SecureXL & CoreXL on SMB devices

Document created by Günther W. Albrecht on Feb 5, 2018Last modified by Günther W. Albrecht on Jul 2, 2018
Version 9Show Document
  • View in full screen mode

SecureXL & CoreXL on SMB devices is very poorly documented, so i have collected corresponding information to present it here:


1. SecureXL

The 1400/1100/1200R/700/600 series supports SecureXL and it is active by default. The SecureXL Drop Templates Optimization feature and the SecureXL penalty box mechanism are not supported, Accept Templates are on, but NAT Templates are off by default – to enable them, you have to add two lines to .pfrm2.0/opt/fw1/boot/modules/fwkern.conf  (see sk71200):



( Out of my personal experience, enabling these templates may be dangerous - with firmware > R77.20.60, i have experienced autonomous reboots that only stopped after removing the fwkern.conf file... )


VPN traffic may be slow or show the error:  "Virtual defragmentation error: Timeout". With SecureXL inactive, the ipsec_dont_fragment parameter is on by default and this behaviour does not occur. If the GW receives a packet of (nearly) MTU size, it discards the packet and sends the ICMP "packet too big" message instead of fragmenting it. With SecureXL active you would have to enable the sim_keep_DF_flag SecureXL kernel parameter in $PPKDIR/boot/modules/simkern.conf (see sk92465 Slow Site-to-Site VPN affected by Virtual Defragmentation):


[Expert@Appliance]# touch $FWDIR/modules/simkern.conf
[Expert@Appliance]# echo 'sim_keep_DF_flag=1' >> $FWDIR/modules/simkern.conf
[Expert@Appliance]# cat $FWDIR/modules/simkern.conf
[Expert@Appliance]# reboot

SecureXL should never be disabled except when doing debugs. There is no way to disable SecureXL in the WebGUI, but sk65015 shows how it can be achieved on CLI:

GW-620> fwaccel off 

This command switches off SecureXL until the next reboot and can be used to set it to "on again. To disable SecureXL permanently (only when being instructed by CP TAC to do so), you would have to follow these steps (see also sk52520):


On the 1400/1100/1200R/700/600 appliance, go to /pfrm2.0/etc/ directory:

[Expert@Appliance]# cd /pfrm2.0/etc/

Create the special file:

[Expert@Appliance]# touch userScript

(Note: the name contains Captial 'S'.)

Edit the file in Vi editor:

[Expert@Appliance]# vi userScript

userScript must be in shell script format:


Add the full path to the command 'fwaccel off':

/opt/fw1/bin/fwaccel off

Set the file permissions:

[Expert@Appliance]# chmod 777 userScript

Reboot the appliance. SecureXL should be off now - check with 'fwaccel stat' command.


2. CoreXL

The 7x0/14x0 appliances have two cores and can use the 'sim affinity' command to assign interfaces to cores. But this setting should be tried very carefully only !


Command 'sim affinity -l'  lists the interfaces that can be assigned to one of two cores. As that command on SMB devices does not survive reboot, you have to add a line to userScript:

printf '\n1\n' | sim affinity –s

This sets the first IF listed to the default and the second to 1. On 14x0 units only, CoreXL is supported (check with fw ctl mutik stat), and so two SNDs and two fw_worker processes exist (a 7x0 only has one fw_worker process, regardless of using the same hardware). It usually makes no sense to manually configure CoreXL on two-core-systems like the 14x0, but sk98737 ATRG: CoreXL is partly usable (although its supported OSs do not list GAiA Embedded). To change CoreXL settings use the command:

fw ctl affinity
3 people found this helpful