IBM Support

Enterprise Extender and VPN Connectivity

Troubleshooting


Problem

This document describes some of the configuration requirements to be aware of when configuring Enterprise Extender (HPR over IP) to be used with a Virtual Private Network (VPN).

Resolving The Problem

Enterprise Extender (HPR over IP) uses UDP ports 12000-12004 rather than TCP protocol. These ports map to specific functions related to the priorities used with Class-of-Service descriptions available with APPN configurations.

Port   Use
12000  XID negotiation. Carries LDLC traffic only.
12001  Network traffic. Information is exchanged related to the HPR/RTP path information.
12002  Equivalent to HIGH priority in the Class-of-Service description. Default COSD is #INTER.
12003  Equivalent to MEDIUM priority in the Class-of-Service description. Default COSD is #CONNECT.
12004  Equivalent to LOW priority in the Class-of-Service description. Default COSD is #BATCH.
When using Enterprise Extender over a Virtual Private Network (VPN), everything beyond the IP header is encrypted. This includes the UDP header, which contains the UDP port number, so intermediate routers can no longer prioritize traffic by port. Fortunately, the Enterprise Extender architecture permits the use of the precedence bits (3 bits) found in the IP header. One byte of the IP header is the Type of Service (TOS) byte; bits 0, 1, and 2 of that byte are the precedence bits. If routers and other network equipment honor these bits, the priority of the traffic remains intact even when a VPN configuration is used.

The following shows how Enterprise Extender maps the traffic priority to the precedence bits in the IP header:
Port   Precedence bits
12000  B'110'
12001  B'110'
12002  B'100'
12003  B'010'
12004  B'001'
Enterprise Extender sets the precedence bits only if the QoS Enablement parameter in the TCP attributes is set to *TOS. To change this parameter, use the following command:

CHGTCPA IPQOSENB(*TOS)

If this parameter is already set to *YES (using Quality of Service (QoS) rather than the Type of Service (TOS) in the IP header) and this cannot be changed, the QoS policy/policies must be modified to handle the traffic prioritization using QoS. This simply means that the precedence bits will be set by the QoS policy, rather than by the built-in functionality of Enterprise Extender.
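The following is an added example, not part of the IBM technote, showing how a defender can confirm from a packet capture that the precedence bits described above are actually present on the wire. It builds a few constructed IPv4/UDP packets (addresses, checksums and payload are dummy values), reads the three high-order bits of the TOS byte, and compares them with the value Enterprise Extender is expected to set for that UDP port. A result of "cleared" (precedence B'000') on an EE port is the symptom you would see when IPQOSENB is not *TOS or when a device along the path rewrites the TOS byte; "mismatch" means some other value was substituted. The port-to-precedence table is taken from the technote; the function and status names are this example's own.

```python
import struct

# Mapping from the technote: EE UDP port -> (purpose, expected precedence bits 0-2)
EE_PORT_PRECEDENCE = {
    12000: ("LDLC/XID", 0b110),
    12001: ("network", 0b110),
    12002: ("HIGH", 0b100),
    12003: ("MEDIUM", 0b010),
    12004: ("LOW", 0b001),
}

IPPROTO_UDP = 17


def precedence_from_tos(tos: int) -> int:
    """Return precedence bits 0-2 of the TOS byte (bit 0 is the most significant bit)."""
    return (tos >> 5) & 0x07


def parse_ipv4_udp(packet: bytes):
    """Parse an IPv4 header and, if the payload is UDP, its destination port.

    Returns (tos, protocol, dst_port); dst_port is None for non-UDP packets.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, _total_len, _ident, _flags_frag, _ttl,
     proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if (ver_ihl >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_UDP:
        return tos, proto, None
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    _src_port, dst_port, _ulen, _ucsum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return tos, proto, dst_port


def build_ipv4_udp(tos: int, dst_port: int, payload: bytes = b"", proto: int = IPPROTO_UDP) -> bytes:
    """Construct a minimal IPv4+UDP packet for testing (checksums left at zero, dummy addresses)."""
    udp = struct.pack("!HHHH", 12000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp


def check_ee_packet(packet: bytes):
    """Classify one packet: 'ignore' (not an EE port), 'ok', 'cleared', or 'mismatch'."""
    tos, _proto, dst_port = parse_ipv4_udp(packet)
    if dst_port not in EE_PORT_PRECEDENCE:
        return ("ignore", None)
    label, expected = EE_PORT_PRECEDENCE[dst_port]
    actual = precedence_from_tos(tos)
    if actual == expected:
        return ("ok", label)
    if actual == 0:
        # Precedence zeroed: IPQOSENB not *TOS, or a router/VPN device rewrote the TOS byte
        return ("cleared", label)
    return ("mismatch", label)


if __name__ == "__main__":
    # Constructed sample packets: TOS byte 0xC0 carries precedence B'110'
    samples = [
        build_ipv4_udp(0xC0, 12000),   # correct precedence for LDLC/XID
        build_ipv4_udp(0x00, 12002),   # HIGH priority traffic with precedence cleared
        build_ipv4_udp(0x20, 12002),   # HIGH priority traffic carrying LOW precedence
        build_ipv4_udp(0x00, 5000),    # not an EE port
    ]
    for pkt in samples:
        print(check_ee_packet(pkt))
```

Run it against packets taken from the interface where the traffic is still in clear text (before ESP encapsulation) and, separately, against the outer headers on the WAN side; if the two disagree, the VPN device or a router in between is altering the TOS byte.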

Important Note: IPSec adds ESP and AH headers to each IP packet, enlarging the original IP datagram as it crosses the WAN. If the resulting IPSec datagram exceeds the MTU size of the next hop, it must be fragmented. Some devices will not route fragmented packets for security reasons, causing retransmissions at the RTP layer. Unfortunately, the retransmitted NLPs suffer the same failure, because they also have to be fragmented, and the HPR pipe stalls. If EE traffic is traversing IPSec tunnels, it is recommended to reduce the MTU size toward the destination host to 1420 to accommodate the increase in packet size caused by IPSec.

Product: IBM i (Power, IBM Infrastructure w/TPS), Version 7.1.0

Historical Number

412385779

Document Information

Modified date:
18 December 2019

UID

nas8N1014999