MKIT_NMG
Participant

Getting error “dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;”

Hi Team,

We have a 5800 box with R80.20 in Cluster-HA mode.

We are facing an issue with some traffic slowness/hangs in our organization. When we checked the logs on the firewall, we found a drop message: “dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;”

We logged a case with TAC, but they are asking for multiple kernel-level debugs, which require scheduled downtime.

We are not in a position to provide any downtime. Can anyone please help us with this? Let us know if any additional information is required.

Thanks in advance.

 

Regards,

Chandan Singh Rathore

0 Kudos
10 Replies
FedericoMeiners
Advisor

Hello,

By chance, are you using Domain Objects or FQDNs in your rulebase? From R80.10+ they do not cause serious performance issues; however, I have seen many times that they are set up as *.yyy.com. If you do, try to make them as specific as possible.

Also, is the traffic slowness for every web page and service?

Federico Meiners

____________
https://www.linkedin.com/in/federicomeiners/
MKIT_NMG
Participant

Thanks Federico for your reply.

The traffic slowness is not for every web page and service. We are facing this issue with 2 specific URLs where users log on to Citrix servers and work. It's an intermittent issue where the whole Citrix session goes into a hung state and users are unable to access any files/applications, for all the users at the same time. Sometimes it happens for a few minutes and sometimes it takes up to 30 minutes where the whole Citrix screen is frozen. When I checked the logs when the issue was reported, I found these drops for the destination IP: “dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;”.

We don't get any drops when there is no issue and the Citrix session runs smoothly.

Please help us with this.

 

Thanks,

CSR

 

0 Kudos
PhoneBoy
Admin

PSL generally means App Control and/or Threat Prevention blades are in use.
What does the rule look like that accepts the traffic?
What blades are active?
MKIT_NMG
Participant

Hi PhoneBoy,

 

Below are the blades currently active on my firewall:

# enabled_blades
fw vpn ips identityServer qos mon vpn

 

Also, recently we renewed/changed the licence from NGTP to NGFW. Could that be a possible reason? We have faced this issue since the licence change.

 

Any thoughts?

 

Regards

CSR

0 Kudos
PhoneBoy
Admin

At least in terms of blades used, the license/contract change shouldn't have made any difference.
It's likely related to IPS.
Who has access to this Citrix server from where?
0 Kudos
MKIT_NMG
Participant

Hi PhoneBoy,

We are at the user (Client) side, and we access the Citrix servers hosted at our partner location in the US through S2S VPN.

We also added both sides' IP subnets to an IPS exception and disabled IPS as well, but the issue still remains the same.

Any thoughts?

 

Regards,

CSR

0 Kudos
Manoj_Kumar2
Contributor

Did you apply any SK? What about sk150933?

0 Kudos
MKIT_NMG
Participant

Yes, @Manoj_Kumar2  @PhoneBoy 

Changes were made by TAC according to SK150933, but the error messages there are different from the error which we are getting. They even changed the value to 32772 from its default value 4096, but still, the issue remains the same.

-> Error logs in SK150933: “dropped by cphwd_pslglue_handle_packet Reason: PSL Drop: internal – streaming.”

But actually, we are getting the drop logs -> “dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;”.

Is there anything else we can try to resolve this issue?

 

Regards,

CSR

0 Kudos
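As an added example (not part of the original thread and not Check Point code), the comparison made in the post above can be done over a captured drop log by tallying drops per dropping function, reason and destination. The "src:port -> dst:port" layout and the sample lines are constructed assumptions; only the "dropped by ... Reason: ...;" text comes from the thread.

```python
import re
from collections import Counter

# The part of the message quoted in the thread: dropped by <function> Reason: <reason>;
DROP_RE = re.compile(r"dropped by (?P<func>\w+) Reason: (?P<reason>[^;]+);")
# Assumption: the line also carries "src:port -> dst:port" ahead of the drop text.
FLOW_RE = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+")

# Constructed sample lines using documentation addresses, not real log data.
SAMPLE = """\
Packet proto=6 192.0.2.10:50112 -> 198.51.100.20:443 dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;
Packet proto=6 192.0.2.11:50200 -> 198.51.100.20:443 dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;
Packet proto=6 192.0.2.12:50301 -> 198.51.100.21:443 dropped by cphwd_pslglue_handle_packet Reason: PSL Drop: internal \u2013 streaming;
Packet proto=6 192.0.2.10:50113 -> 198.51.100.20:443 dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;
Packet proto=6 192.0.2.13:50400 -> 198.51.100.22:80 accepted
"""


def normalize(reason):
    """Fold the en dash used in the SK text into a hyphen so reasons compare equal."""
    return reason.replace("\u2013", "-").strip()


def summarize(text):
    """Return (drops per (function, reason), drops per (function, destination))."""
    by_func, by_dst = Counter(), Counter()
    for line in text.splitlines():
        drop = DROP_RE.search(line)
        if not drop:
            continue  # not a drop line
        func = drop["func"]
        by_func[(func, normalize(drop["reason"]))] += 1
        flow = FLOW_RE.search(line)
        if flow:
            by_dst[(func, flow["dst"])] += 1
    return by_func, by_dst


if __name__ == "__main__":
    funcs, dsts = summarize(SAMPLE)
    for (func, reason), n in funcs.most_common():
        print(f"{n:4d}  {func}  {reason}")
    for (func, dst), n in dsts.most_common():
        print(f"{n:4d}  {func}  -> {dst}")
```

Splitting the tally by function shows whether the drops seen during an outage come from the handler named in the SK or from a different one, which is the distinction the post draws.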
Chris_Atkinson
Employee

Hi

Was a resolution to your symptoms found in consultation with CP TAC?

Regards,

Chris

CCSM R77/R80/ELITE
0 Kudos
MKIT_NMG
Participant

Yes @Chris_Atkinson, the issue got resolved after Check Point TAC suggested some changes to be made on the gateways to increase the PSL input queue value to a higher value as per requirement.

 

# fw ctl get int psl_max_stream_segments
16386 (default)
# fw ctl set int psl_max_stream_segments ***********
--------------------------------------------------
 
# fw ctl get int psl_max_strip_window
8390108 (default)
# fw ctl set int psl_max_strip_window  **************
------------------------------------------------------
 
fw -i k ctl get int fwmultik_input_queue_len
2048 (default)
fw -i k ctl set int fwmultik_input_queue_len *******

During the whole process, open another SSH session to monitor CPU usage and memory usage.
 
We would recommend a change window of about 2 hours; if there are any issues upon enabling the kernel parameters, they can be easily reverted to their default values.

 

Regards,

Chandan
