topic Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections) in General Topics

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

HeikoAnkenbrand — Tue, 03 Dec 2019 07:14:25 GMT

Elephant Flow (Heavy Connections)

In computer networking, an elephant flow (heavy connection) is an extremely large in total bytes continuous flow set up by a TCP or other protocol flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. When the observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows).

All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type.

What typically produces heavy connections:

System backups
Database backups
VMWare sync.

Chapter

More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Evaluation of heavy connections

The big question is, how do you found elephat flows on an R80 gateway?

Tip 1
Evaluation of heavy connections (epehant flows)

A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is a SK105762 to activate "Firewall Priority Queues". This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.

Heavy connection flow system definition on Check Point gateways:

Specific instance CPU is over 60%
Suspected connection lasts more than 10s
Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%

CLI Commands

Tip 2
Enable the monitoring of heavy connections.

To enable the monitoring of heavy connections that consume high CPU resources:

# fw ctl multik prioq 1

# reboot

Tip 3
Found heavy connection on the gateway with „print_heavy connections“

On the system itself, heavy connection data is accessible using the command:

# fw ctl multik print_heavy_conn

Tip 4
Found heavy connection on the gateway with cpview

# cpview CPU > Top-Connection > InstancesX

Links

sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Josef_Pecher — Tue, 03 Dec 2019 10:09:29 GMT

Hi @HeikoAnkenbrand,

Thank you for all the interesting articles about Performance Tuning you wrote.

You could write a book out of this link collection 😀.

R80.x Architecture and Performance Tuning - Link Collection

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Paul_Erez — Tue, 03 Dec 2019 16:08:50 GMT

Hi @HeikoAnkenbrand,

This article has helped me very well.

I followed the steps and actually found a database backup connection. The connection caused about 70% CPU load on one core. We have now limited the bandwidth of the connection via QoS.

Best Regards

Paul

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Niroyec_Yerusha — Wed, 04 Dec 2019 14:57:14 GMT

We were able to identify a very similar problem.

thx

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Patricia_OSulli — Thu, 05 Dec 2019 13:47:12 GMT

We also had the problem with the elephant flows. This is a good way to find them quickly and easily.

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

HeikoAnkenbrand — Fri, 06 Dec 2019 07:18:41 GMT

In the past years I had always been looking for a solution to find elephant flows. Check Point has built in a good solution.

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Gaurav_B_ — Wed, 11 Dec 2019 07:38:25 GMT

I just tried that. This is a very interesting solution. A way to find elefant flows.

Thanks

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Delia_Pele — Fri, 13 Dec 2019 17:55:47 GMT

👌

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Dirk_Wisbey — Wed, 08 Jan 2020 06:40:46 GMT

We have several connections with 5-7% utilization.

What can we do here?

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Timothy_Hall — Wed, 08 Jan 2020 13:48:25 GMT

So glad you asked this question. 🙂

I will be speaking at CPX New Orleans and Vienna on the CheckMates track with a presentation called "Big Game Hunting: Elephant Flows" that will go through how to track down elephant flows (a.k.a. heavy connections), all the different remediation options, and the pros and cons of each. PhoneBoy will be delivering this presentation for me at CPX Bangkok because I'll be very busy that week, with, uh, something else...

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Igor_Szkaradkie — Wed, 15 Jan 2020 20:55:16 GMT

This is an interesting approach to detect heavy connections. I had checked this after this article and could identify some systems that were causing problems. We have now created QoS rules to limit the bandwidth. That worked well.

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Martin_Raska — Thu, 16 Jan 2020 08:50:01 GMT

Guys,

if you have a problem with elephant flow you may try this

SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above - sk156672

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Josh_Dillig — Tue, 21 Jan 2020 17:16:28 GMT

Do we have to enable PrioQ to support the "fw ctl multik print_heavy_conn" command? The article suggests it, but the Tip# list isn't execution step#.

Also is this supported on R77.30 and R76SP.50?

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Timothy_Hall — Tue, 21 Jan 2020 17:26:29 GMT

Priority Queues must be in mode 1 (Eviluator-only) to use that command; mode 1 is the default on a firewall that does not have USFW enabled. I'll be speaking about this very topic in detail at CPX New Orleans and Vienna.

Support for fw ctl multik print_heavy_conn was added in R80.20; I doubt it can be backported into earlier releases since I'm pretty sure it relies on the major changes introduced to SecureXL in R80.20.

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

uror — Tue, 03 Mar 2020 18:01:23 GMT

This does not work with R80.40.

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

HeikoAnkenbrand — Tue, 03 Mar 2020 18:06:19 GMT

R80.40 gateways use USFW by default.

Unfortunately this is no longer possible with R80.40 in USFW. @Timothy_Hall has already described this well for R80.20.

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Martin_Raska — Wed, 04 Mar 2020 09:13:06 GMT

Could someone explain why FW was moved from kernel space to user space by default? What is the benefit except alocation more memory when you have more cores? What will be impacted, what is behind? Thanks

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

_Val_ — Wed, 04 Mar 2020 09:31:27 GMT

That was discussed here in several posts, I think.

In a nutshell, with more than 48 cores, kernel mode cannot utilise them all. To allow CoreXL use more cores on high performance boxes, User Mode is the only option. Plus, user mode add stability. If FWK instance crashes, it does not affect the whole machine.

VSX is running User Mode FWK instances for ages, actually.

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

HeikoAnkenbrand — Wed, 04 Mar 2020 18:30:52 GMT

Hi @Martin_Raska,

In “Kernel Mode Firewall” KMFW, the maximum number of running cores is limited to 40 because of the Linux/Intel limitation of 2GB kernel memory, and because CoreXL architecture needs to load a large driver (~42MB) dozens of times (according to the CPU number, and up to 40 times). Newer platforms that contain more than 40 cores e.g., 23900 or open server are not fully utilized.

The solution of the problem is a firewall in the user mode of the Linux operating system.

GAIA version/ Kernel/ Cores	Firewall mode	Check
R80.30 kernel 3.10 more then 35* cores	UMFW is enabled	checked on HP DL 380 G10 2 * Platinum 8180MProcessor 28 cores = 56 cores
R80.30 kernel 3.10 less then 35* cores	KMFW is enabled	checked on HP DL 380 G10 1 * Platinum 8180MProcessor 28 cores
R80.30 kernel 2.6	KMFW is enabled	checked on VMWare with 30 cores and with 46 cores
R80.40 (default 3.10 kernel)	UMFW is enabled by default	checked on VMWare with 4 cores

To make sure that UMFW is activated, run the following command:

# cpprod_util FwIsUsermode

1 = User Mode Firewall
0 = Kernel Mode Firewall

For more information or to change the mode, read more in my article here:

R80.x - Performance Tuning Tip – User Mode Firewall vs. Kernel Mode Firewall

Re: R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Martin_Raska — Thu, 05 Mar 2020 13:58:23 GMT

Thanks Heiko, I will ask differently, what is a difference when FW code is running in kernel mode or user mode except for memory allocation.