Hello,
I am new to Check Point firewalls (well, I configured a couple of rules 20 years ago on a Solaris-based one, but this does not count) and I have inherited a VSX HA cluster running on HP DL380 Gen10 Openserver with 3 quad tg3-based (Broadcom) 1G NICs and a couple of dual Intel 10G NICs. The box has 2x10 cores; the first 8 of them are licensed.
I have read a lot of documents and skXXXXX in the last days, many forum posts and have done several experiments. I still have some issues with setting up the affinity of the interfaces properly.
Long story short, it looks like each tg3 interface is serviced by 5 IRQs
eg:
Now, when I set up the affinity of the interface eth0 to CPU 0, this is what I get:
Now if I go a bit deeper:
Notice also that in the output of fw ctl affinity -l -r -v -a, eth1 seems to use the same IRQ with eth12.
While, in reality:
So, my question is... does it look the same in other installations using tg3 driver in r80.40 / is it expected behaviour or should I look for something else?
Thanks!
John
This looks similar to sk171526: Output of 'fw ctl affinity' does not show FWK affinity to CPU core after upgrade of R80.30...
The issue you have should be fixed in R80.40 sk166356: 'fw ctl affinity' and "sim affinity" commands showing wrong data
thanks for the pointers!
sk166356 looks similar but a bit different case. Now that I look closer, I believe I can emulate the way that fw ctl affinity matches the interfaces to interrupts (maybe it is the "last resort" method):
# grep eth1 /proc/interrupts | tail -1 | awk ' { print $1 } '
267:
# grep eth12 /proc/interrupts | tail -1 | awk ' { print $1 } '
267:
For sk171526, I believe this installation started with a clean r80.40. Also, this relates to FWK affinity, and I don't see a problem there:
# fw ctl affinity -l -v
Interface eth0 (irq 222): CPU 0 1 2 3 4 5 6 7 8 9
Interface eth1 (irq 267): CPU 1
Interface eth2 (irq 242): CPU 1
Interface eth3 (irq 247): CPU 1
Interface eth4 (irq 237): CPU 0
Interface eth5 (irq 227): CPU 0 1 2 3 4 5 6 7 8 9
Interface eth6 (irq 217): CPU 1
Interface eth7 (irq 257): CPU 1
Interface eth11 (irq 212): CPU 1
Interface eth12 (irq 267): CPU 1
Interface eth13 (irq 232): CPU 1
Interface eth14 (irq 252): CPU 1
VS_0: CPU 2 3 4 5 6 7
VS_0 fwk: CPU 2 3 4 5 6 7
VS_1: CPU 2 3 4 5 6 7
VS_1 fwk: CPU 2 3 4 5 6 7
VS_5: CPU 2 3 4 5 6 7
VS_5 fwk: CPU 2 3 4 5 6 7
VS_8: CPU 2 3 4 5 6 7
VS_8 fwk: CPU 2 3 4 5 6 7
The current license permits the use of CPUs 0, 1, 2, 3, 4, 5, 6, 7 only.
Interface eth8: has multi queue enabled
Interface eth9: has multi queue enabled
# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2-7 | 26 | 212
1 | Yes | 2-7 | 20 | 212
2 | Yes | 2-7 | 23 | 212
3 | Yes | 2-7 | 24 | 213
4 | Yes | 2-7 | 26 | 212
5 | Yes | 2-7 | 24 | 213
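The substring match in the grep pipeline above, next to an exact interface match, as an added example that is not part of the original posts. The sample table is constructed (counters and the eth1 IRQ numbers are made up), and the vector names assume the tg3 style of ethN-tx-N / ethN-rx-N labels.

```shell
#!/bin/sh
# Constructed sample in /proc/interrupts layout: two tg3 ports, 5 vectors each.
# Counters and the eth1 IRQ numbers are made up for illustration.
sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1
 258:      1200          0   PCI-MSI-edge      eth1-tx-0
 259:       310          0   PCI-MSI-edge      eth1-rx-1
 260:       295          0   PCI-MSI-edge      eth1-rx-2
 261:       301          0   PCI-MSI-edge      eth1-rx-3
 262:       288          0   PCI-MSI-edge      eth1-rx-4
 263:         0        910   PCI-MSI-edge      eth12-tx-0
 264:         0        120   PCI-MSI-edge      eth12-rx-1
 265:         0        133   PCI-MSI-edge      eth12-rx-2
 266:         0        127   PCI-MSI-edge      eth12-rx-3
 267:         0        119   PCI-MSI-edge      eth12-rx-4
EOF
}

# Substring match, same logic as the grep | tail -1 | awk pipeline in the post:
# "eth1" also matches eth10..eth19, so the last hit can belong to another port.
last_irq_substring() {   # $1 = interface name, stdin = interrupts table
    grep "$1" | tail -1 | awk '{ sub(":", "", $1); print $1 }'
}

# Exact match: the action name (last field) must be the interface name itself
# or the name followed by "-<queue label>". Prints every IRQ of that interface.
irqs_exact() {           # $1 = interface name, stdin = interrupts table
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+:$/ {
            name = $NF
            if (name == ifc || index(name, ifc "-") == 1) {
                sub(":", "", $1); print $1
            }
        }'
}

# Compare both methods for the two ports that collide in the thread.
for ifc in eth1 eth12; do
    printf '%s: substring-last=%s exact=%s\n' "$ifc" \
        "$(sample_interrupts | last_irq_substring "$ifc")" \
        "$(sample_interrupts | irqs_exact "$ifc" | tr '\n' ' ')"
done
```

On a live gateway, pipe `cat /proc/interrupts` into the two functions instead of `sample_interrupts`.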
@jkougoulos one more thing to observe.... disable your unlicensed cores in the BIOS of your open server hardware. There are some known strange problems if more cores are active than licensed.
@Wolfgang thanks for this hint. I saw somewhere that tg3 may enable more channels depending on the number of cores, but if I want to reduce the cores to 8 in the BIOS, probably this would mean switching to 2x4 cores, moving the load between the 2 processors, which might have some performance impact.
I will start with ethtool tuning first and if it plays any role and see if I need to resort to reducing the number of cores. I guess I could also set the affinity manually using commands to /proc/irq/xxx/smp_affinity