Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CheckPointerXL
Advisor
Jump to solution

R81.20 T26 - Traffic disruption during policy installation and random connections are dropped

Hello team,

fresh hw upgrade with 81.10 to new 7000 with r81.20

lot of problem raised up:

- during policy installation it happens that telnet/vnc sessions are dropped

- randomly some connections are dropped during the day

- first packet isn't syn is on fire (TCP Flag is ACK), no asymmetric routing

 

"keep all connections" is flagged

 

any feedback about it?

ticket is ongoing

dynamic splitting it seems to work not good too.....

0 Kudos
1 Solution

Accepted Solutions
kvdocp
Explorer

The fix is now included in the latest (not yet recommended) take 54: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Take_54.htm?tocpath=_____6

PRJ-50761,

PRHF-31092

Security Gateway

On Security Gateways with enabled Hyper Flow feature, during policy installation and re-offload process of the connections, accelerated connections may be interrupted.

View solution in original post

(1)
16 Replies
the_rock
Legend
Legend

Had not seen it myself. We have 3 customers on this take and no issues so far. 

Andy

0 Kudos
the_rock
Legend
Legend

Make sure this is enabled

Andy

 

Screenshot_1.png

0 Kudos
CheckPointerXL
Advisor

yes it is, and from hcp report i got:

Description

Drop templates are enabled but SecureXL drops show 0 packets dropped due to templates

Suggested Solution

Solution #1

Consult with TAC for further assistance

0 Kudos
the_rock
Legend
Legend

I installed jumbo 41 in the lab the other day and Im super impressed with it. I know its not recommended yet, but something to think about. Btw, what did TAC say? Also, the approach I would take if I had this sort is issue is "parse" through the logs and see if specific IPs are dropped the most.

Best regards,

Andy

0 Kudos
Martijn
Advisor
Advisor

Hi,

Had one customer on R81.20 take 24 with this issue. VDI connections got disconnected during a policy installation.

We got a custom fix for this problem we needed to install on top of take 26.
Installed take 26 and the custom fix and problem was solved.

From support we got this fix ID: PRHF-31092.  Fix will be included in future HFA's. ETA unknown.

Regards,
Martijn

Matt_Taber
Contributor

TAC confirmed that PRHF-31092 is included in JHF41.  Although, I don't see the PRHF listed here:  https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Take_41.htm

TAC sent me the individual fix to install over JHF26, I reviewed that and found the PRHF noted.

Probably waiting until the new year to go to JHF41.

0 Kudos
the_rock
Legend
Legend

I definitely recommend take 41, I find it super stable, very impressed with it.

Andy

0 Kudos
kvdocp
Explorer

We are running take 41 here and faced the same issue. We observed ldaps connections being interrupted during every policy install, even with "keep all connections" enabled. Workaround was to disable acceleration "fwaccel off" (which you should only do for troubleshooting!).

TAC also provided the hotfix with ID PRHF-31092 which solved the issue. Still cannot find it in the release notes yet for any upcoming take, so I'll keep observing https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm

Apart from that, take 41 is running fine.

Regards
Thomas

0 Kudos
Matt_Taber
Contributor

Good to know PRHF-31092 hotfix resolved your issue.  PRHF-31092  was noted in JHF43 last I looked, but now it's gone....weird.(released 1/8, was not the recommended release, JHF41 is still recommended).   JHF45 is now latest, so - we'll probably need to install at least JHF43 to resolve or get clarification about PRHF-31092 to see where it went.

0 Kudos
CheckPointerXL
Advisor

I asked to TAC and this is the answer:

The fix,  PRHF-31092 is yet to be integrated in T41 of R81.20. (Which is currently the recommended take).

For future reference, you could simply look for ID of the fix in the "list of resolved issues", which I'll attach below. 

 

Anyway, if i go to list of resolved issue there is no mention related to PRHF-31092. Any idea?

the_rock
Legend
Legend

It was mentioned take 45 should be recommended soon, so hopefully all this will be included.

Best,

Andy

0 Kudos
kvdocp
Explorer

The fix is now included in the latest (not yet recommended) take 54: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Take_54.htm?tocpath=_____6

PRJ-50761,

PRHF-31092

Security Gateway

On Security Gateways with enabled Hyper Flow feature, during policy installation and re-offload process of the connections, accelerated connections may be interrupted.

(1)
the_rock
Legend
Legend

I think take 45 will be recommended take soon.

Andy

0 Kudos
AkosBakos
Advisor

Hi kvdocp,

We found your article today. Let's say, same here. (we have MAESTRO)

Do we know the exact solution? We got a hotfix from TAC (fw1_wrapper_HOTFIX_R81_20_JHF_T41_844_MAIN_GA_FULL.tar) and we will install it tonight.

Does it solve the policy install problem?

Br

Ako

0 Kudos
AmitShmuel
Employee
Employee

Can you pls elaborate per dynamic splitting? feel free to contact me offline via amitshm@checkpoint.com with the details.

0 Kudos
CheckPointerXL
Advisor

Hello Amit,

sorry but i forgot the problem on the customer, lot of months are gone.... anyway with latest hotfix everything seems to work good

i will ping you if the light bulb goes on in my head

thank you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events