Thank you!

1. Only firewall, QoS and Monitoring is enabled on both gateways. I enabled monitoring later to potentially find something out.

2. CPUs are highly utilized in both GW-GW and PC-GW scenarios. Here they are:

GW-GW (GW1 is server, cpview from it)

PC-GW (GW1 is again server)

The values are pretty close. All machines are vanilla installations, except GW1 has Take 76 and GW2 is without any JHF. But I'm not sure if that's the issue. I'm now updating that as well anyway.

It's a VMware environment. I still have RAM and CPU left on the host. Both GWs have 4GB RAM with 8 cores, and PCs 2GB RAM and 4 cores.

Please ask for more information 🙂 

I know in the "old days" of CP, lots of people would fix this by simply disabling corexl from cpconfig, rebooting, re-enable corexl, reboot again.

Not sure that necessarily might be needed in newer versions, but just wondering, can you maybe run top and ps -auxw commands, so we can see what exactly could be causing cpu problem?

Andy

Hi @kamilazat 

The 4 GB memory is not few a little bit? What does free -m say?

Akos

I agree with @AkosBakos , 4 GB ram is NOT nearly enough, even if you had 8, I would say that is barely enough...

Yes, run below and send the output.

Andy

[Expert@CP-GW:0]# free -h
total used free shared buff/cache available
Mem: 22G 5.9G 11G 31M 5.6G 15G
Swap: 8.0G 0B 8.0G
[Expert@CP-GW:0]#

Sure.

GW1
[Expert@GW1:0]# free -h
total used free shared buff/cache available
Mem: 3.6G 2.0G 283M 30M 1.3G 721M
Swap: 7.7G 4.2M 7.7G

GW2

[Expert@GW3:0]# free -h
total used free shared buff/cache available
Mem: 3.6G 2.0G 230M 20M 1.4G 782M
Swap: 8.0G 1.2M 8.0G

And still I don't understand why I can get 1gbps when I initiate the test from PC, while between GWs it's 300mbps. Just updated the other GW as well btw, still the same.

Less than 1 GB free memory? I hate to say this, but thats not nearly enough my friend : - (

I completely agree with you. Increased both machines to 10GB and redid the test.

Here's the free -h:

[Expert@GW1:0]# free -h
total used free shared buff/cache available
Mem: 9.5G 2.2G 4.4G 20M 2.9G 6.3G
Swap: 7.7G 0B 7.7G

Both machines show the same numbers. 

I did watch -n 1 "ps -auxww" during the test and it didn't change. 

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
admin 1 0.0 0.0 2632 704 ? Ss 21:58 0:01 init [3]
admin 2 0.0 0.0 0 0 ? S 21:58 0:00 [kthreadd]
admin 3 0.0 0.0 0 0 ? S 21:58 0:00 [kworker/0:0]
admin 4 0.0 0.0 0 0 ? S< 21:58 0:00 [kworker/0:0H]
admin 6 1.9 0.0 0 0 ? S 21:58 0:28 [ksoftirqd/0]
admin 7 0.0 0.0 0 0 ? S 21:58 0:00 [migration/0]
admin 8 0.0 0.0 0 0 ? S 21:58 0:00 [rcu_bh]
admin 9 0.2 0.0 0 0 ? S 21:58 0:03 [rcu_sched]
admin 10 0.0 0.0 0 0 ? S 21:58 0:00 [rcuob/0]
admin 11 0.0 0.0 0 0 ? S 21:58 0:00 [rcuos/0]
admin 12 0.0 0.0 0 0 ? S< 21:58 0:00 [lru-add-drain
]
admin 13 0.0 0.0 0 0 ? S 21:58 0:00 [watchdog/0]
admin 14 0.0 0.0 0 0 ? S 21:58 0:00 [watchdog/1]
admin 15 0.0 0.0 0 0 ? S 21:58 0:00 [migration/1]
admin 16 0.0 0.0 0 0 ? S 21:58 0:00 [ksoftirqd/1]
admin 18 0.0 0.0 0 0 ? S< 21:58 0:00 [kworker/1:0H]
admin 19 0.0 0.0 0 0 ? S 21:58 0:00 [rcuob/1]
admin 20 0.0 0.0 0 0 ? S 21:58 0:00 [rcuos/1]
admin 21 0.0 0.0 0 0 ? S 21:58 0:00 [watchdog/2]
admin 22 0.0 0.0 0 0 ? S 21:58 0:00 [migration/2]

And top showed:

It looks like all the traffic goes to f2f, which is understandable. iperf uses TCP traffic unless UDP is specified with -u. But with -u the bandwidth goes even lower (played with it to increase the rate but to no avail).

On the other hand, when PC is the iperf client the bandwidth is still close to 1gbps. I don't understand what changes.

What are the outputs of this commads?

fwaccel stats -s

fwaccel stat

fw ctl affinity -l -r

Akos

[Expert@GW1:0]# fwaccel stats -s
Accelerated conns/Total conns : 9/9 (100%)
LightSpeed conns/Total conns : 0/9 (0%)
Accelerated pkts/Total pkts : 3670/10364 (35%)
LightSpeed pkts/Total pkts : 0/10364 (0%)
F2Fed pkts/Total pkts : 6694/10364 (64%)
F2V pkts/Total pkts : 142/10364 (1%)
CPASXL pkts/Total pkts : 0/10364 (0%)
PSLXL pkts/Total pkts : 0/10364 (0%)
CPAS pipeline pkts/Total pkts : 0/10364 (0%)
PSL pipeline pkts/Total pkts : 0/10364 (0%)
QOS inbound pkts/Total pkts : 5779/10364 (55%)
QOS outbound pkts/Total pkts : 5046/10364 (48%)
Corrected pkts/Total pkts : 0/10364 (0%)

[Expert@GW1:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth0,eth1 |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
LightSpeed Accel : disabled

[Expert@GW1:0]# fw ctl affinity -l -r
CPU 0:
CPU 1:
CPU 2:
CPU 3: fw_4 (active)
cprid lpd mpdaemon fwd core_uploader fgd50 in.asessiond rtmd cprid cpd msgd
CPU 4: fw_3 (active)
cprid lpd mpdaemon fwd core_uploader fgd50 in.asessiond rtmd cprid cpd msgd
CPU 5: fw_2 (active)
cprid lpd mpdaemon fwd core_uploader fgd50 in.asessiond rtmd cprid cpd msgd
CPU 6: fw_1 (active)
cprid lpd mpdaemon fwd core_uploader fgd50 in.asessiond rtmd cprid cpd msgd
CPU 7: fw_0 (active)
cprid lpd mpdaemon fwd core_uploader fgd50 in.asessiond rtmd cprid cpd msgd
All:
Interface eth0: has multi queue enabled
Interface eth1: has multi queue enabled

Just increased the SND cores to test, but still the same.

You are saying even with more ram, though now it shows much more free memory, result is the same?

Andy

True..

What does cpview show now? Anything different than before you added the ram?

Andy

RAM doesn't change while doing the test. And CPU goes crazy as before. At this point I started thinking that it's a VMWare issue. Maybe it calculates the traffic in a different way when it comes to different machines, despite PC having only 2GB RAM and 4 cores. I wouldn't be surprised. I'll try rebooting the host.

I agree, thats probably a good idea.

I couldn't find anything related to VMware either. Rebooted the host, restarted VMWare NAT service. Tomorrow I will use the lab in the company esxi and try cranking up the specs on my machines there. I will update when I get anything new. 

Thank you for your prompt reaction. I appreciate it!

No worries mate, we are here to help. Yes, please let us know how the testing goes and what results you get.

Andy

Hi @kamilazat 

Change the core and the memory

4 Cores, 8 GB. 

Akos

Personally, I would bump it to 6 cores/ at least 12 GB ram (16 if possible) 

🙂

Andy

Hi @PhoneBoy,

I attached the s7 output from both GWs. 

@the_rock I tried the test at work just now, it's esxi and has more resources, I cranked up the specs but the difference between PC initiated traffic and other-GW initiated traffic is still there.

I'm testing the load using this command:
On PC: iperf3 -c 192.168.1.254 -P 9 -t 60

On GW2: ./iperf3-i386 -c 192.168.1.254 -P 9 -t 60

I noticed that when GW initiates iperf, the load on SND cores are not balanced.

But when the PC initiates it, the load becomes more balanced.

Maybe it's because I downloaded iperf3 to PC from https://files.budman.pw/ (the first link that comes when you google), and for GWs I used the link Tim Hall provided here. Although I doubt that there is much of a difference in traffic generation algorithm on these different versions for PC and linux, but I stand corrected.

Let me review those files, but it seems like even cpview output would not differ much...

Andy

You can see this in the Super Seven output for GW2:

F2Fed pkts/Total pkts            : 395146/395146 (100%)

SecureXL does not accelerate traffic originating from the gateway.
Which is why you're seeing all the traffic on one core.
This is expected behavior.

I completely agree. But I'm still puzzled by the fact that that's not the case when I initiate the traffic from PC. Just created a Linux Mint machine to try with, and it also can see 1gbps speeds. 

F2F only happens when iperf traffic is initiated from the other GW.

Why do you think could this be?

I'm not 100%  sure, but only transitive traffic can be accelerated as I know.
@the_rock @PhoneBoy will correct me if I'm wrong.

yup

https://support.checkpoint.com/results/sk/sk32578

Ok, I read the whole article twice and the closest candidate that may imply 'transitive traffic' is:
"All packets that match a rule, whose source or destination is the Security Gateway itself."

When I initiate an iperf test from one GW to the other, the source and the destination are both GWs. Although I have only one any-any-accept rule, that traffic hits this rule and since the src and dst are both GWs, SecureXL gets disabled, because an entry is created in the connections table that has GW addresses on both src and dst positions.

And when I initiate iperf traffic from a non-GW machine (PC or Linux Mint in my case) traffic gets accelerated without problems, which results in high bandwidth.

Am I correct in my understanding? 

And if yes, is there a way to bypass this (maybe adding this connection manually to fastaccel connections table or something)?

SecureXL was designed to accelerate traffic traversing the gateway only.
It was not designed to nor will it accelerate traffic that directly originates from or terminates on the gateway.