
Tunnels Template

NOTE: If you are deploying an SD-WAN network, the Business Intent Overlays (BIOs) govern tunnel properties. In this case, you do not need this template.

If you are not creating overlays, use this template to assign and manage tunnel properties.

  • Tunnel templates can be applied to any appliances (with or without tunnels). However, only existing tunnels can accept the template settings. To enable an appliance to apply these same settings to future tunnels, select Make these the Defaults for New Tunnels.

  • To view, edit, and delete tunnels, use the Tunnels tab. The Mode selected determines the tabs that display.


Tunnels Template Settings

Mode
  Indicates whether the tunnel protocol is udp, gre, or ipsec.

Admin state
  Indicates whether the tunnel has been set to admin Up or Down.

Auto discover MTU enabled
  Allows an appliance to determine the best MTU to use.

Auto max BW enabled
  When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.

DSCP
  Determines the DSCP marking that the keep-alive messages should use.

Fastfail Thresholds
  When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.

  The Fastfail connectivity detection algorithm for the wait time from receipt of the last packet before declaring a brownout is:

    Twait = Base + N * RTTavg

  where Base is a value in milliseconds, and N is the multiplier of the average Round Trip Time (RTTavg) over the past minute. For example, if:

    Base = 200 ms
    N = 2
    RTTavg = 50 ms

  then Twait = 200 + 2 * 50 = 300 ms, and the appliance declares a tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.

  In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.

  Fastfail enabled – This option is triggered when a tunnel's keepalive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keepalive reply, its recovery is instantaneous.

  If set to disable, keepalives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.

  If set to enable, keepalives are sent every second, and a missed reply increases the rate at which keepalives are sent from one per second to ten per second. Failover occurs after one second.

  When set to continuous, keepalives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.

  Thresholds for Latency, Loss, or Jitter are checked once every second.

  Receiving three successive measurements that exceed the threshold puts the tunnel into brownout, and flows attempt to fail over to another tunnel within the next 100 ms.

  Receiving three successive measurements that drop below the threshold takes the tunnel out of brownout.

FEC
  Forward Error Correction can be set to enable, disable, or auto.

FEC ratio
  An option when FEC is set to auto that specifies the maximum ratio. The options are 1:2, 1:5, 1:10, or 1:20.

IPSec anti-replay window
  Provides protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. The default window size is 64 packets.

IPSec pre-shared key
  A shared, secret string of Unicode characters that is used for authentication of an IPSec connection between two parties.

MTU
  Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting.

Reorder wait
  Maximum time (in ms) the appliance holds an out-of-order packet when attempting to reorder. The 100 ms default value should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough.

Retry count
  Number of failed keep-alive messages that are allowed before the appliance brings the tunnel down.

UDP destination port
  Used in UDP mode. Accept the default value unless the port is blocked by a firewall.

UDP flows
  Used in UDP mode. Number of flows over which to distribute tunnel data. Accept the default.
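
The Fastfail wait-time formula and the three-successive-measurement brownout rule from the Fastfail Thresholds entry, worked through as an added Python example. This is illustration written for this page, not Orchestrator or EdgeConnect appliance code: fastfail_wait_ms, reply_overdue, ThresholdBrownoutDetector and brownout_timeline are hypothetical names, the numbers (Base = 200 ms, N = 2, RTTavg = 50 ms, three successive samples) are the page's, and how a sample exactly equal to the threshold is treated is an assumption.

```python
"""Model of the Fastfail wait time (Twait = Base + N * RTTavg) and of the
threshold-based brownout rule described in the Tunnels Template settings.

Added illustration, not Orchestrator/EdgeConnect code. Function and class
names are hypothetical. A sample exactly equal to the threshold is assumed
to neither exceed nor drop below it, so it breaks both runs.
"""
from statistics import mean
from typing import Iterable, List


def fastfail_wait_ms(base_ms: float, n: float, rtt_samples_ms: Iterable[float]) -> float:
    """Twait = Base + N * RTTavg, with RTTavg the mean RTT over the past minute."""
    samples = list(rtt_samples_ms)
    if not samples:
        raise ValueError("need at least one RTT sample from the past minute")
    return base_ms + n * mean(samples)


def reply_overdue(twait_ms: float, last_packet_at_ms: float, now_ms: float) -> bool:
    """True when no reply has arrived within Twait of the most recent packet,
    which is the condition under which the appliance declares a brownout."""
    return now_ms - last_packet_at_ms > twait_ms


class ThresholdBrownoutDetector:
    """One metric (latency, loss or jitter) sampled once per second.

    Three successive samples above the threshold put the tunnel into
    brownout; three successive samples below it take the tunnel out again.
    Requiring a run rather than a single sample is what keeps one noisy
    measurement from flapping flows between tunnels."""

    REQUIRED_RUN = 3

    def __init__(self, threshold: float) -> None:
        self.threshold = threshold
        self.in_brownout = False
        self._above = 0   # current run of samples exceeding the threshold
        self._below = 0   # current run of samples below the threshold

    def sample(self, value: float) -> bool:
        """Feed one per-second measurement; return the resulting brownout state."""
        if value > self.threshold:
            self._above += 1
            self._below = 0
        elif value < self.threshold:
            self._below += 1
            self._above = 0
        else:
            # Assumption: a sample exactly on the threshold breaks both runs.
            self._above = self._below = 0

        if not self.in_brownout and self._above >= self.REQUIRED_RUN:
            self.in_brownout = True
        elif self.in_brownout and self._below >= self.REQUIRED_RUN:
            self.in_brownout = False
        return self.in_brownout


def brownout_timeline(threshold: float, samples: Iterable[float]) -> List[bool]:
    """Replay a series of one-per-second measurements through one detector and
    return the brownout state after each sample."""
    detector = ThresholdBrownoutDetector(threshold)
    return [detector.sample(v) for v in samples]


if __name__ == "__main__":
    # Constructed RTT samples whose mean is the page's RTTavg of 50 ms:
    # Base = 200 ms, N = 2 -> Twait = 300 ms.
    twait = fastfail_wait_ms(200, 2, [45, 55, 50, 50])
    print(f"Twait = {twait:.0f} ms")
    print("reply overdue at +301 ms:", reply_overdue(twait, 1000, 1301))
    # Constructed latency samples (ms) checked against a 100 ms threshold.
    print(brownout_timeline(100, [150, 150, 150, 50, 150, 50, 50, 50]))
```

Two things the replay makes visible when tuning these settings: because thresholds are checked once per second and three successive violations are required, a tunnel cannot enter brownout on a threshold breach in under roughly three seconds, and a single good sample in the middle of a bad stretch restarts the count; and because Twait scales with N times the measured RTT, a high-latency path with a large multiplication factor waits correspondingly longer before declaring a keepalive-based brownout.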
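
The sliding-window check that the IPSec anti-replay window setting sizes, as an added Python example modelled on the RFC 4303 bitmap window. This is illustration for this page, not the appliance's implementation: AntiReplayWindow and filter_sequence are hypothetical names, and the only value taken from the page is the 64-packet default.

```python
"""IPsec-style anti-replay sliding window, the mechanism the 'IPSec
anti-replay window' setting configures.

Added illustration modelled on the RFC 4303 bitmap scheme; not the
appliance's code. Class and function names are hypothetical; the 64-packet
default window size is the one the page states.
"""
from typing import Iterable, List


class AntiReplayWindow:
    """Tracks which ESP sequence numbers have been seen within a window of
    `size` packets ending at the highest sequence number accepted so far."""

    def __init__(self, size: int = 64) -> None:
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0       # bit i set => sequence number (highest - i) was seen
        self._mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is fresh; False if it is a
        replay (already seen) or too old to be tracked (outside the window)."""
        if seq < 1:
            return False                      # ESP sequence numbers start at 1
        if seq > self.highest:
            # New high-water mark: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # everything older is now out of window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: cannot vouch for it
        bit = 1 << offset
        if self.bitmap & bit:
            return False                      # duplicate sequence number: replay
        self.bitmap |= bit                    # late but legitimate out-of-order packet
        return True


def filter_sequence(seqs: Iterable[int], size: int = 64) -> List[bool]:
    """Run a series of received sequence numbers through one window and
    return, per packet, whether the decryptor would accept it."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: mild reordering (4 before 3), duplicated
    # packets (2 and 3 seen twice), then a jump that pushes 6 and 5 outside
    # the 64-packet window while 7 is still just inside it.
    arrivals = [1, 2, 2, 4, 3, 3, 70, 7, 6, 5]
    for seq, ok in zip(arrivals, filter_sequence(arrivals, size=64)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```

The check rejects two different things that look the same to the sender: a duplicate of a packet already seen (the replay the setting exists to stop) and a legitimate packet that arrives more than the window size behind the newest one. On paths with heavy reordering, which the page's Reorder wait and UDP flows settings can both contribute to, a 64-packet window will therefore discard some good traffic; widening it costs a little memory per tunnel and is the usual fix, and the rejections this check returns are the events worth logging to tell the two cases apart.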


© Copyright 2024 Hewlett Packard Enterprise Development LP.

For third-party trademark acknowledgements, go to Trademark Acknowledgements. All third-party marks are property of their respective owners.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America