Traffic is unstable when inspected by two VAP groups serialized externally.
Article ID: 167823
Updated On:
Products
XOS
Issue/Introduction
This article describes a solution for an issue in which traffic is delayed or lost when passing through two VAP groups that are connected using an external router or switch.The following symptoms may be seen:
- Unstable traffic flows when VAP groups are connected using an external circuit
- Delayed packets or packets dropped as "out of state" by the firewall application
- Significant number of retransmissions
- Unequal load balancing between VAP group members
Cause
Problem:
This situation occurs when traffic enters the first VAP group, leaves the chassis and re-enters it again to be processed by another VAP group:
This situation occurs when traffic enters the first VAP group, leaves the chassis and re-enters it again to be processed by another VAP group:
The NPM uses IP header information (source/destination IP address, protocol, source/destination port) and domain-id assigned to ingress circuit to classify and distinguish flows. When all circuits have the same domain-id and traffic is serialized externally as in the above example, the same IP connection is classified twice for each packet and direction. When packet leaves the first VAP group and re-enters the NPM destined for the second VAP group, the original flow information is invalidated and overwritten by a new flow created for the second VAP group.
Similarly, return traffic will need to be re-classified when received by the NPM. In addition, if VAP groups have multiple members, the return flow may be sent to another VAP in the VAP group, resulting in asymmetrical routing and potential traffic drops by the firewall application.
Resolution
When using an external serialization design, a different domain-id must be configured on the circuits connecting the VAP groups. This allows the NPM to distinguish traffic for each VAP group and to establish stable separate flows. For example:
NOTE: You cannot change the domain for an existing circuit. You must delete the circuit and re-create it with a unique domain-id.
circuit vlan100 domain 2
vap-group <VAP-GROUP 1>
ip 100.0.0.254/24 100.0.0.255
circuit vlan200 domain 3
circuit vlan200 domain 3
vap-group <VAP-GROUP 2>
ip 200.0.0.254/24 200.0.0.255
NOTE: You cannot change the domain for an existing circuit. You must delete the circuit and re-create it with a unique domain-id.
Workaround
As a temporary workaround to avoid the firewall drops, the VAP groups can be reduced to one member by configuring the max-load-count to 1. However, this workaround does not resolve the re-classification issue.Attachments
Feedback
Powered by
