Technical Tip: Behavior of enabling 'Update static route' in Performance SLA, where an interface member does not have an IP address

Consider a scenario where there is a port configured as an SD-WAN zone member. If, for any reason, an IP address is not configured on the port: adding the interface to a performance SLA (health-check) with the feature 'update-static-route' set as enabled will not remove any static route that references that interface, even though a health-check marks the interface as 'dead'.

For example: consider port3 as an interface that is part of an ISP2 SD-WAN zone, and is a member of a 'Default_Google Search' health-check with 'update-static-route' set to enable:

config system interface

    edit "port3" 
        set vdom "root"
        set allowaccess ping https http
        set type physical
    next

end

config system sdwan
    set status enable
        config zone
            edit "virtual-wan-link"
            next
            edit "ISP1"
            next
            edit "ISP2"
            next
        end
        config members
            edit 1
                set interface "port2"
                set zone "ISP1"
                set gateway 10.16.23.254
            next
            edit 2
                set interface "port3" <---------------
                set zone "ISP2"
            next
        end

    config system sdwan
        config health-check
            edit "Default_Google Search"
                set server "http://www.google.com"
                set protocol https
                set interval 1000
                set probe-timeout 1000
                set failtime 10
                set recoverytime 10
                set update-static-route enable <-----
                set members 1 2 <-----
                    config sla
                        edit 1
                            set latency-threshold 250
                            set jitter-threshold 50
                            set packetloss-threshold 10
                        next
                    end
                next

If there is a static route configured for port3, the route will be kept in the routing table, even though the health-check is in the failed state.

config router static

    edit 2
        set gateway 172.16.18.2
        set distance 1
        set device "port3"
    next
end

diagnose system sdwan health-check status

Health Check(Default_Google Search):
Seq(1 port2): state(alive), packet-loss(1.000%) latency(69.395), jitter(74.432), mos(4.110), bandwidth-up(9999978), bandwidth-dw(9999809), bandwidth-bi(19999787) sla_map=0x0
Seq(2 port3): state(dead), packet-loss(100.000%) sla_map=0x0 <-----

get router info routing-table all

S* 0.0.0.0/0 [1/0] via 172.16.18.2, port3, [1/0] <-----
[1/0] via 10.16.23.254, port2, [1/0]

This is expected behavior. The feature 'update-static-route' in a health-check works on the prerequisite that the health-check can install a dedicated route from the source to the destination. But in this case, the interface lacks a source IP, so the dedicated route installation fails. When this happens, health-check gives up control of the static route. 

This can cause traffic to be black holed. It is therefore important to avoid configuring static routes for an interface that is not yet assigned an IP address, even when there are SD-WAN health-checks configured to control the availability of the static routes.