When SecureXL is enabled, Encrypt-Decrypt actions usually take place at the SecureXL level (on CPU cores running as CoreXL SND). All VPN traffic will be handled on the CPU cores running as CoreXL SND under the following conditions:
- Only "Firewall" and "IPSec VPN" software blades are enabled
- There are no fragmented packets
- SecureXL acceleration is not disabled by any of the security rules (refer to sk32578)
- VPN features that are disqualified from SecureXL (see below) are disabled
If all the above conditions are met, all VPN traffic will be handled on CPU cores running as CoreXL SND with minimum traffic being forwarded to the CoreXL FW instances, resulting in multi-core processing of VPN traffic (depending on the number of CPU cores running as CoreXL SND).
The following VPN features are handled by CPU cores running as CoreXL FW instances:
- Fragmented VPN packets
- Any compression algorithms (go to IPSec VPN Community properties - "Advanced Settings" pane - "Advanced VPN Properties")
- Using HMAC-SHA384 for data integrity and authentication (refer to sk104578)
- Any transport mode SA (used in L2TP clients and GRE tunnels)
- Multicast IPsec (GDOI)
- Monitoring Software Blade - if, in addition to "System Counters", "Traffic" counters are also enabled in the Security Gateway object (in such a case, connections are flagged with the "Accounting" flag in the output of the "fwaccel conns" command)
- Any Software Blade other than "Firewall" is used
Note:
With R80.20, fragmented packets do not necessarily have to run over the F2F path. With fragmented VPN packets under R80.20, I'm not sure which way they go.
See more here: Best Practices - VPN Performance
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
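As an added example (not part of the original post and not Check Point's own tooling): a small POSIX shell check that reads the F2F ("forwarded to firewall") counter from `fwaccel stats -s` output and flags when a noticeable share of packets is leaving the accelerated path, which is the symptom the conditions above predict when one of the disqualified features is in use. The output layout is assumed from R80.x gateways, the counter values are constructed sample output, and the 10% threshold is an arbitrary assumption, not a Check Point recommendation.

```shell
#!/bin/sh
# Added example, not from the original post or from Check Point.
# Parses `fwaccel stats -s` summary output and reports whether a large share
# of packets is taking the F2F path instead of staying on the SecureXL/SND cores.

# Constructed sample output in the assumed R80.x `fwaccel stats -s` layout.
SAMPLE_STATS='Accelerated conns/Total conns : 42/50 (84%)
Accelerated pkts/Total pkts   : 15000/20000 (75%)
F2Fed pkts/Total pkts   : 5000/20000 (25%)
F2V pkts/Total pkts   : 0/20000 (0%)
CPASXL pkts/Total pkts   : 0/20000 (0%)
PSLXL pkts/Total pkts   : 0/20000 (0%)
QOS inbound pkts/Total pkts   : 0/20000 (0%)
QOS outbound pkts/Total pkts   : 0/20000 (0%)
Corrected pkts/Total pkts   : 0/20000 (0%)'

# Assumed threshold: more than this percentage of F2F packets is treated as a
# hint that one of the disqualifying conditions (fragments, compression,
# HMAC-SHA384, transport mode, GDOI, extra blades) applies.
F2F_WARN_PCT=10

# f2f_pct STATS_TEXT
# Prints the F2F percentage found in the "F2Fed pkts/Total pkts : a/b (p%)" line,
# or nothing if the line is absent. Splits the line on "(", ")" and "%".
f2f_pct() {
    printf '%s\n' "$1" | awk -F'[()%]' '/F2Fed pkts/ { print $2; exit }'
}

# vpn_path_verdict STATS_TEXT
# Prints one of: accelerated, check-conditions, unknown. Always exits 0 so it
# can be used safely under `set -e`.
vpn_path_verdict() {
    pct=$(f2f_pct "$1")
    if [ -z "$pct" ]; then
        echo "unknown"
    elif [ "$pct" -gt "$F2F_WARN_PCT" ]; then
        echo "check-conditions"
    else
        echo "accelerated"
    fi
    return 0
}

# Usage: run with --live on a gateway to read the real counters (assumed to be
# `fwaccel stats -s`); without arguments the constructed sample is evaluated.
if [ "${1:-}" = "--live" ]; then
    STATS=$(fwaccel stats -s 2>/dev/null || true)
else
    STATS=$SAMPLE_STATS
fi
echo "F2F packets: $(f2f_pct "$STATS")% -> $(vpn_path_verdict "$STATS")"
```

On the sample the F2F share is 25%, so the verdict is `check-conditions`; on a gateway meeting all the conditions above the F2F share should stay near zero for VPN traffic and the verdict is `accelerated`.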