Scalable Platforms (41k/44k/61k/64k)

Discussion on Check Point's High Performance Scalable Platforms, i.e. the 41000, 44000, 61000, and 64000 Appliances.

Adding second SSM to 41k fails

Case is going in tomorrow but I just wondered if anyone had actually gone through the process of adding a second SSM to 41/61k? There's no need to point out that CP always recommends to buy two SSMs from the start. Sometimes $$ are not there. We followed the process described in the admin guide. What happens is that the chassis internal network interface eth2-CIN seems to "lose" its mask setting on the SGM. Before adding the SSM, eth2-CIN is correctly turned off and has the correct IP with /25 mask. After running the add command and SGM reboot, the interface state is active but the mask is gone! So the SGM is unable to communicate to anything on that CIN. Eth1-CIN still works as expected. As pointed out before it looks all good before we start:

non-interactive version of asg profile

Is there a way to run a static, non-interactive command for the 61K command "asg profile -p"?

New to use 64k Chassis command asg_***

Interested to know what asg stands for on these 64k chassis.

R80.20 issue with fw monitor - all the buffers are full

Under R80.20 with the latest jumbo hotfix the following error occurs if I start fw monitor: fwmonitor_kiss_add_to_global_buf: all the buffers are full
System 12000 appliance:
- 8 CoreXL instances
- approximately 25000 connections
- enough free memory

Dynamic NAT port allocation on SP systems?

Does anybody use Dynamic NAT port allocation on SP systems? (R76SP50 JHFA Take 180) We have been using this since Jan 2017 and it is apparently no longer supported!! It is still enabled because nobody told us it was not supported and we have been experiencing all sorts of problems on the chassis. Check Point silently removed support? Does anybody know anything about it? SK103656. In the additional notes it says: The feature is not supported on R76SP versions and on R80.20SP.

R76SP50 Take 205 install issues

Just wondering if anyone else has seen any issues with Take 205 installation. We are upgrading from Take 62, which had hotfixes on top of it, but those were removed successfully prior to the upgrade. Very bizarre behavior: trying to install the Take to the whole standby chassis, SGM-1 goes into a continuous reboot cycle. Restore snapshot to all blades on standby chassis and try to install it blade by blade instead. All succeeds. Failover chassis. Attempt to update whole chassis at once - fails again on SGM-1 going into continuous reboot cycle. Restore snapshot to all blades on standby chassis. Install succeeds on SGM-1,3 and 4. SGM-2 fails with the same continuous reboot symptom. Now in the process of reverting snapshot on SGM-2 and will try again. But really weird. Anyone else out there with similar issues on SP take installs? Up until now it's always been OK I have to admit.

Firewall Documentation Elaboration

What is the full form (expansion) of BFM? It's mentioned multiple times in the documentation, but I can't find the full form of it. What does it exactly do?
References:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk139172&partition=Advanced&product=Scalable
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157512&partition=Advanced&product=Scalable
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157512&partition=Advanced&product=Scalable
Please reply soon.

NTP service on scalable platform R76SP.50 doesn't work properly

When NTP is configured on R76SP.50 SMO, ntpq CANNOT reach the NTP server and stays in the INIT mode:

Performance tuning guide for 41K/61K/44K/64K

Is there a performance tuning guide available for 41K/44K/61K/64K systems?

SSM BRIDGE IN CHASSIS 41K

Hello, I need to know if you can configure a bridge between 2 SSMs within the same chassis

Multiple routing domains within VS

I'm wondering if it's possible to have the concept of a VRF or separate routing domain within a VSX virtual system. The virtual system itself is a separate routing domain but I'm talking about multiple routing tables within a single VS. Cisco Nexus has a concept of VDC (Virtual Device Contexts) where multiple VRFs can be created within a single VDC. It's this kind of functionality that I'm looking for. The platform is 61K chassis (multiple chassis in VSLS with VSX) but perhaps this could be a question for VSX in general.

Tracking Connection Count/limit (asg perf or vsx stat)

Hi Checkmates, I have been stuck determining whether there is a difference in the connection count values (and kernel tables in general). If you run asg perf -vv, you can fetch the concurrent connections of each VS. The output aggregates the connections found across all the blades for that VS. If you run "fw vsx stat -l", you can fetch both the connection count and limit. Is fw vsx stat also aggregating all the blades? The values look identical. Is the limit from "fw vsx stat -l" also aggregating the limit of all the blades associated with the VS?

R80.20SP released

As of yesterday (28th of February), R80.20SP has been released. More information can be found here: sk140392
Interesting SKs apart from the normal documents that get released upon a new version:
- Comparison between R80.20 and R80.20SP
- Comparison between R76SP.50 and R80.20SP
Note: download is currently not publicly available, but can be requested via: r8020sp_installation@checkpoint.com
I wonder though why it is not publicly available, anybody have an idea why?

Hanging client ports in chassis

Here's a weekend riddle for those running scalable platforms (we're on R76 SP50 T62 with 4 SGMs) 🙂 I need a break now as it took forever to get to the truth. Will be raising a case after the weekend! In a nutshell, we are seeing some connections from a client to a domain controller not answered (4 TCP SYNs sent and no response) so we quickly blamed MS/WinOS. But it turned out that the chassis was sitting in some strange state regarding some client ports - one SGM thought that connection is idle and correction SGM still had connection in the table. After gigabytes of packet capture we got it - this scenario was created when a TCP connection is released from both client and server nearly simultaneously. So somehow the connection table update fails on SGMs. As always one diagram speaks 1000 words.. thanks as always! I know it's true because after manually deleting the connection from the blade 1_03 table, all works again on that port.

SP platform issue with NTP status check

When trying to check NTPQ status on Scalable Platform such as R80.20SP getting "refuse". When trying to check from gclish > show ntp current - getting "command not supported".