On Mar 20, 2020, at 5:50 PM, Job Snijders <job@ntt.net> wrote:
On Fri, Mar 20, 2020 at 05:33:31PM -0400, Nimrod Levy wrote:
With the increase in remote workers and VPN traffic that won't hash across multiple paths, I thought this anecdote might help someone else track down a problem that might not be so obvious.
Do we know which specific VPN technologies specifically are harder to hash in a meaningful way for load balanacing purposes, than others?
If the outcome of this troubleshooting is a list of recommendations about which VPN approaches to use, and which ones to avoid (because of the issue you described), that'll be a great outcome.
It’s the protocol 50 IPSEC VPNs. They are very sensitive to path changes and reordering as well. If you’re tunneling more than 5 or 10Gb/s of IPSEC it’s likely going to be a bad day when you find a low speed link in the middle. Generally providers with these types of flows have both sides on the same network vs going off-net as they’re not stable on peering links that might change paths. You also need to watch out to ensure you’re not on some L2VPN type product that bumps up against a barrier. I know it’s a stressful time for many networks and systems people as traffic shifts. Good luck out there! - Jared