Performance of the SNX client built into Windows 10? Visitor Mode limitation?

Hi Group,

Is anybody using the SNX client (Windows 10 built-in client) widely (200+ users)? (R80.20+)

I know there is a limitation about Visitor Mode, that it shouldn't be used for several hundred users (Best Practices - VPN Performance). Also, from experience during COVID-19, I noticed that disabling Visitor Mode makes a difference.

Is the SNX/Windows built-in client the same technology as Visitor Mode? Are that limitation and CPU utilization also true for SNX?

From Best Practices - VPN Performance:

Each packet in Visitor Mode is processed in user space, which causes a load on CPU on Security Gateway (only several hundred Visitor Mode clients can be handled by the Security Gateway)

10 Replies
Admin
What's built into Windows 10 is not SNX, it's a regular IPsec client.
This limitation shouldn't apply.
Thanks!

What I meant by the client built into Win10 was the Capsule client from the Microsoft Store. Sorry for the confusion.

When I list clients connected to the GW I have this entry for SNX/Win-10 clients:
Methods: SSL Tunnel 3DES MD5
Visitor Mode: 5

Regular client:
Methods: ESP Tunnel AES-256 SHA256
NAT-T

Can I somehow disable Visitor Mode for that SNX/Win-10 built-in client?
Do you know of an installation where the built-in client in Win10 is used for more than 200-300 users?

Admin
I guess it does use SSL (confirmed in sk67820), which means you can't disable Visitor Mode.
And I assume that performance limitation also applies.
My mistake there.

I'm assuming if you have a large enough appliance, you should be able to support 200+ users.
I'm aware of at least one customer doing this.
If you run command vpn show_tcpt do the Windows 10 Capsule VPN clients show up in the output?

My impression is that Visitor Mode is for IPSec VPN remote access clients that are not also capable of SSL/TLS, and cannot pass traffic directly over ESP (IP proto 50) or UDP 4500 (NAT-T) due to an intervening enforcement device, so they pass traffic over TCP 443 instead. This specially-encapsulated Visitor Mode traffic would then have to be handled in process space by vpnd, which has various performance and file descriptor limitations.

Clients that use SSL/TLS natively like SNX shouldn't need to use Visitor Mode at all, at least that's what I thought: sk159372: Visitor Mode in Remote Access clients. Pretty sure use of SSL/TLS as a VPN transport does not automatically equate to Visitor Mode and all its inherent limitations.

I suppose some VPN clients might try connectivity options in the following order until they find one that works, but if they get to the third one and are capable of SSL/TLS natively, why not just go straight to the fourth one:

  • IPSec ESP
  • IPSec ESP w/ NAT-T
  • IPSec ESP w/ Visitor Mode
  • SSL/TLS

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
Output is:

[Expert]# vpn show_tcpt
Showing all users connected in Visitor Mode:
Total number of users: 352, SNX users : 275, Visitor mode users: 0

All users connected with this Capsule/Windows Store client have this output in vpn tu tlist:

| Methods: SSL Tunnel 3DES MD5 | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 10.10.x.x | | |
| User: test.test | Visitor Mode: 181 | |
| MSPI: 240009f (i: 4, p: - ) | No outbound SA | |

I have network outages at this installation (10-40 seconds, several times a day) during working hours and TAC can't find out what causes them. I'm starting to suspect it is related to this type of client and remote work during COVID-19. When it happens there isn't much traffic (300-500 Mbps) but all CPUs dedicated to fw_workers are at 100% usage.

R80.30 take 155, open servers (HPE 360 Gen 10, 8-core license), Broadcom NIC!!, 3.10.0-693cpx86_64

Best regards,

Rafal

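The thread's diagnostic hinges on reading two outputs side by side: what vpn tu tlist marks as "Visitor Mode" and what vpn show_tcpt (vpnd itself) reports. The script below is an added illustration, not something from this thread or from Check Point, that parses both into per-tunnel records, classifies each tunnel by transport using the four options Tim lists (ESP, ESP with NAT-T, ESP over Visitor Mode, SSL/TLS), and reports how many SSL/TLS tunnels the kernel-side listing tagged as Visitor Mode versus the Visitor Mode count vpnd gives. The sample output is constructed to match the shape of the snippets quoted above; the cell layout of non-SNX entries and the field names in the result are assumptions, as is the list of algorithms flagged as legacy.

```python
import re
from collections import Counter

# Constructed sample output shaped like the two commands quoted in the thread.
# These are NOT real captures from a gateway; user names and peer addresses are made up.
SAMPLE_SHOW_TCPT = """\
Showing all users connected in Visitor Mode:
Total number of users: 352, SNX users : 275, Visitor mode users: 0
"""

SAMPLE_TU_TLIST = """\
| Methods: SSL Tunnel 3DES MD5 | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 10.10.1.5 | | |
| User: alice.example | Visitor Mode: 181 | |
| MSPI: 240009f (i: 4, p: - ) | No outbound SA | |
| Methods: ESP Tunnel AES-256 SHA256 | | |
| NAT-T | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 10.10.1.6 | | |
| User: bob.example | | |
| Methods: ESP Tunnel AES-256 SHA256 | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 10.10.1.7 | | |
| User: carol.example | | |
"""

# Summary line printed by vpn show_tcpt (pattern taken from the quoted output).
TCPT_SUMMARY = re.compile(
    r"Total number of users:\s*(\d+),\s*SNX users\s*:\s*(\d+),\s*Visitor mode users:\s*(\d+)"
)
# Algorithms a defender would want to see phased out of a remote-access profile (assumed list).
LEGACY_ALGS = ("3DES", "MD5", "SHA1")


def parse_show_tcpt(text):
    """Return (total, snx, visitor) from the vpnd-side summary line, or None if absent."""
    m = TCPT_SUMMARY.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def parse_tu_tlist(text):
    """Split the vpn tu tlist table into per-tunnel records; each starts at a 'Methods:' cell."""
    records, current = [], None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]
        if not cells:
            continue
        if cells[0].startswith("Methods:"):
            current = {"methods": cells[0][len("Methods:"):].strip(),
                       "nat_t": False, "user": None, "visitor_mode": None}
            records.append(current)
            cells = cells[1:]
        if current is None:
            continue
        for cell in cells:
            if cell == "NAT-T":
                current["nat_t"] = True
            elif cell.startswith("User:"):
                current["user"] = cell[len("User:"):].strip()
            elif cell.startswith("Visitor Mode:"):
                current["visitor_mode"] = int(cell[len("Visitor Mode:"):].strip())
    return records


def transport(rec):
    """Map the Methods cell onto the transport options discussed in the thread."""
    if "SSL Tunnel" in rec["methods"]:
        return "SSL/TLS"
    if "ESP Tunnel" in rec["methods"]:
        return "IPsec ESP w/ NAT-T" if rec["nat_t"] else "IPsec ESP"
    return "unknown"


def reconcile(tlist_text, tcpt_text):
    """Compare the kernel-side 'Visitor Mode' tags with the count vpnd itself reports."""
    records = parse_tu_tlist(tlist_text)
    summary = parse_show_tcpt(tcpt_text)
    ssl_marked_visitor = sum(
        1 for r in records if transport(r) == "SSL/TLS" and r["visitor_mode"] is not None)
    legacy = [r["user"] for r in records if any(a in r["methods"] for a in LEGACY_ALGS)]
    return {
        "by_transport": dict(Counter(transport(r) for r in records)),
        "ssl_marked_visitor_in_tu": ssl_marked_visitor,
        "vpnd_visitor_mode_users": summary[2] if summary else None,
        "vpnd_snx_users": summary[1] if summary else None,
        "legacy_crypto_users": legacy,
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_TU_TLIST, SAMPLE_SHOW_TCPT).items():
        print(f"{key}: {value}")
```

On the constructed sample the SSL/TLS tunnel carries a "Visitor Mode" tag in the tlist records while vpnd reports zero Visitor Mode users, which is exactly the discrepancy the accepted answer explains. The legacy-algorithm check is a side benefit of having the Methods cell parsed: the thread's own SNX entry negotiates 3DES/MD5, which is worth tracking in the same report.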
Accepted solution:

Yeah, that's what I thought. Your Windows 10 VPN clients are not using Visitor Mode, as that doesn't make sense. I trust the output of vpn show_tcpt in this case more than vpn tu, since the former command is talking straight to the vpnd process that handles Visitor Mode sessions and it says it doesn't have any. On the other hand, I believe vpn tu is querying kernel tables and it appears that any VPN connection utilizing SSL/TLS as a transport such as SNX is being marked as "Visitor Mode" in those tables that vpn tu is reading, which I don't think is completely accurate.

You don't currently have Visitor Mode disabled, do you?

I have done some tests and tried to disable Visitor Mode, but it automatically removes the SNX client from the allowed clients. I added HTTPS accept to the gateway; with Visitor Mode disabled, Capsule from the Microsoft Store cannot connect.

Do you know of an installation where SNX Network Mode/Capsule from the Windows Store is used widely? I asked local presales but it looks like bigger installations stick with Check Point Mobile/Endpoint Security with NAT-T.
Admin
Obviously can't name names, but I'm aware of at least one customer using Capsule VPN on Windows 10 as they were asking me some pointed questions out-of-band the other day.
Just for the record, it looks like SNX doesn't have the Visitor Mode limitation. The high CPU load was not related to that. When we moved the VPNs to another gateway, 200-300 SNX/Windows Capsule clients generated about 3-5% CPU load.

Rafal

Right, SNX uses SSL/TLS natively which does not require the use of Visitor Mode. 
