Hello Eduardo,

RE: Hide NAT failure

Based on our recent conversation, you can find more information on this issue "NAT
hide failure - there are currently no available ports for hide operation" detailed
in sk103656 - Dynamic Port Allocation Feature.

In order to solve the problem I would recommend to first install jumbo take 205
for R77.30, since we already verified that there is not any jumbo hotfix installed
at this time on any of the gateways. The jumbo hotfix includes several improvements
for this particular scenario and several other features as well. The jumbo hotfix
needs to be installed on both cluster gateways. This will also match the jumbo
hotfix version that is currently installed for your Multi Domain Management Servers
which will also improve general performance for the environment.

Additional information on Jumbo Hotfix for R77.30 is detailed in sk106162; you
will also find the download links for take 205 here (MD5 for this hotfix is
1bd029f637b7ace70e19af6c3a4b4028).

As a side note, this particular issue may be seen on different versions of code,
especially older versions. The issue will manifest whenever there is exhaustion of
NAT ports for high traffic due to the way NAT port allocation is performed. If your
NAT traffic increases at any given time then it will be more likely that you will
see this behaviour while traffic is high. The new versions of code and jumbo hotfix
should help to alleviate this problem.

Here's the action plan that I suggest:

1- Upgrade CPUSE agent to version 1130 to match the current version being used for
other HSBC environments (this is the agent that performs
installation/uninstallation of hotfixes for the gateway and is needed to be able to
install new hotfixes). I've included the file in your SFTP folder under this SR's
number.

Steps:

- Move the file to a directory on the appliance:


- Run the following commands:
[Expert@HostName:0]# tar -zxvf DeploymentAgent_<build>.tgz
[Expert@HostName:0]# rpm -Uhv --force CPda-00-00.i386.rpm

[Expert@HostName:0]# killall -v clish clishd


Important Note: If your default shell is CLISH (/etc/cli.sh), then after issuing
this command, you will be disconnected / logged out from all active sessions.

Restart the ConfD daemon:

[Expert@HostName:0]# tellpm process:confd


[Expert@HostName:0]# tellpm process:confd t

Start the CPUSE Agent manually:

[Expert@HostName:0]# $DADIR/bin/dastart

VERIFY THE NEW VERSION FROM CLISH (it should be 1130)


HostName:0> show installer status build

2- Install Jumbo take 205 for Gaia R77.30 (Requires Reboot)

Steps:

- Run these commands on the standby member; after reboot you can fail over traffic
to the now upgraded member, and perform installation of the jumbo hotfix on the
second gateway.
- Move the file to a directory on the appliance (e.g. /home/admin/)
- Make sure no clients are logged into any GUI applications at this time.

From clish run:


HostName:0> lock database override
HostName:0> installer import local /home/admin/CPxxxxx.tgz_or_tar
HostName:0> show installer packages imported

HostName:0> installer verify <packageNumber>


To find out the package number, you can hit <TAB> after "installer verify " and it
will list the available packages for verification, then just use the ID (#) for
that package (for instance "installer verify 5")

HostName:0> installer install <packageNumber>


To find out the package number, you can hit <TAB> after "installer install " and
it will list the available packages for installation, then just use the ID (#) for
that package (for instance "installer install 5")

After both members have been upgraded/rebooted you can fail over traffic back to
the previous active member if needed.

Please let me know if you have any questions or concerns at this time.

Thank you.

You may reply to this email or if you have difficulty responding via e-mail, you
may login to the User Center:
https://usercenter.checkpoint.com/usercenter/index.jsp

Click on the Support -> My Service Requests -> 1-9402990231
