Abstract: Some embodiments provide a method of load balancing data message flows across multiple secure connections. The method receives a data message having source and destination addresses formatted according to a first protocol. Based on the source and destination addresses, the method selects one of the multiple secure connections for the data message. Each of the secure connections handles a first set of connections formatted according to the first protocol and a second set of connections formatted according to a second protocol that is an alternative to the first protocol. The method securely encapsulates the data message and forwards the encapsulated data message onto a network. The encapsulation includes an identifier for the selected secure connection.

Abstract: Some embodiments provide a method of load balancing data message flows across multiple secure connections. The method receives a data message having source and destination addresses formatted according to a first protocol. Based on the source and destination addresses, the method selects one of the multiple secure connections for the data message. Each of the secure connections handles a first set of connections formatted according to the first protocol and a second set of connections formatted according to a second protocol that is an alternative to the first protocol. The method securely encapsulates the data message and forwards the encapsulated data message onto a network. The encapsulation includes an identifier for the selected secure connection.

Abstract: The disclosure provides an approach for pre-filtering traffic in a logical network. One method includes receiving, by a hypervisor, a packet from a virtual computing instance (VCI) and determining a service path for the packet based on a service table. The method further includes setting, by the hypervisor, a pre-filter component as a next hop for the packet based on the service path. The method further includes receiving, by the pre-filter component, the packet. The method further includes making a determination, by the pre-filter component, of whether the packet requires processing by the security component. The method further includes performing, by the pre-filter component, based on the determination, one of: forwarding the packet to its destination and bypassing the security component; or forwarding the packet to the security component.

Abstract: Some embodiments provide a method of load balancing data message flows across multiple secure connections. The method receives a data message having source and destination addresses formatted according to a first protocol. Based on the source and destination addresses, the method selects one of the multiple secure connections for the data message. Each of the secure connections handles a first set of connections formatted according to the first protocol and a second set of connections formatted according to a second protocol that is an alternative to the first protocol. The method securely encapsulates the data message and forwards the encapsulated data message onto a network. The encapsulation includes an identifier for the selected secure connection.

Abstract: Certain embodiments described herein relate to a method for performing dead peer detection (DPD) by a local gateway. The method includes periodically examining one or more array elements of a timestamp array. The method further includes, for each of the examined one or more array elements, determining whether a corresponding idle timeout threshold is met. The method further includes, upon determining that the corresponding idle timeout threshold is not met, refraining from causing a notification to be transmitted to a peer gateway. The method also includes, upon determining that the corresponding idle timeout threshold is met, causing a notification to be transmitted to the peer gateway to determine whether the peer gateway is responsive with respect to a tunnel associated with the examined array element.

Abstract: Certain embodiments described herein relate to a method for performing dead peer detection (DPD) by a local gateway. The method includes periodically examining one or more array elements of a timestamp array. The method further includes, for each of the examined one or more array elements, determining whether a corresponding idle timeout threshold is met. The method further includes, upon determining that the corresponding idle timeout threshold is not met, refraining from causing a notification to be transmitted to a peer gateway. The method also includes, upon determining that the corresponding idle timeout threshold is met, causing a notification to be transmitted to the peer gateway to determine whether the peer gateway is responsive with respect to a tunnel associated with the examined array element.

Abstract: The disclosure provides an approach for pre-filtering traffic in a logical network. One method includes receiving, by a hypervisor, a packet from a virtual computing instance (VCI) and determining a service path for the packet based on a service table. The method further includes setting, by the hypervisor, a pre-filter component as a next hop for the packet based on the service path. The method further includes receiving, by the pre-filter component, the packet. The method further includes making a determination, by the pre-filter component, of whether the packet requires processing by the security component. The method further includes performing, by the pre-filter component, based on the determination, one of: forwarding the packet to its destination and bypassing the security component; or forwarding the packet to the security component.

Abstract: Certain embodiments described herein relate to a method for performing dead peer detection (DPD) by a local gateway. The method includes periodically examining one or more array elements of a timestamp array. The method further includes, for each of the examined one or more array elements, determining whether a corresponding idle timeout threshold is met. The method further includes, upon determining that the corresponding idle timeout threshold is not met, refraining from causing a notification to be transmitted to a peer gateway. The method also includes, upon determining that the corresponding idle timeout threshold is met, causing a notification to be transmitted to the peer gateway to determine whether the peer gateway is responsive with respect to a tunnel associated with the examined array element.

Abstract: Certain embodiments described herein relate to a method for performing dead peer detection (DPD) by a local gateway. The method includes periodically examining one or more array elements of a timestamp array. The method further includes, for each of the examined one or more array elements, determining whether a corresponding idle timeout threshold is met. The method further includes, upon determining that the corresponding idle timeout threshold is not met, refraining from causing a notification to be transmitted to a peer gateway. The method also includes, upon determining that the corresponding idle timeout threshold is met, causing a notification to be transmitted to the peer gateway to determine whether the peer gateway is responsive with respect to a tunnel associated with the examined array element.