Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HristoGrigorov
Jump to solution

High CPU use on SND cores and Aggressive Aging

How do you understand sk167358 ? Does it say that one SGs with majority of traffic accelerated through SecureXL, Aggressive Aging may actually impact performance in negative way because of constant timeout calculations ?

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion

 

sk35990:

Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.

sk167358:

High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.

We can choose between CPU and connection tabel dead😀.

I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher.  I this cases I usually turn it off.

It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

2 Replies
Kaspars_Zibarts
Employee Employee
Employee

I'm not able to comment on SK but in real life we saw some really odd problems whilst AA was on. For example we had some RDP running over HTTPS and that simply stopped working and as soon as AA was resolved, it started working again

HeikoAnkenbrand
Champion Champion
Champion

 

sk35990:

Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.

sk167358:

High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.

We can choose between CPU and connection tabel dead😀.

I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher.  I this cases I usually turn it off.

It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events