512MB would help, but the bottleneck is definitely the CPU. I also forgot to mention in the last thread that SecureXL was enabled as well. The situation gets worse if the VPN tunnel uses AES-256/SHA/DH-5 and PFS. As you know, the Nokia onboard encryption card only supports 3DES. With AES, the encryption/decryption has to be done by the CPU. That takes the situation from bad to worse.

The bottom line is that Nokia should have excluded the IP130 from the list for IPSO 4.1. I do not see IP650 on the list and the IP650 platform has at least 450MHz PII and 700MHz CPU between the low and high end, respectively.

cisco4ng

Christian Chiaverini <[EMAIL PROTECTED]> wrote:

300MHz and 256MB RAM, I wouldn't expect much from it. Try turning on SecureXL.

As per Nokia:

Supported Platforms: You can run IPSO 4.1 and an application on the following Nokia IP security platforms: IP130, IP260, IP265, IP350, IP355, IP380, IP385, IP390 (disk-based and flash-based), IP530, IP560 (disk-based and flash-based), IP710, IP740, IP1220 (disk-based and flash-based), IP1260 (disk-based and flash-based), IP2250, IP2255. For better performance, Nokia recommends that you have at least 256 MB of memory in your platform.

They should recommend 512MB.

Christian Chiaverini

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng
Sent: Friday, September 08, 2006 4:58 PM
To: [email protected]
Subject: [FW-1] Nokia IP130 is a piece of junk to run NGx

I installed NGx R60 with HFA_04 on a Nokia IP130 running IPSO 4.1 build 016. This enforcement module is being managed by a SPLAT SmartCenter. I have two VPN tunnels between the IP130 and two Cisco devices, a VPN concentrator and a PIX firewall. The only traffic going through the tunnel is ICMP. I have a continuous ping going through the tunnel for testing purposes. By the way, I have a very small policy with less than 4 rules including the VPN rules.

The problem is that every time I make changes to the policy and push it to the Nokia enforcement module, I keep getting errors telling me that resource is not available to accept the policy and it is timing out. This happens about 70% of the time. Even when the policy is successfully installed, my ping is timing out for about 30 seconds before resuming. I checked the CPU status on the Nokia via "vmstat 1" and the CPU is maxing out at 100% utilization. WTF!

Now if I am running the Checkpoint on the Nokia as a standalone firewall, it gets worse.
Every time I have to push the policy, it takes about 10 minutes for the policy to get pushed and if I even have active VPN tunnels, even without traffic, the policy install will fail.

I looked on the Nokia site and it stated that IPSO 4.1 is supported on the IP130 platform. I think Nokia should be honest and inform end users that the performance will be very poor when you have VPN, even with little or no traffic at all, if one decides to run Checkpoint NGx on an IP130 appliance.

I tested the IP130 with IPSO 3.7.1 and NG with AI R55w and the performance is about 20 times faster than NGx. My VPN tunnels still work during the policy push.

I guess what I am trying to say here is that whatever Nokia SE or TAC is telling you, take it with a grain of salt. Just because it will work with NGx does not mean it will work well.

cisco4ng

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
