topic Re: IPsec packet drop , once the ecmp is enabled in General Topics

IPsec packet drop , once the ecmp is enabled

Rameshwar — Tue, 10 Jul 2018 09:20:17 GMT

Hi Team

we are facing packet drop issue on ipsec traffic once the ecmp is enabled .

we have two ISP and wish to balance the traffic and using balanced round robbin for the same , once this is enabled ipsec packet drop occurs and if we disable ecmp everything is fine .

The first internet line is lease line on which the ipsec is terminated and the other line is ADSL i.e. dynamic IP .

i am suspecting , since the ecmp is enabled the traffic is going from adsl line and the return traffic is coming on lease line and getting dropped by FW .

please advise if there is any solution for this senario... if i ebale IP modulo or IP hash for ECMP will this resolve the issue or PBF for symetric return ??

Re: IPsec packet drop , once the ecmp is enabled

reaper — Tue, 10 Jul 2018 12:47:38 GMT

hi @Rameshwar

how did you configure the vpn exactly? is it bound to a loopback or the physical interfaces

IP modulo/hash should help the connection be 'sticky' to a single link and only switch when the link goes down

PBF will not be an option as you can't control system sourced connections through pbf

Re: IPsec packet drop , once the ecmp is enabled

Rameshwar — Tue, 10 Jul 2018 12:51:13 GMT

hi @reaper

the ipsec is configured to use the tunnel interface and terminated on the physical interface of 1st IP i.e. the lease line.

i guess ip modulo\hash should help is resolving this issue ...any more suggestions on this senario

Re: IPsec packet drop , once the ecmp is enabled

reaper — Tue, 10 Jul 2018 13:05:56 GMT

if the VPN is bound to the physical interface of the leased line, you should also be able to add a static route for the remote peer pointed to the next hop on the leased line (metric 1)

Re: IPsec packet drop , once the ecmp is enabled

santonic — Tue, 10 Jul 2018 13:06:48 GMT

If VPN is bound to IP of first ISP then it should never go over 2nd interface. As you will always receive return packets on first.

However if you choose something else of phase 1 identification (or seperate IP for ID and transport IP for phase 1) you can setup tunnel with dynamic IPs.

Re: IPsec packet drop , once the ecmp is enabled

Rameshwar — Tue, 10 Jul 2018 13:12:26 GMT

Hi @santonic

Sorry for th typo ... it is first isp ... the change in the ipsec config will not be the option as this is production fw .

Re: IPsec packet drop , once the ecmp is enabled

santonic — Tue, 10 Jul 2018 13:18:25 GMT

Then this IPSEC traffic must stick to first ISP cause reply will always come over that one.

Re: IPsec packet drop , once the ecmp is enabled

Rameshwar — Tue, 10 Jul 2018 13:18:29 GMT

Hi @reaper

So what I understand is to add the static route for ipsec traffic as a next hop i.e the router ip of first isp with metric 1......but we already added proxy id that shuld add the route but may be not with metric 1 ... but if i add the route as next hop router ip then the traffic will go to the internet n not through the tunnel or shuld i select tunnel interface while adding the route?

Re: IPsec packet drop , once the ecmp is enabled

Rameshwar — Tue, 10 Jul 2018 13:22:03 GMT

Hi @santonic

I agree but we are using the ecmp balanced round robbin in this i guess fw is sending to adsl line n the return is coming to lease line .. since lease line doesnt know abut it it is dropping .

Re: IPsec packet drop , once the ecmp is enabled

reaper — Tue, 10 Jul 2018 13:33:10 GMT

proxy IDs are routing _inside_ the tunnel, this has no impact whatsoever in regards to the physical route the tunnel takes

Re: IPsec packet drop , once the ecmp is enabled

Rameshwar — Tue, 10 Jul 2018 13:38:04 GMT

thank you ..but m kind of confuse here.. when you say...if the VPN is bound to the physical interface of the leased line, you should also be able to add a static route for the remote peer pointed to the next hop on the leased line (metric 1)...

the destination is private IP or public ip of remote peer ? ...the next hope will be the ISP router IP of lease line ?

Re: IPsec packet drop , once the ecmp is enabled

reaper — Tue, 10 Jul 2018 13:43:29 GMT

The public IP of the remote vpn peer , pointed to the router of the leased line

This will ensure outgoing vpn connections always go out the ISP1 interface

Re: IPsec packet drop , once the ecmp is enabled

Rameshwar — Tue, 10 Jul 2018 13:46:26 GMT

Thank you for the clarification ...i will try the same and let you know if this helps ...