Each VPN connection is handled by a specific CPU, Secure Network Distributor (SND) allocates the connection to the relevant CPU.
The distribution of SND is based on the hash function that uses connection tuple, making it not equally distributed in different kinds of Network Topologies and VPN configurations.
This problem was fixed. It is now possible to leave the connection on the same CPU, based on the inbound distribution of the Network Interface Card, and it will handle all VPN connections that need to be encrypted.
The fix is included in:
This fix adds a new kernel parameter
: This kernel parameter is disabled by default.
To verify the value of the parameter
# fw ctl get int cphwd_medium_path_qid_by_cpu_id
cphwd_medium_path_qid_by_cpu_id = 0
When the feature is disabled, SNDs may not be balanced.
cphwd_medium_path_qid_by_cpu_id = 1
When the feature is enabled, there is a better balance between SNDs.To activate the feature on the fly
[Expert@HostName:0]# fw ctl set int cphwd_medium_path_qid_by_cpu_id 1To disable the parameter on the fly
[Expert@HostName:0]# fw ctl set int cphwd_medium_path_qid_by_cpu_id 0Note
: Changing the value of
on the fly may cause connectivity issues. Refer to sk26202
to set the parameter permanently.
For other versions, Check Point can supply a Hotfix. Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.
Hotfix installation instructions:
Refer to sk168597 - How to install a Hotfix.