Dale_Lobb
Collaborator

SNX hangs at policy install

  We have an interesting situation here.  We have been using the SSL Network Extender (SNX) client with the Mobile Access Portal on our R80.20 cluster.  Clients report that their network applications (mostly RDP) hang for 60-180 seconds several times a day. In the case of RDP, the RDP client loses connection to the remote Windows PC and goes into recovery mode (trying to reconnect pop-up window for 2 to 5 reconnect periods).

  We have traced these "hangs" to policy installs on the firewall cluster.  And what users notice as one long hang is actually two shorter ones, one that happens as the active firewall starts to receive the push, and a second much shorter one that happens during the clean up phase of the push.  The issue is totally reproducible during policy push; it happens every time.

  Has anyone else seen anything like this?  Or is it normal and we just live with it?  It's inconvenient, but not debilitating.

0 Kudos
4 Replies
MartinTzvetanov
Collaborator

Have you checked this?

Capture.JPG

0 Kudos
Dale_Lobb
Collaborator

  I have not;  I currently have rematch connections selected.

  Are there any repercussions that I need to be aware of that result from changing this setting?  Does it affect SmartEvent reactions in any way?

0 Kudos
PhoneBoy
Admin

Probably a good idea to review this SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

One slight inaccuracy in the SK for R80.20+: a policy install in previous releases required flushing and rebuilding the SecureXL connections table which meant everything went F2F during a policy install.
This is not necessarily the case in R80.20+.

0 Kudos
Ronen_Zel
Mod

Hi Dameon and all,

sk103598 is now updated. The following was added:

IPSO Flows / SecureXL connections table

During Policy installation, IPSO Flows / SecureXL connections table will be cleared and re-created, irrespective of connection persistence settings. This clearing and re-creating are very expensive depending on the active connections in the table at that point. Also, all the packets will be F2F (Forwarded to FireWall in slowpath) until IPSO flows are created again.

Notes:

  • Since R80.20, the SecureXL connections table is not cleared during policy installation.
  • In addition, Check Point does not support IPSO in R80.10 and higher.

---------------------

Thanks for reporting the issue.

 

0 Kudos