We've been pushing tons of replication traffic lately through a VPN, and have been using a route map to direct that traffic specifically to an OC3 (before that, it completely saturated one of our DS3s). We have 4 tunnels total, and only the tunnel used for replication across the OC3 seems to be having issues. It's been sporadic, but when it drops the only way to fix it is to clear the SA. It's possible that the OC3 might actually be throttled down (when it's hammered, BW charts show it flatlining at around 85-90mb but never anything higher).
I'm thinking, though, if maybe UDP/500 is caught up in congestion somewhere during a rekey & causing the tunnel to drop. What are your thoughts on creating another route-map & directing UDP/500 across a known good link, while still riding ESP across the OC3?
When you establish an IPsec tunnel, the tunnel itself establishes over UDP 500 and then all the encrypted traffic travels using ESP.
You cannot separate both protocols over different paths.
Interesting point. As all packets, both the UDP 500 and the ESP packets, are contained within IP headers, I would have thought the packets could take any path they want, i.e. they are not tied to any particular path, as the whole point of IP is that each packet is routed independently.
The VPN connection can take different paths since they are IP packets (as you said). What I meant is that if you route the ESP packets over a different path than all the UDP 500 packets, the VPN might not establish as smoothly as it should, or packets can get out of order. Unless there is control on how the packets reach the destination, I believe there could be more problems than benefits.
Anyway, I have not really tried it and perhaps I'm wrong.
But what do you think? It makes sense, or it should not matter?
One has to always be honest ;-)
My gut feeling is it shouldn't matter because on the internet there is no guarantee your packets are all taking the same path anyway. If an ESP packet arrived before the tunnel has actually been set up it should just be dropped.
We have 3 circuits, none of which are point-to-point links to where we're replicating. The latency on the OC3 is noticeably higher than the 2 DS3s. My take is, and I might be wrong as well: if we send both ESP & UDP/500 over a single link, it may very well already split once it hits the PE & take different paths throughout the cloud. By directing UDP/500 through a lower-latency link, we can at least control traffic up to a certain point.
The utilization was less than 50% when the tunnel dropped, would QoS still help? Our gateway router is managed by another team unfortunately and they don't have QoS implemented. I sniffed the traffic leaving our edge & could see our router trying to re-establish itself on UDP/500 but didn't see any replies. Clearing the SA on our end does no good; the router was ignoring 'delete notify' send requests because it couldn't build the new SA. The only way it recovers is when it's cleared from the remote side, so somewhere along the way UDP from us is getting blocked, or it isn't making it there at all, even though other tunnels we have are up & operational.
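The check the poster above did by hand (sniff the edge, watch for UDP/500 requests that never get a reply while ESP is still flowing) can be automated over a packet summary. The script below is an added example, not code from anyone in this thread; the capture lines it reads are constructed (documentation-range addresses, a simplified `"<seconds> <src> > <dst> <proto> <detail>"` summary shape rather than real tcpdump output), and the reply window and retransmit threshold are assumed values you would tune to your peer's IKE retransmit timers. It separates the IKE control plane (UDP/500) from the ESP data plane per direction, so the verdict distinguishes "the remote is still sending us ESP but never answers IKE" (the UDP/500 path is suspect) from "nothing at all comes back" (peer or link down).

```python
import re
from dataclasses import dataclass

# Constructed packet summary (NOT a real trace); 203.0.113.10 is "our" edge,
# 198.51.100.20 the remote VPN peer. Both are documentation-range addresses.
# First a healthy rekey gets answered; later a main-mode restart is retransmitted
# without any reply while ESP from the remote keeps arriving on the old SA.
SAMPLE_CAPTURE = """\
0.00  203.0.113.10 > 198.51.100.20 ESP spi=0x1a2b3c4d seq=1001
0.05  198.51.100.20 > 203.0.113.10 ESP spi=0x5e6f7a8b seq=887
1.00  203.0.113.10 > 198.51.100.20 UDP/500 ISAKMP quick-mode rekey msgid=0x0a
1.30  198.51.100.20 > 203.0.113.10 UDP/500 ISAKMP quick-mode rekey msgid=0x0a
1.50  203.0.113.10 > 198.51.100.20 ESP spi=0x1a2b3c4d seq=1002
60.00 203.0.113.10 > 198.51.100.20 UDP/500 ISAKMP main-mode MM1 msgid=0x00
60.40 198.51.100.20 > 203.0.113.10 ESP spi=0x5e6f7a8b seq=888
62.00 203.0.113.10 > 198.51.100.20 UDP/500 ISAKMP main-mode MM1 retransmit
64.00 203.0.113.10 > 198.51.100.20 UDP/500 ISAKMP main-mode MM1 retransmit
66.00 203.0.113.10 > 198.51.100.20 UDP/500 ISAKMP main-mode MM1 retransmit
66.50 198.51.100.20 > 203.0.113.10 ESP spi=0x5e6f7a8b seq=889
"""

# Summary-line shape assumed by this example: "<seconds> <src> > <dst> <proto> <detail>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<detail>.*)$"
)


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str   # "ESP" or "UDP/500" in the constructed summary
    detail: str


def parse_capture(text):
    """Turn summary lines into Packet records; blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        pkts.append(Packet(float(m["ts"]), m["src"], m["dst"], m["proto"], m["detail"].strip()))
    return pkts


def analyse(text, local, remote, reply_window=1.0, threshold=3):
    """Pair outbound IKE (UDP/500) messages with inbound replies and judge the tunnel.

    reply_window: seconds an IKE message may wait for any inbound IKE packet (assumed value).
    threshold:    consecutive unanswered IKE messages before the tunnel is called broken.
    """
    pkts = parse_capture(text)
    ike_out = [p for p in pkts if p.proto == "UDP/500" and p.src == local and p.dst == remote]
    ike_in = [p for p in pkts if p.proto == "UDP/500" and p.src == remote and p.dst == local]
    esp_in = [p for p in pkts if p.proto == "ESP" and p.src == remote and p.dst == local]

    answered = 0
    streak = 0                 # consecutive outbound IKE messages with no reply in window
    first_unanswered = None    # start of the current unanswered streak
    for p in ike_out:
        if any(p.ts < r.ts <= p.ts + reply_window for r in ike_in):
            answered += 1
            streak = 0
            first_unanswered = None
        else:
            if streak == 0:
                first_unanswered = p.ts
            streak += 1

    # ESP still arriving from the remote during the IKE outage means the peer and the
    # data-plane path are alive; only the UDP/500 exchange is failing.
    esp_in_during_outage = sum(
        1 for e in esp_in if first_unanswered is not None and e.ts >= first_unanswered
    )
    if streak >= threshold and esp_in_during_outage > 0:
        verdict = "ike-path-suspect"
    elif streak >= threshold:
        verdict = "peer-or-link-down"
    else:
        verdict = "healthy"

    return {
        "ike_sent": len(ike_out),
        "ike_answered": answered,
        "unanswered_streak": streak,
        "esp_from_remote_during_outage": esp_in_during_outage,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.20").items():
        print(f"{key}: {value}")
```

Feeding the full sample gives `ike-path-suspect`: four unanswered main-mode attempts while two ESP packets still arrive from the peer, which is the pattern the poster describes (remote keeps the old SA, our UDP/500 never gets through). Running only the first five lines gives `healthy`. On a live router you would generate the summary lines from your own capture tooling; the line format here is an assumption of this example.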
I've never used DPD - if the remote side has it configured, will it automatically force them to build a new SA with us?