Bandwidth per ipsec tunnel

(Ajit) #1

What is the current bandwidth per IPSEC tunnel? I know it was 200Mbps earlier but in a recent webinar it was stated the same has been increased. Can you confirm what is the new value?


(Scott Bullock) #2

Hi Ajit,
At the moment 200mbps is the stated limit, but expect to see this increase in a soft manner. I already have customers bursting over 300mbps in some locations. Over time I’d expect this to scale up further, we are the Zenith of Scalability after all :slight_smile:

If you do happen to hit this limit, you can mitigate by directing different segments up different Phase-II (Proxy-ID) segments. I’ve also heard of customers using multiple phase-II and leveraging ECMP to balance across the Phase-2 segments. Best check with your edge vendor if they support such tech; today I’ve only heard of it and do not have specific configs to share.



(Ajit) #3

Hi Scott,
Thanks for the quick response. So when you say multiple phase 2, let’s say I have a phase 2 with and another with, then that whole tunnel gets 400Mbps, but then there are chances that the may go above 200M, right?

Also when you say certain locations going beyond 200M, do you refer to certain data centers of Zscaler?

We do have a device that supports ECMP and is employing it, but then with a single phase 2 per tunnel, the problem is for 1G traffic it’s a total of 10 tunnels (active & standby) and I have a customer asking for 4G, which makes it a more complex design.

(Scott Bullock) #4

Hi Ajit,
You have understood correctly. You can get even more granular and split the 10/8 into multiple 10/16s; this would further reduce the chance of any segment maxing the phase-ii, more likely that the customer internal link will reach saturation before the tunnel.

The >200 statement is based on observation, it’s not an official position. I’ve seen my local DC (Melbourne, Aus) have a single customer sustain traffic at around 250mbps, which is the saturation point of the customer link, not Z. But as said, and to be clear, 200mbps per phase-ii is what you should design for as of this day (20180823).

For the ECMP usage, I’ll firmly leave it to you to decide on its usage and complexity. We should be OK to go should you decide ECMP is simpler than phase-ii splitting.



(Prajith) #5

Hi @skottieb,

It’s technically 200 per phase 1 and not phase 2.
I know there has been a lot of confusion wrt this over time, but the limit is 200Mbps per phase1.

Think of it this way… Say the customer uses one phase1 and makes 4 phase2 SA each doing 200Mbps, it would max out the box, from one customer connection alone.


(Joost Hage) #6

Good point. You should still be able to set up multiple IpSec tunnels to the same ZEN-cluster by creating different crypto-domains (as defined in Phase-2), but tie them to different IKE-1’s. Note that there’s no exchange of state information between the tunnels (there never is) but that these could still belong to the same location definition. I’m not sure however how this influenced BWC (hm, maybe I’ll test it myself).
The tunnels should be load-balanced over multiple SMEs and allow you to go beyond the regular IpSec limit.

Speaking of which, I thought we extended this limit to 300Mbps (or even 350?) about 6 months ago. Am I wrong?

Grtz, Joost

(Ajit) #7

Hi Joost,
That’s what we are currently doing: we have multiple IPSEC tunnels from different interfaces running towards a single Zscaler DC and then employing a load balancing algorithm to split the load. Now our problem is I have customers asking for 2G and above, so that accounts for 20 tunnels (10 to primary zen and 10 to secondary) at a minimum :frowning:.

Now with regard to the increase in the limit on the tunnels, I came to know this from one of your webinars, but there is no proper documentation on this. It will be really helpful if someone shares some concrete idea on this.


(Manish Jasyal) #9

Hi All,

As of right now, the same tunnel limits apply to IPSec as before:
200 Mbps (per Phase 1 SA) - i.e. 200 Mbps upload and 200 Mbps download.

Even if you build multiple Phase 2 SAs, the maximum bandwidth is still limited to 200 Mbps.
In order to scale further, you should create multiple IPSec tunnels with different source IP addresses.
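Putting the thread’s sizing rules together as an added example (not code from any poster or from Zscaler): 200 Mbps per Phase 1 SA, a mirrored standby set to the secondary ZEN, one source IP per tunnel, and the internal prefix split into proxy-ID blocks spread across tunnels. The source-IP range and the sample internal prefix are assumptions for illustration.

```python
import math
from ipaddress import ip_address, ip_network

# Design figure the thread converges on: 200 Mbps per Phase 1 SA (per tunnel),
# regardless of how many Phase 2 SAs hang off it.
PER_PHASE1_MBPS = 200


def tunnels_needed(required_mbps, per_tunnel_mbps=PER_PHASE1_MBPS, redundant=True):
    """Tunnels (Phase 1 SAs) needed to carry required_mbps.

    With redundant=True the primary set is mirrored by an equal standby set
    to the secondary ZEN, which is how the thread gets 10 tunnels for 1G
    and 20 for 2G.
    """
    primary = math.ceil(required_mbps / per_tunnel_mbps)
    return primary * 2 if redundant else primary


def plan(required_mbps, internal_prefix, first_source_ip,
         per_tunnel_mbps=PER_PHASE1_MBPS):
    """Primary tunnel set: a distinct source IP per tunnel (so each is its
    own Phase 1 SA) plus a share of the internal prefix as its proxy-IDs,
    e.g. 10/8 cut into smaller blocks spread round-robin so no one block
    is likely to saturate a single tunnel.

    Source IPs are consecutive addresses from first_source_ip; that is an
    assumption for the example, use addresses your edge actually owns.
    """
    n = tunnels_needed(required_mbps, per_tunnel_mbps, redundant=False)
    net = ip_network(internal_prefix)
    diff = math.ceil(math.log2(n)) if n > 1 else 0  # >= n blocks
    blocks = list(net.subnets(prefixlen_diff=diff))
    base = ip_address(first_source_ip)
    return [
        {"tunnel": i + 1,
         "source_ip": str(base + i),
         "proxy_ids": [str(b) for b in blocks[i::n]],
         "limit_mbps": per_tunnel_mbps}
        for i in range(n)
    ]


def over_limit(observed_mbps_by_tunnel, per_tunnel_mbps=PER_PHASE1_MBPS):
    """Tunnels whose observed throughput exceeds the design limit; a hit
    means re-split proxy-IDs or add a tunnel rather than rely on the
    informal >200 Mbps bursts mentioned in the thread."""
    return [t for t, mbps in observed_mbps_by_tunnel.items() if mbps > per_tunnel_mbps]
```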