How to prevent loss traffic forward via overlay

dijix1990
VIP Alumni

I am trying to find out how to prevent traffic loss inside the overlay.

For example, last time I had a problem inside an SD-WAN tunnel. All my encrypted traffic that went via one of the channels was suffering loss, but at the same time the SD-WAN edge didn't see the problem via BFD. Maybe there is a special SLA that works with the service VPN?

For instance, if we have traffic loss inside vpn1 via biz-internet, we need a way to say that the traffic should go via public-internet instead.

11 Replies

You have MPLS and internet WAN.

The traffic inside MPLS is lost.

BFD here can detect whether the MPLS VPN is up or down, but it cannot automatically shift traffic unless you have two paths,

one primary and the other as backup.

Are you sure you have two paths?

MHM

I have two internet channels, and I think it's a bug, because when I disable and re-enable it, after 2 minutes the packet loss via the tunnel disappears.

[screenshot: loss via tunnel]

At the same time I didn't see any problem via BFD; at 11:15 PM I shut down the channel via vManage and enabled it again, after which the losses were gone.

[screenshot]


I will check QoS if this traffic is TCP.

In the end the edge will always send BFD, because it is control traffic,

but data traffic can be dropped due to congestion in the queue.

Let me check which command you can use to see where the real issue comes from.

MHM

vManage > Monitor > Devices > Select Device > Real-Time > Interface Statistics / Queue Statistics

Please check this when it happens again.

MHM

Dan Frey
Cisco Employee

There is enhanced BFD (eBFD) available that puts metadata in the SD-WAN header, and the fabric uses this to measure latency/loss/jitter on real traffic sent across the network rather than on BFD probes. BFD probes are still used in the absence of real traffic. eBFD can detect threshold violations faster than traditional BFD.

bfd enhanced-app-route enable
bfd enhanced-app-route pfr-poll-interval 5000
bfd enhanced-app-route pfr-multiplier 2
bfd sla-dampening enable
bfd sla-dampening multiplier 12

For instance, with this config the failover is 5000 ms x 2, or 10 seconds. Fallback is 5000 ms x 12.

There is also FEC (Forward Error Correction), which can send the same data over multiple transports. Data from either transport can be used by the receiving end.
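As an added example (not part of the thread and not Cisco code), the Python below parses a BFD config fragment in the format posted above and works out the reaction times the reply describes: eBFD failover as pfr-poll-interval x pfr-multiplier and fallback as pfr-poll-interval x sla-dampening multiplier. It also covers the per-color BFD session detection time (hello-interval x multiplier) and the classic app-route measurement window (poll-interval x multiplier), so a reader can see every timer a single config implies. The sample input reuses the eBFD lines from the reply; the per-color block and the app-route lines in it are constructed additions with assumed values.

```python
"""Reaction times implied by a Cisco SD-WAN BFD / app-route config fragment.

Added example; not Cisco code. It parses the 'bfd ...' lines in the format
posted in the thread and multiplies the intervals the way the reply
describes (failover = pfr-poll-interval x pfr-multiplier,
fallback = pfr-poll-interval x sla-dampening multiplier).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample input: the eBFD lines from the reply above, plus a
# per-color BFD block and the classic app-route timers (values assumed).
SAMPLE_CONFIG = """
bfd color biz-internet
 hello-interval 500
 pmtu-discovery
 multiplier     2
bfd app-route multiplier 2
bfd app-route poll-interval 300000
bfd enhanced-app-route enable
bfd enhanced-app-route pfr-poll-interval 5000
bfd enhanced-app-route pfr-multiplier 2
bfd sla-dampening enable
bfd sla-dampening multiplier 12
"""


@dataclass
class BfdConfig:
    hello_ms: Dict[str, int] = field(default_factory=dict)    # per color
    multiplier: Dict[str, int] = field(default_factory=dict)  # per color
    app_route_poll_ms: Optional[int] = None
    app_route_multiplier: Optional[int] = None
    ebfd_enabled: bool = False
    pfr_poll_ms: Optional[int] = None
    pfr_multiplier: Optional[int] = None
    dampening_enabled: bool = False
    dampening_multiplier: Optional[int] = None


def parse_bfd_config(text: str) -> BfdConfig:
    """Walk the config line by line; indented lines belong to the last 'bfd color'."""
    cfg = BfdConfig()
    color = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split()
        if raw.startswith(" "):            # sub-mode line under 'bfd color X'
            if color is None:
                continue
            if parts[0] == "hello-interval":
                cfg.hello_ms[color] = int(parts[1])
            elif parts[0] == "multiplier":
                cfg.multiplier[color] = int(parts[1])
            continue
        color = None                        # any top-level line ends the color block
        if parts[:2] == ["bfd", "color"] and len(parts) >= 3:
            color = parts[2]
        elif parts[:3] == ["bfd", "app-route", "multiplier"]:
            cfg.app_route_multiplier = int(parts[3])
        elif parts[:3] == ["bfd", "app-route", "poll-interval"]:
            cfg.app_route_poll_ms = int(parts[3])
        elif parts[:3] == ["bfd", "enhanced-app-route", "enable"]:
            cfg.ebfd_enabled = True
        elif parts[:3] == ["bfd", "enhanced-app-route", "pfr-poll-interval"]:
            cfg.pfr_poll_ms = int(parts[3])
        elif parts[:3] == ["bfd", "enhanced-app-route", "pfr-multiplier"]:
            cfg.pfr_multiplier = int(parts[3])
        elif parts[:3] == ["bfd", "sla-dampening", "enable"]:
            cfg.dampening_enabled = True
        elif parts[:3] == ["bfd", "sla-dampening", "multiplier"]:
            cfg.dampening_multiplier = int(parts[3])
    return cfg


def reaction_times_ms(cfg: BfdConfig) -> Dict[str, int]:
    """Milliseconds until each mechanism reacts; a key appears only when fully configured."""
    times: Dict[str, int] = {}
    for color, hello in cfg.hello_ms.items():
        if color in cfg.multiplier:
            times[f"bfd-session-down:{color}"] = hello * cfg.multiplier[color]
    if cfg.app_route_poll_ms and cfg.app_route_multiplier:
        times["app-route-sla-window"] = cfg.app_route_poll_ms * cfg.app_route_multiplier
    if cfg.ebfd_enabled and cfg.pfr_poll_ms and cfg.pfr_multiplier:
        times["ebfd-failover"] = cfg.pfr_poll_ms * cfg.pfr_multiplier
        if cfg.dampening_enabled and cfg.dampening_multiplier:
            times["ebfd-fallback"] = cfg.pfr_poll_ms * cfg.dampening_multiplier
    return times


if __name__ == "__main__":
    for name, ms in reaction_times_ms(parse_bfd_config(SAMPLE_CONFIG)).items():
        print(f"{name:32s} {ms:>8d} ms  ({ms / 1000:g} s)")
```

Running it on the sample prints the 10 s failover and 60 s fallback from the reply next to the 1 s BFD session detection and the 10 min app-route window, which makes it easy to see which timer is the slow one when a tunnel stays in use despite loss.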


Thanks, I will try it. It is strange that without the tunnel my 10000 packets between the public IPs went through without any losses; that's why I thought it was a bug.

I just enabled aggressive mode; is it normal that I see so many losses?

[screenshot]

Maybe I need to tune it (the BFD configuration, perhaps)?

The SLA which I use for the internet channels:

tunnel sla-class 1
 sla-name    VDI-Data
 sla-loss    10
 sla-latency 300
 sla-jitter  100

BFD feature and system feature configuration:

bfd color mpls
 hello-interval 500
 pmtu-discovery
 multiplier     2
 dscp           46
bfd color metro-ethernet
 hello-interval 500
 pmtu-discovery
 multiplier     2
 dscp           46
bfd color biz-internet
 hello-interval 500
 pmtu-discovery
 multiplier     2
bfd color public-internet
 hello-interval 500
 pmtu-discovery
 multiplier     2
bfd default-dscp 48
bfd app-route multiplier 2
bfd app-route poll-interval 300000
bfd enhanced-app-route enable
bfd enhanced-app-route pfr-poll-interval 10000
bfd enhanced-app-route pfr-multiplier 6
bfd sla-dampening enable
bfd sla-dampening multiplier 120

[screenshot]

At the same time, interestingly, after enabling EAAR I noticed that the losses for the disabled MPLS channel disappeared, but MPLS does not work for this device, so I would expect there to be losses.

[screenshot]

I explained to you that

BFD does not affect packet loss.

With eBFD you only make BFD shift to the other tunnel when jitter reaches a specific value.

You need to use load balancing, not redundancy.

MHM

I don't understand what you mean. In my pictures there are losses, and of course when a channel is fully non-compliant with the SLA it uses load balancing; BFD monitors LOSS / LATENCY / JITTER for the underlay, and Enhanced BFD adds inline checking for the overlay.

https://www.youtube.com/watch?v=oZmd4ICEZEA

But it started to work incorrectly, because after EAAR was enabled I can see that the MPLS channel which was shut down is shown as compliant with the SLA classes VDI-Data and VDI-Voip, and that's not correct.

gw#sh sdwan bfd sessions | i 192.168.101.90
10.80.249.102    107102      down        mpls             mpls             192.168.101.10                                  192.168.101.90                                  12346       ipsec  2           500            NA              0
gw#  sh sdwan tunnel sla | i 192.168.101.90
ipsec  192.168.101.10  192.168.101.90   12346  12346  10.80.249.102  mpls             mpls             0     0        0       0,1,2  __all_tunnels__, VDI-Data, VDI-Voip  None
ipsec  192.168.101.10  192.168.101.90   12346  12346  10.80.249.102  mpls             mpls             0     0        0       0,1,2  __all_tunnels__, VDI-Data, VDI-Voip  None
ipsec  192.168.101.10  192.168.101.90   12346  12346  10.80.249.102  mpls             mpls             0     0        0       0,1,2  __all_tunnels__, VDI-Data, VDI-Voip  None

AAR thinks that the channel is good after enabling the EAAR function.

[screenshot]
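The mismatch quoted above (a tunnel whose BFD session is down yet is listed as meeting named SLA classes with 0/0/0 metrics) can be checked mechanically. The Python below is an added example, not part of the thread and not a Cisco tool: it parses the two show outputs in the column order visible above, joins them on remote system IP and color pair, and flags tunnels that appear in `show sdwan tunnel sla` with named SLA classes while their BFD session is not up. It also evaluates a row against the VDI-Data thresholds posted earlier, assuming compliance means every metric at or below its threshold. The sample rows are copied from the thread; the column positions are assumed from that output.

```python
"""Cross-check 'show sdwan tunnel sla' against 'show sdwan bfd sessions'.

Added example, not Cisco code. A tunnel that is reported SLA-compliant while
its BFD session is down is flagged, because zero loss/latency/jitter on a
path that carries nothing is vacuous, not healthy.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the data rows posted in the thread (header lines
# omitted; the parsers skip anything that does not look like a data row).
BFD_SESSIONS = """\
10.80.249.102    107102      down        mpls             mpls             192.168.101.10                                  192.168.101.90                                  12346       ipsec  2           500            NA              0
"""
TUNNEL_SLA = """\
ipsec  192.168.101.10  192.168.101.90   12346  12346  10.80.249.102  mpls             mpls             0     0        0       0,1,2  __all_tunnels__, VDI-Data, VDI-Voip  None
ipsec  192.168.101.10  192.168.101.90   12346  12346  10.80.249.102  mpls             mpls             0     0        0       0,1,2  __all_tunnels__, VDI-Data, VDI-Voip  None
"""

# Thresholds from the 'tunnel sla-class 1 / sla-name VDI-Data' block in the thread.
VDI_DATA_SLA = {"loss": 10, "latency": 300, "jitter": 100}


@dataclass(frozen=True)
class TunnelKey:
    remote_system_ip: str
    local_color: str
    remote_color: str


def parse_bfd_sessions(text: str) -> Dict[TunnelKey, str]:
    """Map each (remote system IP, local color, remote color) to its BFD state."""
    sessions: Dict[TunnelKey, str] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13:            # header, separator or blank line
            continue
        # assumed column order: system-ip site-id state src-color remote-color ...
        sessions[TunnelKey(f[0], f[3], f[4])] = f[2].lower()
    return sessions


def parse_tunnel_sla(text: str) -> List[dict]:
    """Parse data rows of 'show sdwan tunnel sla'; SLA class names may contain spaces."""
    rows: List[dict] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[0] not in ("ipsec", "gre"):
            continue
        # assumed columns: proto src dst sport dport remote-sys-ip lcolor rcolor
        #                  mean-loss mean-latency mean-jitter idx names... fallback
        names = [n.rstrip(",") for n in f[12:-1]]
        rows.append({
            "key": TunnelKey(f[5], f[6], f[7]),
            "loss": float(f[8]), "latency": int(f[9]), "jitter": int(f[10]),
            "sla_classes": names, "fallback": f[-1],
        })
    return rows


def meets_sla(row: dict, sla: Dict[str, int]) -> bool:
    """Assumed compliance rule: every measured metric at or below its threshold."""
    return (row["loss"] <= sla["loss"] and row["latency"] <= sla["latency"]
            and row["jitter"] <= sla["jitter"])


def suspicious_compliance(sla_rows: List[dict], sessions: Dict[TunnelKey, str]) -> List[tuple]:
    """Tunnels listed under named SLA classes whose BFD session is not 'up'."""
    flagged, seen = [], set()
    for row in sla_rows:
        key = row["key"]
        if key in seen:            # the show output repeats rows per SLA index
            continue
        seen.add(key)
        named = [n for n in row["sla_classes"] if n != "__all_tunnels__"]
        state = sessions.get(key, "unknown")
        if named and state != "up":
            flagged.append((key, state, named))
    return flagged


if __name__ == "__main__":
    hits = suspicious_compliance(parse_tunnel_sla(TUNNEL_SLA), parse_bfd_sessions(BFD_SESSIONS))
    for key, state, classes in hits:
        print(f"{key.remote_system_ip} {key.local_color}/{key.remote_color}: "
              f"BFD {state} but compliant with {', '.join(classes)}")
```

Run against real output, the check separates "meets the SLA because measurements are good" from "meets the SLA because nothing was measured", which is exactly the distinction the screenshots above could not make.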

Sorry for the late reply, but I don't have time to answer a lot of questions (to be honest, I focus on FW + VPN).

Anyway,

as I mentioned, BFD cannot help us much here.

We need to see which traffic passes through the interface:

Monitor > App Visibility

Check the real-time traffic.

Then we start to shift high-rate traffic for specific apps to use the other WAN.

This can achieve a little load sharing between the two WANs.

Check that.

MHM

wajidhassan
Level 4

You could try tightening your SLA thresholds and enabling enhanced BFD for more accurate loss/jitter detection. I've had a similar case where BFD didn't detect anything, but real traffic was suffering. Using app-aware routing with priority for sensitive traffic helped shift load dynamically.