"fwaccel off" does not have an effect on disabling acceleration of VPN tunnels in R80.20 and above

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk151114
Technical Level
Product	IPSec VPN
Version	R80.20, R80.30, R80.40, R81, R81.10
Platform / Model	All
Date Created	16-Apr-2019
Last Modified	12-Aug-2021

Symptoms

Disabling acceleration by running the fwaccel off does not have an immediate effect on IPsec acceleration, as it did before R80.20.
Using fwaccel off causes every existing VPN connection to continue to be processed by the acceleration module (SecureXL), and only new connections are not offloaded to the acceleration module.
As long as there are accelerated VPN connections associated with the IPsec tunnel, all decryption/encryption operations will continue to be handled by the acceleration module.

Cause

Before R80.20, VPN connections could be migrated between acceleration module and Firewall-1 instances due to synchronous communication between those modules.

Since R80.20, fwaccel off does not stop the SecureXL device, and the communication between SecureXL and Firewall-1 is now asynchronous. All connections that were accelerated will continue to be handled by PPAK.

Furthermore, when new decryption/encryption keys are generated, the decision whether to accelerate the tunnel or not depends on whether there are accelerated connections associated with the tunnel.

As a result, to disable VPN tunnel acceleration, all outstanding related connections should be terminated.

This behavior prevents disabling acceleration of tunnels as long as accelerated connections are associated with those tunnels.

VPN acceleration is mandatory and should be disabled only for debugging purpose.

Solution

Note: To view this solution you need to Sign In .