We have had a problem downloading files via a VPN tunnel for some time now.
When I download a file from the headquarters to our office, our speed is about 15MB/s (sometimes more at startup, but after a while, it drops).
If I were uploading the same file (I am testing on a 1GB file) to the headquarters, the speed would be about 50MB/s.
Has anyone had a similar case?
I'm trying to diagnose it but so far without success.
Tomasz
Site to site? Or client VPN? What encryption methods are used? Make sure not to use, for example, slow-performing methods like 3DES. What blades are enabled on the gateway?
Site to site. Meshed community.
I have disabled almost all blades on my site. Now I have fw, vpn, anti_bot.
Try to move away from MD5 and 3DES; they are not secure and are CPU intensive. Then test again. Could also be a software bug; what is the cpinfo -y all output?
Hi
Here is my cpinfo -y all
[Expert@pl-fw-1:0]# cpinfo -y all
This is Check Point CPinfo Build 914000248 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[FW1]
HOTFIX_R81_20_JHF_T89_721_MAIN
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
FW1 build number:
This is Check Point's software version R81.20 - Build 039
kernel: R81.20 - Build 001
[SecurePlatform]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
HOTFIX_ENDER_V17_AUTOUPDATE
[CPinfo]
No hotfixes..
[PPACK]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
HOTFIX_ESOD_SWS_AUTOUPDATE
HOTFIX_ESOD_SCANNER_AUTOUPDATE
HOTFIX_ESOD_CSHELL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[CPUpdates]
BUNDLE_INEXT_NANO_EGG_AUTOUPDATE Take: 13
BUNDLE_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 5
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 50
BUNDLE_QUID_AUTOUPDATE Take: 14
BUNDLE_R80_40_MAAS_TUNNEL_AUTOUPDATE Take: 60
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 23
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 128
BUNDLE_ESOD_SWS_AUTOUPDATE Take: 14
BUNDLE_ESOD_SCANNER_AUTOUPDATE Take: 10
BUNDLE_GENERAL_AUTOUPDATE Take: 21
BUNDLE_INFRA_AUTOUPDATE Take: 67
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 27
BUNDLE_ESOD_CSHELL_AUTOUPDATE Take: 20
BUNDLE_ENDER_V17_AUTOUPDATE Take: 26
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 40
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 129
BUNDLE_R81_20_JUMBO_HF_MAIN Take: 89
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_HCP_AUTOUPDATE Take: 76
BUNDLE_CPSDC_AUTOUPDATE Take: 34
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[CPDepInst]
No hotfixes..
[CPotelcol]
HOTFIX_OTLP_GA
[CPviewExporter]
HOTFIX_OTLP_GA
[core_uploader]
HOTFIX_CHARON_HF
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPotlpAgent]
HOTFIX_OTLP_GA
I changed my configuration to the one recommended by @Timothy_Hall.
Now uploading is better, up to 100MB/s, but downloading swings from 3MB/s to 30Mb/s (sine wave).
But from another place it is much better, about 50MB.
Would recommend changing MD5 to something more secure and better performing.
Almost certainly a sub-1500 MTU somewhere in your network path between the peers, see:
sk98074: MTU and Fragmentation Issues in IPsec VPN
The tracepath command, run from one peer to the other, can be used to confirm a low MTU is present.
I ran tracepath but I got no reply from all hops.
tracepath 10.2.0.240
1?: [LOCALHOST] pmtu 1500
1: no reply
2: no reply
3: no reply
4: no reply
5: no reply
6: no reply
7: no reply
8: no reply
9: no reply
10: no reply
11: no reply
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
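A caveat on reading the run above: every hop answered "no reply", so the "pmtu 1500" it prints is just the local interface MTU, not a path MTU confirmed by any router. Path MTU discovery only learns a smaller value when an intermediate hop returns an ICMP "fragmentation needed" message; if ICMP is filtered along the path, the run is inconclusive rather than a clean bill of health. The following Python script is an added example for this thread (not the poster's output, nor Check Point or iputils tooling). It parses tracepath output of the shape shown, separates an inconclusive run from one where a hop actually reported a lower pmtu, and derives the TCP MSS that fits the discovered MTU (40 bytes for IPv4 plus TCP headers, the quantity the MSS clamping sk in this thread is about). The two sample outputs, the addresses in them and the esp_overhead parameter are constructed assumptions.

```python
"""Judge whether a tracepath run actually confirmed the path MTU.

Added example for this thread; not code from the thread or from Check Point.
"""
import re

# Constructed sample: every hop silent, as in the thread (shortened).
SAMPLE_NO_REPLY = """\
 1?: [LOCALHOST] pmtu 1500
 1: no reply
 2: no reply
 3: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
"""

# Constructed sample: hop 2 returned "fragmentation needed" with a 1400-byte MTU.
SAMPLE_LOW_MTU = """\
 1?: [LOCALHOST] pmtu 1500
 1: 192.0.2.1 0.512ms
 2: 198.51.100.1 3.210ms pmtu 1400
 3: 203.0.113.7 12.004ms reached
Resume: pmtu 1400 hops 3 back 3
"""

HOP_RE = re.compile(r"^\s*(\d+)\??:\s+(.*)$")      # " 1?: ..." and " 2: ..."
PMTU_RE = re.compile(r"pmtu (\d+)")
RESUME_RE = re.compile(r"^\s*Resume: pmtu (\d+)")
IPV4_TCP_HEADERS = 40                               # 20-byte IPv4 + 20-byte TCP


def parse_tracepath(text):
    """Return which hops replied, the lowest pmtu seen, where it was seen, and a verdict."""
    hops_replied, hops_silent = [], []
    min_pmtu, low_mtu_hop, resume = None, None, None
    for line in text.splitlines():
        m = RESUME_RE.match(line)
        if m:
            resume = int(m.group(1))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue                     # trailer lines such as "Too many hops: ..."
        ttl, rest = int(m.group(1)), m.group(2).strip()
        p = PMTU_RE.search(rest)
        if p:
            value = int(p.group(1))
            if min_pmtu is None or value < min_pmtu:
                min_pmtu = value
                # The LOCALHOST line is the local interface MTU, not a router report.
                low_mtu_hop = None if "LOCALHOST" in rest else ttl
        if "LOCALHOST" in rest:
            continue
        if rest == "no reply":
            hops_silent.append(ttl)
        else:
            hops_replied.append(ttl)
    if not hops_replied:
        verdict = "inconclusive"         # ICMP filtered: pmtu shown is only the local MTU
    elif min_pmtu is not None and min_pmtu < 1500:
        verdict = "low-mtu"              # a hop really reported a sub-1500 MTU
    else:
        verdict = "no-low-mtu-seen"
    return {
        "replied": hops_replied,
        "silent": hops_silent,
        "min_pmtu": min_pmtu,
        "low_mtu_hop": low_mtu_hop,
        "resume": resume,
        "verdict": verdict,
    }


def tcp_mss_for(path_mtu, esp_overhead=0):
    """MSS that fits one packet of path_mtu bytes.

    esp_overhead is an assumed, caller-supplied figure for the IPsec
    encapsulation bytes (it depends on the cipher and mode); 0 means plain IPv4.
    """
    return path_mtu - esp_overhead - IPV4_TCP_HEADERS


if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("low mtu", SAMPLE_LOW_MTU)):
        r = parse_tracepath(sample)
        print(f"{name}: verdict={r['verdict']} min_pmtu={r['min_pmtu']} "
              f"at_hop={r['low_mtu_hop']} replied={len(r['replied'])} "
              f"silent={len(r['silent'])} mss={tcp_mss_for(r['min_pmtu'])}")
```

Feed it the real output of `tracepath <peer>` captured from each gateway; an "inconclusive" verdict means the test has to be repeated from a host that can receive ICMP from the intermediate routers, or the MTU has to be probed another way, before the sub-1500 MTU hypothesis can be ruled out.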
Can you please list all the things you tried so far, so we can at least eliminate those as being possibilities for this issue?
Andy
Hi
At first I checked netstat -ni and found RX dropped and RX overruns on eth1 and eth5.
I increased rx-ringsize first to 2048 and then to 4096.
Now there are no drops, but it did not help.
Second, I ran fwaccel stats -s.
I tried to reduce the F2F traffic; now there is about 12%.
Third, I disabled almost all blades.
Fourth, changed encryption settings.
Fifth, increased/decreased MTU (tried 1410, 1480, 9000).
I also checked sk165853 but it looks OK.
I also used this manual: sk61221 - Issues requiring adjustment of the Maximum Segment Size (MSS) of TCP SYN and TCP SYN-ACK p...
Now
fw_clamp_tcp_mss=1
No improvement in sight, or only for upload.
I decided to order an MTR test between these two sites from the ISP.
Tomek
Good to see you take the advice seriously.
One question: for this site to site you have 2 gateways, right? Are both under your control? If not, maybe the other gateway needs to be checked.
Hi Lesley.
Yes, I will check the gateway on the second site today or tomorrow evening.
Let's see what the outcome is from that gateway; maybe that is the (new) bottleneck.
So is it any better now after all those changes, or more or less the same?
Andy
Hi Andy
Download more or less the same, but upload to Sweden is better.
Hi, I ran tracepath but I got no reply from all hops.
Too many hops: pmtu 1500
Resume: pmtu 1500
Is it different if you change the MTU size to something else?
Andy
@Tomas3miasto Here is something to consider, though, when changing MTU. So, as I'm sure you might be aware, a smaller MTU size means more, smaller packets, but a bigger MTU size means fewer, bigger packets.
In general, a larger MTU size is better because it reduces overhead and improves throughput. However, there are some cases where a smaller MTU size is better, such as for high-speed interfaces.
Andy
You can also check sk165853 if this applies.