SD-WAN Firewall Troubleshooting

Article ID: 320673

Products

VMware SD-WAN by VeloCloud

Issue/Introduction

Symptoms:
- 1:1 NAT rules failing.
- 1:1 NAT rules not seeing bidirectional traffic.
- Port forwarding failing.

Environment

VMware SD-WAN by VeloCloud

Resolution

Inbound Rules (1:1 NAT)

1. Verify the configuration. Ensure that the NAT address corresponds to the correct interface and that the IP address configured for the 1:1 NAT is in the same subnet as the WAN IP of the GE interface.

Note that all traffic will flow direct in these use cases.

2. If the rules are not working as expected, start a constant ping from an outside host to the appropriate outside IP address.

3. Once the ping is running, initiate a packet capture on the WAN interface and first verify that the traffic is being received there.

4. If the ICMP traffic is seen on the WAN interface, move on to the appropriate LAN interface. If traffic is not seen on the WAN interface, ensure that the ping destination and the interface configuration are correct.

5. Initiate a PCAP on the appropriate LAN interface, filtering on the egress (LAN destination) IP address. If the ICMP traffic is not being passed through with the appropriate IP address, check the following:

- The appropriate segment is configured for the inbound rule. The inside IP address should be in the selected segment.

     - Check the routing of the selected segment to ensure a route has been populated, and that it matches the segment information entered in the respective rule ("Remote Diagnostics" -> "Route Table Dump").

- Another item to check under "Edge Firewall" is the "Remote IP" section. If any entries are configured here, ensure they allow the source of the ICMP to pass through to the Edge. Leaving this section empty allows any source to reach the Edge.

- Flushing the NAT flows ("Remote Diagnostics" -> "Flush NAT") may help by clearing stale or excessive NAT entries.

6. If traffic is seen being sent correctly from the LAN interface to the LAN client, check that the LAN client is configured to respond to ICMP.

7. The Edge's flows can also be checked ("Remote Diagnostics" -> "List Active Flows"); when working properly, they should show the return flow from the LAN client to the remote host.

8. If there are issues specifically with return traffic (return traffic is verified to be hitting the Edge but is not sent out), make sure the "Outbound Traffic" checkbox is selected so that egress traffic is allowed to pass through the Edge.
 


 

Inbound Rules (Port Forwarding)

1. Verify the configuration. Ensure that the correct interface is selected and that the outside IP is correct.

Note that all traffic will flow direct in these use cases.

2. If the rules are not working as expected, initiate traffic from an outside host to the appropriate outside IP address using the configured protocol and port. This can be done with telnet for a specific TCP port (telnet x.x.x.x 734) or with the nc utility for UDP traffic (nc -z -v -u x.x.x.x 734).

3. Once the traffic is started, initiate a packet capture on the WAN interface and first verify that the traffic is being received there.

4. If the traffic is seen on the WAN interface, move on to the appropriate LAN interface. If traffic is not seen on the WAN interface, ensure that the destination and the interface configuration are correct.

5. Initiate a PCAP on the appropriate LAN interface, filtering on the egress (LAN destination) IP address. If the traffic is not being passed through with the appropriate IP address, check the following:

- The appropriate segment is configured for the inbound rule. The inside IP address should be in the selected segment.

       - Check the routing of the selected segment to ensure a route has been populated, and that it matches the segment information entered in the respective rule ("Remote Diagnostics" -> "Route Table Dump").

- Another item to check under "Edge Firewall" is the "Remote IP" section. If any entries are configured here, ensure they allow the source of the test traffic to pass through to the Edge. Leaving this section empty allows any source to reach the Edge.

6. If traffic is seen being sent correctly from the LAN interface to the LAN client, check that the LAN client is configured to respond to this traffic.

7. The Edge's flows can also be checked ("Remote Diagnostics" -> "List Active Flows"); when working properly, they should show the return flow from the LAN client to the remote host.
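As an added example (not part of the original article or of the VeloCloud product), the following Python script runs the static checks from step 1 and the step 5 bullets of both inbound-rule procedures above before any packet capture is taken: the outside IP must sit in the WAN interface's subnet, the inside IP must be covered by a route in the selected segment, and a non-empty "Remote IP" list must include the test source. The rule model, field names and sample addresses are constructed for illustration and do not reflect the Edge's configuration schema.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class InboundNatRule:
    """Constructed model of an inbound rule (1:1 NAT or port forward); not the Edge's own schema."""
    wan_interface_cidr: str  # WAN IP of the GE interface with its mask, e.g. "203.0.113.10/24"
    outside_ip: str          # NAT address / outside IP that remote hosts target
    inside_ip: str           # LAN client the traffic is translated to
    segment_routes: list     # prefixes seen in the selected segment's "Route Table Dump"
    remote_ips: list = field(default_factory=list)  # "Remote IP" entries under Edge Firewall; empty = any


def check_rule(rule: InboundNatRule, test_source_ip: str) -> list:
    """Return a list of findings; an empty list means all static checks pass."""
    findings = []
    wan = ipaddress.ip_interface(rule.wan_interface_cidr)
    outside = ipaddress.ip_address(rule.outside_ip)
    inside = ipaddress.ip_address(rule.inside_ip)
    source = ipaddress.ip_address(test_source_ip)

    # Step 1: the outside (NAT) address must be in the WAN interface's subnet.
    if outside not in wan.network:
        findings.append(f"outside IP {outside} is not in WAN subnet {wan.network}")

    # Step 5, first bullet: the selected segment must have a route covering the inside IP.
    if not any(inside in ipaddress.ip_network(r, strict=False) for r in rule.segment_routes):
        findings.append(f"no route in the selected segment covers inside IP {inside}")

    # Step 5, second bullet: a non-empty Remote IP list must include the test source.
    if rule.remote_ips and not any(
        source in ipaddress.ip_network(r, strict=False) for r in rule.remote_ips
    ):
        findings.append(f"test source {source} is not permitted by the Remote IP list")

    return findings


if __name__ == "__main__":
    # Constructed sample data: one correct rule and one with all three misconfigurations.
    good = InboundNatRule("203.0.113.10/24", "203.0.113.20", "10.1.1.50", ["10.1.1.0/24", "10.1.2.0/24"])
    bad = InboundNatRule("203.0.113.10/24", "192.0.2.20", "10.1.1.50", ["10.2.0.0/16"], ["198.51.100.0/24"])
    for name, rule in (("good", good), ("bad", bad)):
        print(name, check_rule(rule, "203.0.113.99") or "OK")
```

A clean result does not replace the packet captures above; it only rules out the configuration mismatches that would otherwise show up as traffic reaching the WAN interface but never the LAN client.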
 



If any unexpected behavior is still observed, please reach out to VMware SD-WAN by VeloCloud Support.