This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rafal_N
Contributor
‎2020-04-27 05:42 AM
Jump to solution

Performance SNX client, built in Windows 10? Visitor mode limitation?

Hi Group,

Is anybody using SNX client (Windows 10 built-in) client widely (200+ users) ?? (R80.20+) 

I know there is limitation about visitor mode that it shouldn't be used for several hunderd users (Best Practices - VPN Performance). Also from experience COVID-19 I notice that disable Visitor Mode makes the difference.

Is SNX/Windows bult-in client is technology that same as Visitor Mode? Is that limitation and CPU utilization also true for SNX??

 

From Best Practices - VPN Performance:

Each packet in Visitor Mode is processed in user space, which causes a load on CPU on Security Gateway (only several hundred Visitor Mode clients can be handled by the Security Gateway)

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2020-04-29 06:18 AM
In response to Rafal_N
Jump to solution

Yeah that's I thought.  Your Windows 10 VPN clients are not using Visitor Mode as that doesn't make sense.  I trust the output of  vpn show_tcpt in this case more than vpn tu, since the former command is talking straight to the vpnd process that handles Visitor Mode sessions and it says it doesn't have any.  On the other hand, I believe vpn tu is querying kernel tables and it appears that any VPN connection utilizing SSL/TLS as a transport such as SNX is being marked as "Visitor Mode" in those tables that vpn tu is reading, which I don't think is completely accurate. 

You don't currently have Visitor Mode disabled do you?

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2020-04-27 08:07 PM
Jump to solution

What's built into Windows 10 is not SNX, it's a regular IPsec client.
This limitation shouldn't apply.
0 Kudos
Rafal_N
Contributor
‎2020-04-27 09:54 PM
In response to PhoneBoy
Jump to solution

Thanks!

What I meant writing built into Win10 client it was Capsule from Microsoft Store client. Sorry for confusion.

When I list clients connected to GW i have that entry for SNX/Win-10 clients:
Methods: SSL Tunnel 3DES MD5
Visitor Mode: 5

Regular client:
Methods: ESP Tunnel AES-256 SHA256
NAT-T

Can I somehow disable Visitor Mode for that SNX/Win-10 Bult-In client??
Do you familiar with installation where bulit-in client in Win10 is used for more then 200-300 Users??

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-28 04:27 PM
In response to Rafal_N
Jump to solution

I guess it does use SSL (confirmed in sk67820), which means you can't disable Visitor Mode.
And I assume that performance limitation also applies.
My mistake there.

I'm assuming if you have a large enough appliance, you should be able to support 200+ users.
I'm aware of at least one customer doing this.
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-04-28 07:50 PM
In response to Rafal_N
Jump to solution

If you run command vpn show_tcpt do the Windows 10 Capsule VPN clients show up in the output?

My impression is that Visitor Mode is for IPSec VPN remote access clients that are not also capable of SSL/TLS, and cannot pass traffic directly over ESP (IP proto 50) or UDP 4500 (NAT-T) due to an intervening enforcement device, so they pass traffic over TCP 443 instead.  This specially-encapsulated Visitor Mode traffic would then have to be handled in process space by vpnd which has various performance and file descriptor limitations. 

Clients that use SSL/TLS natively like SNX shouldn't need to use Visitor Mode at all, at least that's what I thought: sk159372: Visitor Mode in Remote Access clients.  Pretty sure use of SSL/TLS as a VPN transport does not automatically equate to Visitor Mode and all its inherent limitations.

I suppose some VPN clients might try connectivity options in the following order until they find one that works, but if they get to the third one and are capable of SSL/TLS natively, why not just go straight to the fourth one:

  • IPSec ESP
  • IPSec ESP w/ NAT-T
  • IPSec ESP w/ Visitor Mode
  • SSL/TLS

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Rafal_N
Contributor
‎2020-04-29 12:39 AM
In response to Timothy_Hall
Jump to solution

Output is:

[Expert]# vpn show_tcpt
Showing all users connected in Visitor Mode:
Total number of users: 352, SNX users : 275, Visitor mode users: 0

All users connected this Capsue/Windows Store client have output for vpn tu tlist:

| Methods: SSL Tunnel 3DES MD5 | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 10.10.x.x | | |
| User: test.test | Visitor Mode: 181 | |
| MSPI: 240009f (i: 4, p: - ) | No outbound SA | |

I have network outages at this installation (10-40s seconds, several time a day) during working hours and TAC can't find out what can cause that. I starting to suspect it is related with this type of client and remote work during COVID-19. When it happening there isn't so much traffic 300-500Mbps but all CPUs dedicated to fw_workers are 100% usage.

 

R80.30 take 155, open Servers (HPE 360 gen 10 8Core lic), NIC Broadcom!!, 3.10.0-693cpx86_64

 

Best regards,

Rafal

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-04-29 06:18 AM
In response to Rafal_N
Jump to solution

Yeah that's I thought.  Your Windows 10 VPN clients are not using Visitor Mode as that doesn't make sense.  I trust the output of  vpn show_tcpt in this case more than vpn tu, since the former command is talking straight to the vpnd process that handles Visitor Mode sessions and it says it doesn't have any.  On the other hand, I believe vpn tu is querying kernel tables and it appears that any VPN connection utilizing SSL/TLS as a transport such as SNX is being marked as "Visitor Mode" in those tables that vpn tu is reading, which I don't think is completely accurate. 

You don't currently have Visitor Mode disabled do you?

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Rafal_N
Contributor
‎2020-04-29 02:33 PM
In response to Timothy_Hall
Jump to solution

I have done some tests and I was trying to disable Visitor Mode but it automatically remove SNX client from allowed clients. I add https accept to gateway with disable Visitor Mode Capsule from Microsoft Store can not connect.

Do You know installation where SNX - Network Mode/Capsue form Windows Store is used widely?? I asked local presales but it looks like bigger installation are stick with CheckPoint Mobile/Endpoint Security with NAT-T.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-29 05:36 PM
In response to Rafal_N
Jump to solution

Obviously can't name names, but I'm aware of at least one customer using Capsule VPN on Windows 10 as they were asking me some pointed questions out-of-band the other day.
0 Kudos
Rafal_N
Contributor
‎2020-05-06 05:37 AM
Jump to solution

Just for there record it looks like SNX doesn't have limitation of Visitor Mode. High load CPU was not related with that. When we move VPNs on other gateway 200-300 SNX/Windows Capsule Client generate about 3-5% CPU load.

 

Rafal

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-06 06:58 AM
In response to Rafal_N
Jump to solution

Right, SNX uses SSL/TLS natively which does not require the use of Visitor Mode. 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events