02-26-2018 09:50 AM - edited 03-12-2019 05:03 AM
Hi all,
I haven't seen this posted anywhere (yet) but wanted to reach out to the community to see if anyone has seen this in their environments, or if this is something anyone has successfully implemented. Long and short, I'm trying to build two separate tunnels between the same two locations, over two different ISPs. Getting the VTIs up was easy enough, and I have BGP running over them without any real issues. Routing is fine as well. The only issue I'm having is with TCP State Bypass on the VTIs specifically. In the event of traffic ingressing / egressing a secondary VTI, or in the event of wanting to ECMP across the two VTIs, I would need to leverage TCP state bypass. Only problem is, there doesn't seem to be a way to attach a policy-map (service-policy) to a VTI. Likewise, when I attempted to perform this functionality within the global policy, the result was the same: dropped traffic due to the first packet not being a SYN, etc.
Has anyone seen this type of deployment done before, or should I just chalk this up to a platform limitation for the time being? One other thing I thought of trying was to just drop those interfaces into traffic zones, but you can't apply the command under the VTI unfortunately.
Thanks for any input you may have!
Zach
02-26-2018 11:58 PM
Hi Zach,
I have seen this working a couple of months back, and TCP state bypass was resolving it, given that the match policy for the class map uses VPN subnets for IN-to-OUT and another one which matches VPN traffic (ESP traffic) OUT-to-IN.
./Adesh
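For readers following Adesh's description, here is the shape of a global-policy TCP state bypass scoped to the site-to-site subnets. This is an added example, not configuration from either poster; the subnet ranges, ACL name and class-map name are assumptions, and the commands themselves are standard ASA MPF syntax.

```cisco
! Added example (not from the thread): TCP state bypass in the global policy,
! limited to the inner subnets that may traverse either VTI.
! The subnets, ACL name and class name below are assumptions.
!
! Inner traffic between the two sites (local 10.1.0.0/16, remote 10.2.0.0/16),
! matched in both directions so a flow that leaves via one VTI and returns via
! the other is covered.
access-list VTI_BYPASS extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VTI_BYPASS extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!
class-map VTI_BYPASS_CLASS
 match access-list VTI_BYPASS
!
! tcp-state-bypass turns off the three-way-handshake check and TCP normalization
! for matching flows, so a non-SYN first packet seen on the second tunnel is
! allowed instead of dropped. It also turns off stateful TCP checks for those
! flows, so the ACL should stay restricted to the tunnel subnets rather than
! permit ip any any.
policy-map global_policy
 class VTI_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
```

Two points a practitioner should keep in mind. First, TCP state bypass only affects TCP connections, so an additional class matching the outer ESP packets does not change TCP state handling; the class matching the inner VPN subnets is the one that addresses the "first packet is not a SYN" drops described above. Second, because bypassed flows lose the ASA's stateful TCP checks, the safer design is to keep the bypass ACL as narrow as the asymmetric paths require and to confirm with `show conn detail` that only the intended site-to-site connections are being created in bypass mode.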
03-05-2018 01:06 PM