08-21-2024 01:37 PM
Although we have configured all traffic to route through Private1 (SD-WAN Router 1) using AAR, there is still some traffic passing through biz-internet. We have built the SD-WAN environment with the configuration shown in the attached image.
On the vSmart, we have implemented the following settings to ensure that all data traffic is routed through Private1 using AAR.
app-route-policy Site01_AAR
 vpn-list VPN3301
  sequence 9999
   action
    count AAR_Sequence_9999
    sla-class SLA_Class_0 preferred-color private1
policy
 sla-class SLA_Class_0
  loss 100
!
However, when checking with Zabbix (a network monitoring tool), we observed that there is traffic (about 20 Mbps) passing through the WAN (Biz-internet) interface of SD-WAN Router 2.
Our expectation was that all traffic would be routed through the WAN of SD-WAN Router 1.
Do you have any idea why this might be happening? Could the traffic bursts observed in Zabbix be related to this issue?
08-22-2024 12:31 AM - edited 08-22-2024 05:47 PM
Did you do the AAR policy for branch and DC, or just for the branch? (Because AAR needs to be applied at both sites for traffic between them from the service side.)
For example, I have two AAR policies:
For my Branch
 vpn-list VPN12-Voice
  sequence 1
   match
    source-ip 10.10.0.0/16
    destination-ip 10.10.232.0/23
   action
    count aar-voip-cc_-1495326817
    backup-sla-preferred-color biz-internet public-internet
    sla-class Realtime
    no sla-class strict
    sla-class preferred-color mpls metro-ethernet
For DC
 vpn-list VPN12-Voice
  sequence 1
   match
    source-ip 10.10.232.0/23
    destination-ip 10.10.0.0/16
   action
    count aar-voip-cc_-1495326817
    backup-sla-preferred-color biz-internet public-internet
    sla-class Realtime
    no sla-class strict
    sla-class preferred-color mpls metro-ethernet
08-22-2024 09:11 AM
show sdwan policy <<- since you use a counter, you can use it to see whether your policy sequence has counted any packets or not.
Share it here if you can.
MHM
08-22-2024 09:17 AM
Or via the web UI: SD-WAN has troubleshooting features for AAR (Device - Troubleshooting - Simulate Flows), an easier way to check the policy.
08-22-2024 09:22 AM
Friend, I know, one step at a time with this trouble.
Troubleshooting is a process of checking many items, so one by one let's see where the issue is.
Thanks
MHM
08-22-2024 11:04 AM
Thank you for your comments!
We configured AAR for both the DC and the edge.
And the current problem is outgoing traffic of the edge router, so the AAR of the edge router is what is relevant here.
I ran the show sdwan policy command on SD-WAN Router 2.
SD-WAN-Router-2#show sdwan policy access-list-counters
NAME                      COUNTER NAME                    PACKETS       BYTES
--------------------------------------------------------------------------------------------
REMOTE_INET_acl           REMOTE-INET_drop                8417          509394
                          REMOTE-INET_seq6                0             0
                          REMOTE-INET_seq7                0             0
                          REMOTE-INET_seq8                745685        73125340
                          REMOTE-INET_seq9                119876        10351450
                          REMOTE-INET_accept              0             0
                          Spoofing_Prefix_drop            0             0
                          default_action_count            2810460709    727008821743
From_Tunnel_Remark_acl    class-default                   1457924204    1788895586480
                          FTR_seq11_Queue0_cm             998596585     203685141373
                          default_action_count            0             0
SDWAN-Control-Packet_acl  vB-packet-counter               249384        15461808
                          vM-packet-counter               101794782     40757439836
                          default_action_count            1458851453    1789061762769
                          other-control-packet-counter    1704341024    302818148717
SD-WAN-Router-2#
08-22-2024 11:15 AM
SD-WAN-Router-2#show sdwan policy data-pol
You need to look at the counter name you use in the AAR policy.
MHM
08-22-2024 11:38 AM
@MHM Cisco World
How can I check the AAR policy counter?
I checked show sdwan policy data-policy-filter.
I see the counter for my data policy (DP_Sequence_9999), but I cannot find the AAR policy counter (AAR_Sequence_9999) that I configured.
SD-WAN-Router-2#show sdwan policy data-policy-filter
data-policy-filter VPN3301_Site30307005_DP
 data-policy-vpnlist VPN3301
  data-policy-counter DP_Sequence_9999
   packets 211731396
   bytes 208800210140
  data-policy-counter default_action_count
   packets 0
   bytes 0
SD-WAN-Router-2#
08-22-2024 11:40 AM
@MHM Cisco World
Oh, I got the counter for AAR.
SD-WAN-Router-2#show sdwan policy app-route-policy-filter
NAME                      NAME      COUNTER NAME           PACKETS      BYTES
-----------------------------------------------------------------------------------------------------
VPN3301_Site30307005_AAR  VPN3301   AAR_Sequence_9999      280130664    295674158592
                                    default_action_count   0            0
SD-WAN-Router-2#
Only the "AAR_Sequence_9999" counter is incrementing; nothing is counted under default_action_count.
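As an added example (not code from the thread or from Cisco), here is a small Python helper that makes the counter check above more useful. The values printed by show sdwan policy app-route-policy-filter and show sdwan policy access-list-counters are cumulative, so a large AAR_Sequence_9999 only proves the sequence has matched at some point; diffing two snapshots taken a known interval apart shows which sequences are matching now and at what rate. The sample tables are constructed in the layout the device prints above; the second snapshot's numbers are made up to produce a visible delta.

```python
"""Added example (not from the thread): diff two snapshots of cEdge policy
counter output to see which policy sequences are matching traffic right now.

'show sdwan policy app-route-policy-filter' and
'show sdwan policy access-list-counters' print cumulative counters. Two
snapshots a known interval apart give the current packet/byte rate per counter.
The sample snapshots below are constructed; the second snapshot's values are
made up to produce a delta.
"""
from typing import Dict, List, Tuple

Key = Tuple[str, ...]                     # (policy, [vpn-list,] counter-name)
Counters = Dict[Key, Tuple[int, int]]     # key -> (packets, bytes)

# Constructed sample: the first snapshot copies the values posted in the thread.
AAR_SNAPSHOT_T0 = """\
SD-WAN-Router-2#show sdwan policy app-route-policy-filter
NAME                      NAME      COUNTER NAME           PACKETS      BYTES
---------------------------------------------------------------------------------
VPN3301_Site30307005_AAR  VPN3301   AAR_Sequence_9999      280130664    295674158592
                                    default_action_count   0            0
SD-WAN-Router-2#
"""
# Constructed second snapshot, 10 s later: +2500 packets / +2,500,000 bytes.
AAR_SNAPSHOT_T1 = """\
SD-WAN-Router-2#show sdwan policy app-route-policy-filter
NAME                      NAME      COUNTER NAME           PACKETS      BYTES
---------------------------------------------------------------------------------
VPN3301_Site30307005_AAR  VPN3301   AAR_Sequence_9999      280133164    295676658592
                                    default_action_count   0            0
SD-WAN-Router-2#
"""
# The ACL counter table has one fewer name column; the same parser handles it.
ACL_SNAPSHOT = """\
NAME                  COUNTER NAME           PACKETS      BYTES
----------------------------------------------------------------
REMOTE_INET_acl       REMOTE-INET_drop       8417         509394
                      REMOTE-INET_seq8       745685       73125340
                      default_action_count   2810460709   727008821743
"""


def parse_counters(text: str) -> Counters:
    """Parse a counter table. The last three columns are always COUNTER NAME,
    PACKETS, BYTES; whatever precedes them is the policy name (and vpn-list,
    for AAR). Continuation rows leave the name columns blank and inherit them
    from the previous row, exactly as the device prints them."""
    result: Counters = {}
    names: Key = ()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the header row, the dashed rule and CLI prompt lines.
        if not line or line.startswith("NAME") or line.startswith("-") or "#" in line:
            continue
        fields = line.split()
        if len(fields) < 3 or not (fields[-1].isdigit() and fields[-2].isdigit()):
            continue
        counter, packets, nbytes = fields[-3], int(fields[-2]), int(fields[-1])
        leading = tuple(fields[:-3])
        if leading:                       # a row that names its policy
            names = leading
        result[names + (counter,)] = (packets, nbytes)
    return result


def counter_deltas(before: Counters, after: Counters,
                   interval_s: float) -> Dict[Key, Tuple[int, int, float]]:
    """Per-counter (packet delta, byte delta, Mbit/s) between two snapshots.
    Counters that went backwards (cleared or wrapped between snapshots) are
    dropped rather than reported as negative traffic."""
    deltas: Dict[Key, Tuple[int, int, float]] = {}
    for key, (p1, b1) in after.items():
        if key not in before:
            continue
        p0, b0 = before[key]
        dp, db = p1 - p0, b1 - b0
        if dp < 0 or db < 0:
            continue
        deltas[key] = (dp, db, db * 8 / interval_s / 1e6)
    return deltas


def active_sequences(before: Counters, after: Counters,
                     interval_s: float) -> List[Tuple[Key, Tuple[int, int, float]]]:
    """Only the counters that moved, busiest first. An empty list means nothing
    hit the policy during the interval, whatever the cumulative totals say."""
    moved = [(k, v) for k, v in counter_deltas(before, after, interval_s).items()
             if v[0] > 0]
    return sorted(moved, key=lambda kv: -kv[1][2])


if __name__ == "__main__":
    t0, t1 = parse_counters(AAR_SNAPSHOT_T0), parse_counters(AAR_SNAPSHOT_T1)
    for key, (dp, db, mbps) in active_sequences(t0, t1, interval_s=10):
        print(f"{'/'.join(key)}: +{dp} pkts, +{db} bytes, {mbps:.2f} Mbit/s")
```

Feed it two real captures taken on the same router (for example 10 s apart) and compare the reported rate with what Zabbix shows on the biz-internet interface: if the AAR sequence rate accounts for all service-side traffic, the leak is not coming from traffic that misses the policy.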
08-22-2024 05:44 PM - edited 08-22-2024 05:49 PM
So your AAR policy seems correct, and it is applied both to the DC and the branches, and in both cases from the service side only, is that correct? And as I understood, you have a data policy for the same VPN; can you share the config?
Oh, and can you do Simulate Flow (Monitor - Devices - choose device - Troubleshooting - Simulate Flow) for traffic from VPN 3301 from both edge routers?
08-22-2024 07:31 PM - edited 08-22-2024 07:41 PM
@dijix1990
>So your AAR policy seems correct, and it is applied both to the DC and the branches, and in both cases from the service side only, is that correct?
Yes, correct.
The data policy configuration is the following.
SD-WAN-Router2#show sdwan policy from-vsmart
from-vsmart sla-class SLA_Class_0
 loss 100
from-vsmart data-policy VPN3301_Site30307005_DP
 direction from-service
 vpn-list VPN3301
  sequence 9999
   action accept
    count DP_Sequence_9999
    cflowd
    log
 default-action accept
from-vsmart cflowd-template VPN3301_netflow
 flow-active-timeout 600
 flow-inactive-timeout 60
 template-refresh 60
 flow-sampling-interval 1000
 protocol ipv4
 customized-ipv4-record-fields
  no collect-tos
  no collect-dscp-output
 collector vpn 3301 address 10.122.242.243 port 2055 transport transport_udp
from-vsmart app-route-policy VPN3301_Site30307005_AAR
 vpn-list VPN3301
  sequence 9999
   action
    count AAR_Sequence_9999
    sla-class SLA_Class_0
    no sla-class strict
    sla-class preferred-color private1
from-vsmart lists vpn-list VPN3301
 vpn 3301
SD-WAN-Router2#
>Oh, and can you do Simulate Flow (Monitor - Devices - choose device - Troubleshooting - Simulate Flow) for traffic from VPN 3301 from both edge routers?
Yes, I can. I did Simulate Flow from both SD-WAN Router 1 and SD-WAN Router 2 to the LAN IP address (VPN 3301) of the SD-WAN router in another site.
SD-WAN Router 1
SD-WAN Router 2
The traffic goes through private1 on both SD-WAN routers.
08-22-2024 08:00 PM - edited 08-22-2024 08:25 PM
Good! Simulate Flow shows us that everything is correct. I thought that the data policy was overriding the AAR policy (if you have the same AAR policy and data policy and the colors don't match between them, then the data policy has priority, using the colors from the data policy).
Maybe you have other VPNs which can go via biz-int?
Try to watch what traffic goes via biz-int, for example via the command sh flow monitor sdwan_flow_monitor cache format table | i <your biz-internet interface>
Oh, from my experience, AAR + data policy with the pkt-dup feature (loss correction) doesn't work correctly (just so you know).
08-22-2024 08:26 PM - edited 08-22-2024 08:28 PM
Thank you for your quick response, much appreciated!
There is no info related to the traffic.
Is the command "show flow monitor sdwan_flow_monitor cache format table" for vEdge?
My device is an IOS-XE 17.6.5 cEdge.
SD-WAN-Router2#show flow monitor sdwan_flow_monitor cache format table
Cache type: Normal (Platform cache)
Cache size: 80000
Current entries: 0
High Watermark: 75
Flows added: 295706
Flows aged: 295706
- Active timeout ( 60 secs) 23
- Inactive timeout ( 10 secs) 295683
There are no cache entries to display.
SD-WAN-Router2#
We don't have any other VPN except 3301.
08-22-2024 08:39 PM - edited 08-22-2024 08:41 PM
Yes, the command is for cEdges (IOS-XE).
I saw you have configuration for your collector
cflowd-template
Can you check in the local policy for these routers whether NetFlow was enabled via the checkbox? I think that is why you don't see NetFlow in the CLI.
08-22-2024 08:50 PM
Where is the checkbox in the GUI? And do you know what the configuration is for the CLI?
My NetFlow configuration for this router is the following.
Router
flow exporter sdwan_flow_exporter_0
 description export flow and application visibility records to vManage
 destination local sdwan
 mtu 1280
 transport udp 5458
 export-protocol ipfix
 option drop-cause-table
!
!
flow exporter sdwan_flow_exporter_1
 description export flow records to collector
 destination 10.122.242.243 vrf 3301
 mtu 1280
 transport udp 2055
 export-protocol ipfix
 template data timeout 60
 option interface-table timeout 60
 option sampler-table timeout 60
 option application-table timeout 60
 option application-attributes timeout 60
 option tunnel-tloc-table timeout 60
!
!
flow monitor sdwan_flow_monitor
 description monitor flows for vManage and external collectors
 exporter sdwan_flow_exporter_0
 exporter sdwan_flow_exporter_1
 cache timeout inactive 10
 cache timeout active 60
 cache entries 80000
 record sdwan_flow_record-002
!
sampler sdwan_flow_sampler
 mode random 1 out-of 1000
!
ip visibility global flow monitor sdwan_flow_monitor sampler sdwan_flow_sampler input
ip visibility policy flow monitor sdwan_flow_monitor sampler sdwan_flow_sampler input
vSmart
site-list VPN3301_Site30307005
 control-policy VPN3301_Site30307005_control_in in
 control-policy VPN3301_Site30307005_control_out out
 data-policy VPN3301_Site30307005_DP from-service
 app-route-policy VPN3301_Site30307005_AAR
 cflowd-template VPN3301_netflow
cflowd-template VPN3301_netflow
 template-refresh 60
 flow-sampling-interval 1000
 collector vpn 3301 address 10.122.242.243 port 2055 transport transport_udp
!
data-policy VPN3301_Site30307005_DP
 vpn-list VPN3301
  sequence 9999
   action accept
    count DP_Sequence_9999
    cflowd
    log
   !
  !
  default-action accept
 !