You should be aware of a performance issue that affects a certain IPsec connection configuration, and of the best practice recommendation for eliminating it.
Performance issues can occur when a customer environment contains more than one Cloud Edge gateway with multiple IPsec VPN connections. When traffic passes through multiple IPsec connections, Cloud Edge scans the traffic as it traverses each connection. Multiple scans do not provide better detection, but multiple scans of the same traffic do result in a performance drop.
To avoid unnecessary scans, the best practice is to scan traffic only once, on the Cloud Edge gateway closest to the incoming traffic, and to configure the other gateways on the route from source to destination to bypass the scan. To achieve this, use gateway policy rules to bypass scanning on every gateway except the one closest to the IPsec traffic.
Best Practice Configuration Rules

| Gateway's Role in Configuration | Rule Guidelines |
| --- | --- |
| Full-mesh IPsec gateways | Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields: |
| Spokes of a star IPsec gateway | Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields: |
| Hub of a star IPsec gateway | Create a policy rule where the Action is to Bypass traffic and add the following to the specified fields: |
Example: Star Site-to-Site IPsec VPN with one hub and two spokes

| Gateway | Role | Private Network | Bypass Rule |
| --- | --- | --- | --- |
| Spoke IPsec gateway (GS1) | Star spoke | NS1 | |
| Hub IPsec gateway (GH1) | Star hub | NH1 | |
| Spoke IPsec gateway (GS2) | Star spoke | NS2 | |
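The following script is an added illustration of the scan-once principle described above; it is not part of the Cloud Edge documentation or product. It models the star example (GS1/NS1, GH1/NH1, GS2/NS2) as gateways joined by IPsec tunnels, walks the route for every pair of private networks, lets the first gateway on the route scan, and collects, for every other gateway on the route, the source networks whose traffic it should bypass. The hub-and-spoke tunnel wiring, the helper names and the idea of keying bypass rules on the source network are assumptions for the illustration; which console fields a real bypass rule uses is not something the script knows.

```python
"""Decide which IPsec gateway scans a flow and which gateways bypass it (added example)."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed topology, modelled on the page's star example.
# Gateway and network names follow the page; the tunnel wiring is an assumption.
GATEWAY_NETWORK: Dict[str, str] = {"GS1": "NS1", "GH1": "NH1", "GS2": "NS2"}
STAR_TUNNELS: List[Tuple[str, str]] = [("GS1", "GH1"), ("GS2", "GH1")]
# A full-mesh variant for comparison: every gateway has a direct tunnel to every other.
FULL_MESH_TUNNELS: List[Tuple[str, str]] = [("GS1", "GH1"), ("GS2", "GH1"), ("GS1", "GS2")]


def build_adjacency(tunnels: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency map: gateway -> gateways it has an IPsec tunnel to."""
    adj: Dict[str, Set[str]] = {}
    for a, b in tunnels:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def gateway_path(tunnels: List[Tuple[str, str]], src_gw: str, dst_gw: str) -> List[str]:
    """Shortest route over IPsec tunnels, as the ordered list of gateways traffic crosses."""
    adj = build_adjacency(tunnels)
    prev: Dict[str, object] = {src_gw: None}
    queue = deque([src_gw])
    while queue:
        node = queue.popleft()
        if node == dst_gw:
            break
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst_gw not in prev:
        raise ValueError(f"no IPsec route between {src_gw} and {dst_gw}")
    path: List[str] = []
    node = dst_gw
    while node is not None:
        path.append(node)
        node = prev[node]  # type: ignore[assignment]
    return list(reversed(path))


def scan_plan(gateway_network: Dict[str, str], tunnels: List[Tuple[str, str]]):
    """Apply the page's rule: the gateway closest to the incoming traffic (first on the
    route) scans; every later gateway on the route bypasses that traffic.

    Returns (scans, bypass): scans maps (src_net, dst_net) -> scanning gateway, and
    bypass maps gateway -> set of source networks it should bypass.
    """
    net_gateway = {net: gw for gw, net in gateway_network.items()}
    bypass: Dict[str, Set[str]] = {gw: set() for gw in gateway_network}
    scans: Dict[Tuple[str, str], str] = {}
    for src_net, src_gw in net_gateway.items():
        for dst_net, dst_gw in net_gateway.items():
            if src_net == dst_net:
                continue
            path = gateway_path(tunnels, src_gw, dst_gw)
            scans[(src_net, dst_net)] = path[0]
            for gw in path[1:]:
                bypass[gw].add(src_net)
    return scans, bypass


def scan_count(path: List[str], bypass: Dict[str, Set[str]], src_net: str) -> int:
    """How many gateways on the route actually scan traffic from src_net."""
    return sum(1 for gw in path if src_net not in bypass.get(gw, set()))


if __name__ == "__main__":
    scans, bypass = scan_plan(GATEWAY_NETWORK, STAR_TUNNELS)
    route = gateway_path(STAR_TUNNELS, "GS1", "GS2")
    print("NS1 -> NS2 route:", " -> ".join(route))
    print("without bypass rules:", scan_count(route, {}, "NS1"), "scans")
    print("with bypass rules:   ", scan_count(route, bypass, "NS1"), "scan")
    for gw in GATEWAY_NETWORK:
        print(f"{gw}: bypass traffic from {sorted(bypass[gw])}")
```

In the star layout the hub ends up bypassing traffic sourced from both spoke networks, and each spoke bypasses traffic from the hub network and from the other spoke, so a flow from NS1 to NS2 is inspected once (on GS1) instead of three times (GS1, GH1 and GS2). Running the same plan over `FULL_MESH_TUNNELS` gives each gateway a direct route to every peer, so only the sending gateway ever scans and the receiving gateway bypasses, which is the full-mesh row of the table above.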