Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Please Recommend CEF option for VPN Tunnel

What is your recommendation for CEF, per packet or per destination when VPN tunnels traverse the circuits?

Our ISP provides 3 T1s. 2 of which are on one router utilizing CEF to load balance. The load sharing option was set at per packet. This we think is Ideal. How ever this is a new setup from our ISP and we utilize these 2 t1s for our VPN traffic. We were experiencing poor performance and opened a service ticket with our ISP. During troubleshooting it was suggested we change the CEF option to per destination. This worked for tunnels established over one circuit and not the other. We had the ISP run extensive testing on the suspect physical circuit and they reported finding no trouble. We plug both circuits back in and all is well, go figure.

I would like to hear opinions on whether I should ask that the CEF option be put back to per packet.

Note: The router is controled by my ISP. I cannot redesign the topology.

Hall of Fame Super Silver

Re: Please Recommend CEF option for VPN Tunnel


I believe that it is best if you leave the cef option at per destination. When you configure per destination it introduces the liklihood of out of order packets. Some protocols can re-order out of order packets. I am pretty sure that IPSec does not do that. IPSec watches sequence numbers in incoming packets (partly as a defence against replay attacks and man-in-the-middle attacks. I suspect that out of order packets cause problems for IPSec though I have never tried to construct a test of this. So I suggest that you leave the cef option at per destination.



CreatePlease login to create content