Troubleshooting tip: SD-WAN rules with route-tag stop working after resetting SD-WAN settings
| Description | This article describes why SD-WAN rules with route-tags might not match after SD-WAN reset. |
| Scope | FortiGate in 7.2. |
Solution:

If the following command is run to reset the application control cache and route-tags for any reason, the SD-WAN rules with route-tags will stop working:

```
diagnose sys sdwan reset
```

Here, as an example, there are three SD-WAN members (port1, port8, port9). The FortiGate is configured to use port1 for traffic matching route-tag 10 (in this example only 8.8.8.8), and port9 or port8 for all other traffic.

```
FGT-7-2 # show system sdwan
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port8"
            set gateway 10.5.255.254
        next
        edit 2
            set interface "port9"
            set gateway 10.5.191.254
        next
        edit 3
            set interface "port1"
            set gateway 10.134.19.165
            set priority 100
        next
    end
    [...]
    config service
        edit 1
            set name "Tag-10"
            set route-tag 10
            set priority-members 3
        next
        edit 2
            set name "all-to-internet"
            set dst "all"
            set priority-members 2 1
        next
    end
end
```

Checking the SD-WAN service, only 8.8.8.8 matches rule 1, as it is the only address carrying route-tag 10:

```
FGT-7-2 # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(1):
    1: Seq_num(3 port1), alive, selected
  Route tag address(1): 8.8.8.8-8.8.8.8

Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 port9), alive, selected
    2: Seq_num(1 port8), alive, selected
  Dst address(1): 0.0.0.0-255.255.255.255
```

After resetting SD-WAN, rule 1 no longer matches any traffic:

```
FGT-7-2 # diagnose sys sdwan reset
All SD-WAN application ctrl internet service cache and route-tag address cache will be clean out.
Do you want to continue? (y/n)y

FGT-7-2 # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Service disabled caused by no destination.
  Members(1):
    1: Seq_num(3 port1), alive, selected

Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 port9), alive, selected
    2: Seq_num(1 port8), alive, selected
  Dst address(1): 0.0.0.0-255.255.255.255
```

This is normal behavior: route-tag addresses are learned from BGP, not from the sdwan daemon, and resetting SD-WAN discards this information. To recover, BGP must be restarted as well. In this example, after restarting BGP, the SD-WAN rules with route-tags match the correct addresses again:

```
FGT-7-2 # execute router clear bgp all

FGT-7-2 # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(1):
    1: Seq_num(3 port1), alive, selected
  Route tag address(1): 8.8.8.8-8.8.8.8

Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 port9), alive, selected
    2: Seq_num(1 port8), alive, selected
  Dst address(1): 0.0.0.0-255.255.255.255
```

Note: Restarting BGP is traffic affecting, as the BGP session will be torn down and must be re-established.

Note: This only applies to 7.2 and earlier. From 7.4, route-tag handling has been redesigned (Add route tag address objects) and an SD-WAN reset no longer loses route-tag information.

Related articles: Using BGP tags with SD-WAN rules (for 7.2 or earlier)
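A post-reset check, added here as an example (it is not part of the article or of FortiOS): it parses the `diagnose sys sdwan service` output quoted above and lists the rules FortiOS reports as disabled for lack of a destination, so an operator can confirm whether the BGP clear is still needed. The parser's assumptions about the output layout are noted in the code; the sample output is the article's post-reset capture.

```python
import re

# Sample `diagnose sys sdwan service` output taken from the article above,
# captured right after `diagnose sys sdwan reset` (rule 1 lost its route-tag address).
AFTER_RESET = """\
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Service disabled caused by no destination.
  Members(1):
    1: Seq_num(3 port1), alive, selected
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Tie break: cfg
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 port9), alive, selected
    2: Seq_num(1 port8), alive, selected
  Dst address(1): 0.0.0.0-255.255.255.255
"""

def parse_services(output):
    """Split the output into one dict per Service(N) block. Assumes the layout shown
    above: a 'Service(N):' header, then Members(...) and address(N) lines."""
    services = []
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Service\((\d+)\):", line)
        if m:
            services.append({"id": int(m.group(1)), "disabled": False,
                             "route_tag_addrs": 0, "dst_addrs": 0})
            continue
        if not services:
            continue  # preamble before the first service header
        cur = services[-1]
        if line.startswith("Service disabled"):
            cur["disabled"] = True
        elif m := re.match(r"Route tag address\((\d+)\):", line):
            cur["route_tag_addrs"] = int(m.group(1))
        elif m := re.match(r"Dst address\((\d+)\):", line):
            cur["dst_addrs"] = int(m.group(1))
    return services

def rules_without_destination(output):
    """Ids of rules FortiOS disabled, or that list no route-tag/dst address at all.
    A non-empty result after a reset means `execute router clear bgp all` is still needed."""
    return [s["id"] for s in parse_services(output)
            if s["disabled"] or s["route_tag_addrs"] + s["dst_addrs"] == 0]
```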
