SecureXL Accept Templates not created when ISP Redundancy is enabled in Primary/Backup mode

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk104679
Technical Level
Product	SecureXL
Version	R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.40, R80.20 (EOL), R80.30 (EOL)
OS	Gaia, Linux, Gaia Embedded
Platform / Model	All
Date Created	10-Feb-2015
Last Modified	20-Aug-2022

Symptoms

Output of 'top' command on Security Gateway shows high CPU utilization by Soft IRQ, although SecureXL is enabled.
Output of 'fwaccel stats -s' command shows that most of the traffic is "F2Fed".
CPView utility (sk101878) shows that most Forwarded traffic falls into these categories ('I/S' tab - 'SXL' menu - 'F2F-Reasons' menu):
- TCP conn is F2Fed
- UDP conn is F2Fed
- other conn is F2Fed
Output of 'fwaccel stat' command shows that either "Accept Templates" are "enabled", or "disabled" from a very high rule.
Output of 'fwaccel templates' command shows very small number of templates, or none at all.

SecureXL debug ('fwaccel dbg -m general + template') shows:

get_conn_template: <dir 1, Source_IP:Source_Port -> Dest_IP:Dest_Port IPP 6> cannot be offloaded as template
... ... ... 
cphwd_offload_conn: conn handled by ISP redundancy - cannot offload template!;

Disabling the ISP Redundancy resolves the issue - most of the traffic is accelerated.

Cause

By design, SecureXL Accept Templates are not offloaded from Secure Gateway when ISP Redundancy is enabled in Primary/Backup mode.

Solution

Note: To view this solution you need to Sign In .