TheRealDiZ
Nickel

SecureXL R80.20 - Issue on ALL High TCP Ports

Hey guys,

 

After the upgrade from R77.30 to R80.20, I noticed that I have an issue on all connections with high TCP ports passing through a VPN tunnel.

That was huuuge... Fortunately, after the upgrade I immediately tried disabling SecureXL acceleration as per https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... and that solved the issue.

 

Has anyone experienced this issue before?

 

I know that in R80.20 SecureXL was moved to Fw_Worker.

Can anyone explain to me the difference from R77.30 in detail?

I think that this mechanism change is probably causing the issue on all connections with high TCP ports.

 

BR

Luca

 

0 Kudos
5 Replies
Admin

Re: SecureXL R80.20 - Issue on ALL High TCP Ports

First I'll make my standard statement for these situations: if disabling SecureXL solves the problem, open a TAC case.

Not sure how knowing the differences in SecureXL will help in terms of solving the issue at hand, which is most likely a bug.
The changes in SecureXL were made to improve performance and support more than 40 cores.

What rule/service is the relevant traffic matching on?
TheRealDiZ
Nickel

Re: SecureXL R80.20 - Issue on ALL High TCP Ports

Hi @PhoneBoy ,

 

Yessir, TAC case already opened.

The traffic is passing through the same VPN tunnel and matching the same rule as with the previously installed version R77.30.

No changes were made (SecureXL was always enabled).

 

I'll keep you posted with TAC updates in order to understand if there is a major issue on R80.20.

 

RealD!Z

0 Kudos

Re: SecureXL R80.20 - Issue on ALL High TCP Ports

Note that in R80.20 Jumbo HFA Take 47 and later, a new command called vpn accel was added that allows switching off SecureXL acceleration just for VPN traffic (similar to sim vpn off;fwaccel off;fwaccel on in R80.10 and earlier), which is different from the f2f_addresses mechanism you used:

sk151114: "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above

This new command was not available in R80.20 vanilla. Still, as Dameon mentioned, it is very important to figure out why SecureXL needs to be disabled in the first place, regardless of the mechanism you use to disable it.  🙂

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
Admin

Re: SecureXL R80.20 - Issue on ALL High TCP Ports

As I don't know what the rule was on R77.30, please share the details of it.

TheRealDiZ
Nickel

Re: SecureXL R80.20 - Issue on ALL High TCP Ports

Hi @PhoneBoy

It seems the problem is related to VPN, because the traffic is passing (NATted) through a VPN S2S.
Before the upgrade there were no issues at all. I'm investigating it with the TAC. I'll keep you posted because I think this will be helpful for a lot of people.

By the way, this is the fw ctl zdebug error when we got the issue:

"[cpu_0];[SIM-206945184];sim_pkt_send_drop_notification: (0,0) received drop, reason: general reason, conn:"
0 Kudos