This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
P_Williams
Contributor
‎2025-04-08 08:11 AM
Jump to solution

What do the numbers in vpn tu mstats refer to?

Hi,

When running that command what do the inSPIs and outSPIs numbers relate to?

# vpn tu mstats

 

   Instance#     # of inSPIs    # of outSPIs
           0              36              37
           1              41              41
           2              41              41
           3              36              36
           4              32             240
   -----------------------------------------
   Summary:              186             395

We had a few reports of VPNs (Remote Access and Site to Site) dropping out. I could see that in Smart Console under VPN Capacity Optimization that the maximum concurrent tunnels was configured as 600 and was wondering that as 186+395 = 581 therefore we are often running over that limit?

 

Labels
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2025-04-09 06:29 AM
Jump to solution

vpn tu mstats refers to the distribution of SPI processing among multiple Firewall Worker Instance cores, and was introduced in R80.10 as "Multicore VPN": sk118097: MultiCore Support for IPsec VPN

Prior to R80.10 a connection's handling and inspection could be performed by any one of the worker cores for that single connection, however any VPN encryption/decryption operations could only be handled by worker instance 0 which was normally the highest-numbered core in the system.  Needless to say this caused a huge bottleneck for IPSec VPN performance.

Starting in R80.10 while a single worker core still handles the inspection of all the packets of a single connection (connection instance), for balancing purposes the IPSec VPN encryption/decryption can be handled by a different worker instance core (not necessarily instance 0) which is referred to a the as the "tunnel instance" (cite: sk104760: ATRG: VPN Core (Site to Site)).  This "outsourcing" of encryption/decryption operations off the connection instance is indicated by the vpn tu mstats command, and also appears as the "e" and "E" capture points in fw monitor as discussed here: fw monitor inspection point e or E

What we would consider a "tunnel" (whether the initial IKE tunnel or the IPSec tunnel) actually consists of two SPIs.  SPI's are unidirectional, so for an IKE SA tunnel there is an inbound SPI and an outbound SPI.  For the IPSec SA tunnel there is also a separate inbound SPI and an outbound SPI.  

I'm not sure where you are getting 600 for the maximum number of concurrent VPN tunnels (unless you are on SMB/Spark) as the default is 10,000 on regular gateways.  I would assume a max of 10,000 tunnels would mean a maximum of 20,000 SPIs.  If you are indeed bumping against some kind of tunnel limit make sure you are not using "pair of hosts" in the VPN tunnel sharing section of your VPN communities, as this will create a crapload of individual tunnels.  

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

0 Kudos
5 Replies
the_rock
Legend
Legend
‎2025-04-08 08:16 AM
Jump to solution

I hope below makes sense? Its from AI copilot.

Andy

vpn tu mstatscommand is used to show the distribution of VPN traffic between CoreXL Firewall instances on a Check Point Security Gateway. The numbers in the output of this command refer to the following:

  • Instance#: The CoreXL Firewall instance number.
  • # of inSPIs: The number of inbound Security Parameter Indexes (SPIs) processed by the instance.
  • # of outSPIs: The number of outbound Security Parameter Indexes (SPIs) processed by the instance.

Here is an example output for better understanding:

[Expert@MyGW:0]# vpn tu mstats
   Instance# # of inSPIs # of outSPIs
           0 182 170
           1 184 176
           2 191 174
           3 215 197
           4 237 227
           5 191 176
           6 180 170
           7 190 166
           8 171 160
           9 199 187
   -----------------------------------------
   Summary: 1940 1803
[Expert@MyGW:0]#

In this example:

  • Instance 0 has processed 182 inbound SPIs and 170 outbound SPIs.
  • Instance 1 has processed 184 inbound SPIs and 176 outbound SPIs.
  • And so on...
0 Kudos
P_Williams
Contributor
‎2025-04-08 08:35 AM
In response to the_rock
Jump to solution

To be honest it doesnt really answer my question.

Lets say a VPN is configured as 'One tunnel per subnet pair' and when you look at the VPN details on vpn tu it shows the below

IKEv2 SA <4378d7c604e579b4,cb977ad6b4664b05>
INBOUND:
1. 0x2e3aee81 (i: 0)
2. 0xaaa9ed69 (i: 0)
3. 0x9423290c (i: 2)
4. 0xcc7d04df (i: 2)
5. 0xc4d08596 (i: 4)
OUTBOUND:
1. 0x76202cce (i: 0)
2. 0x7170fcfa (i: 0)
3. 0xa16aa84 (i: 2)
4. 0xbc5f53b4 (i: 2)
5. 0xb9ee9192 (i: 4)

To me that looks like 5 inbound SPIs and 5 outbound SPIs. But are SPIs equal to tunnels? Is that considered 10 tunnels?

0 Kudos
the_rock
Legend
Legend
‎2025-04-08 08:39 AM
In response to P_Williams
Jump to solution

No, SPI is more tied to security association, not the tunnel itself specifically.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-04-09 06:29 AM
Jump to solution

vpn tu mstats refers to the distribution of SPI processing among multiple Firewall Worker Instance cores, and was introduced in R80.10 as "Multicore VPN": sk118097: MultiCore Support for IPsec VPN

Prior to R80.10 a connection's handling and inspection could be performed by any one of the worker cores for that single connection, however any VPN encryption/decryption operations could only be handled by worker instance 0 which was normally the highest-numbered core in the system.  Needless to say this caused a huge bottleneck for IPSec VPN performance.

Starting in R80.10 while a single worker core still handles the inspection of all the packets of a single connection (connection instance), for balancing purposes the IPSec VPN encryption/decryption can be handled by a different worker instance core (not necessarily instance 0) which is referred to a the as the "tunnel instance" (cite: sk104760: ATRG: VPN Core (Site to Site)).  This "outsourcing" of encryption/decryption operations off the connection instance is indicated by the vpn tu mstats command, and also appears as the "e" and "E" capture points in fw monitor as discussed here: fw monitor inspection point e or E

What we would consider a "tunnel" (whether the initial IKE tunnel or the IPSec tunnel) actually consists of two SPIs.  SPI's are unidirectional, so for an IKE SA tunnel there is an inbound SPI and an outbound SPI.  For the IPSec SA tunnel there is also a separate inbound SPI and an outbound SPI.  

I'm not sure where you are getting 600 for the maximum number of concurrent VPN tunnels (unless you are on SMB/Spark) as the default is 10,000 on regular gateways.  I would assume a max of 10,000 tunnels would mean a maximum of 20,000 SPIs.  If you are indeed bumping against some kind of tunnel limit make sure you are not using "pair of hosts" in the VPN tunnel sharing section of your VPN communities, as this will create a crapload of individual tunnels.  

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
P_Williams
Contributor
‎2025-04-22 06:44 AM
In response to Timothy_Hall
Jump to solution

Thanks Timothy, so it sounds like dividing the SPI by 2 gets you to an rough estimate of the number of VPNs.

The 600 number is from the Optimizations window in the SmartConsole Cluster Properties. It was set very low by the PS building the firewalls and we have always just made the number greater in small jumps.

I think our issues were not caused by one IPSec VPN. It was set to route based on our side, policy based on the remote side, and from it being implemented and not working to then removing the config for this one VPN, there was issues with other VPNs. Once deleted and set to policy based on our side everything was fine.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events