Nandhu
Participant

Excessive traffic between digicert IP's and checkpoint gateway

We are working on an issue with one of our remote offices. The site has two 5600 appliances in a cluster. The issue is a sudden spike of traffic from the Check Point gateway's external interface talking out to DigiCert over port 80. The return traffic tends to be excessive enough to cause the Cisco edge switch to start dropping packets. This causes the SSL VPN to go down, causing disconnections for the remote workforce out there.

Not really sure why the gateway would be receiving so much traffic from DigiCert. Anyone seen this behavior before?

7 Replies
PhoneBoy
Admin

If you have HTTPS Inspection enabled and/or the gateway is R80.40, I suspect it’s because we are validating certificates in flight.
That is done out-of-band.

0 Kudos
Nandhu
Participant

Hello Dameon,

No HTTPS inspection and running 80.10. It looks like the IP resolves to ocsp.digicert.com.

So I am guessing this is something going wrong with OCSP every few hours. The issue lasts for about 5 to 10 minutes before going away. It seems to happen approximately every 4 hours but sometimes misses the 4 hour mark.

Regards,

Nandhu

0 Kudos
PhoneBoy
Admin

That’s definitely CRL validation.
I recommend a TAC case to assist in investigation.

0 Kudos
Wolfgang
Authority

Are you sure the traffic source is your gateway and not something behind it on the internal network that is being NATed?

Maybe some suspicious clients are doing excessive CRL validations.

Wolfgang

Nandhu
Participant

Hello Dameon and Wolfgang,

We are looking at some of the automation scripts that the QA teams use. But the timing of their requests and traffic on the firewall does not match up.

We do have a TAC case open and I am in the process of collecting debugs.

Nandhu

0 Kudos
krit
Participant

Dear Nandhu,

How did it go with this case? We face something similar here, yet it seems that the connection is initiated by the firewall itself and not something internal and NATted to it, because of the curl_cli that is related.

[Expert@fw1:0]# lsof -n -i :80
COMMAND    PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
curl_cli  2343  admin   10u  IPv4 33694501       TCP <fwIP>:47426->93.184.220.29:http (ESTABLISHED) ( ---> ocsp.digicert.com )

Any updates regarding this?

Thank you.

Best Regards,

0 Kudos
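A small parser for the `lsof -n -i :80` output shown in the post above, added here as an example and not part of krit's post or any Check Point tool. Every socket lsof lists is owned by a process on the gateway itself, which is what makes the curl_cli entry evidence that the gateway, not a NATed internal client, opened the connection; the sample output, the 192.0.2.10 local address and the spike timestamps are constructed, the responder address is the one quoted in the thread.

```python
"""Summarise `lsof -n -i :80` output captured in a gateway's expert shell by
process and remote endpoint, and measure the gap between traffic spikes."""
import re
from collections import Counter
from datetime import datetime

# NAME column of an lsof TCP entry: <local>:<port>-><remote>:<port> (STATE)
NAME_RE = re.compile(
    r"(?P<lhost>\S+):(?P<lport>\w+)->(?P<rhost>[^:\s]+):(?P<rport>\w+)\s+\((?P<state>\w+)\)")

# Constructed sample; 192.0.2.10 and the httpd line are placeholders,
# 93.184.220.29 is the OCSP responder address quoted in the thread.
SAMPLE_LSOF = """\
COMMAND    PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
curl_cli  2343  admin   10u  IPv4 33694501       TCP 192.0.2.10:47426->93.184.220.29:http (ESTABLISHED)
curl_cli  2351  admin   10u  IPv4 33694522       TCP 192.0.2.10:47431->93.184.220.29:http (ESTABLISHED)
curl_cli  2358  admin   10u  IPv4 33694540       TCP 192.0.2.10:47437->93.184.220.29:http (SYN_SENT)
httpd     1120  admin    4u  IPv4    12345       TCP *:http (LISTEN)
"""

def parse_lsof(text):
    """Return (command, pid, user, remote_host, remote_port, state) for every
    line describing a TCP connection; the header and LISTEN sockets are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        m = NAME_RE.search(line)
        if len(parts) < 3 or not m:
            continue
        rows.append((parts[0], int(parts[1]), parts[2], m["rhost"], m["rport"], m["state"]))
    return rows

def connections_by_process(rows):
    """Count connections per (command, remote endpoint) to see which local
    process is generating the port 80 traffic."""
    return Counter((cmd, f"{rhost}:{rport}") for cmd, _, _, rhost, rport, _ in rows)

def established_to(rows, remote_host):
    """PIDs holding an ESTABLISHED connection to remote_host (e.g. the OCSP responder)."""
    return sorted(pid for _, pid, _, rhost, _, state in rows
                  if rhost == remote_host and state == "ESTABLISHED")

def spike_gaps_hours(timestamps):
    """Gaps in hours between successive spike start times (ISO 8601 strings),
    to check whether spikes recur on a schedule such as roughly every 4 hours."""
    times = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    rows = parse_lsof(SAMPLE_LSOF)
    for (cmd, remote), n in connections_by_process(rows).most_common():
        print(f"{cmd:<10} {remote:<24} {n}")
    print("established to OCSP:", established_to(rows, "93.184.220.29"))
    print(spike_gaps_hours(["2020-05-01T02:05", "2020-05-01T06:10", "2020-05-01T10:03"]))
```

Run it against real output by replacing SAMPLE_LSOF with the captured text; repeated captures during a spike show whether the count of curl_cli sockets to the responder climbs with it.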
Nandhu
Participant

Good Morning,

We pulled the DigiCert certs from the firewall, followed by a jumbo and reboot. Seems to have cleared out the issue on our end. We added back the cert for one of our SSL VPN firewalls and are not seeing the behavior anymore.

The problem now is that we do not know which of the 3 things we did solved the issue. I wish I could have been more helpful.

Regards,

Nandhu

0 Kudos