yangw
Staff
Article Id 245092
Description This article describes a scenario in which a website cannot be accessed after sign-in because the source IP seen by the website changes when multiple WAN interfaces are in use.
Scope FortiGate v7.0 and v7.2.
Solution

In this case, three WAN interfaces have been configured as SD-WAN members, but the volume ratios set for the WAN links (WAN1, WAN2, WAN3) are 0, 3 and 3 (%), which do not add up to 100 (%).

 

config system sdwan
    set status enable
    set load-balance-mode measured-volume-based
    config zone
        edit "virtual-wan-link"
    next
end

 



config members
    edit 2
        set interface "wan1"
        set gateway 111.222.111.222
    next
    edit 3
        set interface "wan2"
        set volume-ratio 3
    next
    edit 4
        set interface "internal1"
        set volume-ratio 3
    next
end

 

Tracing packet flow by running the commands below:

 

Debug flow logs.

 

diag debug reset
diag deb flow filter saddr x.x.x.x (source IP)
diag deb flow filter daddr x.x.x.x (destination IP)
diag deb flow filter port x (destination port)
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diag deb en
diag deb flow trace start 999

 

Then replicate the issue to generate a log, and disable debugging once done:

 

diag deb dis
diag deb reset

 

Output:

 

192.168.1.100 <----- Source IP.

59.127.175.225 <----- Destination IP.

 

id=65308 trace_id=6 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 192.168.1.100:52623->59.127.175.225:80) tun_id=0.0.0.0 from lan. flag [S], seq 268208240, ack 0, win 65535"
id=65308 trace_id=6 func=init_ip_session_common line=6073 msg="allocate a new session-052b0b8c, tun_id=0.0.0.0"
id=65308 trace_id=6 func=iprope_dnat_check line=5327 msg="in-[lan], out-[]"
id=65308 trace_id=5 func=get_new_addr line=1228 msg="find SNAT: IP-36.237.170.16(from IPPOOL), port-52622" <<< SNAT to wan3 interface ip address
id=65308 trace_id=5 func=iprope_reverse_dnat_check line=1307 msg="in-[lan], out-[ppp3], skb_flags-02000000, vid-0" <<<<<<< selected the wan3 as outgoing interface
id=65308 trace_id=6 func=iprope_fwd_check line=789 msg="in-[lan], out-[ppp2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0" <<<<<<< reached the volume ratio very quickly, re-selected wan2 as the outgoing interface.
id=65308 trace_id=5 func=iprope_reverse_dnat_tree_check line=915 msg="len=0"
id=65308 trace_id=6 func=__iprope_tree_check line=557 msg="gnum-100004, use addr/intf hash, len=13"
id=65308 trace_id=5 func=fw_forward_handler line=918 msg="Allowed by Policy-2: SNAT"
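As an added example (not part of the original article), the script below groups debug flow lines by trace_id and flags a client/server pair whose sessions left the FortiGate through more than one SNAT address or outgoing interface, which is exactly the symptom shown above. The log sample is constructed in the shape of that output; 198.51.100.7 is an illustrative second SNAT address, not taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the debug flow output above. Trace 6 is the
# login request (egress ppp3, SNAT 36.237.170.16); trace 7 is the client's next
# request, re-balanced onto ppp2 and SNATed to a different public IP (198.51.100.7
# is an illustrative address, not from the original output).
SAMPLE_LOG = """\
id=65308 trace_id=6 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 192.168.1.100:52623->59.127.175.225:80) tun_id=0.0.0.0 from lan. flag [S], seq 268208240, ack 0, win 65535"
id=65308 trace_id=6 func=get_new_addr line=1228 msg="find SNAT: IP-36.237.170.16(from IPPOOL), port-52622"
id=65308 trace_id=6 func=iprope_fwd_check line=789 msg="in-[lan], out-[ppp3], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=6 func=fw_forward_handler line=918 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=7 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 192.168.1.100:52640->59.127.175.225:80) tun_id=0.0.0.0 from lan. flag [S], seq 99112233, ack 0, win 65535"
id=65308 trace_id=7 func=get_new_addr line=1228 msg="find SNAT: IP-198.51.100.7(from IPPOOL), port-52640"
id=65308 trace_id=7 func=iprope_fwd_check line=789 msg="in-[lan], out-[ppp2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=7 func=fw_forward_handler line=918 msg="Allowed by Policy-2: SNAT"
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):(\d+)\)")
SNAT_RE = re.compile(r"find SNAT: IP-([\d.]+)")
OUT_RE = re.compile(r"func=iprope_fwd_check .*?out-\[([^\]]*)\]")


def parse_sessions(log_text):
    """Group debug flow lines by trace_id into {trace_id: {src, dst, dport, snat, out}}."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        s = sessions[int(m.group(1))]
        if pkt := PKT_RE.search(line):
            s["src"], s["dst"], s["dport"] = pkt.group(1), pkt.group(2), int(pkt.group(3))
        elif snat := SNAT_RE.search(line):
            s["snat"] = snat.group(1)
        elif out := OUT_RE.search(line):
            s["out"] = out.group(1)
    return dict(sessions)


def find_egress_drift(sessions):
    """Return {(src, dst, dport): sorted [(snat, out), ...]} for client/server pairs
    whose sessions used more than one SNAT IP or outgoing interface, i.e. the server
    saw the same client arrive from different public addresses."""
    seen = defaultdict(set)
    for s in sessions.values():
        if all(k in s for k in ("src", "dst", "dport", "snat", "out")):
            seen[(s["src"], s["dst"], s["dport"])].add((s["snat"], s["out"]))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for key, egress in find_egress_drift(parse_sessions(SAMPLE_LOG)).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} used {len(egress)} egress paths: {egress}")
```

Feed it the saved output of `diag deb flow trace start`; any pair it reports is a client whose sessions were spread across SD-WAN members and is a candidate for the source-ip-based fix below.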

 

A better approach, which keeps sessions stable and resolves this problem, is to change the load-balance mode in the SD-WAN settings.

 

config system sdwan
    set load-balance-mode source-ip-based
end

 


 

config system sdwan

(sdwan) # set load-balance-mode

source-ip-based <----- Source IP load balancing. All traffic from a source IP is sent to the same interface.

weight-based <----- Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.

usage-based <----- Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.

source-dest-ip-based <----- Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.

measured-volume-based   <----- Volume-based load balancing. Traffic is load-balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.