[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Problem with CPU too high in Solaris!

To: [email protected]
Subject: Re: [FW-1] Problem with CPU too high in Solaris!
From: Bernd Zimmermann <[email protected]>
Date: Wed, 2 Oct 2002 12:53:20 +0200
References: <[email protected]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1

Hi,

a) check your configuration - filter.nat / filter-nat.conf vs.  FW-NAT
Rulebase
b) check your rulebase - set frequently matched rules to the top
c)  check FW-connection table size (NAT) and perhaps increase
d)  check your routing - especially are there any ICMP-packets
(echo-request) passing the firewall and  running into a TTL-Loop between
outgoing NIC (firewall) and next hop router, if so - fix your routing
(some simple ICMP-TTL-Loops can kill your HA-FW - high cpu load/node not
reachable)

bernd







we had a problem with a

Alvarez-Garc�a, Ricardo-Jos� schrieb:

>   Hi!
>
>   We have a problem with a two Ultra 10 Solaris 7 FW-1 4.1 Sp5 nodes from a
>configuration with Stonebeat HA 2.1.3.
>
>   The problem is that the online node always has the CPU near 100% (and
>most of CPU is used by firewall processes). If I put the second node online,
>everything goes ok, but in an hour the CPU of the second node reaches 100%
>of use of CPU.
>
>   Any suggestions about it??
>
>   Thanks in advance!!
>
>
>           ...................................
>           Un saludo,
>           Ricardo J. Alvarez Garc�a
>           Siemens S.A.
>           ICN Empresas
>           Ingenier�a y Soporte a Ventas
>           Avda. de la Innovaci�n, Edificio Arena 3
>           41020  Sevilla
>           Espa�a
>           Tlf: +34  95 503 7501
>           Fax: +34  95 503 7520
>           E-mail: [email protected]
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
>
>
>
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- [FW-1] quick ... and .. shame question ... lincense ...
  - From: Taufik Kurniawan <[email protected]>

Prev by Date: [FW-1] Microsoft PPTP protocol via Checkpoint.
Next by Date: [FW-1] quick ... and .. shame question ... lincense ...
Prev by thread: [FW-1] Microsoft PPTP protocol via Checkpoint.
Next by thread: [FW-1] quick ... and .. shame question ... lincense ...
Index(es):
- Date
- Thread