very slow intervaln communication via checkpoint

[juniorra22]

Hi,

Seeing same behavior transferring files that traverse over firewall is under 20MB/s on a 10G fiber link. I have also looked at APCL/URLF Inspection policy and all destination objects are internet. Anything else I can look at?

Thanks

[juniorra22]

Hi,

Seeing same behavior transferring files that traverse over firewall is under 20MB/s on a 10G fiber link. I have also looked at APCL/URLF Inspection policy and all destination objects are internet. Anything else I can look at?

Thanks

Can anyone help?

Thanks

[ShadowPeak.com]

Can anyone help?

Thanks

What is the slow protocol being used to transfer files? FTP? CIFS? SCP? Are all these transfer protocols equally slow between your networks?

Please post output of the following commands from the active firewall:

enabled_blades
netstat -ni
fwaccel stats -s
fwaccel stat
fw ctl affinity -l -r

[juniorra22]

What is the slow protocol being used to transfer files? FTP? CIFS? SCP? Are all these transfer protocols equally slow between your networks?

Please post output of the following commands from the active firewall:

enabled_blades
netstat -ni
fwaccel stats -s
fwaccel stat
fw ctl affinity -l -r

Hi all transfer protocols are slow.

enabled_blades
fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot


netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
bond0 1500 0 98536334 0 0 0 60093599 0 0 0 BMmRU
bond0.20 1500 0 85702327 0 0 0 51717823 0 0 0 BMmRU
eth3 1500 0 65119422 0 0 0 20030910 0 0 0 BMsRU
eth4 1500 0 24718597 0 0 0 20030895 0 0 0 BMsRU
eth5 1500 0 8698335 0 0 0 20031832 0 0 0 BMsRU
eth6 1500 0 65239794 0 0 0 102124220 0 0 0 BMRU
eth7 1500 0 17147022 0 16 0 19565550 0 0 0 BMRU
eth9 1500 0 2212202 0 0 0 5549160 0 0 0 BMRU
lo 16436 0 335599 0 0 0 335599 0 0 0 LRU

fwaccel stats -s
No statistics given


fwaccel stat
Accelerator Status : no license for SecureXL

Accelerator Features : Accounting, NAT, Cryptography, HasClock,
Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, WireMode,
DropTemplates, NatTemplates, Streaming,
AntiSpoofing, Nac, ViolationStats, AsychronicNotif,
ERDOS, NAT64, GTPAcceleration, SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256

fw ctl affinity -l -r
CPU 0: eth0 eth1 eth9 eth10 eth2 eth3
fw_1 fw_3 fw_5 fw_7
CPU 1: fw_0 fw_2 fw_4 fw_6
CPU 2:
CPU 3:
CPU 4:
CPU 5:
CPU 6:
CPU 7:
CPU 8:
CPU 9:
CPU 10:
CPU 11:
All: mpdaemon wsdnsd pdpd in.geod stormd rad vpnd in.acapd usrchkd in.msd fwd pepd cprid cpd
The current license permits the use of CPUs 0, 1 only.

[ShadowPeak.com]

Hi all transfer protocols are slow.

enabled_blades
fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot


netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
bond0 1500 0 98536334 0 0 0 60093599 0 0 0 BMmRU
bond0.20 1500 0 85702327 0 0 0 51717823 0 0 0 BMmRU
eth3 1500 0 65119422 0 0 0 20030910 0 0 0 BMsRU
eth4 1500 0 24718597 0 0 0 20030895 0 0 0 BMsRU
eth5 1500 0 8698335 0 0 0 20031832 0 0 0 BMsRU
eth6 1500 0 65239794 0 0 0 102124220 0 0 0 BMRU
eth7 1500 0 17147022 0 16 0 19565550 0 0 0 BMRU
eth9 1500 0 2212202 0 0 0 5549160 0 0 0 BMRU
lo 16436 0 335599 0 0 0 335599 0 0 0 LRU

fwaccel stats -s
No statistics given


fwaccel stat
Accelerator Status : no license for SecureXL

Accelerator Features : Accounting, NAT, Cryptography, HasClock,
Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, WireMode,
DropTemplates, NatTemplates, Streaming,
AntiSpoofing, Nac, ViolationStats, AsychronicNotif,
ERDOS, NAT64, GTPAcceleration, SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256

fw ctl affinity -l -r
CPU 0: eth0 eth1 eth9 eth10 eth2 eth3
fw_1 fw_3 fw_5 fw_7
CPU 1: fw_0 fw_2 fw_4 fw_6
CPU 2:
CPU 3:
CPU 4:
CPU 5:
CPU 6:
CPU 7:
CPU 8:
CPU 9:
CPU 10:
CPU 11:
All: mpdaemon wsdnsd pdpd in.geod stormd rad vpnd in.acapd usrchkd in.msd fwd pepd cprid cpd
The current license permits the use of CPUs 0, 1 only.

Oh boy, where do I begin...

1) Your firewall's performance is heavily restricted by the license you are using. Please provide the output of "cplic print" but be sure to excise the certificate keys (they start with CK-) before posting it.

2) You have no license for SecureXL so there is zero acceleration occurring. Not sure how the heck your firewall license does not include SecureXL, the output of cplic print requested above should shed some light.

3) You have 12 cores (please provide output of /sbin/cpuinfo so we can see if hyperthreading is enabled which is a no-no and means you are only using one physical core out of 6), but can only use two of them due to license restrictions. Unfortunately CoreXL was initially configured when you were running under the Trial License, so 8 firewall workers were allocated which are all thrashing against each other for cores 0 and 1. We will need to look at your licensing first, but an eventual recommendation will almost certainly be to reduce the number of firewall workers from 8 to 2 via cpconfig.

4) What version of code are you using? Please provide output of "fw ver" and "installed_jumbo_take" commands.

So to summarize, please provide output of the following commands:

cplic print
/sbin/cpuinfo
fw ver
installed_jumbo_take

[juniorra22]

Oh boy, where do I begin...

1) Your firewall's performance is heavily restricted by the license you are using. Please provide the output of "cplic print" but be sure to excise the certificate keys (they start with CK-) before posting it.

2) You have no license for SecureXL so there is zero acceleration occurring. Not sure how the heck your firewall license does not include SecureXL, the output of cplic print requested above should shed some light.

3) You have 12 cores (please provide output of /sbin/cpuinfo so we can see if hyperthreading is enabled which is a no-no and means you are only using one physical core out of 6), but can only use two of them due to license restrictions. Unfortunately CoreXL was initially configured when you were running under the Trial License, so 8 firewall workers were allocated which are all thrashing against each other for cores 0 and 1. We will need to look at your licensing first, but an eventual recommendation will almost certainly be to reduce the number of firewall workers from 8 to 2 via cpconfig.

4) What version of code are you using? Please provide output of "fw ver" and "installed_jumbo_take" commands.

So to summarize, please provide output of the following commands:

cplic print
/sbin/cpuinfo
fw ver
installed_jumbo_take

Issue resolved by move to a new switch port. Old port was bad. Switch will be replace.

[ShadowPeak.com]

Issue resolved by move to a new switch port. Old port was bad. Switch will be replace.

Well I assume you saw errors racking up on the switchport itself because there were basically none on the firewall's interfaces.

[jflemingeds]

Well I assume you saw errors racking up on the switchport itself because there were basically none on the firewall's interfaces.

yeah, i don't see how a switch is going to help fix those license issues.

[ShadowPeak.com]

yeah, i don't see how a switch is going to help fix those license issues.

Yep, after resolving the switch issue another bottleneck will present itself and rather soon I would guess...