Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HristoGrigorov

R77.20.85 performance issue on centrally managed SMB

Guys,

That build is causing significant traffic delays and CPU load is higher than that of R77.20.81. 

Any of you experiencing similar problem ?

123 Replies
Martin_Krolikow
Participant

Hi Hristo,

what do you mean with jumbo hotfix? Did Check Point provide a newer build of R77.20.85? We are experiencing a similar problem with Gaia Embedded and R&D is still investigating.

Cheers,
Martin

0 Kudos
HristoGrigorov

Hello Martin,

Yes, it is new R77.20.85 build.

I notified guys from R&D I worked with about your question. I hope they will reply to you here. 

Keren_Greenblat
Employee
Employee

Hello everyone,

Hristo was helping us during the last days to detect the issue and we provided him a possible fixed image on top R77.20.85 that seems to solve the issue.

We're currently working to make sure this image can be provided to all customers ASAP (QA cycle, automation..).

Thanks,

Keren Greenblat -  

SMB Field Solutions Team Leader.

Naftali_Oziel
Collaborator

Hi Karen can we confirm this fix was also validating the slow GUI response for standalone.  There has been cases reported to this and the two may have correlation due to the high cpu load. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

High CPU load on locally managed SMB devices will cause slow GUI response anyway as the ressources are very small.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Naftali_Oziel
Collaborator

Agreed and simply highlighting to make sure QA covers all validation as the high CPU was not just on cental managed devices but local as well 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I do have the information that one customer got rid of high CPU load on locally managed SMB after upgrade to R77.20.85 - so what is true for one user / one model / one production environment must not be true for others 🙂

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

I recommend that you open SR about the GUI issues you are experiencing. It is the right way to bring CheckPoint attention on it. This case was exceptional and brought directly to R&D's attention because it was totally preventing us from running the build in production environment. What I call "showstopper" case. Even so most software divisions won't allow this at all. 

Hereby I want to thank R&D for the quick response and being flexible on investigating and fixing this. It was pleasure working with them.  

0 Kudos
Naftali_Oziel
Collaborator

Thank you everyone, I will test the jumbo fix this weekend first and if issue persist than SR will be initiated.  The fact the fix did result positive to a customer on standalone, hoping for the same result.  Plus there is already an SR for this w/other customers. 

0 Kudos
HristoGrigorov

To close this thread:

CheckPoint have already released R77.20.85 build 751 that included fix for the above mentioned performance issue. 

0 Kudos
Naftali_Oziel
Collaborator

Thanks for the info, was hoping to see it updated on the original d/l page as it as still display build 731. I assume you installed this firmware build 751 in your environment and all is good?

0 Kudos
HristoGrigorov

Yes, few days in production already. No problems noticed.

0 Kudos
Naftali_Oziel
Collaborator

Thanks appreciate the info.  I will be updating my prods next weekend and test results.  

0 Kudos
HristoGrigorov

Build is no longer available for download Smiley Happy

0 Kudos
Naftali_Oziel
Collaborator

build 751 is still available and downloadable.  I agree that the firmware upgrade feature on the firewall adds  no value.   I believe CP has no way to distinguish firewalls with valid subscription vs. out of subscription and hence it never prompts you that a new build is available.   That is my two cents, could be wrong.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

New firmware versions are announced in CP UserCenter and in Embedded GAiA WebGUI. CPUSE on GAiA appliances is a very different engine and ecosystem that does not include SMB devices!

To  "believe that CP has no way to distinguish firewalls with valid subscription vs. out of subscription and hence it never prompts you that a new build is available" is both very wrong and building maybe on a great lack of experience - i have seen the message that there is a new firmware available on SMS rather very often during the last years 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Naftali_Oziel
Collaborator

No lack of experience my friend, simply providing facts as it relates to me hence the statement I believe.  I've been with CP since 96 and evolved with there echo-system on different platforms. 

For the rare times SMB displays new firmware, I still have fingers left to count with.  Consistency  for this functionality to alert on new firmware needs to be improved.  Again there may be a reason for this behaviour vs. design.  My devices are still stating build 541 on r77.20.81 is up to date.    Appreciate the feedback and glad to see the firmware functionality is working to your desired expectation.

G_W_Albrecht
Legend Legend
Legend

If you do believe that CP has no way to distinguish firewalls with valid subscription you are just wrong.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

CheckPoint must have blacklisted me because I cannot see 751 on Downloads page anymore Smiley Happy

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Same to me - maybe some others that still see it did not clear their browser cache 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pedro_Espindola
Advisor

I can still see it and download it even in a different browser.

I suggest you steer clear of this build until it is actually documented. Remember what happened to me and build 701, which should not have been available.

0 Kudos
HristoGrigorov

That's because you are not blacklisted. May be only EU is Smiley Happy

But you are certainly right. And I wonder how it happens that non-GA build slips through and appears on download page.. second time now.

0 Kudos
Naftali_Oziel
Collaborator

Keren indicated build r77.20.85 build 751 is still going QA cycle and in a few days to be released,  unclear if it's going to be a different build or same?  Keren Greenblat‌ are you able to clarify?,  Appreciate it, as always.

HristoGrigorov

I believe next GA firmware will be R77.20.86

0 Kudos
Naftali_Oziel
Collaborator

I will be just happy to get a straight answer for this firmware before I upgrade.   R77.20.86 I see at EA.

HristoGrigorov

R77.20.85 build 751 is now official although I couldn't spot on the page what else was changed in it.

0 Kudos
Naftali_Oziel
Collaborator

Now that you've been running with build 751, has it been stable for you?  also if you ssh into the box and do the top command do you notice any zombies processes, just curious.   

0 Kudos
HristoGrigorov

Yes, build 751 is very stable for me and also performance is good. I keep an eye on 'top' from time to time and haven't noticed any zombie processes. But notice that my one is centrally managed while I think yours is not.

0 Kudos
Naftali_Oziel
Collaborator

Thanks,appreciate the info.  I can only hope that results will yield the same for standalone. 

0 Kudos
Naftali_Oziel
Collaborator

Noticed today that I have 5 zombies and all are related to HTTPD, looking at the ps aux it shows zero memory/cpu.  Anyone else seeing zombies?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events