Created on 01-17-2025 07:49 AM
Edited on 01-17-2025 08:39 AM
By Stephen_G
Description
This article describes how a FortiGate can be configured with a 'Lowest Cost' strategy so that, when no member meets the SLA, traffic is routed by the member with the best quality. Order of member selection:
The challenge with the Lowest Cost configuration arises when no member meets the SLA. In that case, traffic is still routed according to the selection order above, which can mean choosing the member with the worst quality of all available members. To address this, when all members fail to meet the SLA target, traffic should instead be routed through the member with the best quality. The following explains how to configure this and resolve the challenge.
Scope: FortiGate 7.4.5 Build 2702.
Solution
Configuration:
Layer 3 Topology:
SD-WAN Topology:
Create the Performance SLA configuration.
CLI:
    config system sdwan
        config health-check
            edit "1HC_HUB"
                set server "10.0.0.254"
                set members 3 4
                config sla
                    edit 1
                        set link-cost-factor latency
                        set latency-threshold 100
                    next
                end
            next
        end
    end
GUI: Go to Network -> SD-WAN -> Performance SLAs -> Create New.
Create the SD-WAN rule with the Lowest Cost strategy.
CLI:
    config system sdwan
        config service
            edit 1
                set name "ALL_TRAFFIC"
                set mode sla
                set minimum-sla-meet-members 1
                set dst "all"
                set src "all"
                config sla
                    edit "1HC_HUB"
                        set id 1
                    next
                end
                set priority-members 3 4
            next
        end
    end
The parameter 'set minimum-sla-meet-members' defines the minimum number of members that must meet at least one of the SLA targets configured in the rule for the rule to remain active. If the number of members meeting the SLA falls below this threshold, the rule is disabled and skipped during the rule matching stage.
Create the SD-WAN rule with the Best Quality strategy.
CLI:
    config system sdwan
        config service
            edit 2
                set name "ALL_BEST_OVERLAY"
                set mode priority
                set dst "all"
                set src "all"
                set health-check "1HC_HUB"
                set priority-members 3 4
            next
        end
    end
GUI: Go to Network -> SD-WAN -> SD-WAN Rules -> Create New.
With the above configuration there are two SD-WAN rules. When the first rule (Lowest Cost) is active but none of its members meet the SLA, the Lowest Cost rule is disabled and skipped. As a result, traffic falls through to the next SD-WAN rule, 'ALL_BEST_OVERLAY' (Best Quality). This rule selects the member with the best link quality, even if that member does not meet the SLA.
Testing
For the first rule, 'ALL_TRAFFIC', all members meet the SLA and have the same cost. Member '1VPN' is selected by configuration order, so traffic is routed by the first SD-WAN rule through member '1VPN'.
The 'HOST 10.7.0.7' opens an SSH session to 'SERVER 10.10.0.11'.
    diagnose sys sdwan service
    diagnose sys session list
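To make the two-rule behaviour concrete, the following Python model walks the rule list the way the article describes: rule 1 ('ALL_TRAFFIC', mode sla, minimum-sla-meet-members 1) is skipped when fewer than the minimum number of members meet the 100 ms latency target, and rule 2 ('ALL_BEST_OVERLAY', mode priority) then picks the member with the lowest measured latency regardless of the SLA. This is an added illustrative simulation written for this article, not FortiOS code; the member names '1VPN'/'2VPN', their sequence numbers 3 and 4, and the latency values used in the scenarios are constructed from the article's topology.

```python
# Simulation of the SD-WAN rule selection described in the article.
# Not FortiOS code: an illustrative model only. Member latencies are constructed.
from dataclasses import dataclass

LATENCY_THRESHOLD_MS = 100  # 'set latency-threshold 100' in SLA 1 of 1HC_HUB


@dataclass
class Member:
    seq: int           # SD-WAN member sequence number (3 and 4 in the article)
    name: str          # interface/overlay name, e.g. '1VPN' (constructed)
    latency_ms: float  # latest 1HC_HUB probe result (constructed)
    cost: int = 0      # all members have the same cost in the article

    def meets_sla(self, threshold_ms: float = LATENCY_THRESHOLD_MS) -> bool:
        return self.latency_ms <= threshold_ms


def _ordered(priority_members, members):
    """Return the members in 'set priority-members' configuration order."""
    by_seq = {m.seq: m for m in members}
    return [by_seq[s] for s in priority_members if s in by_seq]


@dataclass
class SlaRule:
    """Lowest Cost rule: 'set mode sla' with minimum-sla-meet-members."""
    name: str
    priority_members: list
    minimum_sla_meet_members: int = 1

    def select(self, members):
        in_sla = [m for m in _ordered(self.priority_members, members)
                  if m.meets_sla()]
        # Too few members in SLA: the rule is disabled and skipped entirely.
        if len(in_sla) < self.minimum_sla_meet_members:
            return None
        # Lowest cost wins; min() keeps the first minimum, so ties fall back
        # to configuration order ('1VPN' before '2VPN').
        return min(in_sla, key=lambda m: m.cost)


@dataclass
class PriorityRule:
    """Best Quality rule: 'set mode priority' with a health-check."""
    name: str
    priority_members: list

    def select(self, members):
        candidates = _ordered(self.priority_members, members)
        if not candidates:
            return None
        # Best quality = lowest measured latency; the SLA target is not consulted.
        return min(candidates, key=lambda m: m.latency_ms)


# The two rules from the article, evaluated top to bottom.
RULES = [
    SlaRule("ALL_TRAFFIC", priority_members=[3, 4], minimum_sla_meet_members=1),
    PriorityRule("ALL_BEST_OVERLAY", priority_members=[3, 4]),
]


def route(rules, members):
    """Return (rule name, member name) of the first rule that yields a member."""
    for rule in rules:
        chosen = rule.select(members)
        if chosen is not None:
            return rule.name, chosen.name
    return None  # no rule matched; a real FortiGate would use the routing table


def simulate(latency_1vpn_ms: float, latency_2vpn_ms: float):
    """Run the article's scenario with constructed latencies for both overlays."""
    members = [
        Member(seq=3, name="1VPN", latency_ms=latency_1vpn_ms),
        Member(seq=4, name="2VPN", latency_ms=latency_2vpn_ms),
    ]
    return route(RULES, members)


if __name__ == "__main__":
    print("both in SLA:      ", simulate(20, 30))    # ALL_TRAFFIC via 1VPN
    print("both out of SLA:  ", simulate(300, 150))  # ALL_BEST_OVERLAY via 2VPN
    print("only 2VPN in SLA: ", simulate(300, 50))   # ALL_TRAFFIC via 2VPN
```

The three scenarios in the usage block mirror the test sequence later in the article: both overlays within SLA (rule 1, '1VPN' by configuration order), both above the 100 ms threshold (rule 1 skipped, rule 2 picks the lower-latency '2VPN'), and a recovery where only one member returns to SLA (rule 1 reactivates and selects that member). Changing minimum_sla_meet_members to 2 in RULES shows how a stricter threshold causes the fallback to rule 2 as soon as either overlay degrades.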
The delay of both members is then increased to the point where neither meets the SLA:
The first SD-WAN rule (Lowest Cost) is disabled:
After the Lowest Cost rule is disabled, the SSH session is routed by the next rule, 'ALL_BEST_OVERLAY'. Since member '2VPN' has the best quality, the SSH session moves to it and survives the change without losing the connection:
As soon as any member meets the SLA again, the first SD-WAN rule is reactivated and the session returns to it:
Throughout the test, the SSH session remains active at all times.