- Business Policy is configured with Network Service = Direct but the traffic is actually following the "Multipath" (routed through a VeloCloud Gateway).
- Business Policy is configured with Network Service = Multipath but the traffic is actually taking the "Direct" path.
The Edge forwards traffic via Multipath (Branch to Branch or Cloud via Gateway, depending on the route) even when the business policy is configured to send it via the Direct path, if the Edge has received secure default routes or more specific secure routes from the Partner Gateway or another Edge.
For example, the Edge is configured with a business policy, Test Rule, to send traffic to destination IP 2.2.2.2 via the "Direct" path, as shown below.
However, traffic to destination 2.2.2.2 goes via Multipath because of the secure Edge route, which is expected behavior: the Edge prefers secure routes over the business policy. As the List Active Flows screenshot below shows, the flow matches the business policy Test Rule, but the traffic actually takes the Branch to Branch route using Multipath.
The Edge has a more specific Branch to Branch route for the subnet 2.2.2.2/32. This can be verified from Remote Diagnostics -> Route Table Dump.
The same behavior can be observed if the secure route 2.2.2.2/32 comes from the Partner Gateway. In that case, List Active Flows displays the route as Cloud via Gateway even though the traffic hits the correct business policy, Test Rule.
The route table dump displays the secure routes from the Partner Gateway, as shown below.
If, for any reason, the traffic needs to be sent via the Direct path, these are the options:
- Branch to Branch routes are secure, so they are always preferred. The only way to use the Direct path is to stop advertising the Branch to Branch route for the destination IP (in this example, 2.2.2.2/32).
- In the Partner Gateway, routes can be configured as secure or non-secure routes. If the routes are non-secure, the business policy is honored. The settings for the secure routing configuration are shown below. If the highlighted section is unchecked, the routes are non-secure routes.
Sometimes the business policy is configured to send the traffic via "Multipath" but the secure routes are received on the Edge as underlay routes. In this case the Edge forwards the traffic "Direct" even though the business policy is configured as "Multipath", as shown below.
This Edge receives the destination route 5.5.5.5/32 as a secure BGP route from interface GE6, so it forwards the traffic directly out of the GE6 interface.
List Active Flows displays the flow as a "Direct" flow, as shown below.
In this case, if the traffic needs to be sent via Multipath, we need to stop advertising this destination route via the GE6 interface.
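The two cases above can be checked ahead of time by comparing each business policy against the routes the Edge has learned. The following is an added example, not VeloCloud code or part of the original article: a simplified Python model of the precedence described here. The `Route` fields, the origin labels, the longest-prefix tie-break and all sample data other than Test Rule, 2.2.2.2/32 and 5.5.5.5/32 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str    # destination prefix, e.g. "2.2.2.2/32"
    origin: str    # "edge", "partner_gateway" or "underlay" (labels assumed for this model)
    secure: bool   # True if the route is a secure route

# Path and flow label for each secure-route origin, as described in the article.
SECURE_PATH = {
    "edge": ("Multipath", "Branch to Branch"),
    "partner_gateway": ("Multipath", "Cloud via Gateway"),
    "underlay": ("Direct", "Direct"),
}

def effective_path(dst, policy_service, routes):
    """Return (service, flow_label) the traffic is expected to take."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if matches:
        # Assumption: longest-prefix match picks the route; a secure route wins a tie.
        best = max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.secure))
        if best.secure:
            return SECURE_PATH[best.origin]
    # No secure route selected: the business policy is honored.
    return (policy_service, "per business policy")

def audit(policies, routes):
    """List rules whose configured Network Service differs from the effective path."""
    findings = []
    for name, dst, service in policies:
        actual, label = effective_path(dst, service, routes)
        if actual != service:
            findings.append((name, dst, service, actual, label))
    return findings

# Constructed sample data mirroring the two cases in the article.
ROUTES = [
    Route("2.2.2.2/32", "edge", True),
    Route("5.5.5.5/32", "underlay", True),
    Route("9.9.9.0/24", "partner_gateway", False),
]
POLICIES = [
    ("Test Rule", "2.2.2.2", "Direct"),
    ("Rule B (constructed)", "5.5.5.5", "Multipath"),
    ("Rule C (constructed)", "9.9.9.9", "Direct"),
]

if __name__ == "__main__":
    for f in audit(POLICIES, ROUTES):
        print("%s: dst %s configured %s, expected actual %s (%s)" % f)
```

Rules reported by `audit` are the ones where the configured Network Service will not decide the path, so the route advertisement or the Partner Gateway secure-route setting has to change instead.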