Troubleshooting Tip: How to match debug flow to SD-WAN rules

To match debug flow output to an SDWAN rule, run diag firewall proute list and match it to the debug flow.

Match the ID in the proute list to the policy routing id=2131230723.

For example:

Debug flow output snippet: Technical Tip: Debug flow tool

id=65308 trace_id=11 func=iprope_dnat_check line=5505 msg="result: skb_flags-02000000, vid-0, ret-no-match, ac
t-accept, flag-00000000"
id=65308 trace_id=11 func=rpdb_srv_match_input line=1150 msg="Match policy routing id=2131230723: to X.X.X.8 v
ia ifindex-3"
id=65308 trace_id=11 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-X.X.X.254 vi
a port1"
id=65308 trace_id=11 func=__iprope_fwd_check line=810 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0,
app_id: 0, url_cat_id: 0"
id=65308 trace_id=11 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=2"
id=65308 trace_id=11 func=__iprope_check_one_policy line=2140 msg="checked gnum-100004 policy-1, ret-matched,
act-accept"
id=65308 trace_id=11 func=__iprope_user_identity_check line=1903 msg="ret-matched"
id=65308 trace_id=11 func=__iprope_check line=2404 msg="gnum-4e20, check-ffffffffa002cac7"
id=65308 trace_id=11 func=__iprope_check_one_policy line=2140 msg="checked gnum-4e20 policy-6, ret-no-match, a="in-[internal], out-[wan2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"

diag firewall proute list

id=2131230723(0x7f080003) vwl_service=3(internet) vwl_mbr_seq=1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask

=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)

path(1): oif=3(port1) path_last_used=2025-02-27 06:04:59

source(1): 0.0.0.0-255.255.255.255

destination(1): 0.0.0.0-255.255.255.255

Matching the ID in 'diag firewall proute list' to the ID in the debug flow will reveal that it matches the SD-WAN rule vwl_service=3, which is rule 3.

This is the screenshot showing the rule that is matched on the GUI.