FortiGate
sagha
Staff
Article Id 189437

Description

This article describes the traffic behavior when an SD-WAN rule is configured with 'set mode load-balance' from the CLI or set to 'Maximize Bandwidth' (SLA) from the GUI.


Scope

FortiGate.

Solution

SD-WAN configuration:

config system virtual-wan-link
    set status enable
    set load-balance-mode source-dest-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 10.191.47.254
        next
        edit 2
            set interface "wan2"
            set gateway 10.191.31.254
        next
    end
    config health-check
        edit "test_hc"
            set server "8.8.4.4"
            set interval 1000
            set failtime 15
            set recoverytime 120
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 20
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "test_rule_load_balance"
            set mode load-balance                   <----- Configured here.
            set dst "all"
            set src "all"
            config sla
                edit "test_hc"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end


Note:

  • Starting with v6.4.1, 'config system virtual-wan-link' was replaced with 'config system sdwan'.
  • Starting with v7.4.1, the 'set mode load-balance' option was removed and a new option, 'set load-balance enable', was added to achieve similar functionality. More details are available in the following article: Use maximize bandwidth to load balance traffic between ADVPN shortcuts


With the above configuration, all traffic matches the SD-WAN rule, whose mode is load-balance.

With the rule configured as 'mode load-balance', the rule selects a set of links and distributes sessions among them (basic round robin): the egress interface is chosen per session, not per packet.


diagnose firewall proute list

list route policy info(vf=root):

id=2131820545 vwl_service=1(test_rule_load_balance) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x10 load-balance tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=17 num_pass=1 oif=18 num_pass=1
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=17 last_used=2020-06-24 02:52:39

The debug flow output below shows that once a session has been established on a specific interface, subsequent packets are matched to that existing session and keep using the same interface.

Debug Flow:

FortiGate# diagnose debug flow filter daddr 8.8.8.8
FortiGate# diagnose debug flow filter proto 1
FortiGate# diagnose debug flow trace start 10000
FortiGate# diagnose debug enable

id=20085 trace_id=1057 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=601."
id=20085 trace_id=1057 func=init_ip_session_common line=5666 msg="allocate a new session-000ae438"
id=20085 trace_id=1057 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=2131820545: to 8.8.8.8 via ifindex-17"
id=20085 trace_id=1057 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.191.47.254 via wan1"
id=20085 trace_id=1057 func=fw_forward_handler line=771 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1057 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"

id=20085 trace_id=1058 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=602."

id=20085 trace_id=1058 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1058 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1058 func=fw_forward_dirty_handler line=449 msg="state=00000204, state2=00000001, npu_state=00000001"
id=20085 trace_id=1058 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"

id=20085 trace_id=1059 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=603."

id=20085 trace_id=1059 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1059 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1059 func=fw_forward_dirty_handler line=449 msg="state=00000204, state2=00000001, npu_state=00000001"
id=20085 trace_id=1059 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"

id=20085 trace_id=1060 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.131.89:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=604."

id=20085 trace_id=1060 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1060 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=1060 func=fw_forward_dirty_handler line=449 msg="state=00000204, state2=00000001, npu_state=00000001"
id=20085 trace_id=1060 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.131.89->10.191.32.10:60417"
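
The per-session behavior described above (new sessions distributed round robin, existing sessions pinned to their interface) can be verified from the debug flow output itself. The following script is an added example, not part of the article or of FortiOS: it parses 'diagnose debug flow' lines, ties each trace to the session it allocated or found, and reports any session whose packets left through more than one interface. The first sample traces are copied from the article's output; the trace_id=2001 lines and session id 000ae4ff are constructed to stand for a second session that landed on wan2.

```python
import re
from collections import defaultdict

# Sample input: the first two traces are copied from this article's debug flow
# output (one ICMP session, 000ae438); the trace_id=2001 lines are constructed
# to represent a second session that the round robin placed on wan2.
SAMPLE = """\
id=20085 trace_id=1057 func=init_ip_session_common line=5666 msg="allocate a new session-000ae438"
id=20085 trace_id=1057 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.191.47.254 via wan1"
id=20085 trace_id=1058 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000ae438, original direction"
id=20085 trace_id=1058 func=npu_handle_session44 line=1139 msg="Trying to offloading session from port1 to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=20085 trace_id=2001 func=init_ip_session_common line=5666 msg="allocate a new session-000ae4ff"
id=20085 trace_id=2001 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.191.31.254 via wan2"
"""

TRACE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"$')
NEW_SESSION_RE = re.compile(r"allocate a new session-([0-9a-f]+)")
EXISTING_SESSION_RE = re.compile(r"Find an existing session, id-([0-9a-f]+)")
# Software path: "find a route: ... via wan1". Anchored so the "Match policy
# routing ... via ifindex-17" line is not mistaken for an egress interface.
ROUTE_RE = re.compile(r"^find a route: .* via (\S+)$")
# NPU path: "Trying to offloading session from port1 to wan1, ..."
OFFLOAD_RE = re.compile(r"offloading session from \S+ to (\S+),")

def egress_per_session(text):
    """Map each session id to the list of (trace_id, egress interface) seen for it."""
    trace_to_session = {}          # trace_id -> session id, learned from allocate/find lines
    result = defaultdict(list)
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        trace_id, msg = m.group(1), m.group(2)
        for rx in (NEW_SESSION_RE, EXISTING_SESSION_RE):
            s = rx.search(msg)
            if s:
                trace_to_session[trace_id] = s.group(1)
        for rx in (ROUTE_RE, OFFLOAD_RE):
            r = rx.search(msg)
            if r and trace_id in trace_to_session:
                result[trace_to_session[trace_id]].append((trace_id, r.group(1)))
    return dict(result)

def sessions_that_changed_interface(text):
    """Session ids whose packets left through more than one interface (expected: none)."""
    return sorted(sid for sid, hops in egress_per_session(text).items()
                  if len({iface for _, iface in hops}) > 1)

if __name__ == "__main__":
    for sid, hops in egress_per_session(SAMPLE).items():
        print(sid, hops)
    print("sessions that changed interface:", sessions_that_changed_interface(SAMPLE))
```

Feed it the full capture from 'diagnose debug flow' (with the daddr/proto filters shown above) and a non-empty result from sessions_that_changed_interface points at a session that was re-routed mid-life, which the load-balance mode is not expected to do.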
Related document:
SD-WAN rules - maximize bandwidth (SLA)