SecureXL & CoreXL on SMB devices

Document created by Guenther W. Albrecht on Feb 5, 2018. Last modified by Guenther W. Albrecht on Feb 14, 2018. Version 5.

SecureXL & CoreXL on SMB devices are very poorly documented, so I have collected the corresponding information and present it here:


1. SecureXL

The 1400/1100/1200R/700/600 series support SecureXL, and it is activated by default. SecureXL Drop Templates are disabled and not supported; Accept Templates are on; NAT Templates are off by default. To enable NAT Templates, you have to add two lines to .pfrm2.0/opt/fw1/boot/modules/fwkern.conf (see sk71200):


cphwd_nat_templates_support=1 
cphwd_nat_templates_enabled=1

VPN traffic may be slow or show the error "Virtual defragmentation error: Timeout". With SecureXL inactive, the ipsec_dont_fragment parameter is on by default and this behaviour does not occur: if the GW receives a packet of (nearly) MTU size, it discards the packet and sends an ICMP "packet too big" message instead of fragmenting it. With SecureXL active, you have to enable the sim_keep_DF_flag SecureXL kernel parameter in $PPKDIR/boot/modules/simkern.conf (see sk92465, Slow Site-to-Site VPN affected by Virtual Defragmentation):


[Expert@Appliance]# touch $PPKDIR/boot/modules/simkern.conf
[Expert@Appliance]# echo 'sim_keep_DF_flag=1' >> $PPKDIR/boot/modules/simkern.conf
[Expert@Appliance]# cat $PPKDIR/boot/modules/simkern.conf
[Expert@Appliance]# reboot
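As an added example (not part of the original document), a small POSIX shell helper that applies the fwkern.conf / simkern.conf parameters above idempotently: unlike a repeated 'echo ... >> file', it never leaves duplicate or conflicting key=value lines. It writes to a scratch directory that stands in for the appliance paths (an assumption for the demo), so the re-run and value-flip cases can be seen without an appliance.

```shell
#!/bin/sh
# Added example (not from the original document): set key=value kernel
# parameters in fwkern.conf / simkern.conf style files idempotently, so that
# re-running the procedure never leaves duplicate or conflicting lines.
# Assumption: a scratch directory stands in for $PPKDIR/boot/modules and
# /pfrm2.0/opt/fw1/boot/modules; on an appliance point the variables there.

set_kparam() {
    # usage: set_kparam FILE KEY VALUE  (creates FILE if it does not exist)
    file=$1; key=$2; val=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # key already present: rewrite its value instead of appending
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${val}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

get_kparam() {
    # usage: get_kparam FILE KEY  -> prints the value, empty if absent
    [ -f "$1" ] && sed -n "s|^${2}=||p" "$1" | tail -n 1
}

count_key() {
    # usage: count_key FILE KEY  -> number of lines defining KEY (0 or 1)
    [ -f "$1" ] || { echo 0; return; }
    grep -c "^${2}=" "$1" || true
}

# constructed scratch location for the demo
demo_dir=$(mktemp -d)
SIMKERN="$demo_dir/simkern.conf"   # stands in for $PPKDIR/boot/modules/simkern.conf
FWKERN="$demo_dir/fwkern.conf"     # stands in for .pfrm2.0/opt/fw1/boot/modules/fwkern.conf

# sk92465 parameter; applied twice to show the second run is a no-op
set_kparam "$SIMKERN" sim_keep_DF_flag 1
set_kparam "$SIMKERN" sim_keep_DF_flag 1
# sk71200 NAT template parameters
set_kparam "$FWKERN" cphwd_nat_templates_support 1
set_kparam "$FWKERN" cphwd_nat_templates_enabled 1
# flipping a value rewrites the line rather than adding a second one
set_kparam "$FWKERN" cphwd_nat_templates_enabled 0

echo "--- $SIMKERN"; cat "$SIMKERN"
echo "--- $FWKERN";  cat "$FWKERN"
```

A reboot is still needed for the appliance to read the changed files, exactly as in the procedure above.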

SecureXL should never be disabled except when doing debugs. There is no way to disable SecureXL in the WebGUI, but sk65015 shows how it can be done on the CLI:

GW-620> fwaccel off 

This command switches off SecureXL until the next reboot, and the same command with 'on' switches it back on. To disable SecureXL permanently (only when instructed to do so by CP TAC), you have to follow these steps (see also sk52520):


On the 1400/1100/1200R/700/600 appliance, go to /pfrm2.0/etc/ directory:

[Expert@Appliance]# cd /pfrm2.0/etc/

Create the special file:

[Expert@Appliance]# touch userScript

(Note: the name contains a capital 'S'.)

Edit the file in Vi editor:

[Expert@Appliance]# vi userScript

userScript must be in shell script format:

#!/bin/sh

Add the full path to the command 'fwaccel off':

/opt/fw1/bin/fwaccel off

Set the file permissions:

[Expert@Appliance]# chmod 777 userScript

Reboot the appliance. SecureXL should be off now; check with the 'fwaccel stat' command.


2. CoreXL

The 7x0/14x0 appliances have two cores and can use the 'sim affinity' command to assign interfaces to cores, but this setting should only be tried with great care!


The command 'sim affinity -l' lists the interfaces that can be assigned to one of the two cores. As this setting does not survive a reboot on SMB devices, you have to add a line to userScript:

printf '\n1\n' | sim affinity -s

This sets the first interface listed to the default core and the second to core 1. CoreXL is supported on 14x0 units only (check with 'fw ctl multik stat'), so two SNDs and two fw_worker processes exist there (a 7x0 has only one fw_worker process, despite using the same hardware). It usually makes no sense to manually configure CoreXL on two-core systems like the 14x0, but sk98737 (ATRG: CoreXL) is partly applicable (although its list of supported OSs does not include Gaia Embedded).
