SD-WAN Tracert

Please can anyone explain why am getting this?

I configured SD-WAN so that some VLAN interfaces can use the secondary ISP WAN interface. Fine, it worked if I check the WAN IP using Whois Ip. But to my surprise, If I tracert from this VLAN to like, it still passes through Primary ISP default gateway instead of Secondary Isp default Gateway.

Is there anything am missing here?



  • Do you have a Ping policy for this VLAN with SD-WAN selected on it?

  • Windows tracert uses ICMP - which the Ping policy allows.

  • @Bruce_Briggs I have a ping policy that allows any-trusted to any external with ICMP and ICMPv6.
    I can ping but my ping is routing through my Primary interface instead of the secondary interface but If I check my IP, it's my secondary WAN IP.


  • Without SD-WAN on that policy, why do you expect tracerts to go out the WAN that you want?

  • In SD WAN add a new action Secondary Only
    Create a new ping policy from VLAN ID > Any External
    Choose Route outbound traffic using SD WAN
    In the SD WAN action drop down choose the Secondary Only Action.

    Now your pings from that vlan will route our your secondary using sd wan.

    Hope that's what you are looking for.

    It's usually something simple.

  • Like l asked in my 1st post

  • OlaOla
    edited February 2022


    Are you talking of Ping Policy or SDWAN policy for the specific VLAN to any external?
    If it's SDWAN, this has been created and If I check the traffic going out through this VLAN, it's using the secondary but tracert only goes through the Default gateway of the Primary ISP, which I found as abnormal behaviour.
    Since my Public Ip shows the secondary for the specific VLAN, it means am fine right?


  • Turn on Logging on your Ping policy From this VLAN with a SD-WAN action.
    Then look in Traffic Monitor - you should see Ping allow entries To: the IP addr of the tracert you are doing.
    The src_ip_nat= on the log record should show the IP addr selected in the SD-WAN action.
    If not, then open a support incident on this.

Sign In to comment.