flwsterN
Participant

low throughput on some external ip addresses

Hi,

I have one external interface; to this interface our ISP is static routing 8 IPv4 addresses with a /31 mask.

This is over a gigabit link. We have different servers using these addresses behind NAT. 3 IPv4 addresses are working fine and we are getting a gbit connection; however, on the other 5 IPv4s I'm getting 1-2 Mbit download and 200-500 Mbit upload.

Let's say the server is using an internal network of 192.168.100.0/24; if I hide NAT this network behind the "working" IPv4 addresses it gets gbit. Otherwise it's back to the 1-2 Mbit down and 200-500 Mbit upload. This must be an issue with the ISP, right? What could cause a problem like this?



Accepted Solutions
Timothy_Hall
Legend

With the blades you have enabled, nothing in your Check Point firewall policy/feature config should be causing the performance effect you are seeing.

Sounds like the subnet mask on your firewall's external interface is not matching what your ISP has for you on their router, a /31 (255.255.255.254) is 2 total addresses not 8.  If you are set for a /31 and your ISP is set for /29 (255.255.255.248), the "good/fast" addresses probably fall within your /31 while the slow ones fall outside that.  In that case the ISP router may be proxy ARPing for every address on the Internet for your slow addresses which will cause some problems.  You may also be stepping on the addresses assigned as the network number (old broadcast - lowest IP address in the range) for your subnet, as well as the broadcast (highest IP address) which may cause a variety of nasty broadcast storm-type effects that impact performance.

Depending on your ISP they may have given you two Internet-routable netblocks: a small WAN/transit netblock (like a /30) that should be implemented between your firewall's external interface and their router, and another larger LAN netblock (like a /29 or /28) that will be routed by the ISP across the WAN netblock for transit to your firewall.  Feel free to PM me the information your ISP gave you as far as Internet-routable addresses they assigned you, and the external interface configuration of your firewall with no redaction.  I wouldn't recommend posting that info publicly.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

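The mask mismatch described in the accepted answer can be checked mechanically before going back to the ISP. The script below is an added example, not code from the thread or from Check Point; it assumes a firewall external interface set to 203.0.113.10/31 and an ISP allocation of 203.0.113.8 through 203.0.113.15 (RFC 5737 documentation addresses standing in for the real ones), and labels each address the way the answer reasons about it: inside the firewall's on-link subnet, outside it, or sitting on the network/broadcast address of the block the ISP actually provisioned.

```python
"""Overlay a firewall's configured external prefix on the addresses the ISP
handed out and classify each one.

Added example illustrating the /31-vs-/29 mismatch; not code from the
original thread. Addresses are constructed from the RFC 5737 documentation
range 203.0.113.0/24 and stand in for the real ones.
"""
import ipaddress
from typing import Dict, List

# Assumed configuration: the firewall's external interface is set to a /31,
# while the ISP actually provisioned a /29 (eight addresses, .8 through .15).
FW_EXTERNAL = "203.0.113.10/31"
ISP_ASSIGNED = [f"203.0.113.{n}" for n in range(8, 16)]


def smallest_covering_prefix(addrs: List[str]) -> ipaddress.IPv4Network:
    """Smallest prefix containing every address in the list, i.e. the block
    the ISP most likely provisioned when it says it gave you N addresses."""
    hosts = [ipaddress.ip_network(a) for a in addrs]   # each is a /32
    block = hosts[0]
    while not all(h.subnet_of(block) for h in hosts):
        block = block.supernet()                        # widen by one bit
    return block


def classify(fw_cidr: str, addrs: List[str]) -> Dict[str, str]:
    """Label each ISP address from the firewall's point of view."""
    onlink = ipaddress.ip_interface(fw_cidr).network
    block = smallest_covering_prefix(addrs)
    labels: Dict[str, str] = {}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # A /31 (RFC 3021) or /32 has no network/broadcast address; anything
        # wider does, and those two addresses must not be assigned to hosts.
        if block.prefixlen < 31 and ip == block.network_address:
            labels[a] = "network address of the ISP block; not assignable"
        elif block.prefixlen < 31 and ip == block.broadcast_address:
            labels[a] = "broadcast address of the ISP block; not assignable"
        elif ip in onlink:
            labels[a] = "on-link for the firewall"
        else:
            labels[a] = ("outside the firewall's on-link subnet; traffic to it "
                         "leaves via the default route and the ISP router must "
                         "proxy-ARP or route it")
    return labels


def mask_mismatch(fw_cidr: str, addrs: List[str]) -> bool:
    """True when the firewall's prefix length differs from the block the
    addresses actually span, which is the situation suspected above."""
    fw_len = ipaddress.ip_interface(fw_cidr).network.prefixlen
    return fw_len != smallest_covering_prefix(addrs).prefixlen


if __name__ == "__main__":
    print("ISP block:", smallest_covering_prefix(ISP_ASSIGNED))
    print("mask mismatch:", mask_mismatch(FW_EXTERNAL, ISP_ASSIGNED))
    for addr, label in classify(FW_EXTERNAL, ISP_ASSIGNED).items():
        print(f"{addr:16} {label}")
```

Feed it the real interface setting and the address list the ISP supplied. A True from mask_mismatch, together with addresses labelled as outside the on-link subnet or as the block's network/broadcast address, is the concrete configuration to put in front of the ISP.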
14 Replies
PhoneBoy
Admin

It could be an ISP issue, but we should rule out anything specific with the gateway.
Let’s start with:

  • Version/JHF level of gateway
  • Output of Super Seven commands when attempting access via one of the “bad” IPs
  • Output of the enabled_blades command

This should help us narrow down the issue.

flwsterN
Participant

Hi PhoneBoy!

R81.10 Take 87

enabled_blades:
fw vpn

Super Seven script output is in the txt file!

PhoneBoy
Admin

The gateway is barely breaking a sweat, so this isn't a performance related issue.
It may be something in the networking configuration with your ISP like @Timothy_Hall said.

Timothy_Hall
Legend

I have been in contact with the OP and done some probing from the Shadow Peak lab, and it definitely looks like an upstream ISP issue for his routed /31's.  Helping them assemble an airtight case that the ISP will be unable to dismiss as not their problem.  🙂

flwsterN
Participant

Hi Timothy!

Thanks for the reply.

I sent you a message!

flwsterN
Participant

Thank you for all the help Timothy!

the_rock
Legend

I agree with the guys. Based on the fact that ONLY the vpn blade is on (since fw is always on by default), and looking at your superseven output, there is literally no load on your gateway at all, so it's highly unlikely it's a CP issue.

the_rock
Legend

Forgot to mention, sorry... it might be worth sending us the outputs below if you can. Say your external interface is eth1 (just as an example); could you send us the below?

ethtool -i eth1
ethtool -S eth1
clish -c "show interface eth1"
ifconfig -a eth1
cpstat os -f all

Cheers,

Andy

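What to look for in the ethtool -S output requested above: error and drop counters that are nonzero and, more tellingly, that keep rising while a transfer to one of the slow addresses is running (the counters are cumulative since boot, so a single snapshot can show old history). The parser below is an added example, not code from the thread or from Check Point; the two snapshots are constructed, with counter names in the style of the Linux igb driver and invented values, and stand in for output captured before and after a throughput test on the external interface.

```python
"""Parse "ethtool -S <iface>" output and surface the counters that point at a
link-level problem.

Added example for the interface checks requested above; not code from the
original thread. BEFORE/AFTER are constructed snapshots (igb-style counter
names, invented values).
"""
import re
from typing import Dict

BEFORE = """NIC statistics:
     rx_packets: 184223311
     tx_packets: 171003922
     rx_bytes: 198877634210
     tx_bytes: 120443312987
     rx_errors: 0
     tx_errors: 0
     rx_dropped: 0
     tx_dropped: 0
     rx_crc_errors: 1342
     rx_missed_errors: 0
     rx_no_buffer_count: 0
     tx_fifo_errors: 0
"""

AFTER = """NIC statistics:
     rx_packets: 184391020
     tx_packets: 171250433
     rx_bytes: 199110042377
     tx_bytes: 120699853110
     rx_errors: 0
     tx_errors: 0
     rx_dropped: 0
     tx_dropped: 0
     rx_crc_errors: 1342
     rx_missed_errors: 37
     rx_no_buffer_count: 0
     tx_fifo_errors: 0
"""

# Counter names that mean lost or corrupted frames rather than normal traffic.
SUSPECT = re.compile(r"err|drop|miss|crc|no_buffer|fifo|flush|collision",
                     re.IGNORECASE)
# One "name: value" line; the "NIC statistics:" header has no value and is skipped.
LINE = re.compile(r"^\s*([\w.\[\]-]+):\s*(\d+)\s*$")


def parse_ethtool_stats(text: str) -> Dict[str, int]:
    """Turn the counter lines of an ethtool -S dump into a name -> value dict."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def suspect_counters(stats: Dict[str, int]) -> Dict[str, int]:
    """Nonzero error/drop counters in a single snapshot (cumulative since boot)."""
    return {k: v for k, v in stats.items() if SUSPECT.search(k) and v > 0}


def rising_counters(before: Dict[str, int],
                    after: Dict[str, int]) -> Dict[str, int]:
    """Error/drop counters that moved between two snapshots. A historic nonzero
    value may be stale; a counter that climbs during the test is a live fault."""
    return {k: after[k] - before.get(k, 0)
            for k in after
            if SUSPECT.search(k) and after[k] - before.get(k, 0) > 0}


if __name__ == "__main__":
    b, a = parse_ethtool_stats(BEFORE), parse_ethtool_stats(AFTER)
    print("nonzero before test:", suspect_counters(b))
    print("rose during test:   ", rising_counters(b, a))
```

In the constructed sample the CRC error count is old and static, while rx_missed_errors climbs during the test; only the second would point at the NIC or the link rather than at the upstream path. Capture the two snapshots with the real command on the gateway and pass their text to parse_ethtool_stats.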
flwsterN
Participant

I sent you a PM with some tcpdump on video.

the_rock
Legend

Let me check : - )

Will respond there.

Andy

the_rock
Legend

Hey guys,

Just to update, Benjamin and I had a remote session and we are pretty confident that this is an ISP issue based on the testing.

- sxl on or off, same problem
- rule is there to allow full communication, same problem
- ICMP enabled globally, no change
- fw up_execute shows traffic allowed for the IPs we tested
- fw ctl zdebug does not drop anything on the affected IP addresses
- fw monitor -F we ran shows traffic for icmp requests, but not constant replies
- verified routing, it's very basic and definitely no asymmetric routing issues

Based on all of the above, I am positive this is not a CP fw issue.

Andy

flwsterN
Participant

Thank you for all the help Andy.

the_rock
Legend

No problem. Here comes my corny joke of the century that everyone on this planet is sick of...for you, no charge, except iphone charge ; - )
