
PrakashRIndia
2 months ago

IPSec Tunnel Active-Active Configuration Packet Loss Issue

Hi All,

We configured an IPSec tunnel Active-Active configuration, but we are facing packet loss after the Active-Active configuration on IPSec and are forced to work on an Active-Passive configuration, which results in not using both links in the branch. We are using 2 network links in the branch, we have Fortinet SDWAN at the branch, and an IPSec tunnel is created to route all internet traffic to the Cato PoP.

We are trying to leverage "Multiple Active Tunnels for IPsec Sites".

4 Replies

  • Sharath

    Hi All,

    I would like to share the details of our recent troubleshooting with the CATO Support team. We observed the following behavior:

    - On the CATO POP side, the service is responding to all ingress requests. However, it appears that the POP is unable to consistently decide the correct return path for packets.

    - Due to this, we are experiencing 30–40% packet drops across both links, along with frequent tunnel flapping.

    - On our firewall end, continuous pings to external resources (e.g., Google DNS) and other IPsec tunnels show no packet loss. The issue only occurs when traffic is routed through the CATO IPsec tunnels in Active-Active mode.

    - We have applied the Network Rule configuration as recommended by the CATO team, but the issue still persists.

    - Interestingly, when configured in Active-Passive mode, the tunnels stabilize with no packet drops observed, and traffic flows without issue.

    At this point, it seems to be a limitation or unexpected behavior in how CATO handles path selection in Active-Active deployments.


  • michaelsaw (Cato Professional Services)

    Hi PrakashRIndia,

    For the Active-Active WAN ISP packet loss investigation, have you submitted a ticket with the Cato Support team or with the ISP to investigate?
    Do you encounter packet loss in Active-Active WAN and Active-Passive WAN scenarios?

    Cheers

    • PrakashRIndia

      Yes, I have raised a ticket, vide 813967, but there is no resolution; they suggested many things to check but none worked. I have also shared PCAP files for review.

      We encounter packet loss in Active-Active WAN.

  • michaelsaw (Cato Professional Services)

    Hi PrakashRIndia,

    Appreciate your feedback.

    Seems the issue occurs when the 2nd IPSec is connected.
    Would it be a good idea to review the IPsec configuration and pcap for both scenarios:
    (1) Standalone IPsec and
    (2) when the 2nd IPSec is connected?

    Seems that something is causing packet loss only when the 2nd IPSec is connected 🤔

    Cheers!