Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. 

Per a phone interview between the examiner and the attorney of record conducted on 03/09/2021, both the examiner and the attorney agreed that amending the claims as shown below would overcome the prior art rejection and place the claimed subject matter in condition for allowance. 

Examiner’s Amendment
Amendments to the Claims: 
This listing of claims will replace all prior versions, and listings, of claims in the application: 
Listing of Claims: 

one or more hardware processors;
computer memory holding computer program instructions executable by the one or more hardware processors and configured to:
establish and maintain a partitioned namespace, each partition in the partitioned namespace having a set of sequence numbers uniquely associated with a given one of the set of machines in the VPN cluster to provide replay protection; 
receive a set of data flows over a single logical tunnel connected between an external computing entity and the apparatus, the set of data flows including at least one data flow having associated therewith a flow identifier hash value; 
upon being selected as a leader by a leader election routine executing across the set of machines, implement a load balancing routine with respect to a load presented by the set of data flows over the single logical tunnel, thereby load balancing the data flows over the single logical tunnel such that the load within the single logical tunnel is shared among the set of machines and the replay protection is maintained, the flow identifier hash value determining a particular one of the set of machines in the VPN cluster to receive and process the at least one data flow persistently; and 
associate a sequence number with a response generated by the particular machine, the sequence number being from the set of sequence numbers uniquely associated with the particular machine;
wherein the apparatus is positioned to receive the set of data flows at a content delivery network (CDN) edge region located at an ingress point to the content delivery network, thereby acting as a VPN cluster concentrator with respect to the set of data flows, the apparatus providing at least one CDN-specific Transmission Control Protocol (TCP) optimization and at least one CDN-specific routing optimization together with further transport of the data flows to another CDN edge region across the content delivery network, wherein the at least one TCP optimization is one of: packet loss mitigation, and TCP buffer management.

2.	(original) The apparatus as described in claim 1 wherein the computer program instructions are further operative in response to receipt of a new data flow associated with the flow identifier hash value and the sequence number to direct the new data flow back to the particular machine.  

3.	(original) The apparatus as described in claim 1 wherein the set of data flows in the single logical tunnel are each an Internet Protocol Security (IPsec) data flow. 

4.	(original) The apparatus as described in claim 3 wherein the partitioned namespace is defined by a set of bits within an IPsec Security Parameter Index (SPI).  

5.	(original) The apparatus as described in claim 4 wherein associating the sequence number ensures that IPsec replay protection is enabled on the response.

6.	(original) The apparatus as described in claim 1 wherein the flow identifier hash value is calculated by applying a given hash function to source and destination information defining the at least one data flow. 

7.	(original) The apparatus as described in claim 6 wherein the flow identifier hash value is associated in an Encapsulating Security Payload (ESP) payload. 

8.	(cancelled)  

9.	(previously presented) The apparatus as described in claim 1 wherein the external computing entity is a network appliance that establishes and manages the single logical tunnel.  



11.	(original) The apparatus as described in claim 1 wherein the set of machines are physical machines or virtual machines.  

12.	(cancelled) 
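The partitioned sequence-number namespace of claims 1, 4 and 6, worked through as an added Python example (not the applicant's code or any vendor implementation). It assumes the top 4 bits of the 32-bit IPsec SPI carry the machine identifier, a 64-entry RFC 4303-style receiver window, and constructed SPI and flow values; the last function contrasts one shared SPI with partitioned SPIs when two cluster machines each number their own packets from 1.

```python
import hashlib

SPI_BITS = 32
PARTITION_BITS = 4            # assumption: top 4 SPI bits name the cluster machine
LOW_MASK = (1 << (SPI_BITS - PARTITION_BITS)) - 1
BASE_SPI = 0x0A5C3E17         # constructed tunnel SPI (only its low 28 bits are used)
WINDOW, WMASK = 64, (1 << 64) - 1   # anti-replay window width and bitmap mask

def partition_spi(base_spi: int, machine_id: int) -> int:
    """Place machine_id in the partition bits; the rest of the SPI is shared."""
    if not 0 <= machine_id < (1 << PARTITION_BITS):
        raise ValueError("machine_id does not fit the partition bits")
    return (machine_id << (SPI_BITS - PARTITION_BITS)) | (base_spi & LOW_MASK)

def machine_of_spi(spi: int) -> int:
    return spi >> (SPI_BITS - PARTITION_BITS)

def select_machine(src: str, dst: str, sport: int, dport: int, n_machines: int) -> int:
    """Flow identifier hash: the same 4-tuple always lands on the same machine."""
    digest = hashlib.sha256(f"{src}|{dst}|{sport}|{dport}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_machines

class ReplayWindow:
    """Receiver-side sliding window, one instance per SPI (bit 0 = highest seen)."""
    def __init__(self):
        self.top, self.bitmap = 0, 0
    def accept(self, seq: int) -> bool:
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & WMASK) if shift < WINDOW else 0
            self.bitmap |= 1
            self.top = seq
            return True
        if self.top - seq >= WINDOW:
            return False                      # older than the window
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                      # already seen: replay
        self.bitmap |= bit
        return True

def deliver(packets):
    windows = {}                              # one window per SPI, as a receiver keeps
    return [windows.setdefault(spi, ReplayWindow()).accept(seq) for spi, seq in packets]

def shared_vs_partitioned():
    shared = deliver([(BASE_SPI, 1), (BASE_SPI, 2), (BASE_SPI, 1), (BASE_SPI, 2)])
    a, b = partition_spi(BASE_SPI, 0), partition_spi(BASE_SPI, 1)
    parted = deliver([(a, 1), (a, 2), (b, 1), (b, 2)])
    return shared, parted
```

With a shared SPI the second machine's packets 1 and 2 are rejected as replays; with per-machine partitions all four are accepted, which is the replay protection the claims preserve across the cluster.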


Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Regarding claim 1, it discloses an apparatus operative within a virtual private network (VPN) cluster that comprises a set of machines, comprising: one or more hardware processors; computer memory holding computer program instructions executable by the one or more hardware processors and configured to: establish and maintain a partitioned namespace, each partition in the partitioned namespace having a set of sequence numbers uniquely associated with a given one of the set of machines in the VPN cluster to provide replay protection; receive a set of data flows over a single logical tunnel connected between an external computing entity and the apparatus, the set of data flows including at least one data flow having associated therewith a flow identifier hash value; upon being selected as a leader by a leader election routine executing across the set of machines, implement a load balancing routine with respect to a load presented by the set of data flows over the single logical tunnel, thereby load balancing the data flows over the single logical tunnel such that the load within the single logical tunnel is shared among the set of machines and the replay protection is 
These claimed features contain particular communications between the network entities as well as specific procedures for obtaining specific contents of such communications that are not taught by the prior art of record, alone or in combination.  Hence, these claimed features contain allowable subject matter.  
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The following prior art references are cited to show systems which are considered pertinent to the claimed invention. 
See form PTO-892 for detail.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YEE LAM whose telephone number is 571-270-7577.  The examiner can normally be reached on Mon-Fri 8am-5pm.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Marsha Banks-Harold can be reached on 571-272-7905.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/YEE F LAM/Primary Examiner, Art Unit 2465