Outbound SD-WAN rule with DNAT

Question

Hello!

Trying to sort this out a common(?) scenario with a DNAT in an SD-WAN configuration.

DNAT is configured in WAN1, inbound rule has SD-WAN zone as incoming interface, inbound traffic to the DNAT works (webpage service loads normally).

SD-WAN rules for catch-all traffic (Internet bound) is set to manual, with WAN2 as preferred interface, followed by WAN1 as backup.

When traffic is originated from the target server in the DNAT, it gets NAT'd to the proper interface (WAN1), however the traffic is being steered through WAN2 due to the SD-WAN rule

Only way that's working if an SD-WAN rule is above the catch-all with WAN1 as outgoing interface for this server only.

Is this the expected behavior? Any other options to get this working without the extra SD-WAN rule? PBR (WAN1 in WAN1 out, WAN2 in WAN2 out)? Auxiliary sessions and Asym traffic have been checked.

Running 7.2.11 on a 100F in this scenario.

TIA!

ElwinBERRAR · Accepted Answer

Yes, that behavior is normal with manual SD-WAN rules. Path selection always overrides routing or NAT decisions, so even if DNAT uses WAN1, SD-WAN may still send replies through WAN2.

The result is asymmetric traffic because packets enter via WAN1 but leave via WAN2. To fix it, add a higher-priority SD-WAN rule or a PBR forcing that server’s traffic to go out through WAN1.

AEK · Answer

Hi GarnicaYou said when the traffic is generated from the server it is sent through WAN2.Do you actually mean the traffic that is initiated or the replies?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded