FortiGate
aahmadbasri
Staff
Article Id 350730
Description This article describes the issue where traffic does not match a newly created firewall policy even though the routes and the policy itself are configured correctly.
Scope FortiGate.
Solution

Scenario:

  • A more specific route was added.
  • A new firewall policy was created above the existing policy.
  • The test is a ping from a connected PC with IP 10.x.x.173 to 8.8.8.8.

From the forward traffic logs, traffic is still hitting the previously configured policy.

KB_12_12.png


The following needs to be done:

  1. Ensure that the policy is created correctly (source and destination interface) and use the policy lookup tool to confirm that the traffic would match the new policy.

Confirm that the direction of the policy is as intended. In this example, it should be from port2 to the IPsec interface.

Source_Route.png

Destination_Route.png

Policy lookup tools show that the traffic would match the new policy, which confirms that the policy order is correct.

PolicyLookup.png

PolicyLookup_2.png


  2. Check whether there is an existing session for this traffic. The session filter is cumulative and stays in place until it is reset, so clear any filter left over from earlier troubleshooting (diag sys session filter clear) before setting a new one.

    diag sys session filter src <source ip>

    diag sys session filter dst <destination ip>

    diag sys session list

    KB_12_6.png


  3. Notice that there are existing sessions whose duration is longer than the age of the newly created policy. A session is matched to a policy when its first packet arrives, and creating a new policy does not re-evaluate sessions that already belong to another policy, so these sessions keep using the old policy until they expire or are cleared. A continuous ping keeps refreshing the ICMP session, so it does not expire on its own.

    For such cases, it is necessary to clear the existing sessions:

    diag sys session filter src <source ip>

    diag sys session filter dst <destination ip>

    diag sys session list     --> This lists the current active sessions that match the above filter.

    diag sys session clear    --> This clears only the sessions that match the above filter. With no filter set, this command clears every session on the FortiGate, so check the output of the list command before clearing.

    After the sessions are cleared, the next packet creates a new session and the traffic matches the newly created policy.

    KB_12_7.png
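The check in steps 2 and 3 (find sessions that predate the new policy and are still pinned to the old one, then clear only those) can be scripted against a saved copy of the session dump. The following Python script is an added example, not part of the original article and not a Fortinet tool: it parses constructed sample text in the shape of `diagnose sys session list` output (abridged to the fields the script reads; real output carries many more lines per session), applies the same src/dst filter the CLI does, flags sessions whose policy_id is not the new policy and whose duration exceeds the age of the new policy, and prints the CLI sequence to clear them. The IP 10.0.0.173 (a stand-in for the article's 10.x.x.173), the second host 10.0.0.50, the policy IDs 3 and 7 and the 600-second policy age are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `diagnose sys session list` output,
# abridged to the lines this script reads. Three sessions: two from the test
# PC to 8.8.8.8 (one created long before the new policy, one after it) and one
# from a different host that the src/dst filter must exclude. Not captured
# from the device in the article; IPs and policy IDs are assumptions.
SAMPLE_SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=5420 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=pre dir=org act=noop 10.0.0.173:1->8.8.8.8:8(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.8.8:1->10.0.0.173:0(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=40 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=pre dir=org act=noop 10.0.0.173:51234->8.8.8.8:443(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.8.8:443->10.0.0.173:51234(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=01 duration=9000 expire=170 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.50:40000->8.8.8.8:53(203.0.113.2:40000)
hook=pre dir=reply act=dnat 8.8.8.8:53->203.0.113.2:40000(10.0.0.50:40000)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
total session 3
"""


@dataclass
class Session:
    proto: int
    duration: int   # seconds since the session was created
    policy_id: int  # policy the session was matched to on its first packet
    src: str
    dst: str


SESSION_START = "session info:"
_DURATION = re.compile(r"\bduration=(\d+)")
_PROTO = re.compile(r"\bproto=(\d+)")          # does not match proto_state=
_POLICY = re.compile(r"\bpolicy_id=(\d+)")
# original-direction tuple, e.g. "dir=org act=snat 10.0.0.50:40000->8.8.8.8:53(...)"
_ORG_TUPLE = re.compile(r"dir=org act=\w+ ([\d.]+):\d+->([\d.]+):\d+")


def parse_session_list(text: str) -> List[Session]:
    """Split the dump on 'session info:' and pull the fields needed for the check."""
    sessions = []
    for block in text.split(SESSION_START)[1:]:
        d, p, pol, tup = (_DURATION.search(block), _PROTO.search(block),
                          _POLICY.search(block), _ORG_TUPLE.search(block))
        if not (d and p and pol and tup):
            continue  # truncated block: skip rather than guess
        sessions.append(Session(int(p.group(1)), int(d.group(1)),
                                int(pol.group(1)), tup.group(1), tup.group(2)))
    return sessions


def filter_sessions(sessions: List[Session], src: Optional[str] = None,
                    dst: Optional[str] = None) -> List[Session]:
    """Same semantics as the CLI filter: src and dst are ANDed, and either may be unset."""
    return [s for s in sessions
            if (src is None or s.src == src) and (dst is None or s.dst == dst)]


def sessions_predating_policy(sessions: List[Session], new_policy_id: int,
                              policy_age_seconds: int) -> List[Session]:
    """Sessions pinned to another policy and older than the new policy.
    They were created before the new policy existed and are not re-evaluated,
    so they keep the old policy until they expire or are cleared."""
    return [s for s in sessions
            if s.policy_id != new_policy_id and s.duration > policy_age_seconds]


def clear_commands(src: str, dst: str) -> List[str]:
    """CLI sequence that clears only the filtered sessions. The leading
    'filter clear' discards any filter left from earlier troubleshooting;
    'session clear' with no filter at all would drop every session on the unit."""
    return [
        "diagnose sys session filter clear",
        f"diagnose sys session filter src {src}",
        f"diagnose sys session filter dst {dst}",
        "diagnose sys session list",
        "diagnose sys session clear",
    ]


if __name__ == "__main__":
    hits = filter_sessions(parse_session_list(SAMPLE_SESSION_LIST),
                           src="10.0.0.173", dst="8.8.8.8")
    stale = sessions_predating_policy(hits, new_policy_id=7, policy_age_seconds=600)
    for s in stale:
        print(f"proto={s.proto} {s.src}->{s.dst} duration={s.duration}s "
              f"still on policy_id={s.policy_id}")
    if stale:
        print("\n".join(clear_commands("10.0.0.173", "8.8.8.8")))
```

Run against the sample, only the ICMP session (duration 5420 s, policy_id 3) is reported; the TCP session on policy 7 was created after the new policy and the 10.0.0.50 session is outside the filter. The policy age is taken as an input because the session dump does not carry policy creation time; read it from the policy's change history or the time the change was made.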