RoyA
Explorer

Heavy connection (Elephant Flows) on VSX, using the tool connstat - sk85780

Hello CheckMates,

Yesterday my end customer complained about a heavy connection flow.

I used some tools to try to investigate the traffic that makes that elephant flow, with some success in reaching the problem, I have to tell.

My question is: when I use

I see a lot of hits on rule 604, and I want to recommend to my customer to move that rule to a lower number in the access rules

to reduce CPU load.

Now, how can I be sure whether that rule is being accelerated or not by using these tools?

And how can I know that the rule belongs to the relevant VS? I use this command from the VS-DMZ: tcpdump -i any -w /var/log/capture.cap

Thank you all!

7 Replies
PhoneBoy
Admin

It would help if you share a screenshot of the relevant rule with version/JHF level.
Also, what blades are active?
If the issue is truly an elephant flow, moving the rule won’t necessarily solve the issue, but it could mitigate the risk.

RoyA
Explorer

Hi,

Rule number 602 has 13936 hits, and I would like to recommend to my end customer to move it to a lower number in the access rule layer.

Version: R80.30 VSX, Gaia, user-space FW

Screenshot:

How can I be sure whether that rule is being accelerated or not by using these tools?

Chris_Atkinson
Employee

CLI commands such as the following will assist you in determining where in the policy acceleration stops:

[Expert@FW]# fwaccel stat

Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #179

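As an added illustration of reading that output (example code written for this thread, not a Check Point tool or anything from the original posts): the snippet below parses the fields quoted above from a constructed `fwaccel stat` sample and reports whether a given rule number sits above the "disabled from rule #N" cutoff, i.e. whether Accept Templates can still be built for it. It assumes the usual reading of that line, that templating stops at rule N and every rule numbered N or higher is not templated, and also handles the case where templates are fully enabled or the accelerator is off.

```python
import re

# Constructed sample modelled on the output quoted in this thread; not captured
# from a real gateway.
SAMPLE_OUTPUT = """\
Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #179
"""


def parse_fwaccel_stat(text):
    """Extract accelerator state, template state and the template cutoff rule.

    Returns a dict; 'templates_disabled_from' is None when no cutoff is printed.
    """
    info = {"accelerator_on": False, "templates_enabled": False,
            "templates_disabled_from": None}
    m = re.search(r"Accelerator Status\s*:\s*(\w+)", text)
    if m:
        info["accelerator_on"] = m.group(1).lower() == "on"
    m = re.search(r"Accept Templates\s*:\s*(.+)", text)
    if m:
        info["templates_enabled"] = m.group(1).strip().lower().startswith("enabled")
    m = re.search(r"disabled from rule #(\d+)", text)
    if m:
        info["templates_disabled_from"] = int(m.group(1))
    return info


def rule_is_templated(text, rule_number):
    """True if Accept Templates can be built for rule_number.

    Assumption: rules numbered at or after the printed cutoff are not templated;
    rules above it are, provided the accelerator is on.
    """
    info = parse_fwaccel_stat(text)
    if not info["accelerator_on"]:
        return False
    cutoff = info["templates_disabled_from"]
    if cutoff is None:
        return info["templates_enabled"]
    return rule_number < cutoff


if __name__ == "__main__":
    for rule in (10, 179, 602, 604):
        print(rule, "templated" if rule_is_templated(SAMPLE_OUTPUT, rule) else "not templated")
```

With the sample above, rules 602 and 604 fall below the cutoff at #179, so moving either of them above rule 179 is what would let templates apply; the template state says nothing about a rule's hit count or whether a single heavy connection is the real problem.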
Christian_Koehl
Contributor

Dear RoyA,

you wrote "...and i want to recommend to my customer to move that rule to lower number on the access rules to reduce cpu load...".

As far as I know, moving the most used rules to the top is no longer necessary since R80.x (due to the new column-based matching).

RoyA
Explorer

Hello Christian,

I think it depends on whether the rule is being accelerated; if yes, then it is not necessary to move it to the top of the access layer.

RoyA
Explorer

Hello Chris,

In case this rule is being accelerated and it is disabled by the FW, I think it could lead to an impact.

Is there another way to know?

Chris_Atkinson
Employee

You can review the policy logic against that described in sk32578.

For example, rules with RPC / DCOM / DCE services would be a giveaway.
