R81.20 T26 - Traffic disruption during policy installation and random connections are dropped
Hello team,
Fresh hw upgrade with 81.10 to new 7000 with R81.20.
A lot of problems came up:
- during policy installation it happens that telnet/VNC sessions are dropped
- randomly some connections are dropped during the day
- "First packet isn't SYN" is on fire (TCP flag is ACK), no asymmetric routing
"Keep all connections" is flagged.
Any feedback about it?
Ticket is ongoing.
Dynamic splitting does not seem to work well either...
Accepted Solutions
The fix is now included in the latest (not yet recommended) take 54: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Take_54.htm?tocpath=_____6
PRJ-50761, PRHF-31092 | Security Gateway | On Security Gateways with enabled Hyper Flow feature, during policy installation and re-offload process of the connections, accelerated connections may be interrupted. |
Had not seen it myself. We have 3 customers on this take and no issues so far.
Andy
Make sure this is enabled
Andy
Yes it is, and from the HCP report I got:
Description
Drop templates are enabled but SecureXL drops show 0 packets dropped due to templates
Suggested Solution
Solution #1
Consult with TAC for further assistance
I installed jumbo 41 in the lab the other day and I'm super impressed with it. I know it's not recommended yet, but something to think about. Btw, what did TAC say? Also, the approach I would take if I had this sort of issue is "parse" through the logs and see if specific IPs are dropped the most.
Best regards,
Andy
Hi,
Had one customer on R81.20 take 24 with this issue. VDI connections got disconnected during a policy installation.
We got a custom fix for this problem we needed to install on top of take 26.
Installed take 26 and the custom fix and problem was solved.
From support we got this fix ID: PRHF-31092. Fix will be included in future HFA's. ETA unknown.
Regards,
Martijn
TAC confirmed that PRHF-31092 is included in JHF41. Although, I don't see the PRHF listed here: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Take_41.htm
TAC sent me the individual fix to install over JHF26, I reviewed that and found the PRHF noted.
Probably waiting until the new year to go to JHF41.
I definitely recommend take 41, I find it super stable, very impressed with it.
Andy
We are running take 41 here and faced the same issue. We observed ldaps connections being interrupted during every policy install, even with "keep all connections" enabled. Workaround was to disable acceleration "fwaccel off" (which you should only do for troubleshooting!).
TAC also provided the hotfix with ID PRHF-31092 which solved the issue. Still cannot find it in the release notes yet for any upcoming take, so I'll keep observing https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm
Apart from that, take 41 is running fine.
Regards
Thomas
Good to know the PRHF-31092 hotfix resolved your issue. PRHF-31092 was noted in JHF43 last I looked, but now it's gone... weird. (Released 1/8, was not the recommended release; JHF41 is still recommended.) JHF45 is now the latest, so we'll probably need to install at least JHF43 to resolve, or get clarification about PRHF-31092 to see where it went.
I asked TAC and this is the answer:
The fix, PRHF-31092 is yet to be integrated in T41 of R81.20. (Which is currently the recommended take).
For future reference, you could simply look for ID of the fix in the "list of resolved issues", which I'll attach below.
Anyway, if I go to the list of resolved issues, there is no mention of PRHF-31092. Any idea?
It was mentioned take 45 should be recommended soon, so hopefully all this will be included.
Best,
Andy
I think take 45 will be the recommended take soon.
Andy
Hi kvdocp,
We found your article today. Let's say, same here. (we have MAESTRO)
Do we know the exact solution? We got a hotfix from TAC (fw1_wrapper_HOTFIX_R81_20_JHF_T41_844_MAIN_GA_FULL.tar) and we will install it tonight.
Does it solve the policy install problem?
Br
Ako
\m/_(>_<)_\m/
Can you please elaborate on dynamic splitting? Feel free to contact me offline via amitshm@checkpoint.com with the details.
Hello Amit,
Sorry, but I forgot the problem at the customer; a lot of months have gone by... Anyway, with the latest hotfix everything seems to work well.
I will ping you if the light bulb goes on in my head.
Thank you
