topic Re: Multiqueue without Secreuxl in Firewall and Security Management

Multiqueue without Secreuxl

Neville_Kuo — Sun, 17 Nov 2019 12:33:40 GMT

Dear all,

Due to some service impact reason we have to disable securexl in our customer production network, to improve network performance we turned on multiqueue on some interfaces, accord to some documents and SK I know multiqueue is only relevant with securexl enabled, but I know multiqueue is linux thing not check point proprietary, so we really don't have any benefit to turn multiqueue on with securexl off?

Re: Multiqueue without Secreuxl

Timothy_Hall — Sun, 17 Nov 2019 13:25:03 GMT

Gateway version and Jumbo HFA level? The answer will depend quite a bit on this piece of information...

Re: Multiqueue without Secreuxl

Neville_Kuo — Sun, 17 Nov 2019 13:35:42 GMT

Hi,

All R80.20 with jumbo hotfix take 118.

Re: Multiqueue without Secreuxl

Timothy_Hall — Sun, 17 Nov 2019 14:29:46 GMT

In R80.10 and earlier, SecureXL had to be enabled to use Multi-Queue due to the interaction with SecureXL automatic interface affinity, which would poll interface load every 60 seconds and shuffle interfaces around that did not have Multi-Queue enabled on the various SND/IRQ/Dispatcher cores trying to balance the load.

Automatic interface affinity as it was performed in R80.10 and earlier is gone in R80.20 and later due to the big architectural changes in SecureXL, and even when you turn off SecureXL in R80.20 and later, it is not really completely disabled quite like it was in R80.10 and earlier. If you have SecureXL disabled with fwaccel off in R80.20+ due to your issue, yes you most definitely want to keep using Multi-Queue and it will still work. If you can disable SecureXL selectively as described in these SKs that is always preferable to just turning it all off:

sk104468: How to disable SecureXL for specific IP addresses

sk151114: "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above

Starting in R80.30 with Gaia kernel 3.10, Multi-Queue is enabled by default on all interfaces except the management interface.

Re: Multiqueue without Secreuxl

Neville_Kuo — Sun, 17 Nov 2019 14:37:44 GMT

Hi Mr. Hall,

Thanks for your reply, it really helps, unfortunately sk104468 won't do the trick becasue it's CDN service, we can't not predcit which ip address would be used.

Re: Multiqueue without Secreuxl

PhoneBoy — Sun, 17 Nov 2019 21:58:13 GMT

Why must you disable SecureXL?

Re: Multiqueue without Secreuxl

Timothy_Hall — Sun, 17 Nov 2019 22:11:57 GMT

Do you know which port(s) the CDN is using? If so you can use the little-known tcp_f2f_ports directive mentioned in that SK to force certain ports F2F regardless of IP address.

Re: Multiqueue without Secreuxl

Neville_Kuo — Mon, 18 Nov 2019 08:35:04 GMT

Hi,

It's https connections so I think disable that port is almost equals to disable all traffic get int to securexl.

Re: Multiqueue without Secreuxl

Neville_Kuo — Mon, 18 Nov 2019 09:36:55 GMT

Hi,

Okay I'll try to explain this with my poor English.

As you can see the below topology:

Client is using Firewall PBR and transparent proxy for internet access.

All client's http/https traficc will go through core switch->CP15600 then F5, F5 will distribute web service to proxy servers, then proxy will do the internet service for clients.

Most of web pages are ok, except this import one:

https://www.tycc.gov.tw/LiveVideo/history.aspx

It's a live videos history link, you may click on any square to see one of Taiwan parilament live stream backup, from the source code of any video clip, you can see the video was uploaded to the following link:

jwplayer("__CCDNPlayer1081118").setup({

    'width':'100%',

    'height':'100%',

    file: "https://flv.ccdntech.com/vod/_definst_/mp4:vod166/vod166_Live/20191118105959_live_dms.mp4/playlist.m3u8?wowzaplaystart=1795000",

    autostart:true,

With PBR+transparent proxy, most of clients can't replay this videos, they tried so many times only 1 or 2 times can display.

If traffic is not going through F5(No proxy), everything is fine, but that's not allowed.

It client using explicit proxy(Manually configured on browser), everything is fine, but that's not impossible, they claimed former firewall(Fortigate) don't need to do that.

If I turned off securexl, everything is fine, that's what they can accept, but I'm afraid of I/O issue so I turned on multiqueue and give 2 more cores to snd(There are 16 cores on CP15600).

Any better idea would be appreciated.

Re: Multiqueue without Secreuxl

G_W_Albrecht — Mon, 18 Nov 2019 10:02:15 GMT

As this is a deep SecureXL PBR issue, what is the statement from TAC / R&D here ?

Re: Multiqueue without Secreuxl

PhoneBoy — Mon, 18 Nov 2019 16:12:52 GMT

Sounds like you should open a TAC case.
Specifically because disabling SecureXL should never be the solution to a problem.