NGX R60 QoS, IPSEC and ClusterXL - FTP DiffServ Marking

[pbkirk]

I'm having problems getting CP SPLAT to properly mark DiffServ for FTP traffic over an encrypted link. The VPN community includes a remote Gateway's inside LAN segment and central site cluster inside LAN segment.

I've added the SPLAT and FW hotfixes to all gateways/cluster members and Smartcenter Server, performed some tests, and here's what I found. I can get a single Gateway to mark FTP packets with Diffserv on a traffic flow between a host (on remote Gateway's inside LAN segment) and central site server (on inside cluster LAN segment), but the cluster will not mark the packets. It doesn't matter what direction the connection and transfer occur in (RMT to CS or vice versa), no packets sourced from central site are ever marked. It's almost as if the QoS Diffserv should be applied to the physical interfaces instead of the Cluster interface IP, but the object's topology edit won't let you do that (there's not a QoS tab for the physical interfaces, just for the cluster interface). Has anyone else had this problem?

[Yasushi Kono]

you have to alter the global properties. Launch GuiDBedit and look for the parameter :ipsec.copy_TOS_to_inner and :ipsec.copy_TOS_t_outer.

You should set both parameters to true. That' s it.
Of course, you could modify these settings with dbedit. You should be familiar with this tool.

Kind regards,
Yasushi