This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Darren_Fine
Collaborator
‎2019-05-16 08:48 AM

PBR and SecureXL issues in R80.20

Hi Guys,

Has anyone had any issues with PBR on R80.20 ?

I have tried an upgrade from a working R80.10 to R80.20 twice now and found that the PBR is an issue once upgraded to R80.20.

This is on JHF 33 and now JHF 73 .

One of the troubleshooting steps after seeing sk109741 was to switch off SecureXL - once we did that all worked as it did on R80.10 .

<also tried the PBR route lookup option - it made no difference)

We have opened a TAC case and have had the environment running succesfully without SecureXL for the entire day - but obviously we want to enable SecureXL ultimately .

 

Just thought I would post in case anyone else is having PBR issues on R80.20 ?

(also if you have any ideas on how to fix this - before TAC gets back to me - let me know)

0 Kudos
11 Replies
Darren_Fine
Collaborator
‎2019-06-26 06:19 AM

Hi

 

Just an update on this - We still are experiencing this issue even though TAC has confirmed its a known issue and they did give us a hotfix (to go on top of JHF 47).

 

However this hotfix did not have the desired effect and the issue remains.

 

Is no one else experiencing this issue?

 

Thanks

0 Kudos
Paul_Surgeon
Participant
‎2019-07-29 12:15 AM
In response to Darren_Fine

I'm also seeing PBR routing issues in R80.20 with JHF Take 87 after upgrading from R80.10.

What I'm seeing in my scenario is that the first 3 to 5 SYN packets for a new TCP connection get incorrectly routed out the interface that has the default route before the gateway figures out which is the correct interface to route the packets to.

The fourth or fifth SYN packet gets routed to the correct interface and then the rest of the TCP session is routed correctly. 

Switching SecureXL off in R80.20 fixes it.

0 Kudos
Alex_Lam1
Contributor
‎2019-07-29 01:51 AM
In response to Paul_Surgeon

Hi Paul

 

Did you see the issue when you were on take 47?

We have similar issue. take 87 should fix the secure XL. however, we encounter a peformance issue.

Weird thing is that when we rollback to take 47, we don't see the performance issue anymore. 

 

So you applied take 87 and turn off secure XL and that fixes the issue?

 

Regards

Alex

0 Kudos
Paul_Surgeon
Participant
‎2019-07-29 02:19 AM
In response to Alex_Lam1

Take 87 was applied during the upgrade to R80.20 so I never had a chance to run see if the problem exists in Take 47.

Turning off SecureXL on R80.20 Take 87 fixed the issue in our environment. Fortunately our gateways are not under heavy load (< 40%) and the performance impact of running without SecureXL is negligible (about 5 to 10% higher CPU load).

According to our support partner Check Point are aware of the PBR routing problem and are working on a fix.

0 Kudos
Chinmaya_Naik
Advisor
‎2019-07-29 02:28 AM
In response to Alex_Lam1

Hi Team,


We also face the same issue with PBR after upgrade to R80.20.

Still, we are not install any hotfix because when we try to install take_47 and after installing the HotFix when we run "fw unloadlocal" then suddenly gateway goes reboot so we uninstall the HotFix.

Can you confirm that take_87 resolve the issue with SecureXL enabled ?

We have 21400 appliances with both CoreXl and SecureXL enable.

I had installed take_47 on multiple different appliance but the first time I face an issue with this take_47 with 21400 R80.20 with fresh setup.

So If I disable SecureXL and then install the take_87 the does this resolve this issue because we already face an issue with Take_47.

Thank You


Regards
@Cinmaya NaiK

0 Kudos
Jonne_Hannon
Contributor
‎2019-08-27 07:36 PM

Hi all,

I started getting reports about services using PBR not working the day after upgrading to R80.20 Take 87 from R77.30.  Disabling SecureXL for individual IP addresses having issues resolves their issues, but I don't consider this to be a permanent solution.  I have created a Service Request with Check Point Support for further investigation.  In our case, PBR is not entirely broken, however the routing seems to get messed up during a conversation, not necessarily at the start of a connection.  I was requested to try the solution in sk109741, but that did not resolve our issues.  I will update when I get further information.

Thanks,

 

Jonne.

0 Kudos
colfer
Explorer
‎2020-08-14 03:49 AM
In response to Jonne_Hannon

hi - Did the PBR issue with R80 get fixed eventually ? What was the fixed version ?

0 Kudos
_Val_
Admin
Admin
‎2020-08-14 04:17 AM
In response to colfer

According to sk163252

This problem was fixed. The fix is included in:

0 Kudos
colfer
Explorer
‎2020-08-14 04:20 AM
In response to _Val_

hi - I believe, I have the same issue with R80.40 as well. with TAC now for investigation. 

0 Kudos
_Val_
Admin
Admin
‎2020-08-14 06:53 AM
In response to colfer

Sorry to hear that. Please share the resolution details when you have them with TAC

0 Kudos
Jonne_Hannon
Contributor
‎2020-08-16 08:54 PM
In response to colfer

My particular PBR issue was resolved with a hotfix on top of R80.20 JHFA Take 103.  I haven't been game to touch the gateway since, but I do have some 16200 appliances running R80.40 to replace the old appliances.  It's concerning if the issue is still there in R80.40.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top