I haven't seen this posted anywhere (yet) but wanted to reach out to the community to see if anyone has seen this in their environments, or if this is something anyone has successfully implemented. Long and short, I'm trying to build two separate tunnels between the same two locations, over two different ISP's. Getting the VTI's up was easy enough, and I have BGP running over them without any real issues. Routing is fine as well. The only issue I'm having is with TCP State Bypass on the VTI's specifically. In the event of traffic ingressing / egressing a secondary VTI, or in the event of wanting to ECMP across the two VTI's, I would need to leverage TCP state bypass. Only problem is, there doesn't seem to be a way to attach a policy-map (service-policy) to a VTI. Likewise, when I attempted to perform this functionality within the global policy, the result was the same; dropped traffic due to the first packet not being a SYN, etc.
Has anyone seen this type of deployment done before, or should I just chalk this up to a platform limitation for the time being? One other thing I thought of trying was to just drop those interfaces into traffic zones, but you can't apply the command under the VTI unfortunately.
I have seen this in working couple of months back and TCP state bypass was resolving the given that the match policy for class map is using VPN subnets for IN-to-OUT and another one which matches VPN traffic (ESP Traffic) OUT-to-IN.