VPN session affinity

VPN session affinity occurs when a clear-text session is located in a Services Processing Unit (SPU) that is different from the SPU where the IPsec tunnel session is located. The goal of VPN session affinity is to locate the clear-text and IPsec tunnel session in the same SPU. Without VPN session affinity, a clear-text session created by a flow might be located in one SPU and the tunnel session created by IPsec might be located in another SPU. An SPU to SPU forward or hop is needed to route clear-text packets to the IPsec tunnel. By default, VPN session affinity is disabled on SRX Series devices. Enabling VPN session affinity can improve VPN throughput under certain conditions.