Hello List,

I wanted to add some extra info I got from my customer. As explained, all
his firewall modules run over Solaris boxes and I'm concerned with the
possibility of those machines getting short in resources for what R60 HFA03
requires since all problems started right after we upgraded from R55 HFA18.
During normal operation and handling regular network traffic, CPU and memory
don't seem to run high at all, but when installing the CP policy, CPU goes
all the way to 100%.
This is info obtained from the machines (they are identical):

uname -a
SunOS XXXX 5.9 Generic_118558-17 sun4u sparc SUNW,Ultra-250

[EMAIL PROTECTED]:/#cat /etc/release
                       Solaris 9 9/02 s9s_u1wos_08b SPARC
          Copyright 2002 Sun Microsystems, Inc.  All Rights Reserved.
                       Use is subject to license terms.
                           Assembled 09 August 2002

[EMAIL PROTECTED]:/#psrinfo -v
Status of processor 0 as of: 08/24/2006 16:40:27
 Processor has been on-line since 05/04/2006 17:45:07.
 The sparcv9 processor operates at 400 MHz,
       and has a sparcv9 floating point processor.

[EMAIL PROTECTED]:/#prtconf
System Configuration:  Sun Microsystems  sun4u
Memory size: 512 Megabytes
System Peripherals (Software Nodes):

I believe these features should be enough to cover minimal requirements, but
this customer has a configuration with around 360 rules and 740 objects,
which I would not consider a minimal installation.
Could anybody tell me if maybe those machines should be replaced for
something newer or if there is documentation anywhere where I could find
information to determine that?

Thanks a lot in advance.

Regards

On 8/21/06, Sergio Alvarez <[EMAIL PROTECTED]> wrote:

Hello Jignesh,

Thanks a lot for your reply.
Actually my customer has his firewall modules running over Solaris boxes,
not Nokias, but although those are very robust machines, they are also kind
of old already, I'm actually waiting for my customer to provide me with
details regarding the actual features (CPU, RAM, etc), as well as the exact
level of OS version and patches, but for what you have described, most
likely those machines are actually short in memory for what NGX requires and
they have a kind of long and complicated configuration, which most likely
are making things worse.

I'll wait and see what comes out after checking those hardware features
and I will post here anything I find.

Thanks again.

Regards


On 8/21/06, Jignesh Joshi <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I had faced same issue in our environment, we have also upgraded our
> Smart center console to NGX on Windows 2003 server, we have Nokia IP 300
> series in Cluster High Availability. We had opened ticket with Checkpoint
> and Nokia but did not receive any proper answer, Nokia came back to us
> saying that you have too many NAT rules and database size is big but that
> is not true we have tried fresh setup with minimum object and rules we
> faced same problem.
>
> After proper troubleshooting we have come to conclusion that Nokia IP
> 330,350 and 530 series have problem with Checkpoint NGX. Nokia has
> recommended us to upgrade memory but most of the IP 300 series box can't
> be upgraded more than 512 MB. We have Nokia IP 380 at one of our Gateway
> there we have upgraded memory to 1 GB and it's working fine.
>
> Regards,
>
> Jignesh Joshi
> ITIMD
> Tel # 2829-1454 ext 5290
> Link Line ext: 601-397
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
> Sent: Saturday, August 19, 2006 6:17 AM
> To: [email protected]
> Subject: [FW-1] Problems with ARP and CPU usage after R60HFA03 upgrade
>
> Hello,
>
> I currently have a customer with a HA (active/standby) pair of fw modules
> running over Solaris 9 and his Smartcenter running over Windows 2003
> Server. About 3 months ago we upgraded all that from R55 HFA18 to R60 HFA03
> and everything seemed ok for quite a while. After that upgrade my customer
> started having connectivity issues from time to time, with a third party
> that connects with them via one of their DMZ interfaces, they worked on the
> issue but never found anything they could consider a problem with the
> cluster, so they had always blamed the other guys, but recently they found
> out that every time they install the CheckPoint security policy, both
> firewall modules get their CPU usage all the way to 100% (even the one in
> standby mode). This situation led to an investigation and gathering of data
> from both machines at a platform level, and today they found logs on both
> machines like this:
>
> Proxy ARP problem? Hardware Address "XX:XX:XX:XX:XX:XX" thinks it is
> YY.YY.YY.YY
>
> Where XX.XX... is the MAC address of the machine that was in standby at the
> moment and YY.YY... is any of the IP addresses the firewall is supposed to
> put on the ARP table because it is used on any of the automatic NAT rules.
>
> Remember these logs were seen at the Solaris platform level in both
> firewall modules, Check Point logs show nothing we could relate to these
> incidents and the time stamps of the logs seem to indicate these events
> started occurring from time to time after the R60 HFA03 upgrade.
>
> The first important detail here is that several switches between active and
> standby states occurred for no apparent reason, although it does not seem
> to happen very often and it is still difficult to relate in time those
> events with the connectivity failures. The second interesting detail here
> is that at some point whichever module was running in standby mode
> attempted to put entries in the ARP table with its MAC address.
>
> Something else my customer reported and I'm not quite sure if it is related
> or not with all these issues, is that on the CheckPoint logs he sees that
> from time to time a single log originated by whichever module is in standby
> mode, shows it made a blocking (valid according to the policy), but less
> than a second later, again the active module continues generating the rest
> of the logs, it is like for less than a second the standby module processed
> traffic and then returned to its standby state. I'm saying that I'm not
> sure if it is related with the other issues because I have never noticed
> such behavior before on a HA environment but it could be considered normal
> by someone else.
>
> Sounds to me the high CPU usage and the ARP issues could be related with
> some sort of bug, as none of them was experienced by my customer before
> migrating from R55 to R60 HFA03, but does anybody know anything about that?
>
> I would really appreciate any help with this as SecureKnowledge has not
> been very helpful so far.
>
> Regards
>
> --
> Sergio Alvarez
> (506)8301342
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================


--
Sergio Alvarez
(506)8301342




--
Sergio Alvarez
(506)8301342
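
The Solaris warning quoted in the original post can be tallied per NAT address to show which MAC claimed each IP and whether that MAC belongs to a cluster member or to an unknown device. This is an added example, not part of the thread; the member names, MAC addresses, IPs and syslog prefix in the sample are constructed.

```python
import re
from collections import defaultdict

# Message text as quoted in the thread; quoting style is matched loosely.
ARP_RE = re.compile(
    r"Proxy ARP problem\?\s+Hardware Address\s+[\"']?"
    r"(?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})[\"']?\s+"
    r"thinks it is\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Pad octets: Solaris prints 0:3:ba:... rather than 00:03:ba:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def summarize(lines, cluster_macs):
    """Group warnings by claimed IP; label each claiming MAC as a member or unknown."""
    peers = {norm_mac(m): name for name, m in cluster_macs.items()}
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        mac = norm_mac(m.group("mac"))
        owner = peers.get(mac, "unknown")
        report[m.group("ip")][(mac, owner)] += 1
    return {ip: dict(claims) for ip, claims in report.items()}

# Constructed sample: names, MACs (documentation range) and IPs are made up.
CLUSTER = {"fw-a": "00:00:5e:00:53:0a", "fw-b": "00:00:5e:00:53:0b"}
SAMPLE_LOG = """\
Aug 24 16:41:02 fw-a Proxy ARP problem? Hardware Address "0:0:5e:0:53:b" thinks it is 192.0.2.10
Aug 24 16:41:02 fw-a Proxy ARP problem? Hardware Address "0:0:5e:0:53:b" thinks it is 192.0.2.11
Aug 24 16:55:40 fw-a Proxy ARP problem? Hardware Address "0:0:5e:0:53:b" thinks it is 192.0.2.10
Aug 24 17:02:13 fw-a Proxy ARP problem? Hardware Address "0:0:5e:0:53:c7" thinks it is 192.0.2.10
Aug 24 17:03:00 fw-a in.routed[210]: unrelated line
""".splitlines()

if __name__ == "__main__":
    for ip, claims in sorted(summarize(SAMPLE_LOG, CLUSTER).items()):
        for (mac, owner), count in sorted(claims.items()):
            print(f"{ip}  claimed by {mac} ({owner})  x{count}")
```

A claim from the cluster peer matches the behaviour described in the thread, while a claim labelled unknown points to a different device answering for a NAT address.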
