When a device behind a VMware SD-WAN Edge tries to communicate with a device directly connected to the Edge via a routed interface with a VLAN or subinterface configured, the communication may fail.

Article ID: 385302

Products

VMware VeloCloud SD-WAN

Issue/Introduction

When NAT Direct is configured on a routed interface, the expected behavior is that all traffic sent directly out of that interface (on the underlay) is NAT'd to the routed interface's IP address. However, NAT is not applied to traffic to and from other IP addresses in the same subnet as the routed interface when that routed interface is a subinterface or has a VLAN configured. The problem is not observed when the destination is one or more hops away, because the Edge is not enforcing NAT Direct for that traffic and it continues to work (see the Environment and Cause sections below for what changes once an Edge runs a fixed version).

Environment

It is possible that an older version of the SASE Orchestrator inadvertently configured NAT Direct on a main interface that has a VLAN or subinterface configured. If that interface only sends direct traffic to destinations one or more hops away, the customer would never observe an issue, because the NAT Direct setting was not actually being applied. However, when an Edge is upgraded to 5.2.0 or later, which includes a fix for this issue, routing behavior changes, since this specific use case was not implemented in prior releases.

Cause

Because a 5.2.0 Edge now implements NAT Direct in the expected manner for all use cases, traffic that previously worked may now fail because customers never realized that NAT Direct was checked for an interface with a VLAN or subinterface configured.

https://techdocs.broadcom.com/us/en/vmware-sde/velocloud-sase/vmware-velocloud-sd-wan/5-2/vmware-velocloud-sdwan-520-release-notes.html#:~:text=It%20is%20possible%20that%20an%20older,has%20a%20VLAN%20or%20subinterface%20configured.

Resolution

Customers upgrading their Edges to Release 5.2.0 or later should first review their Profile and Edge interface settings to ensure NAT Direct is enabled only where they explicitly require it, and deactivate the setting everywhere else, especially on any interface that has a VLAN or subinterface configured.
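A pre-upgrade audit of the kind described above, written as an added example rather than code from VMware or Broadcom. The interface export layout (`routed_interfaces`, `nat_direct`, `vlan_id`, `subinterfaces`) is a constructed, hypothetical schema, not the Orchestrator's real configuration format; adapt the field names to whatever your own Profile or Edge export contains.

```python
# Added example: flag routed interfaces whose NAT Direct setting will start
# being enforced once the Edge runs 5.2.0 or later. The export layout used
# here is hypothetical and constructed for illustration only.
from typing import Dict, List

# Constructed sample export for one Edge. GE2 is a plain routed interface;
# GE3 carries a VLAN tag; GE4 has a subinterface with NAT Direct on; GE5 has
# NAT Direct on the parent interface while also carrying a subinterface.
SAMPLE_EDGE: Dict = {
    "name": "branch-edge-1",
    "routed_interfaces": [
        {"name": "GE2", "nat_direct": True, "vlan_id": None, "subinterfaces": []},
        {"name": "GE3", "nat_direct": True, "vlan_id": 100, "subinterfaces": []},
        {"name": "GE4", "nat_direct": False, "vlan_id": None,
         "subinterfaces": [{"name": "GE4:1", "vlan_id": 200, "nat_direct": True}]},
        {"name": "GE5", "nat_direct": True, "vlan_id": None,
         "subinterfaces": [{"name": "GE5:1", "vlan_id": 300, "nat_direct": False}]},
    ],
}


def audit_nat_direct(edge: Dict) -> List[Dict]:
    """Return one finding per interface where NAT Direct is enabled on a
    VLAN-tagged routed interface, on a subinterface, or on a parent that
    carries subinterfaces. These are the configurations whose routing
    behavior changes after the upgrade and should be reviewed first."""
    findings: List[Dict] = []
    for iface in edge.get("routed_interfaces", []):
        subs = iface.get("subinterfaces", [])
        if iface.get("nat_direct"):
            if iface.get("vlan_id") is not None:
                findings.append({"interface": iface["name"],
                                 "reason": "NAT Direct on VLAN-tagged interface"})
            if subs:
                findings.append({"interface": iface["name"],
                                 "reason": "NAT Direct on parent with subinterfaces"})
        for sub in subs:
            if sub.get("nat_direct"):
                findings.append({"interface": sub["name"],
                                 "reason": "NAT Direct on subinterface"})
    return findings


if __name__ == "__main__":
    for finding in audit_nat_direct(SAMPLE_EDGE):
        print(f"{SAMPLE_EDGE['name']}: {finding['interface']} - {finding['reason']}")
```

Interfaces like GE2, with NAT Direct on a plain routed interface and no VLAN or subinterface, are intentionally not reported because their behavior is unchanged.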