This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
EDX616
Participant
‎2020-01-29 03:01 AM

What exactly does "Instance is currently fully utilized" mean?

Hello mates,

in a zdebug the output was "dropped by fwmultik_enqueue_packet_kernel Reason: Instance is currently fully utilized;"

 

The question now is "What exactly does it mean?"

 

Is the Firewall fully utilized or the destination behind the FW?

May the Server can not process more traffic and sends to the FW to drop the packets or is it too much for the Gateway and drops it itself?

 

Thanks

zdebug fully.jpg
Preview file
7 KB
0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2020-01-29 04:25 AM

It can be a number of things as a search of Secure Knowledge will reveal: CoreXL input queue, sizing, Jumbo frames, bug etc

 

Suggest discussing your specific situation with TAC.

CCSM R77/R80/ELITE
Timothy_Hall
Legend Legend
Legend
‎2020-01-30 11:10 AM

All traffic coming up from the NIC hardware must pass through SND/SecureXL first.  In R80.20+ if that packet is part of an existing connection that is already accelerated by SecureXL, the packet is inspected by SecureXL with no direct assistance from a Firewall Worker.

However in R80.20+ any packets that are not part of an existing accelerated connection or are starting a new connection, must be forwarded to a Firewall Worker instance.  There is an input queue on each Firewall Worker to receive packets sent up by the SND.  If the SND cores and Multi-Queue are well-tuned and the Firewall Worker instance is extremely busy, in some cases the queue can overflow and packets can be lost, particularly if there is a heavy stream of very small packets.

The first course of action is to undertake firewall optimization to ensure that the firewall worker(s) are not so busy in the first place.  While the input queue size can be increased (just as the network ring buffer size can be increased), in general I am not a fan of increasing buffers/queues from their default value unless absolutely necessary as it can actually make things worse due to the extra overhead to manage the increased buffer size, and possibly increasing jitter.

This topic was covered in the third edition of my book, but also see this: sk61143: Traffic is dropped by CoreXL with "fwmultik_inbound_packet_from_dispatcher Reason: Instance....

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top