SD-WAN routing behavior in 12.4?
I have a post over in the legacy forums and also an open case, but I figure I'd post here with my concerns.
What I'm told is the "The traffic to the local Firebox address is sent out through the external interface because the policy has an SD-WAN action enabled". As a result, this is what occurs when trying to run tracert to the FB's private IP address (x.x.x.1) with 12.4:
C:>tracert x.x.x.1
Tracing route to x.x.x.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms x.x.x.1
2 <1 ms <1 ms <1 ms FB.WAN.ADDRESS.1
3 ROUTER.IP.ADDRESS.1 reports: Destination net unreachable.
Trace complete.
Why would the FB continue to route the traffic past the destination IP when SD-WAN is enabled?
0
Sign In to comment.
Comments
Hi Craig,
I've been working with you on your support case. I've provided an update in the case with an explanation of the tracert behavior that has been observed with version 12.4. The tracert will complete if the ping policy to the Firebox does not have SD-WAN enabled, but I am also researching other solutions and will be providing updates through the support case.
Sincerely,
Juan Nakasone | Support Engineer
WatchGuard Technologies, Inc. | www.watchguard.com
I can also confirm issues in regards to SD-WAN behavior. We have 2 Wan connections. For some rules I had a SD-WAN policy to just use one of the wan connections. After the update to 12.4 my web server stopped working externally. Turning off the SD-WAN in the policy fixed it. It was fine in 12.3. For outbound only the SD-WAN policy is working fine. It seems to have issues with incoming traffic that expects a reply, like a web server.
Upgrading to 12.4.1 Update 1 fixed the problem. Under the resolved Issues in Fireware v12.4.1 Update 1:
SD-WAN actions are no longer incorrectly applied to traffic directed at a Firebox interface IP address. [FBX-16341]