This article describes a solution for an issue in which traffic is delayed or lost when passing through two VAP groups that are connected using an external router or switch. The following symptoms may be seen:
Unstable traffic flows when VAP groups are connected using an external circuit
Delayed packets or packets dropped as "out of state" by the firewall application
Significant number of retransmissions
Unequal load balancing between VAP group members
This situation occurs when traffic enters the first VAP group, leaves the chassis and re-enters it again to be processed by another VAP group:
The NPM uses IP header information (source/destination IP address, protocol, source/destination port) together with the domain-id assigned to the ingress circuit to classify and distinguish flows. When all circuits have the same domain-id and traffic is serialized externally as in the scenario above, the same IP connection is classified twice for each packet and direction. When a packet leaves the first VAP group and re-enters the NPM destined for the second VAP group, the original flow information is invalidated and overwritten by a new flow created for the second VAP group.
Similarly, return traffic will need to be re-classified when received by the NPM. In addition, if VAP groups have multiple members, the return flow may be sent to another VAP in the VAP group, resulting in asymmetrical routing and potential traffic drops by the firewall application.
When using an external serialization design, a different domain-id must be configured on the circuits connecting the VAP groups. This allows the NPM to distinguish traffic for each VAP group and to establish stable, separate flows. For example:
vap-group <VAP-GROUP 1>
ip 188.8.131.52/24 184.108.40.206
vap-group <VAP-GROUP 2>
ip 220.127.116.11/24 18.104.22.168
NOTE: You cannot change the domain for an existing circuit. You must delete the circuit and re-create it with a unique domain-id.
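As an added illustration (a constructed model, not the vendor's code or this article's configuration), the following Python script replays one connection through the two-VAP-group path described above and counts how often the NPM flow entry is invalidated, first with all circuits in one domain and then with the second VAP group's circuits in a separate domain. Circuit names, addresses and the hash-based member selection are assumptions.

```python
import hashlib

# Constructed model of NPM flow classification: an entry is keyed by the
# IP 5-tuple plus the domain-id of the circuit the packet arrived on.

def flow_key(pkt, domain_id):
    # Order the endpoints so both directions of a connection share one entry.
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (tuple(ends), pkt["proto"], domain_id)

def pick_member(key, vap_group, members):
    # Stand-in for the NPM load balancer (assumption): hash of the flow key.
    h = hashlib.sha256(repr((key, vap_group)).encode()).digest()
    return int.from_bytes(h[:4], "big") % members + 1

def run(circuits, packets, members=2):
    """Replay (ingress circuit, packet) events. circuits maps a circuit name to
    (domain_id, vap_group). Returns (re-classification count, flow table)."""
    flows, reclassified = {}, 0
    for circuit, pkt in packets:
        domain_id, vap_group = circuits[circuit]
        key = flow_key(pkt, domain_id)
        entry = flows.get(key)
        if entry is None or entry[0] != vap_group:
            if entry is not None:
                reclassified += 1  # existing flow invalidated and overwritten
            entry = (vap_group, pick_member(key, vap_group, members))
            flows[key] = entry
    return reclassified, flows

# Constructed path: client -> VAP group 1 -> external router -> VAP group 2 ->
# server, then the reply back along the same path. Only ingress events are
# listed, since that is where the NPM classifies.
FWD = {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6, "sport": 40000, "dport": 443}
REV = {"src": "10.2.2.20", "dst": "10.1.1.10", "proto": 6, "sport": 443, "dport": 40000}
PACKETS = [("vg1_outside", FWD), ("vg2_link", FWD),
           ("vg2_inside", REV), ("vg1_link", REV)] * 3  # three round trips

# circuit -> (domain_id, vap_group); the *_link circuits are the external hop
SAME_DOMAIN = {"vg1_outside": (1, 1), "vg1_link": (1, 1),
               "vg2_link": (1, 2), "vg2_inside": (1, 2)}
SEPARATE = {"vg1_outside": (1, 1), "vg1_link": (1, 1),
            "vg2_link": (2, 2), "vg2_inside": (2, 2)}

if __name__ == "__main__":
    print("same domain-id:   ", run(SAME_DOMAIN, PACKETS))
    print("separate domain-id:", run(SEPARATE, PACKETS))
```

With one domain the single flow entry flips between the two VAP groups on every hop, so each packet after the first is re-classified and may land on a different member; with separate domains two stable entries exist and nothing is re-classified.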
As a temporary workaround to avoid the firewall drops, the VAP groups can be reduced to one member by configuring the max-load-count to 1. However, this workaround does not resolve the re-classification issue.
Imported Document ID: 000019002