I installed NGx R60 with HFA_04 on a Nokia IP130 running IPSO 4.1 build 016.
This enforcement module is being managed by a SPLAT SmartCenter. I have two
VPN tunnels between the IP130 and two Cisco devices, a VPN concentrator and a
PIX firewall. The only traffic going through the tunnel is ICMP. I have a
continuous ping going through the tunnel for testing purposes. By the way, I
have a very small policy with less than 4 rules including the VPN rules.
The problem is that every time I make changes to the policy and push it to the
Nokia enforcement module, I keep getting errors telling me that the resource
is not available to accept the policy and it is timing out. This happens about
70% of the time. Even when the policy is successfully installed, my ping is
timing out for about 30 seconds before resuming. I checked the CPU status on
the Nokia via "vmstat 1" and the CPU is maxing out at 100% utilization. WTF!
Now if I am running Check Point on the Nokia as a standalone firewall, it gets
worse. Every time I have to push the policy, it takes about 10 minutes for the
policy to get pushed, and if I even have active VPN tunnels, even without
traffic, the policy install will fail.
I looked on the Nokia site and it stated that IPSO 4.1 is supported on the
IP130 platform. I think Nokia should be honest and inform end users that the
performance will be very poor when you have VPN, even with little or no
traffic at all, if one decides to run Check Point NGx on an IP130 appliance.
I tested the IP130 with IPSO 3.7.1 and NG with AI R55w and the performance is
about 20 times faster than NGx. My VPN tunnels still work during the policy
push.
I guess what I am trying to say here is that whatever a Nokia SE or TAC is
telling you, take it with a grain of salt. Just because it will work with NGx
does not mean it will work well.
cisco4ng