IPsec Tunnel Bandwidth confusion and Anti-replay IPsec error

I'm getting a little confused with the Tunnel Bandwidth statement.

I have an IPsec Tunnel that relies on a Port-Channel based on two physical TenGig interfaces; the overall BW is 20G.

My tunnel shows:

Tunnel20 is up, line protocol is up
Hardware is Tunnel
MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 255/255, rxload 255/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)

=====================================

Do we need to manually change the BW or the BW transmit/receive speed, or will it take that speed from the port-channel > physical interface?

-----------------------------

The second thing is that my Cisco router has this Tunnel with a Palo FW, and I'm getting (IPs removed):

SA receives anti-replay error, DP Handle 5, src_addr , , SPI 0xb6402c
*May 27 10:18:11.384: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:197 TS:00020273535147710078 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , , SPI 0xb6402c
*May 27 10:19:57.741: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:079 TS:00020273641510399470 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , dest_addr , SPI 0xb6402c
*May 27 10:21:15.735: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:053 TS:00020273719508144710 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , dest_addr , SPI 0xb6402c

On the Palo Alto side I have the anti-replay window size set to 1024. Do I need to set it on the Cisco router with "crypto ipsec security-association replay window-size 1024"?


9 Replies

tvotna
Spotlight

The "bandwidth" is a purely logical property of the tunnel which is used to calculate the metric for dynamic routing protocols, etc. It doesn't impact transmission over the tunnel whatsoever.

Yes, if you see anti-replay errors, it's recommended to increase anti-replay window size or disable anti-replay check completely.
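The replay window tvotna refers to, as an added example that is not from this thread or from Cisco: a sliding-window check in the style of RFC 4303 (ESP), fed a constructed arrival order in which every even-numbered packet arrives 100 slots late (the kind of reordering that can occur when an SA's packets are hashed across two port-channel members). The window sizes, packet counts and delay are assumptions; a 64-packet window drops late-but-legitimate packets as "too old", a 1024-packet window accepts them, and both still reject a true duplicate.

```python
from collections import Counter

class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 (ESP).

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (top - i) has been accepted.
    """
    def __init__(self, size: int):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        if seq == 0:
            return "reject-zero"          # ESP sequence numbers start at 1
        if seq > self.top:                # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:             # fell off the left edge of the window
            return "reject-too-old"
        if (self.bitmap >> diff) & 1:     # accepted once already: genuine replay
            return "reject-replay"
        self.bitmap |= 1 << diff          # late, but still inside the window
        return "accept"

def reordered_arrivals(n: int, delay: int) -> list[int]:
    """Constructed arrival order: even sequence numbers take a slower path and land `delay` slots late."""
    return sorted(range(1, n + 1), key=lambda s: (s + delay if s % 2 == 0 else s, s))

def run(window_size: int, arrivals: list[int]) -> Counter:
    """Feed one arrival order through a single SA's window and tally the outcomes."""
    win = ReplayWindow(window_size)
    return Counter(win.check(s) for s in arrivals)

if __name__ == "__main__":
    arrivals = reordered_arrivals(400, 100)
    for size in (64, 1024):
        # window 64: 233 accept / 167 reject-too-old; window 1024: 400 accept
        print(size, dict(run(size, arrivals)))
    # replaying seq 50 after the stream is caught either way: too-old at 64, replay at 1024
    print(dict(run(1024, arrivals + [50])))
```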


Hi, should I apply the tunnel bandwidth transmit and tunnel bandwidth receive commands for real traffic on the IPsec tunnel?

No.

Does it mean the Tunnel aligns with the physical interfaces' or port-channel's BW? Because, as I mentioned, I see 8000 kbps on the Tunnel.

Correct. Currently your bandwidth is not limited to 8k. Tunnel bandwidth is limited by the speed of the physical interfaces which form the port-channel and by the device CPU / crypto accelerator. You don't need to configure "bandwidth" explicitly, unless you're going to use dynamic routing over the tunnel or QoS.


Thanks a lot for your answer

Yes, you can apply QoS on a VTI tunnel.

And for anti-replay, after you add

crypto ipsec security-association replay window-size 1024

Is the issue solved?

MHM

If I don't add QoS and just use those specific tunnel BW configs, will it increase it?


For anti-replay, I didn't test it yet.

This speed is so low; the link is 10 gig and you use a PO, and the tunnel is 100.

I will check in lab and update you

Thanks 

MHM