https://community.checkpoint.com/t5/Firewall-and-Security-Management/Slow-HTTP-connection-is-eating-80-90-of-CPU-core/m-p/117893#M16682 <P>Hello mates,</P><P>I have an issue with some FW overloads, while not so much traffic and connections are passing trough.</P><P>We have identified several heavy connections coming from S2S VPN taking about 80 % of a CPU core.<BR />After some analysis with tcpdump/wireshark it appears that this connection bandwidth is about 162kbit/s for about 10 min capture (7mb file).<BR />This is pretty slow connection for me, but is eating a lot of resources.&nbsp;</P><P>Devices are powerful enough - Supermicro equivalent of CP 5900, three devices with R80.30 running in a HA Cluster.<BR />About 300Mb/s overall bandwidth and 65k connections according to CPview. TP blades are activated with IA and AppCtrl. (no HTTPS inspection)</P><P>Could you give me some hints how to find out if this connection is accelerated or is passing through F2F path.</P><P>Also tried to add to fast_accel table, but there are no hits and suppose traffic from VPN cannot be passed to fast_accel.</P><P>Thanks</P> Fri, 07 May 2021 07:09:38 GMT Dilian_Chernev 2021-05-07T07:09:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Slow-HTTP-connection-is-eating-80-90-of-CPU-core/m-p/117893#M16682 <P>Hello mates,</P><P>I have an issue with some FW overloads, while not so much traffic and connections are passing trough.</P><P>We have identified several heavy connections coming from S2S VPN taking about 80 % of a CPU core.<BR />After some analysis with tcpdump/wireshark it appears that this connection bandwidth is about 162kbit/s for about 10 min capture (7mb file).<BR />This is pretty slow connection for me, but is eating a lot of resources.&nbsp;</P><P>Devices are powerful enough - Supermicro equivalent of CP 5900, three devices with R80.30 running in a HA Cluster.<BR />About 300Mb/s overall bandwidth and 65k connections according to CPview. TP blades are activated with IA and AppCtrl. (no HTTPS inspection)</P><P>Could you give me some hints how to find out if this connection is accelerated or is passing through F2F path.</P><P>Also tried to add to fast_accel table, but there are no hits and suppose traffic from VPN cannot be passed to fast_accel.</P><P>Thanks</P> Fri, 07 May 2021 07:09:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Slow-HTTP-connection-is-eating-80-90-of-CPU-core/m-p/117893#M16682 Dilian_Chernev 2021-05-07T07:09:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Slow-HTTP-connection-is-eating-80-90-of-CPU-core/m-p/117904#M16684 <P>You could try to look at the output of "fwaccel conns" (<A href="https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_PerformanceTuning_AdminGuide/Content/Topics-PTG/CLI/fwaccel-conns.htm" target="_blank">https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_PerformanceTuning_AdminGuide/Content/Topics-PTG/CLI/fwaccel-conns.htm</A>). Its really strange a single connection is using so much CPU time, maybe something else contributes to the problem? VPN Encryption like 3DES or a custom application with a complex regex maybe?</P> Fri, 07 May 2021 08:35:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Slow-HTTP-connection-is-eating-80-90-of-CPU-core/m-p/117904#M16684 Benedikt_Weissl 2021-05-07T08:35:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Slow-HTTP-connection-is-eating-80-90-of-CPU-core/m-p/117969#M16690 <P>In R80.30 all connections except those that are F2F should show up in the output of <STRONG>fwaccel conns</STRONG>.&nbsp; The only official way to see F2F connections is <STRONG>fw ctl multik gconn</STRONG>, although there is the undocumented<STRONG>&nbsp;fw_mux all</STRONG> command which will show you the state of all connections regardless of acceleration status as it relates to the multiplexing of a stream across multiple worker cores.&nbsp; See here:</P> <H2 class="message-subject"><SPAN class="lia-message-unread lia-message-unread-windows"><A id="link_16" class="page-link lia-link-navigation lia-custom-event" href="https://community.checkpoint.com/t5/Security-Gateways/fw-ctl-fast-accel-some-traffic-still-going-slow-path/m-p/105183?search-action-id=25134144699&amp;search-result-uid=105183" target="_blank"><SPAN class="lia-search-match-lithium">fw</SPAN> ctl fast_accel - some traffic still going slow</A></SPAN></H2> <P>&nbsp;</P> Sat, 08 May 2021 13:37:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Slow-HTTP-connection-is-eating-80-90-of-CPU-core/m-p/117969#M16690 Timothy_Hall 2021-05-08T13:37:38Z