VPN Session Affinity
Learn how to improve the performance of IPsec VPN using VPN session affinity.
You can reduce packet-forwarding overhead for IPsec VPN traffic, and so improve VPN throughput, by enabling VPN session affinity and VPN performance acceleration.
Use Feature Explorer to confirm platform and release support for specific features.
Review the Platform-Specific High Availability VPN Loopback Interface Behavior section for notes related to your platform.
Understanding VPN Session Affinity
VPN session affinity addresses the case in which a cleartext session is located on a Services Processing Unit (SPU) that is different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to locate the cleartext session and the IPsec tunnel session on the same SPU.
Without VPN session affinity, a cleartext session created by a flow might be located in one SPU and the tunnel session created by IPsec might be located in another SPU. An SPU to SPU forward or hop is needed to route cleartext packets to the IPsec tunnel.
By default, VPN session affinity is disabled on SRX Series Firewalls. When VPN session affinity is enabled, a new cleartext session is placed on the same SPU as the IPsec tunnel session. Existing cleartext sessions are not affected.
The firewalls support VPN session affinity through an improved flow module and session cache. On IOCs, the flow module creates sessions for IPsec tunnel-based traffic before encryption and after decryption on the tunnel-anchored SPU, and installs a session cache entry for those sessions so that the IOC can redirect packets directly to that SPU and avoid the SPU-to-SPU hop. Express Path (previously known as services offloading) traffic and NP cache traffic share the same session cache table on the IOCs.
To display active tunnel sessions on SPUs, use the show security ipsec security-association command and specify the Flexible PIC Concentrator (FPC) and Physical Interface Card (PIC) slots that contain the SPU. For example:

  user@host> show security ipsec security-association fpc 3 pic 0
    Total active tunnels: 1
    ID        Algorithm         SPI       Life:sec/kb   Mon  vsys  Port  Gateway
    <131073   ESP:aes-128/sha1  18c4fd00  491/ 128000   -    root  500   203.0.113.11
    >131073   ESP:aes-128/sha1  188c0750  491/ 128000   -    root  500   203.0.113.11
You need to evaluate the tunnel distribution and traffic patterns in your network to determine if VPN session affinity should be enabled.
If VPN session affinity is enabled on the firewall, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU). If the configured encryption or authentication algorithm changes, the tunnel overhead is updated on the anchor SPU when a new IPsec security association is established.
The VPN session affinity limitations are as follows:
Traffic across logical systems is not supported.
If there is a route change, established cleartext sessions remain on an SPU and traffic is rerouted if possible. Sessions created after the route change can be set up on a different SPU.
VPN session affinity only affects self traffic that terminates on the device (also known as host-inbound traffic); self traffic that originates from the device (also known as host-outbound traffic) is not affected.
Multicast replication and forwarding performance is not affected.
Enabling VPN Session Affinity
By default, VPN session affinity is disabled on SRX Series Firewalls. Enabling VPN session affinity can improve VPN throughput under certain conditions. This section describes how to use the CLI to enable VPN session affinity.
Determine whether clear-text sessions are being forwarded to IPsec tunnel sessions on a different SPU. Use the show security flow session command to display session information about clear-text sessions.

  user@host> show security flow session
  Flow Sessions on FPC3 PIC0:

  Session ID: 60000001, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/6204 --> 203.0.113.6/41264;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

  Session ID: 60000002, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

  Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 58, Valid
    In: 203.0.113.6/500 --> 203.0.113.11/500;udp, If: .local..0, Pkts: 105386, Bytes: 12026528
    Out: 203.0.113.11/500 --> 203.0.113.6/500;udp, If: ge-0/0/2.0, Pkts: 106462, Bytes: 12105912

  Session ID: 60017354, Policy name: N/A, Timeout: 1784, Valid
    In: 0.0.0.0/0 --> 0.0.0.0/0;0, If: N/A, Pkts: 0, Bytes: 0
    Out: 198.51.100.156/23 --> 192.0.2.155/53051;tcp, If: N/A, Pkts: 0, Bytes: 0
  Total sessions: 4

  Flow Sessions on FPC6 PIC0:

  Session ID: 120000001, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

  Session ID: 120000002, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

  Session ID: 120031730, Policy name: default-policy-00/2, Timeout: 1764, Valid
    In: 192.0.2.155/53051 --> 198.51.100.156/23;tcp, If: ge-0/0/1.0, Pkts: 44, Bytes: 2399
    Out: 198.51.100.156/23 --> 192.0.2.155/53051;tcp, If: st0.0, Pkts: 35, Bytes: 2449
  Total sessions: 3
In the example, there is a tunnel session on FPC 3, PIC 0 and a clear-text session on FPC 6, PIC 0. A forwarding session (session ID 60017354) is set up on FPC 3, PIC 0.
You can enable session affinity for the IPsec tunnel session on the IOC FPCs. To enable IPsec VPN session affinity, you must also enable the session cache on the IOCs by using the set chassis fpc fpc-slot np-cache command.
To enable VPN session affinity:
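As an added configuration example (not taken from this page), the statements involved, assuming the IOC is in FPC slot 3 as in the session output above. The np-cache statement is the one the page names; the vpn-session-affinity statement name is taken from Junos OS rather than from this page, so confirm support for your platform and release with Feature Explorer before relying on it:

```junos
[edit]
user@host# set chassis fpc 3 np-cache
user@host# set security ipsec vpn-session-affinity
user@host# commit
```

Only sessions created after the commit are placed on the tunnel's anchor SPU; existing clear-text sessions stay where they are until they age out, so clear or wait out long-lived flows before re-checking the session distribution.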
After enabling VPN session affinity, use the show security flow session command to display session information about clear-text sessions.

  user@host> show security flow session
  Flow Sessions on FPC3 PIC0:

  Session ID: 60000001, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/6352 --> 203.0.113.6/7927;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

  Session ID: 60000002, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

  Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 56, Valid
    In: 203.0.113.6/500 --> 203.0.113.11/500;udp, If: .local..0, Pkts: 105425, Bytes: 12031144
    Out: 203.0.113.11/500 --> 203.0.113.6/500;udp, If: ge-0/0/2.0, Pkts: 106503, Bytes: 12110680

  Session ID: 60017387, Policy name: default-policy-00/2, Timeout: 1796, Valid
    In: 192.0.2.155/53053 --> 198.51.100.156/23;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 610
    Out: 198.51.100.156/23 --> 192.0.2.155/53053;tcp, If: st0.0, Pkts: 9, Bytes: 602
  Total sessions: 4

  Flow Sessions on FPC6 PIC0:

  Session ID: 120000001, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

  Session ID: 120000002, Policy name: N/A, Timeout: N/A, Valid
    In: 203.0.113.11/0 --> 203.0.113.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
  Total sessions: 2
After VPN session affinity is enabled, the clear-text session is always located on FPC 3, PIC 0.
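Reading the before and after outputs by eye does not scale past a handful of tunnels. The following added example (my own code, not part of the Juniper page) parses show security flow session output and, for every clear-text session whose Out wing leaves through an st0.x interface, reports the SPU it lives on, the SPU that anchors the tunnel, and whether an SPU-to-SPU forwarding session exists for it. The anchor is identified as the SPU holding the IKE self-traffic session (UDP/500 or 4500), and a forwarding session as the stub with a 0.0.0.0/0 In wing and no interface on either wing, both of which are inferences from the outputs above rather than documented rules. The two sample outputs are trimmed copies of the page's before and after listings.

```python
"""Check VPN session affinity from `show security flow session` output.

Added example: parse the text, locate the tunnel anchor SPU (where the IKE
UDP/500 self-traffic session lives) and report whether each clear-text session
that egresses via st0.x is on that SPU or is being hopped via a forwarding session.
"""
import re
from dataclasses import dataclass, field

SPU_RE = re.compile(r"^Flow Sessions on FPC(\d+) PIC(\d+):")
SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\S+), (\w+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\S+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Session:
    spu: str                                   # e.g. "FPC3 PIC0"
    sid: int
    policy: str
    wings: dict = field(default_factory=dict)  # "In"/"Out" -> (src, dst, proto, ifname)

    @property
    def is_cleartext_over_tunnel(self):
        out = self.wings.get("Out")
        return out is not None and out[3].startswith("st0.")

    @property
    def is_forwarding(self):
        # SPU-to-SPU hop stub: wildcard In wing, no interface on either wing (inferred)
        inn, out = self.wings.get("In"), self.wings.get("Out")
        return bool(inn and out) and inn[0] == "0.0.0.0/0" and inn[3] == "N/A" and out[3] == "N/A"


def parse_flow_sessions(text):
    sessions, spu, cur = [], None, None
    for line in text.splitlines():
        if m := SPU_RE.match(line):
            spu = f"FPC{m.group(1)} PIC{m.group(2)}"
        elif m := SESSION_RE.match(line):
            cur = Session(spu, int(m.group(1)), m.group(2))
            sessions.append(cur)
        elif (m := WING_RE.match(line)) and cur is not None:
            cur.wings[m.group(1)] = (m.group(2), m.group(3), m.group(4), m.group(5))
    return sessions


def ike_anchor_spu(sessions):
    """SPU holding the IKE self-traffic session (UDP/500 or 4500): the tunnel anchor."""
    for s in sessions:
        inn = s.wings.get("In")
        if inn and inn[2] == "udp" and inn[1].rsplit("/", 1)[1] in ("500", "4500"):
            return s.spu
    return None


def affinity_report(text):
    sessions = parse_flow_sessions(text)
    anchor = ike_anchor_spu(sessions)
    # forwarding stubs indexed by the (src, dst, proto) of their Out wing
    hops = {s.wings["Out"][:3]: s.sid for s in sessions if s.is_forwarding}
    return [
        {"session": s.sid, "spu": s.spu, "anchor": anchor,
         "on_anchor": s.spu == anchor,
         "forwarding_session": hops.get(s.wings["Out"][:3])}
        for s in sessions if s.is_cleartext_over_tunnel
    ]


# Constructed sample: trimmed from the page's "before" output (affinity disabled).
BEFORE_OUTPUT = """\
Flow Sessions on FPC3 PIC0:
Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 58, Valid
  In: 203.0.113.6/500 --> 203.0.113.11/500;udp, If: .local..0, Pkts: 105386, Bytes: 12026528
  Out: 203.0.113.11/500 --> 203.0.113.6/500;udp, If: ge-0/0/2.0, Pkts: 106462, Bytes: 12105912
Session ID: 60017354, Policy name: N/A, Timeout: 1784, Valid
  In: 0.0.0.0/0 --> 0.0.0.0/0;0, If: N/A, Pkts: 0, Bytes: 0
  Out: 198.51.100.156/23 --> 192.0.2.155/53051;tcp, If: N/A, Pkts: 0, Bytes: 0
Total sessions: 4
Flow Sessions on FPC6 PIC0:
Session ID: 120031730, Policy name: default-policy-00/2, Timeout: 1764, Valid
  In: 192.0.2.155/53051 --> 198.51.100.156/23;tcp, If: ge-0/0/1.0, Pkts: 44, Bytes: 2399
  Out: 198.51.100.156/23 --> 192.0.2.155/53051;tcp, If: st0.0, Pkts: 35, Bytes: 2449
Total sessions: 3
"""

# Constructed sample: trimmed from the page's "after" output (affinity enabled).
AFTER_OUTPUT = """\
Flow Sessions on FPC3 PIC0:
Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 56, Valid
  In: 203.0.113.6/500 --> 203.0.113.11/500;udp, If: .local..0, Pkts: 105425, Bytes: 12031144
  Out: 203.0.113.11/500 --> 203.0.113.6/500;udp, If: ge-0/0/2.0, Pkts: 106503, Bytes: 12110680
Session ID: 60017387, Policy name: default-policy-00/2, Timeout: 1796, Valid
  In: 192.0.2.155/53053 --> 198.51.100.156/23;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 610
  Out: 198.51.100.156/23 --> 192.0.2.155/53053;tcp, If: st0.0, Pkts: 9, Bytes: 602
Total sessions: 4
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_OUTPUT), ("after", AFTER_OUTPUT)):
        for row in affinity_report(text):
            print(label, row)
```

Feed it the full output of show security flow session (or show security flow session extensive on larger boxes) captured from the CLI; any row with on_anchor False, or with a non-empty forwarding_session, is a clear-text flow still paying for the SPU-to-SPU hop.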
Accelerating the IPsec VPN Traffic Performance
You can accelerate IPsec VPN performance by configuring the performance acceleration parameter. By default, VPN performance acceleration is disabled on SRX Series Firewalls. Enabling the VPN performance acceleration can improve the VPN throughput with VPN session affinity enabled.
This topic describes how to use the CLI to enable VPN performance acceleration.
To enable performance acceleration, you must ensure that cleartext sessions and IPsec tunnel sessions are established on the same Services Processing Unit (SPU). IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. For more information on enabling session affinity, see Understanding VPN Session Affinity.
To enable IPsec VPN performance acceleration:
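As an added configuration example (not taken from this page), assuming VPN session affinity and the IOC np-cache are already enabled as the previous section requires. The ipsec-performance-acceleration statement name is taken from Junos OS rather than from this page; confirm it for your platform and release with Feature Explorer:

```junos
[edit]
user@host# set security flow ipsec-performance-acceleration
user@host# commit
```

Enabling acceleration without affinity buys nothing, because the clear-text and tunnel sessions must already share an SPU for the accelerated path to apply; verify the session placement first, then check the flow status output that follows.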
After enabling VPN performance acceleration, use the show security flow status command to display the flow status.

  user@host> show security flow status
    Flow forwarding mode:
      Inet forwarding mode: flow based
      Inet6 forwarding mode: drop
      MPLS forwarding mode: drop
      ISO forwarding mode: drop
    Flow trace status
      Flow tracing status: off
    Flow session distribution
      Distribution mode: Hash-based
    Flow packet ordering
      Ordering mode: Hardware
    Flow ipsec performance acceleration: on
IPsec Distribution Profile
You can configure one or more IPsec distribution profiles for IPsec security associations (SAs). Tunnels are distributed evenly across all resources (SPCs) specified in the configured distribution profile. Distribution profiles are supported only on SPC3 and mixed-mode (SPC3 + SPC2) systems; they are not supported on SPC1 or SPC2-only systems. With an IPsec distribution profile, use the set security ipsec vpn vpn-name distribution-profile distribution-profile-name command to associate tunnels with a specified:
- Slot
- PIC
Alternatively, you can use the default IPsec distribution profiles:
- default-spc2-profile—Use this predefined default profile to associate IPsec tunnels with all available SPC2 cards.
- default-spc3-profile—Use this predefined default profile to associate IPsec tunnels with all available SPC3 cards.
You can now assign a profile to a specific VPN object, where all associated tunnels will be distributed based on this profile. If no profile is assigned to the VPN object, the SRX Series Firewall automatically distributes these tunnels evenly across all resources.
You can associate a VPN object with either a user-defined profile or a predefined (default) profile.
In the following example, all tunnels associated with profile ABC will be distributed on FPC 0, PIC 0.

  user@host# show
  security {
      distribution-profile ABC {
          fpc 0 {
              pic 0;
          }
      }
  }
Understanding the Loopback Interface for a High Availability VPN
In an IPsec VPN tunnel configuration, an external interface must be specified to communicate with the peer IKE gateway. Specifying a loopback interface for the external interface of a VPN is a good practice when there are multiple physical interfaces that can be used to reach a peer gateway. Anchoring a VPN tunnel on the loopback interface removes the dependency on a physical interface for successful routing.
Using a loopback interface for VPN tunnels is supported on standalone SRX Series Firewalls as well as on SRX Series Firewalls in chassis clusters. In a chassis cluster active-passive deployment, you can create a logical loopback interface and make it a member of a redundancy group so that it can be used to anchor VPN tunnels. The loopback interface can be configured in any redundancy group and is assigned as the external interface for the IKE gateway. VPN packets are processed on the node where the redundancy group is active.
In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus an active external interface determines the anchor SPU.
You can use the show chassis cluster interfaces command to view information on the redundant pseudointerface.
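As an added configuration example (not from this page) of the design just described: a loopback unit placed in a redundancy group and used as the IKE external interface on a chassis cluster. The unit number, address, zone name, redundancy group number and gateway name are assumptions chosen for illustration; the redundant-pseudo-interface-options statement is the Junos OS mechanism for making lo0 follow a redundancy group, and is not shown on this page, so confirm it for your release:

```junos
[edit]
## Loopback unit that the peer gateway will see as our IKE endpoint (address assumed)
user@host# set interfaces lo0 unit 1 family inet address 203.0.113.1/32
## Make lo0 a redundant pseudointerface that follows redundancy group 1
user@host# set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1
## The loopback must be in a zone that permits IKE inbound, like any IKE external interface
user@host# set security zones security-zone untrust interfaces lo0.1 host-inbound-traffic system-services ike
## Anchor the tunnel on the loopback rather than on a physical interface
user@host# set security ike gateway peer-gw external-interface lo0.1
user@host# commit
```

After the commit, run show chassis cluster interfaces on both nodes: the pseudointerface should report as active on the node where redundancy group 1 is primary, and that node is where the anchor SPU for the tunnel is selected.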
Platform-Specific High Availability VPN Loopback Interface Behavior
Use Feature Explorer to confirm platform and release support for specific features.
Use the following table to review platform-specific behaviors for your platforms.
Platform | Difference
---|---
SRX Series |