Advisor

CoreXL: only one SND core is busy

Dear Mates 

 

I have a client that uses Check Point firewalls with 20 cores. The core configuration is as follows:

18 SND, and 2 CoreXL. This is a follow-up thread for the discussion we are having at the end of this thread: https://community.checkpoint.com/t5/General-Topics/Eliminating-Routing-Asymmetry-between-Two-Differe...

 

@Timothy_Hall, see the output of the requested commands in the attached picture.

Thanks in advance

0 Kudos
8 Replies
Advisor

Hi @Timothy_Hall 

I attach some more interesting command output.

Thanks

0 Kudos
Champion

Maybe you can state the issue you have again? This is a very cryptic follow-up discussion that seems to be between two people only...
0 Kudos
Advisor

Hi there

 

Below is the issue:

 

"

Another question is about CoreXL. I have a client who has a 20-core Check Point firewall (all licensed), but the system has only 2 CoreXL cores; the other ones are SND. Is this a good scenario? If yes, why? If not, why?

"

 

Sorry about that

0 Kudos
Champion

Gah, that is one messed up configuration.  I think someone meant to assign 2 SND/IRQ cores but assigned 2 Firewall Worker instances instead.  SecureXL is off, so everything is going F2F on just the two worker cores.  Looks like there may have been some manual interface affinity adjustments as well.  Not sure why SecureXL is off, perhaps using Traditional Mode VPNs?  The performance has got to be terrible on this firewall.  What does netstat -ni show?

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
Advisor

Hi Tim

 

As far as I can tell, one of the reasons why SecureXL is off is because they are using Load-sharing.

In this situation what would you recommend?

How can automatic affinity be configured?

 

See the attached picture for the output of netstat -ni.

 

Thanks

0 Kudos
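Added example, not part of the thread and not Check Point code: one thing `netstat -ni` shows is per-interface receive drops (RX-DRP), and this helper reports them as a percentage of RX-OK so a busy interface with a high drop rate stands out. The function names, the sample counters (constructed, not the poster's output) and the 0.1% default threshold are assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample in the layout of Linux `netstat -ni`; NOT output from the thread.
sample_netstat() {
cat <<'EOF'
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0 98000000      0 196000      0 91000000      0      0      0 BMRU
eth1       1500   0 45000000      0   9000      0 47000000      0      0      0 BMRU
eth2       1500   0        0      0      0      0        0      0      0      0 BMU
lo        16436   0   120000      0      0      0   120000      0      0      0 LRU
EOF
}

# rx_drop_report [threshold_pct]
# Reads `netstat -ni` text on stdin and prints one line per interface:
#   <iface> <rx_ok> <rx_drp> <drop_pct> <OK|HIGH|IDLE>
# Columns are located by header name, because newer net-tools builds omit
# the "Met" column and the field positions shift. Loopback is skipped.
rx_drop_report() {
  awk -v limit="${1:-0.1}" '
    $1 == "Iface" {
      # Map each header label to its field number.
      for (i = 1; i <= NF; i++) col[$i] = i
      have_hdr = 1
      next
    }
    # Ignore anything before the header, short lines and loopback.
    !have_hdr || NF < col["RX-DRP"] || $1 == "lo" { next }
    {
      ok  = $(col["RX-OK"])
      drp = $(col["RX-DRP"])
      if (ok + 0 == 0) {            # no traffic: avoid dividing by zero
        printf "%s %s %s 0.000 IDLE\n", $1, ok, drp
        next
      }
      pct = 100 * drp / ok
      printf "%s %s %s %.3f %s\n", $1, ok, drp, pct, (pct > limit ? "HIGH" : "OK")
    }'
}

# On a gateway the input would come from the live command:
#   netstat -ni | rx_drop_report
sample_netstat | rx_drop_report 0.1
```

The counters are cumulative since boot, so compare two runs taken some minutes apart before drawing conclusions from a single percentage.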
Advisor

Do you know which method of Load-sharing they are using? As Mr. @Timothy_Hall  kindly pointed out to me in prior conversations, you can use SecureXL in Load-Sharing Unicast mode. I had definitely misunderstood that and thought any use of Load-sharing precluded you from enabling SecureXL.

I would suggest starting by going into cpconfig and changing the allocation of SND's / FWK's. If it is a 20 core box, the default configuration would have been 18 FWK Instances and 2 SND's. (So enter 18 at the prompt in cpconfig). 

If you find you are able to enable SecureXL, you may want to consider monitoring usage with SecureXL on and considering changing it to 16 FWK instances and 4 SND's. If SecureXL isn't an option for sure, you probably want as many FWK instances as possible since that's where all your traffic is being processed.

R80 CCSA / CCSE
Champion

Given the large number of things wrong, I'd strongly recommend downloading and running the healthcheck script located here and engaging with TAC:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Trying to solve all the problems with that system in this thread will cause it to become epic in length for all the wrong reasons.  🙂

Admin

Why on earth are you using load sharing? Go for HA mode and tune your 20 cores properly, that will give you more performance than LS.

0 Kudos