Good evening CheckMates,
I am looking for some advice on how I can improve the number of accelerated connections on our perimeter gateway. Here is the output from the gateway:
[Expert@:0]# fwaccel stats -s
Accelerated conns/Total conns : 2846/16335 (17%)
Accelerated pkts/Total pkts : 513956107/533355811 (96%)
F2Fed pkts/Total pkts : 19399704/533355811 (3%)
F2V pkts/Total pkts : 4110751/533355811 (0%)
CPASXL pkts/Total pkts : 7421495/533355811 (1%)
PSLXL pkts/Total pkts : 332024567/533355811 (62%)
CPAS pipeline pkts/Total pkts : 0/533355811 (0%)
PSL pipeline pkts/Total pkts : 0/533355811 (0%)
CPAS inline pkts/Total pkts : 0/533355811 (0%)
PSL inline pkts/Total pkts : 0/533355811 (0%)
QOS inbound pkts/Total pkts : 0/533355811 (0%)
QOS outbound pkts/Total pkts : 0/533355811 (0%)
Corrected pkts/Total pkts : 0/533355811 (0%)
[Expert@:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |SND |enabled |Mgmt,eth1-03,eth2-01, |
| | | |eth1-06,eth1-07,eth1-08, |
| | | |eth2-02,eth2-03,eth2-04 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,AES-128, |
| | | | |AES-256,ESP,LinkSelection, |
| | | | |DynamicVPN,NatTraversal, |
| | | | |AES-XCBC,SHA256,SHA384 |
+---------------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer Trust to Walled Garden disables template offloads from rule #9
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer Trust to Walled Garden disables template offloads from rule #9
Throughput acceleration still enabled.
The accelerated packets are at 96%, with the F2F packets at 3% - but I'm wondering if focussing on increasing the number of accelerated connections would improve the performance at all? The second output shows that templates are being offloaded from rule 9, however that isn't entirely accurate. I am using inline layers in the ruleset and the "Trust to Walled Garden" inline layer is right above the clean-up rule. The rule XXX.9 is a rule for our Linux NFS servers and I believe the NFS services are known to impact on SecureXL templating, however I thought with this rule being so close to the bottom of the ruleset that it wouldn't have this impact on the connection templating.
We are running R80.40 T158 on a 15000 appliance. It has 32 cores, 4 of which are assigned to SND. Given the gateway is accelerating 96% of the packets, would it be a good idea to increase the number of SND cores?
Any advice would be appreciated, as always! 😊
Thanks,
Aaron.