SND connection outbound distribution issue when running VPN
Symptoms
  • When there is a lot of VPN traffic, some SND CPUs may be highly utilized while other SND CPUs are not.
  • In CPView, "Advanced -> SecureXL -> Network-per-CPU" shows unequal outbound bps distribution.
Cause

Each VPN connection is handled by a specific CPU; the Secure Network Distributor (SND) allocates the connection to the relevant CPU.
SND distribution is based on a hash function that uses the connection tuple, so the load is not distributed equally in some network topologies and VPN configurations.
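
The effect described above, modeled as an added example (not Check Point code): each connection is pinned to one CPU by a hash of its tuple, so a few heavy connections decide the per-CPU load. The SHA-256 stand-in hash, the four SND CPUs and the sample connections are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

SND_CPUS = 4  # assumed number of SND cores

# Constructed sample: (src, dst, proto, sport, dport, Mbps) for VPN-bound connections.
# A few site-to-site flows carry most of the traffic.
CONNECTIONS = [
    ("10.1.0.10", "172.16.5.20", 6, 40001, 445, 900),
    ("10.1.0.11", "172.16.5.21", 6, 40002, 443, 700),
    ("10.1.0.12", "172.16.5.22", 17, 40003, 4789, 300),
    ("10.1.0.13", "172.16.5.23", 6, 40004, 22, 40),
    ("10.1.0.14", "172.16.5.24", 6, 40005, 80, 30),
    ("10.1.0.15", "172.16.5.25", 6, 40006, 80, 30),
]

def cpu_for_tuple(conn, cpus=SND_CPUS):
    """Stand-in tuple hash (SHA-256 mod cpus); NOT Check Point's actual function."""
    key = "|".join(str(field) for field in conn[:5]).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % cpus

def load_per_cpu(connections, cpus=SND_CPUS):
    """Sum the Mbps of every connection pinned to each CPU."""
    load = defaultdict(int)
    for conn in connections:
        load[cpu_for_tuple(conn, cpus)] += conn[5]
    return [load[cpu] for cpu in range(cpus)]

def imbalance(load):
    """Ratio of the busiest CPU to a perfectly even split (1.0 = balanced)."""
    even = sum(load) / len(load)
    return max(load) / even

if __name__ == "__main__":
    load = load_per_cpu(CONNECTIONS)
    for cpu, mbps in enumerate(load):
        print(f"SND CPU {cpu}: {mbps} Mbps")
    print(f"imbalance factor: {imbalance(load):.2f}")
```

Because the hash places whole connections rather than bytes, the busiest CPU always carries at least the largest single connection, however the remaining connections fall.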


Solution

This problem was fixed. It is now possible to leave the connection on the same CPU, based on the inbound distribution of the Network Interface Card, and it will handle all VPN connections that need to be encrypted.

The fix is included in:


This fix adds a new kernel parameter cphwd_medium_path_qid_by_cpu_id.
Note: This kernel parameter is disabled by default.


To verify the value of the parameter cphwd_medium_path_qid_by_cpu_id, run:
# fw ctl get int cphwd_medium_path_qid_by_cpu_id

Value                                   Feature status
cphwd_medium_path_qid_by_cpu_id = 0     When the feature is disabled, SNDs may not be balanced.
cphwd_medium_path_qid_by_cpu_id = 1     When the feature is enabled, there is a better balance between SNDs.


To activate the feature on the fly, run:   
[Expert@HostName:0]# fw ctl set int cphwd_medium_path_qid_by_cpu_id 1


To disable the parameter on the fly:
[Expert@HostName:0]# fw ctl set int cphwd_medium_path_qid_by_cpu_id 0


Note: Changing the value of cphwd_medium_path_qid_by_cpu_id on the fly may cause connectivity issues. Refer to sk26202 to set the parameter permanently.



For other versions, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.

Hotfix installation instructions:
Refer to sk168597 - How to install a Hotfix.
