PIX IpSec VPN with "ip load-sharing per-packet" NxT1

Oct 23rd, 2008

Looking to add another T1 to an existing 2600XM router. We use IPSEC tunnels over the internet to connect offices.

Will using "ip load-sharing per-packet" interfere with the IPSEC Site-to-Site tunnel between my Pix 506e and other Pix's?

Is there something here on the Cisco site that states not to use "ip load-sharing per-packet" with IPSEC Tunnels?


alexandre.joanelli Tue, 10/28/2008 - 12:13

I think that you will have no problem with that, since the split IPsec sessions will be reassembled before reaching the PIX through the router LAN interface.

I'm not sure if an unordered flow of packets could cause some kind of problem, such as errors or even performance issues.

Try using "per-session" to mitigate the impacts to the production environment.

dmooreami Tue, 10/28/2008 - 13:25

TAC informed me that I can't use T1 load sharing.

"Even if you're doing the load balancing on the routers and the IPsec endpoint is not the router itself, you'll have out-of-order packets due to the nature of load-sharing so the anti-replay feature will bring the tunnel down."

So the solution is to go Multilink (mlpp).
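
The anti-replay check mentioned in the TAC reply, as an added example that is not part of the original thread: a receiver-side sliding window in the style of RFC 4303, fed a constructed per-packet split across two links where one link lags the other. The 64-packet window, the odd/even link assignment and the lag values are assumptions chosen for illustration, not measurements from this setup.

```python
class AntiReplayWindow:
    """Receiver-side sliding window in the style of RFC 4303 section 3.4.3."""

    def __init__(self, size=64):          # 64 is an assumed window size
        self.size = size
        self.top = 0                      # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set => sequence (top - i) already seen

    def accept(self, seq):
        if seq > self.top:                # newer packet: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # arrived too late: left of the window
            return False
        if self.bitmap & (1 << offset):   # already seen: treated as a replay
            return False
        self.bitmap |= 1 << offset        # late, but still inside the window
        return True


def arrival_order(count, lag):
    """Constructed model: odd sequence numbers use link A, even ones link B,
    and link B delivers `lag` packet-times later than link A."""
    packets = range(1, count + 1)
    return sorted(packets, key=lambda s: (s + (lag if s % 2 == 0 else 0), s))


def dropped(count, lag, window=64):
    """Sequence numbers the receiver discards for a given lag and window size."""
    win = AntiReplayWindow(window)
    return [s for s in arrival_order(count, lag) if not win.accept(s)]


if __name__ == "__main__":
    for lag in (0, 10, 100):
        print(f"lag={lag:3d} packets  dropped={len(dropped(1000, lag))}")
```

Reordering that stays inside the window is tolerated; once the slower link trails by more than the window size, every packet it carries is discarded as if it were a replay.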

