Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Nickel

Drops on interface with high CPU

Jump to solution

Hardware: 25400

20 cores with 6/14 split.

OS: GAIA R77.30 T216

Uptime: Over 18 months

Bandwidth (typical): 500 Mbps

Concurrent connections: About 18K

Packets/Sec: Under 500K

RX ring-size on interface: 512

 

One 10g (non-bonded) interface has started dropping packets recently. This is tied to CPU core 1, that is running between 75 to 95%. Interface is showing RX drops constantly.

No other errors noticed. zdebug does not show any drops. SecureXL is accelerating 98% packets.

 

Question: This firewall should not be dropping packets, I do not see any reason. As a first step, I would like to reboot the firewall. Any one in support of this? Anyone suggests increasing buffer size on interface?

 

 

0 Kudos
1 Solution

Accepted Solutions
Highlighted

Re: Drops on interface with high CPU

Jump to solution

You almost certainly need to enable Multi Queue on the interface, seems like you have enough SND/IRQ cores.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

View solution in original post

0 Kudos
6 Replies
Highlighted
Nickel

Re: Drops on interface with high CPU

Jump to solution
Forgot to mention that the attached Cisco switch is showing no errors at all, all clean.
0 Kudos
Highlighted
Nickel

Re: Drops on interface with high CPU

Jump to solution

Correction: Hardware is 23500

Question: In the existing 6/14 split, would you recommend adding more SND cores before enabling MQ?

Any changes to SIM affinity, leaving it automatic ok?

0 Kudos
Highlighted

Re: Drops on interface with high CPU

Jump to solution

You would have to look at the load on all CPUs and then make a call - if you need more SXL or FWK cores. Or leave it as is

0 Kudos
Highlighted

Re: Drops on interface with high CPU

Jump to solution

You almost certainly need to enable Multi Queue on the interface, seems like you have enough SND/IRQ cores.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

View solution in original post

0 Kudos

Re: Drops on interface with high CPU

Jump to solution
Definitely, 1 core will struggle with 10Gbps interface from our experience
0 Kudos
Highlighted

Re: Drops on interface with high CPU

Jump to solution

As stated before, you should enable MultiQ on that interface. If you are still seeing errors on the interfaces you may need to liberate the cores assigned to MultiQ.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos