Hello Experts,

The 23800 firewall is on the  take R80.20 take :173

For testing we are using iperf3 but our requirement is to copy data from one ISILION server to another

We have observed, with single session we are are getting around 5 Gbps for the data transfer and 2 Gbps for other traffic but as soon as we increase number of session data transfer decreases to 2.5 Gbps

Pawan Shukla 

1) I would use R80.30 or R80.40 with the latest JHF.

2) Enable multi queueing with 10 GBit/s interfaces. Without MQ a throughput of 3-5 GBit/s is possible with one interface. More read here: R80.x - Performance Tuning Tip - Multi Queue

3) Which paths (more here R80.x - Security Gateway Architecture (Logical Packet Flow))  do the packages use? Show us the output of the following commands:

# fwaccel stats -s

# top     -> press 1 for all cores

4) You use 4 SND's (eth1-01, eth1-02, eth1-03, eth1-04) and 40 CoreXL instances.

   -> If you strongly use the accelaration path, you should use more SND's

Hello,

Kindly find the below details, provide some solution. In my architecture, I have used 4*10Gb fiber interface. So I a

#fwaccel stats -s

Accelerated conns/Total conns : 7026/39238 (17%)
Accelerated pkts/Total pkts : 34463719650/35911020948 (95%)
F2Fed pkts/Total pkts : 1447301298/35911020948 (4%)
F2V pkts/Total pkts : 98202672/35911020948 (0%)
CPASXL pkts/Total pkts : 0/35911020948 (0%)
PSLXL pkts/Total pkts : 23921876122/35911020948 (66%)
CPAS inline pkts/Total pkts : 0/35911020948 (0%)
PSL inline pkts/Total pkts : 0/35911020948 (0%)
QOS inbound pkts/Total pkts : 0/35911020948 (0%)
QOS outbound pkts/Total pkts : 0/35911020948 (0%)
Corrected pkts/Total pkts : 0/35911020948 (0%)

#top

top - 22:28:34 up 3 days, 2:29, 1 user, load average: 2.17, 2.81, 2.76
Tasks: 615 total, 2 running, 613 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.1%us, 0.6%sy, 0.0%ni, 93.4%id, 0.0%wa, 0.0%hi, 5.9%si, 0.0%st
Mem: 65746320k total, 13848148k used, 51898172k free, 329668k buffers
Swap: 33551672k total, 0k used, 33551672k free, 1946612k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5095 admin 15 0 0 0 0 S 22 0.0 60:18.99 fw_worker_24
5077 admin 15 0 0 0 0 S 19 0.0 85:41.38 fw_worker_6
5108 admin 15 0 0 0 0 S 19 0.0 220:31.43 fw_worker_37
5092 admin 15 0 0 0 0 S 18 0.0 279:32.86 fw_worker_21
5107 admin 15 0 0 0 0 S 16 0.0 364:14.04 fw_worker_36
8856 admin 15 0 862m 184m 39m S 14 0.3 235:20.76 fw_full
5078 admin 15 0 0 0 0 S 10 0.0 326:44.01 fw_worker_7
5072 admin 15 0 0 0 0 S 8 0.0 256:41.55 fw_worker_1
5110 admin 15 0 0 0 0 S 8 0.0 105:03.55 fw_worker_39
5096 admin 15 0 0 0 0 S 7 0.0 284:17.59 fw_worker_25
5098 admin 15 0 0 0 0 S 6 0.0 261:08.10 fw_worker_27
5103 admin 15 0 0 0 0 S 6 0.0 198:56.70 fw_worker_32
5086 admin 15 0 0 0 0 S 6 0.0 370:28.17 fw_worker_15
5088 admin 15 0 0 0 0 S 6 0.0 401:48.28 fw_worker_17
5080 admin 15 0 0 0 0 S 5 0.0 140:41.30 fw_worker_9
5090 admin 16 0 0 0 0 S 5 0.0 245:51.60 fw_worker_19
5094 admin 15 0 0 0 0 S 5 0.0 199:11.30 fw_worker_23
5074 admin 15 0 0 0 0 S 5 0.0 260:30.67 fw_worker_3
5081 admin 15 0 0 0 0 S 4 0.0 59:37.76 fw_worker_10
5082 admin 15 0 0 0 0 S 4 0.0 138:25.71 fw_worker_11
5083 admin 15 0 0 0 0 S 4 0.0 148:08.63 fw_worker_12
5084 admin 15 0 0 0 0 S 4 0.0 149:37.41 fw_worker_13
5076 admin 15 0 0 0 0 S 4 0.0 241:35.83 fw_worker_5
5099 admin 15 0 0 0 0 S 4 0.0 51:30.35 fw_worker_28
5100 admin 15 0 0 0 0 S 4 0.0 133:52.08 fw_worker_29
5105 admin 15 0 0 0 0 S 4 0.0 205:21.42 fw_worker_34
5085 admin 15 0 0 0 0 S 3 0.0 151:12.51 fw_worker_14
5097 admin 15 0 0 0 0 S 3 0.0 52:58.49 fw_worker_26
5075 admin 15 0 0 0 0 S 3 0.0 63:02.47 fw_worker_4
5091 admin 15 0 0 0 0 S 3 0.0 135:33.92 fw_worker_20
5104 admin 15 0 0 0 0 S 3 0.0 84:22.19 fw_worker_33
5106 admin 15 0 0 0 0 S 3 0.0 225:49.28 fw_worker_35
5071 admin 15 0 0 0 0 S 2 0.0 147:40.42 fw_worker_0
5073 admin 15 0 0 0 0 S 2 0.0 146:38.35 fw_worker_2
5079 admin 15 0 0 0 0 S 2 0.0 142:34.09 fw_worker_8
5089 admin 15 0 0 0 0 S 2 0.0 53:42.59 fw_worker_18
5093 admin 15 0 0 0 0 S 2 0.0 215:51.19 fw_worker_22

# cpmq get -a

Active ixgbe interfaces:
eth1-01 [Off]
eth1-02 [Off]
eth1-03 [Off]
eth1-04 [Off]

Non-Active ixgbe interfaces:
eth3-01 [Off]
eth3-02 [Off]
eth4-01 [Off]
eth4-02 [Off]
eth4-03 [Off]
eth4-04 [Off]

Active igb interfaces:
Mgmt [Off]
Sync [Off]

Non-Active igb interfaces:
eth2-01 [Off]
eth2-02 [Off]
eth2-03 [Off]
eth2-04 [Off]
eth2-05 [Off]
eth2-06 [Off]
eth2-07 [Off]
eth2-08 [Off]

Pawan Shukla

For a single connection, 5Gbps is rather good, considering you are using 10G interfaces in the first place. 

You can increase connection's throughput it by applying FAST_ACCEL bypass for the specific IP addresses on both sides, as described in sk156672. 

As @PhoneBoy said already, this is the case of a heavy connection, a.k.a. "elephan flow", which cannot be addressed by balancing FW inspection to multiple cores. The only solution is to use fast_accell feature for the IP addresses involved. Mind, you will not reach the wire speed, but throughput should be better than through Medium Path

As @HeikoAnkenbrand suggested - you must enable MQ on those interfaces:

eth1-01: CPU 2
eth1-02: CPU 3
eth1-03: CPU 24
eth1-04: CPU 25

Without it you won't get more than 2-3Gbps per interface.

Plus upgrade - R80.20 was not such a great release. If you want the best performance on interface, go with R80.40 as you will get 3.10 kernel that has much newer drivers for multi queue.

We are in process of upgrading our 23800 just for that - to eliminate RX-DRPs on interfaces when traffic is very "bursty", it can jump from 10Gbps to 20Gbps suddenly so we see a lot of RX buffer overflows

Hi @Pawan_Shukla,

I agree with @Kaspars_Zibarts.

Here's what I would do in this case:

First enable MQ:
By default, each network interface has one traffic queue handled by one CPU. You cannot use more CPU cores for acceleration than the number of interfaces handling traffic. Multi-Queue lets you configure more than one traffic queue for each network interface. For each interface, more than one CPU core is used for acceleration. Multi-Queue is relevant only if SecureXL is enabled.

More read here:
- R80.x - Performance Tuning Tip - Multi Queue
- Performance Tuning R80.30 Administration Guide – Multi-Queue

Ennable MQ in this interfaces:

eth1-01: CPU 2
eth1-02: CPU 3
eth1-03: CPU 24
eth1-04: CPU 25

Second:

Use "Fast Accel Rules" for internal networks. So you have less traffic on the PSLXL path or use IPS only for traffic to and from the internet on the external interface.

More read here:
- R80.x - Performance Tuning Tip - SecureXL Fast Accelerator (fw ctl fast_accel)
- sk156672 - SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above

Third:

Check RX errors:
# netstat -in

RX-ERR: Should be zero.  Caused by cabling problem, electrical interference, or a bad port.  Examples: framing errors, short frames/runts, late collisions caused by duplex mismatch.
       Tip:  First and easy check duplex mismatch 

RX-OVR: Should be zero.  Overrun in NIC hardware buffering.  Solved by using a higher-speed NIC, bonding multiple interfaces, or enabling Ethernet Flow Control (controversial). 

       Tip:  Use higher speed NIC's or bond interfaces

RX-DRP: Should be less than 0.1% of RX-OK.  Caused by a network ring buffer overflow in the Gaia kernel due to the inability of SoftIRQ to empty the ring buffer fast enough.  Solved by allocating more SND/IRQ cores in CoreXL (always the first step), enabling Multi-Queue, or as a last resort increasing the ring buffer size.

More tips read here:
- R80.x Architecture and Performance Tuning - Link Collection