Improving IPsec VPN Traffic Performance

You can optimize the performance of IPsec VPN traffic, and minimize packet forwarding overhead, by enabling VPN session affinity and performance acceleration.

Understanding VPN Session Affinity

VPN session affinity addresses the case in which a cleartext session is located on a Services Processing Unit (SPU) different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to locate the cleartext session and the IPsec tunnel session on the same SPU. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.

Without VPN session affinity, a cleartext session created by the flow module might be located on one SPU while the tunnel session created by IPsec is located on another SPU. An SPU-to-SPU forward, or hop, is then needed to route cleartext packets to the IPsec tunnel.

By default, VPN session affinity is disabled on SRX Series devices. When VPN session affinity is enabled, a new cleartext session is placed on the same SPU as the IPsec tunnel session. Existing cleartext sessions are not affected.

Junos OS Release 15.1X49-D10 introduces the SRX5K-MPC3-100G10G (IOC3) and the SRX5K-MPC3-40G10G (IOC3) for SRX5400, SRX5600, and SRX5800 devices.

The SRX5K-MPC (IOC2) and the IOC3 support VPN session affinity through an improved flow module and session cache. With these IOCs, the flow module creates sessions for IPsec tunnel-based traffic before encryption and after decryption on the tunnel-anchored SPU and installs a session cache entry for the sessions, so that the IOC can redirect the packets to the same SPU and minimize packet forwarding overhead. Express Path (previously known as services offloading) traffic and NP cache traffic share the same session cache table on the IOCs.

To display active tunnel sessions on SPUs, use the show security ipsec security-association command and specify the Flexible PIC Concentrator (FPC) and Physical Interface Card (PIC) slots that contain the SPU. For example:

You need to evaluate the tunnel distribution and traffic patterns in your network to determine if VPN session affinity should be enabled.

Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU). If the configured encryption or authentication changes, the tunnel overhead is updated on the anchor SPU when a new IPsec security association is established.

The VPN session affinity limitations are as follows:

  • Traffic across logical systems is not supported.

  • If there is a route change, established cleartext sessions remain on an SPU and traffic is rerouted if possible. Sessions created after the route change can be set up on a different SPU.

  • VPN session affinity only affects self traffic that terminates on the device (also known as host-inbound traffic); self traffic that originates from the device (also known as host-outbound traffic) is not affected.

  • Multicast replication and forwarding performance is not affected.

Enabling VPN Session Affinity

By default, VPN session affinity is disabled on SRX Series devices. Enabling VPN session affinity can improve VPN throughput under certain conditions. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices. This section describes how to use the CLI to enable VPN session affinity.

Determine if clear-text sessions are being forwarded to IPsec tunnel sessions on a different SPU. Use the show security flow session command to display session information about clear-text sessions.

In the example, there is a tunnel session on FPC 3, PIC 0 and a clear-text session on FPC 6, PIC 0. A forwarding session (session ID 60017354) is set up on FPC 3, PIC 0.

Junos OS Release 15.1X49-D10 introduces session affinity support on IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G [IOC3]) and Junos OS Release 12.3X48-D30 introduces session affinity support on IOC2. You can enable session affinity for the IPsec tunnel session on the IOC FPCs. To enable IPsec VPN affinity, you must also enable the session cache on IOCs by using the set chassis fpc fpc-slot np-cache command.

To enable VPN session affinity:

  1. In configuration mode, use the set command to enable VPN session affinity.
  2. Check your changes to the configuration before committing.
  3. Commit the configuration.

After enabling VPN session affinity, use the show security flow session command to display session information about clear-text sessions.

After VPN session affinity is enabled, the clear-text session is always located on FPC 3, PIC 0.

Accelerating the IPsec VPN Traffic Performance

You can accelerate IPsec VPN performance by configuring the performance acceleration parameter. By default, VPN performance acceleration is disabled on SRX Series devices. Enabling VPN performance acceleration can improve VPN throughput when VPN session affinity is also enabled. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.

This topic describes how to use the CLI to enable VPN performance acceleration.

To enable performance acceleration, you must ensure that cleartext sessions and IPsec tunnel sessions are established on the same Services Processing Unit (SPU). Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. For more information on enabling session affinity, see Understanding VPN Session Affinity.

To enable IPsec VPN performance acceleration:

  1. Enable VPN session affinity.
  2. Enable IPsec performance acceleration.
  3. Check your changes to the configuration before committing.
  4. Commit the configuration.
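The session affinity steps above and the performance acceleration steps here, written out as Junos CLI configuration. This is an added example, not CLI output from the original page; FPC slots 1 and 2 are assumed to be the IOC2/IOC3 slots of the chassis.

```junos
# Added example (not from the original page). FPC slots 1 and 2 are assumed IOC slots.
[edit]
# 1. Session cache on the IOCs is a prerequisite for IPsec session affinity.
set chassis fpc 1 np-cache
set chassis fpc 2 np-cache
# 2. Enable VPN session affinity (SRX5400/SRX5600/SRX5800 only; disabled by default).
#    Only sessions created after the commit are placed on the tunnel SPU.
set security flow load-distribution session-affinity ipsec
# 3. Enable IPsec performance acceleration (requires session affinity to be on).
set security flow ipsec-performance-acceleration
# 4. Review the candidate configuration before committing.
show | compare
# 5. Commit.
commit

# Verification from configuration mode: new cleartext sessions should now appear on
# the same FPC/PIC as the tunnel session, and flow status reports the settings.
run show security flow session
run show security flow status
```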

After enabling VPN performance acceleration, use the show security flow status command to display flow status.

IPsec Distribution Profile

Starting with Junos OS Release 19.2R1, you can configure one or more IPsec distribution profiles for IPsec security associations (SAs). Tunnels are distributed evenly across all resources (SPCs) specified in the configured distribution profile. Distribution profiles are supported only on SPC3 systems and in mixed mode (SPC3 + SPC2); they are not supported on SPC1 and SPC2 systems. With an IPsec distribution profile, use the set security ipsec vpn vpn-name distribution-profile distribution-profile-name command to associate tunnels with a specified:

  • Slot

  • PIC

Alternatively, you can use the default IPsec distribution profiles:

  • default-spc2-profile — Use this predefined default profile to associate IPsec tunnels with all available SPC2 cards.

  • default-spc3-profile — Use this predefined default profile to associate IPsec tunnels with all available SPC3 cards.

You can now assign a profile to a specific VPN object, where all associated tunnels will be distributed based on this profile. If no profile is assigned to the VPN object, the SRX Series device automatically distributes these tunnels evenly across all resources.

You can associate a VPN object with either a user-defined profile or a predefined (default) profile.

In the following example, all tunnels associated with profile ABC will be distributed on FPC 0, PIC 0.
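The profile described above, as an added example that is not part of the original page. The VPN names are constructed; the profile name ABC and its anchor (FPC 0, PIC 0) are the ones named in the text.

```junos
# Added example (not from the original page). VPN object names are constructed.
[edit]
# User-defined profile ABC: every tunnel of a VPN bound to it is anchored on FPC 0, PIC 0.
# Only valid on SPC3 or mixed SPC3 + SPC2 systems.
set security distribution-profile ABC fpc 0 pic 0
set security ipsec vpn vpn-to-branch1 distribution-profile ABC
# Predefined profile: spread another VPN's tunnels across all SPC3 cards.
set security ipsec vpn vpn-to-dc distribution-profile default-spc3-profile
# A VPN object with no profile keeps the default: tunnels are spread evenly across all resources.
commit

# Verify where the SAs were anchored; restrict the view to the slot the profile names.
run show security ipsec security-associations fpc 0 pic 0
```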

Improving IPsec Performance with PowerMode IPsec

PowerMode IPsec (PMI) is a mode of operation that improves IPsec performance by using Vector Packet Processing and the Intel AES-NI instruction set. When PMI is enabled, a small software block inside the Packet Forwarding Engine bypasses flow processing and uses AES-NI instructions for optimized IPsec processing.

You enable PMI processing by using the set security flow power-mode-ipsec configuration mode command.

To disable PMI processing, use the delete security flow power-mode-ipsec configuration mode command to delete the statement from the configuration.

For SRX4100 and SRX4200 devices running Junos OS Release 18.4R1, and for vSRX running Junos OS Release 18.3R1, you must reboot the device after enabling or disabling PMI for the configuration to take effect. For SRX5000 line devices and vSRX instances running Junos OS Release 19.2R1, no reboot is required.

Packets cannot go through PMI when firewall or advanced security services are combined with IPsec, so PMI must not be used in deployments that combine those services with IPsec.

You can verify the PMI status by using the show security flow status operational mode command.

A tunnel session can either be PMI or non-PMI. If a session is configured with any of the non-supported features listed in Table 1, the session is marked as non-PMI and the tunnel will go into non-PMI mode. Once the tunnel goes into the non-PMI mode, it will not go back to the PMI mode.

Table 1 summarizes the features supported in PMI, along with the features that are not supported.

Table 1: Summary of Features Supported in PowerMode IPsec

Supported Features in PowerMode IPsec:

  • Internet Key Exchange (IKE) functionality

  • AutoVPN with traffic selectors

  • High availability

  • IPv6

  • Stateful firewall

  • st0 interface

  • Traffic selectors

  • NAT-T

  • GTP-U scenario with TEID distribution and asymmetric fat tunnel solution

  • Quality of Service (QoS)

  • First path and fast path processing for fragment handling and unified encryption

  • AES-GCM encryption algorithm (we recommend AES-GCM for optimal performance)

  • AES-CBC with SHA1 encryption algorithm

  • AES-CBC with SHA2 encryption algorithm

  • NULL encryption algorithm

Non-Supported Features in PowerMode IPsec:

  • IPsec-in-IPsec tunnels

  • Layer 4 - 7 applications: application firewall and AppSecure

  • GPRS tunneling protocol (GTP) and Stream Control Transmission Protocol (SCTP) firewalls

  • Host traffic

  • Multicast

  • Nested tunnels

  • Screen options

  • DES-CBC encryption algorithm

  • 3DES-CBC encryption algorithm

  • Application Layer Gateway (ALG)

  • NAT

Note the following usage considerations with PMI:

  • Antireplay maximum window size supported is 64 packets.

  • PMI checks for pre-fragmentation and post-fragmentation. Packets that PMI detects as requiring pre-fragmentation or post-fragmentation are not allowed through PMI and fall back to non-PMI mode.

  • Any fragments received on an interface will not go through PMI.

  • PMI is supported on link aggregation group (LAG) and redundant Ethernet (reth) interfaces with only one member.

  • PMI for NAT-T is supported only on SRX5400, SRX5600, and SRX5800 devices equipped with the SRX5K-SPC3 Services Processing Card (SPC), or on vSRX.

Starting in Junos OS Release 19.1R1, Class of Service (CoS) supports configuration of behavior aggregate (BA) classifier, multifield (MF) classifier, and rewrite-rule functions in PMI on SRX5K-SPC3 Services Processing Card (SPC) cards.

Starting in Junos OS Release 19.2R1, PowerMode IPsec (PMI) supports GTP-U scenario with TEID distribution and asymmetric fat tunnel solution.

Starting in Junos OS Release 19.3R1, the GTP-U scenario with TEID distribution and asymmetric fat tunnel solution and the Software Receive Side Scaling feature are supported on vSRX and vSRX 3.0.

Starting in Junos OS Release 19.4R1, vSRX instances support:

  • Per-flow CoS functions for GTP-U traffic in PowerMode IPsec (PMI) mode.

  • Class of Service (CoS) features in PowerMode IPsec (PMI) mode. The following CoS features are supported in PMI mode:

    • Classifier

    • Rewrite-rule functions

    • Queuing

    • Shaping

    • Scheduling

Benefits of PowerMode IPsec

  • Enhances the performance of IPsec.

Configuring Security Flow PMI

This section describes how to configure security flow PMI.

To configure security flow PowerMode IPsec, you must enable the session cache on IOCs and VPN session affinity:

  1. Enable the session cache on IOCs (IOC2 and IOC3).
  2. Enable VPN session affinity.
  3. Enable PowerMode IPsec for security flow.
  4. Confirm your configuration by entering the show security command.
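The four steps above as Junos CLI configuration, with an IPsec proposal chosen to stay within what PMI supports (Table 1). This is an added example, not the page's own; FPC slot 1 is an assumed IOC slot and the proposal and policy names are constructed.

```junos
# Added example (not from the original page). FPC slot 1 is an assumed IOC slot;
# proposal/policy names and the lifetime are constructed values.
[edit]
# 1. Session cache on the IOC.
set chassis fpc 1 np-cache
# 2. VPN session affinity, so cleartext and tunnel sessions share an SPU.
set security flow load-distribution session-affinity ipsec
# 3. PowerMode IPsec.
set security flow power-mode-ipsec
# Algorithm choice matters: AES-GCM is the recommended PMI algorithm. DES-CBC or
# 3DES-CBC would mark the tunnel non-PMI, and a tunnel never returns to PMI mode.
set security ipsec proposal pmi-prop protocol esp
set security ipsec proposal pmi-prop encryption-algorithm aes-256-gcm
set security ipsec proposal pmi-prop lifetime-seconds 3600
set security ipsec policy pmi-pol proposals pmi-prop
# 4. Confirm, then commit.
show security
commit

# Verify PMI status from operational mode.
run show security flow status

# To disable PMI later (SRX4100/SRX4200 on 18.4R1 and vSRX on 18.3R1 need a reboot):
# delete security flow power-mode-ipsec
```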

Example: Configuring Behavior Aggregate Classifier in PMI

This example shows how to configure behavior aggregate (BA) classifiers for an SRX Series device to determine the forwarding treatment of packets in PowerMode IPsec (PMI).

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

  • Determine the forwarding class and PLP that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.

Overview

Configure behavior aggregate classifiers to classify the packets that contain valid DSCPs to appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces. You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.

In this example, set the DSCP behavior aggregate classifier to ba-classifier as the default DSCP map. Set a best-effort forwarding class as be-class, an expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class. Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.

Table 2 shows how the behavior aggregate classifier assigns loss priorities to incoming packets in the four forwarding classes.

Table 2: Sample ba-classifier Loss Priority Assignments

  mf-classifier Forwarding Class | For CoS Traffic Type         | ba-classifier Assignments
  be-class                       | Best-effort traffic          | High-priority code point: 000001
  ef-class                       | Expedited forwarding traffic | High-priority code point: 101111
  af-class                       | Assured forwarding traffic   | High-priority code point: 001100
  nc-class                       | Network control traffic      | High-priority code point: 110001

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Behavior Aggregate Classifiers for a device in PMI:

  1. Configure the class of service.
  2. Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.
  3. Configure a best-effort forwarding class classifier.
  4. Configure an expedited forwarding class classifier.
  5. Configure an assured forwarding class classifier.
  6. Configure a network control forwarding class classifier.
  7. Apply the behavior aggregate classifier to an interface.
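Steps 1 through 7 above as Junos CLI configuration, using the four forwarding classes and the high-priority code points from Table 2. This is an added example and not the page's own configuration; the queue-to-class mapping (queues 0 to 3) is an assumption.

```junos
# Added example (not from the original page). Queue numbers are assumed.
[edit class-of-service]
# Steps 1-2: custom forwarding classes, one per queue.
set forwarding-classes queue 0 be-class
set forwarding-classes queue 1 ef-class
set forwarding-classes queue 2 af-class
set forwarding-classes queue 3 nc-class
# Start from the default DSCP map so code points not listed below keep default treatment.
set classifiers dscp ba-classifier import default
# Steps 3-6: one high-loss-priority code point per class (values from Table 2).
set classifiers dscp ba-classifier forwarding-class be-class loss-priority high code-points 000001
set classifiers dscp ba-classifier forwarding-class ef-class loss-priority high code-points 101111
set classifiers dscp ba-classifier forwarding-class af-class loss-priority high code-points 001100
set classifiers dscp ba-classifier forwarding-class nc-class loss-priority high code-points 110001
# Step 7: bind the classifier to the logical interface; this overrides the default
# IP precedence classifier on ge-0/0/0.0 only.
set interfaces ge-0/0/0 unit 0 classifiers dscp ba-classifier
top
show class-of-service
commit

# Verify the binding and the resulting code-point table.
run show class-of-service interface ge-0/0/0
run show class-of-service classifier name ba-classifier
```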

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Classifier is applied to the Interfaces

Purpose

Make sure that the classifier is applied to the correct interfaces.

Action

From the operational mode, enter the show class-of-service interface ge-0/0/0 command.

user@host> show class-of-service interface ge-0/0/0

Meaning

The interfaces are configured as expected.

Example: Configuring Behavior Aggregate Classifier in PMI for vSRX instances

This example shows how to configure behavior aggregate (BA) classifiers for a vSRX instance to determine forwarding treatment of packets in PowerMode IPsec (PMI).

Requirements

This example uses the following hardware and software components:

  • A vSRX instance.

  • Junos OS Release 19.4R1 and later releases.

Before you begin:

  • Determine the forwarding class and packet loss priority (PLP) that are assigned by default to each well-known DSCP that you want to configure for the behavior aggregate classifier.

Overview

Configure behavior aggregate classifiers to classify the packets that contain valid DSCPs to appropriate queues. Once configured, you apply the behavior aggregate classifier to the correct interfaces. You override the default IP precedence classifier by defining a classifier and applying it to a logical interface. To define new classifiers for all code point types, include the classifiers statement at the [edit class-of-service] hierarchy level.

In this example, set the DSCP behavior aggregate classifier to ba-classifier as the default DSCP map. Set a best-effort forwarding class as be-class, an expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control forwarding class as nc-class. Finally, apply the behavior aggregate classifier to the interface ge-0/0/0.

Table 3 shows how the behavior aggregate classifier assigns loss priorities to incoming packets in the four forwarding classes.

Table 3: Sample ba-classifier Loss Priority Assignments

  mf-classifier Forwarding Class | For CoS Traffic Type         | ba-classifier Assignments
  be-class                       | Best-effort traffic          | High-priority code point: 000001
  ef-class                       | Expedited forwarding traffic | High-priority code point: 101111
  af-class                       | Assured forwarding traffic   | High-priority code point: 001100
  nc-class                       | Network control traffic      | High-priority code point: 110001

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Behavior Aggregate Classifiers for a device in PMI:

  1. Configure the class of service.
  2. Configure behavior aggregate classifiers for Differentiated Services (DiffServ) CoS.
  3. Configure a best-effort forwarding class classifier.
  4. Configure an expedited forwarding class classifier.
  5. Configure drop profiles.
  6. Configure the forwarding classes queues.
  7. Apply the classifier to the interfaces.
  8. Configure the schedulers.
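Steps 5, 6 and 8 of the vSRX procedure (drop profiles, forwarding-class queues and schedulers) as Junos CLI configuration; the classifier itself (steps 2 to 4, 7) is the same as in the SRX Series example and is not repeated. This is an added example, not the page's own; all percentages, drop-profile values and scheduler names are constructed.

```junos
# Added example (not from the original page). Percentages, fill levels and names are constructed.
[edit class-of-service]
# Step 6: forwarding classes and their queues.
set forwarding-classes queue 0 be-class
set forwarding-classes queue 1 ef-class
set forwarding-classes queue 2 af-class
set forwarding-classes queue 3 nc-class
# Step 5: a RED drop profile for high-PLP best-effort traffic; start dropping at 50% fill.
set drop-profiles be-drop fill-level 50 drop-probability 20
set drop-profiles be-drop fill-level 100 drop-probability 100
# Step 8: schedulers. Transmit-rate percentages must not exceed 100 in total (30+30+25+15).
set schedulers be-sched transmit-rate percent 30
set schedulers be-sched buffer-size percent 30
set schedulers be-sched priority low
set schedulers be-sched drop-profile-map loss-priority high protocol any drop-profile be-drop
set schedulers ef-sched transmit-rate percent 30
set schedulers ef-sched buffer-size percent 30
set schedulers ef-sched priority high
set schedulers af-sched transmit-rate percent 25
set schedulers af-sched buffer-size percent 25
set schedulers af-sched priority medium-low
set schedulers nc-sched transmit-rate percent 15
set schedulers nc-sched buffer-size percent 15
set schedulers nc-sched priority strict-high
# Map each class to its scheduler and apply the map to the interface.
set scheduler-maps pmi-sched-map forwarding-class be-class scheduler be-sched
set scheduler-maps pmi-sched-map forwarding-class ef-class scheduler ef-sched
set scheduler-maps pmi-sched-map forwarding-class af-class scheduler af-sched
set scheduler-maps pmi-sched-map forwarding-class nc-class scheduler nc-sched
set interfaces ge-0/0/0 scheduler-map pmi-sched-map
top
commit

run show class-of-service forwarding-class
run show class-of-service scheduler-map pmi-sched-map
```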

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Classifier is applied to the Interfaces

Purpose

Verify that the classifier is configured properly and confirm that the forwarding classes are configured correctly.

Action

From the operational mode, enter the show class-of-service forwarding-class command.

user@host> show class-of-service forwarding-class

Meaning

The output shows the configured custom classifier settings.

Example: Configuring and Applying a Firewall Filter for a Multifield Classifier in PMI

This example shows how to configure a firewall filter that classifies traffic into different forwarding classes by DSCP value, using a multifield (MF) classifier in PowerMode IPsec (PMI).

The classifier detects packets of interest to class of service (CoS) as they arrive on an interface. MF classifiers are used when a simple behavior aggregate (BA) classifier is insufficient to classify a packet, when peering routers do not have CoS bits marked, or the peering router’s marking is untrusted.

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

Overview

This example explains how to configure the firewall filter mf-classifier. To configure the MF classifier, create and name the assured forwarding traffic class, set the match condition, and then specify the destination address as 192.168.44.55. Create the forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.

In this example, create and name the expedited forwarding traffic class and set the match condition for the expedited forwarding traffic class. Specify the destination address as 192.168.66.77. Create the forwarding class for expedited forwarding DiffServ traffic as ef-class and set the policer to ef-policer. Create and name the network-control traffic class and set the match condition.

In this example, create and name the forwarding class for the network control traffic class as nc-class and name the forwarding class for the best-effort traffic class as be-class. Finally, apply the multifield classifier firewall filter as an input and output filter on each customer-facing or host-facing interface that needs the filter. In this example, the input filter is applied to interface ge-0/0/2 and the output filter to interface ge-0/0/4.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a Firewall Filter for a Multifield Classifier for a device in PMI:

  1. Create and name the multifield classifier filter.
  2. Create and name the term for the assured forwarding traffic class.
  3. Specify the destination address for assured forwarding traffic.
  4. Create the forwarding class and set the loss priority for the assured forwarding traffic class.
  5. Create and name the term for the expedited forwarding traffic class.
  6. Specify the destination address for the expedited forwarding traffic.
  7. Create the forwarding class and apply the policer for the expedited forwarding traffic class.
  8. Create and name the term for the network control traffic class.
  9. Create the match condition for the network control traffic class.
  10. Create and name the forwarding class for the network control traffic class.
  11. Create and name the term for the best-effort traffic class.
  12. Create and name the forwarding class for the best-effort traffic class.
  13. Apply the multifield classifier firewall filter as an input filter.
  14. Apply the multifield classifier firewall filter as an output filter.

Results

From configuration mode, confirm your configuration by entering the show firewall filter mf-classifier command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying a Firewall Filter for a Multifield Classifier Configuration

Purpose

Verify that a firewall filter for a multifield classifier is configured properly on a device and confirm that the forwarding classes are configured correctly.

Action

From configuration mode, enter the show class-of-service forwarding-class command.

user@host> show class-of-service forwarding-class

Meaning

The output shows the configured custom classifier settings.

Example: Configuring and Applying Rewrite Rules on a Security Device in PMI

This example shows how to configure and apply rewrite rules for a device in PowerMode IPsec (PMI).

Requirements

This example uses the following hardware and software components:

  • SRX Series device.

  • Junos OS Release 19.1R1 and later releases.

Before you begin:

Overview

This example explains how to configure rewrite rules to replace CoS values on packets received from the customer or host with the values expected by other SRX devices. You do not have to configure rewrite rules if the received packets already contain valid CoS values. Rewrite rules apply the forwarding class information and packet loss priority used internally by the device to establish the CoS value on outbound packets. After you configure the rewrite rules, apply them to the correct interfaces.

In this example, configure the rewrite rule for DiffServ CoS as rewrite-dscps. Specify the best-effort forwarding class as be-class, expedited forwarding class as ef-class, an assured forwarding class as af-class, and a network control class as nc-class. Finally, apply the rewrite rule to the ge-0/0/0 interface.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from the configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure and apply Rewrite Rules for a device in PMI:

  1. Configure rewrite rules for DiffServ CoS.
  2. Configure best-effort forwarding class rewrite rules.
  3. Configure expedited forwarding class rewrite rules.
  4. Configure assured forwarding class rewrite rules.
  5. Configure network control class rewrite rules.
  6. Apply rewrite rules to an interface.
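Steps 1 through 6 above as Junos CLI configuration, written so that the high-loss-priority code points written on egress match the ones the ba-classifier example reads on ingress. This is an added example, not the page's own; the low-loss-priority code points (standard DiffServ BE, EF, AF11 and CS6 values) are assumptions.

```junos
# Added example (not from the original page). Low-priority code points are assumed values.
[edit class-of-service]
# Step 1: DSCP rewrite rule rewrite-dscps.
# Steps 2-5: one code point per (class, loss-priority) pair. Rewrite rules act on egress,
# using the class and PLP the device assigned internally, so a packet that entered with
# an untrusted marking leaves with the value this device decided on.
set rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority low code-point 000000
set rewrite-rules dscp rewrite-dscps forwarding-class be-class loss-priority high code-point 000001
set rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority low code-point 101110
set rewrite-rules dscp rewrite-dscps forwarding-class ef-class loss-priority high code-point 101111
set rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority low code-point 001010
set rewrite-rules dscp rewrite-dscps forwarding-class af-class loss-priority high code-point 001100
set rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority low code-point 110000
set rewrite-rules dscp rewrite-dscps forwarding-class nc-class loss-priority high code-point 110001
# Step 6: apply the rule to the logical interface.
set interfaces ge-0/0/0 unit 0 rewrite-rules dscp rewrite-dscps
top
show class-of-service
commit

run show class-of-service rewrite-rule name rewrite-dscps
run show class-of-service interface ge-0/0/0
```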

Results

From configuration mode, confirm your configuration by entering the show class-of-service command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Rewrite Rules Configuration

Purpose

Verify that rewrite rules are configured properly.

Action

From the operational mode, enter the show class-of-service command.

user@host> show class-of-service

Meaning

Rewrite rules are configured on ge-0/0/0 interface as expected.

Configure IPsec ESP Authentication-only Mode in PMI

PowerMode IPsec (PMI) introduces a new data path for achieving high IPsec throughput. Starting in Junos OS Release 19.4R1, on SRX5000 line devices with the SRX5K-SPC3 card, you can use Encapsulating Security Payload (ESP) authentication-only mode in PMI mode, which provides authentication, integrity checking, and replay protection without encrypting the data packets.

Before you begin:

To configure ESP authentication-only mode:

  1. Configure the IPsec proposal and policy.
  2. Confirm your configuration by entering the show security ipsec command.

If you are done configuring the device, enter commit from configuration mode.
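The two steps above as Junos CLI configuration. This is an added example, not the page's own; the proposal and policy names and the lifetime are constructed, and it assumes that an ESP proposal carrying an authentication algorithm and no encryption-algorithm statement is what yields authentication-only ESP.

```junos
# Added example (not from the original page). Names and lifetime are constructed.
# Assumption: protocol esp + authentication-algorithm with no encryption-algorithm
# statement produces authentication-only ESP.
[edit security ipsec]
# Step 1: proposal and policy. Data is integrity-protected and replay-protected
# but sent in cleartext, so this suits only traffic that is already encrypted or
# does not need confidentiality on this path.
set proposal esp-auth-only protocol esp
set proposal esp-auth-only authentication-algorithm hmac-sha-256-128
set proposal esp-auth-only lifetime-seconds 3600
set policy auth-only-policy perfect-forward-secrecy keys group14
set policy auth-only-policy proposals esp-auth-only
top
# PMI must be enabled for this mode (SRX5000 line with SRX5K-SPC3, 19.4R1 and later).
set security flow power-mode-ipsec
# Step 2: confirm, then commit.
show security ipsec
commit
```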


Understanding the Loopback Interface for a High Availability VPN

In an IPsec VPN tunnel configuration, an external interface must be specified to communicate with the peer IKE gateway. Specifying a loopback interface for the external interface of a VPN is a good practice when there are multiple physical interfaces that can be used to reach a peer gateway. Anchoring a VPN tunnel on the loopback interface removes the dependency on a physical interface for successful routing.

Using a loopback interface for VPN tunnels is supported on standalone SRX Series devices as well as on SRX Series devices in chassis clusters. In a chassis cluster active-passive deployment, you can create a logical loopback interface and make it a member of a redundancy group so that it can be used to anchor VPN tunnels. The loopback interface can be configured in any redundancy group and is assigned as the external interface for the IKE gateway. VPN packets are processed on the node where the redundancy group is active.

On SRX5400, SRX5600, and SRX5800 devices, if the loopback interface is used as the IKE gateway external interface, it must be configured in a redundancy group other than RG0.

In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus an active external interface determines the anchor SPU.

You can use the show chassis cluster interfaces command to view information on the redundant pseudointerface.
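The loopback-anchored IKE gateway described above as Junos CLI configuration for an active-passive chassis cluster. This is an added example, not the page's own; addresses, names and the redundancy-group number are constructed, and the IKE and IPsec policies ike-pol and ipsec-pol are assumed to exist already.

```junos
# Added example (not from the original page). Addresses, names and RG number are constructed;
# ike-pol and ipsec-pol are assumed to be configured elsewhere.
[edit]
# Loopback unit that carries the IKE gateway address. It is placed in RG1, not RG0,
# as required on SRX5400/SRX5600/SRX5800.
set interfaces lo0 unit 1 family inet address 203.0.113.1/32
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
# The loopback must sit in a zone that admits IKE, or negotiation never starts.
set security zones security-zone untrust interfaces lo0.1 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
# Anchor the gateway on lo0.1 instead of a physical interface: the node where RG1 is
# active owns lo0.1, processes the VPN packets and chooses the anchor SPU.
set security ike gateway branch-gw address 198.51.100.7
set security ike gateway branch-gw ike-policy ike-pol
set security ike gateway branch-gw external-interface lo0.1
set security ipsec vpn branch-vpn bind-interface st0.0
set security ipsec vpn branch-vpn ike gateway branch-gw
set security ipsec vpn branch-vpn ike ipsec-policy ipsec-pol
commit

# Verify the redundant pseudointerface and which node currently owns it.
run show chassis cluster interfaces
run show security ike security-associations
```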

Release History Table

  • Junos OS Release 17.4R1: IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled.

  • Junos OS Release 12.3X48-D50, 15.1X49-D90, and 17.3R1: If VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU).