Were facing a strange problem on our VSX Gateways. Maybe some of you also faced the same problem and found a way to deal with it.
We are using a 13xxx appliance running on Gaia 77.30 with take 292. We are using HTTPS Inspection with IPS on a specific VS and host a website behind the VSX gateway which are protected via Inbound HTTPS Inspection + IPS.
To test the performance and response times of the website (with both blades enabled) we are using a bench testing tool that simulates 10 concurrent connections per second to the specific website.
While running the tool for about 3 hours we experiencing a lot of SSL handshake errors (525) at random moments. We discovered that if we disabled IPS we are not seeing this behavior. So our thoughts was that it had something to do with performance problems.
After some discussion with Check Point TAC we tweaked our IPS policy to better reflect our specific situation so only the relevant signatures are active. While monitoring the specific VS with top & cpview i don't think this problem is performance related.
Also a 13xxx is a 40 core system which we configured in a way that the relevant VS has 8 cores assigned to it.
My suspicion is that is has something to do with the user mode processes running under the VS0 context but my knowledge regarding VSX is not as good as it is in a distributed environment. As of my understanding because we use R77.30 on our Gateways, the Virtual Systems configured are 32-Bit and not 64-Bit am i correct?
Only VS0 runs under 64-Bit and is able to run 64-Bit processes.
Also with HTTPS inspection some processes are running in 64-Bit mode which means they can only run under the VS0 context right?
We are focusing on the problematic VS right now but i have my questions with that. Maybe some of you guys could point me in the right direction troubleshooting this problem.