Traffic Management for specific traffic over BOVPN Virtual Interface

We have a BOVPN Virtual interface set up. We recently set up two SAN devices that replicate data between them over this VPN. When the replication is occurring, they use up all available bandwidth and other VPN traffic is negatively affected.

We tried adding various new policies with the IP addresses of the devices, but the traffic still flows over the normal BOVPN policy. And if we try to add the BOVPN interface to the To side of a policy, we get a warning message saying:
"When a policy is configured to use Multi-WAN or policy-based routing to route outbound non-IPsec traffic through external interfaces, the policy must use the Any-External alias instead of individual external interface aliases in the To Field. This policy may violate such condition."

I am not sure if this is part of our issue, or if this message even applies as we are not enabling multi-wan or policy-based routing, but I thought I would mention it in case.

Is there something we are doing wrong, or a better way to accomplish throttling specific traffic over a BOVPN virtual interface?


    Make sure that the newly added policies are above the normal BOVPN policy

    @Bruce_Briggs said:
    Make sure that the newly added policies are above the normal BOVPN policy

    All of the ones we added were above the normal policy (we have auto-order mode still enabled).
    The normal policy is called BOVPN-Allow.out, is from Any and is to BovpnVif.Remote. We first added a policy from local SAN IP to remote SAN IP. But traffic still went over normal policy. Then we added BovpnVif.Remote to To, but still no dice.

    Beats me.
    Consider opening a support incident on this.
    Should you find a resolution, please post it so that others (including me) can learn from it.

    james.carson Moderator, WatchGuard Representative

    There should be a check-box in the bottom of your VIF's gateway tab that says "add this tunnel to BOVPN-Allow policies." Unchecking that will remove it from the default BOVPN rules.


    -James Carson
    WatchGuard Customer Support
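Policy evaluation on the Firebox is first-match from the top of the list, so the specific SAN policy must sit above BOVPN-Allow.out for its Traffic Management action to apply, and the VIF must not also be swept into the generic rule. The following is an added Python illustration of that ordering, not WatchGuard code; the addresses, the SAN-Replication policy name, the TM-SAN-Replication action and the network behind BovpnVif.Remote are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of Firebox-style first-match policy evaluation.
# All addresses and the SAN-Replication / TM-SAN-Replication names are
# assumptions; only BOVPN-Allow.out and BovpnVif.Remote come from the thread.

@dataclass
class Policy:
    name: str
    src: str                          # "Any" or a CIDR
    dst: str                          # "Any", a CIDR, or an alias such as BovpnVif.Remote
    tm_action: Optional[str] = None   # Traffic Management action attached to the policy

# Networks reachable through the VIF alias (assumed remote-site range).
ALIAS_NETS = {"BovpnVif.Remote": ["10.20.0.0/16"]}

def _matches(spec: str, addr: str) -> bool:
    """True if addr is covered by spec ("Any", a CIDR, or a known alias)."""
    if spec == "Any":
        return True
    nets = ALIAS_NETS.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n) for n in nets)

def first_match(policies, src: str, dst: str) -> Optional[Policy]:
    """Walk the policy list top-down and return the first From/To match."""
    for p in policies:
        if _matches(p.src, src) and _matches(p.dst, dst):
            return p
    return None

def policy_for_flow(policies, src: str, dst: str):
    """Return (policy name, TM action) that a flow would receive, or None."""
    p = first_match(policies, src, dst)
    return (p.name, p.tm_action) if p else None

# Specific SAN-to-SAN policy carrying a bandwidth-limiting TM action (assumed).
SAN_POLICY = Policy("SAN-Replication", "10.10.0.50/32", "10.20.0.50/32",
                    tm_action="TM-SAN-Replication")
# The generic rule from the thread: Any -> BovpnVif.Remote, no TM action.
BOVPN_ALLOW = Policy("BOVPN-Allow.out", "Any", "BovpnVif.Remote")

CORRECT_ORDER = [SAN_POLICY, BOVPN_ALLOW]   # specific rule above the generic one
WRONG_ORDER = [BOVPN_ALLOW, SAN_POLICY]     # generic rule shadows the SAN rule
```

With CORRECT_ORDER the replication flow lands on SAN-Replication and receives the TM action while ordinary traffic still falls through to BOVPN-Allow.out; with WRONG_ORDER the SAN rule is never reached, which is the symptom the thread describes.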
