I will toss in my 2 cents here, but let's see what @Chris_Atkinson will give you...
1) I find this to be a bit of a grey area...personally, I would only worry about latency if users are complaining.
2) Yes, there are logs you can look at...if you navigate to $FWDIR/log dir, there are ike.elg and vpnd.elg* files that would give you that information.
Hi,
was debugging an issue with a (1430) gateway recently which was uplinked through a satellite. Latency of around 1000 ms.
I was just wondering, is it somewhere documented what the max latency is which is allowed?
Also in this case, we noticed the tunnel between the gateway and the management server sometimes going from green to red. But it was unclear how many times this happened, and how long this lasted every time. Is this logged somewhere?
Not aware this is documented anywhere, but that sounds pretty bad latency. Did it just start happening recently? Is it locally managed or central? Can you check to see if there are any relevant system / traffic logs related to this?
Can you please share some specifics of the issue that you were investigating?
Certainly from a user experience perspective where cloud services are involved it's reasonable that this latency could adversely impact the user experience somewhat and perhaps some tailored tuning may be required.
Actually the problem was put in our queue as following. There was a 1430 gateway (centrally managed) which basically did nothing else than provide internet access for some different vlans. The site was a joint-venture and thus at that moment no tunnels were active between the gateway and the corporate headoffice. Only the sic trust was established. Then came the request to have one specific server sync to a server at the corporate headoffice. So we had to add some rules, add gateway to vpn domain, etc... However we never could get the tunnel stable. Yesterday evening we actually reset the sic trust. Since then the situation seems to have improved. When I looked this morning the tunnel was still up, and the sync between the two servers was still working. So we 'might' have solved the issue by resetting the sic. But unfortunately I haven't had the time to keep an eye on it today. So hence my questions out of curiosity:
1. is there a certain latency where we could say, if you have this you can basically forget to ever have a stable tunnel...
2. is there a logfile where we can trace back when the tunnel between the gateway and headoffice goes down or up (basically the alternative for smartconsole showing me the green and red status)? I can ping the public ip of the gateway using a tool like prtg for example, and I could perhaps also write something which tests the sync status between the servers (although that is basically somebody else's job) but I would suspect something basic like this could be traced in a log on the CP management server for example?
From a VPN perspective this would just follow standard VPN troubleshooting e.g. verifying time settings e.g. NTP etc and working from there.
Presumably also the 1430 is running a recent version i.e. R77.20.87 build ??
This is available in the local security logs as well as on SMS - search VPN
You’re doing a VPN over a satellite link, correct?
Not aware of any specific issues with this.
You’ll probably need to troubleshoot this like any other VPN issue.
Had a look and can find a vpnd.elg but there's nothing interesting in there. Lots of:
Unable to open '/vs7/dev/fw6v0': Connection refused
No ike.log. I'm guessing these only get filled when debugging is enabled?
It's actually ike.elg...they rotate when you do vpn debug trunc command. So run vpn debug ikeon, generate traffic, then vpn debug ikeoff