Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
stuart2020
Contributor
Jump to solution

Checkpooint R77.30 High CPU Slow Performance

We have been experiencing intermittent performance issues that causes connectivity through the firewall to run slow. This particularly impacts accessing systems over Site 2 Site VPNs and Remote Access VPN. We are running CheckPoint 15400 R77.30 in ClusterXL active / standby. The firewall has IPSec VPN, Mobile Access, IPS, Anti-Bot, Anti-Virus, URL Filtering and Application Control features enabled.

Looking at cpview, the CPU spiked on a particular core and stayed high for 6 hours before returning to normal. This time frame correlates with when the issue was reported and resolved. This issue occurred during a low usage period so doesn't seem to be caused due to high traffic / connections on the firewall. 

 
 

cpview.PNGcpview2.PNG

If anyone has any ideas, thoughts to resolve this issue, please let me know. 

Thank you.

 

 

 

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

As @Chris_Atkinson said a serious limitation in R77.30 is that only one FW instance/worker can handle all IPSec VPN traffic, usually FW instance #0 which is on the highest-numbered core, which is core #7 in your case. There is not much you can do about this other than upgrade to at least R80.10.  sk118097: MultiCore Support for IPsec VPN in R80.10 and above

If you are stuck on R77.30 for the time being, you could set variable fwmultik_dispatch_skip_global from 0 to 1, which will dedicate the worker instance handling IPSec to performing only that function and not handling any other connections.  Enabling the Dynamic Dispatcher (sk105261: CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above) will help keep the worker cores balanced overall, but will not help at all with the single-core IPSec limitation in R77.30.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

Dorit_Dor
Employee
Employee

Just one comment for any reader who reads this...

By now, upgrading to r80.10 is not the best advise and customers that upgrade now should choose between upgrading to r80.20 or even better r80.30. If someone uses r80.10, they can continue and use it but if not, upgrade to r80.30 is much much better, also resolve future other quality issues and performance challenges 

so yes, multi core is indeed supported from r80.10 but the advised action is upgrade to r80.30 (very widely used, much better quality indicators etc) 

View solution in original post

5 Replies
PBC_Cyber
Contributor

If it happens again take a look at top or ps,  See if it's a fw_worker tread that is maxing out the cpu on that core.  My guess it's  an unaccelerated 'elephant' flow (cifs transfer?) over the vpn tunnel that's maxing out the cpu. 

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Please  also consider upgrading to a supported version such as R80.10 and above with the following improvements:

"VPN multicore performance with CoreXL multicore scalability for VPN traffic inspected by Next Generation Firewall, Next Generation Threat Prevention, and Next Generation Threat Extraction Software Blades."

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Legend Legend
Legend

As @Chris_Atkinson said a serious limitation in R77.30 is that only one FW instance/worker can handle all IPSec VPN traffic, usually FW instance #0 which is on the highest-numbered core, which is core #7 in your case. There is not much you can do about this other than upgrade to at least R80.10.  sk118097: MultiCore Support for IPsec VPN in R80.10 and above

If you are stuck on R77.30 for the time being, you could set variable fwmultik_dispatch_skip_global from 0 to 1, which will dedicate the worker instance handling IPSec to performing only that function and not handling any other connections.  Enabling the Dynamic Dispatcher (sk105261: CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above) will help keep the worker cores balanced overall, but will not help at all with the single-core IPSec limitation in R77.30.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Dorit_Dor
Employee
Employee

Just one comment for any reader who reads this...

By now, upgrading to r80.10 is not the best advise and customers that upgrade now should choose between upgrading to r80.20 or even better r80.30. If someone uses r80.10, they can continue and use it but if not, upgrade to r80.30 is much much better, also resolve future other quality issues and performance challenges 

so yes, multi core is indeed supported from r80.10 but the advised action is upgrade to r80.30 (very widely used, much better quality indicators etc) 

HeikoAnkenbrand
Champion Champion
Champion

Hi @PBC_Cyber 

I can only confirm the statement of @Dorit_Dor.

Many of our customers use R80.30 with the latest Jumbo Hotfixes.
Overall the performance is better with R80.30 and there are also very interesting new features.

I also do not understand why so many companies still use R77.30.

R77.30 is out of support.

If you want to read more about performance tuning in R80.30 / R80.40 check this out:
R80.x Architecture and Performance Tuning - Link Collection

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events