When a USG5310 at headquarters establishes IPSec tunnels with branches, the ping delay becomes large

Publication Date: 2012-10-09
Issue Description
The customer's headquarters uses a USG5310 to establish IPSec tunnels with its branches. The headquarters has a fixed IP address and uses the template method. The headquarters establishes an IPSec tunnel with each branch, and the branches establish IPSec tunnels with each other through headquarters. All IPSec tunnels are established successfully. The problem: pinging a branch from an internal headquarters PC is normal, but as soon as any branch nodes ping each other, the headquarters-to-branch ping delay becomes large. If the branches do not ping each other, the delay is normal.
Alarm Information
None.
Handling Process
First have the branches ping each other, then ping a branch from an internal network server at headquarters. Before order preserving is disabled, the delay is dozens to hundreds of ms. After order preserving is disabled, the delay immediately drops to 16 to 20 ms.
Root Cause
1. Caused by an MTU problem
2. Caused by order preserving being enabled
Suggestions
This problem exists in version V100R003C01SPC600. When order preserving and IPSec are used together, IPSec packets can cause the order-preserving queue to time out during processing, which affects the rate of other packets. Another circumstance is that when a branch node accesses another branch node, a packet goes through decryption and encryption at the same time, which affects the rate of packets that only need decryption.
The USG5300 series firewalls have multi-core CPUs. After packets are received, differences in each packet's processing flow and in how busy or idle each core is cause packets to go out of order: a packet that entered the firewall first may be sent later. Some application scenarios place higher demands on packet order, so the order-preserving function is needed.
The principle of order preserving is:
A queue is created for each physical interface. Each packet is numbered when it is received from the interface and is sent according to that order. If a later packet finishes processing first, it waits in the queue and is not sent until the packets received before it have been processed.
If this kind of problem appears again, turn off FIFO (undo firewall fifo enable) and check whether the problem is solved. Turning it off has no influence on Internet services.
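The order-preserving principle described above, as a simplified model showing how one slow packet delays the packets queued behind it on the same interface. This is an added example, not Huawei's implementation; the `simulate` function, the core-assignment rule and the millisecond costs are assumptions constructed for illustration.

```python
import heapq

def simulate(packets, cores, preserve_order):
    """Return [(label, latency_ms)] for packets received on ONE interface.

    packets: (arrival_ms, processing_ms, label) tuples, in arrival order.
    Model assumption: each packet goes to whichever core frees up first.
    """
    core_free = [0] * cores          # time at which each core becomes idle
    finished = []
    for arrival, cost, _ in packets:
        start = max(arrival, heapq.heappop(core_free))
        heapq.heappush(core_free, start + cost)
        finished.append(start + cost)

    results, prev_release = [], 0
    for (arrival, _, label), done in zip(packets, finished):
        # Order preserving: a packet may not leave before its predecessor,
        # so it waits in the interface queue even if its own work is done.
        release = max(done, prev_release) if preserve_order else done
        prev_release = release
        results.append((label, release - arrival))
    return results

# Constructed sample: one slow branch-to-branch packet (decrypt + encrypt)
# followed by three cheap packets. The millisecond costs are illustrative only.
SAMPLE = [
    (0, 40, "branch-to-branch"),
    (1, 1, "hq-ping-1"),
    (2, 1, "hq-ping-2"),
    (3, 1, "hq-ping-3"),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("order preserving", "on" if mode else "off")
        for label, latency in simulate(SAMPLE, cores=4, preserve_order=mode):
            print(f"  {label:18s} {latency:3d} ms")
```

With order preserving on, the three cheap packets inherit almost all of the slow packet's delay; with it off, each leaves as soon as its own processing ends, at the cost of being sent out of arrival order.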