We have been having a memory leak issue on our gateway firewalls. We have applied all kinds of patches and hotfixes and we still face the issue. If we leave the memory to get to the max, the firewall becomes unresponsive and we can't access it via SSH and have to reboot it. Appreciate any help, or if anyone has experienced the same issue. Attached a screenshot.
Current version is R81.20 T89.
What do you see from cpview?
Andy
It shows the same thing. Once the memory reaches close to the total, the firewall stops passing traffic and we can't SSH to it and have to reboot it. Screenshot attached.
What I'm seeing is f2f is high.
# fwaccel stats -s
Accelerated conns/Total conns : 0/0 (0%)
LightSpeed conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/35313407 (0%)
LightSpeed pkts/Total pkts : 0/35313407 (0%)
F2Fed pkts/Total pkts : 35313407/35313407 (100%)
F2V pkts/Total pkts : 0/35313407 (0%)
You should probably gather the necessary data with: https://support.checkpoint.com/results/sk/sk35496
And engage TAC if you haven't already.
Yeah, we have been troubleshooting this with TAC for I think 3 months, running debugs and updating hotfixes, no luck.
We did follow that SK and gave info to TAC like two times, still no luck.
Did you escalate the case? Because this sounds like a pretty serious issue to me...
Andy
Yeah, any reason why it would be using f2f at 100%? We only have fw as enabled blades.
# enabled_blades
# fwaccel stats -s
Accelerated conns/Total conns : 0/0 (0%)
LightSpeed conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/35313407 (0%)
LightSpeed pkts/Total pkts : 0/35313407 (0%)
F2Fed pkts/Total pkts : 35313407/35313407 (100%)
F2V pkts/Total pkts : 0/35313407 (0%
fw
I agree. Hey, see if the link below might be related. I really hope we can help you fix this problem. Having a case open for something like this for 3 months has to feel frustrating.
Andy
https://community.checkpoint.com/t5/General-Topics/SecureXL-100-F2Fed-80-30/td-p/95704
What does "fwaccel stat" show by comparison and what model/hardware is this gateway (16200)??
It is a 16k turbo. It is VSX, so on VS0 (management VS) it is showing 100% f2f. Is this normal? On the other VS's I see a variation: some are low on f2f, some are high, over 60%.
# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth4-03,eth4-04,Mgmt, |Acceleration,Cryptography |
| | | |eth3-01,eth3-02,eth1-01, | |
| | | |eth1-02,eth2-01,eth2-02 |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
Indeed, under normal circumstances you can largely ignore f2f for VS0 and focus on the other VS with the same cmd. (Presumably you don't route traffic for other Virtual Systems via VS0.)
sk32578 talks to the common reasons for f2f traffic, further to the hints given by this command, where those causes are policy related. How this would relate to a memory leak remains to be seen.
Yes, on the other VS's we do have f2f over 30%, in one of the VS's it is at 98%.
I agree with @Chris_Atkinson, you can ignore those for VS0, it's probably not relevant. Now, if you see it on other VS's, then yes, should be concerned.
Andy
Yes, on the other VS's we do have f2f over 30%, in one of the VS's it is at 98%.
Did you run the fwaccel stat cmd in the context of that VS, what was the output and is the VS active or standby?
Here is the output, it is the active VS.
# fwaccel stats -s
Accelerated conns/Total conns : 4/4 (100%)
LightSpeed conns/Total conns : 0/4 (0%)
Accelerated pkts/Total pkts : 77545/5273486 (1%)
LightSpeed pkts/Total pkts : 0/5273486 (0%)
F2Fed pkts/Total pkts : 5195941/5273486 (98%)
F2V pkts/Total pkts : 57/5273486 (0%)
CPASXL pkts/Total pkts : 0/5273486 (0%)
PSLXL pkts/Total pkts : 44/5273486 (0%)
CPAS pipeline pkts/Total pkts : 0/5273486 (0%)
PSL pipeline pkts/Total pkts : 0/5273486 (0%)
QOS inbound pkts/Total pkts : 0/5273486 (0%)
QOS outbound pkts/Total pkts : 0/5273486 (0%)
Corrected pkts/Total pkts : 0/5273486 (0%)
[Expert@idboinfw009:7]#
[Expert@idboinfw009:7]#
[Expert@idboinfw009:7]#
[Expert@idboinfw009:7]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled | |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
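Added example, not part of the thread and not Check Point code: a small bash/awk helper that reads `fwaccel stats -s` text, recomputes the F2F and accelerated packet shares from the raw counters (the printed percentages are rounded), and reports VS0 without judging it, as suggested above. The function name, the 30% threshold and the verdict labels are assumptions; the sample text is copied from the posts, with ":7" in the prompt taken as the VS id.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise `fwaccel stats -s` per VS.
# On a gateway the input would be the live command output; the samples
# below are copied from the posts so the script runs offline.

# f2f_report VSID THRESHOLD_PCT  (reads the stats text on stdin)
f2f_report() {
  awk -v vs="$1" -v thr="$2" '
    / pkts\/Total pkts[ \t]*:/ {
      name = $0
      sub(/^[ \t]+/, "", name)              # tolerate indented output
      sub(/ pkts\/Total pkts.*/, "", name)  # e.g. "F2Fed", "CPAS pipeline"
      val = $0
      sub(/^[^:]*:[ \t]*/, "", val)         # "5195941/5273486 (98%)"
      split(val, n, "/")
      cnt[name] = n[1] + 0                  # raw count for this path
      total = n[2] + 0                      # numeric prefix; survives a cut-off "(0%"
    }
    END {
      if (total == 0) { printf "vs=%s f2f=n/a verdict=NO-TRAFFIC\n", vs; exit }
      f2f = 100 * cnt["F2Fed"] / total
      acc = 100 * cnt["Accelerated"] / total
      # VS0 is reported but not judged, following the advice in the thread
      verdict = (vs == 0) ? "VS0-IGNORE" : (f2f > thr ? "HIGH" : "OK")
      printf "vs=%s f2f=%.2f%% accel=%.2f%% verdict=%s\n", vs, f2f, acc, verdict
    }'
}

# Output posted for VS0 (last line is cut off in the post, kept that way)
SAMPLE_VS0='Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/35313407 (0%)
F2Fed pkts/Total pkts : 35313407/35313407 (100%)
F2V pkts/Total pkts : 0/35313407 (0%'

# Output posted for VS 7 (shortened to the lines the report uses)
SAMPLE_VS7='Accelerated conns/Total conns : 4/4 (100%)
Accelerated pkts/Total pkts : 77545/5273486 (1%)
F2Fed pkts/Total pkts : 5195941/5273486 (98%)
PSLXL pkts/Total pkts : 44/5273486 (0%)'

printf '%s\n' "$SAMPLE_VS0" | f2f_report 0 30
printf '%s\n' "$SAMPLE_VS7" | f2f_report 7 30
```

Running the report at intervals alongside memory readings gives one line per VS that can be compared over time.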
Do other VSs show the same? Just VS0 is different?
Andy
Other VS's: some of them are showing very high on the f2f, others are operating below 30%. Here is one of the outputs below, from one of the VS's where we have traffic.
Here is the output, it is the active VS.
# fwaccel stats -s
Accelerated conns/Total conns : 4/4 (100%)
LightSpeed conns/Total conns : 0/4 (0%)
Accelerated pkts/Total pkts : 77545/5273486 (1%)
LightSpeed pkts/Total pkts : 0/5273486 (0%)
F2Fed pkts/Total pkts : 5195941/5273486 (98%)
F2V pkts/Total pkts : 57/5273486 (0%)
CPASXL pkts/Total pkts : 0/5273486 (0%)
PSLXL pkts/Total pkts : 44/5273486 (0%)
CPAS pipeline pkts/Total pkts : 0/5273486 (0%)
PSL pipeline pkts/Total pkts : 0/5273486 (0%)
QOS inbound pkts/Total pkts : 0/5273486 (0%)
QOS outbound pkts/Total pkts : 0/5273486 (0%)
Corrected pkts/Total pkts : 0/5273486 (0%)
[Expert@idboinfw009:7]#
[Expert@idboinfw009:7]#
[Expert@idboinfw009:7]#
[Expert@idboinfw009:7]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled | |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
Ok, if it's not too much to ask here and if you are allowed to post it, can you list the things done so far in the TAC case?
Andy
Not sure if, because those VS's do not have a lot of traffic, the firewall is just choosing to go via f2f. What we did in TAC: we followed that SK for memory leak that I attached 'memleak3.png', and we upgraded the firewalls to the latest takes and ran the SK memory leak procedure again, and we still face the issue. We are on R81.20 T89 currently.
Hey, quick question... are you able/allowed to send me the debugs you did for TAC? I'm more than happy to review them myself and see if I can assist. If yes, please feel free to message me offline and we can connect.
Best,
Andy
Hi @knassif,
Can you please share the TAC case number with me? I will review it and will try to assist.
Thanks,
Ilya
@knassif I can tell you and I feel very good about this, as @Ilya_Yusupov helped me before with ISPR issue for a customer, he is amazing and will always follow up until issue is solved. You are 100% in good hands mate.
Andy
The case # is SR#6-0004045311.
I have no ounce of doubt that @Ilya_Yusupov will help you fix this issue. I dealt with him before and you can tell he truly CARES, 100%. He is a good person.
Andy
Yes, give me some time, I'll upload those.
No rush, take your time. As soon as you send them, I will download and review. I may message you directly for some details beforehand.
Andy