Routing UDP/500

Unanswered Question
Apr 14th, 2010
We've been pushing tons of replication traffic lately through a VPN, and have been using a route map to direct that traffic specifically to an OC3 (before that, it completely saturated one of our DS3s). We have 4 tunnels total, and only the tunnel used for replication across the OC3 seems to be having issues. It's been sporadic, but when it drops the only way to fix it is to clear the SA. It's possible that the OC3 might actually be throttled down (when it's hammered, BW charts show it flatlining at around 85-90 Mbps but never anything higher).


I'm thinking, though, if maybe UDP/500 is caught up in congestion somewhere during a rekey & causing the tunnel to drop.  What are your thoughts on creating another route-map & directing UDP/500 across a known good link, while still riding ESP across the OC3?

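The split the question proposes, written out as an added Cisco IOS example (this is not configuration from the original post or from any of the posters). The peer addresses, next hops, access-list and route-map names are placeholders. Because the tunnel terminates on this router, the IKE and ESP packets are router-generated, so it is the local policy, not an interface policy, that steers them.

```cisco
! Added example, not from the original thread. Addresses and names are placeholders.
! Local VPN endpoint 192.0.2.1, remote VPN endpoint 198.51.100.1.
! DS3 next hop 203.0.113.1 (the "known good" link), OC3 next hop 203.0.113.5.

ip access-list extended IKE-TO-PEER
 remark IKE/ISAKMP between the two endpoints (UDP/500 on both ends)
 permit udp host 192.0.2.1 eq isakmp host 198.51.100.1 eq isakmp

ip access-list extended ESP-TO-PEER
 remark the encrypted payload, which keeps following the OC3
 permit esp host 192.0.2.1 host 198.51.100.1

route-map VPN-SPLIT permit 10
 match ip address IKE-TO-PEER
 set ip next-hop 203.0.113.1

route-map VPN-SPLIT permit 20
 match ip address ESP-TO-PEER
 set ip next-hop 203.0.113.5

! The router originates IKE and ESP itself, so an interface "ip policy" never sees them;
! local policy is what applies to the router's own packets.
ip local policy route-map VPN-SPLIT

! Useful checks while a rekey is in progress:
!   show route-map VPN-SPLIT          (match counters per clause)
!   show crypto isakmp sa
!   show crypto ipsec sa peer 198.51.100.1
```

Two caveats a practitioner would want before relying on this. The route-map only decides the first hop out of this edge; the return path is chosen by the remote end and its provider, so IKE replies can still arrive over whichever link that side prefers. And if the peers detect NAT and negotiate NAT-T, both IKE and the ESP payload move to UDP/4500, at which point a UDP/500-only match no longer separates anything. Anything the route-map does not match falls through to the normal routing table.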
Federico Coto F... Thu, 04/15/2010 - 13:57

Hi,


Please correct me if I'm wrong, but I would not try to split ESP traffic from UDP 500.


When you establish an IPsec tunnel, the tunnel itself establishes over UDP 500 and then all the encrypted traffic travels using ESP.

You cannot separate both protocols over different paths.


A better way would be to check whether all the traffic is legitimate and, if so, consider either QoS or using another link as well for VPN traffic (increasing bandwidth).


Federico.

Jon Marshall Thu, 04/15/2010 - 14:29

Federico


coto.fusionet wrote:

    When you establish an IPsec tunnel, the tunnel itself establishes over UDP 500 and then all the encrypted traffic travels using ESP.

    You cannot separate both protocols over different paths.


Interesting point. As all packets, both the UDP 500 and the ESP packets, are contained within IP headers, I would have thought the packets could take any path they want, i.e. they are not tied to any particular path, as the whole point of IP is that each packet is routed independently.


Jon

Federico Coto F... Thu, 04/15/2010 - 14:37

Yes.


The VPN connection can take different paths since they are IP packets (as you said).

What I meant is that if you route the ESP packets over a different path than all the UDP 500 packets, the VPN might not establish as smoothly as it should, or packets can get out of order. Unless there is control on how the packets reach the destination, I believe there could be more problems than benefits.


Anyway, I have not really tried it and perhaps I'm wrong.


Federico.

Jon Marshall Thu, 04/15/2010 - 14:41

Federico


I haven't tried it either; I was just wondering if you had, to be honest.


I could just as easily be wrong.


Jon

Federico Coto F... Thu, 04/15/2010 - 14:43

Jon,


But what do you think? It makes sense, or it should not matter?


One has to always be honest ;-)


Federico.

Jon Marshall Thu, 04/15/2010 - 14:48

coto.fusionet wrote:

    Jon,

    But what do you think? It makes sense, or it should not matter?

    One has to always be honest ;-)

    Federico.

Federico


My gut feeling is it shouldn't matter because on the internet there is no guarantee your packets are all taking the same path anyway. If an ESP packet arrived before the tunnel has actually been setup it should just be dropped.


Jon

Federico Coto F... Thu, 04/15/2010 - 14:51

droeun141,

If you can give it a try and let us know if it works, I think everybody wins.
Please let us know.
Federico.
droeun141 Fri, 04/16/2010 - 04:10
I guess I'll be the lab rat here


We have 3 circuits, none of which are point-to-point links to where we're replicating. The latency on the OC3 is noticeably higher than on the 2 DS3s. My take is, and I might be wrong as well: if we send both ESP and UDP/500 over a single link, it may very well already split once it hits the PE and take different paths throughout the cloud. By directing UDP/500 through a lower-latency link, we can at least control the traffic up to a certain point.


The utilization was less than 50% when the tunnel dropped, so would QoS still help? Our gateway router is managed by another team, unfortunately, and they don't have QoS implemented. I sniffed the traffic leaving our edge and could see our router trying to re-establish itself on UDP/500 but didn't see any replies. Clearing the SA on our end does no good; the router was ignoring 'delete notify' send requests because it couldn't build the new SA. The only way it recovers is when it's cleared from the remote side, so somewhere along the way UDP from us is getting blocked, or it isn't making it there at all, even though the other tunnels we have are up and operational.


I've never used DPD. If the remote side has it configured, will it automatically force them to build a new SA with us?


Once tested - will let everyone know how it goes.
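An added Cisco IOS example of the DPD setting the post asks about; it is not configuration from the thread, and the timer values are placeholders. DPD does not build anything on its own: when a peer stops answering the keepalive probes, the router deletes its own IKE and IPsec SAs for that peer, which has the same effect as the manual clear described above, and the next packet that needs the tunnel triggers a fresh negotiation.

```cisco
! Added example, not from the original thread. Timer values are placeholders.
! Probe the peer every 10 s with an IKE R-U-THERE; once a probe goes unanswered,
! retry at 3 s intervals, and when the retries are exhausted tear down the IKE and
! IPsec SAs for that peer. "periodic" probes on a schedule; "on-demand" (the default
! if neither keyword is given) only probes when outbound traffic exists and no
! inbound traffic has been seen.
crypto isakmp keepalive 10 3 periodic

! Confirm DPD is negotiated with the peer and watch the SA state:
!   show crypto isakmp sa detail
!   show crypto session detail
```

Both ends should carry the setting; a side that has DPD configured only detects the failure for itself and clears its own SAs, which is consistent with the tunnel only recovering when the remote side clears it. Because the probes ride in IKE on UDP/500, they are subject to whatever is blocking or dropping that traffic in the first place, so in that situation DPD shortens the outage rather than preventing it.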
