07-10-2018 02:20 AM
We are facing a packet drop issue on IPsec traffic once ECMP is enabled.
We have two ISPs and wish to balance the traffic, and are using balanced round robin for the same. Once this is enabled, IPsec packet drops occur, and if we disable ECMP everything is fine.
The first internet line is a leased line on which the IPsec is terminated, and the other line is ADSL, i.e. dynamic IP.
I am suspecting that, since ECMP is enabled, the traffic is going out from the ADSL line and the return traffic is coming in on the leased line and getting dropped by the FW.
Please advise if there is any solution for this scenario. If I enable IP modulo or IP hash for ECMP, will this resolve the issue, or PBF for symmetric return?
07-10-2018 05:47 AM
How did you configure the VPN exactly? Is it bound to a loopback or the physical interfaces?
IP modulo/hash should help the connection be 'sticky' to a single link and only switch when the link goes down.
PBF will not be an option, as you can't control system-sourced connections through PBF.
07-10-2018 05:51 AM
The IPsec is configured to use the tunnel interface and is terminated on the physical interface of the first IP, i.e. the leased line.
I guess IP modulo/hash should help in resolving this issue. Any more suggestions on this scenario?
07-10-2018 06:05 AM
If the VPN is bound to the physical interface of the leased line, you should also be able to add a static route for the remote peer pointed to the next hop on the leased line (metric 1).
07-10-2018 06:06 AM
If the VPN is bound to the IP of the first ISP, then it should never go over the 2nd interface, as you will always receive return packets on the first.
However, if you choose something else for phase 1 identification (or a separate IP for ID and a transport IP for phase 1), you can set up the tunnel with dynamic IPs.
07-10-2018 06:12 AM
Then this IPsec traffic must stick to the first ISP, because the reply will always come over that one.
07-10-2018 06:22 AM
07-10-2018 06:33 AM
Proxy IDs are routing _inside_ the tunnel; this has no impact whatsoever in regards to the physical route the tunnel takes.
07-10-2018 06:38 AM
Thank you, but I'm kind of confused here. When you say "if the VPN is bound to the physical interface of the leased line, you should also be able to add a static route for the remote peer pointed to the next hop on the leased line (metric 1)":
is the destination the private IP or the public IP of the remote peer? And will the next hop be the ISP router IP of the leased line?
07-10-2018 06:43 AM
The public IP of the remote VPN peer, pointed to the router of the leased line.
This will ensure outgoing VPN connections always go out the ISP1 interface.
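As an added illustration (not code from the thread, and not PAN-OS configuration), the model below reproduces the routing behaviour discussed above: an ECMP default route with balanced round robin sends successive IKE/ESP packets to the peer out alternating links, while the peer always replies to the address the tunnel is bound to on the leased line, so half the exchanges become asymmetric. Adding a /32 static route for the peer's public IP via the leased-line next hop with a low metric is more specific than the default route, so ECMP is never consulted for VPN traffic. The block also models the IP-hash/IP-modulo alternative: the choice becomes a deterministic function of the address pair, so it is sticky, but nothing guarantees the chosen link is the leased line, which is why the static route is the safer fix. Addresses are RFC 5737 documentation ranges, and the interface names and hash functions are constructed assumptions, not the firewall's real algorithm.

```python
"""Model of why ECMP round robin breaks an IPsec tunnel bound to one ISP link,
and why a /32 static route for the remote peer (or an address-based ECMP
method) keeps IKE/ESP on that link.

Constructed example: addresses are RFC 5737 documentation ranges and the
interface names are hypothetical; nothing here is PAN-OS configuration.
"""
import hashlib
import ipaddress

ISP1 = "isp1-leased"           # leased line; the IPsec tunnel is bound to this interface
ISP2 = "isp2-adsl"             # ADSL line with a dynamic address
FW_ISP1_IP = "198.51.100.10"   # firewall's address on the leased line (constructed)
PEER_IP = "203.0.113.20"       # remote VPN peer's public address (constructed)


class RouteTable:
    """Longest-prefix-match table with ECMP next-hop selection."""

    def __init__(self, ecmp_method="round-robin"):
        self.routes = []          # (network, metric, [egress interfaces])
        self.ecmp_method = ecmp_method
        self._rr_counters = {}    # per-ECMP-group round-robin position

    def add(self, prefix, next_hops, metric=10):
        self.routes.append((ipaddress.ip_network(prefix), metric, list(next_hops)))

    def lookup(self, dst):
        dst_ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst_ip in r[0]]
        if not matches:
            raise LookupError(f"no route to {dst}")
        # Most specific prefix wins; among equal prefixes the lowest metric wins.
        return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))

    def egress(self, src, dst):
        net, _metric, hops = self.lookup(dst)
        if len(hops) == 1:
            return hops[0]
        if self.ecmp_method == "round-robin":
            n = self._rr_counters.get(net, 0)
            self._rr_counters[net] = n + 1
            return hops[n % len(hops)]      # alternates link by link
        if self.ecmp_method == "ip-hash":
            # Deterministic function of the address pair. The hash a real
            # firewall uses is not modelled, only the stickiness property.
            digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
            return hops[int.from_bytes(digest[:4], "big") % len(hops)]
        if self.ecmp_method == "ip-modulo":
            key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
            return hops[key % len(hops)]
        raise ValueError(f"unknown ECMP method {self.ecmp_method!r}")


def build_table(ecmp_method, pin_peer):
    table = RouteTable(ecmp_method)
    table.add("0.0.0.0/0", [ISP1, ISP2], metric=10)      # ECMP default route
    if pin_peer:
        # The fix from the thread: a /32 for the peer's public IP via the
        # leased-line next hop with a low metric. Being more specific than the
        # default route, it is chosen before ECMP ever applies.
        table.add(f"{PEER_IP}/32", [ISP1], metric=1)
    return table


def vpn_packets_by_link(table, count=8):
    """Send `count` IKE/ESP packets from the tunnel's bound address to the
    peer and count which link each one leaves on."""
    counts = {ISP1: 0, ISP2: 0}
    for _ in range(count):
        counts[table.egress(FW_ISP1_IP, PEER_IP)] += 1
    return counts


def path_is_asymmetric(table, count=8):
    """The peer always replies to FW_ISP1_IP, so return traffic arrives on
    ISP1. Any outbound packet that left via ISP2 therefore gets its reply on
    a different interface than its session expects, and the reply is dropped."""
    return vpn_packets_by_link(table, count)[ISP2] > 0


if __name__ == "__main__":
    for method, pinned in [("round-robin", False), ("ip-hash", False),
                           ("ip-modulo", False), ("round-robin", True)]:
        print(f"{method:12} pinned={pinned!s:5} "
              f"{vpn_packets_by_link(build_table(method, pinned))} "
              f"asymmetric={path_is_asymmetric(build_table(method, pinned))}")
```

With round robin and no pinned route the eight packets split 4/4 and the path is asymmetric; with the /32 static route every packet leaves on the leased line regardless of the ECMP method. IP-hash and IP-modulo keep all packets on one link, but which link depends only on the address pair, so they should be verified on the real firewall rather than assumed to pick ISP1.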
07-10-2018 06:46 AM
Thank you for the clarification. I will try the same and let you know if this helps.