I'm deploying an SD‑WAN configuration with BGP over loopback across my infrastructure.
Some spokes have only one WAN link, while others have two.
After configuring the dial‑up VPN on the hub (which only advertises the 10.200.0.0/16 network), and after creating the loopback interface used for BGP and the loopback used for health‑checks, I proceeded to configure the spokes.
Unfortunately, I ran into the following issue on the spokes that have two WAN links.
After creating the SD‑WAN rule that instructs all LAN traffic destined for the hub network (10.200.0.0/16) to use the VPN with the best latency, and after correctly configuring the SLA targets, only one of the two VPNs is detected as UP in the SLA targets.
The second VPN never shows as UP.
From my checks, it seems that only the first VPN is considered UP, because it is the only one responding to the SLA target ping.
This makes me suspect that there may be a missing configuration command related to BGP or VPN on the spokes.
Below is the configuration of one of the two VPNs on the spoke.
The other one is identical, except for the name and the WAN interface used:
config vpn ipsec phase1-interface
edit "VPN-HUB-"
set interface "port1"
set ike-version 2
set authmethod signature
set peertype any
set net-device disable
set exchange-interface-ip enable
set exchange-ip-addr4 10.200.100.126
set proposal aes256-sha512
set dhgrp 21
set remote-gw 25.x.x.x
set certificate "myfirewall.com"
next
this is the dial p vpn configuration on hub side:
edit "VPNtoSPOKEsites"
set type dynamic
set interface "port1"
set ike-version 2
set authmethod signature
set peertype peergrp
set net-device disable
set exchange-interface-ip enable
set exchange-ip-addr4 10.200.100.254
set proposal aes256-sha512
set add-route disable
set dpd on-idle
set dhgrp 21
set certificate "hubcert.com"
set peergrp "spoke-sites"
next
bgp hub configuration:
config router bgp
set as 60125
set router-id 10.200.100.254
config neighbor-group
edit "spokegroup"
set next-hop-self enable
set remote-as 60125
set update-source "Loopback0"
set additional-path send
next
end
config neighbor-range
edit 1
set prefix 10.200.100.0 255.255.255.0
set neighbor-group "spokegroup"
next
end
config network
edit 1
set prefix 10.200.100.254 255.255.255.255
next
edit 2
set prefix 10.200.0.0 255.255.0.0
next
bgp spoke configuration:
config router bgp
set as 60125
set router-id 10.200.100.254
config neighbor
edit "10.200.100.254"
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set interface "Loopback0"
set remote-as 60125
set update-source "Loopback0"
set additional-path receive
next
end
can anyone help me, don't know what is wrong.
Fw version is 7.4.9
Thank you
