https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178061#M8737 <P>Thank you,</P><P>but i found first issue on 2nd step - no .conf file in dir:</P><P>&nbsp;</P><LI-CODE lang="markup">[Expert@fw]# cp -v $FWDIR/modules/fwkern.conf{,_BKP} cp: can't stat '/opt/fw1/modules/fwkern.conf': No such file or directory [Expert@fw]# pwd /opt/fw1/modules [Expert@fw]# ls -la drwxr-xr-x 2 root root 4096 Feb 23 14:19 . drwxr-xr-x 3 root root 4096 Feb 23 14:19 .. -rw-r--r-- 1 105 80 500440 Nov 22 09:58 adp.o -rw-r--r-- 1 105 80 49280288 Nov 22 09:58 fw.o -rw-r--r-- 1 105 80 46326416 Nov 22 09:58 fwv6.o -rw-r--r-- 1 105 80 13251656 Nov 22 09:58 sim.o -rw-r--r-- 1 105 80 13049208 Nov 22 09:58 simv6.o -rw-r--r-- 1 105 80 25984 Nov 22 09:58 vpnt.o</LI-CODE><P>&nbsp;</P><P>&nbsp;Running version:</P><DIV class="">The current firmware version is<SPAN>&nbsp;</SPAN><STRONG>R81.10 (996000575)</STRONG></DIV><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV><DIV class="">I've found also this cmd in some topic, but not working:</DIV></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">[Expert@fw]# fw ctl get int fw_clamp_tcp_mss fw_clamp_tcp_mss = 0 [Expert@fw]# fw ctl set int fw_clamp_tcp_mss 1 Set operation failed: failed to get parameter fw_clamp_tcp_mss​</LI-CODE><P>Thank you for help.</P><P>&nbsp;</P> Fri, 14 Apr 2023 06:27:58 GMT Thowtes 2023-04-14T06:27:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178043#M8734 <P>Hello,</P><P>i have a problem (probably) with high latency over IPSec (Site2Site) between SMB1570 (remote) and Mikrotik RB1100 (central).</P><P>When i try to add esxi host on remote site to vcenter on central branch, it always fails. Only host behind SMB1570 have this issue, so i think it is related to Checkpoint and/or this IPSec.</P><P>I tried some configurations with MTU, but no success.</P><P>Any idea, please?</P><P>Thank you.</P> Thu, 13 Apr 2023 19:27:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178043#M8734 Thowtes 2023-04-13T19:27:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178056#M8735 <P>It's most likely an MTU/fragmentation issue.<BR />For a discussion of this topic in general, see:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk98074" target="_blank">https://support.checkpoint.com/results/sk/sk98074</A>&nbsp;<BR />To confirm the issue, I recommend taking some packet captures.</P> <P>If your SMB appliance is locally managed (i.e. without SmartCenter), not sure it is possible to configure MSS Clamping, which is probably how you'd resolve this.<BR />Recommend engaging with the TAC: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Fri, 14 Apr 2023 00:48:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178056#M8735 PhoneBoy 2023-04-14T00:48:51Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178058#M8736 <P>As&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;suggests you're probably looking at something like the following:</P> <P><A href="https://support.checkpoint.com/results/sk/sk121114" target="_self">sk121114: "Fragmentation needed" error on dropped packets sent through tunnel on Quantum Spark Appliances (checkpoint.com)</A></P> <P>&nbsp;</P> Fri, 14 Apr 2023 00:55:46 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178058#M8736 Chris_Atkinson 2023-04-14T00:55:46Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178061#M8737 <P>Thank you,</P><P>but i found first issue on 2nd step - no .conf file in dir:</P><P>&nbsp;</P><LI-CODE lang="markup">[Expert@fw]# cp -v $FWDIR/modules/fwkern.conf{,_BKP} cp: can't stat '/opt/fw1/modules/fwkern.conf': No such file or directory [Expert@fw]# pwd /opt/fw1/modules [Expert@fw]# ls -la drwxr-xr-x 2 root root 4096 Feb 23 14:19 . drwxr-xr-x 3 root root 4096 Feb 23 14:19 .. -rw-r--r-- 1 105 80 500440 Nov 22 09:58 adp.o -rw-r--r-- 1 105 80 49280288 Nov 22 09:58 fw.o -rw-r--r-- 1 105 80 46326416 Nov 22 09:58 fwv6.o -rw-r--r-- 1 105 80 13251656 Nov 22 09:58 sim.o -rw-r--r-- 1 105 80 13049208 Nov 22 09:58 simv6.o -rw-r--r-- 1 105 80 25984 Nov 22 09:58 vpnt.o</LI-CODE><P>&nbsp;</P><P>&nbsp;Running version:</P><DIV class="">The current firmware version is<SPAN>&nbsp;</SPAN><STRONG>R81.10 (996000575)</STRONG></DIV><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV><DIV class="">I've found also this cmd in some topic, but not working:</DIV></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">[Expert@fw]# fw ctl get int fw_clamp_tcp_mss fw_clamp_tcp_mss = 0 [Expert@fw]# fw ctl set int fw_clamp_tcp_mss 1 Set operation failed: failed to get parameter fw_clamp_tcp_mss​</LI-CODE><P>Thank you for help.</P><P>&nbsp;</P> Fri, 14 Apr 2023 06:27:58 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178061#M8737 Thowtes 2023-04-14T06:27:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178102#M8738 <P>Sounds like fw_clamp_tcp_mss can not be set "on the fly" meaning the only way is by specifying it in fwkern.conf.<BR />If this file does not exist, it must be created.</P> Fri, 14 Apr 2023 14:46:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/ipsec-latency-smb1570/m-p/178102#M8738 PhoneBoy 2023-04-14T14:46:12Z