mickkel2179
Contributor

SecureXL and SSH

We migrated to a pair of 16Ks running VSX. When we created the new VS and launched it successfully, everything works fine except for one issue: a user can't SSH to his server when SecureXL is enabled. When it's disabled (fwaccel off), it works and they can SSH. MTU is currently set to 1500.

6 Replies
AaronCP
Advisor

Hey @mickkel2179,

You can bypass SecureXL for specific connections or ports by following SK104468 

I know this doesn't address the underlying issue, but may act as a temporary workaround whilst you troubleshoot the problem.

mickkel2179
Contributor

Hey Aaron,

Thanks for the response, really appreciate it! The client has too many IPs to list in order to use this feature. Right now we have a ticket in with R&D... let's see how that unravels.

the_rock
Legend

I agree with @AaronCP, but as you said, if there are too many IP addresses, then see what R&D says.

Chris_Atkinson
Employee

Which version & JHF is used?

If disabling SecureXL resolves a symptom, it's typically a bug and needs to be investigated with TAC.

CCSM R77/R80/ELITE
mickkel2179
Contributor

Hey Chris,

 The client is on 81.10 335 build and JHF Take 66

PhoneBoy
Admin

You can disable SecureXL (or more accurately prevent templating) for a specific service.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
Specifically, you'll add the SSH port (22) to the tcp_f2f_ports table. 

However, as stated by others on this thread, if disabling SecureXL "solves" a problem, it's likely a bug and the TAC should be engaged.
