04-14-2010 11:38 AM - edited 03-04-2019 08:09 AM
Posted this in the VPN section - apologize in advance for cross posting, but I'm kind of in a bind.
We've been pushing tons of replication traffic lately through a VPN, and have been using a route map to direct that traffic specifically to an OC3 (before that, it completely saturated one of our DS3s). We have 4 tunnels total, and only the tunnel used for replication across the OC3 seems to be having issues. It's been sporadic, but when it drops the only way to fix it is to clear the SA. It's possible that the OC3 might actually be throttled down (when it's hammered, BW charts show it flatlining at around 85-90 Mb but never anything higher).
I'm thinking, though, that maybe UDP/500 is getting caught up somewhere during congestion while trying to rekey, causing the tunnel to drop. What are your thoughts on creating another route map and directing only UDP/500 across a known good link, while still riding ESP across the bigger OC3?
04-14-2010 11:41 AM
droeun141 wrote:
Posted this in the VPN section - apologize in advance for cross posting, but I'm kind of in a bind.
We've been pushing tons of replication traffic lately through a VPN, and have been using a route map to direct that traffic specifically to an OC3 (before that, it completely saturated one of our DS3s). We have 4 tunnels total, and only the tunnel used for replication across the OC3 seems to be having issues. It's been sporadic, but when it drops the only way to fix it is to clear the SA. It's possible that the OC3 might actually be throttled down (when it's hammered, BW charts show it flatlining at around 85-90 Mb but never anything higher).
I'm thinking, though, that maybe UDP/500 is getting caught up somewhere during congestion while trying to rekey, causing the tunnel to drop. What are your thoughts on creating another route map and directing only UDP/500 across a known good link, while still riding ESP across the bigger OC3?
Well, it's worth a try. It's not going to break anything as long as the two endpoints are still the same, and they will be. The only other thing you could do is look at using QoS to prioritise the UDP 500 traffic, but if you have another link that can be used I would try that first. Obviously, make sure you apply the PBR on the other end as well so the same link is used for return traffic on UDP 500.
Jon
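One way to lay out the PBR Jon describes, as an added example that is not from this thread or from Cisco: IKE (UDP/500) is steered onto the smaller, known-good link while ESP for the replication peer stays on the OC3. Interface names, peer addresses and next hops are placeholders I have assumed; the mirror-image policy has to be applied on the far-end router too.

```cisco
! Added example, not from the thread. Assumed placeholders:
!   local peer 203.0.113.10, remote peer 198.51.100.20
!   192.0.2.1   = next hop over the DS3 (known-good, lightly loaded)
!   192.0.2.129 = next hop over the OC3 (bulk replication)
!
! Match only IKE between the two tunnel endpoints. The second line covers
! NAT-T (UDP/4500) in case the peers negotiate it; drop it if they do not.
ip access-list extended PBR-IKE
 permit udp host 203.0.113.10 eq isakmp host 198.51.100.20 eq isakmp
 permit udp host 203.0.113.10 eq non500-isakmp host 198.51.100.20 eq non500-isakmp
!
! The existing policy that keeps the replication ESP traffic on the OC3.
ip access-list extended PBR-ESP
 permit esp host 203.0.113.10 host 198.51.100.20
!
! Sequence 10 is evaluated first, so IKE never falls through to the OC3 entry.
route-map STEER-VPN permit 10
 match ip address PBR-IKE
 set ip next-hop 192.0.2.1
!
route-map STEER-VPN permit 20
 match ip address PBR-ESP
 set ip next-hop 192.0.2.129
!
! If the VPN terminates on a separate device behind this router, apply the
! policy on the inside interface that its traffic arrives on (name assumed).
interface GigabitEthernet0/1
 ip policy route-map STEER-VPN
!
! If this router itself terminates the tunnel, its own IKE and ESP packets are
! locally generated and bypass interface PBR; local policy routing covers them.
ip local policy route-map STEER-VPN
```

Confirm the split with `show route-map STEER-VPN`: the sequence 10 counters should increment only during rekeys, while sequence 20 carries the bulk of the packets. If the far end is not policy-routed the same way, its UDP/500 replies will still return over whichever link its normal routing picks.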
04-14-2010 11:48 AM
Will give it a go... thanks!