SD-WAN Edge drops return traffic with Stateful Firewall enabled

Article ID: 333922

Updated On:

Products

VMware SD-WAN by VeloCloud

Issue/Introduction

Symptoms:
  • The SD-WAN Edge drops return traffic from other SD-WAN sites when the Stateful Firewall is enabled.

  • The firewall rule is configured with a specific VLAN in the source field.

  • Flows that should match that rule intermittently show as hitting the Deny_all rule, even though no other deny rule explains the drop.



Environment

VMware SD-WAN by VeloCloud
VMware SD-WAN

Cause

The issue is tracked as bug #121998.

When the application classification, business policy table, or firewall policy table version changes, the SD-WAN Edge re-runs the firewall lookup for each existing flow on that flow's next packet. Because of a timing issue, that next packet can be one arriving from the management-traffic (VCMP) side, that is, a packet travelling in the return direction of the flow. When the Edge builds the firewall lookup key from such a packet, it swaps the source Edge VLAN with the destination Edge VLAN. A rule whose source field names a specific VLAN therefore no longer matches; the lookup falls through to the implicit catch-all rule and the traffic is dropped.

Resolution

This issue is resolved in SD-WAN Edge version 5.0.1.5.
For information on how to upgrade please check the following article: VMware SD-WAN Software Upgrade FAQs

Workaround:

If you do not want to upgrade, change the source field of the affected firewall rule from the specific VLAN to 'Any'. With the source set to 'Any', the lookup key still matches even when the source and destination VLANs are swapped. Note that this widens the rule's match scope; keep the rule constrained by its other fields (destination, port, application) where the VLAN restriction mattered.
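The following is an added model of the lookup described under Cause and of why the workaround holds; it is constructed for illustration and is not VMware SD-WAN code. The rule names, the Flow/Packet/Rule structures, and the two-VLAN key are assumptions; only the behaviour they model (key swap on a return-direction packet, fall-through to Deny_all, 'Any' source matching either way) comes from the article.

```python
"""Model of a VLAN-keyed stateful firewall lookup (constructed example, not
VMware SD-WAN code).  Shows that a rule pinned to a specific source VLAN
fails when the lookup key is built from a return-direction packet, and that
a source of 'Any' matches regardless of key orientation."""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "any"
VlanSel = Union[int, str]  # a VLAN ID or ANY


@dataclass(frozen=True)
class Rule:
    name: str
    src_vlan: VlanSel  # VLAN on the source Edge, or ANY
    dst_vlan: VlanSel  # VLAN on the destination Edge, or ANY
    action: str        # "allow" or "deny"


# Implicit catch-all hit when no configured rule matches (assumed name).
DENY_ALL = Rule("Deny_all", ANY, ANY, "deny")


@dataclass(frozen=True)
class Flow:
    """A flow as first seen: originator VLAN on the source Edge and the
    VLAN at the destination Edge."""
    src_edge_vlan: int
    dst_edge_vlan: int


@dataclass(frozen=True)
class Packet:
    """One packet of the flow; return-direction packets carry the VLANs
    swapped relative to the flow's orientation."""
    src_vlan: int
    dst_vlan: int


def lookup_key(flow: Flow, pkt: Packet, reorient: bool) -> Tuple[int, int]:
    """Build the (src_edge_vlan, dst_edge_vlan) lookup key.

    reorient=True is the correct behaviour: key on the flow's orientation no
    matter which direction the triggering packet travels.  reorient=False
    models the bug: the key is taken from the packet as-is, so a
    return-direction packet yields a swapped key."""
    if reorient:
        return (flow.src_edge_vlan, flow.dst_edge_vlan)
    return (pkt.src_vlan, pkt.dst_vlan)


def _sel_matches(sel: VlanSel, vlan: int) -> bool:
    return sel == ANY or sel == vlan


def evaluate(policy: List[Rule], key: Tuple[int, int]) -> Rule:
    """First-match evaluation over the policy, falling through to DENY_ALL."""
    src, dst = key
    for rule in policy:
        if _sel_matches(rule.src_vlan, src) and _sel_matches(rule.dst_vlan, dst):
            return rule
    return DENY_ALL


def relookup_on_policy_change(policy: List[Rule], flow: Flow, pkt: Packet,
                              buggy: bool = False) -> str:
    """Simulate the re-lookup performed on the next packet after a policy
    table version change and return the name of the rule hit."""
    key = lookup_key(flow, pkt, reorient=not buggy)
    return evaluate(policy, key).name


# Constructed scenario: VLAN 100 at the local Edge talks to VLAN 200 at the
# remote Edge.  FORWARD_PKT is in the flow's direction; RETURN_PKT is the
# reply coming back over the overlay with the VLANs reversed.
FLOW = Flow(src_edge_vlan=100, dst_edge_vlan=200)
FORWARD_PKT = Packet(src_vlan=100, dst_vlan=200)
RETURN_PKT = Packet(src_vlan=200, dst_vlan=100)

# Rule as originally configured: source pinned to VLAN 100.
SPECIFIC_POLICY = [Rule("allow-vlan100-out", 100, ANY, "allow")]
# Same rule after the workaround: source changed to Any.
WORKAROUND_POLICY = [Rule("allow-any-out", ANY, ANY, "allow")]

if __name__ == "__main__":
    for label, policy in (("specific", SPECIFIC_POLICY),
                          ("workaround", WORKAROUND_POLICY)):
        for pkt_label, pkt in (("forward", FORWARD_PKT), ("return", RETURN_PKT)):
            for buggy in (False, True):
                hit = relookup_on_policy_change(policy, FLOW, pkt, buggy)
                print(f"{label:10s} {pkt_label:7s} buggy={buggy!s:5s} -> {hit}")
```

Run with the specific rule and a return-direction trigger: the correct key (100, 200) hits the allow rule, while the swapped key (200, 100) falls through to Deny_all, which is the intermittent deny the symptoms describe. With the workaround rule the source selector accepts either orientation, so both keys hit the allow rule.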

