Re: Upgrade to R81 SecureXL and Other Issues

Carlos_Caraball · ‎2021-09-21

Hello,

We recently upgraded from R80.40 to R81 and are still experiencing some issues. Here's our environment information:

- Cluster of two 5800 appliances running VSX

- A total of 10 vs systems

- Upgrade from R80.40 old kernel to R81 new kernel (3.10). Had to run a fresh install, vsx util upgrade, vsx util reconfigure

After upgrade was completed over the weekend, noticed on Monday internet traffic gradually slowing down until it totally stopped. After thorough analysis with the checkpoint professional services, we disabled securexl on the vs handling traffic out to the internet and that fixed the problem. Tried enabling securexl after increasing ws_max_sessions_per_conn and ws_max_timestamped_sessions_per_conn params but still experienced the same problem. Also noticed we are not able to run the cipher_util command. It comes back with a "Cannot access features configuration directory" message.

Without securexl on we are experiencing higher than usual cpu usage than normal on our perimeter web traffic gateway and cannot enable disable ciphers not being able to issue the ciphers_util command.

Summary:

- Can't run acceleration on web gateway traffic which hinders cpu usage

- Can't run ciphers_util command

I have created tickets with the TAC for each of these problems.

Want to know if anyone has experience similar issues.

Thanks!

the_rock · ‎2021-09-21

Just curious...whats is CPU % difference when you have sxl on/off? Is it really significant?

Carlos_Caraball · ‎2021-09-21

It used to be 30-35 % during high use times before. Now we hit 90% during high usage times. Almost constantly over 50%.

the_rock · ‎2021-09-21

That sounds pretty serious to me. What did TAC suggest so far?

Carlos_Caraball · ‎2021-09-21

No suggestions so far. Re-creating environment on their lab. Will most likely escalate the securexl issue.

the_rock · ‎2021-09-21

Good idea.

Hari · ‎2021-10-03

issue has been resolved ? we are also planning to upgrade VSX from R80.40 to R81, bit worried after i seeing this post.

Carlos_Caraball · ‎2021-10-04

Issue has not been resolved yet. TAC is working on a fix for us and was supposed to be ready by past Thursday Sept 30th but haven't heard back from them. Will contact today to find out and get a status update.

Naama_Specktor · ‎2021-10-04

Hello Carlos ,

We are not familiar with this issue , I will appreciate it if you share the SR # (you can also in PM).

Carlos_Caraball · ‎2021-10-04

SR#6-0002981704

PhoneBoy · ‎2021-10-03

Just so you know, the new(er) kernel was in R80.40 also.
TAC is definitely going to have to dig into the issue with SecureXL.

Hari · ‎2021-10-04

looks like still R81 is not recommended for VSX 🙄

PhoneBoy · ‎2021-10-04

Where precisely are you seeing a declaration that R81 is NOT recommended for VSX?
It's not clear, on the surface anyway, the issue in this thread has anything to do with VSX.

Hari · ‎2021-10-04

yes his environment similar to our setup and don't want to take any unnecessary risk related to production traffic.

Carlos_Caraball · ‎2021-10-05

TAC was supposed to deliver a fix last Thursday and they're still working on the fix. I'm also having issues with memory. VSX running web perimeter gateway handling https inspection and the one consuming the most CPU cycles have run out of memory twice now. Monitoring memory now. If it runs out of memory again will have to open another case with TAC for this memory issue.

Ilya_Yusupov · ‎2021-10-05

Hi @Carlos_Caraball ,

I will take it offline with you for further investigation.

Thanks,

Ilya

Hari · ‎2021-10-08

please let us know the progress of the SR.

Carlos_Caraball · ‎2021-10-11

TAC produced a fix on 10/7/2021. I installed it early 10/8/2021 and so far it has fixed all issues. Currently running securexl with no problems reported thus far.

Hari · ‎2021-10-16

thanks for the update

genisis__ · ‎2021-10-17

Do we know if this will be integrated into the next R81 and R81.10 Jumbos? If so when?

Ilya_Yusupov · ‎2021-10-17

Hi @genisis__ ,

Yes the fix will be part of next Jumbo release of both versions, i will update the thread once it will be released.

The ETA is very depend on testing cycles etc... so i can't give accurate estimation at the moment.

Thanks,

Ilya

genisis__ · ‎2021-10-17

thanks, hopefully it will be out soon.

Djo · ‎2021-10-18

Hi, should we can get a fix from TAC before the next GA of R81 Take XX ?

Are you a member of CheckMates?

Upgrade to R81 SecureXL and Other Issues