Duplication on-demand when SLAs in the configured service are matched
SD-WAN packet duplication can be configured to be performed on-demand only when SLAs in the configured service are matched. When enabled, only the SLA health checks and targets that are used in the service rule are used to trigger the packet duplication.
    config system sdwan
        config duplication
            edit 1
                set service-id 1
                set packet-duplication on-demand
                set sla-match-service {enable | disable}
            next
        end
    end
sla-match-service {enable | disable}: Enable/disable packet duplication matching health check SLAs in service rules (matching all SLAs of the current defined service).
In this example, two performance SLA health checks are configured, health1 and health2. The health1 SLA is used in an SD-WAN service rule called rule1. Packet duplication uses on-demand mode, so packets for duplication are matched based on rule1. It triggers duplication based on the status of the health checks.
Results are shown for various combinations of health check statuses when the SLA match service is enabled or disabled.
To configure SD-WAN:
    config system sdwan
        set status enable
        set load-balance-mode usage-based
        config zone
            edit "virtual-wan-link"
            next
            edit "SASE"
            next
        end
        config members
            edit 1
                set interface "port5"
                set gateway 10.100.1.1
            next
            edit 2
                set interface "port4"
            next
        end
        config health-check
            edit "health1"
                set server "10.100.2.22"
                set members 0
                config sla
                    edit 1
                    next
                end
            next
            edit "health2"
                set server "10.100.2.23"
                set members 0
                config sla
                    edit 1
                    next
                end
            next
        end
        config service
            edit 1
                set name "rule1"
                set mode sla
                set dst "10.100.20.0"
                config sla
                    edit "health1"
                        set id 1
                    next
                end
                set priority-members 2 1
            next
        end
        config duplication
            edit 1
                set service-id 1
                set packet-duplication on-demand
                set sla-match-service enable
            next
        end
    end
Results
- When health1 (used in rule1) is out of SLA (sla_map=0x0) and health2 (not used) is in SLA (sla_map=0x1), the packet is duplicated (dup=0x1(dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(5.718), jitter(0.086), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(3.000%) latency(7.242), jitter(0.025), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.700), jitter(0.075), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.244), jitter(0.021), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1

    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x1(dup) oif=13(port5) measure=0x0(not measured) dup=0x1(dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0
The sniffer output shows packets leaving from both interfaces in the zone:
    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    2.403506 port2 in 172.16.205.11.59624 -> 10.100.20.33.90: syn 2098685816
    2.403522 port5 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816
    2.403523 port4 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816

    # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Tie break: cfg
      Gen(6), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x0), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
        10.100.20.0-10.100.20.255
- When health1 (used in rule1) is in SLA (sla_map=0x1) and health2 (not used) is out of SLA (sla_map=0x0), the packet is not duplicated (dup=0x0(not dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.684), jitter(0.064), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.222), jitter(0.015), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(2.911), jitter(2.328), mos(1.787), bandwidth-up(99995), bandwidth-dw(99996), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(6.000%) latency(2.566), jitter(2.307), mos(1.786), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0

    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0
The sniffer output shows packets leaving from only one interface:
    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    3.330376 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    3.330395 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014
    4.327851 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    4.327855 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014

    # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Tie break: cfg
      Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
        10.100.20.0-10.100.20.255
- When the SLA match service is disabled, packets are only duplicated when all of the health checks are out of SLA:

    config system sdwan
        config duplication
            edit 1
                set service-id 1
                set packet-duplication on-demand
                set sla-match-service disable
            next
        end
    end
- When health1 is out of SLA (sla_map=0x0) and health2 is in SLA (sla_map=0x1), the packet is not duplicated (dup=0x0(not dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(5.000%) latency(6.587), jitter(0.096), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(3.000%) latency(3.365), jitter(0.085), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.837), jitter(0.192), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.330), jitter(0.081), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1

    # diagnose firewall proute list
    list route policy info(vf=root):
    id=2135097345(0x7f430001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0

    # diagnose sys sdwan service
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
      Tie break: cfg
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
        10.100.20.0-10.100.20.255
- When both health1 and health2 are out of SLA (sla_map=0x0), the packet is duplicated (dup=0x1(dup)).
If there are multiple targets in a performance SLA health check, and only one of the targets is used in the service that is defined in the duplication rule, and the SLA match service is disabled, then only that target triggers packet duplication. It is not required for all of the targets in the health check to miss SLA.
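An added example, not from the original page or from Fortinet: a Python check that parses the health-check and proute outputs, predicts whether on-demand duplication should fire for a given sla-match-service setting, and compares the prediction with the dup= flags. The sample text is condensed from the first scenario above, the function names are hypothetical, and treating a health check as out of SLA when every member reports sla_map=0x0 is an assumption drawn from the samples.

```python
import re

# Constructed sample, condensed from the first scenario's diagnose output.
HEALTH = """\
Health Check(health1):
Seq(1 port5): state(alive), packet-loss(6.000%) latency(5.718) sla_map=0x0
Seq(2 port4): state(alive), packet-loss(3.000%) latency(7.242) sla_map=0x0
Health Check(health2):
Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.700) sla_map=0x1
Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.244) sla_map=0x1
"""
PROUTE = """\
id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1
oif=12(port4) measure=0x0(not measured) dup=0x1(dup)
oif=13(port5) measure=0x0(not measured) dup=0x1(dup)
"""

def parse_health(text):
    """Return {health_check_name: {member_port: sla_map_int}}."""
    checks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Health Check\((\S+?)\):", line)
        if m:
            current = checks.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*Seq\(\d+ (\S+?)\):.*sla_map=(0x[0-9a-fA-F]+)", line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return checks

def out_of_sla(members):
    # Assumption: out of SLA means every member reports sla_map=0x0,
    # the only out-of-SLA case the page's samples show.
    return bool(members) and all(v == 0 for v in members.values())

def expected_dup(checks, rule_checks, sla_match_service):
    """Enabled: only the rule's health checks count. Disabled: all must miss SLA."""
    scope = rule_checks if sla_match_service else list(checks)
    return bool(scope) and all(out_of_sla(checks.get(n, {})) for n in scope)

def observed_dup(text):
    """Return {port: bool} from the dup= flags of a proute listing."""
    pairs = re.findall(r"oif=\d+\((\S+?)\).*?dup=(0x[0-9a-fA-F]+)", text)
    return {port: int(flag, 16) == 1 for port, flag in pairs}

def audit(health, proute, rule_checks, sla_match_service):
    # Per-port True means the device state matches the predicted behaviour.
    want = expected_dup(parse_health(health), rule_checks, sla_match_service)
    return {port: got == want for port, got in observed_dup(proute).items()}
```

Calling `audit(HEALTH, PROUTE, ["health1"], True)` returns a per-port map; a `False` entry means the dup= flag disagrees with what the configured sla-match-service mode should produce.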