
Tunnels Tab

Configuration > Networking > Tunnels > Tunnels

Use this tab to view, edit, add, or delete tunnels. Separate tables are provided for Overlay, Underlay, and Passthrough tunnels.

If you have deployed an SD-WAN network, Business Intent Overlays (BIOs) govern tunnel creation and properties. Overlay tunnels consist of bonded underlay tunnels.

Status: You can also filter by the following statuses: All, Up, or Down.

Add a Tunnel

The following fields are shown for each tunnel in the Overlay and Passthrough tables.

Appliance: Name of the selected appliance.
Segment: Name of the segment, if enabled.
Overlay Tunnel: Designated overlay tunnel.
Overlay: Tunnels are applied to this designated overlay.
Admin Status: Indicates whether the tunnel has been set to admin Up or Down.
Status: Indications are as follows:
  • Down – The tunnel is down. This can be because the tunnel administrative setting is down or the tunnel cannot communicate with the appliance at the other end. Possible causes are:
    • Lack of end-to-end connectivity / routability (test with iperf).
    • An intermediate firewall is dropping the packets (open the firewall).
    • An intermediate QoS policy is starving best-effort (be) packets (change the control packet DSCP marking).
    • Mismatched tunnel mode (udp / gre / ipsec / ipsec_udp).
    • IPSec is misconfigured: enabled on only one side (see show int tunnel configured), or the pre-shared keys do not match.
  • Down - In progress – The tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.
  • Down - Misconfigured – The two appliances are configured with the same System ID (see show system).
  • Up - Active – The tunnel is up and active. Traffic destined for this tunnel will be forwarded to the remote appliance.
  • Up - Active - Idle – The tunnel is up and active, but it has had no activity in the past five minutes, so it has slowed the rate at which it issues keep-alive packets.
  • Up - Reduced Functionality – The tunnel is up and active, but the two endpoint appliances are running mismatched software releases that give no performance benefit.
  • UNKNOWN – The tunnel status is unknown. This can be because the appliance is unable to retrieve the current tunnel status. Try again later.
MTU: Maximum Transmission Unit, the largest unit of data that can be sent on a given physical medium. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically and overrides the MTU setting.
Uptime: How long the tunnel has been up.
Underlay Tunnels: Designated underlay tunnel.
Live View: Live view of the status of the selected tunnel. You can view bandwidth, loss, jitter, latency, MOS, chart, or traceroute, select inbound or outbound, and lock the scale.
Historical Charts: A display of the historical charts for the selected appliance.

Troubleshooting

  1. Have you created and applied the Overlay to all the appliances on which you are expecting tunnels to be built?

    Verify this on the Apply Overlays tab.

  2. Are the appliances on which you are expecting the Overlays to be built using Release 8.0 or later?

    View the active software releases on Administration > Software > Upgrade > Software Versions.

  3. Do you have at least one WAN Label selected as a Primary port in the Overlay Policy?

    Verify this on the Business Intent Overlay tab in the WAN Links & Bonding Policy section.

  4. Are the same WAN labels selected in the Overlay assigned to the WAN interfaces on the appliances?

    Verify that at least one of the Primary Labels selected in the Business Intent Overlay is identical to a Label assigned on the appliance’s Deployment page. Tunnels are built between matching Labels on all appliances participating in the overlay.

  5. Do any two (or more) appliances have the same Site Name?

    We only assign the same Site Name if we do not want those appliances to connect directly. To view the list of Site Names, navigate to the Configuration > Networking > Tunnels > Tunnels tab, and then click Sites at the top.

Use Passthrough Tunnels

You would add a passthrough tunnel under the following circumstances:

  • For internet breakout to a trusted SaaS application, like Office 365

  • For service chaining to a cloud security service, like Zscaler or Symantec

    • This requires building secure and compatible third-party IPSec tunnels from EdgeConnect devices to non-EdgeConnect devices in the data center or cloud.

    • When you create the tunnel, the Service Name in the Business Intent Overlay’s Internet Traffic Policies must exactly match the Peer/Service specified in the Passthrough tunnel configuration.

    • To load balance, create two or more passthrough IPSec tunnels and, in the Business Intent Overlay, ensure that they all specify the same Service Name in the Internet Traffic Policies.

Tunnels CSH Edit Row

Use this dialog box to view, edit, or delete tunnels. Separate tables are provided for Overlay, Underlay, and Passthrough tunnels.


Add a Tunnel

Complete the following steps to add an underlay or passthrough tunnel.

  1. Select Underlay or Passthrough.

  2. Select Add Tunnel.

    The Add Tunnel dialog box opens.

  3. Complete the following fields for either underlay or passthrough tunnels.

    Underlay - Add Tunnel

    General

    Alias: Alias name of the tunnel.
    Mode: Indicates whether the tunnel protocol is UDP, GRE, or IPSec.
    Admin: Indicates whether the tunnel has been set to admin Up or Down.
    Local IP: Local IP address.
    Remote IP: Remote IP address.
    Auto discover MTU enabled: When enabled, allows the appliances to discover the tunnel MTU automatically.
    MTU: Maximum Transmission Unit (MTU) is the largest unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.
    Auto max BW enabled: When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.
    Max BW Kbps: Maximum amount of bandwidth, measured in Kbps.
    UDP destination port: Used in UDP mode. Accept the default value unless the port is blocked by a firewall.
    UDP flows: Used in UDP mode. Number of flows over which to distribute tunnel data.
    Min BW Kbps: Minimum amount of bandwidth, measured in Kbps.

    Packet

    Reorder wait: Maximum time the appliance holds an out-of-order packet when attempting to reorder. 100 ms is the default value and should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough.
    FEC: Forward Error Correction (FEC) can be set to enable, disable, or auto.
    FEC ratio: When FEC is set to auto, this specifies the maximum ratio. The options are 1:2, 1:5, 1:10, or 1:20.

    Tunnel Health

    Retry count: Number of failed keep-alive messages that are allowed before the appliance brings the tunnel down.
    DSCP: Determines the DSCP marking that the keep-alive messages should use.

    FastFail Thresholds

    Fastfail enabled: When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.

    The Fastfail connectivity detection algorithm computes the wait time from receipt of the last packet before declaring a brownout as:

    Twait = Base + N * RTTavg

    where Base is a value in milliseconds and N is a multiplier applied to the average Round Trip Time (RTTavg) over the past minute.

    For example, if:

    Base = 200 ms, N = 2, and RTTavg = 50 ms

    then Twait = 200 + 2 * 50 = 300 ms, and the appliance declares the tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.

    In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.

    This option is triggered when a tunnel’s keepalive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keepalive reply, its recovery is instantaneous.
    • If set to disable, keepalives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.
    • If set to enable, keepalives are sent every second, and a missed reply increases the rate at which keepalives are sent from one per second to ten per second. Failover occurs after one second.
    • When set to continuous, keepalives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.
    Latency: Amount of latency, measured in ms. Thresholds for Latency, Loss, and Jitter are checked once every second.
    • Three successive measurements that exceed the threshold put the tunnel into brownout, and flows attempt to fail over to another tunnel within the next 100 ms.
    • Three successive measurements that drop below the threshold take the tunnel out of brownout.
    Loss: Amount of data lost, measured in percent.
    Jitter: Amount of jitter, measured in ms.
    Fastfail wait-time base offset: Fastfail basic timeout time (Base, in ms).
    Fastfail RTT multiplication factor: Multiplier (N) applied to the RTT (Round Trip Time) that is added to the basic timeout.
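As an added illustration that is not part of the original help page, the following Python models the two Fastfail mechanisms described above: the Twait formula, and the three-successive-measurement hysteresis that moves a tunnel into and out of brownout. The per-second latency samples and the 100 ms threshold are constructed values chosen for the example.

```python
def fastfail_wait_time(base_ms, n, rtt_avg_ms):
    """Twait = Base + N * RTTavg (Base and N come from Tunnel Advanced Options)."""
    return base_ms + n * rtt_avg_ms


class ThresholdMonitor:
    """Brownout hysteresis for one metric (latency, loss or jitter).

    Three successive samples above the threshold enter brownout;
    three successive samples below the threshold clear it.
    """

    def __init__(self, threshold, required=3):
        self.threshold = threshold
        self.required = required
        self.in_brownout = False
        self._above = 0  # consecutive samples over the threshold
        self._below = 0  # consecutive samples under the threshold

    def observe(self, value):
        """Feed one per-second sample; return True if the brownout state changed."""
        if value > self.threshold:
            self._above, self._below = self._above + 1, 0
        elif value < self.threshold:
            self._below, self._above = self._below + 1, 0
        else:  # exactly at the threshold: neither streak advances
            self._above = self._below = 0
        if not self.in_brownout and self._above >= self.required:
            self.in_brownout = True
            return True
        if self.in_brownout and self._below >= self.required:
            self.in_brownout = False
            return True
        return False


def brownout_transitions(samples, threshold):
    """Return (second, in_brownout) for every state change in the sample run."""
    monitor = ThresholdMonitor(threshold)
    return [(t, monitor.in_brownout) for t, v in enumerate(samples) if monitor.observe(v)]


# Constructed per-second latency samples (ms); two spikes, only the second is sustained.
LATENCY_SAMPLES = [40, 120, 130, 50, 110, 120, 130, 90, 80, 110, 70, 60, 50]

if __name__ == "__main__":
    print(fastfail_wait_time(200, 2, 50))              # 300 ms, the page's worked example
    print(brownout_transitions(LATENCY_SAMPLES, 100))  # [(6, True), (12, False)]
```

Note that the two-sample spike at seconds 1 and 2 never triggers brownout, and the single sample over the threshold at second 9 does not clear it; both are the hysteresis doing its job.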

    Passthrough - Add Tunnel

    Some settings keep their default values. For the remaining options, see the following table.

    General

    Alias: Alias name of the tunnel.
    Mode: Indicates whether the tunnel protocol is UDP, GRE, or IPSec.
    Admin: Indicates whether the tunnel has been set to admin Up or Down.
    Local IP: Local IP address.
    Remote IP: Remote IP address.
    NAT: Whether NAT has been applied.
    Peer/Service: Enter the peer/service being used.
    Auto max BW enabled: Select whether auto max BW is enabled.
    Max BW Kbps: Maximum amount of bandwidth, measured in Kbps.

    IKE

    Access the following fields by clicking the IKE tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    Pre-shared key: Pre-shared key used for IKE authentication.
    Authentication algorithm: Authentication algorithm used for the IKE SA.
    Encryption algorithm: Encryption algorithm used for the IKE SA.
    Diffie-Hellman group: Diffie-Hellman group used for IKE SA negotiation.
    Rekey interval/lifetime: Rekey interval/lifetime of the IKE SA.
    Dead peer detection: Delay time is the interval at which the appliance checks whether the IKE peer is still alive. Retry count is the number of times to retry the connection before determining that the connection is dead.
    IKE identifier: ID of the IKE tunnel.
    Phase 1 mode: Exchange mode for the IKE SA negotiation.
    IKE version: Select IKE v1 or IKE v2.

    IPSec

    Access the following fields by clicking the IPSec tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    Authentication algorithm: Authentication algorithm used for the IPSec SA.
    Encryption algorithm: Encryption algorithm used for the IPSec SA.
    IPSec anti-replay window: Select a window size from the drop-down list, or select Disable to turn off the IPSec anti-replay window. When a size is selected, each encrypted packet carries a unique sequence number, and the receiver uses the window to reject packets that an attacker has captured and replayed.
    Rekey interval/lifetime: Rekey interval/lifetime of the IPSec SA.
    Perfect forward secrecy group: Diffie-Hellman group used for IPSec SA negotiation.
  4. Click Save.
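To make the IPSec anti-replay window field above concrete, here is an added Python example (not code from the original page or from the product) of a receiver-side sliding window over ESP sequence numbers: each number is accepted once, and duplicates or numbers older than the window are rejected. The window size of 64 and the stream of received sequence numbers are constructed; passing None models the Disable option.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over ESP sequence numbers.

    `size` is the window width in packets; None models the Disable option,
    which accepts every packet, replays included.
    """

    def __init__(self, size):
        self.size = size
        self.highest = 0  # highest sequence number accepted so far (numbering starts at 1)
        self.bitmap = 0   # bit i set => sequence number (highest - i) already seen

    def accept(self, seq):
        """Return True if `seq` is new and inside the window, else False."""
        if self.size is None:
            return True
        if seq <= 0:
            return False
        if seq > self.highest:
            # Slide the window forward so that bit 0 represents `seq` itself.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than the window: cannot tell whether it was seen
        if (self.bitmap >> offset) & 1:
            return False  # already received: a replayed packet
        self.bitmap |= 1 << offset
        return True


def filter_sequence(size, seqs):
    """Run every received sequence number through one window and list the verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed stream: in-order packets, a duplicate, reordering, a large jump, a stale packet.
RECEIVED = [1, 2, 3, 3, 10, 5, 2, 100, 30, 40]

if __name__ == "__main__":
    print(filter_sequence(64, RECEIVED))    # duplicates (3, 2) and stale (30) rejected
    print(filter_sequence(None, RECEIVED))  # Disable: everything accepted, replays included
```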



© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.