
VPN Session Affinity

You can optimize the performance of IPsec VPN traffic and minimize packet forwarding overhead by enabling VPN session affinity and performance acceleration.

Understanding VPN Session Affinity

VPN session affinity addresses the case in which a cleartext session is located on a Services Processing Unit (SPU) different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to place the cleartext session and the IPsec tunnel session on the same SPU. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.

Without VPN session affinity, a cleartext session created by the flow module might be located on one SPU while the tunnel session created by IPsec is located on another SPU. An SPU-to-SPU forward, or hop, is then needed to route cleartext packets to the IPsec tunnel.

By default, VPN session affinity is disabled on SRX Series Firewalls. When VPN session affinity is enabled, a new cleartext session is placed on the same SPU as the IPsec tunnel session. Existing cleartext sessions are not affected.

Junos OS Release 15.1X49-D10 introduces the SRX5K-MPC3-100G10G (IOC3) and the SRX5K-MPC3-40G10G (IOC3) for SRX5400, SRX5600, and SRX5800 devices.

The SRX5K-MPC (IOC2) and the IOC3 support VPN session affinity through improved flow module and session cache. With IOCs, the flow module creates sessions for IPsec tunnel-based traffic before encryption and after decryption on its tunnel-anchored SPU and installs the session cache for the sessions so that the IOC can redirect the packets to the same SPU to minimize packet forwarding overhead. Express Path (previously known as services offloading) traffic and NP cache traffic share the same session cache table on the IOCs.

To display active tunnel sessions on SPUs, use the show security ipsec security-association command and specify the Flexible PIC Concentrator (FPC) and Physical Interface Card (PIC) slots that contain the SPU. For example:

You need to evaluate the tunnel distribution and traffic patterns in your network to determine if VPN session affinity should be enabled.

Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU). If the configured encryption or authentication changes, the tunnel overhead is updated on the anchor SPU when a new IPsec security association is established.

The VPN session affinity limitations are as follows:

  • Traffic across logical systems is not supported.

  • If there is a route change, established cleartext sessions remain on an SPU and traffic is rerouted if possible. Sessions created after the route change can be set up on a different SPU.

  • VPN session affinity only affects self traffic that terminates on the device (also known as host-inbound traffic); self traffic that originates from the device (also known as host-outbound traffic) is not affected.

  • Multicast replication and forwarding performance is not affected.

Enabling VPN Session Affinity

By default, VPN session affinity is disabled on SRX Series Firewalls. Enabling VPN session affinity can improve VPN throughput under certain conditions. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices. This section describes how to use the CLI to enable VPN session affinity.

Determine if clear-text sessions are being forwarded to IPsec tunnel sessions on a different SPU. Use the show security flow session command to display session information about clear-text sessions.

In the example, there is a tunnel session on FPC 3, PIC 0 and a clear-text session on FPC 6, PIC 0. A forwarding session (session ID 60017354) is set up on FPC 3, PIC 0.

Junos OS Release 15.1X49-D10 introduces session affinity support on IOCs (SRX5K-MPC [IOC2], SRX5K-MPC3-100G10G [IOC3], and SRX5K-MPC3-40G10G [IOC3]) and Junos OS Release 12.3X48-D30 introduces session affinity support on IOC2. You can enable session affinity for the IPsec tunnel session on the IOC FPCs. To enable IPsec VPN affinity, you must also enable the session cache on IOCs by using the set chassis fpc fpc-slot np-cache command.

To enable VPN session affinity:

  1. In configuration mode, use the set command to enable VPN session affinity.
  2. Check your changes to the configuration before committing.
  3. Commit the configuration.

After enabling VPN session affinity, use the show security flow session command to display session information about clear-text sessions.

After VPN session affinity is enabled, the clear-text session is always located on FPC 3, PIC 0.
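The following is an added example of the procedure above on an SRX5000-line device with IOC2/IOC3 cards; it is not configuration from the Juniper page. The FPC slot numbers, the session names, and the exact placement of the np-cache and session-affinity statements in the configuration hierarchy are assumptions taken from memory, so confirm them with "?" completion on your release before committing. Lines beginning with "#" are annotations, not CLI input.

```junos
# Operational mode: record which SPU anchors the tunnel session and which
# SPU holds the cleartext session before changing anything (the page's
# example had the tunnel on FPC 3, PIC 0 and cleartext on FPC 6, PIC 0).
show security ipsec security-association fpc 3 pic 0
show security flow session

# Configuration mode.
configure

# Step 1a (assumed hierarchy): enable the session cache on every IOC
# (IOC2/IOC3) that carries the IPsec traffic. Without the cache the IOC
# cannot redirect packets to the tunnel's anchor SPU.
set chassis fpc 0 np-cache
set chassis fpc 1 np-cache

# Step 1b (assumed hierarchy): enable VPN session affinity for IPsec.
set security flow load-distribution session-affinity ipsec

# Step 2: review the candidate configuration and validate it.
show | compare
commit check

# Step 3: commit. Existing cleartext sessions keep their current SPU;
# only cleartext sessions created after this point are placed on the
# same SPU as the tunnel session.
commit

# Verify after new cleartext traffic has started: the cleartext session
# should now be listed under the same FPC/PIC as the tunnel session.
run show security flow session
run show security ipsec security-association fpc 3 pic 0
```

If a cleartext session still shows up on a different FPC/PIC after the commit, check whether it predates the change (it will not be moved) and whether np-cache is enabled on the IOC that actually receives that traffic.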

Accelerating the IPsec VPN Traffic Performance

You can accelerate IPsec VPN performance by configuring the performance acceleration parameter. By default, VPN performance acceleration is disabled on SRX Series Firewalls. Enabling VPN performance acceleration can improve VPN throughput when VPN session affinity is also enabled. This feature is supported only on SRX5400, SRX5600, and SRX5800 devices.

This topic describes how to use the CLI to enable VPN performance acceleration.

To enable performance acceleration, you must ensure that cleartext sessions and IPsec tunnel sessions are established on the same Services Processing Unit (SPU). Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled. For more information on enabling session affinity, see Understanding VPN Session Affinity.

To enable IPsec VPN performance acceleration:

  1. Enable VPN session affinity.
  2. Enable IPsec performance acceleration.
  3. Check your changes to the configuration before committing.
  4. Commit the configuration.

After enabling VPN performance acceleration, use the show security flow status command to display flow status.
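The following is an added example of the four-step procedure above, not configuration from the Juniper page. The placement of the ipsec-performance-acceleration and session-affinity statements in the hierarchy is an assumption from memory; verify it with "?" completion on your release. Lines beginning with "#" are annotations, not CLI input.

```junos
configure

# Step 1: session affinity is a prerequisite (assumed hierarchy). If it is
# already enabled this line is a no-op in "show | compare".
set security flow load-distribution session-affinity ipsec

# Step 2: enable IPsec performance acceleration (assumed hierarchy).
set security flow ipsec-performance-acceleration

# Step 3: confirm only the two statements above are being added, then
# validate the candidate configuration.
show | compare
commit check

# Step 4: commit.
commit

# Verify: the flow status output is where the acceleration state is
# reported; check that it now shows the feature as enabled.
run show security flow status
```

Because acceleration only helps when the cleartext and tunnel sessions share an SPU, confirm with run show security flow session that new cleartext sessions land on the tunnel's anchor SPU before attributing any throughput change to this setting.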

IPsec Distribution Profile

Starting with Junos OS Release 19.2R1, you can configure one or more IPsec distribution profiles for IPsec security associations (SAs). Tunnels are distributed evenly across all resources (SPCs) specified in the configured distribution profile. This feature is supported on SPC3-only and mixed-mode (SPC3 + SPC2) systems; it is not supported on SPC1 and SPC2 systems. With the IPsec distribution profile, use the set security ipsec vpn vpn-name distribution-profile distribution-profile-name command to associate tunnels with a specified:

  • Slot

  • PIC

Alternatively, you can use the default IPsec distribution profiles:

  • default-spc2-profile: Use this predefined default profile to associate IPsec tunnels with all available SPC2 cards.

  • default-spc3-profile: Use this predefined default profile to associate IPsec tunnels with all available SPC3 cards.

You can now assign a profile to a specific VPN object, where all associated tunnels will be distributed based on this profile. If no profile is assigned to the VPN object, the SRX Series Firewall automatically distributes these tunnels evenly across all resources.

You can associate a VPN object with either a user-defined profile or a predefined (default) profile.

Starting in Junos OS Release 20.2R2, invalid thread IDs configured in a distribution profile are ignored and do not produce a commit-check error message. The IPsec tunnel is anchored according to the configured distribution profile, ignoring any invalid thread IDs in that profile.

In the following example, all tunnels associated with profile ABC will be distributed on FPC 0, PIC 0.
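The following is an added example, not configuration from the Juniper page, showing the page's profile ABC anchored on FPC 0, PIC 0 alongside a second user-defined profile that spreads tunnels across two PICs and a VPN that uses a predefined profile. The VPN names, the profile DC-EDGE, and the "fpc ... pic ..." form of the distribution-profile statement are assumptions; the statement form is from memory, so verify it with "?" completion. Lines beginning with "#" are annotations, not CLI input.

```junos
configure

# Profile ABC (from the page): every tunnel that uses it is anchored on
# FPC 0, PIC 0. Useful when one SPC3 is reserved for a specific VPN.
set security ipsec distribution-profile ABC fpc 0 pic 0

# Profile DC-EDGE (assumed name): two PICs listed, so tunnels that use it
# are distributed evenly across FPC 2 PIC 0 and FPC 2 PIC 1.
set security ipsec distribution-profile DC-EDGE fpc 2 pic 0
set security ipsec distribution-profile DC-EDGE fpc 2 pic 1

# Associate VPN objects (assumed names) with profiles.
set security ipsec vpn vpn-branch distribution-profile ABC
set security ipsec vpn vpn-dc distribution-profile DC-EDGE
# Predefined profile: anchor on any available SPC3 card.
set security ipsec vpn vpn-hub distribution-profile default-spc3-profile
# vpn-other has no profile, so its tunnels are distributed evenly across
# all resources by the device (no statement needed).

show | compare
commit check
commit

# Verify anchoring: tunnels for vpn-branch should appear only here.
run show security ipsec security-association fpc 0 pic 0
run show security ipsec security-association fpc 2 pic 0
run show security ipsec security-association fpc 2 pic 1
```

Note that from Junos OS Release 20.2R2 an invalid thread ID in a profile is silently ignored rather than rejected at commit check, so the verification step above is the only place a typo in the profile becomes visible.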

Understanding the Loopback Interface for a High Availability VPN

In an IPsec VPN tunnel configuration, an external interface must be specified to communicate with the peer IKE gateway. Specifying a loopback interface for the external interface of a VPN is a good practice when there are multiple physical interfaces that can be used to reach a peer gateway. Anchoring a VPN tunnel on the loopback interface removes the dependency on a physical interface for successful routing.

Using a loopback interface for VPN tunnels is supported on standalone SRX Series Firewalls as well as on SRX Series Firewalls in chassis clusters. In a chassis cluster active-passive deployment, you can create a logical loopback interface and make it a member of a redundancy group so that it can be used to anchor VPN tunnels. The loopback interface can be configured in any redundancy group and is assigned as the external interface for the IKE gateway. VPN packets are processed on the node where the redundancy group is active.

On SRX5400, SRX5600, and SRX5800 devices:

  • For SPC2-based devices running the kmd process, if the loopback interface is used as the IKE gateway external interface, configure the interface binding in a redundancy group other than RG0.

  • For SPC3-based or SPC3+SPC2-based devices running the iked process, binding the loopback interface to a redundancy group is not required.

In a chassis cluster setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus the active external interface determines the anchor SPU.

You can use the show chassis cluster interfaces command to view information on the redundant pseudointerface.
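The following is an added example, not configuration from the Juniper page, of anchoring a route-based VPN on a loopback interface in an active/passive chassis cluster. The addresses, interface units, zone and object names, and the pre-shared-key placeholder are constructed; the redundant-pseudo-interface-options binding and the IKE/IPsec statements are written from memory and should be verified with "?" completion. The redundancy group used is RG1, not RG0, to satisfy the SPC2/kmd rule above. Lines beginning with "#" are annotations, not CLI input.

```junos
configure

# Loopback unit that will be the VPN's external interface. Its address is
# reachable over either physical uplink, so a single link failure does not
# take the tunnel down. (Address is a constructed example.)
set interfaces lo0 unit 1 family inet address 203.0.113.1/32

# Redundancy group 1 (not RG0): primary on node 0, failover to node 1.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Bind lo0 to RG1 so it follows the active node. Required on SPC2/kmd
# clusters; on SPC3/iked clusters this binding is optional.
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1

# Put the loopback and the redundant uplink in the same zone and allow IKE
# to terminate on that zone; the tunnel interface goes in its own zone.
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust interfaces lo0.1
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

# IKE policy and gateway anchored on lo0.1 (peer address is constructed;
# replace the key placeholder with a real secret).
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "<PRE-SHARED-KEY-PLACEHOLDER>"
set security ike gateway gw-peer ike-policy ike-pol
set security ike gateway gw-peer address 198.51.100.10
set security ike gateway gw-peer external-interface lo0.1

# IPsec VPN bound to st0.0.
set interfaces st0 unit 0 family inet
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-peer bind-interface st0.0
set security ipsec vpn vpn-peer ike gateway gw-peer
set security ipsec vpn vpn-peer ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-peer establish-tunnels immediately

show | compare
commit check
commit

# Verify that lo0 is tracked as a redundant pseudointerface in RG1 and
# that the IKE SA is up on the node where RG1 is active.
run show chassis cluster interfaces
run show chassis cluster status
run show security ike security-associations
```

The peer must be able to route to 203.0.113.1 via whichever uplink is currently usable; advertise the loopback address (or add a static route on the peer) rather than relying on the address of a single physical interface.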

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release       Description
------------  -----------------------------------------------------------------
20.2R2        Starting in Junos OS Release 20.2R2, invalid thread IDs configured in a distribution profile are ignored and do not produce a commit-check error message. The IPsec tunnel is anchored according to the configured distribution profile, ignoring any invalid thread IDs in that profile.
17.4R1        Starting with Junos OS Release 17.4R1, IPsec VPN performance is optimized when the VPN session affinity and performance acceleration features are enabled.
12.3X48-D50   Starting with Junos OS Release 12.3X48-D50, Junos OS Release 15.1X49-D90, and Junos OS Release 17.3R1, if VPN session affinity is enabled on SRX5400, SRX5600, and SRX5800 devices, the tunnel overhead is calculated according to the negotiated encryption and authentication algorithms on the anchor Services Processing Unit (SPU).