The scenarios where a Business Policy rule configured to send traffic via "Multipath" won't work



Article ID: 323745


Updated On:

Products

VMware VeloCloud SD-WAN

Issue/Introduction

To explore the scenarios in which a Business Policy rule configured to send traffic via Multipath does not take effect.

Environment

VMware VeloCloud SD-WAN supported versions

Resolution

To verify the problem:

- Check debug --flow_dump, either locally on the SD-WAN Edge Secure CLI or via the diagnostic bundle. It shows whether a specific flow is being sent Direct or via the Gateway.

- Check the flow dump in Remote Diagnostics. It states specifically which Business Policy rule the flow is hitting. One reason traffic may be going Direct is that it hits a different BP rule than the one you expected; in that case, troubleshoot why the flow matches that unexpected Business Policy rule.


For scenarios where the flow matches the right Business Policy rule and still goes Direct, there are a few possibilities:

  • If the appmap flag mustNotUseGateway is set for the application in question, the traffic goes Direct regardless of whether the BP rule is set to Multipath. Caveat: if the route the traffic hits is a secure route, the secure route overrides the appmap flag and the traffic does go Multipath. Summarised, the priority is: Secure Route > mustNotUseGateway flag > BP rule.
  • Routes override the Business Policy rule. If there is a static or dynamic (OSPF, BGP) route learned locally on the Edge, the traffic is sent Direct according to that route. This makes sense: there is no possible Multipath route to reach those destinations, so the traffic must go Direct. Note: if the static/dynamic route is learned on another Edge, the traffic is sent Multipath to that other Edge. The rule that traffic matching these types of routes must be sent Direct applies only to routes learned locally on the Edge.
  • A third possibility is that the VCMP tunnel to the primary Gateway has flapped recently or is currently down. When the tunnel to the primary Gateway goes down, Cloud traffic is sent Direct, and when the tunnel comes back up those existing flows keep going Direct; only new flows created after the tunnel came back up go through the Gateway. (A further caveat: if the application has the mustUseGateway appmap flag configured, those flows do move back to the Gateway when the tunnel comes back up.)
  • If the failing Multipath rule is supposed to go through a Partner Gateway, the appropriate route may not have been configured on the Partner Gateway.
  • Finally, if Cloud Security Service is enabled, some types of traffic may be sent Direct regardless of the BP rule.
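To make the interactions above explicit, the following is an added illustration (not VeloCloud code) that models the expected path of one flow from the conditions this article lists. Only the order Secure Route > mustNotUseGateway flag > BP rule is stated by the article; the relative order between the independent conditions (locally learned routes, tunnel state, Cloud Security Service) is an assumption of this model, and the field names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class FlowContext:
    """Constructed inputs for one flow (hypothetical field names)."""
    bp_multipath: bool                   # matched BP rule says Multipath
    secure_route: bool = False           # destination is hit by a secure route
    must_not_use_gateway: bool = False   # appmap flag on the application
    must_use_gateway: bool = False       # appmap flag on the application
    local_route: bool = False            # static/dynamic route learned on this Edge
    remote_edge_route: bool = False      # static/dynamic route learned on another Edge
    primary_gw_tunnel_up: bool = True    # VCMP tunnel to the primary Gateway
    created_while_tunnel_down: bool = False  # flow existed before tunnel recovered
    css_bypass: bool = False             # Cloud Security Service sends this type Direct


def expected_path(ctx: FlowContext):
    """Return (path, reason) where path is 'direct' or 'multipath'."""
    if not ctx.bp_multipath:
        return "direct", "matched BP rule does not select Multipath"
    if ctx.css_bypass:  # assumed precedence: CSS exception checked first
        return "direct", "Cloud Security Service sends this traffic type Direct"
    if ctx.local_route:
        return "direct", "route learned locally on the Edge overrides the BP rule"
    if ctx.remote_edge_route:
        return "multipath", "route learned on another Edge: sent Multipath to that Edge"
    # Article-stated priority: Secure Route > mustNotUseGateway > BP rule
    if ctx.secure_route:
        return "multipath", "secure route overrides mustNotUseGateway"
    if ctx.must_not_use_gateway:
        return "direct", "appmap flag mustNotUseGateway"
    if not ctx.primary_gw_tunnel_up:
        return "direct", "VCMP tunnel to the primary Gateway is down"
    if ctx.created_while_tunnel_down and not ctx.must_use_gateway:
        return "direct", "existing flow stays Direct after the tunnel recovered"
    return "multipath", "BP rule honoured"


if __name__ == "__main__":
    # Constructed case: mustNotUseGateway set, but a secure route wins.
    print(expected_path(FlowContext(True, secure_route=True, must_not_use_gateway=True)))
```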