Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

Duplication on-demand when SLAs in the configured service are matched

SD-WAN packet duplication can be configured to be performed on-demand only when SLAs in the configured service are matched. When enabled, only the SLA health checks and targets that are used in the service rule are used to trigger the packet duplication.

config system sdwan
    config duplication
        edit 1
            set service-id 1
            set packet-duplication on-demand
            set sla-match-service {enable | disable}
        next
    end
end

sla-match-service {enable | disable}

Enable/disable packet duplication matching health check SLAs in service rules (matching all SLAs of the current defined service).

In this example, two performance SLA health checks are configured, health1 and health2. The health1 SLA is used in an SD-WAN service rule called rule1. Packet duplication uses on-demand mode, so packets for duplication are matched based on rule1. It triggers duplication based on the status of the health checks.

Results are shown for various combinations of health check statuses when the SLA match service is enabled or disabled.

To configure SD-WAN:
config system sdwan
    set status enable
    set load-balance-mode usage-based
    config zone
        edit "virtual-wan-link"
        next
        edit "SASE"
        next
    end
    config members
        edit 1
            set interface "port5"
            set gateway 10.100.1.1
        next
        edit 2
            set interface "port4"
        next
    end
    config health-check
        edit "health1"
            set server "10.100.2.22"
            set members 0
            config sla
                edit 1
                next
            end
        next
        edit "health2"
            set server "10.100.2.23"
            set members 0
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "rule1"
            set mode sla
            set dst "10.100.20.0"
            config sla
                edit "health1"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
    config duplication
        edit 1
            set service-id 1
            set packet-duplication on-demand
            set sla-match-service enable
        next
    end
end

Results

  • When health1 (used in rule1) is out of SLA (sla_map=0x0) and health2 (not used) is in SLA (sla_map=0x1), the packet is duplicated (dup=0x1(dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(5.718), jitter(0.086), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(3.000%) latency(7.242), jitter(0.025), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.700), jitter(0.075), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.244), jitter(0.021), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x1(dup) oif=13(port5) measure=0x0(not measured) dup=0x1(dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0

    The sniffer output shows packets leaving from both interfaces in the zone:

    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    2.403506 port2 in 172.16.205.11.59624 -> 10.100.20.33.90: syn 2098685816
    2.403522 port5 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816
    2.403523 port4 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816
    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(6), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x0), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
            10.100.20.0-10.100.20.255
  • When health1 (used in rule1) is in SLA (sla_map=0x1) and health2 (not used) is out of SLA (sla_map=0x0), the packet is not duplicated (dup=0x0(not dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.684), jitter(0.064), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.222), jitter(0.015), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(2.911), jitter(2.328), mos(1.787), bandwidth-up(99995), bandwidth-dw(99996), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(6.000%) latency(2.566), jitter(2.307), mos(1.786), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0

    The sniffer output shows packets leaving from only one interface:

    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    3.330376 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    3.330395 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014
    4.327851 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    4.327855 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014
    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
            10.100.20.0-10.100.20.255
  • When the SLA match service is disabled, packets are only duplicated with all of the health checks are out of SLA:

    config system sdwan
        config duplication
            edit 1
                set service-id 1
                set packet-duplication on-demand
                set sla-match-service disable
            next
        end
    end
    • When health1 is out of SLA (sla_map=0x0) and health2 is in SLA (sla_map=0x1), the packet is not duplicated (dup=0x0(not dup)):

      # diagnose sys sdwan health-check
      Health Check(health1):
      Seq(1 port5): state(alive), packet-loss(5.000%) latency(6.587), jitter(0.096), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
      Seq(2 port4): state(alive), packet-loss(3.000%) latency(3.365), jitter(0.085), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
      Health Check(health2):
      Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.837), jitter(0.192), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
      Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.330), jitter(0.081), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
      # diagnose firewall proute list
      list route policy info(vf=root):
      
      id=2135097345(0x7f430001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
      destination(1): 10.100.20.0-10.100.20.255
      source wildcard(1): 0.0.0.0/0.0.0.0
      # diagnose sys sdwan service
      
      Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
       Tie break: cfg
        Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
        Members(2):
          1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
          2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
        Dst address(1):
              10.100.20.0-10.100.20.255
    • When both health1 and health2 are out of SLA (sla_map=0x0), the packet is duplicated (dup=0x1(dup)).

    Note

    If there are multiple targets in a performance SLA health check, and only one of the targets is used in the service that is defined in the duplication rule, and the SLA match service is disabled, then only that target triggers packet duplication. It is note required for all of the targets in the health check to miss SLA.

Duplication on-demand when SLAs in the configured service are matched

SD-WAN packet duplication can be configured to be performed on-demand only when SLAs in the configured service are matched. When enabled, only the SLA health checks and targets that are used in the service rule are used to trigger the packet duplication.

config system sdwan
    config duplication
        edit 1
            set service-id 1
            set packet-duplication on-demand
            set sla-match-service {enable | disable}
        next
    end
end

sla-match-service {enable | disable}

Enable/disable packet duplication matching health check SLAs in service rules (matching all SLAs of the current defined service).

In this example, two performance SLA health checks are configured, health1 and health2. The health1 SLA is used in an SD-WAN service rule called rule1. Packet duplication uses on-demand mode, so packets for duplication are matched based on rule1. It triggers duplication based on the status of the health checks.

Results are shown for various combinations of health check statuses when the SLA match service is enabled or disabled.

To configure SD-WAN:
config system sdwan
    set status enable
    set load-balance-mode usage-based
    config zone
        edit "virtual-wan-link"
        next
        edit "SASE"
        next
    end
    config members
        edit 1
            set interface "port5"
            set gateway 10.100.1.1
        next
        edit 2
            set interface "port4"
        next
    end
    config health-check
        edit "health1"
            set server "10.100.2.22"
            set members 0
            config sla
                edit 1
                next
            end
        next
        edit "health2"
            set server "10.100.2.23"
            set members 0
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "rule1"
            set mode sla
            set dst "10.100.20.0"
            config sla
                edit "health1"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
    config duplication
        edit 1
            set service-id 1
            set packet-duplication on-demand
            set sla-match-service enable
        next
    end
end

Results

  • When health1 (used in rule1) is out of SLA (sla_map=0x0) and health2 (not used) is in SLA (sla_map=0x1), the packet is duplicated (dup=0x1(dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(5.718), jitter(0.086), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(3.000%) latency(7.242), jitter(0.025), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.700), jitter(0.075), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.244), jitter(0.021), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x1(dup) oif=13(port5) measure=0x0(not measured) dup=0x1(dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0

    The sniffer output shows packets leaving from both interfaces in the zone:

    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    2.403506 port2 in 172.16.205.11.59624 -> 10.100.20.33.90: syn 2098685816
    2.403522 port5 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816
    2.403523 port4 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816
    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(6), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x0), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
            10.100.20.0-10.100.20.255
  • When health1 (used in rule1) is in SLA (sla_map=0x1) and health2 (not used) is out of SLA (sla_map=0x0), the packet is not duplicated (dup=0x0(not dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.684), jitter(0.064), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.222), jitter(0.015), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(2.911), jitter(2.328), mos(1.787), bandwidth-up(99995), bandwidth-dw(99996), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(6.000%) latency(2.566), jitter(2.307), mos(1.786), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0

    The sniffer output shows packets leaving from only one interface:

    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    3.330376 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    3.330395 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014
    4.327851 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    4.327855 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014
    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
            10.100.20.0-10.100.20.255
  • When the SLA match service is disabled, packets are only duplicated with all of the health checks are out of SLA:

    config system sdwan
        config duplication
            edit 1
                set service-id 1
                set packet-duplication on-demand
                set sla-match-service disable
            next
        end
    end
    • When health1 is out of SLA (sla_map=0x0) and health2 is in SLA (sla_map=0x1), the packet is not duplicated (dup=0x0(not dup)):

      # diagnose sys sdwan health-check
      Health Check(health1):
      Seq(1 port5): state(alive), packet-loss(5.000%) latency(6.587), jitter(0.096), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
      Seq(2 port4): state(alive), packet-loss(3.000%) latency(3.365), jitter(0.085), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
      Health Check(health2):
      Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.837), jitter(0.192), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
      Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.330), jitter(0.081), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
      # diagnose firewall proute list
      list route policy info(vf=root):
      
      id=2135097345(0x7f430001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
      destination(1): 10.100.20.0-10.100.20.255
      source wildcard(1): 0.0.0.0/0.0.0.0
      # diagnose sys sdwan service
      
      Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
       Tie break: cfg
        Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
        Members(2):
          1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
          2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
        Dst address(1):
              10.100.20.0-10.100.20.255
    • When both health1 and health2 are out of SLA (sla_map=0x0), the packet is duplicated (dup=0x1(dup)).

    Note

    If there are multiple targets in a performance SLA health check, and only one of the targets is used in the service that is defined in the duplication rule, and the SLA match service is disabled, then only that target triggers packet duplication. It is note required for all of the targets in the health check to miss SLA.