This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Atle
Participant
‎2024-08-07 04:09 AM

Core XL cpu type

Hi.

I have some issues with vpn instability in p2 re-key, between a cluster and a gateway in Azure. Cluster and azure gateway are both running R81.20

If I disable CoreXL on the Azure gateway, the site to site tunnel is stable.

In cpview, under cpu -> overview I see the workers, but the SND isn't listed, instead I just see the cpu as "other", just as described in sk181241. However setting the affinity and rebooting does not resolve this issue. I was expecting to see "CoreXL_SND" for one of the cpu's

fwctl.png

cpview.png

 

Any ideas on why the SND isn't being assigned?

 

 

 

 

0 Kudos
17 Replies
AkosBakos
Mentor Mentor
Mentor
‎2024-08-07 06:51 AM

Hi @Atle 

You use R81.20, but you didn't mention the JHF take number.

Now take 76 is recommended, first install it before the further investigation.

Dou you use IKEv1 or IKEv2? 

Did you try to change something on both side? Eg.: DH group or something else?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Atle
Participant
‎2024-08-07 11:25 PM
In response to AkosBakos

Hi. It's pretty recent, and I have not seen anything in the documentation that suggest hfa 76 would resolve this. I had the same issue on R81.10, and therefore upgraded to R81.20  I get the same results if I use ikev1 or Ikev2, different Dh versions, etc. In my experience ipsec between to Check Point gateways just works, regardless of version. Disabling core xl resolves it, so I believe it is related to that.

 

Atle

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-08-07 07:09 AM

What did / do you see with "show dynamic-balancing state" on the Azure GW?

CCSM R77/R80/ELITE
0 Kudos
Atle
Participant
‎2024-08-07 10:56 PM
In response to Chris_Atkinson

thought it could be related to dynamic balancing too, but it isn't supported on virtual gateways. So I just get the"Dynamic Balancing is currently Off" message.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-08-11 06:52 PM
In response to Atle

Which JHF take is installed on this Gateway?

JHF70 and above adds multi-queue support for Microsoft Azure Network Adapter accelerated network interfaces further to Amit's comments. 

CCSM R77/R80/ELITE
0 Kudos
Atle
Participant
‎2024-08-12 03:47 AM
In response to Chris_Atkinson

Hi.

I have installed hfa 76 now.

 

Lesley
Authority Authority
Authority
‎2024-08-07 07:52 AM

Is this VSX? Please share: fw ctl affinity -l -v -a

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Atle
Participant
‎2024-08-07 11:10 PM
In response to Lesley

No, it is a single gateway running in Azure.affinity2.png

0 Kudos
Lesley
Authority Authority
Authority
‎2024-08-11 11:49 AM
In response to Atle

As long as the SND and the fwkern are not shared by the same CPU you are good. Then you can get performance issues. 

If it shows other and the other config shows it is good, it is a cosmetic issue. I had the same on a VSX setup. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
AmitShmuel
Employee
Employee
‎2024-08-11 10:00 AM

Are you using Multi-Queue? Pls share 'mq_mng -o' output, it could be that CPView does not recognize the interfaces (as this is an Azure GW)

If not, pls share 'sim affinity -l' output, we would want to see that each interface is affined to a single CPU.

0 Kudos
Atle
Participant
‎2024-08-12 01:23 AM
In response to AmitShmuel

 

Yes, mq is in use:

mq.png

0 Kudos
AmitShmuel
Employee
Employee
‎2024-08-12 01:48 AM
In response to Atle

Pls run "cat /proc/interrupts | grep eth0"
I would like to see what is the name of the irq, and if the code handles it correctly.

Alternatively, we can debug cpview and look for any related errors/warnings:

  1. Stop cpview daemon using cp watchdog
    1. cpwd_admin stop -name CPVIEWD
  2. Run cpview daemon with debugs and output them to cpview.dbg file
    1. TDERROR_ALL_ALL=5 cpviewd > cpview.dbg 2>&1
  3. Check for any errors related to interface parsing in the file (e.g. "no interrupt for interface eth0")
  4. Start cpview daemon using cp watchdog
    1. cpwd_admin start -name CPVIEWD -path $CPDIR/bin/cpviewd -command cpviewd
0 Kudos
Atle
Participant
‎2024-08-12 03:31 AM
In response to AmitShmuel

I resized the azure vm to a 4 core VM. After that, SND and workers appear correct. However, the vpn issue remains.

0 Kudos
Wolfgang
Authority
Authority
‎2024-08-11 01:25 PM

@Atle  do you have a license for 8 cores ?

How are you disableddisable CoreXL ?

0 Kudos
Atle
Participant
‎2024-08-12 12:30 AM
In response to Wolfgang

Hi.

It's licensed for 7 cores. I have configured Core XL for 6+1

I disabled Core XL in cpconfig.

 

 

0 Kudos
Wolfgang
Authority
Authority
‎2024-08-12 01:17 AM
In response to Atle

In the past we could observe some strange problems if the licensed cores does not match the existing. Your Azure gateway shows 8 cores, you need a license for 8 cores. Maybe you can try to set the core count of your gateway to the same or less then the license includes.

0 Kudos
Atle
Participant
‎2024-08-12 02:28 AM
In response to Wolfgang

I resized it down to 4 cores now, but the vpn issue still persists.

But at least cpview shows the SND and workers correct now. 🙂

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events