Jan_Kleinhans
Advisor

R80.20 MTU and SecureXL Problem

Hello,

We have an Ethernet link (no VPN from Checkpoint) to a network where the MTU is 1422. If we set the MTU on the interface and disable SecureXL, the clients (with default MTU of 1500) get the ICMP Fragmentation packet and start to send packets with a smaller MTU.

When we reactivate SecureXL, the clients start to send 1500-byte packets again and do not get an ICMP Fragmentation packet from the firewall.

We are using a Checkpoint 5600 cluster with R80.20 with the latest HFA.

Did anybody have the same problem?

 

Jan

35 Replies
Khalid_Aftas
Contributor
Hi,

Thx to Illya we received another hotfix (for the table not freeing up); it has been running for 4 days without issue. I also put the table size back to 2000.

Now I can see these kinds of logs that I did not see before (meaning it's actually freeing up the table).

@;676607171;[vs_2];[tid_3];[fw4_3];fwfrag_expires: IP fragment expiration reached, freeing cookies;

Thx, I'll keep you posted if the issue happens again; hope not.
0 Kudos
Timothy_Hall
Champion

Great, thanks for the followup.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Khalid_Aftas
Contributor
I think that I can confirm that the issue was fixed by the patch :), thx all.
0 Kudos
Kai_Kataja
Explorer

Hello! In what Jumbo Hotfix Accumulator for R80.20 is the fix included? 

Take_103 GA 26 Aug 2019 or
Take_118 Latest 27 Oct 2019

BR, Kai

0 Kudos
FedericoMeiners
Advisor

Hi all,

A customer had this exact issue this week. He is running a cluster of 2 21400 with R80.20 JHF Take 91 (Distributed deployment). Deactivating SecureXL and increasing the fragmented table size did not help at all; we had to perform failovers.

We opened an SR with the TAC and pointed them to this thread asking for the fix. The assigned engineer told us that it was included in JHF Take 118 even though it is not specified in the release notes.

The issue did not repeat after the installation of the mentioned take.

____________
https://www.linkedin.com/in/federicomeiners/
Yifat_Chen
Employee Alumnus

The fix exists since Take 103 and it is documented in the R80.20 SK:

"In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway."

0 Kudos
