topic Re: 1550 VPN establishment delay in Spark Firewall (SMB)

1550 VPN establishment delay

BorisL — Fri, 15 May 2020 15:00:45 GMT

Some users observe that when connecting to VPN (from Capsule on Windows or IOS in our case), there is a delay until they can reach internal resources. They have to wait between 15 seconds and half a minute until they can reach devices with the allowed protocols.

Has anybody else experienced this problem?

Re: 1550 VPN establishment delay

PhoneBoy — Sat, 16 May 2020 22:35:45 GMT

It does take some time for the VPN to negotiate and connect.
How precisely are you measuring this?
Have you done any tcpdumps to see what's going on?

Re: 1550 VPN establishment delay

HristoGrigorov — Sun, 17 May 2020 03:38:51 GMT

What about Endpoint Security VPN client ? It has a nice progress window where you can see which phase of VPN establishment takes the most time. Usually that is the one where topology is downloaded from gateway if needed.

Re: 1550 VPN establishment delay

BorisL — Sun, 17 May 2020 06:22:05 GMT

Also happpens with Endpoint Security Client. The delay occurs after negotiation is complete.

The other strange thing is that this does not happen for all connections. Some connections (few) get immediate connectivity.

Re: 1550 VPN establishment delay

BorisL — Sun, 17 May 2020 06:24:05 GMT

I have not performed any measurements. Basically user experience being reported. And my own.

Also, as mentioned in other reports, it does not happen very time. Some connections get immediate connectivity.

How do I get a tcpdump on a 1550?

Re: 1550 VPN establishment delay

PhoneBoy — Mon, 18 May 2020 01:28:52 GMT

tcpdump is accessible in expert mode from the CLI.

Re: 1550 VPN establishment delay

G_W_Albrecht — Mon, 18 May 2020 08:28:18 GMT

I would instantly involve TAC using chat if there is a good chance to replicate the issue in a quick RAS !

Re: 1550 VPN establishment delay

Chris_Atkinson — Mon, 18 May 2020 11:06:17 GMT

For iOS setting the "tunType" custom data value to force snx (SSL) may improve the delay in cases where the client might be attempting IPSec first for example and failing.

Refer: http://supportcontent.checkpoint.com/documentation_download?id=20361

Re: 1550 VPN establishment delay

BorisL — Mon, 18 May 2020 11:46:02 GMT

Hi Chris.

I will test this creating an iPhone profile to add the setting.

Nevertheless I must note that:

- the delay in accessing internal devices occurs after negotiation is over and "connected" status is presented by the client.

- users have also reported the delay using Windows 10 Capsule and Enpoint Security from Mac, so it does not seem to be specific to IOS, but rather to the 1550.

- we have no reports on this delay when connecting to R80.10, R80.30 or R80.40 open servers

Thanks.

Re: 1550 VPN establishment delay

Chris_Atkinson — Mon, 18 May 2020 11:54:46 GMT

Thanks for clarifying, please test the latest build of R80.20.05 if not already and engage TAC to assist further.

Re: 1550 VPN establishment delay

BorisL — Mon, 18 May 2020 12:11:01 GMT

We had a very bad experience with TAC (Premium Support) in previous issue with 1550, so I prefer to wait and test available recommendations posted here.

Users will have to live with the short delay (sometimes a couple of retries connecting to their device) in the meantime.

Thanks again and best regards.

Re: 1550 VPN establishment delay

HristoGrigorov — Mon, 18 May 2020 12:14:52 GMT

Btw, are you talking about slow RDP connection ?

Re: 1550 VPN establishment delay

BorisL — Mon, 18 May 2020 12:19:50 GMT

The problem is with the first connection attempts failing to any device independently of protocol (RDP, http, https or vnc). Once connected speed and latency are fine with all protocols.

Re: 1550 VPN establishment delay

HristoGrigorov — Mon, 18 May 2020 12:25:10 GMT

I am asking because recently I had a problem with my 1470 where RDP will connect instantly on WAN interface but very slow on DMZ interface.

I guess you have already eliminated possible sources of delays such as TP blades ?

Re: 1550 VPN establishment delay

BorisL — Mon, 18 May 2020 12:36:49 GMT

These are VPN connections from Internet (WAN) to intranet.

No Threat Prevention issues detected or logged.

Re: 1550 VPN establishment delay

HristoGrigorov — Mon, 18 May 2020 12:38:54 GMT

Have you tried to temporarily disable SecureXL ?

Re: 1550 VPN establishment delay

BorisL — Mon, 18 May 2020 12:45:58 GMT

No. I have not.

I will have to leave this issue alone for a while.

Thanks to all.

Re: 1550 VPN establishment delay

BorisL — Mon, 29 Jun 2020 09:02:40 GMT

Yes. Disabling SecureXL seems to solve the issue. TAC also suggested we do that.

Question is: what is the performance hit for not using SecureXL?

Re: 1550 VPN establishment delay

HristoGrigorov — Mon, 29 Jun 2020 09:59:13 GMT

It depends. Paste 'fwaccel stats -s' with SecureXL enabled to check it.

Re: 1550 VPN establishment delay

HristoGrigorov — Mon, 29 Jun 2020 10:07:30 GMT

Btw, leaving SecureXL disabled is only a workaround and shall be temporary solution, not permanent one. You should really involve TAC for this and escalate if not satisfied with how is the problem handled. Especially if you have Premium Support.