Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Traffic Duplication for VPN Tunnels with Traffic Intelligence

Traffic Duplication copies packets and sends them over the primary and secondary transport simultaneously to ensure that traffic continues uninterrupted even if one VPN transport goes down. At the other VPN endpoint, the packet stream is reassembled. Traffic Duplication should be used only for critical, real-time traffic using two transports with the same latency and bandwidth.

Limitations

  • Not available for transports using IPv6 VPN envelopes.
  • Latency and bandwidth must be identical for both transports.

Before You Begin

Create a multi-transport VPN tunnel between two CloudGen Firewalls:

Step 1. Create a Custom Connection Object for the TI Master

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.   
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.  
  4. Enter the Name.
  5. From the Translated Source IP list, select Original Source IP.
  6. To edit the VPN Traffic Intelligence settings, click Edit/Show. The TI Transport Selection window opens.
  7. Configure the Transport Policies:
    • Transport Selection Policy – Select Explicit Transport Selection.
    • TI Learning Policy – Select Master.
  8. Configure the Explicit Transport Selection:
    • Primary Transport Class – Select the primary transport.
    • Primary Transport ID – Select the ID for the primary transport.
    • Secondary Transport Class – Select the secondary transport.
    • Secondary Transport ID – Select the ID for the secondary transport.
  9. From the Traffic Duplication (FEC) list, select Yes.
  10. Click OK.
  11. Click Send Changes and Activate.

Step 3. Create a Custom Connection Object for the TI Slave

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.   
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.  
  4. Enter the Name.
  5. From the Translated Source IP list, select Original Source IP.
  6. To edit the VPN Traffic Intelligence settings, click Edit/Show. The TI Transport Selection window opens.
  7. From the TI Learning Policy drop-down list, select Slave.
  8. Click OK.
  9. Click Send Changes and Activate.

Step 4. Modify Access Rule on the Firewall Acting as TI Master

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks. 
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the TI master created in step 2.
  4. Click OK.
  5. Click Send Changes and Activate.

Step 5. Modify Access Rule on the Firewall Acting as TI Slave

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:  
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks. 
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the TI slave created in step 3.
  4. Click OK.
  5. Click Send Changes and Activate.

Traffic matching these access rules is now duplicated on the primary and secondary transport. Failure of one of the transports is completely transparent, and no packets are dropped. Traffic Duplication is not displayed in the VPN tab. To test Traffic Duplication, disable one transport: if traffic fails over instantly with no packets dropped and no delay, Traffic Duplication is working correctly.
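To put numbers on the failover test described above, the following added example (not part of the Barracuda documentation) parses a Linux `ping -D -i 0.2` capture taken through the tunnel while one transport is disabled, and reports missing sequence numbers and the longest gap between replies. The remote host address, the sample lines and the gap threshold are constructed assumptions.

```python
import re

# Linux iputils `ping -D` reply line:
#   [epoch.usec] 64 bytes from IP: icmp_seq=N ttl=T time=R ms
REPLY = re.compile(r"^\[(\d+\.\d+)\].*icmp_seq=(\d+) .*time=([\d.]+) ms")

def analyze_failover(lines, interval_s, max_gap_factor=2.0):
    """Summarize loss and delay in a ping capture taken during the test.

    interval_s is the send interval given to ping (-i). Loss after the
    last received reply cannot be seen from reply lines alone.
    """
    replies = {}
    for line in lines:
        m = REPLY.match(line.strip())
        if m:
            ts, seq, rtt = float(m.group(1)), int(m.group(2)), float(m.group(3))
            replies.setdefault(seq, (ts, rtt))  # keep first copy, ignore DUP! replies
    if not replies:
        raise ValueError("no ping replies found")
    seqs = sorted(replies)
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in replies]
    stamps = [replies[s][0] for s in seqs]
    max_gap = max((b - a for a, b in zip(stamps, stamps[1:])), default=0.0)
    return {
        "received": len(seqs),
        "missing": missing,                      # dropped probes
        "max_gap_s": round(max_gap, 3),          # longest silence between replies
        "max_rtt_ms": max(replies[s][1] for s in seqs),
        "ok": not missing and max_gap <= interval_s * max_gap_factor,
    }

def _sample(seqs, interval_s=0.2):
    """Constructed ping -D lines for a hypothetical remote host 10.0.20.5."""
    return [
        f"[{1700000000 + (s - 1) * interval_s:.6f}] 64 bytes from 10.0.20.5: "
        f"icmp_seq={s} ttl=62 time=12.0 ms"
        for s in seqs
    ]

CLEAN = _sample(range(1, 7))   # constructed: transport disabled, no loss
LOSSY = _sample([1, 2, 5, 6])  # constructed: two probes lost during failover

if __name__ == "__main__":
    print("clean:", analyze_failover(CLEAN, 0.2))
    print("lossy:", analyze_failover(LOSSY, 0.2))
```

An empty `missing` list with `ok` set to true across the moment the transport was disabled matches the "no packets dropped and no delay" outcome the page describes.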