cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
731
Views
0
Helpful
2
Replies
Highlighted
Beginner

Multi-VTI connections and TCP-State-Bypass availability

Hi all,

 

I haven't seen this posted anywhere (yet) but wanted to reach out to the community to see if anyone has seen this in their environments, or if this is something anyone has successfully implemented. Long and short, I'm trying to build two separate tunnels between the same two locations, over two different ISP's. Getting the VTI's up was easy enough, and I have BGP running over them without any real issues. Routing is fine as well. The only issue I'm having is with TCP State Bypass on the VTI's specifically. In the event of traffic ingressing / egressing a secondary VTI, or in the event of wanting to ECMP across the two VTI's, I would need to leverage TCP state bypass. Only problem is, there doesn't seem to be a way to attach a policy-map (service-policy) to a VTI. Likewise, when I attempted to perform this functionality within the global policy, the result was the same; dropped traffic due to the first packet not being a SYN, etc.

 

Has anyone seen this type of deployment done before, or should I just chalk this up to a platform limitation for the time being? One other thing I thought of trying was to just drop those interfaces into traffic zones, but you can't apply the command under the VTI unfortunately.

 

Thanks for any input you may have!

Zach

2 REPLIES 2
Highlighted
Beginner

Hi Zach,

 

I have seen this in working couple of months back and TCP state bypass was resolving the given that the match policy for class map is using VPN subnets for IN-to-OUT and another one which matches VPN traffic (ESP Traffic) OUT-to-IN.

 

./Adesh

Highlighted

Thanks for the response, Adesh.

In my scenario, I even used a broad ACL with a permit ip any any and applied it at the global and interface levels. Even this did not solve my problem unfortunately.
Content for Community-Ad