pkt-dup is seemed doesn't work

dijix1990 · ‎10-11-2023

I did simple policy for pkt-dup

cedge

from-vsmart data-policy _VPN-15_Branch-mngt_Packet-dup-data_from_str
 direction from-service
 vpn-list VPN-15_Branch-mngt
  sequence 1
   match
    source-ip                    172.26.194.0/24
    destination-data-prefix-list mngt_pkt-dup
   action accept
    loss-protection packet-duplication
    set
     local-tloc-list
      color biz-internet public-internet
      encap ipsec
  default-action accept

from-vsmart lists data-prefix-list mngt_pkt-dup
 ip-prefix 172.18.7.22/32
 ip-prefix 172.18.43.13/32
 ip-prefix 172.18.43.41/32
 ip-prefix 172.18.43.55/32
 ip-prefix 172.18.43.56/32

HUB

from-vsmart data-policy _VPN-1_Packet-dup-data-from-hub
 direction from-service
 vpn-list VPN-1
  sequence 1
   match
    source-data-prefix-list vdi-global
    source-port             443
   action accept
    loss-protection packet-duplication
    set
     local-tloc-list
      color    biz-internet public-internet
      encap    ipsec
      restrict
  sequence 11
   match
    source-ip   0.0.0.0/0
    source-port 22443
   action accept
    loss-protection packet-duplication
    set
     local-tloc-list
      color    biz-internet public-internet
      encap    ipsec
      restrict
  sequence 21
   match
    source-data-prefix-list mngt_pkt-dup
   action accept
    loss-protection packet-duplication
    set
     local-tloc-list
      color    biz-internet public-internet
      encap    ipsec
      restrict
  default-action accept

from-vsmart lists data-prefix-list mngt_pkt-dup
 ip-prefix 172.18.7.22/32
 ip-prefix 172.18.43.13/32
 ip-prefix 172.18.43.41/32
 ip-prefix 172.18.43.55/32
 ip-prefix 172.18.43.56/32

I try to ping 172.26.196.4 from 172.18.7.22 and while I'm pinging I disconect main channel. I thought that I shouldn't lose any icmp packets, but I lose about 10 packets.. strange

I can see that counters increase

from hub

sdwan-01# sh sdwan tunnel statistics pkt-dup 
tunnel stats ipsec 192.168.56.248 10.10.10.10 12346 12366
 pktdup-rx       45811
 pktdup-rx-other 2395
 pktdup-rx-this  44461
 pktdup-tx       10949
 pktdup-tx-other 3541
 pktdup-capable  true
tunnel stats ipsec 192.168.66.248 10.10.10.10 12366 12366
 pktdup-rx       2404
 pktdup-rx-other 5843
 pktdup-rx-this  2395
 pktdup-tx       3541
 pktdup-tx-other 1216
 pktdup-capable  true

tunnel stats ipsec 192.168.56.248 20.20.20.20 12346 12406
 pktdup-rx       943
 pktdup-rx-other 45
 pktdup-rx-this  943
 pktdup-tx       0
 pktdup-tx-other 540
 pktdup-capable  true
tunnel stats ipsec 192.168.66.248 20.20.20.20 12366 12406
 pktdup-rx       42
 pktdup-rx-other 5752
 pktdup-rx-this  42
 pktdup-tx       540
 pktdup-tx-other 1349
 pktdup-capable  true

from cedge

cedge-01# sh sdwan tunnel statistics pkt-dup 
tunnel stats ipsec 20.20.20.20 192.168.56.248 12366 12346
 pktdup-rx       11401
 pktdup-rx-other 3587
 pktdup-rx-this  11185
 pktdup-tx       52000
 pktdup-tx-other 2523
 pktdup-capable  true
tunnel stats ipsec 10.10.10.10 192.168.56.248 12406 12346
 pktdup-rx       0
 pktdup-rx-other 1015
 pktdup-rx-this  1
 pktdup-tx       1624
 pktdup-tx-other 87
 pktdup-capable  true

tunnel stats ipsec 20.20.20.20 192.168.66.248 12366 12366
 pktdup-rx       3587
 pktdup-rx-other 1217
 pktdup-rx-this  3587
 pktdup-tx       2561
 pktdup-tx-other 9563
 pktdup-capable  true
tunnel stats ipsec 10.10.10.10 192.168.66.248 12406 12366
 pktdup-rx       1027
 pktdup-rx-other 1864
 pktdup-rx-this  1027
 pktdup-tx       84
 pktdup-tx-other 8487
 pktdup-capable  true

dijix1990 · ‎10-12-2023

cedge and hub version 17.9.3a

hub has two channels with public IP

cedge has two channels one of them public anothe one behind PAT

dijix1990 · ‎10-23-2023

I think it's because of nat, if I use two public channels it works correctly

dijix1990 · ‎10-29-2023

So, I repeated this behaviour on another place. I got the same result pkt-dup works strange with nat