Neville_Kuo
Advisor

Multi-Queue without SecureXL

Dear all,

Due to some service impact reasons we have to disable SecureXL in our customer's production network. To improve network performance we turned on Multi-Queue on some interfaces. According to some documents and SKs, I know Multi-Queue is only relevant with SecureXL enabled, but I know Multi-Queue is a Linux thing, not Check Point proprietary, so do we really get no benefit from turning Multi-Queue on with SecureXL off?

Timothy_Hall
Legend

Gateway version and Jumbo HFA level?  The answer will depend quite a bit on this piece of information...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Neville_Kuo
Advisor

Hi,

All R80.20 with Jumbo Hotfix Take 118.

Timothy_Hall
Legend

In R80.10 and earlier, SecureXL had to be enabled to use Multi-Queue due to the interaction with SecureXL automatic interface affinity, which would poll interface load every 60 seconds and shuffle interfaces around that did not have Multi-Queue enabled on the various SND/IRQ/Dispatcher cores trying to balance the load.

Automatic interface affinity as it was performed in R80.10 and earlier is gone in R80.20 and later due to the big architectural changes in SecureXL, and even when you turn off SecureXL in R80.20 and later, it is not really completely disabled quite like it was in R80.10 and earlier.  If you have SecureXL disabled with fwaccel off in R80.20+ due to your issue, yes you most definitely want to keep using Multi-Queue and it will still work.  If you can disable SecureXL selectively as described in these SKs that is always preferable to just turning it all off:

sk104468: How to disable SecureXL for specific IP addresses

sk151114: "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above

Starting in R80.30 with Gaia kernel 3.10, Multi-Queue is enabled by default on all interfaces except the management interface.

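As an added example (not code from the thread, from Check Point, or from the poster), here is a small check of the point above that Multi-Queue is a Linux property rather than a SecureXL one. It reads /proc/interrupts, where Multi-Queue shows up as one IRQ line per queue (for igb/ixgbe NICs the labels look like eth1-TxRx-0), and reports whether each interface's queues are really being served by different cores or are all landing on one. The /proc/interrupts text and the interface names below are constructed for the example, not captured from a gateway.

```python
"""Check whether a NIC's Multi-Queue IRQs are spread across cores.

Added example. Works on any Linux host, Gaia included: Multi-Queue appears
as several IRQ lines per interface (e.g. eth1-TxRx-0 .. eth1-TxRx-3), and
the CPUs that service those IRQs are the ones doing the interface's work.
"""
import sys

# Constructed sample in /proc/interrupts format (not from a real gateway).
# eth1: 4 queues, each busiest on its own core  -> spread correctly
# eth2: 2 queues, both busiest on CPU0          -> queues exist but pile up
# eth0: a single legacy IRQ, no queue suffix    -> Multi-Queue not in use
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  45:    9120031          0          0          0   PCI-MSI-edge      eth1-TxRx-0
  46:          0    8873310          0          0   PCI-MSI-edge      eth1-TxRx-1
  47:          0          0    9001872          0   PCI-MSI-edge      eth1-TxRx-2
  48:          0          0          0    8799120   PCI-MSI-edge      eth1-TxRx-3
  52:   14211009          0          0          0   PCI-MSI-edge      eth2-TxRx-0
  53:   13987210          0          0          0   PCI-MSI-edge      eth2-TxRx-1
  60:     120034          0          0          0   PCI-MSI-edge      eth0
"""


def parse_interrupts(text):
    """Return {irq_number: (per_cpu_counts, label)} from /proc/interrupts text.

    The first line names the CPUs; its field count tells us how many count
    columns follow each IRQ number. Rows whose first field is not a numeric
    IRQ (NMI:, LOC:, ERR: ...) are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ncpu = len(lines[0].split())
    table = {}
    for line in lines[1:]:
        fields = line.split()
        head = fields[0]
        if not head.endswith(":") or not head[:-1].isdigit():
            continue
        counts = [int(x) for x in fields[1 : 1 + ncpu]]
        table[int(head[:-1])] = (counts, fields[-1])  # label is the last token
    return table


def queue_irqs(table, ifname):
    """Return {label: per_cpu_counts} for every per-queue IRQ of ifname.

    A queue IRQ is labelled "<ifname>-<something>"; a plain "<ifname>" label
    (no dash) is a single-queue device and is deliberately not matched.
    """
    prefix = ifname + "-"
    return {label: counts for counts, label in table.values() if label.startswith(prefix)}


def assess_multiqueue(text, ifname):
    """Summarise how ifname's queue IRQs are distributed over CPUs.

    'spread' is True only when there is more than one queue and each queue's
    busiest CPU is distinct, i.e. the queues are actually being serviced by
    different cores.
    """
    queues = queue_irqs(parse_interrupts(text), ifname)
    busiest = set()
    for counts in queues.values():
        if any(counts):
            busiest.add(max(range(len(counts)), key=counts.__getitem__))
    return {
        "interface": ifname,
        "queues": len(queues),
        "serving_cpus": sorted(busiest),
        "spread": len(queues) > 1 and len(busiest) == len(queues),
    }


if __name__ == "__main__":
    # "--live" reads the real /proc/interrupts; otherwise the constructed sample is used.
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = open("/proc/interrupts").read() if live else SAMPLE_INTERRUPTS
    names = sys.argv[2:] if live and len(sys.argv) > 2 else ("eth1", "eth2", "eth0")
    for ifn in names:
        r = assess_multiqueue(text, ifn)
        verdict = "spread over cores" if r["spread"] else "NOT spread (single queue, or all on one core)"
        print(f"{ifn}: {r['queues']} queue IRQ(s), busiest on CPU {r['serving_cpus']} -> {verdict}")
```

On a gateway, run it as `python3 mqcheck.py --live eth1 eth2` and compare the reported CPUs with the SND core assignment shown by `fw ctl affinity -l`; the check does not consult SecureXL at all, which is the point: the queue-to-core distribution is visible and verifiable whether `fwaccel stat` reports acceleration on or off.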
Neville_Kuo
Advisor

Hi Mr. Hall,

Thanks for your reply, it really helps. Unfortunately sk104468 won't do the trick because it's a CDN service; we can't predict which IP address would be used.

Timothy_Hall
Legend

Do you know which port(s) the CDN is using?  If so you can use the little-known tcp_f2f_ports directive mentioned in that SK to force certain ports F2F regardless of IP address.

Neville_Kuo
Advisor

Hi,

It's HTTPS connections, so I think disabling that port is almost equal to disabling all traffic getting into SecureXL.
PhoneBoy
Admin

Why must you disable SecureXL?
Neville_Kuo
Advisor

Hi,

Okay, I'll try to explain this with my poor English.

As you can see in the topology below:

[image: topology.JPG]

Clients are using firewall PBR and a transparent proxy for internet access.

All clients' HTTP/HTTPS traffic goes through core switch -> CP15600 -> F5; the F5 distributes the web traffic to proxy servers, and the proxies then do the internet access for the clients.

Most web pages are OK, except this important one:

https://www.tycc.gov.tw/LiveVideo/history.aspx

It's a live video history link; you may click on any square to see one of the Taiwan parliament live stream backups. From the source code of any video clip, you can see the video was uploaded to the following link:

    // JW Player setup as it appears in the video page's source (fragment as posted)
    jwplayer("__CCDNPlayer1081118").setup({
        'width': '100%',
        'height': '100%',
        file: "https://flv.ccdntech.com/vod/_definst_/mp4:vod166/vod166_Live/20191118105959_live_dms.mp4/playlist.m3u8?wowzaplaystart=1795000",
        autostart: true,
    });

With PBR + transparent proxy, most clients can't replay these videos; they tried so many times and it displayed only 1 or 2 times.

If traffic is not going through the F5 (no proxy), everything is fine, but that's not allowed.

If clients use an explicit proxy (manually configured in the browser), everything is fine, but that's not possible; they claimed the former firewall (FortiGate) didn't need that.

If I turn off SecureXL, everything is fine; that's what they can accept, but I'm afraid of I/O issues, so I turned on Multi-Queue and gave 2 more cores to SND (there are 16 cores on the CP15600).

Any better idea would be appreciated.

G_W_Albrecht
Legend

As this is a deep SecureXL PBR issue, what is the statement from TAC / R&D here?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

Sounds like you should open a TAC case.
Specifically because disabling SecureXL should never be the solution to a problem.