Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Carlos_Caraball
Participant

Upgrade to R81 SecureXL and Other Issues

Hello,

We recently upgraded from R80.40 to R81 and are still experiencing some issues.  Here's our environment information:

- Cluster of two 5800 appliances running VSX

- A total of 10 vs systems

- Upgrade from R80.40 old kernel to R81 new kernel (3.10). Had to run a fresh install, vsx util upgrade, vsx util reconfigure

After upgrade was completed over the weekend, noticed on Monday internet traffic gradually slowing down until it totally stopped.  After thorough analysis with the checkpoint professional services, we disabled securexl on the vs handling traffic out to the internet and that fixed the problem.  Tried enabling securexl after increasing ws_max_sessions_per_conn and  ws_max_timestamped_sessions_per_conn params but still experienced the same problem.  Also noticed we are not able to run the cipher_util command.   It comes back with a "Cannot access features configuration directory" message.  

Without securexl on we are experiencing higher than usual cpu usage than normal on our perimeter web traffic gateway and cannot enable disable ciphers not being able to issue the ciphers_util command.

 

Summary:

- Can't run acceleration on web gateway traffic which hinders cpu usage

- Can't run ciphers_util command

 

I have created tickets with the TAC for each of these problems.

Want to know if anyone has experience similar issues. 

 

Thanks!

0 Kudos
22 Replies
the_rock
Authority
Authority

Just curious...whats is CPU % difference when you have sxl on/off? Is it really significant?

Carlos_Caraball
Participant

It used to be 30-35 % during high use times before.  Now we hit 90% during high usage times.  Almost constantly over 50%.  

0 Kudos
the_rock
Authority
Authority

That sounds pretty serious to me. What did TAC suggest so far?

Carlos_Caraball
Participant

No suggestions so far.  Re-creating environment on their lab.  Will most likely escalate the securexl issue.

the_rock
Authority
Authority

Good idea.

Hari
Explorer

issue has been resolved ? we are also planning to upgrade VSX from R80.40 to R81, bit worried after i seeing this post.

0 Kudos
Carlos_Caraball
Participant

Issue has not been resolved yet. TAC is working on a fix for us and was supposed to be ready by past Thursday Sept 30th but haven't heard back from them.  Will contact today to find out and get a status update.

0 Kudos
Naama_Specktor
Employee
Employee

Hello Carlos ,

 

We are not familiar with this issue , I will appreciate it if you share the SR # (you can also in PM). 

0 Kudos
Carlos_Caraball
Participant

SR#6-0002981704

0 Kudos
PhoneBoy
Admin
Admin

Just so you know, the new(er) kernel was in R80.40 also.
TAC is definitely going to have to dig into the issue with SecureXL.

0 Kudos
Hari
Explorer

looks like still R81 is not recommended for VSX 🙄

0 Kudos
PhoneBoy
Admin
Admin

Where precisely are you seeing a declaration that R81 is NOT recommended for VSX?
It's not clear, on the surface anyway, the issue in this thread has anything to do with VSX. 

0 Kudos
Hari
Explorer

yes his environment similar to our setup and don't want to take any unnecessary risk related to production traffic. 

0 Kudos
Carlos_Caraball
Participant

TAC was supposed to deliver a fix last Thursday and they're still working on the fix.  I'm also having issues with memory.  VSX running web perimeter gateway handling https inspection and the one consuming the most CPU cycles have run out of memory twice now.  Monitoring memory now.  If it runs out of memory again will have to open another case with TAC for this memory issue.

0 Kudos
Ilya_Yusupov
Employee
Employee

Hi @Carlos_Caraball ,

 

I will take it offline with you for further investigation.

 

Thanks,

Ilya 

0 Kudos
Hari
Explorer

please let us know the progress of the SR.

0 Kudos
Carlos_Caraball
Participant

TAC produced a fix on 10/7/2021.  I installed it early 10/8/2021 and so far it has fixed all issues.  Currently running securexl with no problems reported thus far.  

0 Kudos
Hari
Explorer

thanks for the update 

0 Kudos
genisis__
Advisor

Do we know if this will be integrated into the next R81 and R81.10 Jumbos?  If so when?

0 Kudos
Ilya_Yusupov
Employee
Employee

Hi @genisis__ ,

 

Yes the fix will be part of next Jumbo release of both versions, i will update the thread once it will be released.

The ETA is very depend on testing cycles etc... so i can't give accurate estimation at the moment.

Thanks,

Ilya 

0 Kudos
genisis__
Advisor

thanks, hopefully it will be out soon.

0 Kudos
Djo
Explorer

Hi, should we can get a fix from TAC before the next GA of R81 Take XX ?

0 Kudos