This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Firewallteam_DE
Explorer
‎2019-10-09 03:03 AM

What "set vsx on/off" actually does under hood?

Hello Guys

I am having trouble finding what does turning on/off vsx mode does to firewall cluster.

 

I have 2 members fully configured in cluster VSLS mode, running coreXL, few virtual-systems on it and soon in production. In many guides theres suggestion to turn off vsx mode before applying some commands which otherwise cannot be accepted. I only understand that vsx mode is "interface and routes configuration protection". But is there anything beyond human factor protection in CLI?

 

Subsequently, I have this problem:

automatic affinity on one cluster member is working fine, and it doesn't on another:

A:

eth1-01 : 8
eth1-02 : 8
eth1-03 : 0
eth1-04 : 8
eth2-01 : 0
eth2-04 : 8
eth2-05 : 0
eth2-08 : 8
eth3-01 : 0
eth3-02 : 0

 

B:

eth1-01 : 0
eth1-02 : 0
eth1-03 : 0
eth1-04 : 0
eth2-01 : 0
eth2-04 : 0
eth2-05 : 0
eth2-08 : 0
eth3-01 : 0
eth3-02 : 0

some CP article suggests checking "fw ctl multik get_mode" to see if dynamic dispatcher is on, but this command cannot be run in vsx mode:

Option not supported in VSX mode.

Edit: (there are 2 cores for vs:0 in my setup) after restarting and re-entering default affinity mode (automatic) all interfaces are assigned core 0 (I expected even distribution between cores 0, 8). There is no traffic passing interfaces yet.

Thank you

Tomas

0 Kudos
4 Replies
G_W_Albrecht
Legend
Legend
‎2019-10-09 07:07 AM

Before risking my VSX VSLS configuration i would rather involve TAC !

CCSE CCTE SMB Specialist
0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2019-11-06 02:00 PM
In response to G_W_Albrecht

Here's link to my cpx presentation on the subject of VSX optimisation

https://community.checkpoint.com/t5/Member-Exclusive-Content/VSX-performance-optimisation-pdf/m-p/41...

Hard to answer without having full details of the system.

As for vsx off - yes it's mainly to protect system from making silly mistakes in areas that are owned my management i.e routing and interfaces. You will learn to survive without it 🙂 can't remember last time I turned vsx off 

0 Kudos
Chris_Atkinson
Employee
Employee
‎2019-11-06 03:06 PM

Which GW version are you utilising?
Dynamic dispatcher is available only from R80.20 and above for VSX mode.
0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2019-11-06 09:20 PM
In response to Chris_Atkinson

And be careful not to mix up two things - affinity for SXL or interfaces and affinity for for fw workers. Your original post mixed two together. Try printing both types with fw ctl affinity -l and we can take it from there