04-14-2010 11:07 AM
We've been pushing tons of replication traffic lately through a VPN, and have been using a route map to direct that traffic specifically to an OC3 (before that, it completely saturated one of our DS3s). We have 4 tunnels total, and only the tunnel used for replication across the OC3 seems to be having issues. It's been sporadic, but when it drops the only way to fix it is to clear the SA. It's possible that the OC3 might actually be throttled down (when it's hammered, BW charts show it flatlining at around 85-90mb but never anything higher).
I'm thinking, though, if maybe UDP/500 is caught up in congestion somewhere during a rekey & causing the tunnel to drop. What are your thoughts on creating another route-map & directing UDP/500 across a known good link, while still riding ESP across the OC3?
04-15-2010 01:57 PM
Hi,
Please correct me if I'm wrong, but I would not try to split ESP traffic from UDP 500.
When you establish an IPsec tunnel, the tunnel itself establishes over UDP 500 and then all the encrypted traffic travels using ESP.
You cannot separate both protocols over different paths.
A better way will be to check if all traffic is legitimate traffic and if so, consider either QoS or using another link as well for VPN traffic (increasing bandwidth).
Federico.
04-15-2010 02:29 PM
Federico
When you establish an IPsec tunnel, the tunnel itself establishes over UDP 500 and then all the encrypted traffic travels using ESP.
You cannot separate both protocols over different paths.
Interesting point. As all packets, both the UDP 500 and the ESP packets, are contained within IP headers, I would have thought the packets could take any path they want, i.e. they are not tied to any particular path, as the whole point of IP is that each packet is routed independently.
Jon
04-15-2010 02:37 PM
Yes.
The VPN connection can take different paths since they are IP packets (as you said).
What I meant is that if you route the ESP packets over a different path than all the UDP 500 packets,
the VPN might not establish as smoothly as it should, or packets can get out of order.
Unless there is control on how the packets reach the destination, I believe there could be more problems
than benefits.
Anyway, I have not really tried it and perhaps I'm wrong.
Federico.
04-15-2010 02:41 PM
Federico
I haven't tried it either, I was just wondering if you had, to be honest.
I could just as easily be wrong.
Jon
04-15-2010 02:43 PM
Jon,
But what do you think? It makes sense, or it should not matter?
One has to always be honest ;-)
Federico.
04-15-2010 02:48 PM
coto.fusionet wrote:
Jon,
But what do you think? It makes sense, or it should not matter?
One has to always be honest ;-)
Federico.
Federico
My gut feeling is it shouldn't matter because on the internet there is no guarantee your packets are all taking the same path anyway. If an ESP packet arrived before the tunnel has actually been setup it should just be dropped.
Jon
04-16-2010 04:10 AM
I guess I'll be the lab rat here.
We have 3 circuits, none of which are point to point links to where we're replicating. The latency on the OC3 is noticeably higher than the 2 DS3s. My take is, and I might be wrong as well: if we send both ESP & UDP/500 over a single link, it may very well already split once it hits the PE & take different paths throughout the cloud. With directing UDP/500 through a lower latency link, we can at least control traffic up to a certain point.
The utilization was less than 50% when the tunnel dropped, would QoS still help? Our gateway router is managed by another team unfortunately and they don't have QoS implemented. I sniffed the traffic leaving our edge & could see our router trying to re-establish itself on UDP/500 but didn't see any replies. Clearing the SA on our end does no good, the router was ignoring 'delete notify' send requests because it couldn't build the new SA. The only way it recovers is when it's cleared from the remote side, so somewhere along the way UDP from us is getting blocked, or it isn't making it there at all, even though other tunnels we have are up & operational.
I've never used DPD - if the remote side has it configured, will it automatically force them to build a new SA with us?
Once tested - will let everyone know how it goes.
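An added example, not code from the thread: a small Python check that scans tcpdump-style summary lines for the symptom described in the post above, repeated IKE (UDP/500) transmissions to one peer with no reply while other peers still answer and ESP flows. The capture lines, addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample capture (tcpdump-like summaries, not from the thread).
# Peer 198.51.100.1 never answers IKE; peer 203.0.113.9 answers and carries ESP.
SAMPLE_CAPTURE = """\
1.000 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
2.000 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
4.000 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
8.000 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
1.200 IP 192.0.2.1.500 > 203.0.113.9.500: isakmp: phase 1 I ident
1.250 IP 203.0.113.9.500 > 192.0.2.1.500: isakmp: phase 1 R ident
1.300 IP 192.0.2.1 > 203.0.113.9: ESP(spi=0x0000abcd,seq=0x1)
"""

IKE_RE = re.compile(r"^(?P<ts>[\d.]+) IP (?P<src>[\d.]+)\.500 > (?P<dst>[\d.]+)\.500: isakmp")
ESP_RE = re.compile(r"^(?P<ts>[\d.]+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP")


def summarize_peers(capture_text, local_ip):
    """Per remote peer, count IKE packets sent/received and ESP packets sent/received
    as seen from local_ip. Lines that are neither IKE nor ESP are ignored."""
    stats = defaultdict(lambda: {"ike_sent": 0, "ike_recv": 0, "esp_sent": 0, "esp_recv": 0})
    for line in capture_text.splitlines():
        m = IKE_RE.match(line) or ESP_RE.match(line)
        if not m:
            continue
        kind = "ike" if m.re is IKE_RE else "esp"
        src, dst = m.group("src"), m.group("dst")
        if src == local_ip:
            stats[dst][kind + "_sent"] += 1
        elif dst == local_ip:
            stats[src][kind + "_recv"] += 1
    return dict(stats)


def unanswered_ike_peers(capture_text, local_ip, min_attempts=3):
    """Peers to which we sent at least min_attempts IKE packets and got no IKE reply:
    the one-way UDP/500 pattern that leaves a router unable to rebuild its SA."""
    stats = summarize_peers(capture_text, local_ip)
    return sorted(peer for peer, s in stats.items()
                  if s["ike_sent"] >= min_attempts and s["ike_recv"] == 0)


if __name__ == "__main__":
    for peer, s in summarize_peers(SAMPLE_CAPTURE, "192.0.2.1").items():
        print(peer, s)
    print("no IKE reply from:", unanswered_ike_peers(SAMPLE_CAPTURE, "192.0.2.1"))
```

Feed it the output of a capture filtered on `udp port 500 or esp` from the edge; a peer listed by `unanswered_ike_peers` while other peers show `ike_recv` > 0 points at a path or filtering problem toward that peer rather than at the local router.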