Hi all,
One of our customers has a VSX cluster running R81.20 Take 26.
Since the upgrade from R81.10 Take 95 they have issues with NFS traffic through the firewall.
This traffic is going through two VSs on the same VSX cluster. 16200 hardware.
In the Data Center there is a storage environment where a lot of VMs get their data from.
The VMs are Jenkins servers they use for deploying and automating projects.
These Jenkins servers rely on the NFS share and when the NFS share is not there, the deployment stops until the NFS is back.
This has been working OK on R81.10 for two years, but on R81.20 we suddenly see a lot of out-of-state drops for NFS traffic.
One of the ways to solve this is by restarting the Jenkins servers so they initiate a new connection to the storage.
In order to investigate and solve the issue, the customer has done the following.
1. Created a custom TCP and UDP service for NFS, configured the time-out to 24 hours and disabled Aggressive Aging for those services. This was OK for some VMs, but not all of them.
2. Increased the connection limit on the affected VSs because they were getting close to their limits.
3. Enabled fast accel for port 2049 (NFS).
4. Disabled Smart Connection Re-use, but this made things worse. So we enabled it again.
5. Performed a fail-over to the other VSX cluster member for both VSs.
6. Excluded NFS from Threat Prevention.
All steps above did not solve the issues. We do not see an increase in load on the system. CPU and memory are normal.
Even now we are seeing dropped out-of-state packets for NFS, but at the moment no issues are reported.
In the end, the customer created an extra interface on the storage environment so it is in the same network as the VMs, bypassing the firewalls.
The customer has a strict security policy and it is not allowed to share site-related data with Check Point support.
So our first step is to try to get help from the CheckMates community.
Why was this working in R81.10 and is it causing problems in R81.20? Has something changed in the code for handling NFS traffic?
Any help is appreciated. Thanks.
Martijn