Hello,
We are having performance issues on one machine, and we believe that it's due to high CPU utilization of one of the cores:
1.- CPU 3 varies between 80-100% in a normal situation
| CPU: |
| |
| Num of CPUs: 4 |
| |
| CPU Used |
| 3 99% | <<<<<<<<<<<<<<<<
| 1 47% |
| 0 36%
[Expert@fw-extra-jc-02:0]# cpstat -f multi_cpu os
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 4| 10| 85| 15| ?| 49|
| 2| 3| 2| 95| 5| ?| 49|
| 3| 3| 2| 96| 4| ?| 49|
| 4| 0| 94| 6| 94| ?| 49| <<<<<<<<<<
---------------------------------------------------------------------------------
2.- We can see how the FW drops traffic due to the high CPU utilization:
Drops: |
| |
| Software Blades 2,121,406,315 |
| Interface incoming drops 5,107 |
| Instance high CPU 293,267 | <<<<<<<<<<<<<<<<<<<<<<<<<
| Rulebase 26,058,776 |
| Capacity 0 |
| SecureXL 0 |
| Drop out of state TCP enabled
3.- The affinity is as follows:
[Expert@fw-extra-jc-02:0]# fw ctl affinity -l -r
CPU 0: eth2 eth3 eth6 eth7 eth8 eth12 eth13
CPU 1: fw_2
CPU 2: fw_1
CPU 3: fw_0
All: fwpushd rtmd mpdaemon fwd vpnd cprid cpd
4.- The output of the fwaccel is as follows:
[Expert@fw-extra-jc-02:0]# fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #1427 <<<<<<<<<<<<<<<<<<<<<<<<<<<
Drop Templates : disabled
NAT Templates : disabled by user <<<<<<<<<<<<<<<<<<<<<<<<<<<
Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, Nac,
ViolationStats, AsychronicNotif, ERDOS,
NAT64, GTPAcceleration, SCTPAcceleration,
McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256
<<< I can't understand why it says that the "Accept Templates" are disabled by rule 1427, because we don't have that many rules defined.
<<< Is it recommended to enable NAT Templates?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
5.- Most of the packets that the FW receives go to the slow path. Is that percentage normal?
[Expert@fw-extra-jc-02:0]# fwaccel stats -s
Accelerated conns/Total conns : 357/4899 (7%)
Accelerated pkts/Total pkts : 60146117/347837617 (17%)
F2Fed pkts/Total pkts : 286984245/347837617 (82%) <<<<<<<<<<<
PXL pkts/Total pkts : 707255/347837617 (0%)
QXL pkts/Total pkts : 0/347837617 (0%)
Thanks a lot in advance.
Regards,
Enrique.