topic Re: R80.10 gateway, can't set sim_clamp_vpn_mss in General Topics

R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 14 Nov 2017 20:05:32 GMT

We recently went from R75.46 to R80.10 on a new cluster.

But now we are experiencing IPSec VPN issues, mostly with Azure VPN gw.

We have verified that this is an MTU/MSS issue by temporarily lowering MTU on one of our AD DCs in-house as well as one of the Azure AD servers. However that is not a desirable configuration in the long run.

After plowing through a bunch of SKs I have concluded that what we need to do is enable the sim_clamp_vpn_mss kernel parameter.

Following instructions in this SK doesn't work, even if it says that it applies to R80.10

New VPN features in R77.20

So how can we enable sim_clamp_vpn_mss?

Is it as simple as using GuiDBedit?

Here are the relevant settings from one of the cluster gateways:

Edited simkern.conf and rebooted, no effect.

# @cat $PPKDIR/boot/modules/simkern.conf
sim_clamp_vpn_mss=1

# fw ctl get int fw_clamp_vpn_mss
fw_clamp_vpn_mss = 1

# fw ctl get int sim_clamp_vpn_mss
fw: Get operation failed: failed to get parameter

# fw ctl get int fw_clamp_tcp_mss
fw_clamp_tcp_mss = 0

# fw ctl get int fw_clamp_tcp_mss_control
fw: Get operation failed: failed to get parameter

# fw ctl get int mss_value
fw: Get operation failed: failed to get parameter

# fw ctl get int sim_ipsec_dont_fragment
fw: Get operation failed: failed to get parameter

# fw ctl get int sim_keep_DF_flag
fw: Get operation failed: failed to get parameter

Any ideas?

Hakan Palmryd

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Vladimir — Tue, 14 Nov 2017 21:03:17 GMT

Hakan,

I recall changing these settings when setting up the tunnels to AWS VPG.

According to the document on AWS describing VPN with Check Point:

To enable TCP MSS clamping

Navigate to the following directory: C:\Program Files (x86)\CheckPoint\SmartConsole\R77.10\PROGRAM\.
Open the Check Point Database Tool by running the GuiDBEdit.exe file.
Choose Table, Global Properties, properties.
For fw_clamp_tcp_mss, choose Edit. Change the value to true and choose OK.

The source could be found here:

Example: Check Point Device without Border Gateway Protocol - Amazon Virtual Private Cloud

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 14 Nov 2017 21:16:22 GMT

Hi Vladimir.

Thanks for your quick reply.

The problem is that we only want to enable MSS clamping on VPN tunnels, not globally on the gateway.

Also, the "sim_clamp_vpn_mss" parameter is not defined at all, searching for it in GuiDBEdit yields nothing.

(However fw_clamp_vpn_mss is enabled, so disabling SecureXL would probably work, but obviously that is not a desired solution)

So it is still a mystery how to define and enable this setting in R80.10...

/Johan

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Vladimir — Tue, 14 Nov 2017 21:29:34 GMT

Johan,

I am as well uncertain if it is possible to implement it exclusively on tunnels, but considering that creation of VTIs will disable CoreXL, maybe using Azure's (or AWS), default VPN gateways is not the best option unless you have dedicated on-premises check point gateways allocated for cloud connectivity specifically.

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Timothy_Hall — Tue, 14 Nov 2017 22:11:58 GMT

sim_clamp_vpn_mss definitely exists in the simmod SecureXL driver in R80.10, so you have the right variable name and it hasn't changed. Unfortunately there is no way to query the live value of SecureXL variables, unlike doing fw ctl get int for the INSPECT driver. Looks like you have verified the proper variables are set for clamping in the INSPECT driver.

I would suggest running "sim vpn off; fwaccel off; fwaccel on" and see if the situation improves. That command will force all VPN traffic into INSPECT (where it will hopefully get clamped correctly) and keep SecureXL from handling it at all.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 14 Nov 2017 22:22:16 GMT

Thanks for your insight on this.

Yeah, crippling SecureXL would obviously verify that we are correct in our assumptions.

Not sure what the performance hit would be?

We run about a dozen IPSec tunnels across the globe...

Anyhow, I will disable VPN acceleration now and see if thing look better.

/Johan

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 14 Nov 2017 22:28:50 GMT

Just nitpicking, but syntax appears to have changed to fwaccel on|off

Change verified by fwaccel stat, showing "Cryptography Features Mask : not available"

Let's see if it works.

/Johan

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Timothy_Hall — Tue, 14 Nov 2017 22:31:56 GMT

Those commands don't really cripple SecureXL, it will still do all acceleration except site to site VPN. Shouldn't be a huge performance hit. Also fixed syntax in above commands.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 14 Nov 2017 22:48:43 GMT

SUCCESS!

Following Tim Hall‌ 's suggestions appear do have done the trick.

Running 'tcpdump -i <IF-name> host <a.b.c.d> and "tcp[13] == 2"' now shows MSS adjusted down to 1366 as opposed to 1460

Lets just hop the AD-replications complete successfully now...

/Johan

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Timothy_Hall — Tue, 14 Nov 2017 22:55:19 GMT

Glad to hear it, however it sounds like MSS clamping (or setting the variable) has a problem with SecureXL for R80.10. Are you running the latest R80.10 GA jumbo hotfix? There don't seem to be any fixes related to your problem in the jumbo HFAs but I thought I'd ask anyway.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 14 Nov 2017 22:59:08 GMT

Yes, up-to-date on the maintrain release, no custom HFs.

# fw ver
This is Check Point's software version R80.10 - Build 423
# fwaccel ver
Firewall version: R80.10 - Build 025
Acceleration Device: Performance Pack
Accelerator Version 2.1
Firewall API version: 2.91NG (15/5/2014)
Accelerator API version: 2.91NG (15/5/2014)
#

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Timothy_Hall — Tue, 14 Nov 2017 23:07:55 GMT

OK hopefully Dameon Welch Abernathy will see this thread and can alert the SecureXL team about this possible issue.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

PhoneBoy — Tue, 14 Nov 2017 23:32:01 GMT

I eventually get to all the threads on CheckMates

While I will alert the relevant R&D folks, your best bet is to open a TAC case: Contact Support | Check Point Software

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 14 Nov 2017 23:40:10 GMT

I think I'll drop this in the Swedish SEs' lap... 😉

Ping https://community.checkpoint.com/people/hakane93c2d47-872d-4ed8-a523-121a5b601b8e‌ https://community.checkpoint.com/people/fredre96b5099-96e3-3899-b4f8-9f1cb401955d‌

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Timothy_Hall — Wed, 15 Nov 2017 12:48:20 GMT

One last thing: the sim vpn off command will not survive a reboot. To make it persistent add sim_is_vpn_disabled=1 to $PPKDIR/boot/modules/simkern.conf. Because there is no way to pull the live state of SecureXL variables, I'm curious to see if adding this variable works properly in your environment, such that after a reboot fwaccel stat says that cryptography features are disabled which can easily be checked.

I find it odd that the clamping function in SecureXL is suddenly broken in R80.10, and wonder if the sim_clamp_vpn_mss variable is just not being set properly at boot time. Might be interesting to run an od -c $PPKDIR/boot/modules/simkern.conf to make sure there are no unprintable characters messing up the parsing of the file at boot, also did you see any sim errors written to syslog at boot time? Pretty sure that's where simmod would complain if it had a boot-time problem parsing the simkern.conf file.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Wed, 15 Nov 2017 15:07:17 GMT

Unfortunately, sim vpn off led to a lot of problems with our tunnels to older GWs, both R77.30 and R75.46 (I know, we SHOULD update)

Really weird behavior where we saw outgoing traffic getting encrypted, but 0 packets coming back.

And at the far end of the tunnel we saw exactly nothing.

So I guess we completely broke MSS, leading to silent drops..

I have started the process of creating a TAC, will post case # here when we get it. (On Collaborative support ;-(

Here is the od -c, found no sim related errors, will do a reboot of passive gateway later tonight.

# od -c $PPKDIR/boot/modules/simkern.conf

0000000 s i m _ c l a m p _ v p n _ m s

0000020 s = 1 \n

0000024

/Johan

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

CP-NDA — Wed, 15 Nov 2017 19:56:33 GMT

Hi,

We had a similar issue and here is how we solved it with TAC:

1. Enable MSS Clamping on the Gateway for VPN
fw ctl set int fw_clamp_vpn_mss 1

If SecureXL is enable you have to enable MSS Clamping in SecureXL
vi $PPKDIR/boot/modules/simkern.conf
sim_clamp_vpn_mss=1

Reboot the GW . I don't know how to reload this parameter on fly

2. Decrease MSS value via GUIDbEdit
Set "mss_value" to the desired value (1360 in our case) on each involved interface in the VPN communication

Nicolas

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Johan_Hillstrom — Tue, 21 Nov 2017 07:47:45 GMT

Sorry for late feedback on this.

We got the same answer as Nicolas from TAC.

Enabling fw_clamp_vpn_mss, AND manually specifying mss_value (we set 1350 per MS recommendations)

Previously we had mss_value set to 0 to facilitate automatic calculation of MSS.

Strange thing is that this was working properly on R75.46, so apparently something has changed when it comes to automatically calculating MSS.

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

Ilmo_Anttonen — Wed, 03 Jan 2018 07:21:44 GMT

Johan, thanks for the update.

Did you set mss_value globally or on specific interfaces? I'm curious to learn if there are any negative side effects from setting it globally.. I have a client with the same issue as described in OP, except that we were able to set all values but with no effect.

Re: R80.10 gateway, can't set sim_clamp_vpn_mss

CP-NDA — Wed, 03 Jan 2018 07:39:45 GMT

Yes we set it globally on each interfaces involved in the VPN communication (External / Internal / DMZ / ...)