Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
MrDazana
Contributor
Jump to solution

apple devices unable to update behind a quautem spark 1530

Hello folks, 

 

I have a weird issue . Anything apple related ( appletv, iphone ipad) are unable to install their updates when connected behind a checkpoint firewall. If I swap out the firewall with a DSR500AC, it works just fine no issues. 

 

on the checkpoint I'm running R80.20.35, no threat protection what's so ever, just firewall blade in standard mode, remote access and site to site . 

 

Nothing in logs showing up as anything getting blocked. 

 

thoughts?

 

thanks

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

No, but it might mean you're actually experiencing MTU issues or similar.
It's probably worth a TAC case to investigate this.

View solution in original post

0 Kudos
(1)
13 Replies
MrDazana
Contributor

found this in the firewall logs 

received SYN packet with data, packet dropped. 

Resource
icloud.com

 

found this https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

will try solution and repost back here soon 

 

0 Kudos
MrDazana
Contributor

that didn't work

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

That can not work, this is for GAiA only, not Embedded GAiA from Quantum Spark ! You have to use the Advanced Settings and search for statefull protections to set this like in the cited SK.

What fails for you works behind my 1550 - but OS X images fail to download after 3.6GB. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
MrDazana
Contributor

Wish I had another one to test your answer, found Stateful Inspection > Drop Out of state TCP Packets set to 0. would it be best to set this to 1 anyway ?

0 Kudos
PhoneBoy
Admin
Admin

What is the precise behavior on the iOS devices?
If you do fw ctl zdebug +drop on the command line, what if anything shows?

0 Kudos
MrDazana
Contributor

Hi PhoneBoy,

On the iphone, it downloads the update package. after the download, i click install, it'll verify and stay there for like 5-10 mins and then says it fails because i am no longer connected to the internet. 

Same deal on the ipad

On the Apple tv, it'll download update, then switch to stage 1 of 2 preparing update for 10 mins, and then fails and says to try again. 

 

I ran your command then tried again until it failed. here the output

Defaulting all kernel debugging options
Debug state was reset to default.
Initialized kernel debugging buffer to size 1023K
Updated kernel's debug variable for module fw
Kernel debugging buffer size: 1023KB
HOST:
Module: kiss
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: kissflow
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: fw
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: h323
Enabled Kernel debugging options: error
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: cpcode
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: upconv
Enabled Kernel debugging options: error warning info
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: WS_SIP
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: multik
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: PSL
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: CPAS
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: seqvalid
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: synatk
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: MUX
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: accel_pm_mgr
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: accel_apps
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: fg
Enabled Kernel debugging options: error
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: UC
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: dlpk
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: dlpuk
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: gtp
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: VPN
Enabled Kernel debugging options: err
Messaging threshold set to type=Info freq=Common

-----------------------------------------------------
HOST:
Module: WSIS
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: UPIS
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: BOA
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: cmi_loader
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: NRB
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: SGEN
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: RAD_KERNEL
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: WS
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: CI
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: SFT
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: APPI
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: UP
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: MALWARE
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: FILEAPP
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: dlpda
Enabled Kernel debugging options: None

-----------------------------------------------------
HOST:
Module: IDAPI
Enabled Kernel debugging options: None

-----------------------------------------------------
@;0;kiss_debug_report: start
@;0;kiss_debug_report: start
@;0;kiss_debug_report: start
@;668770;[cpu_0];[fw4_0];fw_kmalloc_impl: fwkdebug_ioctl_handle: allocates 0 byt es;
@;668770;[cpu_0];[fw4_1];fw_kmalloc_impl: fwkdebug_ioctl_handle: allocates 0 byt es;
@;668770;[cpu_0];[fw4_2];fw_kmalloc_impl: fwkdebug_ioctl_handle: allocates 0 byt es;

 

 

0 Kudos
Amir_Ayalon
Employee
Employee
0 Kudos
MrDazana
Contributor

My WAN interface is connected via PPPOE. would that be considered bridge mode ?

 

0 Kudos
PhoneBoy
Admin
Admin

No, but it might mean you're actually experiencing MTU issues or similar.
It's probably worth a TAC case to investigate this.

0 Kudos
(1)
MrDazana
Contributor

Tried setting MTU to 1492 and still a no go. I'm gonna reset it to factory and see what happens. I don't have a support contract for it, i'm only field testing it.

0 Kudos
the_rock
Legend
Legend

Does same issue happen even if policy allows everything? Is this locally or centrally managed appliance? Can you do fw monitor capture when this is happening, so we can see where traffic gets "stuck"? I looked at that debug you provided and searching for those errors, nothing comes up...

 

Andy

0 Kudos
MrDazana
Contributor

Going with what you said here, I switched my wan port to DHCP instead of PPPoE. Without doing anything else, my test apple device updated no problem.

Switching to DHCP resolved 2 issues I had and I hope the devs will pick this up. The second issue I had was slow internet and high cpu usage within the checkpoint. When I would download files and max out my internet connection,  the check point would never do more than 650mb @1492MTU and 750mb @1500MTU. All security features off

switching to dhcp, I still get high cpu usage in the checkpoint but I get 900mbs

 

0 Kudos
PhoneBoy
Admin
Admin

On a 1530 that might be expected behavior as that's about the top end of what the appliance will do, particularly with a single connection.
https://www.checkpoint.com/downloads/products/1500-security-gateway-datasheet.pdf

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events