Multi-Queue

In This Section: Introduction to Multiple Traffic Queues Multi-Queue Administration Basic Multi-Queue Configuration Advanced Multi-Queue settings Special Scenarios and Configurations Troubleshooting

Introduction to Multiple Traffic Queues

When most of the traffic is accelerated by the SecureXL, the CPU load from the CoreXL SND instances can be very high, while the CPU load from the CoreXL FW instances can be very low. This is an inefficient utilization of CPU capacity.

By default, the number of CPU cores allocated to CoreXL SND instances is limited by the number of network interfaces that handle the traffic. Because each interface has one traffic queue, only one CPU core can handle each traffic queue at a time. This means that each CoreXL SND instance can use only one CPU core at a time for each network interface.

Check Point Multi-Queue lets you configure more than one traffic queue for each network interface. For each interface, you can use more than one CPU core (that runs CoreXL SND) for traffic acceleration. This balances the load efficiently between the CPU cores that run the CoreXL SND instances and the CPU cores that run CoreXL FW instances.

Important:

• Multi-Queue applies only if SecureXL is enabled (this is the default).
• Multi-Queue on the Falcon Acceleration Cards is enabled and configured automatically.

Multi-Queue Requirements and Limitations

• Multi-Queue is not supported on computers with one CPU core.
• Network interfaces must use the driver that supports Multi-Queue.
• Multi-Queue does not use network interfaces that are currently in the down state.
• The number of queues is limited by the number of CPU cores and the type of interface driver:

  Interface Driver	Interface Speed	Maximal Number of RX Queues
  igb	1 Gb	4
  ixgbe	10 Gb	16
  i40e	40 Gb	14
  mlx5_core	40 Gb	10

• You can configure a maximum of five interfaces with Multi-Queue.
• You must reboot the Security Gateway after all changes in the Multi-Queue configuration.

Deciding Whether to Enable the Multi-Queue

This section helps you decide if you can benefit from the Multi-Queue.

We recommend that you do these steps before you configure the Multi-Queue:

1. Make sure that network interfaces support Multi-Queue.
2. Make sure that SecureXL is enabled.
3. Examine the CPU roles allocation.
4. Examine the CPU cores utilization.
5. Decide if you can allocate more CPU cores to run the CoreXL SND instances.

To make sure that network interfaces support Multi-Queue

Only network cards that use the igb (1Gb), ixgbe (10Gb), i40e (40Gb), or mlx5_core (40Gb) drivers support the Multi-Queue.

Important - Before you upgrade these drivers, make sure that the latest version supports the Multi-Queue.

Gateway Type	Network Interfaces that Support the Multi-Queue
Check Point Appliance	These expansion line cards support the Multi-Queue: CPAC-4-1C CPAC-4-1F CPAC-8-1C CPAC-2-10F CPAC-4-10F CPAC-2-40F CPAC-2-100/25F CPAC-2-10-FSR
Open Server	Network cards that use one of these drivers support the Multi-Queue: igb (1Gb) ixgbe (10Gb) i40e (40Gb) mlx5_core (40Gb)

Notes:

• To view, which driver an interface uses, run this command in the Expert mode:

  ethtool -i <Name of Interface>

• When you install a new interface, you must run these two commands:

  cpmq reconfigure

  reboot

To make sure that SecureXL is enabled

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to the Gaia Clish, or the Expert mode.
3	Run: fwaccel stat -t
4	Examine the Status column. Example from a non-VSX Gateway: [Expert@MyGW:0]# fwaccel stat -t +-----------------------------------------------------------------------------+ |Id|Name |Status |Interfaces |Features | +-----------------------------------------------------------------------------+ |0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,| | | | | |eth5,eth6,eth7 |Acceleration,Cryptography | +-----------------------------------------------------------------------------+ [Expert@MyGW:0]#
5	If the SecureXL is disabled, enable it. Run: fwaccel on

To examine the CPU roles allocation

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to the Gaia Clish, or the Expert mode.
3	Run: fw ctl affinity -l [-a][-v][-r]

Example - CPU0 and CPU1 run the CoreXL SND instances:

[Expert@GW:0]# fw ctl affinity -l Mgmt: CPU 0 eth1-04: CPU 1 eth1-05: CPU 0 eth1-06: CPU 1 eth1-07: CPU 0 fw_0: CPU 5 fw_1: CPU 4 fw_2: CPU 3 fw_3: CPU 2 [Expert@GW:0]#

To examine the CPU cores utilization

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to the Gaia Clish, or the Expert mode.
3	Run: top
4	Press 1 to show all the CPU cores.

Example:

• CPU cores that run CoreXL SND instances (CPU0 and CPU1) are approximately 30% idle.
• CPU cores that run CoreXL Firewall instances are approximately 70% idle.

  top - 18:02:33 up 8 days, 1:18, 1 user, load average: 1.22, 1.38, 1.48 Tasks: 137 total, 3 running, 134 sleeping, 0 stopped, 0 zombie Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 28.7%id, 5.9%wa, 0.0%hi, 63.4%si, 0.0%st Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 27.6%id, 0.0%wa, 0.0%hi, 71.4%si, 0.0%st Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 66.5%id, 0.0%wa, 4.0%hi, 25.5%si, 0.0%st Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 71.3%id, 0.0%wa, 0.0%hi, 25.7%si, 0.0%st Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 69.0%id, 0.0%wa, 0.0%hi, 25.0%si, 0.0%st Mem: 12224020k total, 70005820k used, 5218200k free, 273536k buffers Swap: 14707496k total, 0k used, 14707496k free, 484340k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3301 root 15 0 0 O 0 R 31 0.0 747:04 [fw_worker_3] 3326 root 15 0 0 O 0 R 29 0.0 593:35 [fw_worker_0] ... ... ...

To decide if you can allocate more CPU cores to run the CoreXL SND instances

If you have more active network interfaces than the CPU cores that run CoreXL SND instances, you can allocate more CPU cores to run more CoreXL SND instances.

We recommend to configure the Multi-Queue when:

1. CoreXL SND instances cause high CPU load (idle is less than 20%).
2. CoreXL Firewall instances cause low CPU load (idle is greater than 50%).

Note - You cannot assign more CPU cores to run CoreXL SND instances if you change interface IRQ affinity.