
Network Configurations: IPSec VPNs and MPLS Considerations for Xona Fabric

Network Configurations: Adjusting MTU Sizes for IPSec VPNs and MPLS on Cloud vs. Physical CSGs

Table of Contents

  • Symptoms

  • Affected Environments

  • Root Cause

  • MPLS Troubleshooting Considerations

  • Resolution Steps: Adjusting MTU

  • Related Articles


Symptoms

The CSG has joined the Xona Fabric, but the connection status is Pending on both the CSG and XCM. This behavior is frequently observed when the CSG is located at a remote site connected to the XCM via an IPSec VPN or an MPLS network.

Affected Environments
  • Platform: Physical Hardware (1U server, DIN Rail), Virtual Hardware (VMware/Hyper-V)

  • Component: CSG joined to XCM

Root Cause

The Xona Fabric relies on a WireGuard tunnel for secure communication between the CSG and XCM. This tunnel can fail if the network path restricts packet sizes or traffic types:

  • IPSec VPNs: The default MTU size is 1500, which is typically too large for most VPN tunnels. This causes the WireGuard tunnel to experience issues.

  • MPLS Networks: If the CSG connects to the XCM via an MPLS network (e.g., ATT Silver Peak, Cisco Meraki, etc.), Quality of Service (QoS) rules in the MPLS network may be interfering with the WireGuard handshake used for Xona Fabric.

MPLS Troubleshooting Considerations

If you suspect an MPLS network is causing the "Pending" status, adjusting the MTU may not be sufficient.

  • Depending on the Quality of Service (QoS) rules in the MPLS network, the WireGuard connection from the CSG may be routed differently than what is shown in the traceroute from the CSG to the XCM.

  • QoS rules in MPLS are typically handled by senior network engineers, so resolving this problem will require you to escalate the issue, possibly up to the ISP level.

  • Packet captures from the CSG and XCM should show WireGuard handshake failures during these events.

  • To isolate the issue and provide an example to your network team, test the Xona Fabric on the same subnet (or adjacent subnet) without MPLS to demonstrate what a working setup should look like. Provide a packet capture of the working setup to the network engineers.

Resolution Steps: Adjusting MTU

Note: The MTU only needs to be changed on the NIC used to route to the XCM.

Step 1: Determine the Correct MTU

Network admins can provide you with the correct MTU size for the VPN tunnel. If a network admin is not available, you can use trial and error to find an MTU size that works. A conservative value of 1200 should work, but it is always best to find the exact size.

Step 2: Modify the Configuration via the Setup Console

  1. Change the NIC MTU by accessing the CSG setup console and navigating to the Trusted/Untrusted configuration under Network Configuration.

  2. Use the arrow key to select the option to the right of ETHERNET at the top.

  3. Press Enter to expand the Ethernet settings.

  4. Use the arrow key to navigate to the MTU field.

  5. Enter your MTU (for example, 1272).

  6. Use the arrow keys to select the button on the lower right of the screen.

  7. Press Enter to save the network configuration.

Step 3: Verify Connectivity

Log in to the CSG/XCM web UI to view the Xona Fabric connection status. If there are no other issues affecting Xona Fabric, then it should show "Connected" status.
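
The trial-and-error search in Step 1 can be automated. The script below is an added example, not part of Xona's tooling: it binary-searches the largest IPv4 packet that reaches the XCM with the Don't Fragment bit set. It assumes a Linux host with iputils ping on the same network path as the CSG and that ICMP echo is permitted along that path; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: find the largest unfragmented IPv4 packet size to a host.
# Assumptions: Linux with iputils ping; ICMP echo allowed on the path.

# probe SIZE HOST: succeed if a packet of SIZE total bytes reaches HOST
# with Don't Fragment set. ICMP payload = SIZE - 20 (IPv4) - 8 (ICMP).
# Two echoes are sent so that a single lost packet does not skew the search.
probe() {
    ping -4 -M do -c 2 -W 2 -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: print the largest size in [LOW, HIGH]
# that probe accepts; return 1 if even LOW fails (host down or ICMP blocked).
find_path_mtu() {
    host=$1
    lo=${2:-576}
    hi=${3:-1500}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))    # round up so the loop always advances
        if probe "$mid" "$host"; then
            lo=$mid                     # mid fits: search above it
        else
            hi=$(( mid - 1 ))           # mid is too large: search below it
        fi
    done
    echo "$lo"
}

# Runs only when a target is given, e.g.:
#   sh find_mtu.sh xcm.example.internal   (placeholder hostname)
if [ -n "${1:-}" ]; then
    if mtu=$(find_path_mtu "$1"); then
        echo "Largest unfragmented packet to $1: $mtu bytes"
    else
        echo "No reply from $1 even at the low bound; ICMP may be blocked" >&2
        exit 1
    fi
fi
```

Treat the reported size as an upper bound for the MTU entered in Step 2. If the script reports no reply at all, fall back to the value supplied by your network admin.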