This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Svante_Oskarsso
Participant
‎2019-05-10 06:17 AM

PCoIP connectivity issues when installing policy, R80.20

Hi,
We have a newly upgraded 15000 Appliance Cluster to R80.20 T47, only Firewall and IA blades are activated on this cluster.
We did not have this issues before with r77.30, 

Now when we install policy, all VDI (PCoIP) connections are disrupted, some close totally and some reconnects but still gets disconnected. It seems to happen when it has been longer than about 1h after the latest install, if an installation is done in 20-30 minutes since the last one we don´t seem to get the issue.

I've tested to increase the "end timeout R80" global setting from 5 to 20 as it was before but still the same issue is occurring. I cannot see anything unusual in the logs och anything with a zdebug drop. 

I'll troubleshoot with TAC on monday but wanted to see if anyone has any ideas on what this could be caused by and what more to check?

Regards
Svante

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-05-10 04:23 PM

TCP End Timeout is for connections that terminate gracefully.
Normally the gateway forces connections to "re-establish" after a policy install, though it depends on the Global Policy settings.
If you want to set this on a per-service basis, you can create/edit the relevant service and use the "keep connections open" option shown below:

Screen Shot 2019-05-10 at 4.22.04 PM.png

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-05-10 06:22 PM

> It seems to happen when it has been longer than about 1h after the latest install, if an installation is done in 20-30 minutes since the last one we don´t seem to get the issue.

Whenever I hear about odd timing issues such as these, I tend to suspect SecureXL because it has its own separate rules about connection timers and such.  Try disabling SecureXL (fwaccel off) then start new VDI connections (very important as only new connections are not accelerated after running fwaccel off in R80.20 and later) then install policy after an hour or two and see if the new connections started since SecureXL was disabled are affected.

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Svante_Oskarsso
Participant
‎2019-05-13 03:56 AM
In response to Timothy_Hall

"keep connections open" is not an option for us since we want to get the new policy enforced on all connections.

I opened a case with CheckPoint and it is the new design of SecureXL that caused this since a queue went full and then packets were dropped. We could see "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn" in var/log/messages

This is resolved with a hotfix provided from CheckPoint, more about the cause and solution in sk148432.
Hope this HF will be included in upcoming Jumbos.. 

Regards
Svante

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top