Stan_Mazur
Participant

VSX FW1_dev 140% cpu.

Is there a way to not accelerate a service on SecureXL on VSX? The issue is I have an admin in the VM team that kicks off replication jobs (8-10 of them) and it's pumping between 100 to 400 Mbps on service port ideafarm-door (902), which seems to stay with FWK1-DEV. When I push policy to that device it fails, because it times out. So I have to reach out to the admin to pause his jobs, so I can push policy. Everything else works fine. Is this a VSX bug?

7 Replies
_Val_
Admin

Firstly, yes, you can disable SecureXL on a per-VS basis using the CLI "fwaccel off" command from a VS context. However, this will only add to your current issue, instead of resolving it.

0 Kudos
Kaspars_Zibarts
Authority

Hi. It's not a bug, you just need to tweak CoreXL and SXL to meet traffic requirements. It could well be that the system will be underpowered to deal with such traffic volume. Therefore, can you share top command output showing all 16 individual cores' utilisation when it happens? Just to see which cores are maxed out.

As Valeri said, SXL is actually your friend in high volume traffic; it should help free up CPU usage.

0 Kudos
Vladimir
Champion

Could it be an interface buffer size issue?

0 Kudos
Kaspars_Zibarts
Authority

Don't think so, but can't tell from the logs provided. CoreXL allocation is not exactly right, as cores 2 and 3 seem to be used for SXL and generic firewall tasks (except fwk). We need to see detailed CPU usage to make the correct call.

0 Kudos
JanVC
Collaborator

fwk1_dev is the combination of the 4 cores allocated to this vs

while in top, press shift+h to show the individual threads (worker cores)

148% means 1.5 of the 4 assigned cores being used

0 Kudos
Stan_Mazur
Participant

Check Point support's conclusion is that it is related to MTU size on VS 1 interfaces. We're running a 10G interface with MTU size 9000; according to CP, they are working on a hotfix. "The recommended hotfix was not yet ported to Take_317; the latest version was for Take_302. I tested this version and it is not compatible with 317."

HeikoAnkenbrand
Champion

SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.

For more, see here: R80.x Performance Tuning and Debug Tips – fw monitor

Regards

Heiko

0 Kudos