Using link latency as a failover criterion between SD-WAN members may sometimes choose the member that has slightly more latency.

Here is an example:

The Latency for SD-WAN member Spoke1_VPN2 is less than member Spoke1_VPN1, so member Spoke1_VPN2 should be selected as the outgoing interface.

However, the member Spoke1_VPN1 is chosen as best :

diagnose sys sdwan member | grep VPN
Member(3): transport-group: 0, interface: Spoke1_VPN1, flags=0xd may_child, gateway: 10.5.31.165, peer: 10.20.20.1, priority: 1 1024, weight: 0
Member(4): transport-group: 0, interface: Spoke1_VPN2, flags=0xd may_child, gateway: 10.0.0.1, peer: 10.20.20.1, priority: 1 1024, weight: 0

diagnose sys sdwan health-check | grep VPN
Seq(3 Spoke1_VPN1): state(alive), packet-loss(0.000%) latency(0.727), jitter(0.219), mos(4.404), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0
Seq(4 Spoke1_VPN2): state(alive), packet-loss(0.000%) latency(0.688), jitter(0.225), mos(4.404), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0

The reason for choosing  poke1_VPN1 as the best member is that the default settings for the SD-WAN link-cost-threshold is 10.

This means it would only choose another member if the difference between them for Latency is more than 10%.

config system sdwan

(sdwan) # config service

(service) # edit "2"

link-cost-threshold   <----- Percentage threshold change of link cost values that will result in policy route regeneration (0 - 10000000, default= 10).

This default setting can be reduced as per the requirement with correct analysis and chosen value.

After making the value 2, the other member Spoke1_VPN2 was selected as best :

Related article:

Technical Tip: Fortinet's Secure SD-WAN Resource List