topic Re: What is the best approach to troubleshoot "slow connections"? in Firewall and Security Management

What is the best approach to troubleshoot "slow connections"?

Maik — Tue, 06 Nov 2018 09:37:32 GMT

Hello fellow Check Point admins,

to keep it short - how do you troubleshoot slow connections?

Every now and then I receive requests from users/sys admins who complain that their backup jobs or all different kinds of traffic appears to be really slow once they have to pass a firewall in our environment. In most cases I am pretty sure that this is not the case, at least not related to the firewall. But as we all know - it always has to be the firewalls fault.

So that leads to the before mentioned questions. Currently I do several things to verify if I have some issues on the fw side, like:

- checking the related interfaces and error counters

- enable accounting in the logging of a related rule to see the transmitted data size

- check for possible TCP out of state logs, which could be related to timeouts and therefore throttle the connection due to reconnect attempts

But to be honest, I am pretty sure that there are other, better, approaches to determine if the firewall is the cause of slow downs or not. So please, tell me about your recommendations.

Regards,

Maik

Re: What is the best approach to troubleshoot "slow connections"?

G_W_Albrecht — Tue, 06 Nov 2018 12:02:55 GMT

This document here: sk98348: Best Practices - Security Gateway Performance !

Re: What is the best approach to troubleshoot "slow connections"?

Maik — Wed, 07 Nov 2018 07:42:53 GMT

Hello Günther,

Thanks for your reply. I am familiar with this document but I do not think that it is helping me in this case.

Maybe my description of the initial question was kinda bad worded.

I have users who have to run their backup service [TSM backup] via a firewall after a specific network migration. Now they complain that the backup takes 16 minutes instead of 4 minutes as before. A report of the backup from before shows a throughput of about 160MB/s while the current status only shows only about 50 MB/s. The related security gateway is a 64k appliance which has no trouble regarding the actual CPU and interface load. I'm basically struggeling to find a way to prove that the firewall is not the cause - or if it should be, to change that.

There are ways to caluclate the throughput based on the window size and round trip time - but is here any way to show the actual throughput of a specific session / between two hosts?

Maybe https://community.checkpoint.com/people/d401179d-0d5b-369d-a0f2-387c3ef54533 has an idea?

Regards,

Maik

Re: What is the best approach to troubleshoot "slow connections"?

Timothy_Hall — Thu, 08 Nov 2018 14:43:37 GMT

A good start is always running the "Super Seven" on the firewall to check its overall health and state as described here:

TechTalk: Security Gateway Performance Optimization with Tim Hall

These commands should more or less work on a 64k but that box is not one of my major areas of expertise.

Beyond that, one of the first things you should try to determine is whether the bad performance is caused by excessive latency (and possibly its evil sidekick jitter), flat-out packet loss, or maybe even both. Packet loss can generally be found and fixed, but latency issues are a bit tougher to figure out. Usually taking a packet capture of the problematic traffic then pulling it into Wireshark is helpful; look for TCP zero window events and long inter-packet delays. At a basic level you need to figure out is the client primarily waiting around for the server to do something or is it the other way around; the firewall could potentially be the cause of latency as well. That will at least give you a place to start looking for resource issues such as congestion or overloaded networks/systems.

90% of troubleshooting is knowing the right place to look, the remaining 10% of figuring out how to fix it isn't nearly as difficult.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com