Di_Junior
Advisor

CoreXL: only one SND core is busy

Dear Mates

I have one of my clients that uses Check Point firewalls with 20 cores. The core configuration is as follows:

18 SND, and 2 CoreXL. This is a follow-up thread for the discussion we are having at the end of this thread: https://community.checkpoint.com/t5/General-Topics/Eliminating-Routing-Asymmetry-between-Two-Differe...

@Timothy_Hall, see the output of the requested commands in the attached picture.

Thanks in advance

0 Kudos
8 Replies
Di_Junior
Advisor

Hi @Timothy_Hall 

I attach some more interesting command output.

Thanks

0 Kudos
G_W_Albrecht
Legend

Maybe you can state again the issue you have? This is a very cryptic follow-up discussion that seems to be between two people only...
CCSE CCTE SMB Specialist
0 Kudos
Di_Junior
Advisor

Hi there

Below is the issue:

"Another question is about CoreXL. I have a client who has a 20-core Check Point firewall (all licensed), but the system has only 2 CoreXL cores, the other ones are SND. Is this a good scenario? If yes, why? If not, why?"

Sorry about that

0 Kudos
Timothy_Hall
Champion

Gah, that is one messed up configuration.  I think someone meant to assign 2 SND/IRQ cores but assigned 2 Firewall Worker instances instead.  SecureXL is off, so everything is going F2F on just the two worker cores.  Looks like there may have been some manual interface affinity adjustments as well.  Not sure why SecureXL is off, perhaps using Traditional Mode VPNs?  The performance has got to be terrible on this firewall.  What does netstat -ni show?

 

"Max Capture: Know Your Packets" Self-Guided Video Series
available at http://www.maxpowerfirewalls.com
0 Kudos
Di_Junior
Advisor

Hi Tim

As far as I can tell, one of the reasons why SecureXL is off is because they are using Load-sharing.

In this situation what would you recommend?

How can automatic affinity be configured?

See the attached picture for the output of netstat -ni.

Thanks

0 Kudos
Daniel_Taney
Advisor

Do you know which method of Load-sharing they are using? As Mr. @Timothy_Hall kindly pointed out to me in prior conversations, you can use SecureXL in Load-Sharing Unicast mode. I had definitely misunderstood that and thought any use of Load-sharing precluded you from enabling SecureXL.

I would suggest starting by going into cpconfig and changing the allocation of SNDs / FWKs. If it is a 20 core box, the default configuration would have been 18 FWK Instances and 2 SNDs. (So enter 18 at the prompt in cpconfig.)

If you find you are able to enable SecureXL, you may want to consider monitoring usage with SecureXL on and considering changing it to 16 FWK instances and 4 SNDs. If SecureXL isn't an option for sure, you probably want as many FWK instances as possible since that's where all your traffic is being processed.

R80 CCSA / CCSE
Timothy_Hall
Champion

Given the large number of things wrong, I'd strongly recommend downloading and running the healthcheck script located here and engaging with TAC:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Trying to solve all the problems with that system in this thread will cause it to become epic in length for all the wrong reasons.  🙂

_Val_
Admin

Why on earth are you using load sharing? Go for HA mode and tune your 20 cores properly, that will give you more performance than LS.

0 Kudos