@the_rock can you please provide the output of ethtool -i eth0 and ethtool -S eth0 on the Azure system that is reporting the 9362 RX ring size?  The somewhat odd value (9362) makes me think it may be dynamically allocated or scaled.

Its a lab, so that would make sense.

Andy

[Expert@azurefw:0]# ethtool -i eth0
driver: hv_netvsc
version:
firmware-version: N/A
expansion-rom-version:
bus-info:
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
[Expert@azurefw:0]# ethtool -S eth0
NIC statistics:
tx_scattered: 0
tx_no_memory: 0
tx_no_space: 0
tx_too_big: 0
tx_busy: 0
tx_send_full: 0
rx_comp_busy: 0
rx_no_memory: 0
stop_queue: 0
wake_queue: 0
vf_rx_packets: 5402818
vf_rx_bytes: 5051231197
vf_tx_packets: 45000650
vf_tx_bytes: 4863385021
vf_tx_dropped: 0
tx_queue_0_packets: 0
tx_queue_0_bytes: 0
rx_queue_0_packets: 40119764
rx_queue_0_bytes: 8056670503
[Expert@azurefw:0]#

Not sure about the source. But I have seen 40 Gbps QLS cards get 512 or even 256 size buffers. And that seems to contradict this source. So this is definitly something that needs attention along with better information on what other steps should be taken.

At the moment I have a ticket open with TAC and they have on with R&D and it is yet no clear how it should be configured and where the issue might be.

But for this customer trouble started with going from R81.20 with Jumbo take 26 to Jumbo Take 41. And it still persists in Jumbo Take 45.

Let us know what they say Hugo.

Best,

Andy

Hi Hugo,

You are reporting performance problems in the later releases and surmising that the RX ring buffer size is the cause, are you seeing an RX-DRP rate in excess of 0.1% on any interfaces?  Unfortunately in Gaia 3.10 RX-DRP can now also be incremented upon receipt of a undesirable Ethertype (like IPv6) or an improperly pruned VLAN tag (what I call "trash traffic" that we can't handle anyway), not just due to a full ring buffer which causes loss of frames that we want to process.  In Gaia 2.6.18 this trash traffic was silently discarded and did not increment RX-DRP. 

To compute the true RX-DRP rate for ring buffer misses you'll have to do some further investigation with ethtool -S.  See sk166424: Number of RX packet drops on interfaces increases on a Security Gateway R80.30 and higher ....  As long as the true RX-DRP rate is below 0.1% you shouldn't worry about it.  I know this can be difficult to accept but not all packet loss is bad; TCP's congestion control algorithm is actually counting on it.

On every system I've seen the ring buffer sizes are: 1GBit (256), 10Gbit (512), 40-100Gbit (1024).  Are you sure you are not looking at the TX ring buffer setting?  Those are sometimes smaller.  Generally it is not a good idea to increase ring buffer sizes beyond the default unless true RX-DRPs are >0.1%, (and you have allocated all the SNDs you can) as doing so will increase jitter, possibly confusing TCP's congestion control algorithm and causing Bufferbloat, which actually makes performance worse under heavy load.

As to the ring buffer size of 9368 for the hv_netvsc driver in Azure reported by @the_rock, it is my impression that Azure (or perhaps the current kernel version used by Gaia) does not support vRSS which means multi-queue is not supported either.  Therefore no matter how many SND cores you have only one of them can empty a particular interface's ring buffer.  I'd surmise that the strangely large 9368 RX ring buffer size is an attempt to compensate for this limitation, and it may even increase itself automatically as load demands.  This has already been discussed to some degree here: distribution SNDs in hyper-v environment

But it may not matter since traditionally the ring buffer was used as a bit of a "shock absorber" to absorb the impact of a flood of frames making the transition across the bus from a hardware-driven buffer (on the NIC card itself) to a software-driven RX ring buffer in RAM.  But in Azure everything is software and there is no physical NIC, at least that is exposed to the VM.  That is why there can probably never be interface errors like RX-ERR or possibly even RX-OVR so the size of the ring buffer may not really matter either.

Once again if the "true" RX-DRP rate is <0.1% I'd leave the RX ring buffer size at the default for physical interfaces.  Read the Bufferbloat article for a good explanation of why. 

Wow, what an excellent expanation @Timothy_Hall , thanks for that.

Andy

Actually increasing Rx buffers to 1024 had the most impact. But it did not resolve the isssue.

However as was explained by Check Point increasing Rx buffers in a number of steps is about as logical to R&D as a doctor who listens to your complaints and prescribes antibiotics. EN as a good docter they even double the dose in a few days if the desired effect is not reached.

So at this moment I think your comments have yet to be noted by R&D.

Today it seems we may have a match to an issue under investigation. For this there is a custom hotfix that will be portfixed for the customer and tested in the setup they have replicated for us. So we hope this will fix the issue at hand.

Increasing Rx buffers to 4096 did resolve RxDrops on the physical interfaces but now we see them on the Warp interfaces.

Which pretty much tells us that the first action by R&D was not the best approach.

Playing with Ring Buffers is much more complicated these days but that message is not yet part of R&D doctrine.

Any word from TAC on it?

Andy

It seems we have a match on https://support.checkpoint.com/results/sk/sk181860 and we are waiting for the portfix and a maintenance window to implement.

Thanks for the update.

Andy

I wonder what is behind "a high number of interfaces" as mentioned in the SK. I've gateways with 10's of VLAN on R81, .10, .20 and haven't encountered this situation.

Totally logical point @Alex- 

Would also be curious to know how many is too many.  @Hugo_vd_Kooij how many total interfaces are being reported by fw ctl iflist on the system with the issue?  

Based on the function name I'd speculate there is an issue with the code that maps interface numbers (shown by fw ctl iflist) to the raw device names, which would be needed for just about every packet passing through.  Perhaps there is some kind of index or hash function that allows fast searching of this cache, but it breaks down with too many interfaces present and has to go back to linear searching?  The threshold is probably some power of two such as 256, 512, etc.  The overall maximum number of supported interfaces for a standard gateway is 1024 (VSX is 4096), so I'll go out on a limb and guess that Hugo's gateway has more that 512 interfaces.

I recall from the last call this was something in the order of 120 interfaces.

But as I don't manage it I have no actual figure as that informaton went straight from customer to TAC.

The thing to look out for if you run perftop is if the following process is on the top:

get_dev2ifn_hash

By now I know that to be a big red flag.

The hotfix for this is schedule in the next jumbo Hotfix after take 53. 

The issue in SK181860  issue is now also addressed in Jumbo Hotfix Take 54.

On WRP interface it is stated as 'cosmetic'

https://support.checkpoint.com/results/sk/sk178547

The source is Check Point Professional Services - Health Check Report. The screenshot is from Timothy Hall.

There are still important notes on Jumbo Take 45 that are addressed in Take 53: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Important-Notes.htm

Yes, this is a known issue with the Intel igb/ixgbe/ice drivers.  If you have a large number of VPN tunnels terminating on an interface (presumably the external, Internet-facing one) using any of these drivers, they do not support Multi-Queue traffic balancing by SPIs on the SND cores.  This will result in ring buffer overflows.  Here is an excerpt from my Gateway Performance Optimization course discussing it:

IGB/IXGBE/ICE Driver Issues Balancing IPSec Traffic on SNDs

If possible, try to avoid terminating a large number of IPSec VPNs on an Ethernet interface that is utilizing Intel’s igb, ixgbe, or ice driver.  Generally, for most organizations, all VPN tunnels terminate on the External (Internet-facing) interface. These older drivers do not support the balancing of IPSec traffic by SPI, and may cause severe SND load imbalances if a large number of IPSec tunnels are in use: sk180678: Improved Multi-Queue distribution of IPsec SPI traffic & sk183525: High CPU usage on one SND core.