Ladies and Gentlemen,
Due to the corona crisis we have built up a secondary backup VPN gateway in our infrastructure with a CP4800 appliance. This gateway should only be used when the primary VPN gateway CP5800 is overloaded.
Actually we know that the primary GW can handle up to 4000 VPN C2S sessions on R77.30 - but the backup GW with R80.10 is only for VPN GW which routes all traffic to the primary GW.
In direct comparison the CP4800 GW with the newer R80.10 and only 10 VPN users is much slower (direct comparison between the two GWs - 4800 10-15 Mbit slower) than the primary GW with R77.30 and 3000 users. We already tried a lot of checks and configuration settings.
Is anybody out there who can give some tips/tricks or hints for performance tweaks?
4800 does not support AES-NI so this SK will not work for us.
Active Blades: FW, NAT, VPN
Internet Interface (incoming traffic) = eth4
xxx1:TACP-0> fw ctl affinity -l
eth5: CPU 0
eth1: CPU 0
eth2: CPU 0
eth3: CPU 0
eth4: CPU 0
Kernel fw_0: CPU 3
Kernel fw_1: CPU 2
Kernel fw_2: CPU 1
Daemon mpdaemon: CPU 1 2 3
Daemon fwd: CPU 1 2 3
Daemon lpd: CPU 1 2 3
Daemon wsdnsd: CPU 1 2 3
Daemon cpd: CPU 1 2 3
Daemon cprid: CPU 1 2 3
xxx1:TACP-0> fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
Security disables template offloads from rule #15
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by user
NMR Templates : enabled
NMT Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, Nac,
ViolationStats, AsychronicNotif, ERDOS,
McastRoutingV2, NMR, NMT, NAT64, GTPAcceleration,
SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256
xxx1:TACP-0> fw ver
This is Check Point's software version R80.10 - Build 083
It would be great if somebody has some tuning tips for us.
Br. Sub7