NGAI R55 HFA18

On Tue, 24 Oct 2006, sin wrote:

> Hugo van der Kooij wrote:
> > On Tue, 24 Oct 2006, Mark Pace Balzan wrote:
> > 
> >> Im running R55 on a splat box, currently with
an older HFA.
> >>
> >> Im considering applying HFA18 to be up to
date, but a search on the web
> >> shows that some people had crashes and other
issues after appying HFA18
> >>
> >>
> >> Anyone using it in a stable production
environment who can comment ?
> > 
> > We got several customers who are not yet ready to
move to NGX that are 
> > currently at R55 + HFA-18
> > 
> > Frankly R60 scares dozen of time more then R55.
> 
> why wouldn't they upgrade and why is R60 scary ?

Because you just don't upgrade a full set of firewalls
overnight. Most 
certainly not if the newer version has no benefits for those
customers.

And while we never had an issue with crashing R55 firewalls
we have 
several customers with R60 firewalls crashing even with
Check Point and 
all working on the firewalls themselves to find the bugs.

And there is the CPU usage which seems to increase with each
and every 
firewall upgrade.

So I am becoming more and more conservative where it
involves Check Point 
upgrades.

Hugo.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Hugo van der Kooij wrote:
> On Tue, 24 Oct 2006, sin wrote:
> 

>> why wouldn't they upgrade and why is R60 scary ?
> 
> Because you just don't upgrade a full set of firewalls
overnight. Most 
> certainly not if the newer version has no benefits for
those customers.

true (maybe just for any new SmartDefense updates that are
only
available in NGX)

> 
> And while we never had an issue with crashing R55
firewalls we have 
> several customers with R60 firewalls crashing even with
Check Point and 
> all working on the firewalls themselves to find the
bugs.

can you give a little bit more detail on what bugs you found
? maybe it
could help some of us to not bang our heads in the all for
nothing and
call directly check point.

> 
> And there is the CPU usage which seems to increase with
each and every 
> firewall upgrade.

the hardware vendors also have to make a living, no ? 

> 
> So I am becoming more and more conservative where it
involves Check Point 
> upgrades.
> 
> Hugo.
> 

sin

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

On Tue, 24 Oct 2006, sin wrote:

> Hugo van der Kooij wrote:

> > And while we never had an issue with crashing R55
firewalls we have 
> > several customers with R60 firewalls crashing even
with Check Point and 
> > all working on the firewalls themselves to find
the bugs.
> 
> can you give a little bit more detail on what bugs you
found ? maybe it
> could help some of us to not bang our heads in the all
for nothing and
> call directly check point.

No. At this point there is no clear sign what is causing the
issue. There 
are fixes in HFA-04 which should prevent some crashes. But
HFA-04 did not 
fix that much in these cases.

The verdict is still out but all crashes happen on Linux
based 
installations (SPLAT, RHEL, Resilience).

After Nokia fixed a memory leak in IPSO I have not yet seen
issues there.

But in order to get a fix you need to open a case anyway.

Hugo.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Hugo van der Kooij wrote:
> On Tue, 24 Oct 2006, sin wrote:
> 
>> Hugo van der Kooij wrote:
> 
>>> And while we never had an issue with crashing
R55 firewalls we have 
>>> several customers with R60 firewalls crashing
even with Check Point and 
>>> all working on the firewalls themselves to find
the bugs.
>> can you give a little bit more detail on what bugs
you found ? maybe it
>> could help some of us to not bang our heads in the
all for nothing and
>> call directly check point.
> 
> No. At this point there is no clear sign what is
causing the issue. There 
> are fixes in HFA-04 which should prevent some crashes.
But HFA-04 did not 
> fix that much in these cases.
> 
> The verdict is still out but all crashes happen on
Linux based 
> installations (SPLAT, RHEL, Resilience).
> 
> After Nokia fixed a memory leak in IPSO I have not yet
seen issues there.
> 
> But in order to get a fix you need to open a case
anyway.

I know that, I was just thinking that if you would put out a
small
description people on this list might have a faster response
time from
Check Point knowing that there might be a patch available
for the issue.


> 
> Hugo.
> 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

On Tue, 24 Oct 2006, sin wrote:

> Hugo van der Kooij wrote:
> > On Tue, 24 Oct 2006, sin wrote:
> > 
> >> Hugo van der Kooij wrote:
> > 
> >>> And while we never had an issue with
crashing R55 firewalls we have 
> >>> several customers with R60 firewalls
crashing even with Check Point and 
> >>> all working on the firewalls themselves to
find the bugs.
> >> can you give a little bit more detail on what
bugs you found ? maybe it
> >> could help some of us to not bang our heads in
the all for nothing and
> >> call directly check point.
> > 
> > No. At this point there is no clear sign what is
causing the issue. There 
> > are fixes in HFA-04 which should prevent some
crashes. But HFA-04 did not 
> > fix that much in these cases.
> > 
> > The verdict is still out but all crashes happen on
Linux based 
> > installations (SPLAT, RHEL, Resilience).
> > 
> > After Nokia fixed a memory leak in IPSO I have not
yet seen issues there.
> > 
> > But in order to get a fix you need to open a case
anyway.
> 
> I know that, I was just thinking that if you would put
out a small
> description people on this list might have a faster
response time from
> Check Point knowing that there might be a patch
available for the issue.

It just happens that Check Point support does not work that
way.

If you have a crash. Open a case. Go over the details on how
to gather the 
crash info and then see what is causing the crash based on
those details.

At this point I only have an inkling that it only happens on
SMP systems 
and it might be just be clusters only.

But the first R60 crash was a Dell specific issue on a
single CPU system. 
As the patch was allready present it only took 15 minute
from opening the 
case to downloading the fix. (It is also part of HFA-01)

In fact not all of these fixes are listed explicitly in the
HFA release 
notes. So in case of trouble applying a HFA may solve issues
unlisted in 
the release notes.

Hugo.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Hugo,

Do you have a little more information about this IPSO memory
leak?

Regards,

Werner 

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM]
On Behalf Of Hugo
van der Kooij
Sent: Tuesday, October 24, 2006 22:01
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] NGAI R55 HFA18

On Tue, 24 Oct 2006, sin wrote:

> Hugo van der Kooij wrote:

> > And while we never had an issue with crashing R55
firewalls we have 
> > several customers with R60 firewalls crashing even
with Check Point
and 
> > all working on the firewalls themselves to find
the bugs.
> 
> can you give a little bit more detail on what bugs you
found ? maybe
it
> could help some of us to not bang our heads in the all
for nothing and
> call directly check point.

No. At this point there is no clear sign what is causing the
issue.
There 
are fixes in HFA-04 which should prevent some crashes. But
HFA-04 did
not 
fix that much in these cases.

The verdict is still out but all crashes happen on Linux
based 
installations (SPLAT, RHEL, Resilience).

After Nokia fixed a memory leak in IPSO I have not yet seen
issues
there.

But in order to get a fix you need to open a case anyway.

Hugo.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Hugo van der Kooij wrote:


> 
> At this point I only have an inkling that it only
happens on SMP systems 
> and it might be just be clusters only.
> 
> But the first R60 crash was a Dell specific issue on a
single CPU system. 
> As the patch was allready present it only took 15
minute from opening the 
> case to downloading the fix. (It is also part of
HFA-01)

I got bitten by that one too. Disabling Hyperthreading was
the only way
to make the machine to stop crashing on a Dell.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Nokia released new builds of IPSO near the end of September
that fixed a 
very slow memory leak. We noticed that SecureClient logons
were taking 
longer than normal. When we looked at the box running IPSO
3.9 build 41 (or 
thereabouts), we found our memory in use went from its
normal 30% to 85% and 
the long term Voyager graph showed a slow increase over the
past six months. 
A reboot took it back to 30%. When we went to Nokia's site,
we saw the new 
build and its release notes.

We upgraded IPSO to 3.9 build 56 and it's been holding
steady at 30% for the 
past three weeks.

Ray


>From: "Brockhoven, Werner"
<Werner.BrockhovenHP.COM>
>Reply-To: Mailing list for discussion of Firewall-1     
        
><FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] NGAI R55 HFA18
>Date: Wed, 25 Oct 2006 08:10:55 +0200
>
>Hugo,
>
>Do you have a little more information about this IPSO
memory leak?
>
>Regards,
>
>Werner
>

____________________________________________________________
_____
Find a local pizza place, music store, museum and more…then
map the best 
route!  http://local.live.c
om?FORM=MGA001

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Ray,

Ah thanks for the info.  It indeed sounds like a familiar
problem.

Regards,

Werner

-----Original Message-----
From: Ray   [mailto:sixsigma44hotmail.com] 
Sent: Wednesday, October 25, 2006 12:57
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Cc: Brockhoven, Werner
Subject: Re: [FW-1] IPSO memory leak

Nokia released new builds of IPSO near the end of September
that fixed a 
very slow memory leak. We noticed that SecureClient logons
were taking 
longer than normal. When we looked at the box running IPSO
3.9 build 41 (or 
thereabouts), we found our memory in use went from its
normal 30% to 85% and 
the long term Voyager graph showed a slow increase over the
past six months. 
A reboot took it back to 30%. When we went to Nokia's site,
we saw the new 
build and its release notes.

We upgraded IPSO to 3.9 build 56 and it's been holding
steady at 30% for the 
past three weeks.

Ray


>From: "Brockhoven, Werner"
<Werner.BrockhovenHP.COM>
>Reply-To: Mailing list for discussion of Firewall-1     
        
><FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
>To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>Subject: Re: [FW-1] NGAI R55 HFA18
>Date: Wed, 25 Oct 2006 08:10:55 +0200
>
>Hugo,
>
>Do you have a little more information about this IPSO
memory leak?
>
>Regards,
>
>Werner
>

____________________________________________________________
_____
Find a local pizza place, music store, museum and
more...then map the best 
route!  http://local.live.c
om?FORM=MGA001

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

On Wed, 25 Oct 2006, Brockhoven, Werner wrote:

> Do you have a little more information about this IPSO
memory leak?

Latest IPSO 4.1 should solve it. It is fixed in build 19.

Crashes and other calamities aside I always read the release
notes of each 
IPSO and Check Point version as soon as I learn about them.

Sometimes I start calling customers a wee bit later to ask
them to plan a 
maintenance window to roll in the fix.

Hugo.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================