mgoswami
Article Id 258997
Description

This article describes the behavior and benefits of packet duplication with SD-WAN.

Scope

FortiGate.
Solution

Packet duplication is an SD-WAN feature that reduces data loss over any SD-WAN underlay or overlay. It sends duplicate packets through up to 3 additional members of any kind, provided that the best route to the destination is an SD-WAN member and that the links used for duplication have a route to the destination. The duplicates are verbatim copies of the original packet.

The duplicate packets can be used for data loss protection and for out-of-band inspection or packet capture.

Packet de-duplication can also be enabled on the receiving FortiGate. When it is enabled, the receiving FortiGate accepts only the first copy of a packet that arrives and drops the additional copies.

The goal is to save resources at the receiving end: the FortiGate forwards one copy only, instead of forwarding every copy and leaving the next hop to discard the extras.

 

In the topology below, 2 FortiGates are connected through 3 IPsec overlays, which are members of the overlay zone.

Topology.PNG

Spoke CLI configuration:

 

config system sdwan
    set duplication-max-num 3
    config duplication
        edit 1
            set srcaddr "10.0.1.0/24"
            set dstaddr "10.1.0.0/24"
            set srcintf "port5"
            set dstintf "overlay"
            set service "ALL"
            set packet-duplication force
        next
    end
end

 

On the Spoke FortiGate, duplication-max-num is set to 3. This indicates that the FortiGate will forward up to three copies of each packet: the original packet plus two duplicates. Each copy is sent through a different SD-WAN member.

 

Hub CLI configuration:

config system sdwan
    config duplication
        edit 1
            set srcaddr "10.0.1.0/24"
            set dstaddr "10.1.0.0/24"
            set srcintf "overlay"
            set dstintf "port5"
            set service "ALL"
            set packet-de-duplication enable
        next
    end
end

On the hub side, packet-de-duplication is enabled to instruct the FortiGate to accept only one copy of the packet. The first packet to arrive will be accepted, and additional copies will be dropped.

 

Packet capture on the Spoke side:

Spoke logs.PNG

Packet capture on the Hub side:

Hub Logs.PNG

 

In v7.6.0 and earlier, the maximum expected one-way latency difference between two members is fixed at 250 ms for packet de-duplication. Starting in v7.6.1, this value is customizable with duplication-max-discrepancy:

config system sdwan
    set duplication-max-discrepancy <latency>
end

<latency> is an integer from 250 to 1000 (milliseconds); the default is 250.

 

Example Scenario:

Consider a scenario where one of the SD-WAN members is a satellite connection, which introduces high latency. When packet duplication is enabled, two copies of each packet are sent. If the latency difference between the links exceeds 250 ms, the copy received over the higher-latency link arrives after the de-duplication window for that packet has closed, so it is forwarded instead of being de-duplicated.

This can be remedied in v7.6.1 and later by configuring a larger duplication-max-discrepancy value that suits the use case (for example, 1000 ms).

 

Note:

  • As of v7.6.3, de-duplication is limited to ICMP, UDP, TCP, and SCTP protocols only. GRE is not supported for de-duplication.
  • When configuring the duplication-max-discrepancy parameter, use caution with high values. Increasing this threshold allows a greater latency window for de-duplication, but it also requires the system to cache more packets in memory for a longer duration. Excessively large values may lead to increased memory usage, potentially impacting overall system performance. It is recommended to tune this setting based on the specific latency characteristics of the deployment environment.
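The satellite scenario above and the memory note are easier to reason about with a small model of the receiving side. The following Python is an added illustration written for this article; it is not FortiOS code and does not reproduce the FortiGate implementation. It assumes a simplified de-duplication cache keyed on (flow, packet identifier) whose entries expire after duplication-max-discrepancy milliseconds, a constructed flow between 10.0.1.10 and 10.1.0.10, a terrestrial overlay with 20 ms one-way delay, and a satellite overlay that adds a configurable extra delay. It shows both effects the article describes: with a 250 ms window and a 400 ms satellite penalty every satellite copy is forwarded as if it were new, and raising the window to 1000 ms de-duplicates them at the cost of holding more entries in the cache.

```python
"""Added illustration, not FortiOS code: a simplified model of receiver-side
SD-WAN packet de-duplication with a configurable max-discrepancy window."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    flow: tuple         # constructed flow key: (src, dst, proto, sport, dport)
    seq: int            # identifies the original packet; all copies share it
    member: str         # SD-WAN member (overlay) the copy arrived on
    arrival_ms: float   # arrival time at the hub, in milliseconds


class Deduplicator:
    """Accept the first copy of a packet and drop later copies that arrive
    within max_discrepancy_ms of it. Cache entries older than the window
    are evicted, so a copy arriving after the window looks new and is
    forwarded. This models the behaviour the article describes, not the
    FortiOS implementation (assumption)."""

    def __init__(self, max_discrepancy_ms=250):
        self.max_discrepancy_ms = max_discrepancy_ms
        self._seen = {}      # (flow, seq) -> arrival time of the first copy
        self.peak_cache = 0  # largest number of cached entries observed

    def _expire(self, now_ms):
        # Drop entries whose first copy arrived more than one window ago.
        cutoff = now_ms - self.max_discrepancy_ms
        for key in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[key]

    def receive(self, pkt):
        """Return "forward" or "drop" for one arriving copy."""
        self._expire(pkt.arrival_ms)
        key = (pkt.flow, pkt.seq)
        if key in self._seen:
            return "drop"
        self._seen[key] = pkt.arrival_ms
        self.peak_cache = max(self.peak_cache, len(self._seen))
        return "forward"


def simulate(max_discrepancy_ms, satellite_extra_ms, n_packets=20, interval_ms=100):
    """Spoke sends n_packets at interval_ms, duplicating each over a
    terrestrial overlay (20 ms one-way, constructed) and a satellite overlay
    that adds satellite_extra_ms. Returns (copies forwarded by the hub,
    peak de-duplication cache size)."""
    flow = ("10.0.1.10", "10.1.0.10", "udp", 40000, 5060)  # constructed addresses
    hub = Deduplicator(max_discrepancy_ms)
    copies = []
    for seq in range(n_packets):
        sent = seq * interval_ms
        copies.append(Packet(flow, seq, "overlay1", sent + 20))
        copies.append(Packet(flow, seq, "overlay2", sent + 20 + satellite_extra_ms))
    copies.sort(key=lambda p: p.arrival_ms)  # hub sees copies in arrival order
    forwarded = sum(1 for p in copies if hub.receive(p) == "forward")
    return forwarded, hub.peak_cache


if __name__ == "__main__":
    for window in (250, 1000):
        fwd, peak = simulate(window, satellite_extra_ms=400)
        print(f"max-discrepancy {window} ms: hub forwarded {fwd} of 40 copies, "
              f"peak cache {peak} entries")
```

With the 250 ms window, the satellite copy of each packet arrives 400 ms after the terrestrial copy, by which time its cache entry has been evicted, so the hub forwards all 40 copies and the LAN side receives every packet twice. With the 1000 ms window the hub forwards 20 copies, but the cache now holds about 11 entries at a time instead of 6, which is the memory trade-off the note above warns about; on a real link with thousands of packets per second the difference in cached state scales accordingly.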