Classified traffic not following SD-WAN SLA rules

Question

Hello,I have two FortiGates (Site 1 & Site 3) connected via two GRE overlays:GRE_DC1_S3_AS20 – latency: 0.39ms, packet loss: 0%, jitter: 0.05msGRE_DC1_S3_SP5 – latency: 35.15ms, packet loss: 0%, jitter: 2.79msI configured SD-WAN between the two sites.Test scenario:Site 1: 172.16.213.2Site 3: 172.16.233.31. Best-effort / untagged trafficSD-WAN rule: Best Quality, latency criterionTraffic correctly uses AS20When AS20 degrades, traffic fails over to SP5 → works as expectedAfter this test, I modified the SD-WAN rule for untagged traffic:Strategy: ManualPreferred interface: SP5Observed behavior:Untagged traffic correctly goes via SP5 (as intended)2. Classified traffic (CS6) SD-WAN ruleNetwork Control for CS6 class trafficStrategy: Best QualityCriteria: LatencyProtocol specification:Protocol number: 0Type of Service (TOS): 0xc0Bit mask: 0xffTest ping from 172.16.233.2 :ping -s 600 -c 100 -D -Q 0xc0 172.16.213.2Expected behavior:Traffic should use AS20 because latency (0.39ms) is well below the SLA threshold (30ms)SP5 latency (35.15ms) is above the threshold → it should not be selectableTest unvalid:Classified traffic also goes via SP5, even though it should follow Best Quality / latencyObservations:diagnose sniffer packet GRE_DC1_S3_SP5 "host 172.16.233.2 and len=628" 4 1000 l sniff the ping on SP5 linkGUI shows route via AS20 for classified trafficdiagnose sys sdwan service shows both links selectedClassified traffic still exits via SP5Question:Why is classified traffic still using SP5 even though its latency exceeds SLA? How can I enforce SD-WAN path selection according to SLA for classified traffic, independently of untagged traffic rules?

akileshc · Accepted Answer

Hello Danibow,

Based on the details you've provided and the standard behavior of FortiOS, your CS6 traffic is likely being matched by the untagged (Manual/SP5) rule instead of the intended Best Quality rule. This happens because SD-WAN selects the first matching rule in its sequence .

Even though the "Best Quality" rule is configured for CS6 traffic, if the "Manual" rule for untagged traffic appears higher in the SD-WAN rule list, it will match all traffic first, including your tagged traffic, and send it out via SP5 as you observed.

To enforce the correct behavior, the SD-WAN rules must be processed from most specific to most general . Your "Classified traffic (CS6) SD-WAN rule" with Best Quality must be evaluated before the "Best-effort / untagged traffic" rule with the Manual/SP5 strategy.

Here is the recommended order for your rules:

Rule 1: Classified Traffic (CS6) – This rule should be first. It has a specific TOS match (0xc0/0xff). Traffic matching this TOS value will be steered according to the Best Quality (latency) strategy.

Rule 2: Best-effort / untagged traffic – This rule should be second. As it has no TOS match, it will catch all remaining traffic and send it via the Manual SP5 interface, as you intended.

You can reorder rules using the GUI (by dragging them) or the CLI. After reordering, clear existing sessions to ensure new traffic follows the updated rules.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded