Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kaspars_Zibarts
Employee Employee
Employee
Jump to solution

Most traffic taking PXL (medium) path, resulting in high CPU

OK, I'm giving up as I can't understand why would most traffic be pushed via medium path in one of our perimeter GWs.

Setup: GW running R80.40 T139, blades enabled: fw urlf appi ips identityServer.

The only TP blade we have is IPS. Yet running ips off command makes no difference at all. Whilst fw amw unload restores expected state with most traffic being accelerated.

This does not really make sense as AMW unload should only affect TP blades except IPS. But they are not even enabled!

Here are two screenshots: before and after AMW unload:

image.png

image.png 

 

 

When I look at actual connections - it's pretty much everything, even internal network to DNS is being sent to PXL.

I tried adding explicit TP policy to exclude all internal networks:

image.png

 

But still no joy.

What am I missing?? 🙂 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion

Throughput acceleration (pkts) is unaffected by the state of AMW, for you it is the Accept templating rate that is being impacted (conns) as well as causing some traffic to go Medium Path.  Keep in mind that connections can migrate between different paths and be counted more than once, which is why Accelerated pkts/PXL/CPAS/F2F add up to more than 100%.  Let's focus on the templating rate.

ips off only affects new connections, so you can't expect the acceleration percentage to dramatically change immediately.  Try actually unchecking the IPS blade (and ensuring all other TP blades are unchecked) then reinstall the Threat Prevention policy, then reinstall the Access Control policy in a separate operation.  Wait about 30 minutes for most existing connections to decay, how does it look then? 

Usually Anti-bot is responsible for dramatically reducing connection templating rates (I even call this blade the "slayer" of templates in one of my books) and I'm wondering if there are still some Anti-bot hooks involved even when only IPS is enabled.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

5 Replies
Timothy_Hall
Champion
Champion

Throughput acceleration (pkts) is unaffected by the state of AMW, for you it is the Accept templating rate that is being impacted (conns) as well as causing some traffic to go Medium Path.  Keep in mind that connections can migrate between different paths and be counted more than once, which is why Accelerated pkts/PXL/CPAS/F2F add up to more than 100%.  Let's focus on the templating rate.

ips off only affects new connections, so you can't expect the acceleration percentage to dramatically change immediately.  Try actually unchecking the IPS blade (and ensuring all other TP blades are unchecked) then reinstall the Threat Prevention policy, then reinstall the Access Control policy in a separate operation.  Wait about 30 minutes for most existing connections to decay, how does it look then? 

Usually Anti-bot is responsible for dramatically reducing connection templating rates (I even call this blade the "slayer" of templates in one of my books) and I'm wondering if there are still some Anti-bot hooks involved even when only IPS is enabled.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kaspars_Zibarts
Employee Employee
Employee

i actually run ips off -n which deletes templates, my understanding was that it would help to see effects faster. But lets try with IPS unchecked!

Kaspars_Zibarts
Employee Employee
Employee

Great! Inactivating IPS indeed fixed it too! Ok, job in hand to tweak IPS and maybe get more cores to this VS! Thanks heaps @Timothy_Hall  

Timothy_Hall
Champion
Champion

Yeah it is surprising how often IPS is the culprit in cases like this, but 90% of effective troubleshooting is knowing the right place to look...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kaspars_Zibarts
Employee Employee
Employee

Indeed!

image.png

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events