Corrected Notice of Allowance

Notice of Pre-AIA or AIA Status
1.    The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Terminal Disclaimer
2.    The terminal disclaimer filed on 10/22/2020 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent No. 10,051,000, has been reviewed and is accepted. The terminal disclaimer has been recorded.

Information Disclosure Statement
3.    The information disclosure statements (IDS) submitted on 8/14/2020 and 1/11/2021 were filed after the mailing date of the non-final rejection on 07/22/2020. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

EXAMINER'S AMENDMENT
4.    An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
5.    Authorization for this examiner’s amendment was given in an interview with Austin Kim on 12/3/2020.

The application has been amended as follows:
1-20. (Canceled)

21. (Currently Amended) A method comprising
(a)    establishing, by a device intermediary to a plurality of clients and one or more servers, a plurality of paths concurrently for an IPsec connection, the IPsec connection associated with the plurality of paths sharing an IPsec security association, the plurality of paths between the device and one of the plurality of clients or the one or more servers;
(b)    receiving, by the device, a datagram to transmit via one of the plurality of paths to one of the plurality of clients or the one or more servers;
(c)    creating, by the device, metadata for the datagram based at least on a priority of the datagram;
(d)    encoding, by the device, the datagram with at least one the IPSec security association of the IPsec connection;
(e)    determining, by the device, based on the metadata, routing information for the datagram, the routing information included in the metadata;
(f)    selecting, by the device, a path from the plurality of paths for the IPsec connection based at least on the priority and routing information of the metadata; and
(g)    transmitting, by the device, the datagram via the selected connection.

31. (Currently Amended) A system comprising
a device intermediary to a plurality of clients and one or more servers, the device configured to:
establish a plurality of paths concurrently for an IPsec connection, the IPsec connection associated with the plurality of paths sharing an IPsec security association, the plurality of paths between the device and one of the plurality of clients or the one or more servers;
receive a datagram to transmit via one of the plurality of paths to one of the plurality of clients or the one or more servers;
create metadata for the datagram based at least on a priority of the datagram;
encode the datagram with at least one the IPSec security association of the IPsec connection;
determine, based on the metadata, routing information for the datagram, the routing information included in the metadata,
select a path from the plurality of paths for the IPsec connection based at least on the priority and routing information of the metadata; and transmit the datagram via the selected connection.
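Claims 21 and 31 describe the same procedure in method and system form: several paths are established concurrently for one IPsec connection and share a single security association, per-datagram metadata is built from the datagram's priority and carries its routing information, the datagram is encoded under the shared SA, and the path is chosen from the priority and routing information before transmission. The following Python model is an added illustration written for this page, not code from the patent, the applicant, or the examiner. The path attributes (latency, load), the destination-to-path routing table, the selection policy (highest priority takes the lowest-latency path, best effort takes the least-loaded one), and the ESP-like frame of SPI, sequence number, payload and truncated HMAC tag are all constructed assumptions; real ESP uses an AEAD cipher and a 64-bit extended sequence number. Because all paths share the SA's sequence counter, the receiver's anti-replay window must tolerate frames arriving out of order across paths, which is the concern the 20150188823 reference raises in its paragraph 0099; the `verify` function shows a window that rejects duplicates and stale sequence numbers while still accepting reordered ones.

```python
"""Added model of the claimed multi-path IPsec flow (constructed; not the patent's code)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

TAG_LEN = 12  # truncated HMAC-SHA256 tag; stand-in for ESP's ICV/AEAD tag


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    seq: int = 0  # one sequence counter shared by every path of this SA


@dataclass
class Path:
    name: str
    latency_ms: int
    load: int = 0  # bytes sent so far (constructed load metric)


@dataclass
class Datagram:
    dst: str
    priority: int  # 0 = best effort ... 2 = highest (constructed scale)
    payload: bytes


def create_metadata(dg, routes):
    """Steps (c) and (e): metadata keyed on priority, with routing info embedded.
    routes maps a destination to the set of path names able to reach it."""
    return {"priority": dg.priority, "route": routes[dg.dst]}


def encode(dg, sa):
    """Step (d): frame the datagram under the shared SA as SPI | seq | payload | tag."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    tag = hmac.new(sa.key, header + dg.payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + dg.payload + tag


def select_path(paths, metadata):
    """Step (f): among paths that can reach the destination, highest priority
    takes the lowest-latency path; everything else takes the least-loaded one."""
    candidates = [p for p in paths if p.name in metadata["route"]]
    if not candidates:
        raise ValueError("no established path reaches the destination")
    if metadata["priority"] >= 2:
        return min(candidates, key=lambda p: p.latency_ms)
    return min(candidates, key=lambda p: (p.load, p.latency_ms))


def transmit(paths, sa, routes, dg):
    """Steps (b) through (g) for one datagram; returns (path name, encoded frame)."""
    metadata = create_metadata(dg, routes)
    frame = encode(dg, sa)
    path = select_path(paths, metadata)
    path.load += len(frame)
    return path.name, frame


def new_window(size=64):
    """Receiver replay state for the shared SA: highest seq seen plus a set of seen seqs."""
    return {"highest": 0, "seen": set(), "size": size}


def verify(sa, frame, window):
    """Receiver side: check SPI and tag, then enforce the anti-replay window.
    Reordered frames (from different paths) are accepted as long as they are
    unseen and not older than the window; duplicates are rejected. Returns the
    payload, or None when the frame is rejected."""
    spi, seq = struct.unpack("!II", frame[:8])
    payload, tag = frame[8:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(sa.key, frame[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
    if spi != sa.spi or not hmac.compare_digest(tag, expected):
        return None
    if seq in window["seen"] or seq + window["size"] <= window["highest"]:
        return None
    window["seen"].add(seq)
    window["highest"] = max(window["highest"], seq)
    return payload


def run_demo():
    """Three datagrams over three constructed paths; returns the chosen path names."""
    sa = SecurityAssociation(spi=0x1234, key=b"constructed-demo-key")
    paths = [Path("mpls", 20), Path("broadband", 60), Path("lte", 90)]
    routes = {"10.0.0.5": {"mpls", "broadband", "lte"}, "10.0.0.9": {"broadband", "lte"}}
    datagrams = [
        Datagram("10.0.0.5", 2, b"voice"),
        Datagram("10.0.0.5", 0, b"bulk-backup" * 50),
        Datagram("10.0.0.9", 2, b"rpc"),
    ]
    return [transmit(paths, sa, routes, d)[0] for d in datagrams]


if __name__ == "__main__":
    print(run_demo())
```

In the demo the voice datagram takes the lowest-latency path, the bulk transfer is steered to an idle path, and the third datagram is limited to the paths its routing information allows. Frames delivered out of sequence across paths still verify, while a replayed frame or a modified tag is dropped.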

Reasons for Allowance
6.    Claims 21-40, including all of the limitations of the base claim and any intervening claims, are allowed.
Closest Prior Art:
U.S. Publication No. 20100313023 discloses in Fig. 1 and paragraph 0007: “In a one-to-many network scenario as shown in FIG. 1, one network node communicates with other nodes. This application requires IKE negotiation to implement IPsec. The core site connects to each remote site over a VPN connection, but the remote sites do not set up VPN connections among one another. Remote sites carry out VPN communications with one another through the core site. For this purpose, the core site must be capable of concurrently establishing an IPSec connection and SAs to each remote site.” Paragraph 0016: “This solution distributes IKE negotiation tasks to different service cards of a device, instead of the main board. The distributed processing allows a node to simultaneously set up a large number of IPsec connections with remote sites.”

U.S. Publication No. 20120147839 discloses in paragraph 0043: “In the embodiment of the present invention, the sharing the resources by the at least two traffic flows may specifically be: sharing, by PDN connections corresponding to the at least two traffic flows, a wireless bearer and an SI default bearer; or sharing, by PDN connections corresponding to the at least two traffic flows, an IPSec tunnel.”

U.S. Publication No. 20150188823 discloses in paragraph 0087: “Rather, the technique herein ensures that load balancing of the data flows within the single logical tunnel is achieved while ensuring that two important additional characteristics are met: (1) that load within the single logical tunnel is shared among the machines in the VPN cluster concentrator, with flows shifted across those machines as necessary for load balancing, while maintaining an assurance that replay protection remains in place (in other words, that packet replays can be detected); and (2) that a particular flow that has been directed to a particular machine in the VPN cluster concentrator is persisted to the machine so as to avoid problems associated with packet re-ordering that would otherwise be required if this specific data flow-per cluster machine association were not enforced during load balancing.” Paragraph 0099: “This method of replay protection is problematic for a load-balanced tunnel endpoint, where a full region will act as a single logical IPsec endpoint, sharing the security association. For this reason, preferably each individual machine in the region and the non-load-balanced endpoint maintains sequence numbers that are unique for each of the host-specific SPI values. The global SPI has shared sequence numbers, but this SPI is only used for transmissions to the load-balanced region, not from it. For all machines that might need to authenticate packets that used the global SPI to function correctly, the global SPI's received sequence number periodically is synchronized within the region. As long as it is synchronized more frequently than would be required for the 32-bit low-order sequence number to wrap, all the machines in the region will know what the high order 32-bits are, thereby allowing those machines to calculate the necessary integrity check values.”

U.S. Publication No. 20050198691 discloses in paragraph 0016: “The method may further comprise sharing at least one security association among the plurality of security gateways.” Paragraph 0030: “For example, since inbound processing is no longer dependent on destination IP address, the change of outer IP address would not affect a security gateway's ability to locate the correct SA(s). Further, with the removal of dependency on destination IP address, the same SA may be shared among multiple IPsec tunnels and multiple nodes in a group.”

The following is an Examiner’s Statement of Reasons for Allowance:
Claims 21-40 are allowable because the prior art references, taken individually or in combination, fail to particularly disclose, fairly suggest, or render obvious the claimed subject matter, as argued by the applicant, which the examiner considers persuasive as set forth above.
Although the prior art discloses establishing concurrent IPsec connections and selecting a path for an IPsec connection, no single reference or combination of references anticipates or obviously suggests establishing, by a device intermediary to a plurality of clients and one or more servers, a plurality of paths concurrently for an IPsec connection, the IPsec connection associated with the plurality of paths sharing an IPsec security association.
Furthermore, the prior art does not disclose or suggest receiving, by the device, a datagram to transmit via one of the plurality of paths to one of the plurality of clients or the one or more servers; creating, by the device, metadata for the datagram based at least on a priority of the datagram; encoding, by the device, the datagram with at least one the IPSec security association of the IPsec connection; and determining, by the device, based on the metadata, routing information for the datagram, the routing information included in the metadata.
Lastly, the prior art does not disclose or suggest selecting, by the device, a path from the plurality of paths for the IPsec connection based at least on the priority and routing information of the metadata, and transmitting, by the device, the datagram via the selected connection.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571) 270-5192. The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel, can be reached at 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GARY S GRACIA/Primary Examiner, Art Unit 2491