This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
HristoGrigorov
Mentor
Mentor
‎2020-06-16 03:54 AM

High CPU use on SND cores and Aggressive Aging

Jump to solution

How do you understand sk167358 ? Does it say that one SGs with majority of traffic accelerated through SecureXL, Aggressive Aging may actually impact performance in negative way because of constant timeout calculations ?

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion
Champion
‎2020-06-16 11:34 AM
In response to Kaspars_Zibarts

Jump to solution

 

sk35990:

Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.

sk167358:

High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.

We can choose between CPU and connection tabel dead😀.

I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher.  I this cases I usually turn it off.

It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.

 

 

View solution in original post

2 Replies
Kaspars_Zibarts
Authority
Authority
‎2020-06-16 10:46 AM

Jump to solution

I'm not able to comment on SK but in real life we saw some really odd problems whilst AA was on. For example we had some RDP running over HTTPS and that simply stopped working and as soon as AA was resolved, it started working again

HeikoAnkenbrand
Champion
Champion
‎2020-06-16 11:34 AM
In response to Kaspars_Zibarts

Jump to solution

 

sk35990:

Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.

sk167358:

High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.

We can choose between CPU and connection tabel dead😀.

I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher.  I this cases I usually turn it off.

It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.