Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dilian_Chernev
Collaborator

Slow HTTP connection is eating 80-90% of CPU core

Hello mates,

I have an issue with some FW overloads, while not so much traffic and connections are passing trough.

We have identified several heavy connections coming from S2S VPN taking about 80 % of a CPU core.
After some analysis with tcpdump/wireshark it appears that this connection bandwidth is about 162kbit/s for about 10 min capture (7mb file).
This is pretty slow connection for me, but is eating a lot of resources. 

Devices are powerful enough - Supermicro equivalent of CP 5900, three devices with R80.30 running in a HA Cluster.
About 300Mb/s overall bandwidth and 65k connections according to CPview. TP blades are activated with IA and AppCtrl. (no HTTPS inspection)

Could you give me some hints how to find out if this connection is accelerated or is passing through F2F path.

Also tried to add to fast_accel table, but there are no hits and suppose traffic from VPN cannot be passed to fast_accel.

Thanks

0 Kudos
2 Replies
Benedikt_Weissl
Advisor

You could try to look at the output of "fwaccel conns" (https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_PerformanceTuning_AdminGuide...). Its really strange a single connection is using so much CPU time, maybe something else contributes to the problem? VPN Encryption like 3DES or a custom application with a complex regex maybe?

0 Kudos
Timothy_Hall
Legend Legend
Legend

In R80.30 all connections except those that are F2F should show up in the output of fwaccel conns.  The only official way to see F2F connections is fw ctl multik gconn, although there is the undocumented fw_mux all command which will show you the state of all connections regardless of acceleration status as it relates to the multiplexing of a stream across multiple worker cores.  See here:

fw ctl fast_accel - some traffic still going slow

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events