Re: [FW-1] slow network connection to slave firewall



Yes, when it happened to me, everything ran slow, push pulls of the policy,
ls, logins...



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of <Aaron Reynolds>
Sent: 02 January 2003 21:12
To: [email protected]
Subject: Re: [FW-1] slow network connection to slave firewall


I believe you, but I am just telling you what I see on the primary and
secondary firewall.  When I ssh into the boxes, I get a password prompt, but
tcpdump shows no dns traffic for the reverse lookup.  Only after I
successfully authenticate does it send the reverse lookup.  Also, if this
was a reverse lookup issue would it be causing problems with a policy
fetch/push, as well as SSL voyager connections?  It is not just ssh, it
seems to be everything.  Right now I can't test turning off DNS, because it
is not happening right now.  I am more than willing to see if that is the
cause the next time it occurs.  Thanks for your help.

-Aaron

-----Original Message-----
From: Norris, William [mailto:[email protected]]
Sent: Thursday, January 02, 2003 1:44 PM
To: [email protected]
Subject: Re: [FW-1] slow network connection to slave firewall


OpenSSH uses the reverse DNS lookup to gather entropy for the encrypted
session to the client.  This occurs before the password prompt is displayed.

dean.

> -----Original Message-----
> From: jim parker [mailto:[email protected]]
> Sent: Thursday, January 02, 2003 11:53
> To: [email protected]
> Subject: Re: [FW-1] slow network connection to slave firewall
>
>
> Humour me, turn off dns, how does it behave then?
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of <Aaron Reynolds>
> Sent: 01 January 2003 08:26
> To: [email protected]
> Subject: Re: [FW-1] slow network connection to slave firewall
>
>
> A reverse lookup doesn't happen until after the password is sent, not
> before the initial authentication prompt is given.  I don't even get
> the password prompt for 1-2 minutes.  This would tell me that it has
> nothing to do with reverse lookups. Also, it was not just affecting
> ssh logins, but policy pushes/fetches as well.  It seemed to be
> affecting all network traffic to the box, although regular fw1 logging
> to the management console was still working.  Also, this has only
> occurred twice (that I am aware of), on a box that has been in
> production for over two years, and on the current release for roughly
> 5 months.
>
> -----Original Message-----
> From: Ham, MichaelX [mailto:[email protected]]
> Sent: Tuesday, December 31, 2002 11:16 AM
> To: [email protected]
> Subject: Re: [FW-1] slow network connection to slave firewall
>
>
> I have seen reverse lookups cause this exact login delay before.  The
> 2 minute or so delay is some process that is getting to a timeout
> state before it lets you continue.  Finding the cause of the timeout
> will solve the problem.
>
> Hope this helps,
>
> Happy New Year All
>
> -Michael
>
>
> -----Original Message-----
> From: <Aaron Reynolds> [mailto:[email protected]]
> Sent: Tuesday, December 31, 2002 9:37 AM
> To: [email protected]
> Subject: Re: [FW-1] slow network connection to slave firewall
>
> It is not reverse lookups, because I don't even get my password prompt
> for 2 minutes.  Watch a tcp dump on your firewall when you connect.
> The reverse lookup doesn't happen until after you enter your password.
> Slowness continues even after I log in.  It may be a hard drive
> problem, but I don't see any errors indicating such.  Thanks for the
> help.
>
> -Aaron
>
> -----Original Message-----
> From: Ham, MichaelX [mailto:[email protected]]
> Sent: Tuesday, December 31, 2002 9:18 AM
> To: [email protected]
> Subject: Re: [FW-1] slow network connection to slave firewall
>
>
> Aaron,
>
> I was going to say basically the same thing.  Check your reverse
> lookups on the network, sounds like it could be a DNS/lookup problem.
>
> The other thing to look at is a failing hard drive.  This would
> account for the slow ls commands.  If the drive is having trouble
> reading a portion of it but after then is able to read it you won't
> get a failed drive message.  If it is possible to run a linear verify
> test, do that.
>
> -Michael
>
>
> -----Original Message-----
> From: jimbo [mailto:[email protected]]
> Sent: Monday, December 30, 2002 5:30 PM
> To: [email protected]
> Subject: Re: [FW-1] slow network connection to slave firewall
> Importance: High
>
> Have you got DNS defined on the Nokia? Turn it off!
> If IPs are inserted into the DNS entries on newer IPSO's but can't do
> lookups, you get hangups like this, I've seen it a few times...
>
> jp
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of <Aaron Reynolds>
> Sent: 30 December 2002 23:27
> To: [email protected]
> Subject: [FW-1] slow network connection to slave firewall
>
>
> This has happened twice now, that I have noticed.  Once on Dec 18, for
> about 2 hours, and once today (Dec. 30) for about 1-2 hours.  The
> problem is as follows:
>
> IPSO 3.5 FCS8 / 4.1 SP6 (HA pair)
>
> Policy pushing and fetching fail on the secondary, but work on
> primary. User database updates fail, but work on primary.  However,
> FW1 logging to management console seems to continue through the
> problem. ssh connections take up to 2 minutes for a password prompt to
> come back, and then once authentication is entered, sometimes timeout,
> never getting a prompt.  Once logged into the box, things are very
> slow.  "ls" commands will hang for a few seconds, sometimes you wait
> for typing, as if on a serial connection.  Here is the strange thing.
> I see no collisions on the firewall or next hop switch on our LAN.
> Load is about 2% on the firewall.  There is next to no traffic.
> Meanwhile, my primary firewall is working fine, taking all the load.
> ssh connections are quick, getting immediate responses.  This rules
> out a problem with a router/switch on our LAN.  It seems to be either
> the firewall, or the next hop switch inside the firewall. I tried
> rebooting the firewall as a last resort, and it didn't fix anything.
> Then, in both cases it will just start working again without me doing
> anything.  Any help is greatly appreciated.  Let me know if you need
> more info.  Thanks.
>
> -Aaron
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
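
Added example (not part of any poster's message): one way to settle from a capture the question the thread argues about, namely how long after an inbound SSH connection the reverse (PTR) lookup for the client is sent and whether it is ever answered. It assumes text output from a current `tcpdump -n`; the sample lines, addresses and the names `ptr_timing` and `SAMPLE` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in `tcpdump -n` text format (assumption, not from the thread).
SAMPLE = """\
12:00:00.000000 IP 192.0.2.10.40000 > 192.0.2.1.22: Flags [S], seq 1, win 65535, length 0
12:00:00.000400 IP 192.0.2.1.22 > 192.0.2.10.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:00.050000 IP 192.0.2.1.1030 > 192.0.2.53.53: 4660+ PTR? 10.2.0.192.in-addr.arpa. (41)
12:00:05.050000 IP 192.0.2.1.1030 > 192.0.2.53.53: 4660+ PTR? 10.2.0.192.in-addr.arpa. (41)
12:00:10.050000 IP 192.0.2.1.1030 > 192.0.2.53.53: 4660+ PTR? 10.2.0.192.in-addr.arpa. (41)
12:01:00.000000 IP 192.0.2.20.40001 > 192.0.2.1.22: Flags [S], seq 5, win 65535, length 0
12:01:03.000000 IP 192.0.2.1.1031 > 192.0.2.53.53: 4661+ PTR? 20.2.0.192.in-addr.arpa. (41)
12:01:03.002000 IP 192.0.2.53.53 > 192.0.2.1.1031: 4661 1/0/0 PTR host20.example. (69)
"""

# Inbound SYN to port 22, outbound PTR query to port 53, any packet back from port 53.
SYN = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.22: Flags \[S\],")
QUERY = re.compile(r"^(\S+) IP \S+ > \S+\.53: (\d+)\S* (?:\[\S+\] )?PTR\? (\S+)\.in-addr\.arpa\.")
REPLY = re.compile(r"^(\S+) IP \S+\.53 > \S+: (\d+)")

def ts(stamp):
    return datetime.strptime(stamp, "%H:%M:%S.%f")

def ptr_timing(capture):
    """Per SSH client: seconds from SYN to first PTR query, query count, answered?"""
    syn_at, report, by_id = {}, {}, {}
    for line in capture.splitlines():
        if m := SYN.match(line):
            syn_at.setdefault(m[2], ts(m[1]))       # first SYN seen from this client
        elif m := QUERY.match(line):
            client = ".".join(reversed(m[3].split(".")))  # 10.2.0.192 -> 192.0.2.10
            if client not in syn_at:
                continue                            # lookup unrelated to an SSH client
            delay = round((ts(m[1]) - syn_at[client]).total_seconds(), 3)
            r = report.setdefault(client, {"first_query_after_syn": delay, "queries": 0, "answered": False})
            r["queries"] += 1                       # retries reuse the same DNS id
            by_id[m[2]] = client
        elif (m := REPLY.match(line)) and m[2] in by_id:
            report[by_id[m[2]]]["answered"] = True  # any response, NXDomain included
    return report

if __name__ == "__main__":
    print(ptr_timing(SAMPLE))
```

Repeated queries with `answered` still false indicate the resolver is timing out; the capture shows packet order only, not when sshd prints its prompt.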
