[Help] SD-WAN with BGP on Loopback Issues – Packets Dropped on Hub Side
Hi everyone,
I'm at my wit's end trying to configure SD-WAN with BGP on loopback with segmentation over a single overlay (no ADVPN). Here's the situation:
Problem:
- Hub and Spoke tunnel connectivity is established.
- Pinging from Spoke's loopback to Hub's loopback fails (packets are dropped on the Hub side).
- Pinging from Hub's loopback to Spoke's loopback works fine.
I’ve triple-checked the following:
- Firewall policies (overlay -> Loopback: any any).
- Local-in policies.
- Routing.
- Interface configurations.
The Hub's local traffic log shows the packets arriving, but there are no replies.
| Field | Value |
| --- | --- |
| Application Name | BGP |
| Protocol | 6 |
| Service | BGP |
| Received Bytes | 0 B |
| Received Packets | 0 |
| Sent Bytes | 0 B |
| Sent Packets | 0 |
| VPN Type | ipsecvpn |
| Message | Connection Failed |
| Action | deny |
| Threat | 262,144 |
| Policy Type | Firewall |
Packet Sniffer:
Confirms the packets are entering the Hub but vanishing with no response.
Configuration Details:
Here’s the relevant config for both Hub and Spoke:
## Hub ##
config system interface
edit "Loopback-HC"
set type loopback
set vrf 1
set ip 10.10.11.254/32
set allowaccess ping
next
edit "Loopback0"
set type loopback
set vrf 1
set ip 10.10.98.1/32
set allowaccess ping
next
end
config vpn ipsec phase1-interface
edit "EDGE_MPLS_0"
set type dynamic
set interface "vlan_10-sdwan-gw"
set ike-version 2
set peertype dialup
set usrgrp "usrgrp-mpls"
set proposal aes256gcm-prfsha256 aes256-sha256
set encapsulation vpn-id-ipip
set exchange-interface-ip enable
set exchange-ip-addr4 10.10.98.1
set add-route disable
set network-overlay enable
set network-id 53
set dpd-retrycount 2
set dpd-retryinterval 5
set dpd on-idle
next
end
config vpn ipsec phase2-interface
edit "EDGE_MPLS_0"
set phase1name "EDGE_MPLS_0"
set proposal aes256gcm
set keepalive enable
next
end
config system interface
edit "EDGE_MPLS_0"
set vrf 1
next
end
## SPOKE ##
config system interface
edit "Loopback0"
set type loopback
set vrf 1
set ip 10.10.98.10/32
set allowaccess ping
next
end
config vpn ipsec phase1-interface
edit "H1_MPLS1"
set interface "port1"
set ike-version 2
set localid "usr-test-mpls"
set psksecret Secret
set keylife 28800
set peertype any
set net-device enable
set proposal aes256gcm-prfsha256 aes256-sha256
set idle-timeout enable
set encapsulation vpn-id-ipip
set exchange-interface-ip enable
set exchange-ip-addr4 10.10.98.10
set network-overlay enable
set network-id 53
set remote-gw 10.10.90.10
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
end
config vpn ipsec phase2-interface
edit "H1_MPLS1"
set phase1name "H1_MPLS1"
set proposal aes256gcm
set keepalive enable
set keylifeseconds 3600
next
end
config system interface
edit "H1_MPLS1"
set vrf 1
next
end
Any insights into what might be causing this behavior? I’ve been staring at the config for hours and can't pinpoint the issue.
Thanks in advance!
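One sanity check worth automating when debugging BGP-on-loopback setups like the one above is whether each tunnel's `exchange-ip-addr4` really points at a loopback that sits in the same VRF as the tunnel interface. The script below is an added example (not from the poster or Fortinet): it parses one level of FortiOS CLI text and reports mismatches, using the hub snippets from the post, trimmed to the keys it reads, as constructed input.

```python
from collections import defaultdict

# Constructed input: the hub's own snippets from the post, cut down to the keys the check reads.
HUB_CONFIG = """\
config system interface
    edit "Loopback0"
        set type loopback
        set vrf 1
        set ip 10.10.98.1/32
        set allowaccess ping
    next
end
config vpn ipsec phase1-interface
    edit "EDGE_MPLS_0"
        set type dynamic
        set exchange-interface-ip enable
        set exchange-ip-addr4 10.10.98.1
    next
end
config system interface
    edit "EDGE_MPLS_0"
        set vrf 1
    next
end
"""

def parse_fortios(text):
    """Parse one level of FortiOS CLI (config/edit/set/next/end) into
    {table: {entry: {key: value}}}; repeated 'config' blocks are merged."""
    cfg = defaultdict(dict)
    table = entry = None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            table = " ".join(args)
        elif verb == "edit":
            entry = args[0].strip('"')
            cfg[table].setdefault(entry, {})
        elif verb == "set":
            cfg[table][entry][args[0]] = " ".join(args[1:])
        elif verb == "next":
            entry = None
        elif verb == "end":
            table = None
    return cfg

def check_overlay(cfg):
    """Return findings about loopback / tunnel VRF and exchange-IP consistency (empty list = consistent)."""
    findings = []
    ifaces = cfg.get("system interface", {})
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("exchange-interface-ip") != "enable":
            continue
        addr = p1.get("exchange-ip-addr4")
        # Accept both "a.b.c.d/32" and "a.b.c.d 255.255.255.255" notations for the loopback IP.
        lo = next((n for n, i in ifaces.items() if i.get("type") == "loopback"
                   and i.get("ip", "").replace("/", " ").split()[:1] == [addr]), None)
        if lo is None:
            findings.append(f"{name}: exchange-ip-addr4 {addr} is not a loopback address")
            continue
        lo_vrf, tun_vrf = ifaces[lo].get("vrf", "0"), ifaces.get(name, {}).get("vrf", "0")
        if lo_vrf != tun_vrf:
            findings.append(f"{name}: tunnel vrf {tun_vrf} != {lo} vrf {lo_vrf}")
    return findings
```

For the posted hub config the check returns no findings, so the VRF and exchange-IP alignment is not the problem there; the same function can be run on the spoke side or on a full `show` dump.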
