Participant

Excessive traffic between digicert IP's and checkpoint gateway

We are working on an issue with one of our remote offices. The site has two 5600 appliances in a cluster; the issue is a sudden spike of traffic from the Check Point gateway's external interface talking out to DigiCert over port 80. The return traffic tends to be excessive enough to cause the Cisco edge switch to start dropping packets. This causes the SSL VPN to go down, disconnecting the remote workforce out there.

Not really sure why the gateway would be receiving so much traffic from DigiCert. Anyone seen this behavior before?

5 Replies
Admin

If you have HTTPS Inspection enabled and/or the gateway is R80.40, I suspect it’s because we are validating certificates in flight.
That is done out-of-band.

Participant

Hello Dameon,

No HTTPS Inspection, and running R80.10. It looks like the IP resolves to ocsp.digicert.com.

So I am guessing this is something going wrong with OCSP every few hours. The issue lasts for about 5 to 10 minutes before going away. It seems to happen approximately every 4 hours, but sometimes misses the 4-hour mark.

Regards,

Nandhu

0 Kudos
Reply
Admin

That’s definitely CRL validation.
I recommend a TAC case to assist in investigation.

Leader

Are you sure the traffic source is your gateway, and not something behind it on the internal network that is being NATed?

Maybe some suspicious clients are doing excessive CRL validations.

Wolfgang
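A way to answer both questions raised so far (is the burst really sourced from the gateway, and is it really on a roughly 4-hour cycle?) is to bucket a flow export to the OCSP responder by time and by source, then look at the spacing of the buckets that exceed a volume threshold. The script below is an added example written for this thread; it is not Check Point's tooling nor anything the posters ran. It assumes a plain 'epoch,src,dst,dport,bytes' export captured before NAT, so the src column still shows the original client; every address (the 192.0.2.10 stand-in for ocsp.digicert.com, the 198.51.100.1 gateway address, the 10.x internal hosts) is hypothetical and the flow records are constructed to mimic the reported pattern, not captured data.

```python
"""Periodic OCSP/CRL traffic spike finder over a constructed flow export.

Added example for this thread; it is not Check Point's or any poster's code.
Assumes a simple export of 'epoch,src,dst,dport,bytes' lines, captured before
NAT so the src field still shows the original client. All addresses below are
hypothetical (RFC 5737 ranges) and the records are constructed, not captured.
"""
from collections import defaultdict
from statistics import median

OCSP_IPS = {"192.0.2.10"}        # hypothetical stand-in for ocsp.digicert.com
GATEWAY_EXT = "198.51.100.1"     # hypothetical gateway external address
BUCKET_S = 300                   # 5-minute buckets, the length of the reported bursts


def parse_flows(text):
    """Parse 'epoch,src,dst,dport,bytes' lines into dicts; blanks and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def bucket_ocsp_traffic(flows, ocsp_ips=OCSP_IPS, bucket_s=BUCKET_S):
    """Sum bytes per (bucket_start, src) for port-80 flows to the OCSP responders."""
    totals = defaultdict(int)
    for f in flows:
        if f["dport"] == 80 and f["dst"] in ocsp_ips:
            totals[(f["ts"] - f["ts"] % bucket_s, f["src"])] += f["bytes"]
    return dict(totals)


def find_spikes(totals, threshold_bytes):
    """Buckets whose per-source volume is at or above the threshold, sorted by time."""
    return sorted((b, src, n) for (b, src), n in totals.items() if n >= threshold_bytes)


def spike_intervals(spikes, merge_gap_s=900):
    """Seconds between consecutive bursts; buckets closer than merge_gap_s count as one burst."""
    starts, last = [], None
    for b, _, _ in spikes:
        if last is None or b - last > merge_gap_s:
            starts.append(b)
        last = b
    return [b - a for a, b in zip(starts, starts[1:])]


def spike_sources(spikes):
    """Distinct sources behind the bursts. If this only ever contains the gateway's
    external address, either the gateway itself is the client or the export was
    taken after NAT; re-capture on the internal side to tell those apart."""
    return {src for _, src, _ in spikes}


def build_sample():
    """Constructed export: an internal host checking OCSP every 10 min (small),
    plus three 5-minute bursts sourced from the gateway at 0h, 4h and 7h50m."""
    base = 1_600_000_200                       # chosen to be bucket-aligned
    lines = ["# epoch,src,dst,dport,bytes"]
    for t in range(0, 12 * 3600, 600):
        lines.append(f"{base + t},10.0.5.23,192.0.2.10,80,1500")
    for start in (0, 4 * 3600, 7 * 3600 + 50 * 60):
        for t in range(start, start + 300, 10):  # 30 responses of 200 KB each
            lines.append(f"{base + t},{GATEWAY_EXT},192.0.2.10,80,200000")
    lines.append(f"{base + 100},10.0.7.9,203.0.113.5,443,900")  # unrelated HTTPS flow
    return "\n".join(lines)


def analyze(text, threshold_bytes=1_000_000):
    """Run the pipeline and return the spikes, their spacing and the sources involved."""
    spikes = find_spikes(bucket_ocsp_traffic(parse_flows(text)), threshold_bytes)
    gaps = spike_intervals(spikes)
    return {"spikes": spikes, "intervals": gaps,
            "median_interval_s": median(gaps) if gaps else None,
            "sources": spike_sources(spikes)}


if __name__ == "__main__":
    result = analyze(build_sample())
    for b, src, n in result["spikes"]:
        print(f"bucket {b}: {src} -> OCSP {n / 1e6:.1f} MB")
    print("intervals (s):", result["intervals"],
          "median ~", round(result["median_interval_s"] / 3600, 2), "h")
    print("sources:", result["sources"])
```

On the constructed data the three bursts come back spaced 14400 s and 13800 s apart (a median just under four hours, matching the "sometimes misses the 4 hour mark" description) and every burst bucket is attributed to the gateway's own external address. With a real export the useful check is the one in `spike_sources`: if the capture point is behind NAT and the bursts still carry only the gateway address, the gateway itself is the OCSP client; if an internal host shows up instead, Wolfgang's NAT explanation holds.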

Participant

Hello Dameon and Wolfgang,

We are looking at some of the automation scripts that the QA teams use, but the timing of their requests and the traffic on the firewall does not match up.

We do have a TAC case open and I am in the process of collecting debugs.

Nandhu
