SD-WAN Tracert

Please can anyone explain why I am getting this?

I configured SD-WAN so that some VLAN interfaces can use the secondary ISP WAN interface. Fine, it worked if I check the WAN IP using Whois IP. But to my surprise, if I tracert from this VLAN to like, it still passes through the Primary ISP default gateway instead of the Secondary ISP default gateway.

Is there anything I am missing here?



  • Options

    Do you have a Ping policy for this VLAN with SD-WAN selected on it?

  • Options

    Windows tracert uses ICMP - which the Ping policy allows.

  • Options

    @Bruce_Briggs I have a ping policy that allows any-trusted to any external with ICMP and ICMPv6.
    I can ping, but my ping is routing through my Primary interface instead of the secondary interface, but if I check my IP, it's my secondary WAN IP.


  • Options

    Without SD-WAN on that policy, why do you expect tracerts to go out the WAN that you want?

  • Options

    In SD WAN add a new action Secondary Only
    Create a new ping policy from VLAN ID > Any External
    Choose Route outbound traffic using SD WAN
    In the SD WAN action drop down choose the Secondary Only Action.

    Now your pings from that VLAN will route out your secondary using SD-WAN.

    Hope that's what you are looking for.

    It's usually something simple.

  • Options

    Like I asked in my 1st post

  • Options
    edited February 2022


    Are you talking about the Ping policy or the SD-WAN policy for the specific VLAN to any external?
    If it's SD-WAN, this has been created, and if I check the traffic going out through this VLAN, it's using the secondary, but tracert only goes through the default gateway of the Primary ISP, which I found to be abnormal behaviour.
    Since my public IP shows the secondary for the specific VLAN, it means I am fine, right?


  • Options

    Turn on Logging on your Ping policy From this VLAN with a SD-WAN action.
    Then look in Traffic Monitor - you should see Ping allow entries To: the IP addr of the tracert you are doing.
    The src_ip_nat= on the log record should show the IP addr selected in the SD-WAN action.
    If not, then open a support incident on this.
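
The log check described in the last reply can be scripted over exported Traffic Monitor lines. This is an added example, not code from the thread or from the vendor: the sample lines are constructed, and everything about their layout except the `src_ip_nat=` key (field order, the `policy=` key, the subnet and WAN addresses) is an assumption.

```python
import ipaddress
import re

# Constructed sample lines, not real Firebox output. Only the src_ip_nat= key
# comes from the thread; the layout (first IPv4 on the line = source) is assumed.
SAMPLE_LOG = """\
2022-02-10 10:15:01 Allow 10.0.20.15 8.8.8.8 icmp policy="Ping-VLAN20" src_ip_nat="198.51.100.10"
2022-02-10 10:15:02 Allow 10.0.20.15 8.8.8.8 icmp policy="Ping-VLAN20" src_ip_nat="203.0.113.10"
2022-02-10 10:15:03 Allow 10.0.30.7 8.8.8.8 icmp policy="Ping" src_ip_nat="203.0.113.10"
2022-02-10 10:15:04 Allow 10.0.20.15 1.1.1.1 icmp policy="Ping-VLAN20"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="value" or key=value
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_egress(log_text, vlan_subnet, expected_nat_ip):
    """Sort ICMP allow records from vlan_subnet by the src_ip_nat they carry."""
    net = ipaddress.ip_network(vlan_subnet)
    expected = ipaddress.ip_address(expected_nat_ip)
    result = {"ok": [], "mismatch": [], "no_nat_field": []}
    for line in log_text.splitlines():
        tokens = line.split()
        if "Allow" not in tokens or "icmp" not in tokens:
            continue
        src = IPV4.search(line)
        try:
            if src is None or ipaddress.ip_address(src.group()) not in net:
                continue  # record is not from the VLAN under test
        except ValueError:
            continue  # dotted number that is not a valid address
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        nat = fields.get("src_ip_nat")
        if nat is None:
            result["no_nat_field"].append(line)
            continue
        try:
            nat_ok = ipaddress.ip_address(nat) == expected
        except ValueError:
            nat_ok = False  # malformed value counts as a mismatch
        result["ok" if nat_ok else "mismatch"].append(line)
    return result


if __name__ == "__main__":
    report = check_egress(SAMPLE_LOG, "10.0.20.0/24", "198.51.100.10")
    for bucket, lines in report.items():
        print(bucket, len(lines))
```

Records in `mismatch` or `no_nat_field` are the ones to attach to a support incident, since they show ICMP from the VLAN leaving with an address other than the one the SD-WAN action should select.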
