This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wolfgang
Authority
Authority
‎2019-02-13 09:52 PM

max performance / throughput of site2site-VPN

Dear Checkmates,

I had a question regarding the throughput of one VPN site2site-tunnel.
We did some research with different appliances but did not get more then 900Mb/s for a single connection.

We tested 5600, 5800, 13800 and 15400, all with the same result.
SecureXL is on, all VPN trafic is fully accelerated.
Incoming and outgoing interface are on different SNDs.
We do not see more then 50% CPU utilization on both cores for the SNDs, looks like there are some credits before hitting 100%CPU.
Hardware encryption via AES-NI is on and we use the best IPSEC-parameter following sk73980.

The datasheet for an 5600 appliance shows 6,5GBbs and following sk73980 there should be 429% refer the datasheet possible.
I know this is a marketing value and only relevant if using multiple connections. But I hope there can be more possible.

Has anyone seen more then 1Gb/s throughput on a single VPN-tunnel and a single connection beetween devices behind two CheckPoint devices?

Any ideas are welcome.

regards
Wolfgang

18 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-02-14 06:08 AM

Please consult sk105119: Best Practices - VPN Performance first.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Wolfgang
Authority
Authority
‎2019-02-14 06:23 AM
In response to G_W_Albrecht

Thanks Günther,

we checked these sk twice but with no success.

Wolfgang

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-14 02:12 PM
In response to Wolfgang

when using 10Gb interfaces this should be achievable, if however you are using port channels / bonding, that will be your limiting factor. On the 1Gb interfaces even if you combine 5 of them in a port channel/bond, there is still a hashing mechanism that will assign the traffic to a specific port in the channel, this is where you run into the single session limit of the port channel of 1 interface.

Regards, Maarten
Wolfgang
Authority
Authority
‎2019-02-14 10:47 PM
In response to Maarten_Sjouw

You’re right Maarten. A single connection will be run everytime over only one interface and is processed only on one core.

But we are using 10G interfaces. It looks like this is a limitation oft he system, maybee not the hardware but the software.

Wolfgang

PhoneBoy
Admin
Admin
‎2019-02-15 03:58 PM

If it's between a single source to a single destination (independent of VPN), then this is expected behavior.

We call this an "elephant flow."

Steffen_Appel
Advisor
‎2019-08-26 11:27 PM
In response to PhoneBoy

Is this a limitation per tunnel?

So if we are connecting to sites does it make a difference, if we choose one tunnel per GW/network/host?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-27 05:04 AM
In response to Steffen_Appel

It is not a limitation per VPN tunnel specifically, so modifying the VPN Tunnel Sharing value will have no effect on your issue, the limitation is per individual connection (and a single VPN tunnel can carry multiple connections of course).  All the packets of a single connection (TCP or UDP) can only be handled by one core (whether it is a SND/IRQ or Firewall Worker), so in the case of an elephant flow all those packets will hit a single core and cannot be spread around to different cores to relieve the load.   Trying to spread the packets for a single elephant flow connection around to multiple cores raises the specter of out-of-order delivery, which if it happens will cause TCP to sharply curtail its send rate due to the congestion/problems it is seeing in the network flow and is an unmitigated disaster from a performance perspective.

Should this single-core limitation per connection ever be lifted, there would need to be some kind of reordering mechanism on the firewall to ensure packets are delivered in order.  However doing so would bottleneck the flow of a connection's packets down to the speed of the slowest or most congested core handling packets for that connection, as packets that have already been inspected and are ready for transmission get held/queued waiting for earlier packets to clear inspection on the slowest or most congested core.  Ugh.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Steffen_Appel
Advisor
‎2019-08-27 08:09 AM
In response to Timothy_Hall

OK, thanks, that answers my question!

0 Kudos
Checkpoint_GoSe
Explorer
‎2020-07-07 10:53 AM
In response to Timothy_Hall

Do you know if this also applies to upload speeds?

Currently dealing with one site-to-site vpn where officially the speeds should be 200 down and 30 up.

Tests reveal that it's closer to 75 down and 27 up from across the tunnel. Download speeds appear to be more affected than upload.

Does this make sense?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-07-09 06:33 AM
In response to Checkpoint_GoSe

@Checkpoint_GoSe it might make sense, please provide the output of netstat -ni on your firewall to ensure the underlying network is running clean.  Also while running your speed test execute the top command and hit 1 to show individual core utilization, are any cores topping out at 100% during the upload portion of the test? 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Magnus-Holmberg
Advisor
‎2023-12-13 12:58 PM
In response to PhoneBoy

Is it possible to see updated information on the sk73980
I mean some of the newer versions such as R81.20 states in the improvments.
What is the base numbers in the SK based on for version?
Based on the SK itself i would assume its based on R80.30

Taken from R81.20

"

IPsec VPN

  • Scalable VPN performance - 3 times faster to process simultaneous Remote Access and Site to Site VPN connections.
  • Major performance and stability improvement for Remote Access VPN and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
  • Extended Security Gateway certificate validation capabilities for quicker authentication.
  • Resilient VPN architecture - multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.

"

Or maybe highlight something in it regarding newer versions?

Regards,
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-12-13 02:43 PM
In response to Magnus-Holmberg

Feedback was submitted on the SK.

Whilst the enhancements sighted don't necessarily speak to performance improvements in terms of throughout it doesn't exclude their being differences between versions either.

CCSM R77/R80/ELITE
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-16 05:16 AM

Hello Wolfgang,

6,5GBbs is total throughput that an appliance can process via VPN. This applies to all summated connections. 

900Mb/s for a "elephant flow". It's a very good value. 

I think the VPN running over an internet interface. This makes runtime problems of the connection critical in the WAN. If you send a TCP packet over the VPN route, there are still runtimes in the WAN to consider. This is related to the windows sizing for TCP connections. This means that you send some packets in one direction and have to wait for the answer packet. It's always slowing you down on the WAN line and it's not a Ckeck Point problem, it's a WAN problem.

If you want to speed up a single connection "elephant flow", you need systems that optimize TCP and optimize protocols. I don't want to advertise for other manufacturers in the Check Point forum, but have a look at Riverbed Steeheadˋs. 

Intel‘s AES New Instructions AES-NI is a encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in many processor familys. Comprised of seven new instructions, AES-NI gives your environment faster, more affordable data protection and greater security.

 

For more informations about AES-NI see this article:

R80.x Performance Tuning Tip - AES-NI 

You may have other problems on the WAN interface that you can't control:
- fragmentation > check MTU size
- lost VPN packets > and therefore lost TCP packets and therfore TCP retransmissions

- packed in wrong sequence  > and therfore TCP retransmissions

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Wolfgang
Authority
Authority
‎2019-02-24 11:10 AM
In response to HeikoAnkenbrand

Dear Heiko,

thanks for your response.

Our setup has no internet connection, we used leased lines between our gateways. No MTU issues, no fragmentation problems, no CPU 100% utilization and best suggested parameters for the IPSEC-values.

At CPX I had some interesting discussions with CheckPoints R&D guys.

Now I understand, 900Mb/s for one connection is a very good value. But with CheckPoint there is no chance to get more for this type of traffic, this is a really limitation.

With more connections and more then one VPN-tunnel we can get much more throughput. I found out in the last days, CheckPoint is one of the most valuable vendor for this kind of traffic but for the special case with only one connection we have to lock for another. We found one, another then you mentioned Heiko.

Another thing I learned..... CheckPoint is not alone with the problem of a single connection and „elephant flows“, but other vendors are not really better and most of them are much slower.

thanks for all suggestion,

Wolfgang

Steffen_Appel
Advisor
‎2019-08-26 07:37 AM
In response to Wolfgang

Which alternative vendor did you finally use?
0 Kudos
Ave_Joe
Contributor
‎2020-07-08 06:40 AM
In response to HeikoAnkenbrand

So in this elephant scenario would faster CPU cores allow higher throughput results? For instance Open Server may be an option getting better single core performance.
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-07-09 06:36 AM
In response to Ave_Joe

@Ave_Joe  faster cores would allow better performance in your situation, as well as using AES encryption instead of 3DES which is older and much slower.  The Check Point Solutions Center does have a software feature available that can spread the processing of elephant flows across multiple cores, but I don't think it is in the main train of code yet.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
SimonD
Explorer
‎2021-07-15 09:43 AM
In response to Timothy_Hall

Do you have more information about this feature ?

 

SimonD

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events