
Tunnel Settings Tab

Orchestrator > Orchestrator Server > Tools > Tunnels Settings

Use this tab to manage the properties of tunnels that Orchestrator creates. It provides General, IKE, and IPSec tunnel settings for each of the MPLS, Internet, and LTE WAN interface labels.

General Tab

Access the following fields on the General Tab.

General

Field Description
Mode Indicates whether the tunnel protocol is IPSec, IPSec UDP, UDP, or GRE. If you select IPSec, you can specify the IKE version on the IKE tab.
Auto max BW enabled Allows the appliances to auto-negotiate the maximum tunnel bandwidth.
Auto discover MTU enabled Allows the appliances to discover the tunnel MTU automatically instead of using the configured MTU value.
MTU Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported.

Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.
UDP destination port Used in UDP mode. Accept the default value unless the port is blocked by a firewall.
UDP flows Used in UDP mode. Indicates the number of flows over which to distribute tunnel data. Accept the default.

Packet

Field Description
Reorder wait Maximum time the appliance holds an out-of-order packet when attempting to reorder. The packets can come from the same or a different path, or from the FEC correction engine. 100ms is the default value and should be adequate for most situations. If the reorder wait time exceeds 100ms (or the set value), the packet is delivered out of order.
FEC Forward Error Correction (FEC) can be set to enable, disable, or auto.
FEC ratio When FEC is set to auto, this specifies the maximum ratio. The options are 1:2, 1:5, 1:10, or 1:20.
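The FEC ratio above is easier to reason about with a model of what a 1:N ratio costs and what it can repair. The following is an added example written for this page, not code from Orchestrator or from the appliance: it implements the simplest parity scheme, one XOR parity packet per group of N data packets, so that a single lost packet in a group is rebuilt without retransmission and the bandwidth overhead is 100/N percent. The function names, the on-wire unit layout, and the sample packets are all constructed for the illustration; the appliance's actual FEC coding is not documented on this page.

```python
def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("packets in a FEC block must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode(packets, n):
    """Encode with a 1:n ratio: for every n data packets, send one XOR parity packet.

    Returns wire units as (block_id, index, payload); index == n marks the
    parity unit of a block. The last block may hold fewer than n data packets.
    (Illustrative layout; not the appliance's wire format.)
    """
    wire = []
    for start in range(0, len(packets), n):
        block = packets[start:start + n]
        block_id = start // n
        parity = bytes(len(block[0]))
        for i, payload in enumerate(block):
            parity = xor_bytes(parity, payload)
            wire.append((block_id, i, payload))
        wire.append((block_id, n, parity))
    return wire


def fec_decode(wire, n, total):
    """Rebuild `total` data packets from whatever units arrived.

    A block missing exactly one data unit is repaired by XORing the parity
    with the remaining data units. Two or more losses in one block cannot be
    repaired by a single parity and are returned as None.
    """
    blocks = {}
    for block_id, index, payload in wire:
        blocks.setdefault(block_id, {})[index] = payload
    recovered = [None] * total
    for block_id, units in blocks.items():
        data_count = min(n, total - block_id * n)
        missing = [i for i in range(data_count) if i not in units]
        if len(missing) == 1 and n in units:
            repaired = units[n]
            for i in range(data_count):
                if i in units:
                    repaired = xor_bytes(repaired, units[i])
            units[missing[0]] = repaired
        for i in range(data_count):
            if i in units:
                recovered[block_id * n + i] = units[i]
    return recovered


def overhead_pct(n):
    """Bandwidth overhead of a 1:n ratio: one parity packet per n data packets."""
    return 100.0 / n


if __name__ == "__main__":
    # Constructed sample: ten 8-byte packets, coded at 1:5, with packet 2 dropped.
    pkts = [bytes([i]) * 8 for i in range(10)]
    wire = fec_encode(pkts, 5)
    lossy = [u for u in wire if not (u[0] == 0 and u[1] == 2)]
    print(fec_decode(lossy, 5, 10) == pkts, overhead_pct(5))
```

The trade-off the ratio field exposes is visible in the two functions: 1:2 doubles the bytes on the wire but tolerates one loss in every pair, while 1:20 costs five percent and still repairs only one loss per twenty packets. Losses that are bursty rather than evenly spread defeat a single parity, which is why the appliance pairs FEC with the reorder wait and path failover rather than relying on it alone.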

Tunnel Health

Field Description
Retry count Number of failed keep-alive messages allowed before the appliance brings the tunnel down.
DSCP Determines the DSCP marking that the keep-alive messages should use.

FastFail Thresholds

Field Description
Fastfail enabled Fastfail thresholds determine how quickly to disqualify a tunnel from carrying data when multiple tunnels carry data between two appliances.

Fastfail connectivity detection computes the wait time after the last received packet before it declares a brownout as:

Twait = Base + N * RTTavg

where Base is a value in milliseconds and N is the multiplier of the average Round Trip Time over the past minute.

For example, if:

Base = 200 ms
N = 2
RTTavg = 50 ms

then:

Twait = 200 + 2 * 50 = 300 ms

The appliance declares the tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.

In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.

Fastfail enabled - This option controls what happens when a tunnel's keep-alive does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous.

If set to disable, keep-alives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.

If set to enable, keep-alives are sent every second, and a missed reply increases the rate at which keep-alives are sent from one per second to ten per second. Failover occurs after one second.

When set to continuous, keep-alives are continuously sent at ten per second. Therefore, failover occurs after one-tenth of a second.
Latency Latency threshold, in ms. The Latency, Loss, and Jitter thresholds are each checked once per second.

Three successive measurements that exceed a threshold put the tunnel into brownout, and flows attempt to fail over to another tunnel within the next 100 ms.

Three successive measurements below the threshold take the tunnel out of brownout.
Loss Packet loss threshold, in percent.
Jitter Jitter threshold, in ms.
Fastfail wait-time base offset Base time used when calculating the fastfail timeout.
Fastfail RTT multiplication factor Multiplier in the formula used to calculate the fastfail timeout.

IKE Tab

Access the following fields by clicking the IKE tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.

IKE

Field Description
Authentication algorithm Integrity (hash) algorithm used to authenticate the IKE SA. Select SHA-1, SHA2-256, SHA2-384, or SHA2-512. SHA-1 is offered for interoperability with older peers; prefer a SHA2 variant where the remote end supports it.
Encryption algorithm Specifies the encryption algorithm used for the Phase 1 negotiation. Select AES-256, AES-128, or auto.
Diffie-Hellman group Diffie-Hellman group used for IKE SA negotiation.
Rekey interval/lifetime Rekey interval/lifetime of IKE SA.
Dead peer detection Delay time: Amount of time, in seconds, to wait for traffic from the destination IKE peer.

Retry count: Number of times to retry the connection before determining that the connection is dead.

NOTE: Dead Peer Detection is supported only on EdgeConnect appliances running VXOA software version 8.2.1 and higher.
Phase 1 mode Defines the exchange mode for Phase 1. The options are Main or Aggressive. Main and Aggressive are IKEv1 exchange modes; IKEv2 uses a single IKE_SA_INIT/IKE_AUTH exchange and does not distinguish between them. If IKEv2 is selected, the default mode shown is aggressive. For IKEv1, Aggressive mode sends the peer identities unprotected and, with pre-shared keys, exposes a hash that can be attacked offline, so prefer Main mode unless the peer requires Aggressive.
IKE version IKE major version. Select IKEv1 or IKEv2.

IPSec Tab

Access the following fields by clicking the IPSec tab. The IPSec tab is displayed only if the Mode field on the General tab is set to IPSec or IPSec UDP.

IPSec

Field Description
Authentication algorithm Authentication algorithm used by IPSec SA. Select SHA-1, SHA2-256, SHA2-384, or SHA2-512.
Encryption algorithm Specifies the encryption algorithm used by the IPSec SA (Phase 2). Select AES-256, AES-128, or auto.
IPSec anti-replay window Select a window size from the drop-down list, or Disable to turn the IPSec anti-replay window off. Each encrypted packet carries a unique, increasing sequence number; with a window enabled, the receiver tracks the most recent sequence numbers and discards any packet that repeats one already seen or that is older than the window, which prevents an attacker from replaying captured encrypted packets. With Disable, replayed packets are accepted.
Rekey interval/lifetime Rekey interval/lifetime of the IPSec SA.
Perfect forward secrecy group Specifies the Diffie-Hellman group used for a fresh key exchange during IPSec SA negotiation, so that compromise of the IKE SA keys does not expose earlier IPSec SA keys.
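To make the anti-replay window concrete, here is an added example of the receiver-side sliding-window check that the field enables or disables. It is written for this page and is not the appliance's implementation; it follows the window algorithm described for ESP in RFC 4303 (highest sequence number seen plus a bitmap of the most recent ones), and the class name, method names and sample sequence are assumptions for the illustration. Extended sequence numbers are not modelled.

```python
class AntiReplayWindow:
    """Receiver-side IPsec anti-replay check (example modelled on RFC 4303 ESP).

    Keeps the highest sequence number accepted plus a bitmap of the `size`
    most recent numbers; drops anything older than the window or already seen.
    `size=None` models the UI's Disable: every sequence number is accepted,
    including exact duplicates, so a captured packet can be injected again.
    """

    def __init__(self, size=64):
        if size is not None and size <= 0:
            raise ValueError("window size must be positive or None (disabled)")
        self.size = size
        self.top = 0          # highest sequence number accepted (ESP starts at 1)
        self.bitmap = 0       # bit i set  <=>  sequence (top - i) has been seen

    def check(self, seq):
        """Pre-decrypt check: is `seq` acceptable? Does not modify state."""
        if self.size is None:
            return True
        if seq == 0:                       # never valid: ESP starts at 1, no wrap without ESN
            return False
        if seq > self.top:                 # new high-water mark: always fresh
            return True
        diff = self.top - seq
        if diff >= self.size:              # fell off the left edge: too old
            return False
        return not (self.bitmap & (1 << diff))   # inside window: fresh unless bit set

    def update(self, seq):
        """Post-verification update: call only after the ICV check succeeds,
        so a forged packet with a high sequence number cannot advance the window."""
        if self.size is None:
            return
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq):
        """check + update in one call, standing in for a packet whose ICV verified."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


if __name__ == "__main__":
    # Constructed arrival order: mild reordering, one replay, then a burst that
    # slides the window far enough to expire an old number.
    w = AntiReplayWindow(size=64)
    for seq in (1, 3, 2, 2, 100, 36, 37):
        print(seq, "accepted" if w.accept(seq) else "dropped")
```

The split between check and update is the part that matters for security: the check runs before the expensive decrypt so replays are cheap to drop, but the window is only advanced after the integrity check passes, otherwise an attacker could send an unauthenticated packet with a huge sequence number and cause the receiver to discard all legitimate traffic as "too old". Reordering inside the window (3 before 2 above) is accepted; a second copy of 2 is not.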


© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.