Description | This article describes why SD-WAN rules with route-tags might not match after SD-WAN reset. |
Scope | FortiGate 7.2.
Solution |
If the following command is run, for any reason, to reset the application control cache and the route-tag cache, SD-WAN rules that use route-tags will stop matching traffic.
diagnose sys sdwan reset
Here, as an example, there are three SD-WAN members (port1, port8, port9).
The FortiGate is configured to use port1 for traffic matching route-tag 10 (in this example only 8.8.8.8), and port9 or port8 for all other traffic.
FGT-7-2 # show system sdwan
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "port8"
set gateway 10.5.255.254
next
edit 2
set interface "port9"
set gateway 10.5.191.254
next
edit 3
set interface "port1"
set gateway 10.134.19.165
set priority 100
next
end
[...]
config service
edit 1
set name "Tag-10"
set route-tag 10
set priority-members 3
next
edit 2
set name "all-to-internet"
set dst "all"
set priority-members 2 1
next
end
end
Checking the SD-WAN service, only 8.8.8.8 matches rule 1, as it is the only address matching the route-tag 10.
FGT-7-2 # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(1):
1: Seq_num(3 port1), alive, selected
Route tag address(1):
8.8.8.8-8.8.8.8
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(2):
1: Seq_num(2 port9), alive, selected
2: Seq_num(1 port8), alive, selected
Dst address(1):
0.0.0.0-255.255.255.255
After resetting SD-WAN, rule 1 no longer matches any traffic:
FGT-7-2 # diagnose sys sdwan reset
All SD-WAN application ctrl internet service cache and route-tag address cache will be clean out.
Do you want to continue? (y/n)y
FGT-7-2 # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service disabled caused by no destination.
Members(1):
1: Seq_num(3 port1), alive, selected
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(2):
1: Seq_num(2 port9), alive, selected
2: Seq_num(1 port8), alive, selected
Dst address(1):
0.0.0.0-255.255.255.255
Solution:
This is normal behavior: route-tag addresses are learned from BGP, not from the SD-WAN daemon, and resetting SD-WAN discards this information.
If this occurs, BGP must be restarted as well to solve the issue.
In this example, after restarting BGP, the SD-WAN rules with route-tags match the correct addresses again.
FGT-7-2 # execute router clear bgp all
FGT-7-2 # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(1):
1: Seq_num(3 port1), alive, selected
Route tag address(1):
8.8.8.8-8.8.8.8
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members(2):
1: Seq_num(2 port9), alive, selected
2: Seq_num(1 port8), alive, selected
Dst address(1):
0.0.0.0-255.255.255.255
Note: Restarting BGP is traffic-affecting, as the BGP sessions will be torn down and will need to be re-established.
Note: This is only valid for 7.2 or below. From 7.4, the route-tag handling has been redesigned (Add route tag address objects) and an SD-WAN reset will not lose route-tag information.
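The check described above can be automated. The following script is an added example, not part of the Fortinet article or FortiOS itself: it parses the service section of "show system sdwan" to find which rules are configured with a route-tag, then parses "diagnose sys sdwan service" and reports any route-tag rule that is disabled or has no learned addresses, which is the state seen right after "diagnose sys sdwan reset". The sample inputs are constructed from the outputs shown in this article; the function names and the line-oriented parsing are assumptions of this example, and the output format is only guaranteed to match what this article shows for 7.2.

```python
import re

# Constructed sample: the "config service" block from the article's "show system sdwan".
SDWAN_CONFIG = """\
config service
    edit 1
        set name "Tag-10"
        set route-tag 10
        set priority-members 3
    next
    edit 2
        set name "all-to-internet"
        set dst "all"
        set priority-members 2 1
    next
end
"""

# Constructed sample: "diagnose sys sdwan service" right after "diagnose sys sdwan reset".
DIAG_AFTER_RESET = """\
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Service disabled caused by no destination.
  Members(1):
    1: Seq_num(3 port1), alive, selected
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 port9), alive, selected
    2: Seq_num(1 port8), alive, selected
  Dst address(1):
        0.0.0.0-255.255.255.255
"""

# Constructed sample: the same command after "execute router clear bgp all".
DIAG_AFTER_BGP_CLEAR = """\
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(1):
    1: Seq_num(3 port1), alive, selected
  Route tag address(1):
        8.8.8.8-8.8.8.8
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(2 port9), alive, selected
    2: Seq_num(1 port8), alive, selected
  Dst address(1):
        0.0.0.0-255.255.255.255
"""


def route_tag_rules(config_text):
    """Map SD-WAN service id -> route-tag for every service that sets one."""
    rules, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"set route-tag (\d+)$", line)
        if m and current is not None:
            rules[current] = int(m.group(1))
    return rules


def parse_services(diag_text):
    """Parse 'diagnose sys sdwan service' into {id: {gen, disabled, addresses...}}."""
    services, current, section = {}, None, None
    for raw in diag_text.splitlines():
        line = raw.strip()
        m = re.match(r"Service\((\d+)\):", line)
        if m:
            current = {"gen": None, "disabled": False,
                       "route_tag_addresses": [], "dst_addresses": []}
            services[int(m.group(1))] = current
            section = None
            continue
        if current is None:
            continue
        m = re.match(r"Gen\((\d+)\)", line)
        if m:
            current["gen"] = int(m.group(1))  # bumps when the rule is re-evaluated
            continue
        if line.startswith("Service disabled"):
            current["disabled"] = True
            continue
        if line.startswith("Route tag address("):
            section = "route_tag_addresses"
            continue
        if line.startswith("Dst address("):
            section = "dst_addresses"
            continue
        if line.startswith("Members("):
            section = None
            continue
        if section and re.fullmatch(r"[\d.]+-[\d.]+", line):
            current[section].append(line)  # address range line under a section
    return services


def broken_route_tag_rules(config_text, diag_text):
    """Ids of route-tag rules that are disabled or have no learned addresses."""
    rules = route_tag_rules(config_text)
    services = parse_services(diag_text)
    broken = []
    for sid in sorted(rules):
        svc = services.get(sid)
        if svc is None or svc["disabled"] or not svc["route_tag_addresses"]:
            broken.append(sid)
    return broken


if __name__ == "__main__":
    print("after reset:", broken_route_tag_rules(SDWAN_CONFIG, DIAG_AFTER_RESET))
    print("after BGP clear:", broken_route_tag_rules(SDWAN_CONFIG, DIAG_AFTER_BGP_CLEAR))
```

Run against the two captures, the script reports rule 1 as broken after the reset and an empty list after BGP has been cleared, which is the signal to look for before and after the "execute router clear bgp all" step. Because that step is traffic-affecting, a practitioner would run this check first and only restart BGP when a route-tag rule is actually reported as broken.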
Related articles:
Using BGP tags with SD-WAN rules (for 7.2 or earlier)
Copyright 2025 Fortinet, Inc. All Rights Reserved.