Technical Tip: SD-WAN rule with settings as ‘set mode load-balance’
Description
This article describes the traffic behavior when an SD-WAN rule is configured with 'set mode load-balance' from the CLI, or as 'Maximize Bandwidth (SLA)' in the GUI.
Scope
FortiGate.
Solution
SD-WAN config:
config system virtual-wan-link
    set status enable
    set load-balance-mode source-dest-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 10.191.47.254
        next
        edit 2
            set interface "wan2"
            set gateway 10.191.31.254
        next
    end
    config health-check
        edit "test_hc"
            set server "8.8.4.4"
            set interval 1000
            set failtime 15
            set recoverytime 120
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 20
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "test_rule_load_balance"
            set mode load-balance    <----- Configured here.
            set dst "all"
            set src "all"
            config sla
                edit "test_hc"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
Note:
- Starting with v6.4.1, 'config system virtual-wan-link' was replaced by 'config system sdwan'.
- Starting with v7.4.1, the 'set mode load-balance' option was removed and a new option, 'set load-balance enable', was added to achieve similar functionality. More details are available in the article: Use maximize bandwidth to load balance traffic between ADVPN shortcuts
With the above configuration (source "all", destination "all"), all traffic matches the SD-WAN rule configured with mode load-balance.
With a rule configured as 'mode load-balance', the rule selects the set of priority members that meet the configured SLA target (here 'test_hc', SLA id 1) and distributes new sessions among them (basic round robin). The distribution is per session, not per packet: once a session has been assigned to a member, its packets keep using that member.
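The behavior just described, as an added example that is not Fortinet code and not part of the original article: a small model of a 'mode load-balance' rule built from the SLA 1 thresholds and the two priority members in the config above. The health-check measurements and the session tuples are constructed sample data. Only what the article states is modelled (SLA-gated eligible set, round robin for new sessions, existing sessions stay on their member); what a FortiGate does with established sessions when a member later leaves SLA is not described on this page and is therefore not modelled.

```python
# Added example, not Fortinet code: model of the article's description of a
# 'mode load-balance' SD-WAN rule. Thresholds and member seqs come from the
# config above; measurements and session tuples below are constructed samples.
from itertools import cycle

SLA = {"latency": 250, "jitter": 20, "packetloss": 5}   # 'config sla' edit 1 of test_hc
MEMBERS = {1: "wan1", 2: "wan2"}                         # 'config members' seq -> interface


def members_in_sla(measurements, sla=SLA):
    """Member seqs whose latency, jitter and packet loss are all within the SLA thresholds."""
    return [seq for seq, m in sorted(measurements.items())
            if all(m[k] <= sla[k] for k in sla)]


class LoadBalanceRule:
    def __init__(self, priority_members, measurements):
        self.priority_members = list(priority_members)   # 'set priority-members 1 2'
        self.pinned = {}                                  # session key -> member seq
        self.refresh(measurements)

    def refresh(self, measurements):
        """Recompute the eligible set from new health-check results. In this model
        this only affects new sessions; the article does not say what happens to
        established sessions when a member leaves SLA, so that is not modelled."""
        ok = set(members_in_sla(measurements))
        self.eligible = [s for s in self.priority_members if s in ok]
        self._rr = cycle(self.eligible)

    def select(self, session):
        """Member seq for a packet of `session` (here a constructed 5-tuple)."""
        if session in self.pinned:
            return self.pinned[session]         # existing session: same member as before
        if not self.eligible:
            raise ValueError("no member meets SLA; this case is not covered by the article")
        seq = next(self._rr)                    # basic round robin over eligible members
        self.pinned[session] = seq
        return seq


def demo():
    """Constructed scenario: both members in SLA, then wan2 falls out of SLA."""
    good = {1: {"latency": 30, "jitter": 2, "packetloss": 0},
            2: {"latency": 45, "jitter": 3, "packetloss": 0}}
    rule = LoadBalanceRule([1, 2], good)
    flows = [("192.168.131.89", "8.8.8.8", 1, 1, 0),
             ("192.168.131.90", "8.8.8.8", 6, 51000, 443),
             ("192.168.131.91", "1.1.1.1", 17, 40000, 53)]
    first = [MEMBERS[rule.select(f)] for f in flows]    # ['wan1', 'wan2', 'wan1']
    repeat = [MEMBERS[rule.select(f)] for f in flows]   # same members as first time
    bad = {**good, 2: {"latency": 400, "jitter": 3, "packetloss": 0}}
    rule.refresh(bad)                                   # wan2 now out of SLA
    new_flow = MEMBERS[rule.select(("192.168.131.92", "8.8.8.8", 6, 52000, 443))]  # 'wan1'
    return first, repeat, new_flow


if __name__ == "__main__":
    print(demo())
```

The session key is what makes the behavior session-based rather than packet-based; in the debug flow later in this article the equivalent is the session id that subsequent packets are matched against.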
diagnose firewall proute list
list route policy info(vf=root):
id=2131820545 vwl_service=1(test_rule_load_balance) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x10 load-balance tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=17 num_pass=1 oif=18 num_pass=1
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=17 last_used=2020-06-24 02:52:39
The debug flow below shows this: the first packet allocates a new session (000ae438), is matched by policy route id=2131820545 (the load-balance rule) and is sent via ifindex-17 (wan1). Every subsequent packet finds the existing session and is forwarded to wan1 as well; the policy route is not evaluated again for that session.
Debug Flow.
FortiGate# diagnose debug flow filter daddr 8.8.8.8
FortiGate# diagnose debug flow filter proto 1
FortiGate# diagnose debug flow trace start 10000
FortiGate# diagnose debug enable
id=20085 trace_id=1057 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=601."
id=20085 trace_id=1057 func=init_ip_session_common line=5666 msg="allocate a new session-000ae438"
id=20085 trace_id=1057 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=2131820545: to 8.8.8.8 via ifindex-17"
id=20085 trace_id=1057 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.191.47.254 via wan1"
id=20085 trace_id=1057 func=fw_forward_handler line=771 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1057 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"
id=20085 trace_id=1058 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=602."
id=20085 trace_id=1058 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1058 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1058 func=fw_forward_dirty_handler line=449 msg="state=00000204, state2=00000001, npu_state=00000001"
id=20085 trace_id=1058 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"
id=20085 trace_id=1059 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=603."
id=20085 trace_id=1059 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1059 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1059 func=fw_forward_dirty_handler line=449 msg="state=00000204, state2=00000001, npu_state=00000001"
id=20085 trace_id=1059 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"
id=20085 trace_id=1060 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=604."
id=20085 trace_id=1060 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1060 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1060 func=fw_forward_dirty_handler line=449 msg="state=00000204, state2=00000001, npu_state=00000001"
id=20085 trace_id=1060 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"
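A way to check this from the command output rather than by eye, as an added example that is not Fortinet code and not part of the original article: the script below parses the 'diagnose firewall proute list' entry and the debug flow lines shown above (copied here and trimmed to the lines the parser needs), then reports per session which member the load-balance rule chose at session creation, whether that member is one of the rule's oifs, how many later packets reused the session, and whether every packet left on the same interface. The regexes match the message formats visible in this article's output and nothing else.

```python
# Added example, not Fortinet code: verify from 'diagnose firewall proute list'
# and 'diagnose debug flow' output that a load-balance rule pins each session
# to one member. Sample text is copied from the article output, trimmed.
import re

PROUTE_SAMPLE = (
    "id=2131820545 vwl_service=1(test_rule_load_balance) vwl_mbr_seq=1 2 "
    "dscp_tag=0xff 0xff flags=0x10 load-balance tos=0x00 tos_mask=0x00 protocol=0 "
    "sport=0:65535 iif=0 dport=1-65535 oif=17 num_pass=1 oif=18 num_pass=1\n"
)

FLOW_SAMPLE = """\
id=20085 trace_id=1057 func=init_ip_session_common line=5666 msg="allocate a new session-000ae438"
id=20085 trace_id=1057 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=2131820545: to 8.8.8.8 via ifindex-17"
id=20085 trace_id=1057 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.191.47.254 via wan1"
id=20085 trace_id=1058 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1058 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1059 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1059 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1060 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1060 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
"""

RE_PROUTE = re.compile(r"^id=(\d+) vwl_service=(\d+)\((\w+)\)")
RE_TRACE = re.compile(r"trace_id=(\d+)")
RE_NEW = re.compile(r"allocate a new session-([0-9a-f]+)")
RE_EXISTING = re.compile(r"Find an existing session, id-([0-9a-f]+)")
RE_PROUTE_HIT = re.compile(r"Match policy routing id=(\d+): to \S+ via ifindex-(\d+)")
RE_ROUTE = re.compile(r'find a route: .* via (\S+)"')
RE_OFFLOAD = re.compile(r"Trying to offloading session from \S+ to (\S+),")


def parse_proute(text):
    """Policy routes installed by SD-WAN rules: id -> service, name, mode flag, member oifs."""
    rules = {}
    for line in text.splitlines():
        m = RE_PROUTE.match(line)
        if m:
            rules[m.group(1)] = {
                "service": int(m.group(2)),
                "name": m.group(3),
                "load_balance": "load-balance" in line.split(),
                "oifs": [int(x) for x in re.findall(r"oif=(\d+)", line)],
            }
    return rules


def parse_flow(text):
    """One record per trace_id (one trace per packet): session id, whether it was
    newly allocated, the policy route hit and the egress interface."""
    packets = {}
    for line in text.splitlines():
        t = RE_TRACE.search(line)
        if not t:
            continue
        pkt = packets.setdefault(int(t.group(1)), {
            "session": None, "new": False, "proute": None, "ifindex": None, "egress": None})
        if m := RE_NEW.search(line):
            pkt["session"], pkt["new"] = m.group(1), True
        elif m := RE_EXISTING.search(line):
            pkt["session"] = m.group(1)
        elif m := RE_PROUTE_HIT.search(line):
            pkt["proute"], pkt["ifindex"] = m.group(1), int(m.group(2))
        elif m := (RE_ROUTE.search(line) or RE_OFFLOAD.search(line)):
            pkt["egress"] = m.group(1)
    return packets


def check_sessions(flow_text, proute_text):
    """Per session: member chosen at creation, whether it belongs to the matched
    load-balance rule, packets that reused the session, and interface stickiness."""
    rules = parse_proute(proute_text)
    packets = parse_flow(flow_text)
    sessions = {}
    for tid in sorted(packets):
        pkt = packets[tid]
        if pkt["session"] is None:
            continue
        s = sessions.setdefault(pkt["session"], {
            "proute": None, "ifindex": None, "member_ok": False,
            "new_packets": 0, "reused_packets": 0, "egress": set()})
        if pkt["new"]:
            s["new_packets"] += 1
            s["proute"], s["ifindex"] = pkt["proute"], pkt["ifindex"]
            rule = rules.get(pkt["proute"])
            s["member_ok"] = bool(rule and rule["load_balance"] and pkt["ifindex"] in rule["oifs"])
        else:
            s["reused_packets"] += 1
        if pkt["egress"]:
            s["egress"].add(pkt["egress"])
    for s in sessions.values():
        # sticky: allocated exactly once and every traced packet used the same interface
        s["sticky"] = s["new_packets"] == 1 and len(s["egress"]) == 1
    return sessions


if __name__ == "__main__":
    for sid, s in check_sessions(FLOW_SAMPLE, PROUTE_SAMPLE).items():
        print(sid, s["proute"], s["ifindex"], s["member_ok"], sorted(s["egress"]),
              s["reused_packets"], s["sticky"])
```

On a real device, capture the two outputs to files and feed them to check_sessions(); a session reported with sticky=False, or with member_ok=False, is the one to look at, since it left on an interface other than the one the load-balance rule assigned at session creation, or on an interface that is not one of the rule's members at all.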
Related document:
SD-WAN rules - maximize bandwidth (SLA)
