R80.20 MTU and SecureXL Problem

Hello,

We have an Ethernet link (no VPN from Check Point) to a network where the MTU is 1422. If we set the MTU on the interface and disable SecureXL, the clients (with the default MTU of 1500) get the ICMP Fragmentation packet and start to send packets with a smaller MTU.

When we reactivate SecureXL, the clients start to send 1500-byte packets again and do not get an ICMP Fragmentation packet from the firewall.

We are using a Check Point 5600 cluster with R80.20 with the latest HFA.

Has anybody had the same problem?

 

Jan

35 Replies
Hi,

Thanks to Illya, we received another hotfix (for the table not freeing up). It has been running for 4 days without issue. I also put the table size back to 2000.

Now I can see this kind of log that I did not see before (meaning it's actually freeing up the table).

@;676607171;[vs_2];[tid_3];[fw4_3];fwfrag_expires: IP fragment expiration reached, freeing cookies;

Thanks, I'll keep you posted if the issue happens again; hope not.

Great, thanks for the followup.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

I think that I can confirm that the issue was fixed by the patch :), thanks all.

Hello! In what Jumbo Hotfix Accumulator for R80.20 is the fix included? 

Take_103 GA 26 Aug 2019 or
Take_118 Latest 27 Oct 2019

BR, Kai


Hi all,

A customer had this exact issue this week. He is running a cluster of 2 21400 with R80.20 JHF Take 91 (Distributed deployment). Deactivating SecureXL and increasing the fragmented table size did not help at all; we had to perform failovers.

We opened an SR with the TAC and pointed them to this thread asking for the fix. The assigned engineer told us that it was included in JHF Take 118 even though it is not specified in the release notes.

The issue did not repeat after the installation of the mentioned take.

____________
https://www.linkedin.com/in/federicomeiners/
Employee++

The fix has existed since Take 103 and it is documented in the R80.20 SK:

"In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway."
