Troubleshooting Tip: How to confirm if the correct SD-WAN policy is used in the session

Nivedha · ‎01-11-2023

Description

This article describes how to confirm if the correct SD-WAN policy is used by a session.

Scope

FortiGate, SD-WAN, SD-WAN rules.

Solution

Topology:

LAN (10.61.0.0/20)--- FortiGate A --- ADVPN --- FortiGate B-- LAN (10.14.0.0/20).

LAN (10.61.0.0/20)--- FortiGate A --- port1 -- Internet.

FortiGate uses SD-WAN rule 1 for Internet traffic and SD-WAN rule 2 for traffic over VPN.
The configuration can be checked using the following command:

diagnose sys sdwan service

Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(1):
1: Seq_num(2 NSY1-B1), alive, selected
Src address(1):
10.61.0.0-10.61.15.255

Dst address(1):
10.14.0.0-10.14.15.255

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(1):
1: Seq_num(4 port1), alive, selected
Src address(1):
10.61.0.0-10.61.15.255

Dst address(1):
0.0.0.0-255.255.255.255

Note:

Starting from v7.4.4, the 'diagnose sys sdwan service' command is now divided into two separate commands for IPv4 and IPv6.

IPv4: 'diagnose sys sdwan service4'.
IPv6: 'diagnose sys sdwan service6'.

To confirm if the traffic is correctly matching the SD-WAN rule, run the following command to check the session list:

diagnose sys session filter clear <----- To make sure that no filter was applied before.

diagnose sys session filter src <source address>

diagnose sys session list

The output will be as follows:

session info: proto=1 proto_state=00 duration=15 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=960/16/1 reply=960/16/1 tuples=2
tx speed(Bps/kbps): 62/0 rx speed(Bps/kbps): 62/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.56.243.254/10.61.2.39
hook=post dir=org act=snat 10.61.2.39:1->8.8.8.8:8(10.56.242.32:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->10.56.242.32:0(10.61.2.39:1)
misc=0 policy_id=1 pol_uuid_idx=14742 auth_info=0 chk_client_info=0 vd=0
serial=00006f69 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1 <----- Indicates the service ID (SD-WAN rule).
rpdb_link_id=ff000001 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

session info: proto=1 proto_state=00 duration=35 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=900/15/1 reply=900/15/1 tuples=2
tx speed(Bps/kbps): 35/0 rx speed(Bps/kbps): 35/0
orgin->sink: org pre->post, reply pre->post dev=4->23/23->4 gwy=10.56.242.13/10.61.2.39
hook=post dir=org act=snat 10.61.2.39:1->10.14.2.13:8(192.168.2.2:60417)
hook=pre dir=reply act=dnat 10.14.2.13:60417->192.168.2.2:0(10.61.2.39:1)
misc=0 policy_id=2 pol_uuid_idx=14744 auth_info=0 chk_client_info=0 vd=0
serial=00006ec1 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=3 sdwan_service_id=2 <----- Indicates the service id (SD-WAN rule).
rpdb_link_id=ff000002 ngfwid=n/a
npu_state=0x000100
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
total session 2

Troubleshooting Tip: How to confirm if the correct SD-WAN policy is used in the session

You are leaving our website