This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Zia
Explorer
‎2019-09-02 10:23 AM

Performance issues : Loss of packets

 

Hi everyone,

I would like the help of the experts here.

We have 2 firewall (5400 model) HA configured and a HP server that acts as the SMS. All of them run under Gaia R80.10.

Here are my main issues:

-We have severe case of packet loss in all of the interfaces of the active firewall and as a result the network is very slow. 

Thank you in advance for all of your suggestions and helpful tips.

 

 

*********************************************************************

[Expert@Firewall-1:0]# enabled_blades
fw vpn cvpn urlf av appi ips identityServer anti_bot vpn

*********************************************************************

[Expert@Firewall-1:0]# fwaccel stats -s
Accelerated conns/Total conns : 2/1574 (0%)
Accelerated pkts/Total pkts : 118218/167295927 (0%)
F2Fed pkts/Total pkts : 6917099/167295927 (4%)
PXL pkts/Total pkts : 160260610/167295927 (95%)
QXL pkts/Total pkts : 0/167295927 (0%)
*********************************************************************

[Expert@Firewall-1:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 1 | 823 | 11716
1 | Yes | 0 | 766 | 11359

*********************************************************************

[Expert@Firewall-1:0]# free -m
total used free shared buffers cached
Mem: 7744 7160 584 0 449 3521
-/+ buffers/cache: 3188 4555
Swap: 18394 19 18375

*********************************************************************

[Expert@Firewall-2]# fwaccel stats -s
Accelerated conns/Total conns : 0/32 (0%)
Accelerated pkts/Total pkts : 0/2924244 (0%)
F2Fed pkts/Total pkts : 2924244/2924244 (100%)
PXL pkts/Total pkts : 0/2924244 (0%)
QXL pkts/Total pkts : 0/2924244 (0%)

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2019-09-02 10:46 AM

I think the output of the "Super Seven" commands would be helpful.
See: https://community.checkpoint.com/t5/General-Topics/Super-Seven-Performance-Assessment-Commands-s7pac...

With most of your traffic hitting PXL (expected because of App Control, IPS, and Anti-Bot being active), some policy optimization may be required.
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-09-02 11:43 AM

according to your fw ctl multik stat you have only 2 FW instances, can you increase it?

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-09-02 12:33 PM

Need to see the "Super Seven" outputs as Dameon suggested, especially netstat -ni; my guess is your packet loss can be attributed to RX-DRPs. Also please identify which interface name is used for cluster sync. 

The 5400 is a 2-core system which puts it between a rock and a hard place to some degree, the only possible CoreXL adjustment is to disable it thus producing a 1/1 split of SND/IRQ cores vs. Firewall Worker cores as opposed to your current default 2/2 split which causes cache thrashing on the cores under load due to overlapping functions.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-09-02 01:34 PM

Hi @Zia,

Could you see RX errors?

# netstat -in

Could you see CPU performance issues (software interruts or hw interrupts)?

# top + key 1

Which network card drivers are you use?

# ethtool -i ethX 

On firewall 1 I can see 95% PXL traffic on firewall 2 I can see only 0% and heavy F2F traffic (100%). I think SecureXL is disabled on firewall 2.  Check SecureXL on FW 2.

# fwaccel stat

Are deamons to be visible they generating high load?

# top

(More see here: Check Point Processes and Daemons)

Regards
Heiko

 

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-09-02 01:41 PM
In response to HeikoAnkenbrand

If you use R80.20+ check this:

# fw ctl multik utilize   > shows the CoreXL queue utilization for each CoreXL FW instance

# fw ctl multik print_heavy_conn   > shows the table with heavy connections

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-09-02 03:43 PM
In response to HeikoAnkenbrand

> On firewall 1 I can see 95% PXL traffic on firewall 2 I can see only 0% and heavy F2F traffic (100%). I think SecureXL is disabled on firewall 2. Check SecureXL on FW 2.

Actually Heiko if Firewall-2 is the standby member in a ClusterXL HA cluster it is normal to see 100% F2F, as all traffic on that system is to and from the standby firewall itself which always goes F2F.  So SecureXL is probably enabled on Firewall-2.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-09-03 03:19 AM
In response to Timothy_Hall

👍

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events