CoreXL FW Instance #0 is processing most of the traffic when VPN blade was enabled, but VPN encryption domain was not defined
Symptoms
  • Output of the "top" command shows that the lowest CoreXL FW Instance #0 (fw_worker_0) consumes much more CPU than the other CoreXL FW Instances (fw_worker_1, fw_worker_2, etc.).

  • Output of the "fw ctl multik stat" command shows that CoreXL FW Instance #0 (fw_worker_0) processed many more connections than the other CoreXL FW Instances.

    Example:
    ID | Active  | CPU    | Connections | Peak
    ----------------------------------------------
     0 | Yes     | 2-15+  |      109064 |   114892
     1 | Yes     | 2-15+  |         404 |      452
     2 | Yes     | 2-15+  |         432 |      525
     3 | Yes     | 2-15+  |         370 |      467
     4 | Yes     | 2-15+  |         430 |      515
     5 | Yes     | 2-15+  |         363 |      438
     6 | Yes     | 2-15+  |         321 |      369
     7 | Yes     | 2-15+  |         243 |      297
     8 | Yes     | 2-15+  |         535 |      629
     9 | Yes     | 2-15+  |         432 |      538
    
  • VPN kernel debug in CoreXL ('fw ctl debug -m VPN + multik tagging cluster') shows that a large amount of traffic is forwarded to the lowest CoreXL FW Instance #0, which is the only instance that processes VPN traffic (by design in R77.30 and lower):

    ;vpnk_multik_forward (in): checking if packet is vpn and should be forwarded to vpn instance
    ... ...
    ;vpnk_multik_forward (in): packet is forwarded to vpn instance (enc 0, decision 3, ipp XXX, sport XXX, dport XXX);
    ... ...
    ;vpn_get_peerGW_for_stickyDF_key_cpip: Clear packet that will encrypted at the outbound to the peer: X.X.X.X;
    ... ...
    ;vpn_inbound_tagging_ex:  AFTER considering comm-based domains, client location: 'Other GW encdom', server location: 'Other GW encdom'
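
The connection imbalance shown in the "fw ctl multik stat" example above can be checked with a small script. This is an added example, not Check Point tooling; the function names and the 80% threshold are assumptions, and the sample input is the table from this page.

```shell
#!/bin/sh
# Added example: flag a CoreXL connection imbalance in "fw ctl multik stat" output.
# Reads the table on stdin; $1 is the share (percent) of connections on
# instance #0 that counts as imbalanced (assumed default: 80).
# Exit status: 0 = balanced, 1 = imbalanced, 2 = no usable rows.
multik_imbalance() {
    threshold="${1:-80}"
    awk -F'|' -v thr="$threshold" '
        # Data rows have a numeric instance ID in column 1 and at least 5 columns.
        $1 ~ /^[ \t]*[0-9]+[ \t]*$/ && NF >= 5 {
            id = $1 + 0; conns = $4 + 0
            total += conns; n++
            if (id == 0) { zero = conns; seen0 = 1 }
        }
        END {
            if (!seen0 || total == 0) { print "NODATA"; exit 2 }
            share = 100 * zero / total
            # A single instance always holds 100%, so require more than one.
            rc = (n > 1 && share >= thr) ? 1 : 0
            printf "%s instance0=%d total=%d share=%.1f%% instances=%d\n", \
                (rc ? "IMBALANCED" : "OK"), zero, total, share, n
            exit rc
        }'
}

# Sample input: the "fw ctl multik stat" table from the Symptoms section.
sample_multik_stat() {
cat <<'EOF'
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 2-15+  |      109064 |   114892
 1 | Yes     | 2-15+  |         404 |      452
 2 | Yes     | 2-15+  |         432 |      525
 3 | Yes     | 2-15+  |         370 |      467
 4 | Yes     | 2-15+  |         430 |      515
 5 | Yes     | 2-15+  |         363 |      438
 6 | Yes     | 2-15+  |         321 |      369
 7 | Yes     | 2-15+  |         243 |      297
 8 | Yes     | 2-15+  |         535 |      629
 9 | Yes     | 2-15+  |         432 |      538
EOF
}

sample_multik_stat | multik_imbalance 80 || true
```

On a Security Gateway the same function can read live output: fw ctl multik stat | multik_imbalance 80.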
Cause

The IPSec VPN blade was enabled in the Security Gateway's object (and policy was installed), but the VPN encryption domain was not defined in the Security Gateway's object.

