Traffic is unstable when inspected by two VAP groups serialized externally.

Article ID: 167823

Products

XOS

Issue/Introduction

This article describes a solution for an issue in which traffic is delayed or lost when passing through two VAP groups that are connected using an external router or switch. The following symptoms may be seen:
  • Unstable traffic flows when VAP groups are connected using an external circuit
  • Delayed packets or packets dropped as "out of state" by the firewall application
  • Significant number of retransmissions
  • Unequal load balancing between VAP group members

Cause

Problem:

This situation occurs when traffic enters the first VAP group, leaves the chassis and re-enters it to be processed by another VAP group.


The NPM uses IP header information (source/destination IP address, protocol, source/destination port) together with the domain-id assigned to the ingress circuit to classify and distinguish flows. When all circuits have the same domain-id and traffic is serialized externally as in the example above, the same IP connection is classified twice for each packet and direction. When a packet leaves the first VAP group and re-enters the NPM destined for the second VAP group, the original flow information is invalidated and overwritten by a new flow created for the second VAP group.
 
Similarly, return traffic will need to be re-classified when received by the NPM. In addition, if VAP groups have multiple members, the return flow may be sent to another VAP in the VAP group, resulting in asymmetrical routing and potential traffic drops by the firewall application.
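As an added illustration (constructed for this article, not XOS code), the following Python model keys flows on the ingress circuit's domain-id plus the IP 5-tuple and walks one connection through two externally serialized VAP groups, once with every circuit on the same domain-id and once with per-group domain-ids. The round-robin member choice and the domain-ids given to the outside and inside circuits are assumptions of the model.

```python
from itertools import cycle

def normalize(src, dst, proto, sport, dport):
    """Key both directions of one connection identically."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

class NPM:
    """Flow table keyed on (ingress domain-id, normalized 5-tuple)."""
    def __init__(self, groups):
        self.members = {g: cycle(m) for g, m in groups.items()}
        self.flows = {}      # key -> (vap group, member)
        self.overwrites = 0  # flows invalidated and re-created for another group

    def classify(self, domain, pkt, target_group):
        key = (domain, normalize(*pkt))
        entry = self.flows.get(key)
        if entry is None or entry[0] != target_group:
            if entry is not None:
                self.overwrites += 1  # same key, different group: flow lost
            # assumption: a new flow is handed to the next member round-robin
            entry = (target_group, next(self.members[target_group]))
            self.flows[key] = entry
        return entry

FWD = ("10.1.1.10", "10.2.2.20", "tcp", 40000, 443)  # constructed request
REV = ("10.2.2.20", "10.1.1.10", "tcp", 443, 40000)  # and its reply

def serialized_path(domains):
    """Request through group1 -> router -> group2, reply back the same way.
    domains maps circuit name -> domain-id. Returns the member each group
    saw per direction, the overwrite count and the number of flow entries."""
    npm = NPM({"group1": ["vap1", "vap2"], "group2": ["vap3", "vap4"]})
    seen = {
        "g1_fwd": npm.classify(domains["outside"], FWD, "group1")[1],
        "g2_fwd": npm.classify(domains["vlan200"], FWD, "group2")[1],
        "g2_rev": npm.classify(domains["inside"], REV, "group2")[1],
        "g1_rev": npm.classify(domains["vlan100"], REV, "group1")[1],
    }
    return seen, npm.overwrites, len(npm.flows)

SAME_DOMAIN = {"outside": 1, "vlan100": 1, "vlan200": 1, "inside": 1}
# assumption: each VAP group's own circuits share that group's domain-id
SPLIT_DOMAIN = {"outside": 2, "vlan100": 2, "vlan200": 3, "inside": 3}

if __name__ == "__main__":
    for name, d in (("same domain", SAME_DOMAIN), ("split domains", SPLIT_DOMAIN)):
        seen, overwrites, flows = serialized_path(d)
        print(f"{name}: {seen} overwrites={overwrites} flows={flows}")
```

With a single domain-id the one flow entry is overwritten twice and group1 sees the reply on a different member than the request; with split domain-ids each group keeps its own stable entry and both directions stay on the same member.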

Resolution

When using an external serialization design, a different domain-id must be configured on the circuits connecting the VAP groups. This allows the NPM to distinguish traffic for each VAP group and to establish stable separate flows. For example:

circuit vlan100  domain 2
  vap-group <VAP-GROUP 1>
    ip 100.0.0.254/24 100.0.0.255

circuit vlan200  domain 3
  vap-group <VAP-GROUP 2>
    ip 200.0.0.254/24 200.0.0.255

NOTE: You cannot change the domain for an existing circuit. You must delete the circuit and re-create it with a unique domain-id.

Workaround

As a temporary workaround to avoid the firewall drops, the VAP groups can be reduced to one member by configuring the max-load-count to 1. However, this workaround does not resolve the re-classification issue.
