
Please Recommend CEF option for VPN Tunnel

What is your recommendation for CEF, per packet or per destination when VPN tunnels traverse the circuits?

Our ISP provides 3 T1s, 2 of which are on one router utilizing CEF to load balance. The load sharing option was set at per packet. This we think is ideal. However, this is a new setup from our ISP and we utilize these 2 T1s for our VPN traffic. We were experiencing poor performance and opened a service ticket with our ISP. During troubleshooting it was suggested we change the CEF option to per destination. This worked for tunnels established over one circuit and not the other. We had the ISP run extensive testing on the suspect physical circuit and they reported finding no trouble. We plugged both circuits back in and all is well, go figure.

I would like to hear opinions on whether I should ask that the CEF option be put back to per packet.

Note: The router is controlled by my ISP. I cannot redesign the topology.


Richard Burts
Hall of Fame

Russell

I believe that it is best if you leave the CEF option at per destination. When you configure per destination it introduces the likelihood of out of order packets. Some protocols can re-order out of order packets. I am pretty sure that IPSec does not do that. IPSec watches sequence numbers in incoming packets (partly as a defence against replay attacks and man-in-the-middle attacks). I suspect that out of order packets cause problems for IPSec though I have never tried to construct a test of this. So I suggest that you leave the CEF option at per destination.

HTH

Rick
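
The sequence-number check mentioned in the reply above, as an added example that is not part of the original thread: a sketch of the ESP anti-replay sliding window in the style of RFC 4303, run over packets alternated across two links with unequal delay. The 64-packet window (the default RFC 4303 recommends), the `skew` delay model and all names are assumptions made for illustration, not the router's actual configuration.

```python
# Added example: anti-replay sliding window in the style of RFC 4303
# (32-bit sequence numbers, no ESN). A real receiver updates the window
# only after the packet's integrity check passes; that step is omitted.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size    # assumption: 64, the default RFC 4303 recommends
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return 'ok', 'replay' or 'too_old'; update state on accept."""
        if seq == 0:
            return "too_old"            # ESP sequence numbers start at 1
        if seq > self.top:              # packet advances the right edge
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"            # left of the window: dropped
        if self.bitmap & (1 << offset):
            return "replay"             # already seen: dropped
        self.bitmap |= 1 << offset      # late but inside the window
        return "ok"


def arrival_order(count, skew):
    """Sequence numbers 1..count alternated over two links; the link that
    carries even numbers delivers `skew` packet-times later (constructed)."""
    return sorted(range(1, count + 1),
                  key=lambda s: (s + (skew if s % 2 == 0 else 0), s))


def dropped(count, skew, size=64):
    """Number of packets the receiver's anti-replay check discards."""
    win = ReplayWindow(size)
    return sum(1 for s in arrival_order(count, skew) if win.check(s) != "ok")


if __name__ == "__main__":
    for skew in (0, 10, 100):           # constructed delay differences
        print(f"skew={skew:3d} packets -> dropped {dropped(1000, skew)}")
```

In this model, reordering that stays inside the window costs nothing, while a delay difference larger than the window makes the receiver discard the late packets as if they were replays.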
