https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34661#M7274 <HTML><HEAD></HEAD><BODY><P>The first problem has been resolved.</P><P>SecureXL was not working correctly due to fragmentation.</P><P>Changing the routing and MTU changed the behaviour of SecureXL.</P><P>Now SecureXL is fast for the connection with problems.</P><P></P><P>But...</P><P></P><P>When the customer does a single connection through the firewall. It gets 100 Mbit/s (limited by the other side).</P><P>After 6-7 minutes, the speed drops to 20 Mbit/s and cpu of VSX (fwk) goes up.</P><P>I think I'm htting a limit at the other side (no Check Point).</P><P>No drops at the Check Point.</P><P></P><P>Any tips?</P></BODY></HTML> Fri, 12 Oct 2018 14:46:12 GMT Sander_Zumbrink 2018-10-12T14:46:12Z https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34659#M7272 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I'm investigating some performance issues where a VSX firewall is in between.</P><P>The gateway is running R80.10 with JHF112.</P><P>The VS is using IPS, Antibot and application control.</P><P>But we've made some exceptions for specific traffic to bypass IPS, Antibot and not log in ApplControl.</P><P>Stats: 19% SXL, 59% PXL, 21% F2F.</P><P>fwk process uses approx. 50% of available CPU's.</P><P></P><P>Downloads where 1Mbyte/s through this VS.</P><P>When I disabled SecureXL (fwaccel off) the speed was 6 Mbyte/s.</P><P>This traffic was also using a F5 BIGIP loadbalancer.</P><P></P><P>When I make some connections without the loadbalancer, the speed was higher.</P><P>With SecureXL enabled it was 10 Mbyte/s and without secureXL it was 20 Mbyte/s.</P><P></P><P>Has anybody seen the same? Higher speeds with SecureXL disabled?</P><P>And did you find the cause of it?</P><P></P><P>Kind Regards,</P><P></P><P>Sander Zumbrink</P></BODY></HTML> Thu, 11 Oct 2018 12:13:46 GMT https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34659#M7272 Sander_Zumbrink 2018-10-11T12:13:46Z https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34660#M7273 <HTML><HEAD></HEAD><BODY><P>What kind of traffic?</P><P>Is it multiple flows or only a single flow?</P></BODY></HTML> Fri, 12 Oct 2018 14:36:34 GMT https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34660#M7273 PhoneBoy 2018-10-12T14:36:34Z https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34661#M7274 <HTML><HEAD></HEAD><BODY><P>The first problem has been resolved.</P><P>SecureXL was not working correctly due to fragmentation.</P><P>Changing the routing and MTU changed the behaviour of SecureXL.</P><P>Now SecureXL is fast for the connection with problems.</P><P></P><P>But...</P><P></P><P>When the customer does a single connection through the firewall. It gets 100 Mbit/s (limited by the other side).</P><P>After 6-7 minutes, the speed drops to 20 Mbit/s and cpu of VSX (fwk) goes up.</P><P>I think I'm htting a limit at the other side (no Check Point).</P><P>No drops at the Check Point.</P><P></P><P>Any tips?</P></BODY></HTML> Fri, 12 Oct 2018 14:46:12 GMT https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34661#M7274 Sander_Zumbrink 2018-10-12T14:46:12Z https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34662#M7275 <HTML><HEAD></HEAD><BODY><P>Dameon,</P><P></P><P>They are doing RSYNC over SSH on port 80.</P><P>I've excluded IPS/appl. control/TP.</P><P>And made a single port 80 service with application None.</P><P>It is a single flow.</P></BODY></HTML> Fri, 12 Oct 2018 14:48:56 GMT https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34662#M7275 Sander_Zumbrink 2018-10-12T14:48:56Z https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34663#M7276 <HTML><HEAD></HEAD><BODY><P>Well one thing I found out in Israel this week is that fragmented packets are no longer doomed to the slowpath on R80.20 gateways so there is that.</P><P></P><P>As far as the speed decrease that occurs after 6-7 minutes that sounds pretty odd, when troubleshooting a strange performance issue like that the main determination you need to make early is whether packet <EM>latency</EM> or <EM>loss</EM> is causing the slowdown.&nbsp; Easiest way to do that is run a continuous ping between the hosts during the transfer and see if the values being reported by ping change when the slowdown starts.&nbsp; This is not foolproof though as ICMP traffic is handled quite differently depending on the situation, the most common example I can think of is that ICMP is never accelerated by SecureXL whereas TCP and UDP can potentially be accelerated.&nbsp; The only definitive way to determine latency vs. loss as the cause is looking at a packet capture in Wireshark.</P><P></P><P>--<BR />Second Edition of my "Max Power" Firewall Book<BR /><SPAN>Now Available at </SPAN><A class="" href="http://www.maxpowerfirewalls.com" rel="nofollow">http://www.maxpowerfirewalls.com</A></P></BODY></HTML> Fri, 12 Oct 2018 22:26:50 GMT https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34663#M7276 Timothy_Hall 2018-10-12T22:26:50Z https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34664#M7277 <HTML><HEAD></HEAD><BODY><P>It looks like an issue on the customer side. The gateway (not checkpoint) there was limiting the traffic.</P><P>I assume that I'm receiving zero-window packets, but the dumps being provided are not complete.</P><P>For now the customer is letting the issue go and doing the backups another way.</P><P></P><P>Thanks for the replies.</P></BODY></HTML> Mon, 22 Oct 2018 07:35:31 GMT https://community.checkpoint.com/t5/General-Topics/VSX-SecureXL/m-p/34664#M7277 Sander_Zumbrink 2018-10-22T07:35:31Z