Hello Jignesh,

Thanks a lot for your reply. Actually my customer has his firewall modules running over Solaris boxes, not Nokias, but although those are very robust machines, they are also kind of old already. I'm actually waiting for my customer to provide me with details regarding the actual features (CPU, RAM, etc.), as well as the exact level of OS version and patches, but from what you have described, most likely those machines are actually short on memory for what NGX requires and they have a kind of long and complicated configuration, which most likely is making things worse.

I'll wait and see what comes out after checking those hardware features and I will post here anything I find.

Thanks again.

Regards

On 8/21/06, Jignesh Joshi <[EMAIL PROTECTED]> wrote:
Hi,

I faced the same issue in our environment. We have also upgraded our Smart center console to NGX on Windows 2003 server, and we have Nokia IP 300 series in Cluster High Availability. We had opened a ticket with Checkpoint and Nokia but did not receive any proper answer. Nokia came back to us saying that you have too many NAT rules and the database size is big, but that is not true: we tried a fresh setup with minimum objects and rules and we faced the same problem.

After proper troubleshooting we have come to the conclusion that Nokia IP 330, 350 and 530 series have a problem with Checkpoint NGX. Nokia has recommended us to upgrade memory, but most of the IP 300 series boxes can't be upgraded to more than 512 MB. We have a Nokia IP 380 at one of our gateways; there we have upgraded memory to 1 GB and it's working fine.

Regards,
Jignesh Joshi
ITIMD
Tel # 2829-1454 ext 5290
Link Line ext: 601-397

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
Sent: Saturday, August 19, 2006 6:17 AM
To: [email protected]
Subject: [FW-1] Problems with ARP and CPU usage after R60HFA03 upgrade

Hello,

I currently have a customer with a HA (active/standby) pair of fw modules running over Solaris 9 and his Smartcenter running over Windows 2003 Server. About 3 months ago we upgraded all that from R55 HFA18 to R60 HFA03 and everything seemed OK for quite a while.

After that upgrade my customer started having connectivity issues from time to time with a third party that connects with them via one of their DMZ interfaces. They worked on the issue but never found anything they could consider a problem with the cluster, so they had always blamed the other guys, but recently they found out that every time they install the CheckPoint security policy, both firewall modules get their CPU usage all the way to 100% (even the one in standby mode).
This situation led to an investigation and gathering of data from both machines at a platform level, and today they found logs on both machines like this:

    Proxy ARP problem? Hardware Address "XX:XX:XX:XX:XX:XX" thinks it is YY.YY.YY.YY

Where XX.XX... is the MAC address of the machine that was in standby at the moment and YY.YY.... any of the IP addresses the firewall is supposed to put on the ARP table because it is used on any of the automatic NAT rules. Remember these logs were seen at the Solaris platform level in both firewall modules. Check Point logs show nothing we could relate to these incidents, and the time stamps of the logs seem to indicate these events started occurring from time to time after the R60 HFA03 upgrade.

The first important detail here is that several switches between active and standby states occurred for no apparent reason, although it does not seem to happen very often and it is still difficult to relate in time those events with the connectivity failures. The second interesting detail here is that at some point whichever module was running in standby mode attempted to put entries in the ARP table with its MAC address.

Something else my customer reported, and I'm not quite sure if it is related or not with all these issues, is that on the CheckPoint logs he sees that from time to time a single log originated by whichever module is in standby mode shows it made a blocking (valid according to the policy), but less than a second later, again the active module continues generating the rest of the logs. It is like for less than a second the standby module processed traffic and then returned to its standby state. I'm saying that I'm not sure if it is related with the other issues because I have never noticed such behavior before on a HA environment, but it could be considered normal by someone else.
Sounds to me the high CPU usage and the ARP issues could be related with some sort of bug, as none of them was experienced by my customer before migrating from R55 to R60 HFA03, but does anybody know anything about that? I would really appreciate any help with this as SecureKnowledge has not been very helpful so far.

Regards

--
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
--
Sergio Alvarez
(506)8301342
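
An added example, not part of the original thread or of any Check Point or Solaris tooling: a small script that tallies the "Proxy ARP problem?" messages quoted above per NAT address, separates claims made by a cluster peer from claims by an unknown MAC, and counts how many fall close to a policy installation. The syslog prefix, host names, MAC and IP addresses, and the policy install time are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text follows the form quoted in the thread; the timestamp/host
# prefix is an assumed syslog layout.
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?'
    r'Proxy ARP problem\?\s+Hardware [Aa]ddress ["\'](?P<mac>[0-9A-Fa-f:]{11,17})["\']'
    r' thinks it is (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')

# Constructed sample log: hosts, MACs and addresses are placeholders.
SAMPLE = '''\
Aug 18 10:02:11 fw-a ip: WARNING: IP: Proxy ARP problem? Hardware Address "02:00:00:00:00:0b" thinks it is 192.0.2.10
Aug 18 10:02:12 fw-a ip: WARNING: IP: Proxy ARP problem? Hardware Address "02:00:00:00:00:0b" thinks it is 192.0.2.11
Aug 18 14:30:45 fw-b ip: WARNING: IP: Proxy ARP problem? Hardware Address "02:00:00:00:00:0a" thinks it is 192.0.2.10
Aug 18 14:31:00 fw-b sshd[411]: Accepted publickey for admin
Aug 19 03:15:09 fw-a ip: WARNING: IP: Proxy ARP problem? Hardware Address "02:00:00:00:00:99" thinks it is 192.0.2.10
'''

# Hypothetical inventory: cluster member MACs and known policy install times.
CLUSTER = {"02:00:00:00:00:0a": "fw-a", "02:00:00:00:00:0b": "fw-b"}
POLICY_INSTALLS = [datetime(2006, 8, 18, 10, 2, 0)]

def parse(text, year=2006):
    """Return (timestamp, reporting host, claiming MAC, claimed IP) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["mac"].lower(), m["ip"]))
    return events

def summarize(events, cluster=CLUSTER, installs=POLICY_INSTALLS,
              window=timedelta(minutes=2)):
    """Per claimed IP: claims by cluster peers, by foreign MACs, and near an install."""
    report = defaultdict(lambda: {"peer": 0, "foreign": 0, "near_install": 0})
    for ts, host, mac, ip in events:
        row = report[ip]
        row["peer" if mac in cluster else "foreign"] += 1
        if any(abs(ts - t) <= window for t in installs):
            row["near_install"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, row in sorted(summarize(parse(SAMPLE)).items()):
        print(ip, row)
```

Peer claims clustered around policy installs point at the HA pair itself, while a foreign MAC claiming a NAT address is a separate problem worth investigating on the segment.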
