Hi,

Thanks for the reply!

I ran this command for the peer-address we are haveing troubles establishing a tunnel for (we dont have a valid SA for it):

[Expert@ffw-vsxnode-1:16]# vpn iked calculate 1.2.3.4
vpn: Address '1.2.3.4' is not handled by any IKED daemon
[Expert@fw-vsxnode-1:16]#

Looks like this, and the other VS (that have a tunnel for the same peer) doesnt have any iked-processes running.

Very confusing as the documentation for R81.20 doesnt mention anything about cores, but that S2S is not being handled by iked in R81.20 (while other documentation says it is). 

Hi,

Thanks for the reply!

Does this mean that this is not related to R81.20 where the documentation states that its not handled by iked ?
Couldt find any information about this being related to number of virtual cores but this could also match (as VS 13 & 16 have 1 Core).

On VS13 we do have working Ipsec VPN tunnels and one core is enough to handle all the limited traffic we do have on these VS`es.
Cant find any limitations that we cant run Ipsec VPN with 1 core only, so does this mean its handled by "vpnd" and that we have to perform
a full vpnd-debug (maintenance window) to get the ike-debugs ?

This finding was discovered just recently. Check Point just wrote it is like it is even despite the fact there is no sk article nor written anything related to this issue in any admin guide / ATRG.

We never modified default number of CoreXL for any VS, since we didnt run to any issue with performance.

Just an update,

We were able to get a quick maintenance window and increased the number of virtual cores from 1->2 on this VS and now we do have "iked" running so you were correct 🙂

Expert@fw-vsxnode-1:16]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
-----------------------------------------------
0 | Yes | 2-15+ | 341 | 353
1 | Yes | 2-15+ | 187 | 189
[Expert@fw-vsxnode-1:16]# vpn iked status
vpn: 'iked' is enabled.
vpn: 'iked' is configured for 1 instances.
vpn: The 'iked0' process is currently running.
[Expert@fw-vsxnode-1:16]#

I remember a discussion with PS a while back that since R80+, the minimum amount of cores for any system is 2 to meet architectural requirements. For instance, a VM with just one core will fail at the FTS indicating at least 2 cores are needed. 

In the case of VSX, they advised 2 virtual cores even for small VS, to ensures all OS functions work optimally since there it allows you indeed to create a VS with the default of 1 core.

In case of VSX, changing CoreXL for specific VS will cause outage for that VS. This "feature" is no go in production. If Check Point is able to change this "feature", I am OK changing coreXL to higher numbers.

Correct.

I was pointing the fact that any new VS we create has a minimum of two virtual cores so processes of that VS work in an environment with supported core allocation.

Good approach 🙂 

I wish I had crystal ball back in old times where VSX was created (on R77.30), so I knew Check Point is changing VPN architecture starting from R81.10 and more cores will be needed 😛

In old R77.30 times, everything related to VPN was handled by vpnd only (and even within CoreXL FW instance #0).

Good ol' R77.30 🙂

For some reason, I have fond memories of R75.47 version, always treted me well lol

Andy