SD-WAN New Features

7.2.0

Duplication on-demand when SLAs in the configured service are matched

This information is also available in the FortiOS 7.2 Administration Guide.

SD-WAN packet duplication can be configured to be performed on-demand only when SLAs in the configured service are matched. When enabled, only the SLA health checks and targets that are used in the service rule are used to trigger the packet duplication.

config system sdwan
    config duplication
        edit 1
            set service-id 1
            set packet-duplication on-demand
            set sla-match-service {enable | disable}
        next
    end
end

In this example, two performance SLA health checks are configured, health1 and health2. The health1 SLA is used in an SD-WAN service rule called rule1. Packet duplication uses on-demand mode, so packets for duplication are matched based on rule1. It triggers duplication based on the status of the health checks.

Results are shown for various combinations of health check statuses when the SLA match service is enabled or disabled.

To configure SD-WAN:
config system sdwan
    set status enable
    set load-balance-mode usage-based
    config zone
        edit "virtual-wan-link"
        next
        edit "SASE"
        next
    end
    config members
        edit 1
            set interface "port5"
            set gateway 10.100.1.1
        next
        edit 2
            set interface "port4"
        next
    end
    config health-check
        edit "health1"
            set server "10.100.2.22"
            set members 0
            config sla
                edit 1
                next
            end
        next
        edit "health2"
            set server "10.100.2.23"
            set members 0
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "rule1"
            set mode sla
            set dst "10.100.20.0"
            config sla
                edit "health1"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
    config duplication
        edit 1
            set service-id 1
            set packet-duplication on-demand
            set sla-match-service enable
        next
    end
end

Results

  • When health1 (used in rule1) is out of SLA (sla_map=0x0) and health2 (not used) is in SLA (sla_map=0x1), the packet is duplicated (dup=0x1(dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(5.718), jitter(0.086), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(3.000%) latency(7.242), jitter(0.025), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.700), jitter(0.075), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.244), jitter(0.021), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x1(dup) oif=13(port5) measure=0x0(not measured) dup=0x1(dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0

    The sniffer output shows packets leaving from both interfaces in the zone:

    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    2.403506 port2 in 172.16.205.11.59624 -> 10.100.20.33.90: syn 2098685816
    2.403522 port5 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816
    2.403523 port4 out 10.100.1.250.59624 -> 10.100.20.33.90: syn 2098685816
    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(6), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x0), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
            10.100.20.0-10.100.20.255
  • When health1 (used in rule1) is in SLA (sla_map=0x1) and health2 (not used) is out of SLA (sla_map=0x0), the packet is not duplicated (dup=0x0(not dup)):

    # diagnose sys sdwan health-check
    Health Check(health1):
    Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.684), jitter(0.064), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
    Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.222), jitter(0.015), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
    Health Check(health2):
    Seq(1 port5): state(alive), packet-loss(6.000%) latency(2.911), jitter(2.328), mos(1.787), bandwidth-up(99995), bandwidth-dw(99996), bandwidth-bi(199990) sla_map=0x0
    Seq(2 port4): state(alive), packet-loss(6.000%) latency(2.566), jitter(2.307), mos(1.786), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
    # diagnose firewall proute list
    id=2135031809(0x7f420001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
    destination(1): 10.100.20.0-10.100.20.255
    source wildcard(1): 0.0.0.0/0.0.0.0

    The sniffer output shows packets leaving from only one interface:

    # diagnose sniffer packet any "port 90" 4
    interfaces=[any]
    filters=[port 90]
    3.330376 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    3.330395 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014
    4.327851 port2 in 172.16.205.11.38318 -> 10.100.21.33.90: syn 381919014
    4.327855 port5 out 10.100.1.2.38318 -> 10.100.21.33.90: syn 381919014
    # diagnose sys sdwan service
    
    Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
     Tie break: cfg
      Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Members(2):
        1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
        2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
      Dst address(1):
            10.100.20.0-10.100.20.255
  • When the SLA match service is disabled, packets are only duplicated when all of the health checks are out of SLA:

    config system sdwan
        config duplication
            edit 1
                set service-id 1
                set packet-duplication on-demand
                set sla-match-service disable
            next
        end
    end
    • When health1 is out of SLA (sla_map=0x0) and health2 is in SLA (sla_map=0x1), the packet is not duplicated (dup=0x0(not dup)):

      # diagnose sys sdwan health-check
      Health Check(health1):
      Seq(1 port5): state(alive), packet-loss(5.000%) latency(6.587), jitter(0.096), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
      Seq(2 port4): state(alive), packet-loss(3.000%) latency(3.365), jitter(0.085), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
      Health Check(health2):
      Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.837), jitter(0.192), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
      Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.330), jitter(0.081), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
      # diagnose firewall proute list
      list route policy info(vf=root):
      
      id=2135097345(0x7f430001) vwl_service=1(rule1) vwl_mbr_seq=2 1 dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=12(port4) measure=0x0(not measured) dup=0x0(not dup) oif=13(port5) measure=0x0(not measured) dup=0x0(not dup)
      destination(1): 10.100.20.0-10.100.20.255
      source wildcard(1): 0.0.0.0/0.0.0.0
      # diagnose sys sdwan service
      
      Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
       Tie break: cfg
        Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
        Members(2):
          1: Seq_num(2 port4), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
          2: Seq_num(1 port5), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
        Dst address(1):
              10.100.20.0-10.100.20.255
    • When both health1 and health2 are out of SLA (sla_map=0x0), the packet is duplicated (dup=0x1(dup)).

    Note

    If there are multiple targets in a performance SLA health check, and only one of the targets is used in the service that is defined in the duplication rule, and the SLA match service is disabled, then only that target triggers packet duplication. It is not required for all of the targets in the health check to miss SLA.
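The four results above and the Note together describe a small decision rule: which SLA targets are consulted depends on sla-match-service, and duplication is triggered when every consulted target is missed. The following Python script is an added example, not part of the FortiOS documentation or of any Fortinet tool. It parses the sla_map field out of "diagnose sys sdwan health-check" output (the sample text is constructed from the first result on this page) and applies that rule for duplication rule 1, which references service rule1 (SLA target 1 of health1, priority-members 2 1). Three points are this example's assumptions rather than statements from the page: sla_map is read as a bitmap in which bit (id - 1) means SLA target id is met; a target counts as met when at least one service member meets it (the page only shows cases where both members agree); and for a health check that the service does not reference, all of its configured targets are consulted in the disabled mode.

```python
import re

# Constructed sample of "diagnose sys sdwan health-check" output, modelled on the
# page's first result (health1 out of SLA, health2 in SLA). Not a real capture.
SAMPLE_HEALTH_CHECK = """\
Health Check(health1):
Seq(1 port5): state(alive), packet-loss(6.000%) latency(5.718), jitter(0.086), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x0
Seq(2 port4): state(alive), packet-loss(3.000%) latency(7.242), jitter(0.025), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x0
Health Check(health2):
Seq(1 port5): state(alive), packet-loss(0.000%) latency(0.700), jitter(0.075), mos(4.404), bandwidth-up(99995), bandwidth-dw(99995), bandwidth-bi(199990) sla_map=0x1
Seq(2 port4): state(alive), packet-loss(0.000%) latency(0.244), jitter(0.021), mos(4.404), bandwidth-up(99998), bandwidth-dw(99999), bandwidth-bi(199997) sla_map=0x1
"""

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
SEQ_RE = re.compile(r"^Seq\((?P<seq>\d+) (?P<intf>\S+)\):.*sla_map=0x(?P<map>[0-9a-fA-F]+)")


def parse_health_check(text):
    """Return {health_check_name: {member_seq: sla_map_int}} from diagnose output."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HC_RE.match(line)
        if m:
            current = m.group("name")
            result[current] = {}
            continue
        m = SEQ_RE.match(line)
        if m and current is not None:
            result[current][int(m.group("seq"))] = int(m.group("map"), 16)
    return result


def target_met(parsed, hc, sla_id, members):
    """True when at least one service member meets SLA target sla_id of health
    check hc. Assumption: sla_map bit (sla_id - 1) is set when target sla_id is
    met, and one passing member is enough for the target to count as met."""
    return any(parsed.get(hc, {}).get(seq, 0) & (1 << (sla_id - 1)) for seq in members)


def should_duplicate(parsed, hc_targets, service_slas, members, sla_match_service):
    """Decide whether on-demand duplication is triggered.

    parsed            output of parse_health_check
    hc_targets        configured SLA target ids per health check, e.g. {"health1": [1]}
    service_slas      (health_check, sla_id) pairs referenced by the service rule
    members           member seqs of the service rule (priority-members)
    sla_match_service True for 'set sla-match-service enable'
    """
    if sla_match_service:
        # Enabled: only the SLA targets referenced in the service rule are consulted.
        checked = list(service_slas)
    else:
        # Disabled: every health check is consulted. For a health check that the
        # service references, only the referenced targets count (the page's Note);
        # for the others, all configured targets are consulted (assumption).
        checked = []
        for hc, ids in hc_targets.items():
            referenced = [(h, i) for (h, i) in service_slas if h == hc]
            checked.extend(referenced if referenced else [(hc, i) for i in ids])
    # Duplication is triggered when every consulted target is missed.
    return all(not target_met(parsed, hc, sla_id, members) for hc, sla_id in checked)


def evaluate(parsed, sla_match_service, hc_targets=None):
    """Apply the page's duplication rule 1: service rule1 references SLA target 1
    of health1 and has priority-members 2 1."""
    hc_targets = hc_targets or {"health1": [1], "health2": [1]}
    return should_duplicate(parsed, hc_targets, [("health1", 1)], [2, 1], sla_match_service)


if __name__ == "__main__":
    parsed = parse_health_check(SAMPLE_HEALTH_CHECK)
    for name, maps in parsed.items():
        print(name, {seq: hex(m) for seq, m in maps.items()})
    print("sla-match-service enable  -> duplicate:", evaluate(parsed, True))
    print("sla-match-service disable -> duplicate:", evaluate(parsed, False))
```

Feeding the script real output from the device (for example via "diagnose sys sdwan health-check" captured to a file) gives a quick offline check that the duplication flags in "diagnose firewall proute list" agree with the health-check state; a disagreement usually means the service rule references a different SLA target than the one assumed in evaluate().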
