Known Limitations

Limitations that apply to 100G Ports:

Category

Limitation

Applies to

KPPAK?

Applies to

UPPAK?

Reported

In

Resolved

In

Jumbo Hotfix Accumulator

Jumbo Hotfix Accumulator

Warning - It is not supported to uninstall the Jumbo Hotfix Accumulator from an appliance and reboot.

You can only install a higher Take of the Jumbo Hotfix Accumulator.

R81.10

Software Blades

Firewall

LightSpeed Appliances QLS and MLS with 100G Ports are shipped with a license that supports only the Firewall Software Blade.

You can purchase licenses for additional Software Blades.

However, the 100G Ports accelerate the traffic only for the Firewall Software Blade.

R81.10

QoS

QoS Software Blade not supported.

R81.10

Features

IPv6

IPv6 traffic is not supported (do not enable the IPv6 support in Gaia OS).

R81.10

R81.20

Cluster

Cluster is not supported in these modes:

  • ClusterXL Load Sharing (Unicast and Multicast).

  • ClusterXL Active-Active.

  • Multi-Version Cluster (MVC).

  • VRRP Cluster.

R81.10

MVC in R81.20

VSX

VSX mode is not supported.

R81.10

R81.20

NAT

These NAT features are not supported:

  • NAT64.

  • NAT46.

R81.10

R81.20

IP Reachability Detection

IP Reachability Detection (Bidirectional Forwarding Detection, BFD) is not supported.

R81.10

Policy Based Routing

Policy Based Routing (PBR) is not supported.

R81.10

R81.20

IoC

It is not supported to use the Threat Prevention Custom Intelligence Feeds feature (sk132193) to import IP Address lists to a blacklist.

R81.10

SecureXL

Note - The User Mode (UPPAK) mode is available from:

R81.20 Jumbo Hotfix Accumulator Take 38

R81.10 Jumbo Hotfix Accumulator Take 81

Drop Templates

SecureXL Drop Templates (see sk153832) are not supported.

R81.10

R81.20

Rate Limiting rules

SecureXL Rate Limiting rules for DoS Mitigation (see sk112454) configured with these commands are not supported:

  • fwaccel dos deny

  • fwaccel dos allow

  • fwaccel dos rate

R81.10

Expired connections

When SecureXL works in the User Mode (UPPAK), it might take the Security Gateway an additional maximum of 60 seconds to delete expired connections that are accelerated in hardware from the Security Gateway's Connections table.

This is by design, to prevent the overhead of reading the hardware too frequently.

Example: If you configured the Session Timeout of a service to 40 seconds, it might take the Security Gateway a maximum of 40 seconds + 60 seconds = 100 seconds to delete the expired connections for this service.

R81.10

Traffic statistics

When SecureXL works in the User Mode (UPPAK), traffic statistics on the Security Gateway do not contain packets and bytes for connections that are accelerated in hardware.

This applies to:

  • CPView > Network > Interfaces > Traffic.

  • Output of the "fwaccel stats -s" command.

Traffic statistics for the physical interface contains packets and bytes for connections that are accelerated in hardware for all VLAN interfaces configured on this physical interface.

R81.10

CPU utilization

Output of the "top" and "ps" commands may show that SecureXL user space processes consume the CPU at 100% (see sk180299).

This is because the SecureXL processes are constantly polling the network interface drivers.

This does not trigger inspection bypass because of a high CPU load.

To see the actual CPU utilization, use one of these:

  • The CPView tool (sk101878) on the Security Gateway (click CPU > Overview > Host).

  • SNMP query on the Security Gateway (the OID tree 1.3.6.1.4.1.2620.1.6.7.5).

  • SmartConsole:

    1. From the left navigation panel, click Gateways & Servers.

    2. Right-click the Security Gateway object > click Monitor.

    3. From the left, open System Counters and click System.

R81.10

CPU affinities

It is not supported to change the CPU affinities of SecureXL user space processes.

R81.10

USFW and KSFW

If you change the Firewall mode from User Mode (USFW) to Kernel Mode (KSFW), then SecureXL mode changes from the User Mode (UPPAK) to the Kernel Mode (KPPAK).

R81.10

Slow Path (F2F)

When SecureXL works in the User Mode (UPPAK), the Security Gateway performance for the Slow Path traffic is lower compared to the Kernel Mode (KPPAK).

Firewall path, or Slow Path (F2F) is a packet flow when the SecureXL cannot accelerate the packet.

In such case, SecureXL forwards the packet to the CoreXL layer, and one of the CoreXL Firewall instances performs full inspection.

R81.10

MDPS

MDPS (sk138672) is supported only when SecureXL works in the Kernel Mode (KPPAK) mode.

R81.10

R81.20 Jumbo Hotfix Accumulator, Take 38

Interfaces

When SecureXL works in the User Mode (UPPAK), the Security Gateway shows additional interfaces (compared to the Kernel Mode (KPPAK) mode).

This is by design.

R81.10

GTP

SecureXL does not accelerate the GTP (GPRS Tunneling Protocol) traffic.

R81.10

SCTP

SecureXL does not accelerate the SCTP (Stream Control Transmission ‎Protocol) traffic.

R81.10

CoreXL

Dynamic Balancing

Dynamic Balancing of CoreXL Firewall Instances is not supported.

On LightSpeed Appliances, this feature is disabled by default.

R81.10

R81.20

IPv4 CoreXL Firewall Instances

When you change the default CoreXL configuration in the "cpconfig" menu, configure the number of IPv4 CoreXL Firewall Instances based on this formula:

63 ≥ (Number of IPv4 CoreXL Firewall Instances) ≥ ((Total Number of CPU Cores in the Appliance) - 36)

If you configure 36 or more IPv4 CoreXL SND Instances, then the 100G Cards use a maximum of 36 IPv4 CoreXL SND Instances.

R81.10

IPv4 CoreXL Firewall Instances

When SecureXL works in the User Mode (UPPAK), the maximum supported number of IPv4 CoreXL Firewall Instances is 63.

63 ≥ (Number of IPv4 CoreXL Firewall Instances)

R81.10

Multi-Queue

Multi-Queue configuration

When you change the CoreXL configuration in the "cpconfig" menu, the Multi-Queue configuration changes to its default settings.

R81.10

Multi-Queue configuration

After you change the default Multi-Queue configuration in the "mq_mng" command, you must reboot the appliance.

R81.10

Interfaces / Ports

Speed

100G Card does not support the 25 Gbps speed.

R81.10

R81.20

Link

If you change the configuration of one 100G Card port (link up/down, MTU, and so on), it causes the link to go down and then up on the other 100G Card port.

Therefore, schedule a maintenance window to make the required changes in the configuration of the 100G Ports.

R81.10

802.1ad

802.1ad (QinQ) is not supported.

R81.10

Jumbo Frames

Jumbo Frames are not supported.

In addition, see sk111407.

R81.10

R81.20

VxLAN

VxLAN interfaces are not supported.

SecureXL does not accelerate traffic that passes through these interfaces.

R81.10

GRE

GRE interfaces are not supported.

SecureXL does not accelerate traffic that passes through these interfaces.

R81.10

Monitor Mode

Monitor Mode is not supported.

R81.10

Bond

Gaia Portal can possibly log out an administrator when configuring Bond interfaces on the 100G Ports.

The configuration is saved.

The administrator must log in again to continue.

R81.10

Bond

To create a Bond Interface that accelerates traffic, you must use the physical ports of the same 100G Card.

R81.10

Bond

When you change the state of one physical port in a Bond Interface to down / up, the other physical port in the Bond Interface also changes its state to down / up.

R81.10

Bond

Bond may become unstable because of LACP packet losses (on the network or in the interface).

Workaround - Configure the LACP "slow" rate for this Bond on each side:

  • On the host appliance - see the Gaia Administration Guide for your version > Chapter "Network Management" > Section "Network Interfaces" > Section "Bond Interfaces (Link Aggregation)".

  • On the corresponding switch - see the vendor documentation.

R81.10

R81.20

Bridge

If you configure a Bridge interface on the 100G Ports, the Bridge does not support hardware acceleration for connections.

R81.10

Breakout Cables

100G Ports do not support copper or fiber breakout cables.

R81.10

mlx<Number>

Ignore the interfaces with the names "mlx<Number>" (for example, "mlx1-01").

These are shadow interfaces for the Poll Mode Driver (PMD) the 100G Ports use.

R81.10

cpfifo<Number>

Ignore the interfaces with the names "cpfifo<Number>" (for example, "cpfifo1_0").

These are control-plane interfaces.

You cannot configure these interfaces.

R81.10

gre0

and

gretap0

Ignore the interfaces with the names "gre0" and "gretap0".

By default, Gaia OS loads the GRE kernel driver.

Therefore, Gaia OS has these interfaces in the administratively down state.

R81.10

Traffic outage

In a very rare case, the 100G Ports might stop receiving and transmitting packets.

Workaround:

  1. Shut down the appliance (in Gaia Portal or Gaia Clish).

  2. Disconnect the power cables from the appliance.

  3. Connect the power cables from the appliance.

  4. Power on the appliance.

R81.10

R81.20

Transceivers

Link

Link may not come up automatically in the 2-Port 40G/100G NIC, 4-Port 10G/25G NIC, and 10G/25G Sync Port. See sk181487.

R81.20

Traffic Capture

VLAN

To capture traffic on a VLAN interface that is configured on a 100G Port, you must specify the VLAN ID in the TCPdump syntax.

R81.10

Bond

To capture traffic that is accelerated in a Bond interface that is configured on 100G Ports, you must run the TCPdump directly on the 100G Ports.

R81.10

Direction

The TCPdump option "-Q {in | out | inout}" is not supported on the 100G Ports.

If you use this option in the syntax, the TCPdump tool shows an error.

Example:

[Expert@HostName:0]# tcpdump -eni eth3-01 -Q out

Translating Check Point pseudo interface eth3-01 to RDMA sniffer interface mlx5_0 for packet capture

tcpdump: mlx5_0: pcap_setdirection() failed: Setting direction is not implemented on this platform

[Expert@HostName:0]#

R81.10

Command Line

ethtool

There are differences in using the "ethtool" command when SecureXL works in the Kernel Mode (KPPAK) and in the User Mode (UPPAK). See sk181564.

R81.10

ethtool -i

By design, output of the "ethtool -i <Name of Interface>" command shows different drivers when SecureXL works in the Kernel Mode (KPPAK) and in the User Mode (UPPAK).

R81.10

ethtool -G

If you change the RX / TX ring sizes with the "ethool -G" command, then you must configure:

  • The values that are multiples of 32 for interfaces that use Intel drivers

  • The values that are multiples of 2 for interfaces that use Mellanox drivers

R81.10

ethtool -S

Immediately after the appliance boot, the output of this command in the Expert mode:

ethtool -S <Name of 100G Port>

can show non-zero values in the counters rx_phy_crc_errors and rx_phy_symbol_errors.

This is a cosmetic issue only.

Example:

[Expert@QLS-800:0]# ethtool -S eth1-01 | grep -E "rx_phy_crc_errors|rx_phy_symbol_errors"
rx_phy_crc_errors: 4294963909
rx_phy_symbol_errors: 4294963909
[Expert@QLS-800:0]#

R81.10

smartctl

The output of the "smartctl -a /dev/sda1" command in the Expert mode shows:

Device is: Not in smartctl database

This is a cosmetic issue only.

R81.10

dmesg

The output of the "dmesg" command in the Expert mode shows these errors on the appliance:

pci 0000:XX:00.X: BAR <NUMBER>: failed to assign [mem size 0x<NUMBER> 64bit pref]

You can safely ignore these messages.

R81.10

Maestro Configuration

Ports

You must use only the 100G Ports to connect to Quantum Maestro Orchestrators.

You must disconnect cables between Quantum Maestro Orchestrators and all other line cards and ports on the appliance.

R81.10

SD-WAN Configuration

Ports

SD-WAN does not support the 10/25/40/100G QSFP28 Ports.

R81.20

HW Diagnostics

"HW Diagnostics" menu

Below the "HW Diagnostics" menu, messages about "LOM module" and "LOM" can possibly appear in this scenario:

  1. A LOM Card is installed in the appliance.

  2. You connect your computer to the Console port on the appliance.

  3. During the appliance boot, you press any key to enter the Boot Menu.

  4. In the Boot Menu, you select "HW Diagnostics" and press the Enter key (see sk97251).

Example messages:

  • LOM module not updated with system date and time

  • Unable to communicate with LOM

R81.10

"HW Diagnostics" log file

The log file from the "HW Diagnostics" > "Networking Test" shows incorrect names of interfaces in this scenario:

  1. You connect your computer to the Console port on the appliance.

  2. During the appliance boot, you press any key to enter the Boot Menu.

  3. In the Boot Menu, you select "HW Diagnostics" and press the Enter key (see sk97251).

  4. In the "HW Diagnostics" menu, you select "Diagnostics" (or "Custom" > "Networking Test") and press the Enter key.

  5. In the "HW Diagnostics" menu, you select "Save Logs".

  6. You examine the "NETWORK_TEST_<Date>_<Time>.log" file.

This is a cosmetic issue only.

R81.10