MarcuzShinz
Contributor

Traffic sync between 2 AIX servers is slow when handled by checkpoint 9400

Dear Guys,

Have a nice day!

We are currently deploying Check Point 9400 and encountering issues with the synchronization traffic of AIX servers. These servers synchronize using the ssh_v2 service. Let me describe the previous situation:

  1. Previously, the customer used Check Point 4800 with only the Firewall Blade enabled. They had two systems in DC and DR, each containing AIX servers that synchronized data daily. When this traffic was processed by Check Point 4800, it reached approximately 200Mb/s.
  2. After replacing Check Point 4800 with Check Point 9400, also with only the Firewall Blade enabled, the synchronization traffic between AIX servers across the DC and DR sites dropped to 20~30Mb/s.

Has anyone encountered this issue before? Please see the image attached.

0 Kudos
6 Replies
PhoneBoy
Admin

What was the version running on the 4800 versus what is running on the 9400?
Sounds like the traffic might be hitting F2F path for some reason.
You might try to use fast_accel to ensure the flow is accelerated: https://support.checkpoint.com/results/sk/sk156672

0 Kudos
MarcuzShinz
Contributor

Dear PhoneBoy,

Version on cp4800 is R77.30, on cp9400 is R81.20.

I have checked on the cp4800 with the command fwaccel stat; SecureXL stopped at the first rule.

0 Kudos
G_W_Albrecht
Legend

Open an SR# with CP TAC to get this resolved ASAP.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
MarcuzShinz
Contributor

Sure, I opened a case with TAC, but they respond very slowly; after two weeks they still cannot resolve the issue.

0 Kudos
Chris_Atkinson
Employee

When SecureXL works in the User Mode (UPPAK), the Security Gateway performance for the Slow Path traffic (F2F) is lower compared to the Kernel Mode (KPPAK).

Suggest ensuring the policy is constructed / optimized in a manner to avoid scenarios impacting SecureXL.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Legend

We need to know what path your replication connection is operating in.  Start a replication connection and make sure it is alive by running fw ctl multik gconn.  If you can't see the connection here it is not alive.

Next run the following while the connection is alive:

fw tab -t connections -z

fwaccel conns

netstat -ni

If you see the replication connection in the output of the first command, the traffic is slowpath and a reason will be provided.  fast_accel will not work for this traffic.

If you can't find the connection in the output of the first command, it will be shown by the second one, which means medium path or fastpath.

Please post the output of wherever you find the connection, along with the third command.  If fwaccel stat is complaining about stopping on rule #1 it is referring to accept templating, which has nothing to do with which path the connection ends up in.  With just the firewall blade enabled it should be fastpath, but Core Activations & Inspection Settings can interfere with this.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
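An added helper (not from this thread or from Check Point) that wraps the check described in the reply above: it saves the output of the listed commands on the gateway and reports whether the replication hosts show up in the slowpath table or in the SecureXL table. It assumes the two hosts' IPv4 addresses appear in dotted-decimal form on one line in the output of "fw tab -t connections -z" and "fwaccel conns"; if your version prints them in another form, adjust the grep pattern.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling. The classification logic is
# format-agnostic: it only looks for both host addresses on the same line.

# classify_path SRC DST SLOWPATH_FILE ACCEL_FILE
# SLOWPATH_FILE holds the output of "fw tab -t connections -z",
# ACCEL_FILE holds the output of "fwaccel conns".
# Prints: slowpath | accelerated | not_found
classify_path() {
    src="$1"; dst="$2"; slow="$3"; accel="$4"
    # match the pair in either direction (assumption: dotted-decimal IPs)
    pat="(${src}.*${dst}|${dst}.*${src})"
    if grep -Eq "$pat" "$slow"; then
        # listed by the slowpath command: F2F, reason is on that line
        echo slowpath
    elif grep -Eq "$pat" "$accel"; then
        # listed only by SecureXL: medium path or fastpath
        echo accelerated
    else
        # not alive on this gateway (also check "fw ctl multik gconn")
        echo not_found
    fi
}

# collect_and_classify SRC DST OUTDIR
# Runs the commands from the reply on the gateway while the replication
# connection is alive, keeps the raw output for posting, then classifies.
collect_and_classify() {
    dir="$3"; mkdir -p "$dir"
    fw ctl multik gconn        > "$dir/gconn.txt"    2>&1
    fw tab -t connections -z   > "$dir/slowpath.txt" 2>&1
    fwaccel conns              > "$dir/accel.txt"    2>&1
    netstat -ni                > "$dir/netstat.txt"  2>&1
    classify_path "$1" "$2" "$dir/slowpath.txt" "$dir/accel.txt"
}
```

Run collect_and_classify with the DC and DR AIX addresses on the gateway during a sync; the files in OUTDIR are what the reply asks to be posted.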