On Apr 21, 2011, at 4:20PM, Steven Bellovin wrote:
> For your application or for the VPN? For the VPN, I *strongly*
> suggest you use UDP, or you're going to get dueling retransmissions
> and spend a lot of time sending many copies of the same thing. Consider:
> if a packet is dropped, either due to line noise or queuing delay for
> the slow link, the sending TCP will resend. If you're using TCP for
> OpenVPN, that session's TCP will resend. Of course, the TCP running
> on top of it will resend as well, so you'll get two copies of the data
> sent to the application's TCP, wasting precious bandwidth.
Is this actually how OpenVPN's TCP encapsulation works? I'd be curious to know. It isn't how Cisco's TCP/10000 encapsulation works, at least not with the IOS devices I have experience with. Cisco's TCP/10000 looks like TCP to a firewall, but it really isn't. There is no reliability -- no retransmits, etc. It's pretty close to UDP behavior but with a TCP header, which was confusing to troubleshoot at first but quickly made perfect sense to me for the reasons you state above.

-Terry
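Bellovin's "dueling retransmissions" argument as an added toy model (not part of the original thread, and making no claim about how OpenVPN or Cisco's TCP/10000 actually behave): an inner TCP retransmits on its own timer, while the tunnel carrier is either reliable (resends a lost packet after its own RTO, like TCP) or unreliable (like UDP). Timings and the loss pattern are constructed.

```python
import heapq

def simulate(outer_reliable, drop_first_copy_of, inner_rto=3, outer_rto=5,
             link_delay=1, nseg=3, horizon=60):
    """Return ({seq: copies delivered to the inner receiver}, packets put on the link).

    outer_reliable   -- True: carrier retransmits a dropped packet after outer_rto
    drop_first_copy_of -- inner seqs whose first link transmission is lost
    """
    events, counter = [], 0            # (time, tie-breaker, kind, seq)

    def schedule(t, kind, seq):
        nonlocal counter
        heapq.heappush(events, (t, counter, kind, seq))
        counter += 1

    delivered = {s: 0 for s in range(nseg)}
    acked, dropped_once, link_sends = set(), set(), 0
    for s in range(nseg):               # inner TCP emits one segment per tick
        schedule(s, "inner_send", s)

    while events:
        t, _, kind, seq = heapq.heappop(events)
        if t > horizon:
            break
        if kind == "inner_send":        # inner TCP (re)transmission
            if seq in acked:
                continue                # ACK arrived, timer cancelled
            schedule(t, "link_tx", seq)
            schedule(t + inner_rto, "inner_send", seq)   # arm inner RTO timer
        elif kind == "link_tx":         # tunnel packet crosses the slow link
            link_sends += 1
            if seq in drop_first_copy_of and seq not in dropped_once:
                dropped_once.add(seq)   # lost to noise / queue overflow
                if outer_reliable:      # a TCP carrier will resend it anyway
                    schedule(t + outer_rto, "link_tx", seq)
            else:
                schedule(t + link_delay, "inner_rx", seq)
        elif kind == "inner_rx":        # inner receiver sees the segment; ACK is instant
            delivered[seq] += 1
            acked.add(seq)
    return delivered, link_sends

if __name__ == "__main__":
    for label, reliable in (("UDP-like carrier", False), ("TCP-like carrier", True)):
        copies, sends = simulate(reliable, drop_first_copy_of={1})
        print(label, "copies per segment:", copies, "link packets:", sends)
```

With the reliable carrier the lost segment reaches the inner receiver twice (once via the inner retransmit, once via the outer one) and the link carries an extra packet; with the unreliable carrier only the inner TCP recovers the loss and each segment arrives exactly once.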