topic Re: High CPU use on SND cores and Aggressive Aging in Firewall and Security Management

High CPU use on SND cores and Aggressive Aging

HristoGrigorov — Tue, 16 Jun 2020 10:54:52 GMT

How do you understand sk167358 ? Does it say that one SGs with majority of traffic accelerated through SecureXL, Aggressive Aging may actually impact performance in negative way because of constant timeout calculations ?

Re: High CPU use on SND cores and Aggressive Aging

Kaspars_Zibarts — Tue, 16 Jun 2020 17:46:36 GMT

I'm not able to comment on SK but in real life we saw some really odd problems whilst AA was on. For example we had some RDP running over HTTPS and that simply stopped working and as soon as AA was resolved, it started working again

Re: High CPU use on SND cores and Aggressive Aging

HeikoAnkenbrand — Tue, 16 Jun 2020 18:37:34 GMT

sk35990:

Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.

sk167358:

High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.

We can choose between CPU and connection tabel dead😀.

I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher. I this cases I usually turn it off.

It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.