Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

VPN Session Affinity

The performance of IPsec VPN traffic to minimize packet forwarding overhead can be optimized by enabling VPN session affinity and performance acceleration.

Understanding VPN Session Affinity

VPN session affinity occurs when a cleartext session is located in a Services Processing Unit (SPU) that is different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to locate the cleartext and IPsec tunnel session in the same SPU. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.

Without VPN session affinity, a cleartext session created by a flow might be located in one SPU and the tunnel session created by IPsec might be located in another SPU. An SPU to SPU forward or hop is needed to route cleartext packets to the IPsec tunnel.

By default, VPN session affinity is disabled on SRX Series devices. When VPN session affinity is enabled, a new cleartext session is placed on the same SPU as the IPsec tunnel session. Existing cleartext sessions are not affected.

Junos OS Release 15.1X49-D10 introduces the SRX5K-MPC3-100G10G (IOC3) and the SRX5K-MPC3-40G10G (IOC3) for SRX5400, SRX5600, and SRX5800 devices.

The SRX5K-MPC (IOC2) and the IOC3 support VPN session affinity through improved flow module and session cache. With IOCs, the flow module creates sessions for IPsec tunnel-based traffic before encryption and after decryption on its tunnel-anchored SPU and installs the session cache for the sessions so that the IOC can redirect the packets to the same SPU to minimize packet forwarding overhead. Express Path (previously known as services offloading) traffic and NP cache traffic share the same session cache table on the IOCs.

To display active tunnel sessions on SPUs, use the show security ipsec security-association command and specify the Flexible PIC Concentrator (FPC) and Physical Interface Card (PIC) slots that contain the SPU. For example:

You need to evaluate the tunnel distribution and traffic patterns in your network to determine if VPN session affinity should be enabled.

Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU). If the configured encryption or authentication changes, the tunnel overhead is updated on the anchor SPU when a new IPsec security association is established.

The VPN session affinity limitations are as follows:

  • Traffic across logical systems is not supported.

  • If there is a route change, established cleartext sessions remain on an SPU and traffic is rerouted if possible. Sessions created after the route change can be set up on a different SPU.

  • VPN session affinity only affects self traffic that terminates on the device (also known as host-inbound traffic); self traffic that originates from the device (also known as host-outbound traffic) is not affected.

  • Multicast replication and forwarding performance is not affected.

Enabling VPN Session Affinity

By default, VPN session affinity is disabled on SRX Series devices. Enabling VPN session affinity can improve VPN throughput under certain conditions. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices. This section describes how to use the CLI to enable VPN session affinity.

Determine if clear-text sessions are being forwarded to IPsec tunnel sessions on a different SPU. Use the show security flow session command to display session information about clear-text sessions.

In the example, there is a tunnel session on FPC 3, PIC 0 and a clear-text session on FPC 6, PIC 0. A forwarding session (session ID 60017354) is set up on FPC 3, PIC 0.

Junos OS Release 15.1X49-D10 introduces session affinity support on IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G [IOC3]) and Junos OS Release 12.3X48-D30 introduces session affinity support on IOC2. You can enable session affinity for the IPsec tunnel session on the IOC FPCs. To enable IPsec VPN affinity, you must also enable the session cache on IOCs by using the set chassis fpc fpc-slot np-cache command.

To enable VPN session affinity:

  1. In configuration mode, use the set command to enable VPN session affinity.
  2. Check your changes to the configuration before committing.
  3. Commit the configuration.

After enabling VPN session affinity, use the show security flow session command to display session information about clear-text sessions.

After VPN session affinity is enabled, the clear-text session is always located on FPC 3, PIC 0.

Accelerating the IPsec VPN Traffic Performance

You can accelerate IPsec VPN performance by configuring the performance acceleration parameter. By default, VPN performance acceleration is disabled on SRX Series devices. Enabling the VPN performance acceleration can improve the VPN throughput with VPN session affinity enabled. This feature is only supported on SRX5400, SRX5600, and SRX5800 devices.

This topic describes how to use the CLI to enable VPN performance acceleration.

To enable performance acceleration, you must ensure that cleartext sessions and IPsec tunnel sessions are established on the same Services Processing Unit (SPU). Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. For more information on enabling session affinity, see Understanding VPN Session Affinity.

To enable IPsec VPN performance acceleration:

  1. Enable VPN session affinity.
  2. Enable IPsec performance acceleration.
  3. Check your changes to the configuration before committing.
  4. Commit the configuration.

After enabling VPN performance acceleration, use the show security flow status command to display flow status.

IPsec Distribution Profile

Starting with Junos OS Release 19.2R1, you can configure one or more IPsec distribution profiles for IPsec security associations (SAs). Tunnels are distributed evenly across all resources (SPCs) specified in the configured distribution profile. It is supported in SPC3 only and mixed-mode (SPC3 + SPC2), it is not supported on SPC1 and SPC2 systems. With the IPsec distribution profile, use the set security ipsec vpn vpn-name distribution-profile distribution-profile-name command to associate tunnels to a specified:

  • Slot

  • PIC

Alternatively, you can use the default IPsec distribution profiles:

  • default-spc2-profile —Use this predefined default profile to associate IPsec tunnels to all available SPC2 cards.

  • default-spc3-profile —Use this predefined default profile to associate IPsec tunnels to all available SPC3 cards.

You can now assign a profile to a specific VPN object, where all associated tunnels will be distributed based on this profile. If no profile is assigned to the VPN object, the SRX Series device automatically distributes these tunnels evenly across all resources.

You can associate a VPN object with either a user-defined profile or a predefined (default) profile.

Starting in Junos OS Release 20.2R2, the invalid thread IDs configured to the distribution profile are ignored with no commit-check error message. The IPsec tunnel gets anchored as per the configured distribution profile ignoring invalid thread IDs if any for that profile.

In the following example, all tunnels associated with profile ABC will be distributed on FPC 0, PIC 0.

Understanding the Loopback Interface for a High Availability VPN

In an IPsec VPN tunnel configuration, an external interface must be specified to communicate with the peer IKE gateway. Specifying a loopback interface for the external interface of a VPN is a good practice when there are multiple physical interfaces that can be used to reach a peer gateway. Anchoring a VPN tunnel on the loopback interface removes the dependency on a physical interface for successful routing.

Using a loopback interface for VPN tunnels is supported on standalone SRX Series devices as well as on SRX Series devices in chassis clusters. In a chassis cluster active-passive deployment, you can create a logical loopback interface and make it a member of a redundancy group so that it can be used to anchor VPN tunnels. The loopback interface can be configured in any redundancy group and is assigned as the external interface for the IKE gateway. VPN packets are processed on the node where the redundancy group is active.

On SRX5400, SRX5600, and SRX5800 devices, if the loopback interface is used as the IKE gateway external interface, it must be configured in a redundancy group other than RG0.

In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus an active external interface determines the anchor SPU.

You can use the show chassis cluster interfaces command to view information on the redundant pseudointerface.

Release History Table
Release
Description
12.3X48-D50
Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU).
17.4R1
Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled.
Junos OS Release 20.2R
Starting in Junos OS Release 20.2R2, the invalid thread IDs configured to the distribution profile are ignored with no commit-check error message. The IPsec tunnel gets anchored as per the configured distribution profile ignoring invalid thread IDs if any for that profile.