ESP & UDP/500 Across Separate Links

Unanswered Question
Apr 14th, 2010

Posted this in the VPN section - I apologize in advance for cross-posting, but I'm kind of in a bind.

We've been pushing tons of replication traffic lately through a VPN, and have been using a route map to direct that traffic specifically to an OC3 (before that, it completely saturated one of our DS3's). We have 4 tunnels total, and only the tunnel used for replication across the OC3 seems to be having issues. It's been sporadic, but when it drops the only way to fix it is to clear the SA. It's possible that the OC3 might actually be throttled down (when it's hammered, BW charts show it flatlining at around 85-90mb but never anything higher).

I'm thinking, though, that maybe UDP/500 is getting caught up somewhere during congestion while trying to rekey and causing the tunnel to drop. What are your thoughts on creating another route-map and directing only UDP/500 across a known good link, while still riding ESP across the bigger OC3?

Jon Marshall Wed, 04/14/2010 - 11:41

droeun141 wrote:

Posted this in the VPN section - I apologize in advance for cross-posting, but I'm kind of in a bind.

We've been pushing tons of replication traffic lately through a VPN, and have been using a route map to direct that traffic specifically to an OC3 (before that, it completely saturated one of our DS3's). We have 4 tunnels total, and only the tunnel used for replication across the OC3 seems to be having issues. It's been sporadic, but when it drops the only way to fix it is to clear the SA. It's possible that the OC3 might actually be throttled down (when it's hammered, BW charts show it flatlining at around 85-90mb but never anything higher).

I'm thinking, though, that maybe UDP/500 is getting caught up somewhere during congestion while trying to rekey and causing the tunnel to drop. What are your thoughts on creating another route-map and directing only UDP/500 across a known good link, while still riding ESP across the bigger OC3?

Well, it's worth a try. It's not going to break anything as long as the 2 endpoints are still the same, and they will be. The only other thing you could do is look at using QoS to prioritise the UDP 500 traffic, but if you have another link that can be used I would try that first. Obviously make sure you apply the PBR on the other end as well so the same link is used for return traffic on the UDP 500 port.

Jon
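The following is an added illustration of the two approaches discussed in this thread (steering IKE over the known-good link with a second route-map clause, and the QoS alternative Jon mentions); it is not configuration from either poster. It assumes a Cisco IOS router with the VPN concentrator behind it on GigabitEthernet0/0, the OC3 reached via next hop 198.51.100.1 and the DS3 via 198.51.100.5, and peer addresses 192.0.2.10 (local) and 203.0.113.10 (remote); all addresses, interface names and object names are made up for the example. If the router itself terminates the tunnel, the same route-map is applied with `ip local policy route-map` instead of on an interface. UDP/4500 is included because, if NAT traversal is negotiated, IKE and ESP both move to that port and would otherwise miss the UDP/500 match.

```cisco
! ---- Hypothetical addressing (RFC 5737 documentation ranges) ----
!   Local VPN endpoint   192.0.2.10      Remote VPN endpoint  203.0.113.10
!   OC3 next hop         198.51.100.1    DS3 next hop         198.51.100.5
!
! IKE / ISAKMP between the two peers: UDP/500, plus UDP/4500 when NAT-T is in use
ip access-list extended ISAKMP-TO-PEER
 permit udp host 192.0.2.10 eq 500 host 203.0.113.10 eq 500
 permit udp host 192.0.2.10 eq 4500 host 203.0.113.10 eq 4500
!
! ESP (IP protocol 50) carrying the replication traffic between the same peers
ip access-list extended ESP-TO-PEER
 permit esp host 192.0.2.10 host 203.0.113.10
!
! Sequence 10: keep IKE and rekeys off the congested OC3
route-map VPN-STEER permit 10
 description IKE over the known-good DS3
 match ip address ISAKMP-TO-PEER
 set ip next-hop 198.51.100.5
!
! Sequence 20: bulk ESP stays on the OC3 (replaces the existing replication route-map clause)
route-map VPN-STEER permit 20
 description ESP over the OC3
 match ip address ESP-TO-PEER
 set ip next-hop 198.51.100.1
!
! Sequence 30: anything else falls through to the normal routing table
route-map VPN-STEER permit 30
!
interface GigabitEthernet0/0
 description LAN side facing the VPN concentrator
 ip policy route-map VPN-STEER
!
! ---- Alternative (or addition): protect IKE with QoS on the OC3 egress ----
class-map match-all ISAKMP
 match access-group name ISAKMP-TO-PEER
!
policy-map OC3-OUT
 class ISAKMP
  priority 64
 class class-default
  fair-queue
!
interface POS2/0
 description OC3 uplink
 service-policy output OC3-OUT
```

The remote router needs the mirror image of the ISAKMP-TO-PEER entries (source and destination swapped) with its own policy route-map, otherwise the return half of each IKE exchange still rides the congested path and the rekey can still time out. After applying, `show route-map VPN-STEER` shows per-sequence match counters, which is the quickest way to confirm UDP/500 is actually hitting sequence 10 rather than falling through; `show crypto isakmp sa` and `show crypto ipsec sa` confirm the SAs survive the next rekey interval. If the DS3 can go down independently, `set ip next-hop verify-availability` with a tracked reachability object lets the clause fall back to normal routing instead of blackholing IKE.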
