SNX hangs at policy install
We have an interesting situation here. We have been using the SSL Network Extender (SNX) client with the Mobile Access Portal on our R80.20 cluster. Clients report that their network applications (mostly RDP) hang for 60-180 seconds several times a day. In the case of RDP, the RDP client loses connection to the remote Windows PC and goes into recovery mode (trying to reconnect pop-up window for 2 to 5 reconnect periods).
We have traced these "hangs" to policy installs on the firewall cluster. And what users notice as one long hang is actually two shorter ones, one that happens as the active firewall starts to receive the push, and a second much shorter one that happens during the clean up phase of the push. The issue is totally reproducible during policy push; it happens every time.
Has anyone else seen anything like this? Or is it normal, and do we just live with it? It's inconvenient, but not debilitating.
Have you checked this?
I have not; I currently have rematch connections selected.
Are there any repercussions that I need to be aware of that result from changing this setting? Does it affect SmartEvent reactions in any way?
Probably a good idea to review this SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
One slight inaccuracy in the SK for R80.20+: a policy install in previous releases required flushing and rebuilding the SecureXL connections table which meant everything went F2F during a policy install.
This is not necessarily the case in R80.20+.
Hi Dameon and all,
sk103598 is now updated. The following was added:
IPSO Flows / SecureXL connections table
During Policy installation, IPSO Flows / SecureXL connections table will be cleared and re-created, irrespective of connection persistence settings. This clearing and re-creating are very expensive depending on the active connections in the table at that point. Also, all the packets will be F2F (Forwarded to FireWall in slowpath) until IPSO flows are created again.
Notes:
- Since R80.20, the SecureXL connections table is not cleared during policy installation.
- In addition, Check Point does not support IPSO in R80.10 and higher.
---------------------
Thanks for reporting the issue.