[VPN] IPSEC over load-shared T1s (per packet)

Jean-Francois Dive jef at linuxbe.org
Fri Sep 19 03:45:35 EDT 2003


This is a classic (well, as much as it could be).

In general, load balancing per packet is not a good idea: protocols do
not like out of order packets. Yes, it still works, but you see the price
now. For example, TCP will drop its sending rate when out of order
packets / ACKs come back.

IPSec uses a replay counter for each SADB entry and will drop too late or
too early packets. If this is the case, you should see the replay window
check fail counter on your GW increasing.

If this is not the case, then the inner TCP packets still come in out of
order with drops --> significant drop of performance.

The out of order can be explained in your scenario because the 2 IP
endpoints of the line are probably quite distant and maybe go
through a whatever_WAN_network. As well, the queues on the router and
potential QoS rules may explain this.

Solutions:

- Extend the replay window size, but this is classically not an option in
most vendor implementations (they implement it as a 32 bit fixed
u_int32_t value).

- Do your load balancing on a per flow basis (pair of IPs) and you will
see your performance go up; the way to achieve it is very dependent on the
router vendors.

JeF

On Thu, 2003-09-18 at 15:07, TSimons at Delphi-Tech.com wrote:
> Hello All
> 
> Recently we doubled our internet bandwidth to two T1s from the same provider
> that terminate in the same router on the NOC side.
> 
> We setup IP LOAD-SHARING PER-PACKET on each of the serial links on both
> sides (NOC and Us) in order to get an aggregate 3.0mbit. PER-PACKET routing
> alternates usage of the T1s, one for one...
> 
> Since then, VPN performance has taken a dive.  Sniffing out traffic, ESP
> packets are sent 3-4 times before they can be properly decrypted. 
> 
> Someone along the way said that using PER-PACKET routing changes the CRC
> value of the packets.  Is this correct, has anyone else seen this issue?  I
> can't see how the CRC is changed, the hop count isn't changing, the lines
> are identical, and they terminate in the same router, so the last hop is the
> F0/0 interface of the router before getting to the firewall.
> 
> Thanks,
> ~Todd
> 
> __________________________________
> Todd M. Simons
> Senior MIS Engineer
> Dell Tier 1 PA Technician 
> Delphi Technology, Inc.
> New Brunswick, NJ
> 
> Note: The contents of this email do not constitute a legally binding
> commitment.
> 
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
-- 

-> Jean-Francois Dive
--> jef at linuxbe.org

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
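To make the replay-window point concrete, here is an added example (not code from the thread): a Python model of an RFC 2401/4303-style ESP anti-replay window fed by a sender that alternates packets over two links with different one-way delay. Window sizes, packet spacing and link delays are constructed values, not measurements from Todd's setup.

```python
from dataclasses import dataclass


@dataclass
class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (bitmap window)."""
    size: int = 32           # many vendors hard-wire a 32-bit window
    highest: int = 0         # highest sequence number accepted so far
    bitmap: int = 0          # bit k set => seq (highest - k) already seen
    dropped_late: int = 0    # arrived below the window: "too late"
    dropped_replay: int = 0  # duplicate inside the window

    def check(self, seq: int) -> bool:
        """Accept or reject seq, updating the window as RFC 4303 describes."""
        if seq > self.highest:            # right of the window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:           # left of the window: too old
            self.dropped_late += 1
            return False
        if self.bitmap & (1 << offset):   # inside the window, seen before
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << offset        # inside the window, first time
        return True


def arrival_order(n: int, delays_ms: tuple, interval_ms: float) -> list:
    """Packet i (1-based) leaves at i*interval_ms on link i % len(delays_ms)."""
    arrivals = [(i * interval_ms + delays_ms[i % len(delays_ms)], i)
                for i in range(1, n + 1)]
    arrivals.sort()   # by arrival time, ties by sequence number
    return [seq for _, seq in arrivals]


def late_drops(n: int, delays_ms: tuple, interval_ms: float, window: int) -> int:
    """Count packets the receiver discards as 'too late' for this window size."""
    rw = ReplayWindow(size=window)
    for seq in arrival_order(n, delays_ms, interval_ms):
        rw.check(seq)
    return rw.dropped_late


if __name__ == "__main__":
    # Constructed scenario: 1000 ESP packets 0.5 ms apart; link A 10 ms one-way,
    # link B 40 ms (queueing). Per-packet alternation versus pinning to one link.
    for w in (32, 64):
        print(f"window {w:3d}, per-packet over 2 links: {late_drops(1000, (10.0, 40.0), 0.5, w)} late drops")
    print(f"window  32, per-flow on 1 link:  {late_drops(1000, (10.0,), 0.5, 32)} late drops")
```

With a 30 ms delay skew and 0.5 ms packet spacing, nearly every packet on the slow link lands more than 32 sequence numbers behind the window edge and is discarded, while a 64-bit window or per-flow pinning drops nothing; this is the "replay window check fail" counter JeF suggests watching.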
