This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dilian_Chernev
Collaborator
‎2021-05-07 12:09 AM

Slow HTTP connection is eating 80-90% of CPU core

Hello mates,

I have an issue with some FW overloads, while not so much traffic and connections are passing trough.

We have identified several heavy connections coming from S2S VPN taking about 80 % of a CPU core.
After some analysis with tcpdump/wireshark it appears that this connection bandwidth is about 162kbit/s for about 10 min capture (7mb file).
This is pretty slow connection for me, but is eating a lot of resources. 

Devices are powerful enough - Supermicro equivalent of CP 5900, three devices with R80.30 running in a HA Cluster.
About 300Mb/s overall bandwidth and 65k connections according to CPview. TP blades are activated with IA and AppCtrl. (no HTTPS inspection)

Could you give me some hints how to find out if this connection is accelerated or is passing through F2F path.

Also tried to add to fast_accel table, but there are no hits and suppose traffic from VPN cannot be passed to fast_accel.

Thanks

0 Kudos
2 Replies
Benedikt_Weissl
Advisor
‎2021-05-07 01:35 AM

You could try to look at the output of "fwaccel conns" (https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_PerformanceTuning_AdminGuide...). Its really strange a single connection is using so much CPU time, maybe something else contributes to the problem? VPN Encryption like 3DES or a custom application with a complex regex maybe?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-05-08 06:37 AM

In R80.30 all connections except those that are F2F should show up in the output of fwaccel conns.  The only official way to see F2F connections is fw ctl multik gconn, although there is the undocumented fw_mux all command which will show you the state of all connections regardless of acceleration status as it relates to the multiplexing of a stream across multiple worker cores.  See here:

fw ctl fast_accel - some traffic still going slow

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events