Ryan_Ryan
Advisor

CoreXl vs. dynamic dispatcher

Hi mates,

Can someone explain how we should successfully deploy dynamic dispatcher in R81+? We recently built new VE checkpoints R81.10. We had dynamic dispatcher on (which was the default), verified using the command: fw ctl multik dynamic_dispatching get_mode, and CoreXL off. After policy was pushed and blades enabled, the firewall had only one FWD instance on a 6 CPU box! That core was running at 100% and dropping traffic.

 

After enabling CoreXL with 4 cores and rebooting, everything went smoothly again, but I suspect we have now lost the "dynamic" scaling of firewall workers by doing so. The documentation doesn't specify the CoreXL requirements of dynamic dispatcher, whether it should be on or off. It's also difficult now, with CoreXL on, to understand if dynamic dispatcher is providing any function.

0 Kudos
9 Replies

Both aforementioned technologies should typically be on by default starting R80.10.

Was the VM deployed with 8-cores at the get go and what license is applied?

Perhaps you are thinking about dynamic balancing (split) which is only supported on CP appliances?

0 Kudos
Ryan_Ryan
Advisor

Yes, the number of cores on the VM didn't change after deployment (we built 12 gateways, all same specs). I have never had a vanilla box come with CoreXL on by default, which is interesting: if CoreXL is a requirement for dynamic dispatcher, that means the out-of-the-box config is an incompatible config, with CoreXL off and dynamic dispatcher on.

sk105261 mentions how to enable dynamic dispatcher, but it doesn't mention to first enable CoreXL, which is where my confusion came from; it seemed to suggest this replaced the need for it.

0 Kudos
emmap
Employee

So, dynamic dispatcher is a technology to dynamically assign incoming connections to CoreXL instances on the gateway; it won't adjust the amount of CoreXL instances. Dynamic balancing is the tech that adjusts between CoreXL and SND cores, only on CP appliances.

By the way, FWD is the thread that manages logging and whatnot; it's FWK that is a CoreXL thread. There's always only one FWD.

Ryan_Ryan
Advisor

Thank you for that explanation to clear it up. Very helpful. I would still suggest the first step under "Configuration on Security Gateway R80.10 and higher" in sk105261 should be "Enable CoreXL", as that wasn't obvious to us! (just our opinion)

0 Kudos

Can you confirm the hypervisor this is deployed on and the gateway license used?

I'd like to do some further checks... 

0 Kudos
Ryan_Ryan
Advisor

It's ESXi 6.7

cores = 6

license is:

CPSG-VE+336

_Val_
Admin

I respectfully disagree, @Ryan_Ryan

CoreXL is automatically enabled with 4 or more cores. Dynamic Dispatching is a CoreXL feature, so the SK assumes you do have CoreXL on; otherwise it is not applicable.

0 Kudos
_Val_
Admin

How many cores on that VM?

0 Kudos
_Val_
Admin

Hi @Ryan_Ryan 

I have read your original post once more. It seems like you are mixing Dynamic Balancing (sk164155) and Dynamic Dispatching (sk105261). Both are related to CoreXL, but are talking about completely different functionality.

Dynamic Dispatching ensures that all FWKs receive a fairly even amount of connections, but it does not change the amount of active CoreXL instances.

Dynamic Balancing is changing the amount of active CoreXL instances and SNDs, trying to balance automatically the average load of each group of cores. It requires at least 8 cores. 

Hope this clarifies the situation just a bit. 

If you still have unresolved questions about the matter, please let me know.

0 Kudos