 |out| 323659116| 74667|     0|   5|
> > ------------------------------------------
> > |      |   |1313243730| 765005|    15|2701|
> > ------------------------------------------
> >
> >
> >
> > -----------------------
> > CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f perf fw)
> > -----------------------
> >
> > Product name:                                        FireWall-1
> > hmem - block size:                                   4096
> > hmem - requested bytes:                              20971520
> > hmem - initial allocated bytes:                      20971520
> > hmem - initial allocated blocks:                     0
> > hmem - initial allocated pools:                      0
> > hmem - current allocated bytes:                      20971520
> > hmem - current allocated blocks:                     5119
> > hmem - current allocated pools:                      1
> > hmem - maximum bytes:                                31457280
> > hmem - maximum pools:                                10
> > hmem - bytes used:                                   8864536
> > hmem - blocks used:                                  3332
> > hmem - bytes unused:                                 12106984
> > hmem - blocks unused:                                1787
> > hmem - bytes peak:                                   15669876
> > hmem - blocks peak:                                  4430
> > hmem - bytes internal use:                           70736
> > hmem - number of items:                              99428
> > hmem - alloc operations:                             114095822
> > hmem - free operations:                              113996394
> > hmem - failed alloc:                                 0
> > hmem - failed free:                                  0
> > kmem - system physical mem:                          0
> > kmem - available physical mem:                       0
> > kmem - aix heap size:                                0
> > kmem - bytes used:                                   44883372
> > kmem - blocking bytes used:                          1404360
> > kmem - non blocking bytes used:                      43479012
> > kmem - bytes unused:                                 0
> > kmem - bytes peak:                                   54765700
> > kmem - blocking bytes peak:                          1696556
> > kmem - non blocking bytes peak:                      53069144
> > kmem - bytes internal use:                           5192
> > kmem - number of items:                              649
> > kmem - alloc operations:                             22074683
> > kmem - free operations:                              22074034
> > kmem - failed alloc:                                 0
> > kmem - failed free:                                  0
> > inspect - packets:                                   1455110299
> > inspect - operations:                                3919265977
> > inspect - lookups:                                   884037145
> > inspect - record:                                    0
> > inspect - extract:                                   2384748506
> > cookies - total:                                     1495017859
> > cookies - alloc:                                     0
> > cookies - free:                                      0
> > cookies - dup:                                       5
> > cookies - get:                                       3683290696
> > cookies - put:                                       9252701
> > cookies - len:                                       1495188831
> > chains - alloc:                                      0
> > chains - free:                                       0
> > fragments - fragments:                               0
> > fragments - expired:                                 0
> > fragments - packets:                                 0
> > ufp - % hits ratio:                                  0
> > ufp - total connections:                             0
> > ufp - hits connections:                              0
> > ufp - session max:                                   0
> > ufp - session current:                               0
> > ufp - session count:                                 0
> > ufp - rej session :                                  0
> > ufp - time stamp:                                    
> > ufp - is alive:                                      0
> > http - pid:                                          0
> > http - proto:                                        0
> > http - port:                                         0
> > http - logical port:                                 0
> > http - max avail socket:                             0
> > http - socket in use max:                            0
> > http - socket in use current:                        0
> > http - socket in use count:                          0
> > http - session max:                                  0
> > http - session current:                              0
> > http - session count:                                0
> > http - auth session max:                             0
> > http - auth session current:                         0
> > http - auth session count:                           0
> > http - accepted session:                             0
> > http - rejected session:                             0
> > http - auth failures:                                0
> > http - opsec cvp session max:                        0
> > http - opsec cvp session current:                    0
> > http - opsec cvp session count:                      0
> > http - opsec cvp rej session :                       0
> > http - ssl encryp session max:                       0
> > http - ssl encryp session current:                   0
> > http - ssl encryp session count:                     0
> > http - transparent session max:                      0
> > http - transparent session current:                  0
> > http - transparent session count:                    0
> > http - proxied session max:                          0
> > http - proxied session current:                      0
> > http - proxied session count:                        0
> > http - tunneled session max:                         0
> > http - tunneled session current:                     0
> > http - tunneled session count:                       0
> > http - ftp session max:                              0
> > http - ftp session current:                          0
> > http - ftp session count:                            0
> > http - time stamp:                                  
> > http - is alive:                                     0
> > ftp - pid:                                           0
> > ftp - proto:                                         0
> > ftp - port:                                          0
> > ftp - logical port:                                  0
> > ftp - max avail socket:                              0
> > ftp - socket in use max:                             0
> > ftp - socket in use current:                         0
> > ftp - socket in use count:                           0
> > ftp - session max:                                   0
> > ftp - session current:                               0
> > ftp - session count:                                 0
> > ftp - auth session max:                              0
> > ftp - auth session current:                          0
> > ftp - auth session count:                            0
> > ftp - accepted session:                              0
> > ftp - rejected session:                              0
> > ftp - auth failures:                                 0
> > ftp - opsec cvp session max:                         0
> > ftp - opsec cvp session current:                     0
> > ftp - opsec cvp session count:                       0
> > ftp - opsec cvp rej session :                        0
> > ftp - time stamp:                                    
> > ftp - is alive:                                      0
> > telnet - pid:                                        0
> > telnet - proto:                                      0
> > telnet - port:                                       0
> > telnet - logical port:                               0
> > telnet - max avail socket:                           0
> > telnet - socket in use max:                          0
> > telnet - socket in use current:                      0
> > telnet - socket in use count:                        0
> > telnet - session max:                                0
> > telnet - session current:                            0
> > telnet - session count:                              0
> > telnet - auth session max:                           0
> > telnet - auth session current:                       0
> > telnet - auth session count:                         0
> > telnet - accepted session:                           0
> > telnet - rejected session:                           0
> > telnet - auth failures:                              0
> > telnet - time stamp:                                
> > telnet - is alive:                                   0
> > rlogin - pid:                                        0
> > rlogin - proto:                                      0
> > rlogin - port:                                       0
> > rlogin - logical port:                               0
> > rlogin - max avail socket:                           0
> > rlogin - socket in use max:                          0
> > rlogin - socket in use current:                      0
> > rlogin - socket in use count:                        0
> > rlogin - session max:                                0
> > rlogin - session current:                            0
> > rlogin - session count:                              0
> > rlogin - auth session max:                           0
> > rlogin - auth session current:                       0
> > rlogin - auth session count:                         0
> > rlogin - accepted session:                           0
> > rlogin - rejected session:                           0
> > rlogin - auth failures:                              0
> > rlogin - time stamp:                                
> > rlogin - is alive:                                   0
> > smtp - pid:                                          0
> > smtp - proto:                                        0
> > smtp - port:                                         0
> > smtp - logical port:                                 0
> > smtp - max avail socket:                             0
> > smtp - socket in use max:                            0
> > smtp - socket in use current:                        0
> > smtp - socket in use count:                          0
> > smtp - session max:                                  0
> > smtp - session current:                              0
> > smtp - session count:                                0
> > smtp - accepted session:                             0
> > smtp - rejected session:                             0
> > smtp - mail max:                                     0
> > smtp - mail curr:                                    0
> > smtp - mail count:                                   0
> > smtp - outgoing mail max:                            0
> > smtp - outgoing mail curr:                           0
> > smtp - outgoing mail count:                          0
> > smtp - max mail on conn:                             0
> > smtp - total mails :                                 0
> > smtp - time stamp:                                  
> > smtp - is alive:                                     0
> > sync - configured:                                   Yes
> > sync - out state:                                    On
> > sync - in state:                                     On
> > sync - number of sent packets:                       6159304
> > sync - number of Kbytes sent:                        5345165
> > sync - number of packets received:                   4871821
> > sync - number of Kbytes received:                    5597043
> > sync - number of retrans requests sent:              4599
> > sync - number of retrans requests received:          755
> > sync - number of ack packets sent:                   100250
> > sync - number of ack packets received:               3087169
> > sync - number of packets dropped by network:         139
> > sync - overall number of table updates to be synced: 54785806
> > sync - number of updates filtered by 'non sync':     227
> >
> >
> > -----------------------
> > CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f hmem fw)
> > -----------------------
> >
> > Product name:                    FireWall-1
> > hmem - block size:               4096
> > hmem - requested bytes:          20971520
> > hmem - initial allocated bytes:  20971520
> > hmem - initial allocated blocks: 0
> > hmem - initial allocated pools:  0
> > hmem - current allocated bytes:  20971520
> > hmem - current allocated blocks: 5119
> > hmem - current allocated pools:  1
> > hmem - maximum bytes:            31457280
> > hmem - maximum pools:            10
> > hmem - bytes used:               8864536
> > hmem - blocks used:              3332
> > hmem - bytes unused:             12106984
> > hmem - blocks unused:            1787
> > hmem - bytes peak:               15669876
> > hmem - blocks peak:              4430
> > hmem - bytes internal use:       70736
> > hmem - number of items:          99428
> > hmem - alloc operations:         114095822
> > hmem - free operations:          113996394
> > hmem - failed alloc:             0
> > hmem - failed free:              0
> >
> >
> > -----------------------
> > CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f kmem fw)
> > -----------------------
> >
> > Product name:                   FireWall-1
> > kmem - system physical mem:     0
> > kmem - available physical mem:  0
> > kmem - aix heap size:           0
> > kmem - bytes used:              44883372
> > kmem - blocking bytes used:     1404360
> > kmem - non blocking bytes used: 43479012
> > kmem - bytes unused:            0
> > kmem - bytes peak:              54765700
> > kmem - blocking bytes peak:     1696556
> > kmem - non blocking bytes peak: 53069144
> > kmem - bytes internal use:      5192
> > kmem - number of items:         649
> > kmem - alloc operations:        22074683
> > kmem - free operations:         22074034
> > kmem - failed alloc:            0
> > kmem - failed free:             0
> >
> >
> > -----------------------
> > CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f inspect fw)
> > -----------------------
> >
> > Product name:         FireWall-1
> > inspect - packets:    1455127417
> > inspect - operations: 3920038161
> > inspect - lookups:    884053472
> > inspect - record:     0
> > inspect - extract:    2384993499
> >
> >
> > -----------------------
> > CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f cookies fw)
> > -----------------------
> >
> > Product name:    FireWall-1
> > cookies - total: 1495035775
> > cookies - alloc: 0
> > cookies - free:  0
> > cookies - dup:   5
> > cookies - get:   3683385478
> > cookies - put:   9252851
> > cookies - len:   1495206747
> >
> >
> >
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST@AMAD...] On Behalf Of Ray
> > Sent: Tuesday, February 21, 2012 1:18 AM
> > To: FW-1-MAILINGLIST@AMAD...
> > Subject: Re: [FW-1] Connections dropping when pushing policy
> >
> > It sounds more like under-powered hardware. What are you using, and is
> > the SmartCenter on the same box as the firewall?
> >
> > Ray
> >
> >> Date: Mon, 20 Feb 2012 17:33:05 +0530
> >> From: mohamedn@FSS....
> >> Subject: Re: [FW-1] Connections dropping when pushing policy
> >> To: FW-1-MAILINGLIST@AMAD...
> >>
> >> Dear All,
> >>
> >> We have a Nokia, and Check Point R75.20 is running on it. We have some
> >> 300 rule bases and enabled logging for all the rules. When it was put into
> >> production, the CPU got overloaded, and particularly when I push the
> >> policy, all ongoing connections drop. We have disabled the logs
> >> and thereafter found normal behaviour. I wonder if enabling logging
> >> caused the CPU hog.
> >>
> >> Regards
> >>
> >> Mohamed.N
> >>
> >> DISCLAIMER:
> >> ==========================================================================
> >> The information contained in this e-mail message may be privileged and/or
> >> confidential and protected from disclosure under applicable law. It is
> >> intended only for the individual to whom or entity to which it is addressed
> >> as shown at the beginning of the message. If the reader of this message is
> >> not the intended recipient, or if the employee or agent responsible for
> >> delivering the message is not an employee or agent of the intended
> >> recipient, you are hereby notified that any review, dissemination,
> >> distribution, use, or copying of this message is strictly prohibited. If
> >> you have received this message in error, please notify us immediately by
> >> return e-mail and permanently delete this message and your reply to the
> >> extent it includes this message. Any views or opinions presented in this
> >> message or attachments are those of the author and do not necessarily
> >> represent those of the Company. All e-mails and attachments sent and
> >> received are subject to monitoring, reading, and archival by the Company.
> >> ==========================================================================
> >> =================================================
> >> To set vacation, Out-Of-Office, or away messages,
> >> send an email to LISTSERV@amad...
> >> in the BODY of the email add:
> >> set fw-1-mailinglist nomail
> >> =================================================
> >> To unsubscribe from this mailing list,
> >> please see the instructions at
> >> http://www.checkpoint.com/services/mailing.html
> >> =================================================
> >> If you have any questions on how to change your
> >> subscription options, email
> >> fw-1-owner@ts.c...
> >> =================================================
> >
> >
> >
>
>
>
>
>
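The `cpstat -f perf fw` counters quoted in this thread, read by a small parser that flags the memory and state-sync values worth checking when a policy push drops connections. This is an added example, not code from the thread or from Check Point; the sample is an abbreviated copy of the thread's counters, and the warning thresholds (`hmem_warn`, `retrans_warn`) are assumed values.

```python
"""Parse `cpstat -f perf fw` output and flag the memory and state-sync counters
worth checking when connections drop on a policy push. Added example, not code
from the thread; the warning thresholds are assumptions, not Check Point guidance."""
import re
from typing import Dict, List, Union

# Constructed sample: an abbreviated copy of the counters quoted in the thread.
SAMPLE_CPSTAT = """\
Product name:                                        FireWall-1
hmem - maximum bytes:                                31457280
hmem - bytes used:                                   8864536
hmem - bytes peak:                                   15669876
hmem - failed alloc:                                 0
kmem - bytes peak:                                   54765700
kmem - failed alloc:                                 0
ufp - rej session :                                  0
ufp - time stamp:
sync - configured:                                   Yes
sync - out state:                                    On
sync - in state:                                     On
sync - number of sent packets:                       6159304
sync - number of packets received:                   4871821
sync - number of retrans requests sent:              4599
sync - number of packets dropped by network:         139
"""

# "key:   value"; the lazy key group drops blanks before the colon ("rej session :").
_LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_cpstat(text: str) -> Dict[str, Union[int, str, None]]:
    """Map each counter name to an int, a string, or None for an empty value."""
    stats: Dict[str, Union[int, str, None]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # separator or blank line, no counter on it
        key, val = m.group("key"), m.group("val")
        if val == "":
            stats[key] = None
        elif re.fullmatch(r"-?\d+", val):
            stats[key] = int(val)
        else:
            stats[key] = val
    return stats


def hmem_peak_ratio(stats: Dict[str, Union[int, str, None]]) -> float:
    """Peak hash-table (hmem) usage as a fraction of the configured maximum."""
    return stats["hmem - bytes peak"] / stats["hmem - maximum bytes"]


def sync_retrans_ratio(stats: Dict[str, Union[int, str, None]]) -> float:
    """Retransmit requests this member sent per sync packet it received."""
    received = stats["sync - number of packets received"] or 0
    return stats["sync - number of retrans requests sent"] / received if received else 0.0


def assess(stats, hmem_warn: float = 0.8, retrans_warn: float = 0.01) -> List[str]:
    """Return findings in a fixed order; an empty list means nothing stood out."""
    findings: List[str] = []
    for area in ("hmem", "kmem"):
        failed = stats.get(f"{area} - failed alloc")
        if failed:  # any failed allocation is worth a look
            findings.append(f"{area} allocation failures: {failed}")
    ratio = hmem_peak_ratio(stats)
    if ratio >= hmem_warn:  # assumed threshold
        findings.append(f"hmem peak at {ratio:.0%} of maximum")
    if stats.get("sync - configured") == "Yes":
        if stats.get("sync - out state") != "On" or stats.get("sync - in state") != "On":
            findings.append("state sync configured but not On in both directions")
        rr = sync_retrans_ratio(stats)
        if rr >= retrans_warn:  # assumed threshold
            findings.append(f"sync retransmit ratio {rr:.2%}")
        dropped = stats.get("sync - number of packets dropped by network") or 0
        if dropped:
            findings.append(f"sync packets dropped by network: {dropped}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_cpstat(SAMPLE_CPSTAT)) or ["nothing stood out"]:
        print(finding)
```

The xntpd restarts and CPU hog described in the thread will not show up in these counters; this only helps rule memory pressure and state-sync trouble in or out.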
     


