Traffic latency on VSX Gateway if MTU larger than 4096 (Jumbo Frames) is configured on an interface

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk110351
Technical Level
Product	VSX
Version	R77.20, R77.30 (EOL), R80.10 (EOL)
OS	Gaia
Date Created	17-Mar-2016
Last Modified	23-Jul-2019

Symptoms

Traffic latency on VSX Gateway if MTU larger than 4096 (for Jumbo Frames) is configured on an interface.
CPU cores that run CoreXL Secure Network Dispatchers (SND) are loaded at 100% CPU without any apparent cause.
Kernel debug "fw ctl debug -m fw + drop" shows that CoreXL FW drops traffic with
Reason: Instance is currently fully utilized

Output of the "fw ctl pstat -u" command in the context of the affected Virtual System shows large number(s) in the "alloc non zeco skb buffers" section.

Example output:

alloc zeco skb buffers:
data size under 256: 99970298
data size under 2048: 1399
data size under 4096: 0
data size above 4097: 0

alloc non zeco skb buffers:
data size under 256: 506997
data size under 2048: 1
data size under 4096: 0
data size above 4097: 0

In some cases, it was found that the issue occurs ONLY during policy installation.

Cause

Packets do not go through the ZeCo Buffer when MTU larger than 4096 (for Jumbo Frames) is configured on VSX interface(s) with the "set interface IFNAME mtu VALUE" command.

Solution

This problem was fixed. The fix is included in:

Check Point R80.20

For other supported versions, Check Point Support can supply a Hotfix.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPInfo files from the Security Management Server and Security Gateways involved in the case.

Hotfix installation instructions:

Hotfix has to be installed on VSX Gateway running on Gaia OS.

Notes:
- In cluster environment, this procedure must be performed on all members of the cluster.
- The hotfixes must be installed in the given order - 1) SecurePlatform, 2) FW1
- The hotfixes must be uninstalled in the given order - 1) FW1, 2) SecurePlatform
Install the hotfix packages using Legacy CLI:

Note: On these versions of VSX, the CPUSE does not support installation of hotfixes (refer to sk92449 - section "(2)" - "VSX Gateways").
1. Transfer the two hotfix packages to the machine into two separate directories:
  - FW1 package (fw1_wrapper_<HOTFIX_NAME>.tgz) into e.g., /path_to_FW1_fix/
  - OS package (SecurePlatform_<HOTFIX_NAME>.tgz) into e.g., /path_to_OS_fix/
2. Unpack and install the OS hotfix (must install the "OS hotfix" before the "FW1 hotfix"):
  
  [Expert@HostName]# cd /path_to_OS_fix/
  [Expert@HostName]# tar -zxvf SecurePlatform_<HOTFIX_NAME>.tgz
  [Expert@HostName]# ./SecurePlatform_<HOTFIX_NAME>
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
3. Do NOT reboot yet.
4. Unpack and install the FW1 hotfix package (must install the "FW1 hotfix" only after the "OS hotfix"):
  
  [Expert@HostName]# cd /path_to_FW1_fix/
  [Expert@HostName]# tar -zxvf fw1_wrapper_<HOTFIX_NAME>.tgz
  [Expert@HostName]# ./fw1_wrapper_<HOTFIX_NAME>
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
5. Reboot the machine.

Applies To:

01657585 , 01860570 , 01917226 , 01680274 , 02363044 , 02344528 , 02311159 , 01956929 , 01678564 , 02503000 , 02479929 , 02351065 , 01872075 , 01862924 , 02413573 , 02380897 , 01868068 , 02491066

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating