This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thowtes
Explorer
‎2023-04-13 12:27 PM
Jump to solution

ipsec latency smb1570

Hello,

i have a problem (probably) with high latency over IPSec (Site2Site) between SMB1570 (remote) and Mikrotik RB1100 (central).

When i try to add esxi host on remote site to vcenter on central branch, it always fails. Only host behind SMB1570 have this issue, so i think it is related to Checkpoint and/or this IPSec.

I tried some configurations with MTU, but no success.

Any idea, please?

Thank you.

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-04-13 05:55 PM
Jump to solution

As @PhoneBoy suggests you're probably looking at something like the following:

sk121114: "Fragmentation needed" error on dropped packets sent through tunnel on Quantum Spark Appli...

 

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-04-13 05:48 PM
Jump to solution

It's most likely an MTU/fragmentation issue.
For a discussion of this topic in general, see: https://support.checkpoint.com/results/sk/sk98074 
To confirm the issue, I recommend taking some packet captures.

If your SMB appliance is locally managed (i.e. without SmartCenter), not sure it is possible to configure MSS Clamping, which is probably how you'd resolve this.
Recommend engaging with the TAC: https://help.checkpoint.com 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-04-13 05:55 PM
Jump to solution

As @PhoneBoy suggests you're probably looking at something like the following:

sk121114: "Fragmentation needed" error on dropped packets sent through tunnel on Quantum Spark Appli...

 

CCSM R77/R80/ELITE
0 Kudos
Thowtes
Explorer
‎2023-04-13 11:27 PM
In response to Chris_Atkinson
Jump to solution

Thank you,

but i found first issue on 2nd step - no .conf file in dir:

 

[Expert@fw]# cp -v $FWDIR/modules/fwkern.conf{,_BKP}
cp: can't stat '/opt/fw1/modules/fwkern.conf': No such file or directory
[Expert@fw]# pwd
/opt/fw1/modules
[Expert@fw]# ls -la
drwxr-xr-x    2 root     root          4096 Feb 23 14:19 .
drwxr-xr-x    3 root     root          4096 Feb 23 14:19 ..
-rw-r--r--    1 105      80          500440 Nov 22 09:58 adp.o
-rw-r--r--    1 105      80        49280288 Nov 22 09:58 fw.o
-rw-r--r--    1 105      80        46326416 Nov 22 09:58 fwv6.o
-rw-r--r--    1 105      80        13251656 Nov 22 09:58 sim.o
-rw-r--r--    1 105      80        13049208 Nov 22 09:58 simv6.o
-rw-r--r--    1 105      80           25984 Nov 22 09:58 vpnt.o

 

 Running version:

The current firmware version is R81.10 (996000575)
 
I've found also this cmd in some topic, but not working:

 

[Expert@fw]# fw ctl get int fw_clamp_tcp_mss
fw_clamp_tcp_mss = 0
[Expert@fw]# fw ctl set int fw_clamp_tcp_mss 1
 Set operation failed: failed to get parameter fw_clamp_tcp_mss​

Thank you for help.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-04-14 07:46 AM
In response to Thowtes
Jump to solution

Sounds like fw_clamp_tcp_mss can not be set "on the fly" meaning the only way is by specifying it in fwkern.conf.
If this file does not exist, it must be created.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events