This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maarten_Sjouw
Champion
Champion
‎2019-05-29 03:33 PM

12600 with VSX low on memory

Ran into a problem with the upgrade of a 12600 for a customer that was asked to assist. The setup of this customer was pretty simple, 2 management servers on R80.20 in HA. 2 x 12600 with R80.10 running VSX.

One piece of giveaway, one of the 12600's has 12GB memory the other (the backup) has 6GB memory

Now the challenge was to upgrade to R80.20 to be able to use the dynamic objects for Office 365.

So we start with the backup unit, there are 5 VS's and 55 virtual switches.

When done with the upgrade which went well (cpuse upgrade) we reboot the box and let it do it's things to see where we are I check with vsx stat -v and get a list of 39 problems like this:

Unable to open '/vs2/dev/fw0': Connection refused

Unable to open '/vs4/dev/fw0': Connection refused

Unable to open '/vs6/dev/fw0': Connection refused

Unable to open '/vs7/dev/fw0': Connection refused

Unable to open '/vs9/dev/fw0': Connection refused

Unable to open '/vs12/dev/fw0': Connection refused

Unable to open '/vs14/dev/fw0': Connection refused

On the console there were messages about SIC problems, we ended up doing a reinstall of the box with a USB stick and a clean R80.20, then ran a vsx_util reconfigure (after the base interface config) however the number of errors remains the same. Opened a TAC case, but nobody could find the cause of the messages and errors.

We decided to add more memory, so we sent 3 x 4GB onsite, but as the box has 2 physical CPU's it needs a even number of memory banks, so we put in 2 x 4GB to see if it would improve, it sure did, The number of problems went back to 20 with the added 2GB. 

One other thing that was bothering me was the 55 Virtual Switches. The engineer that helped this customer during the first setup told the customer to create a vSwitch for each VLAN they use...  🤔

All these switches ended up in 1 trunk port and terminated a VLAN, out of the 55 there were 19 vSwitches that had no connection to any VS, so I tried to delete 1 that was all ok in SmartConsole, this went ok and got removed from both boxes. I continued to remove all the ones that had no issues. After a reboot the box came back without any of the previous errors. Then I could remove the last couple of unused vSwitches. 

Then the local contact came back with 6 x 4GB DIMM's and put them all in, now the box is happily running with 24GB, why CP says it only supports 12 GB, I don't know.

 

We will see tomorrow that we upgrade the other box from R80.10 to R80.20 and also put more memory in them.

Regards, Maarten
0 Kudos
10 Replies
Maarten_Sjouw
Champion
Champion
‎2019-05-30 07:45 AM

Second box was upgraded without any problems at all. Customer decided not to upgrade the memory on that unit.
Regards, Maarten
0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-05-30 06:30 PM

Hi!

55 Virtual Switches definitely seems like a very ineffective architecture. There are two reasons to configure a Virtual Switch.

- When you want to share an interface/VLAN between several Virtual Systems

- When you want Virtual Systems to communicate directly (in this case no physical interface required for the VSW)

So, whoever told to create a virtual switch for every VLAN was wrong. 🙂 Especially if you have only 5 VSs, there is no reason that all VLANs would be shared between all VSs. If there was such a requirement, why to have a VSX in the first place. You could have simply used a security gateway with x number of VLAN-interfaces.

For the error you are seeing I'm not sure, but it could be related to the lack of memory. I've seen this error message before and reboot fixed it, so don't have the root cause.

Good luck!

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-05-31 06:42 AM
In response to Lari_Luoma

There were console messages about SIC and other errors in other places/moments.
I have added all the info into the case. I found in the end there were 36 vlan's used and out of them only 4 were used on multiple vs's.
So yeah there is a lot of work still to be done.
Regards, Maarten
0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-05-31 10:20 AM
In response to Maarten_Sjouw

Indeed, a lot of work. So those four VLANs would potentially require a VSW, but the rest no. 🙂

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-06-12 02:01 AM
In response to Lari_Luoma

I saw the same approach with someone else here on forums when we took discussion offline.. Virtual switch for each VLAN! And it came from partner or CP themselves.. Someone is spreading a lot of b*#¤%&t! Sorry for swearing 🙂 I thought it would have been one off case but obviously not..

G_W_Albrecht
MVP Silver
MVP Silver
‎2019-06-12 02:13 AM
In response to Kaspars_Zibarts

I also saw that live with a customer who was doing his own VSX design 😉 - only that vSwitches cost too much RAM he only found out later the hard way as some VSs could not work !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-12 02:34 AM
In response to G_W_Albrecht

Last week on the CPX NL I ran into a guy (from the same company that installed this system) who has one that has 200 V-Switches, he told me in the period this was installed there was a freelancer hired by the company, he had the advice to creata a switch for each VLAN, as you might run into the point that you need that VLAN on more than 1 VS.... 😞
Regards, Maarten
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-23 11:59 PM
In response to Maarten_Sjouw

To continue this story, last week I tried to install the ongoing take 80, due to some issues we saw that were resolved with take 80. On the system that now has 24GB no problems at all, but the system with 12GB (the max according the specs) out of the 40, 12 Virtual Systems/Switches did not come in the ready state. Reverted the system to Take 47 and turned of Priority Queuing, as this was one of the reasons to install Take 80.
Looked at memory usage for VSX in cpview, this shows a per VS (system and switch) usage of 750MB per vs with Take 47 and 825MB per VS in Take 80. Due to the total of 40 VS's this makes the 12GB box run out of memory while starting each VS.
Regards, Maarten
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-06-24 05:33 AM
In response to G_W_Albrecht

Today another colleague told me this was propagated by Check Point in those days.
Regards, Maarten
0 Kudos
Kenie634
Explorer
‎2019-06-12 10:06 PM

Customer decided not to upgrade the memory on that unit. Second box was upgraded without any problems at all. 

mcdvoice
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events