Path MTU Discovery (PMTUD) issues with Check Point Active Streaming (CPAS)
Symptoms
  • Connectivity issues might occur for connections that require Check Point Active Streaming (CPAS) processing (see the list below of the Software Blades that use the CPAS infrastructure) when those connections also pass through a device whose MTU is lower than that of the external interface of the Security Gateway.

  • Software Blades/ Features that use Check Point Active Streaming (CPAS):
    • Multi-Portal (WebUI, User Check portal, DLP portal, Identity Awareness portal)
    • Mobile Access
    • Client Control Channel
    • VPN Visitor Mode
    • HTTPS inspection
    • IPS protection "Header Spoofing"
    • HTTP Proxy
    • VoIP
Cause

The TCP stack of the Check Point Active Streaming (CPAS) infrastructure in R77 does not obey ICMP "Fragmentation Needed" messages by lowering the size of the packets it sends, which breaks the Path MTU Discovery (PMTUD) mechanism.

It also does not fall back to a minimum MTU, as it should, when the ICMP "Fragmentation Needed" messages are dropped on the way (a PMTUD "black hole" connection).

As a result, the Security Gateway keeps retransmitting large segments that never reach the client, since the DF flag is set and the router on the path cannot fragment them.


Solution

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

 

For R77, Check Point offers a hotfix for this issue.

  • Hotfix installation instructions - Gaia OS using CPUSE (Check Point Update Service Engine)

    We recommend using CPUSE to install this hotfix.

    Note: Hotfix has to be installed on Security Gateway / each cluster member.

    • In Gaia Portal:

      Important note for VSX mode: the Gaia Portal is not supported on a Security Gateway in VSX mode; use Clish instead.

      1. Connect to the Gaia Portal on your machine.

      2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out').

      3. Navigate to the 'Software Updates' - 'Status and Actions' pane.

      4. Go to the 'Updates' tab to see the published hotfixes available for download.

      5. Select the Check_Point_R77_Hotfix_sk96124.tgz package - right-click on it - click on 'Download' (this will download the hotfix to your machine).

      6. Right-click on the Check_Point_R77_Hotfix_sk96124.tgz package - click on 'Install' (this will install the hotfix on the machine and display the installation status).

      7. When prompted for reboot (a pop up window appears), confirm to reboot the machine.


    • In Clish:

      1. Connect to Gaia command line (over SSH, or console).

      2. Log in to Clish shell.

      3. See the list of available packages for download:

        HostName> show installer available_packages

      4. Download this hotfix:

        HostName> installer download Check_Point_R77_Hotfix_sk96124.tgz

      5. Check the download progress by repeatedly running this command:

        HostName> show installer package_status
        Example output:
        Check_Point_R77_Hotfix_sk96124.tgz - Downloading (2.95 MB/s)   - Progress: 6%
        Check_Point_R77_Hotfix_sk96124.tgz - Available for install
        
      6. See the list of available packages for install:

        HostName> show installer available_local_packages

      7. Install this hotfix:

        HostName> installer install Check_Point_R77_Hotfix_sk96124.tgz

      8. Check the installation progress by repeatedly running this command:

        HostName> show installer package_status
        Example output:
        Check_Point_R77_Hotfix_sk96124.tgz - Installing                - Progress: 3%
        Check_Point_R77_Hotfix_sk96124.tgz - installed
        
      9. The machine reboots automatically.

    Contact Check Point Support for any assistance.



  • Hotfix installation instructions - Gaia / SecurePlatform / Linux OS

    Contact Check Point Support for any assistance.

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Download the relevant hotfix package:

      Platform: Gaia / SecurePlatform / Linux - R77 (TGZ)


    3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    4. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar -zxvf Check_Point_R77_Hotfix_sk96124_Unix.tgz

    5. Install the hotfix:

      [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME

      Note: The script stops all Check Point services (cpstop); read the output on the screen.

    6. Reboot the machine.


  • Hotfix installation instructions - IPSO OS

    Contact Check Point Support for any assistance.

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Download the relevant hotfix package:

      Platform: IPSO - R77 (TGZ)


    3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

    4. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar -zxvf Check_Point_R77_Hotfix_sk96124_IPSO.tgz

    5. Install the hotfix:

      [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME

      Note: The script stops all Check Point services (cpstop); read the output on the screen.

    6. Reboot the machine.


  • Hotfix installation instructions - Windows OS

    Contact Check Point Support for any assistance.

    1. Hotfix has to be installed on Security Gateway / each cluster member.

    2. Download the relevant hotfix package:

      Platform: Windows - R77 (EXE)


    3. Transfer the hotfix package to the machine (into some directory, e.g., C:\some_path_to_fix\).

    4. Install the hotfix:

      Right-click on the Check_Point_R77_Hotfix_sk96124_Win.exe file - click on 'Run as administrator'.

      Note: The script stops all Check Point services (cpstop); read the output on the screen.

    5. Reboot the machine.

Possible workarounds:

  • For the common case: verify the MTU of the next-hop router and configure the same MTU on the external interface of the Security Gateway.
    The MTU of the next-hop router can be read from the "next hop MTU" field of the ICMP "Fragmentation Needed" message.
    Note: It is a general best practice to configure the same MTU on the external interface of the Security Gateway as the MTU of the next-hop router.

  • If the networking device with the smaller MTU is internal, configure the MTU on the corresponding interface of the Security Gateway to match the smaller MTU of that internal device. Consider this carefully, as it can affect performance and cause network overhead.
    In most cases, lowering the MTU of an Ethernet interface to 1460 should suffice.

  • Consider removing or replacing the internal networking device that has the smaller MTU with one that can carry IP datagrams of 1500 bytes (the standard Ethernet payload).
    Relevant article: http://en.wikipedia.org/wiki/Ethernet_frame
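As an added illustration (not Check Point code, and not how CPAS itself is implemented), the following Python models what the Cause section says a compliant TCP stack should do and what the first workaround reads out of the ICMP message: it parses a constructed ICMP "Fragmentation Needed" (type 3, code 4) message for the next-hop MTU and the DF bit of the dropped datagram, lowers the path MTU and therefore the MSS accordingly, and falls back to a minimum MTU after repeated unanswered retransmissions (the black-hole case). MIN_PMTU, BLACKHOLE_RETRIES and the sample addresses are assumed values chosen for the example.

```python
import struct

MIN_PMTU = 576          # assumed conservative fallback for a PMTUD "black hole"
BLACKHOLE_RETRIES = 3   # assumed: unanswered DF retransmissions before falling back
IP_TCP_HEADERS = 40     # 20-byte IPv4 header + 20-byte TCP header, no options

def build_frag_needed(next_hop_mtu, orig_total_len, df=True):
    """Construct a sample ICMP type 3 code 4 message (checksum left zero): bytes 6-7
    carry the next-hop MTU (RFC 1191), the body is the dropped datagram's IP header + 8 bytes."""
    flags_frag = 0x4000 if df else 0          # DF bit of the original datagram
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_total_len, 0x1234, flags_frag,
                          64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_ip + b"\x00" * 8

def parse_frag_needed(icmp):
    """Return (next_hop_mtu, df_set, original_total_len) or None if not type 3 / code 4."""
    if len(icmp) < 28:                        # 8-byte ICMP header + 20-byte original IP header
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3 or code != 4:
        return None
    total_len = struct.unpack("!H", icmp[10:12])[0]   # original IP total length
    flags = struct.unpack("!H", icmp[14:16])[0]       # original IP flags / fragment offset
    return next_hop_mtu, bool(flags & 0x4000), total_len

class PathMtu:
    """Per-destination PMTU state as a PMTUD-compliant TCP stack should keep it."""
    def __init__(self, interface_mtu=1500):
        self.pmtu = interface_mtu
        self.unanswered = 0   # DF retransmissions answered by neither an ACK nor an ICMP

    def mss(self):
        return self.pmtu - IP_TCP_HEADERS

    def on_frag_needed(self, icmp):
        """Lower the PMTU to the advertised next-hop MTU; an ICMP never raises it."""
        parsed = parse_frag_needed(icmp)
        if parsed is None or not parsed[1]:   # not Fragmentation Needed, or not about a DF segment
            return self.pmtu
        next_hop_mtu = parsed[0] or MIN_PMTU  # pre-RFC 1191 routers send 0: use the fallback
        if MIN_PMTU <= next_hop_mtu < self.pmtu:
            self.pmtu, self.unanswered = next_hop_mtu, 0
        return self.pmtu

    def on_retransmit_timeout(self):
        """Black hole: DF segments time out with no ICMP arriving, so assume it is filtered."""
        self.unanswered += 1
        if self.unanswered >= BLACKHOLE_RETRIES and self.pmtu > MIN_PMTU:
            self.pmtu, self.unanswered = MIN_PMTU, 0
        return self.pmtu
```

The R77 behaviour described above corresponds to a stack that neither calls on_frag_needed nor applies the fallback in on_retransmit_timeout, so the MSS stays at the interface value and every full-size segment is retransmitted unchanged.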

Applies To:
  • 01274537, 01284439, 01306528, 01322112, 01335684, 01346424
