cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

VSX FW1_dev 140% cpu.

Is there a way to not accelerate service on SecureXL on VSX. The issue is I have a admin in VM team that kick's

off replication jobs(8-10 of them) and it pumping between 100 to 400 Mbps on service port ideafarm-door (902), which

seems to stay with FWK1-DEV. When I push policy to that device it fails, because it times out. So I have to reach

out to the admin to pause his jobs, so I can push policy. Everything else work fine. Is this VSX bug?

7 Replies

Re: VSX FW1_dev 140% cpu.

Firstly, yes, you can disable SecureXL on per VS basis using CLI "fwaccell off" command from a VS content. However, this will only add to your current issue, instead of resolving it. 

0 Kudos

Re: VSX FW1_dev 140% cpu.

Hi. It's not a bug, you just need to tweak CoreXL and SXL to meet traffic requirements. It could well be that system will be underpowered to deal with such traffic volume. Therefore, can you share top command output showing all 16 individual core utilisation when it happens? Just to see which cores are maxed out.

As Valeri said SXL is actually your friend in high volume traffic, it should help free up CPU usage.

0 Kudos
Vladimir
Pearl

Re: VSX FW1_dev 140% cpu.

Could it be an interface buffer size issue?

0 Kudos

Re: VSX FW1_dev 140% cpu.

Don't think so but can't tell from logs provided. CoreXL allocation is not exactly right as cores 2 and 3 seems to be used for SXL and generic firewall tasks (except fwk). We need to see detailed CPU usage to make correct call 

0 Kudos

Re: VSX FW1_dev 140% cpu.

fwk1_dev is the combination of the 4 cores allocated to this vs

while in top, press shift+h to show the individual threads (worker cores)

148% means 1.5 of the 4 assigned cores being used

0 Kudos

Re: VSX FW1_dev 140% cpu.

Check Point support conclusion is related MTU size on vs 1 interfaces. Where running 10g interface with MTU size 9000,according,to CP they our working 

on Hotfix." The recommended hotfix was not yet ported to Take_317, the latest version was for Take_302. I tested this version and it is not compatible

with 317"

Highlighted

Re: VSX FW1_dev 140% cpu.

SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.

More see here: R80.x Performance Tuning and Debug Tips – fw monitor 

Regards

Heiko

0 Kudos