This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Tom_Cripps
Advisor
‎2020-06-18 02:49 AM

Observing Broadcast CCP messages when CCP mode is Multicast

I am seeing Broadcast packets for CCP from my active gateway on two interfaces even though my CCP method is multicast? Has anyone seen this at all before? 

I'm also seeing RX_DRP and RX_OVR increase the same amount appearing to be in a "lockstep" as described in @Timothy_Hall's books. 

I suspect this may be causing us problems when our current standby member becomes active, as we see irregular behavior when it is handling traffic.

0 Kudos
6 Replies
Timothy_Hall
Champion
Champion
‎2020-06-18 04:50 AM

Gateway code & kernel version? 

What CCP mode does cphaprob -a if show?

If you are getting RX-DRP/RX-OVR lockstep it usually means to need to add more SND cores and then possibly enable Multi-Queue, but this is version dependent.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Tom_Cripps
Advisor
‎2020-06-18 05:00 AM
In response to Timothy_Hall

Hi Tim,

We're running R80.10 on these still and kernel version will still be 2.6

 

cphaprob -a if shows:


Required interfaces: 8
Required secured interfaces: 1

Sync UP sync(secured), multicast
Mgmt Disconnected non sync(non secured), multicast
eth2-01 UP non sync(non secured), multicast
eth1-01 UP non sync(non secured), multicast
eth1-03 UP non sync(non secured), multicast
eth3-07 UP non sync(non secured), multicast
eth3-03 UP non sync(non secured), multicast
bond0 UP non sync(non secured), multicast, bond Load Sharing
bond1 UP non sync(non secured), multicast, bond Load Sharing

Virtual cluster interfaces: 7

eth2-01 xxxx 
eth1-01 xxxx 
eth1-03 xxxx 
eth3-07 xxxx 
eth3-03 xxxx
bond0 xxxx
bond1 xxxx

 

These interfaces are not under load though so surely multi-queue or more SND cores won't help? 

 

 

 

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-06-18 07:51 AM
In response to Tom_Cripps

Tough to say, please provide output of "Super Seven" commands and enabled_blades.

https://community.checkpoint.com/t5/General-Topics/Super-Seven-Performance-Assessment-Commands-s7pac...

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Tom_Cripps
Advisor
‎2020-06-18 08:10 AM
In response to Timothy_Hall

Enabled Blades:

[Expert@XXXX:0]# enabled_blades
fw vpn mon vpn

 

Super Seven output is attached Tim. This is from our current standby member also.

 

 

Preview file
17 KB
0 Kudos
Timothy_Hall
Champion
Champion
‎2020-06-19 05:50 AM
In response to Tom_Cripps

Please provide the Super Seven run on the active member, I can tell it was run on the standby due to the 100% F2F.

In regards to the high RX-DRP, it may be skewed by the fact that it is a standby member, and you are seeing unknown protocols in your network as mentioned here: https://community.checkpoint.com/t5/General-Topics/core-affinity-R80-40-two-cores/m-p/88834/highligh...

 

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Tom_Cripps
Advisor
‎2020-06-19 07:48 AM
In response to Timothy_Hall

Hi Tim,

Thank you getting back in touch, we have identified this being an with the Hardware module we are using. Changing the interface into a new module has resolved this. I suspect there is a problem with the NIC on that module, we are not seeing errors anymore, but are still seeing FWHA_IFCONF_REQ and FWHA_IF_PROBE_REQ requests on the second interface which was erroring, not anymore though.