Thowtes
Explorer

ipsec latency smb1570

Hello,

I have a problem (probably) with high latency over IPSec (Site2Site) between SMB1570 (remote) and Mikrotik RB1100 (central).

When I try to add an ESXi host on the remote site to vCenter on the central branch, it always fails. Only the host behind the SMB1570 has this issue, so I think it is related to Checkpoint and/or this IPSec.

I tried some configurations with MTU, but no success.

Any idea, please?

Thank you.


Accepted Solutions
Chris_Atkinson
Employee

As @PhoneBoy suggests you're probably looking at something like the following:

sk121114: "Fragmentation needed" error on dropped packets sent through tunnel on Quantum Spark Appli...

 

CCSM R77/R80/ELITE

4 Replies
PhoneBoy
Admin

It's most likely an MTU/fragmentation issue.
For a discussion of this topic in general, see: https://support.checkpoint.com/results/sk/sk98074 
To confirm the issue, I recommend taking some packet captures.

If your SMB appliance is locally managed (i.e. without SmartCenter), not sure it is possible to configure MSS Clamping, which is probably how you'd resolve this.
Recommend engaging with the TAC: https://help.checkpoint.com 

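A way to read the packet captures suggested in this thread, as an added example that is not part of the original posts and not Check Point code: it scans `tcpdump -n` text output for ICMP "need to frag" messages and lists TCP SYNs whose advertised MSS would not fit the reported MTU. The sample lines, addresses, ports and MTU value are constructed, and `analyse` is a name chosen for this example.

```python
import re

# Constructed sample of `tcpdump -n` text output taken on the LAN side of the tunnel.
# Addresses, ports and the MTU value are made up for illustration.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.51514 > 198.51.100.20.443: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
10:00:00.020000 IP 198.51.100.20.443 > 192.0.2.10.51514: Flags [S.], seq 9, ack 2, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
10:00:00.050000 IP 192.0.2.1 > 192.0.2.10: ICMP 198.51.100.20 unreachable - need to frag (mtu 1422), length 556
10:00:01.000000 IP 192.0.2.30.40000 > 198.51.100.20.902: Flags [S], seq 5, win 64240, options [mss 1300,nop,wscale 7], length 0
"""

# SYN or SYN-ACK with an MSS option; ICMP type 3 code 4 with the next-hop MTU.
SYN_RE = re.compile(r"IP (\S+) > (\S+): Flags \[S\.?\],.*?options \[mss (\d+)")
FRAG_RE = re.compile(r"ICMP \S+ unreachable - need to frag \(mtu (\d+)\)")
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def analyse(capture_text):
    """Return the lowest reported next-hop MTU, the largest MSS that fits it,
    and every SYN/SYN-ACK (src, dst, mss) advertising more than that."""
    syns, mtus = [], []
    for line in capture_text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            mtus.append(int(m.group(1)))
            continue
        m = SYN_RE.search(line)
        if m:
            syns.append((m.group(1), m.group(2), int(m.group(3))))
    if not mtus:
        # No "need to frag" seen: nothing in this capture points at an MTU limit.
        return {"path_mtu": None, "max_safe_mss": None, "oversized": []}
    path_mtu = min(mtus)
    max_safe_mss = path_mtu - IPV4_TCP_HEADERS
    oversized = [s for s in syns if s[2] > max_safe_mss]
    return {"path_mtu": path_mtu, "max_safe_mss": max_safe_mss, "oversized": oversized}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("lowest next-hop MTU reported:", result["path_mtu"])
    print("largest MSS that fits:", result["max_safe_mss"])
    for src, dst, mss in result["oversized"]:
        print(f"  {src} -> {dst} advertises MSS {mss}")
```

Connections listed as oversized are the ones MSS clamping would change; a capture with no "need to frag" lines returns `None` for both values.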
Thowtes
Explorer

Thank you,

but I found the first issue on the 2nd step - no .conf file in the dir:

 

[Expert@fw]# cp -v $FWDIR/modules/fwkern.conf{,_BKP}
cp: can't stat '/opt/fw1/modules/fwkern.conf': No such file or directory
[Expert@fw]# pwd
/opt/fw1/modules
[Expert@fw]# ls -la
drwxr-xr-x    2 root     root          4096 Feb 23 14:19 .
drwxr-xr-x    3 root     root          4096 Feb 23 14:19 ..
-rw-r--r--    1 105      80          500440 Nov 22 09:58 adp.o
-rw-r--r--    1 105      80        49280288 Nov 22 09:58 fw.o
-rw-r--r--    1 105      80        46326416 Nov 22 09:58 fwv6.o
-rw-r--r--    1 105      80        13251656 Nov 22 09:58 sim.o
-rw-r--r--    1 105      80        13049208 Nov 22 09:58 simv6.o
-rw-r--r--    1 105      80           25984 Nov 22 09:58 vpnt.o

 

 Running version:

The current firmware version is R81.10 (996000575)
 
I've also found this cmd in some topic, but it's not working:

 

[Expert@fw]# fw ctl get int fw_clamp_tcp_mss
fw_clamp_tcp_mss = 0
[Expert@fw]# fw ctl set int fw_clamp_tcp_mss 1
 Set operation failed: failed to get parameter fw_clamp_tcp_mss

Thank you for help.

 

PhoneBoy
Admin

Sounds like fw_clamp_tcp_mss cannot be set "on the fly", meaning the only way is by specifying it in fwkern.conf.
If this file does not exist, it must be created.
