05-27-2024 03:37 AM
I'm getting a little confused with the Tunnel Bandwidth statement.
I have an IPsec Tunnel that relies on a Port-Channel, which is based on two physical TenGig interfaces; the overall BW is 20G.
My tunnel shows:
Tunnel20 is up, line protocol is up
Hardware is Tunnel
MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 255/255, rxload 255/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
=====================================
Do we need to change the BW or the BW Transmit/Receive speed manually, or will it take that speed from the port-channel > physical interface?
-----------------------------
Second thing is that my Cisco router has this Tunnel with a Palo FW, and I'm getting (removed IPs):
SA receives anti-replay error, DP Handle 5, src_addr , , SPI 0xb6402c
*May 27 10:18:11.384: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:197 TS:00020273535147710078 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , , SPI 0xb6402c
*May 27 10:19:57.741: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:079 TS:00020273641510399470 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , dest_addr , SPI 0xb6402c
*May 27 10:21:15.735: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:053 TS:00020273719508144710 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , dest_addr , SPI 0xb6402c
On the Palo Alto side I have the Anti-replay Window size set to 1024. Do I need to set it on the Cisco router with "crypto ipsec security-association replay window-size 1024"?
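As an added example (not part of the original thread and not Cisco or Palo Alto code), the Python script below parses IOS-XE %IPSEC-3-REPLAY_ERROR syslog lines like the ones quoted above and summarises them per SPI: how many errors, over what span, and how far apart they are. That is the first thing worth knowing before changing the window size, because it shows whether a single SA is affected and whether the errors are sporadic or continuous. The year is an assumption (IOS-XE timestamps carry none; the post date is used), and the trailing LINEPROTO line is constructed here only to show that unrelated messages are skipped.

```python
import re
from datetime import datetime

LOG_YEAR = 2024  # assumption: IOS-XE timestamps have no year; taken from the post date

# Constructed sample. The three REPLAY_ERROR lines are the ones quoted in the post
# above (addresses blank because the poster redacted them); the final LINEPROTO
# line is made up here to show that non-matching messages are ignored.
SAMPLE_LOG = """\
*May 27 10:18:11.384: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:197 TS:00020273535147710078 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , , SPI 0xb6402c
*May 27 10:19:57.741: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:079 TS:00020273641510399470 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , dest_addr , SPI 0xb6402c
*May 27 10:21:15.735: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:053 TS:00020273719508144710 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr , dest_addr , SPI 0xb6402c
*May 27 10:21:16.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to up
"""

# Timestamp, then anything up to the IPsec mnemonic, then the DP handle and SPI fields.
REPLAY_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r".*%IPSEC-3-REPLAY_ERROR: "
    r".*?DP Handle (?P<dp>\d+), "
    r".*?SPI (?P<spi>0x[0-9A-Fa-f]+)\s*$"
)


def parse_replay_errors(text):
    """Return one dict per REPLAY_ERROR line: time, DP handle and SPI (lower-case hex)."""
    events = []
    for line in text.splitlines():
        m = REPLAY_RE.match(line)
        if not m:
            continue  # not an anti-replay error; skip
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append({"time": ts, "dp_handle": int(m["dp"]), "spi": m["spi"].lower()})
    return events


def summarize_by_spi(events):
    """Group errors per SPI and report count, first/last time and min/max spacing in seconds."""
    by_spi = {}
    for ev in events:
        by_spi.setdefault(ev["spi"], []).append(ev["time"])
    summary = {}
    for spi, times in by_spi.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[spi] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return summary


if __name__ == "__main__":
    for spi, info in summarize_by_spi(parse_replay_errors(SAMPLE_LOG)).items():
        print(f"SPI {spi}: {info['count']} errors between {info['first']:%H:%M:%S} and "
              f"{info['last']:%H:%M:%S}, spacing {info['min_gap_s']}..{info['max_gap_s']} s")
```

Run it against `show logging` output saved to a file instead of SAMPLE_LOG to see the real spread; a few errors a minute apart on one SPI, as in the post, is the pattern that typically comes from packets arriving out of order rather than from a lost or reset SA.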
05-27-2024 05:19 AM
The "bandwidth" is a purely logical property of the tunnel which is used to calculate metric for dynamic routing protocols, etc. It doesn't impact transmission over the tunnel whatsoever.
Yes, if you see anti-replay errors, it's recommended to increase anti-replay window size or disable anti-replay check completely.
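Added example, not from the thread and not Cisco or Palo Alto code: a Python model of the ESP sliding anti-replay window (RFC 4303, section 3.4.3) run over a constructed packet stream in which every 200th packet is delivered 150 packets late, the kind of reordering that can happen when traffic is spread over port-channel members or forwarding threads. With a 64-packet window the late packets fall off the left edge and are logged as replay errors; with a 1024-packet window they are accepted, while genuine duplicates are still rejected by either size. The stream length, reorder interval and delay are assumptions chosen to make the effect visible.

```python
class ReplayWindow:
    """Sliding anti-replay window as used by ESP (RFC 4303 section 3.4.3).

    Bit 0 of `bitmap` is the highest sequence number seen (`top`); bit k is top-k.
    A packet is accepted if it is newer than `top`, or inside the window and not yet seen.
    """

    def __init__(self, size):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # one bit per accepted sequence number within the window

    def check_and_update(self, seq):
        """Return True and record `seq` if acceptable; False if replayed or too old."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            # New right edge: slide the window, dropping bits that fall off the left.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # older than the window can remember: "anti-replay error"
        bit = 1 << diff
        if self.bitmap & bit:
            return False  # already received: a true replay
        self.bitmap |= bit
        return True


def reordered_stream(n, every, delay):
    """Yield 1..n in order, except each multiple of `every` arrives `delay` packets late.

    Constructed traffic pattern (an assumption) standing in for reordering on a
    multi-member port-channel; no real capture is used.
    """
    pending = []  # (deliver_after_seq, seq)
    for i in range(1, n + 1):
        if i % every == 0:
            pending.append((i + delay, i))
        else:
            yield i
        while pending and pending[0][0] <= i:
            yield pending.pop(0)[1]
    for _, seq in pending:  # anything still held when the stream ends
        yield seq


def rejected_sequences(window_size, stream):
    """Feed a sequence-number stream through a window and return what it rejected."""
    window = ReplayWindow(window_size)
    return [seq for seq in stream if not window.check_and_update(seq)]


def compare_windows(sizes=(64, 1024), n=2000, every=200, delay=150):
    """Map each window size to the list of sequence numbers it would drop."""
    return {size: rejected_sequences(size, reordered_stream(n, every, delay)) for size in sizes}


if __name__ == "__main__":
    for size, dropped in compare_windows().items():
        print(f"window {size:>5}: {len(dropped)} packets dropped as replay errors {dropped}")
```

Note what the larger window does and does not change: an exact duplicate of a packet already inside the window is rejected at any size, so widening the window removes the false drops caused by reordering without giving up duplicate detection. Disabling the check altogether removes that protection as well, which is why raising the window to match the peer (here 1024) is the usual first step.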
05-27-2024 05:28 AM
Hi, should I apply the tunnel bandwidth transmit and tunnel bandwidth receive commands for real traffic on the IPsec tunnel?
05-27-2024 05:49 AM
No.
05-27-2024 05:56 AM
Does it mean the Tunnel aligns with the physical interfaces' or port-channel BWs? Because, as I mentioned, I see 8000 kbps on the Tunnel.
05-27-2024 08:13 AM
Correct. Currently your bandwidth is not limited to 8k. Tunnel bandwidth is limited by the speed of the physical interfaces which form the port-channel and by the device CPU / crypto accelerator. You don't need to configure "bandwidth" explicitly, unless you are going to use dynamic routing over the tunnel or QoS.
05-27-2024 11:25 AM
Thanks a lot for your answer
05-27-2024 06:44 AM
Yes you can apply QoS on VTI tunnel.
And for anti-replay, after you add
crypto ipsec security-association replay window-size 1024
is the issue solved?
MHM
05-27-2024 06:50 AM
If I don't add QoS and just use those specific tunnel BW configs, will it increase it?
For anti-replay, I didn't test it yet.
05-27-2024 08:17 AM
This speed is so low; the link is 10 gig, you use a PO, and the tunnel is 100.
I will check in lab and update you
Thanks
MHM