Various entities experience disconnections or high latency when connecting to the Security Gateway, and VPND consumes high CPU
Symptoms
  • Various entities experience disconnections or high latency when connecting to the Security Gateway using SSL/TLS on port 443, and VPND consumes high CPU. These entities include:
    • Remote Access clients
    • Identity Agent clients
    • User-Check portal clients
    • Mobile Access clients, including browsers and Capsule Workspace
    • Gaia Admin UI (when configured to work on port 443)

  • The $FWDIR/log/fwd.elg file on the VPN Security Gateway contains this message:
    "fwd: restarting vpnd"
    The message may appear more than once.

  • Output of the "top -H | grep vpnd" command on the VPN Security Gateway shows that only one thread of VPND is fully utilized while the rest of the threads are idle.
  • Output of the "ps auxw | grep vpnd" command on the VPN Security Gateway shows that the PID of the vpnd process changed compared to the PID before the issue occurred.
  • The $FWDIR/log/vpnd.elg file on the VPN Security Gateway contains "blocked handler" messages.
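The four indicators above can be checked together. The script below is an added example (not Check Point code) that parses the shape of "top -H | grep vpnd", "ps auxw | grep vpnd", fwd.elg and vpnd.elg output and reports whether they match this article's symptoms. All sample inputs are constructed to mimic those formats and were not captured from a real gateway; the "blocked handler" line in particular is only a placeholder for whatever vpnd.elg actually prints.

```python
"""Symptom triage for the vpnd single-thread saturation described above.

Added example, not Check Point code. Every sample input is constructed to mimic
the shape of `top -H | grep vpnd`, `ps auxw | grep vpnd`, $FWDIR/log/fwd.elg
and $FWDIR/log/vpnd.elg; none was captured from a real gateway.
"""

# Constructed `top -H | grep vpnd` sample: one thread saturated, the rest idle.
TOP_SAMPLE = """\
 4321 admin     20   0 1513m 312m  24m R 99.7  3.9  41:12.55 vpnd
 4322 admin     20   0 1513m 312m  24m S  0.3  3.9   0:02.10 vpnd
 4323 admin     20   0 1513m 312m  24m S  0.0  3.9   0:01.88 vpnd
 4324 admin     20   0 1513m 312m  24m S  0.0  3.9   0:01.91 vpnd
"""

# Constructed `ps auxw | grep vpnd` samples from before and after the incident.
PS_BEFORE = "admin     3980  1.2  3.9 1549312 319744 ?  Ssl  Mar11  12:03 vpnd\n"
PS_AFTER = "admin     4321 97.5  3.9 1549312 319744 ?  Rsl  10:01  41:12 vpnd\n"

# Constructed fwd.elg excerpt: the restart message appears twice.
FWD_ELG_SAMPLE = """\
[12 Mar 10:01:03] fwd: restarting vpnd
[12 Mar 10:01:04] fwd: vpnd started
[12 Mar 11:47:51] fwd: restarting vpnd
"""

# Constructed vpnd.elg excerpt; the real message format is not shown in the article.
VPND_ELG_SAMPLE = "[12 Mar 11:47:50] blocked handler (constructed sample line)\n"


def vpnd_thread_usage(top_output):
    """Per-thread %CPU of every vpnd thread in `top -H` output (9th column)."""
    usage = []
    for line in top_output.splitlines():
        fields = line.split()
        if len(fields) >= 12 and fields[-1] == "vpnd":
            usage.append(float(fields[8]))
    return usage


def one_thread_saturated(usage, hot=90.0, idle=5.0):
    """True when exactly one thread is >= `hot` and every other thread is < `idle`."""
    hot_count = sum(1 for u in usage if u >= hot)
    return (len(usage) > 1 and hot_count == 1
            and all(u < idle or u >= hot for u in usage))


def vpnd_pid(ps_output):
    """PID (2nd column) of the first vpnd entry in `ps auxw` output, or None."""
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) >= 11 and fields[-1] == "vpnd":
            return int(fields[1])
    return None


def count_restarts(fwd_elg):
    """Number of 'fwd: restarting vpnd' messages in an fwd.elg excerpt."""
    return sum(1 for line in fwd_elg.splitlines() if "fwd: restarting vpnd" in line)


def has_blocked_handler(vpnd_elg):
    """True when any vpnd.elg line carries the 'blocked handler' message."""
    return any("blocked handler" in line for line in vpnd_elg.splitlines())


def triage(top_output, ps_before, ps_after, fwd_elg, vpnd_elg):
    """Combine the four indicators from the article into one findings dict."""
    findings = {
        "single_thread_saturated": one_thread_saturated(vpnd_thread_usage(top_output)),
        "vpnd_restarts_logged": count_restarts(fwd_elg),
        "pid_changed": vpnd_pid(ps_before) != vpnd_pid(ps_after),
        "blocked_handler": has_blocked_handler(vpnd_elg),
    }
    findings["matches_sk_symptoms"] = all((
        findings["single_thread_saturated"],
        findings["vpnd_restarts_logged"] > 0,
        findings["pid_changed"],
        findings["blocked_handler"],
    ))
    return findings


if __name__ == "__main__":
    result = triage(TOP_SAMPLE, PS_BEFORE, PS_AFTER, FWD_ELG_SAMPLE, VPND_ELG_SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a gateway you would feed the functions the real command output (for example `top -b -n 1 -H | grep vpnd` captured to a file) rather than the constructed samples; the thresholds of 90% and 5% are assumptions chosen to separate "fully utilized" from "idle" and can be tuned.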
Cause
RSA signature calculations for ECDHE cipher suites are performed in a single vpnd thread instead of being distributed across all threads, so that one thread becomes fully utilized.


Solution

This problem was fixed. The fix is included in:

If you choose not to upgrade, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

Hotfix installation instructions:
Refer to sk168597 - How to install a Hotfix.

The solution causes RSA signature calculation for ECDHE cipher suites to be done in all vpnd threads in an equally distributed manner. This allows for scalability in the number of SSL handshakes with the Security Gateway portals.

As an immediate workaround, it is possible to disable the ECDHE ciphers until the fix is installed. Once the fix is installed, enable the ECDHE ciphers. See sk126613 - Cipher configuration tool for Security Gateways.

Workaround procedure:

  1. Connect to the command line on the Security Gateway (each Cluster Member).

  2. Log in to the Expert mode.

  3. Run:

    cipher_util

    This output appears:

    Which blade would you like to configure?
    
    (1)               Multi Portal
    (2)               SSL Inspection
    
  4. Enter 1 for the Multi Portal option.

    This output appears:

    Which list would you like to edit?
    
    (1)               TLS 1.2 Ciphers
    
  5. Enter 1 for the TLS 1.2 Ciphers option.

    This output appears:

    **********     Select Option     **********
    
    (1)               Print Configuration By Priority
    (2)               Enable Ciphers
    (3)               Disable Ciphers
    (4)               Re-Order Enabled Ciphers Priority
    
    (Q)               Quit
    
    *******************************************
    
  6. Enter 3 for the Disable Ciphers option.

    This output appears:

    Enabled:
    
    (1) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    (2) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (3) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    (4) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (5) TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    (6) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    (7) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    (8) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    (9) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    (10) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    (11) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    (12) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    (13) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    (14) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    (15) TLS_RSA_WITH_AES_128_GCM_SHA256
    (16) TLS_RSA_WITH_AES_256_GCM_SHA384
    (17) TLS_RSA_WITH_AES_128_CBC_SHA256
    (18) TLS_RSA_WITH_AES_256_CBC_SHA256
    (19) TLS_RSA_WITH_AES_128_CBC_SHA
    (20) TLS_RSA_WITH_AES_256_CBC_SHA
    (21) TLS_RSA_WITH_3DES_EDE_CBC_SHA
    (22) TLS_RSA_WITH_RC4_128_SHA
    (23) TLS_RSA_WITH_RC4_128_MD5
    
    Enter ciphers to disable (Example: 1,2,4) or 'Q' to cancel:
  7. Enter the numbers corresponding to the ciphers that include the string "ECDHE" and press Enter.

    This output appears:

    **********     Select Option     **********
    
    (1)               Print Configuration By Priority
    (2)               Enable Ciphers
    (3)               Disable Ciphers
    (4)               Re-Order Enabled Ciphers Priority
    
    (Q)               Quit
    
    *******************************************
    
  8. Enter 1 for the Print Configuration By Priority option.

    This output appears:

    Enabled:
    <List of enabled ciphers>
    
    Disabled:
    <List of disabled ciphers>
    
    **********     Select Option     **********
    
    (1)               Print Configuration By Priority
    (2)               Enable Ciphers
    (3)               Disable Ciphers
    (4)               Re-Order Enabled Ciphers Priority
    
    (Q)               Quit
    
    *******************************************
    
  9. Enter Q to quit.

    This output appears:

    *******************************************
    
    Would you like to save configuration? [y/N]
    
    *******************************************
    
  10. Enter y to confirm.

    This output appears:

    Successfuly reconfigured
    
    Exiting cipher tool...
    
  11. In SmartConsole, install the Access Control policy on this Security Gateway.

    Alternatively, load the local policy on the Security Gateway with the "fw fetch local" command.

  12. Make sure the configuration changes were applied on the Security Gateway.

    1. Run:

      cipher_util

      This output appears:

      Which blade would you like to configure?
      
      (1)               Multi Portal
      (2)               SSL Inspection
      
    2. Enter 1.

      This output appears:

      ******************************************
      Which list would you like to edit?
      
      (1)               TLS 1.2 Ciphers
      
      ******************************************
      
    3. Enter 1.

      This output appears:

      **********     Select Option     **********
      
      (1)               Print Configuration By Priority
      (2)               Enable Ciphers
      (3)               Disable Ciphers
      (4)               Re-Order Enabled Ciphers Priority
      
      (Q)               Quit
      
      *******************************************
      
    4. Enter 1.

      This output appears:

      Enabled:
      <List of enabled ciphers>
      
      Disabled:
      <List of disabled ciphers>
      
      **********     Select Option     **********
      
      (1)               Print Configuration By Priority
      (2)               Enable Ciphers
      (3)               Disable Ciphers
      (4)               Re-Order Enabled Ciphers Priority
      
      (Q)               Quit
      
      *******************************************
      
    5. Enter Q.
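Two points in the procedure are easy to get wrong by hand: picking every ECDHE entry out of the 23-line menu in step 7, and confirming in step 8 and step 12 that none remains enabled. The helper below is an added example, not part of the article or of cipher_util; it parses the "(n) TLS_..." lines printed by the tool. STEP6_MENU is copied from step 6 above; PRINT_CONFIG_SAMPLE is constructed, because the article shows only "<List of enabled ciphers>" placeholders, and it assumes the tool prints one suite per line under "Enabled:" and "Disabled:".

```python
"""Helpers for the cipher_util ECDHE workaround above.

Added example, not Check Point code. STEP6_MENU is the menu shown in step 6 of
the article; PRINT_CONFIG_SAMPLE is constructed and assumes one suite per line.
"""
import re

STEP6_MENU = """\
Enabled:

(1) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(2) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(3) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(4) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(5) TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
(6) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
(7) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
(8) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(9) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(10) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(11) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
(12) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(13) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
(14) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(15) TLS_RSA_WITH_AES_128_GCM_SHA256
(16) TLS_RSA_WITH_AES_256_GCM_SHA384
(17) TLS_RSA_WITH_AES_128_CBC_SHA256
(18) TLS_RSA_WITH_AES_256_CBC_SHA256
(19) TLS_RSA_WITH_AES_128_CBC_SHA
(20) TLS_RSA_WITH_AES_256_CBC_SHA
(21) TLS_RSA_WITH_3DES_EDE_CBC_SHA
(22) TLS_RSA_WITH_RC4_128_SHA
(23) TLS_RSA_WITH_RC4_128_MD5

Enter ciphers to disable (Example: 1,2,4) or 'Q' to cancel:
"""

# Constructed "Print Configuration By Priority" output after the workaround (shortened).
PRINT_CONFIG_SAMPLE = """\
Enabled:
(1) TLS_RSA_WITH_AES_128_GCM_SHA256
(2) TLS_RSA_WITH_AES_256_GCM_SHA384
(3) TLS_RSA_WITH_AES_128_CBC_SHA256

Disabled:
(1) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(2) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

# One "(n) TLS_..." menu line; other lines (headers, prompts) do not match.
MENU_LINE = re.compile(r"^\s*\((\d+)\)\s+(TLS_\S+)")


def parse_menu(text):
    """Return [(number, suite_name)] for every '(n) TLS_...' line in `text`."""
    entries = []
    for line in text.splitlines():
        m = MENU_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def ecdhe_choices(menu_text):
    """Menu numbers of all ECDHE suites, formatted as step 7 expects (e.g. "1,2,4")."""
    numbers = [n for n, name in parse_menu(menu_text) if "ECDHE" in name]
    return ",".join(str(n) for n in numbers)


def sections(print_output):
    """Split print-configuration output into {'Enabled': [...], 'Disabled': [...]}."""
    result, current = {}, None
    for line in print_output.splitlines():
        stripped = line.strip()
        if stripped in ("Enabled:", "Disabled:"):
            current = stripped.rstrip(":")
            result[current] = []
            continue
        m = MENU_LINE.match(line)
        if current and m:
            result[current].append(m.group(2))
    return result


def ecdhe_still_enabled(print_output):
    """ECDHE suites still listed under Enabled; an empty list means the workaround took effect."""
    return [s for s in sections(print_output).get("Enabled", []) if "ECDHE" in s]


if __name__ == "__main__":
    print("Step 7 answer:", ecdhe_choices(STEP6_MENU))
    print("ECDHE still enabled:", ecdhe_still_enabled(PRINT_CONFIG_SAMPLE))
```

Paste the real step-6 menu into ecdhe_choices to get the exact string to type in step 7, and the real step-8 or step-12 output into ecdhe_still_enabled; anything it returns must be disabled before the workaround is effective. Once the fix from the Solution section is installed, the same functions can be used to confirm the ECDHE suites are enabled again.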

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
