
v18 SD-WAN Policy Routing Issues

I'm having a Policy Routing issue on a VM upgraded from v17.5 MR9. 

I have 2 gateways.  On v17 I had three firewall rules that routed designated clients over the secondary gateway.  After upgrading, these rules still work with Migrated Policy Routes.  I deleted one of the Migrated Policy Routes to try to create it the "normal" way.  I cannot get this new Policy Route to work.  When it is enabled, the devices in the designated Host Group can no longer access the Internet.  When it is disabled, those devices can access the Internet over the primary/normal gateway.  The Migrated Policy Routes (that I didn't touch) use the same secondary gateway and they are working with no issues.

I assume there's some step I'm missing here.  Has anyone gotten this working?

To create the new Policy Route, I did the following:

  • Change the Route Precedence
    • system route_precedence set static sdwan_policyroute vpn
  • Delete the Migrated Policy route
  • Disable the firewall rule (in v17 it only existed to route these clients over the VPN)
  • Create a new Policy Route with the same settings (screenshot below)

  • Kishore Rajani said:

    Do you have any other rules set up? Can you post a screenshot?

    I have a ton of Firewall rules, but no other PBR rules.  I can't see any reason the firewall rules would be blocking, but what screenshots would help?

    I am seeing this in the packet trace from the host that can't access the Internet.  This is from trying to access a web site, but I see similar with ping.  There's no NAT or Rule ID though, so I'm not sure how to track down the violation...

  • Typing that last message led to an ah-ha moment.  The firewall uses the LAN interface to access the secondary gateway.  I did not have a rule in place to allow the VPN Routed Clients to use LAN as a destination.  Normally this is unnecessary, because that's the same VLAN they reside on so they don't route to get there.  Adding that rule resolved the issue.

    Kishore Rajani, thanks for taking the time to help.

  • Go to Diagnostics > Tools > Policy Tester

    Test the policy there to see what the result is.

    Also check the NAT rules you have.
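The resolution in the thread (the policy route sends traffic to a secondary gateway that sits on the LAN segment, so the firewall classifies the flow as LAN-to-LAN and drops it when no such rule exists) modelled as a small zone-matching simulation. This is an added illustration, not Sophos code; the interface names, networks and gateway addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model: the egress interface chosen by routing decides the
# destination zone BEFORE firewall rules are matched. All values assumed.
INTERFACES = {  # interface -> (zone, directly connected network)
    "Port1": ("LAN", ip_network("192.168.1.0/24")),
    "Port2": ("WAN", ip_network("203.0.113.0/24")),
}
GATEWAYS = {
    "primary": ip_address("203.0.113.1"),      # default gateway on the WAN port
    "secondary": ip_address("192.168.1.254"),  # VPN router on the LAN segment
}
VPN_ROUTED_CLIENTS = ip_network("192.168.1.64/27")  # the "Host Group"


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src_net: object  # ip_network
    rule_id: int


def zone_for_gateway(gw):
    """Egress zone is that of the interface whose subnet contains the gateway."""
    for name, (zone, net) in INTERFACES.items():
        if gw in net:
            return name, zone
    raise ValueError(f"no interface can reach {gw}")


def policy_route(src, policy_enabled):
    if policy_enabled and src in VPN_ROUTED_CLIENTS:
        return GATEWAYS["secondary"]
    return GATEWAYS["primary"]


def evaluate(src, rules, policy_enabled=True):
    """Return (action, matched rule id, destination zone) for a host's flow."""
    src = ip_address(src)
    src_zone = INTERFACES["Port1"][0]  # clients live on the LAN port
    _, dst_zone = zone_for_gateway(policy_route(src, policy_enabled))
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and src in r.src_net:
            return "ACCEPT", r.rule_id, dst_zone
    return "DROP", None, dst_zone  # implicit drop: no Rule ID in the packet trace


LAN_TO_WAN = Rule("LAN", "WAN", ip_network("192.168.1.0/24"), 1)
CLIENTS_TO_LAN = Rule("LAN", "LAN", VPN_ROUTED_CLIENTS, 2)  # the missing rule
```

With only LAN_TO_WAN in place, evaluate("192.168.1.70", [LAN_TO_WAN]) is dropped with no rule ID; adding CLIENTS_TO_LAN makes the same flow match rule 2.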