William,

I think you should step down a bit and do some basic analysis. Sometimes we look too high for the bad problem and overlook the obvious.

Check patches, configs, etc. on the systems.
Check the network and make sure everything is as you _assume_ it to be.
Check for half duplex/full duplex issues.
Check network speeds - it really stinks to find that one of your primary net connections is at a lower speed (10Mb) when you thought you were completely 1Gb.

Do this from end to end - pick one of your users and step all the way through to the fw.

Best of Luck!

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987
email: [EMAIL PROTECTED]

>>> William J Husler <[EMAIL PROTECTED]> 7/18/00 1:03:52 AM >>>
>
>I checked. We have two processors and 1GB RAM in this box. SAR indicates
>that we are using 60% or less, but throughput still sucks and we have
>occasional packet loss. The packet loss is not predictable or reliably
>reproducible. None of our other firewalls are exhibiting these problems, but
>then each firewall implementation serves a different purpose. The problem
>box is one of two similarly configured boxes that we have tried for this
>implementation. Both exhibit the same problem.
>Bill
>
>> From: "Scheidel, Greg" <[EMAIL PROTECTED]>
>> Date: Mon, 17 Jul 2000 10:13:24 -0400
>> To: 'William J Husler' <[EMAIL PROTECTED]>,
>> [EMAIL PROTECTED]
>> Subject: RE: [FW1] too many interfaces (was: Large number of Static Routes)
>> on a Sun box
>>
>> We had performance problems on a Sun box running two QFE cards until we
>> upgraded to two processors and 1GB RAM. Our hardware guy said this was a
>> known issue with the CPU getting pinned trying to handle the requests from
>> the QFE cards. Sorry I don't have more details.
>>
>> Greg S.
>>
>> -----Original Message-----
>> From: William J Husler [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, July 17, 2000 2:28 AM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [FW1] too many interfaces (was: Large number of Static
>> Routes) on a Sun box
>>
>>
>> OK, so having eliminated a Large number of Routes, could it be a large
>> number of interfaces? This box also had two QFE cards (total of 8 100M
>> ethernet ports) and all ports are in use.
>> Bill
>>
>>> From: Mystery Guest <[EMAIL PROTECTED]>
>>> Date: Sun, 16 Jul 2000 21:49:56 -0700 (PDT)
>>> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>>> Subject: Re: [FW1] Large number of Static Routes on a Sun box
>>>
>>>
>>> At one point we were running with ~600-700 static routes (and that is with
>>> using route summarization) on our Sun U10 and we didn't notice any great
>>> problems. We got fed up with adding and deleting static routes that we
>>> changed the Sun box into a FW + router by adding gated. The biggest problem
>>> is identifying internal networks in rules. It sure would be nice if FW-1
>>> allowed rules to be put on interfaces or if it was smart enough to
>>> dynamically figure out what subnets are located internally so we didn't have
>>> to muck about with adding and deleting networks to the internal networks
>>> FW-1 group. <sigh>
>>>
>>> Cheers,
>>>
>>> ./CK
>>>
>>>
>>>> From: William J Husler <[EMAIL PROTECTED]>
>>>> Date: Sun, 16 Jul 2000 10:32:58 -0700
>>>>
>>>>
>>>> We have a firewall (FW-1 v4) running on a Sun ES450 that connects numerous
>>>> subsidiary networks. As a result of the divergent networks involved (as
>>>> well as address translation in some cases), we have added a number of static
>>>> network routes (and static host routes) to the firewall. We are currently
>>>> up to almost 200 lines in the routing table. This firewall is experiencing
>>>> through-put problems (at least everyone is pointing fingers at it) and the
>>>> vendor (Sun) tech support has stated that it could be caused by this large
>>>> number of static routes. Has anyone else experienced this scenario or have
>>>> experience with a large routing table on a Sun box? One comment I
>>>> particularly did not like was "It's not a router you know". Just what do
>>>> they think a firewall does anyway?
>>>> Bill

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
