The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Traffic latency on VSX Gateway if MTU larger than 4096 (Jumbo Frames) is configured on an interface
| Solution ID |
sk110351 |
| Product |
VSX |
| Version |
R77.20, R77.30, R80.10 |
| OS |
Gaia |
| Date Created |
17-Mar-2016
|
| Last Modified |
27-Mar-2019
|
Symptoms
Traffic latency on VSX Gateway if MTU larger than 4096 (for Jumbo Frames) is configured on an interface.
CPU cores that run CoreXL Secure Network Dispatchers (SND) are loaded at 100% CPU without any apparent cause.
Kernel debug "fw ctl debug -m fw + drop" shows that CoreXL FW drops traffic with
Reason: Instance is currently fully utilized
Output of the "fw ctl pstat -u" command in the context of the affected Virtual System shows large number(s) in the "alloc non zeco skb buffers" section.
Example output:
alloc zeco skb buffers:
data size under 256: 99970298
data size under 2048: 1399
data size under 4096: 0
data size above 4097: 0
alloc non zeco skb buffers:
data size under 256: 506997
data size under 2048: 1
data size under 4096: 0
data size above 4097: 0
- In some cases, it was found that the issue occurs ONLY during policy installation.
Cause
Packets do not go through the ZeCo Buffer when MTU larger than 4096 (for Jumbo Frames) is configured on VSX interface(s) with the "set interface IFNAME mtu VALUE" command.
Solution
Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification please collect CPinfo files from the Security Management and Security Gateways involved in the case.
Hotfix installation instructions:
-
Hotfix has to be installed on VSX Gateway running on Gaia OS.
Notes:
- In cluster environment, this procedure must be performed on all members of the cluster.
- The hotfixes must be installed in the given order - 1) SecurePlatform, 2) FW1
- The hotfixes must be uninstalled in the given order - 1) FW1, 2) SecurePlatform
-
Install the hotfix packages using Legacy CLI:
Note: On these versions of VSX, the CPUSE does not support installation of hotfixes (refer to sk92449 - section "(2)" - "VSX Gateways").
-
Transfer the two hotfix packages to the machine into two separate directories:
- FW1 package (fw1_wrapper_<HOTFIX_NAME>.tgz) into e.g., /path_to_FW1_fix/
- OS package (SecurePlatform_<HOTFIX_NAME>.tgz) into e.g., /path_to_OS_fix/
-
Unpack and install the OS hotfix (must install the "OS hotfix" before the "FW1 hotfix"):
[Expert@HostName]# cd /path_to_OS_fix/
[Expert@HostName]# tar -zxvf SecurePlatform_<HOTFIX_NAME>.tgz
[Expert@HostName]# ./SecurePlatform_<HOTFIX_NAME>
Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
-
Do NOT reboot yet.
-
Unpack and install the FW1 hotfix package (must install the "FW1 hotfix" only after the "OS hotfix"):
[Expert@HostName]# cd /path_to_FW1_fix/
[Expert@HostName]# tar -zxvf fw1_wrapper_<HOTFIX_NAME>.tgz
[Expert@HostName]# ./fw1_wrapper_<HOTFIX_NAME>
Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
-
Reboot the machine.
Applies To:
- 01657585 , 01860570 , 01917226 , 01680274 , 02363044 , 02344528 , 02311159 , 01956929 , 01678564 , 02503000 , 02479929 , 02351065 , 01872075 , 01862924 , 02413573 , 02380897 , 01868068 , 02491066
