topic Re: CoreXL: only one SND core is busy in General Topics

CoreXL: only one SND core is busy

Di_Junior — Thu, 11 Apr 2019 14:07:07 GMT

Dear Mates

I have one of my clients that uses Check Point firewalls with 20 Cores. The cores configuration are as follow:

18 SND, and 2 CoreXL. This is a follow up thread for the discussion we are having at the end of this thread: https://community.checkpoint.com/t5/General-Topics/Eliminating-Routing-Asymmetry-between-Two-Different-Physical/m-p/50597#M10006

@Timothy_Hall see the output of the requested commands in the attached picture.

Thanks in advance

Re: CoreXL: only one SND core is busy

Di_Junior — Thu, 11 Apr 2019 14:07:58 GMT

Hi @Timothy_Hall

I attach some more interesting command output.

Thanks

Re: CoreXL: only one SND core is busy

G_W_Albrecht — Thu, 11 Apr 2019 14:29:21 GMT

Maybe you can again state again the issue you have ? This is a very cryptic follow-up discussion that sems to be between two people only...

Re: CoreXL: only one SND core is busy

Di_Junior — Thu, 11 Apr 2019 14:34:27 GMT

Hi there

Bellow is the issue:

Another question is about CoreXL. I have a client who has a 20 cores Check Point firewall (all licensed), but the system has only 2 CoreXL cores, the other ones are SND. Is this a good scenario? if yes, why, if not why?

Sorry about that

Re: CoreXL: only one SND core is busy

Timothy_Hall — Thu, 11 Apr 2019 14:53:30 GMT

Gah, that is one messed up configuration. I think someone meant to assign 2 SND/IRQ cores but assigned 2 Firewall Worker instances instead. SecureXL is off, so everything is going F2F on just the two worker cores. Looks like there may have been some manual interface affinity adjustments as well. Not sure why SecureXL is off, perhaps using Traditional Mode VPNs? The performance has got to be terrible on this firewall. What does netstat -ni show?

Re: CoreXL: only one SND core is busy

Di_Junior — Thu, 11 Apr 2019 17:00:53 GMT

Hi Tim

As far as I can tell one of the reason why SecureXL is off is because they are using Load-sharing.

In this situation what would you recommend?

How can automatic affinity be configured?

see the attached picture for the output of netstat -ni.

Thanks

Re: CoreXL: only one SND core is busy

Daniel_Taney — Thu, 11 Apr 2019 18:35:58 GMT

Do you know which method of Load-sharing they are using? As Mr. @Timothy_Hall kindly pointed out to me in prior conversations, you can use SecureXL in Load-Sharing Unicast mode. I had definitely misunderstood that and thought any use of Load-sharing precluded you from enabling SecureXL.

I would suggest starting by going into cpconfig and changing the allocation of SND's / FWK's. If it is a 20 core box, the default configuration would have been 18 FWK Instances and 2 SND's. (So enter 18 at the prompt in cpconfig).

If you find you are able to enable SecureXL, you may want to consider monitoring usage with SecureXL on and considering changing it to 16 FWK instances and 4 SND's. If SecureXL isn't an option for sure, you probably want as many FWK instances as possible since that's where all your traffic is being processed.

Re: CoreXL: only one SND core is busy

Timothy_Hall — Fri, 12 Apr 2019 00:50:38 GMT

Given the large number of things wrong, I'd strongly recommend downloading and running the healthcheck script located here and engaging with TAC:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121447

Trying to solve all the problems with that system in this thread will cause it to become epic in length for all the wrong reasons. 🙂

Re: CoreXL: only one SND core is busy

_Val_ — Fri, 12 Apr 2019 07:49:22 GMT

Why on earth are you using load sharing? Go for HA mode and tune your 20 cores properly, that will give you more performance than LS.