Tunnels Template

NOTE: If you are deploying an SD-WAN network, the Business Intent Overlays (BIOs) govern tunnel properties. In this case, you do not need this template.

If you are not creating overlays, use this template to assign and manage tunnel properties.

  • Tunnel templates can be applied to any appliance (with or without tunnels). However, only existing tunnels accept the template settings. To have an appliance apply these same settings to tunnels created later, select Make these the Defaults for New Tunnels.

  • To view, edit, and delete tunnels, use the Tunnels tab. The Mode selected determines the tabs that display.


Tunnels Template Settings

Field – Description

Admin state – Indicates whether the tunnel has been set to admin Up or Down.

Auto discover MTU enabled – Allows an appliance to determine the best MTU to use.

Auto max BW enabled – When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.

DSCP – Determines the DSCP marking that the keep-alive messages should use.

Fastfail Thresholds – When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.

Fastfail connectivity detection computes the wait time, measured from receipt of the last packet, before it declares a brownout as:

Twait = Base + N * RTTavg

where Base is a value in milliseconds, and N is the multiplier applied to the average round-trip time (RTTavg) measured over the past minute. For example, if:

Base = 200 ms
N = 2
RTTavg = 50 ms

then Twait = 200 + 2 × 50 = 300 ms: the appliance declares the tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.

In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.

Fastfail enabled – This option is triggered when a tunnel’s keepalive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keepalive reply, its recovery is instantaneous.

If set to disable, keepalives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.

If set to enable, keepalives are sent every second, and a missed reply increases the rate at which keepalives are sent from one per second to ten per second. Failover occurs after one second.

When set to continuous, keepalives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.

Thresholds for Latency, Loss, or Jitter are checked once every second.

Receiving three successive measurements that exceed the threshold puts the tunnel into brownout, and flows attempt to fail over to another tunnel within the next 100 ms.

Receiving three successive measurements that are below the threshold takes the tunnel out of brownout.
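The following is an added illustration, not appliance code and not part of the original documentation: it models the two Fastfail rules described above, the Twait formula (Base + N × RTTavg) and the three-in-a-row hysteresis that moves a tunnel into and out of brownout on once-per-second threshold checks. The class and function names, and the latency samples fed through it, are constructed for the example; the real appliance's internal state machine is not described on the page beyond these rules.

```python
from dataclasses import dataclass


def fastfail_wait_ms(base_ms: int, n: int, rtt_avg_ms: float) -> float:
    """Twait = Base + N * RTTavg, all in milliseconds.

    base_ms is the 'Fastfail wait-time base offset (ms)' and n the
    'Fastfail RTT multiplication factor' from Tunnel Advanced Options.
    """
    return base_ms + n * rtt_avg_ms


@dataclass
class BrownoutDetector:
    """Hysteresis for one threshold (latency, loss or jitter) on one tunnel.

    Measurements arrive once per second. Three successive values over the
    threshold enter brownout; three successive values below it leave again.
    A value exactly equal to the threshold is treated as 'not exceeding'.
    (Constructed model of the page's rules, not the appliance's own code.)
    """
    threshold: float
    consecutive_needed: int = 3
    in_brownout: bool = False
    _over: int = 0      # run length of consecutive measurements over threshold
    _under: int = 0     # run length of consecutive measurements at/below threshold

    def observe(self, value: float) -> bool:
        """Feed one per-second measurement; return the brownout state after it."""
        if value > self.threshold:
            self._over += 1
            self._under = 0
        else:
            self._under += 1
            self._over = 0

        if not self.in_brownout and self._over >= self.consecutive_needed:
            self.in_brownout = True      # flows now try to fail over within 100 ms
        elif self.in_brownout and self._under >= self.consecutive_needed:
            self.in_brownout = False     # tunnel is eligible to carry data again
        return self.in_brownout


def brownout_timeline(samples, threshold: float):
    """Run a sequence of once-per-second measurements through the detector
    and return the brownout state after each one."""
    det = BrownoutDetector(threshold=threshold)
    return [det.observe(v) for v in samples]


if __name__ == "__main__":
    # Worked example from the text: Base 200 ms, N = 2, RTTavg 50 ms -> 300 ms
    print("Twait =", fastfail_wait_ms(200, 2, 50), "ms")

    # Constructed latency samples (ms) against a 100 ms latency threshold.
    # A single spike (120) is not enough; three in a row (120,130,140) is.
    samples = [80, 120, 130, 140, 90, 95, 85, 150]
    for v, state in zip(samples, brownout_timeline(samples, threshold=100)):
        print(f"latency={v:>4} ms  brownout={state}")
```

Note that a lone spike never triggers brownout and a lone good sample never clears it; that symmetry is what keeps a flapping link from bouncing flows between tunnels every second.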
FEC – Forward Error Correction can be set to enable, disable, or auto.

FEC ratio – An option when FEC is set to auto, specifying the maximum ratio. The options are 1:2, 1:5, 1:10, or 1:20.

IPSec anti-replay window – Select a size from the drop-down list, or Disable to turn off the IPSec anti-replay window. If a size is selected, each encrypted packet is assigned a unique sequence number, which protects against an attacker duplicating (replaying) encrypted packets.

IPSec pre-shared key – A shared secret string of Unicode characters used to authenticate an IPSec connection between two parties.

Mode – Indicates whether the tunnel protocol is udp, gre, or ipsec.

MTU – Maximum Transmission Unit (MTU) is the largest unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically and overrides the MTU setting.

Reorder wait – Maximum time (in ms) the appliance holds an out-of-order packet while attempting to reorder. The 100 ms default should be adequate for most situations. FEC can introduce out-of-order delivery if the reorder wait time is not set high enough.

Retry count – Number of failed keep-alive messages allowed before the appliance brings the tunnel down.

UDP destination port – Used in UDP mode. Accept the default value unless the port is blocked by a firewall.

UDP flows – Used in UDP mode. Number of flows over which to distribute tunnel data. Accept the default.
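As an added example (not appliance code and not from the original documentation), the sliding-window check below shows what the IPSec anti-replay window setting buys and what Disable gives up. It follows the shape of the ESP anti-replay service in RFC 4303 (a highest-accepted sequence number plus a bitmap of the window behind it); the appliance's own implementation and window sizes are not described on the page, so the 64-packet window and the sequence numbers replayed through it are constructed for the illustration.

```python
class AntiReplayWindow:
    """Receiver-side replay check in the style of RFC 4303 (ESP).

    Each accepted packet carries a unique, increasing sequence number.
    The receiver keeps the highest number seen and a bitmap of which of the
    `window` most recent numbers have already been accepted. A packet is
    rejected if it is older than the window or was already accepted.
    window=0 models the template's Disable choice: nothing is rejected.
    (Constructed illustration; not the appliance's own code.)
    """

    def __init__(self, window: int = 64):
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set  <=>  sequence (highest - i) was accepted

    def check(self, seq: int) -> bool:
        """Return True if the packet with this sequence number is accepted."""
        if self.window == 0:
            return True                      # Disable: duplicates sail through
        if seq <= 0:
            return False                     # ESP never uses sequence number 0

        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.window:
                self.seen = (self.seen << shift) | 1
            else:
                self.seen = 1                # jumped past the whole window
            self.seen &= (1 << self.window) - 1
            self.highest = seq
            return True

        offset = self.highest - seq          # how far behind the newest packet
        if offset >= self.window:
            return False                     # too old: outside the window
        if (self.seen >> offset) & 1:
            return False                     # already accepted once: replay
        self.seen |= 1 << offset             # late but first-time: accept
        return True


def replay_verdicts(seqs, window: int = 64):
    """Run a captured sequence-number stream through one window and return
    the accept/reject verdict for each packet, in order."""
    w = AntiReplayWindow(window)
    return [w.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: normal traffic, a replayed packet (2), a gap,
    # a very old packet (30), a late-but-new packet (50) and its replay.
    stream = [1, 2, 3, 2, 100, 30, 50, 50]
    for s, ok in zip(stream, replay_verdicts(stream, window=64)):
        print(f"seq={s:>3}  {'accept' if ok else 'REJECT'}")
    print("with window disabled:", replay_verdicts(stream, window=0))
```

With the window enabled, the second copy of sequence 2 and of sequence 50 is rejected and the stale packet 30 (more than 64 behind the newest, 100) is dropped as well; with the window disabled every one of those is accepted, which is exactly the duplication an attacker relies on. Choose a window large enough to tolerate the reordering that FEC and multiple UDP flows can introduce, since legitimate packets that arrive more than a window late are also discarded.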

