Each VPN connection is handled by a specific CPU. The Secure Network Distributor (SND) allocates the connection to the relevant CPU.
SND distribution is based on a hash function that uses the connection tuple, so connections are not distributed equally in some network topologies and VPN configurations.
This problem was fixed. It is now possible to leave the connection on the same CPU, based on the inbound distribution of the Network Interface Card, and it will handle all VPN connections that need to be encrypted.
The fix is included in:
This fix adds a new kernel parameter, cphwd_medium_path_qid_by_cpu_id.
Note: This kernel parameter is disabled by default.
To verify the value of the parameter cphwd_medium_path_qid_by_cpu_id, run:
# fw ctl get int cphwd_medium_path_qid_by_cpu_id
Value: Feature status
cphwd_medium_path_qid_by_cpu_id = 0: When the feature is disabled, SNDs may not be balanced.
cphwd_medium_path_qid_by_cpu_id = 1: When the feature is enabled, there is a better balance between SNDs.
To activate the feature on the fly, run:
[Expert@HostName:0]# fw ctl set int cphwd_medium_path_qid_by_cpu_id 1
To disable the parameter on the fly:
[Expert@HostName:0]# fw ctl set int cphwd_medium_path_qid_by_cpu_id 0
Note: Changing the value of cphwd_medium_path_qid_by_cpu_id on the fly may cause connectivity issues. Refer to sk26202 to set the parameter permanently.
For other versions, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.
Hotfix installation instructions:
Refer to sk168597 - How to install a Hotfix.