Hello Checkmate Team,

We suddenly see CPU utilization during the morning 5 AM to 8 AM time only.

The multiple fw_worker take high CPU but not impact the SND core utlization

Total Core : 8 core (2 SND and 6 fw_worker)

So we checked the TOP connection by referring CPVIEW utility output

As we get to know that a Auto Backup solution like Backup Server take more CPU because that Auto Backup is start working during the time of issue because during the time it’s take backup file from multiple of devices which connected or like integrated with Backup Server.

This issue we observed when this newly implemented BACKUP Solution is start working

Now find below about Solution :

First we need to know that the TOP connection is going to which path like Accelerated Path , medium Path or Slow Path

For this we run cpkstat Utility during the time of high CPU to know which path that go through.

Few Backup connections are triggered and all are in same Medium Path only (F2P)

Refer : sk103212 (Traffic analysis using the 'CPMonitor' tool) to known the high CPU utlization connection PATH.

The next Solution we planned to implemented that is to put that F2P connection to(SecureXL Fast Accelerator (fw fast_accel)) to reduce the CPU utilisation beacuse in the Fast Accelator no inspection is performed like trusted connections to allow bypassing deep packet inspection

Refer SK : sk156672

Now one query is come that why we put that connection without any Inspection ? : 

Answer : We assured that the connection is legitimate and as its for the backup process only so no need Inspection on this.


If we add the top connections to the SecureXL Fast Accelerator is there going to be any impact on the 2 SND cores, because at the time of High CPU utilization observed the SND cores CPU utilization is around 40-50% ?

Answer : There is going to be no impact on the SNDs due to fastaccel, as there is no inspection for this affected traffic

if some particular connection is already accelerated then can we add those connections in SecureXL Fast Accelerator then is there any impact ?

Answer : No Impact

Hi Team Let me know if some point answer I updated on above is correct or anything wrong ?

My Plan of ACTION :

Base on sk156672 which I refer :

1. fw ctl fast_accel enable (Set feature state to on)

2. fw ctl fast_accel show_table (Display the rules configured by the user)

3. fw ctl fast_accel show_state (Display the current feature state)

4. fw ctl fast_accel add 1.1.1.1 2.2.2.0/24 80 6 (Example IP address and Port number with TCP or UDP protocol)

5. fw ctl fast_accel delete 192.168.0.0/16 any 8080 17 (Example IP address and Port number with TCP or UDP protocol

6. Verify using cpview utility :

So base on our issue I need to add the Backup Server IP address which basically the Destination IP address and also revert the traffic.

Like for example :

Backup Server IP address : x.x.x.x/24
Backup Server Listing PORT : TCP 1667

Command :

fw ctl fast_accel add x.x.x.x/24 1667 6

Kindly suggested that above command is correct or not OR also can I need to add the source IP address also OR source and destination IP address are must be included base on the SK ?

Also I plan to added in only Active gateway for testing so incase if any urganet I will fail-over the gateway so kindly update that is this possible that we can use for Active gateway if we using Cluster then

Also Suggest Any Alternative to resolved the High CPU utlization issue .

Regards

@Chinmaya_Naik