This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Saranya_0305
Collaborator
3 weeks ago

SMB Appliance Disk and Memory

Dear Team,
 
I have SMB appliance model 1530 which was managed centrally where Management Server and SMB appliance at located in different locations.
 
They both have connected by Static routing initially, later we changed to OSPF configuration.
 
Later, when we try to install policy on the device, the below errors triggers at differently at different times.
 
- SIC is not communicating, GeneralSIC error:148
- The IP:xx.xx.xx.xx gateway is not available.-
- Policy timeout.
 
We have reset the SIC multiple times, at that time sometimes able to install the policy but sometime not able to install the policy.
 
We are able to telnet from Gateway to Management Server by ports 18191,18200.
 
But using 18211 Connection refused.
 
We have raised OEMTAC case for this,
 
- Initially they also did reset the SIC and same thing happened on that time its working, after some time it is not working.
- They have collected he Policy debug logs from the Management Server and DrSpark file from the appliance.
 
Line 9740016:  [FW_LOADER 9653 4145583936]@MGMT[23 May 15:05:36] SIC Error for InstallPolicy: timeout elapsed during authentication protocol.
Line 9740115:  [FW_LOADER 9653 4145583936]@MGMT[23 May 15:05:36] opsec_auth_client_connected: SIC Error for InstallPolicy: timeout elapsed during authentication protocol.
Line 9740370:  [FW_LOADER 9653 4145583936]@MGMT[23 May 15:05:36] CPTA_InstallFailReasonTranslate: error number 3048     Ip = 10.0.6.154: Resource temporarily unavailable
Line 9740392:   Installation failed. Reason: SIC General Failure [ SIC error no. 148 ].
 
Based on their analysis, there are several factors.
 
-Insufficient system resources (CPU, memory, disk space)
-High load on the gateway at the time of policy installation
-Temporary network issues between the Management Server and the Gateway
-Too many concurrent operations (e.g., multiple policy installations, upgrades, or other heavy tasks) - # no tasks are running during policy installation.
 
 
Same verified over the logs as well, there is an issue with Peak connections which is causing issue with Memory.
====================================================================================================
 
 
For the temporary network issue, there is slight chance mostly because for the Same Management Server we are able to install the policy for different locations.
 
Before going to investigate network side, I want to know, what is the minimum or maximum memory and disk space utilization is required for running smoothly.
 
If the disk space don't have enough space what are all files can we remove so it doesn't have impact on production. 
 
Peak connections was set to 150000 in SmartConsole.
 
For reference screenshot attached.
 
Regards,
Saranya
Preview file
16 KB
Preview file
6 KB
Preview file
8 KB
Preview file
11 KB
0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
3 weeks ago

Which version of SMB firmware is used, something older than R81.10.17?

This script from the SK below can be helpful especially for the lower end Spark appliances.

https://support.checkpoint.com/results/sk/sk183290

CCSM R77/R80/ELITE
0 Kudos
Saranya_0305
Collaborator
3 weeks ago
In response to Chris_Atkinson

Hi,

The firmware version is R81.10.15.

 

Regards,

Saranya

0 Kudos
G_W_Albrecht
Legend Legend
Legend
2 weeks ago
In response to Saranya_0305

So try sk183290 - also see the discussion here: https://community.checkpoint.com/t5/SMB-Gateways-Spark/Spark-Embedded-physical-memory-high/m-p/24748...

@PhoneBoy  - can we put this in SMB ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
Wednesday

I would suggest to contact CP TAC to resolve this issue!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Lesley
Mentor Mentor
Mentor
Wednesday

The admin guide states it can do:

Concurrent Connections 500,000

I would not recommend 500.000 conc connections but the limit is set to 150.000

You peak towards the 8000 connections so to increase this value has no purpose. 

The guide also says:

Connections per Second 10,500 

This you can see via CLI: cpview -> overview -> under network

Second tip: Doctor Spark shows if there are to many hosts connected, does it give this warning / error? 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events