Thank you @G_W_Albrecht !

As per SK the tool seems to be already running.  I see logs generated under /var/log/spike_detective and an entry that seems to correspond to the time of the issue:

spike info: type: cpu, cpu core: 3, top consumer: unknown, start time: 24/07/25 03:01:48, spike duration (sec): 5, initial cpu usage: 82, average cpu usage: 82, perf taken: 1

I don't see any other helpful information, but perhaps I have to enable top_conns_enable and heavy_conns_enable.

Hopefully tomorrow I will have more data.

Other possibility is to fine-tune CUL https://support.checkpoint.com/results/sk/sk92723

Will check -- thank you!

It's not happening during the policy push nor during regular office hours, but only during a specific time at night. I tried to correlate it with the network load and there is a corresponding spike between data centers, so it's clearly some backup job...

Hello @Lesley 

All are green with one error (interface errors) and two warnings:

Time to check the rx buffers follow this

https://support.checkpoint.com/results/sk/sk42181

I recall troubleshooting it when we started noticing those after the migration from R77.30, but we were never nearly close to 0.1% as per the post from Timothy_Hall (I'm sorry, I can't find it anymore), hence the default rx value is used for all 10G interfaces which is 512.

He also recommended to avoid using ixgbe drivers for terminating VPN tunnels which is our case (not a lot of tunnels though).

Either way, we don't really experience any performance or latency issues, I just need to find the backup job that causes cluster failover at 3am. 🙂

Of course, any advice from legend @Timothy_Hall  would be golden!

Andy

The CUL messages are merely a symptom of the problem, not the issue itself.  The CUL state only matters if the active member suffers a catastrophic failover while CUL is active; then that failover will take 8-9 seconds instead of 2-3.

fw ctl multik print_heavy_conn only shows elephant flows over the last 24 hours.  So, if you ran it within the proper window of time and it still shows nothing, that would suggest a large number of smaller connections saturating all CPUs simultaneously, and none of them stand out as a "spike" or elephant. This also explains why you aren't seeing a bunch of spikes logged by the spike detective.  It could even be a burst of new accepted connections from a network monitoring system doing aggressive discovery at that time, check the new connections rate in cpview's history mode for that period, and see if it jumps significantly as that can also drive up the CPUs.

What I would suggest is writing a script that runs the command top_conns every 30 seconds and writes the results to a file.  (sk172229: Top Connections Tool)  Leave it running overnight, and that should help you figure out what is going on, as I assume the regular logs are not providing helpful information.  My guess is that this burst of connections is traversing the slowpath through the gateway, which can easily saturate the CPUs.  fw tab -t connections -z can help you diagnose why these connections are stuck in the slowpath.  See my Be Your Own TAC Part Deux presentation for all the slowpath reasons.  If the connections are not stuck F2F/slowpath, this would be a textbook case for using fast_accel for this spiky traffic, assuming the two communicating systems are reasonably trusted.  sk156672 - SecureXL Fast Accelerator (fw fast_accel)

The RX-DRPs might be related, or they might just be junk traffic the firewall cannot process anyway (IPv6, etc).  We need to understand the properties of these spiky connections before examining these drops/misses.

Thank you @Timothy_Hall ! I think using top_conns is the right direction.

Stupid question 🙂 -- I can't seem to find a way to schedule a cron job to run every XX seconds using clish since it only accepts hh:mm:

Schedule jobs to run on specified time in day. Please specify time in a format <hours>:<minutes>.

Shall I try to place a script using 'crontab -e' and put */30 (every 30 seconds)?  But then it explicitly says not to edit the file directly.

Find the answer here: sk77300: How to create a scheduled job (cron job) in Gaia with frequency of less than a day

Just do this from expert mode and leave it running overnight (it will run every 30 seconds for 8 hours , increase the 960 value for longer):

TMOUT=0; export TMOUT

for run in {1..960}; do date >>outputfile; top_conns >>outputfile; sleep 30; done

Thank you very much @Timothy_Hall !

@Teddy_Brewski 

Something else to check, see what it gives you, you can do below any time from clish.

Andy

CP-MANAGEMENT> show back
backup - Show the status of the latest backup/restore
backup-scheduled - Show the scheduling of backup defined in the system
backups - List of local backups
CP-MANAGEMENT> show backup-sch
CP-MANAGEMENT> show backup-scheduled
CP-MANAGEMENT> show backup-scheduled
Backup of the system configuration.
CP-MANAGEMENT> show backup-scheduled
CLINFR0349 Incomplete command.
CP-MANAGEMENT> show backup-scheduled jovs
NMSCRN0083 Invalid scheduled-backup name.
CP-MANAGEMENT> show cron
CP-MANAGEMENT> show cron
job - Show the scheduling information of the specific job
jobs - Show all scheduled jobs in the system
mailto - Show email address for sending jobs' results
CP-MANAGEMENT> show cron jobs
CP-MANAGEMENT>

I think he means backup traffic from other network components going via the firewall and are inspected 😉 

But it is worth to check if scheduled gaia backup matches CPU spikes of course. 

If you know it is backup traffic then focus on following topics: hyper flow, dynamic balancing and fast accel. 

Definitely all worth checking 🙂

Yep, exactly that. 🙂

The backup of the gateway itself is configured at 2am, lasts ~30 seconds and has no impact on the performance. This is some task that is happening over the network and it's traversing via the firewall.

Hello @the_rock 

'fw ctl multik print_heavy_conn' returns nothing.

Since I like to think about anything in life logically, more I think about this, more Im convinced there must be some sort of backup or cron job going on in the middle of the night causing this. Just my 2 cents.

Andy