Create a Post
Showing results for 
Search instead for 
Did you mean: 

SNX hangs at policy install

  We have an interesting situation here.  We have been using the SSL Network Extender (SNX) client with the Mobile Access Portal on our R80.20 cluster.  Clients report that their network applications (mostly RDP) hang for 60-180 seconds several times a day. In the case of RDP, the RDP client loses connection to the remote Windows PC and goes into recovery mode (trying to reconnect pop-up window for 2 to 5 reconnect periods).

  We have traced these "hangs" to policy installs on the firewall cluster.  And what users notice as one long hang is actually two shorter ones, one that happens as the active firewall starts to receive the push, and a second much shorter one that happens during the clean up phase of the push.  The issue is totally reproducible during policy push; it happens every time.

  Has anyone else seen anything like this?  Or is it normal and just live with it?  It's inconvenient, but not debilitating.

0 Kudos
4 Replies

Have you check this?


0 Kudos

  I have not;  I currently have rematch connections selected.

  Are there any repercussions that I need to be aware of that result from changing this setting?  Does it affect SmartEvent reactions in any way?

0 Kudos

Probably a good idea to review this SK:

One slight inaccuracy in the SK for R80.20+: a policy install in previous releases required flushing and rebuilding the SecureXL connections table which meant everything went F2F during a policy install.
This is not necessarily the case in R80.20+.

0 Kudos

Hi Dameon and all,

sk103598 is now updated. The following was added:

IPSO Flows / SecureXL connections table

During Policy installation, IPSO Flows / SecureXL connections table will be cleared and re-created, irrespective of connection persistence settings. This clearing and re-creating are very expensive depending on the active connections in the table at that point. Also, all the packets will be F2F (Forwarded to FireWall in slowpath) until IPSO flows are created again.


  • Since R80.20, the SecureXL connections table is not cleared during policy installation.
  • In addition, Check Point does not support IPSO in R80.10 and higher.


Thanks for reporting the issue.


0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events