FortiGate
darisandy
Staff
Article Id 269851
Description

This article describes the change in how FortiOS determines the SD-WAN member order when using the Lowest Cost (SLA) algorithm.
Scope

FortiGate v6.4.10 and v7.0.9 and later.

Solution

The scenario is as explained below:

 

[Figure: dual hub topology]

 

The Spoke establishes an IPsec tunnel to both hubs over both ISP links, so the Spoke has 4 IPsec tunnels.

These are HUB1-ISP1, HUB1-ISP2, HUB2-ISP1, HUB2-ISP2.

 

2 Performance SLAs are created on the Spoke, one to the server behind each HUB:

 

Spoke # dia sys sdwan health-check
Health Check(HUB1):
Seq(1 HUB1-ISP1): state(alive), packet-loss(0.000%) latency(0.394), jitter(0.046), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(2 HUB1-ISP2): state(alive), packet-loss(0.000%) latency(0.295), jitter(0.040), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Health Check(HUB2):
Seq(3 HUB2-ISP1): state(alive), packet-loss(0.000%) latency(0.298), jitter(0.045), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(4 HUB2-ISP2): state(alive), packet-loss(0.000%) latency(0.258), jitter(0.040), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1

 

The expected order of SD-WAN members is:

 

1. HUB1-ISP1

2. HUB2-ISP1

3. HUB1-ISP2

4. HUB2-ISP2

 

[Figure: interface preference order of the SD-WAN rule]

 

When both SLA targets are met, the order of the outgoing interface will follow the order of interface preference:

 

Spoke # dia sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(4):
1: Seq_num(3 HUB1-ISP1), alive, sla(0x3), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(5 HUB2-ISP1), alive, sla(0x3), gid(0), cfg_order(1), cost(0), selected
3: Seq_num(4 HUB1-ISP2), alive, sla(0x3), gid(0), cfg_order(2), cost(0), selected
4: Seq_num(6 HUB2-ISP2), alive, sla(0x3), gid(0), cfg_order(3), cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 

This is the behavior on version 6.4.10.

 

On version 7.0.9, the default order is changed: the order in which the SLA targets are assigned to the rule is also taken into account.

With the same configuration, this is the order:

 

Spoke # dia sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(4):
1: Seq_num(1 HUB1-ISP1), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(2 HUB1-ISP2), alive, sla(0x1), gid(0), cfg_order(2), cost(0), selected
3: Seq_num(3 HUB2-ISP1), alive, sla(0x2), gid(0), cfg_order(1), cost(0), selected
4: Seq_num(4 HUB2-ISP2), alive, sla(0x2), gid(0), cfg_order(3), cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 

If the HUB2 SLA target is placed first in the rule, the order changes:

 

Spoke # dia sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(4):
1: Seq_num(3 HUB2-ISP1), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
2: Seq_num(4 HUB2-ISP2), alive, sla(0x1), gid(0), cfg_order(3), cost(0), selected
3: Seq_num(1 HUB1-ISP1), alive, sla(0x2), gid(0), cfg_order(0), cost(0), selected
4: Seq_num(2 HUB1-ISP2), alive, sla(0x2), gid(0), cfg_order(2), cost(0), selected
Src address(1):
0.0.0.0-255.255.255.255

Dst address(1):
0.0.0.0-255.255.255.255

 

To make sure that the order of the outgoing interfaces follows the interface preference order of the SD-WAN rule, change the 'sla-compare-method' option from 'order' to 'number':

 

config system sdwan
    config service
        edit 1
            set sla-compare-method {order | number}
                order     <----- Compare SLA value based on the order of health-check.
                number    <----- Compare SLA value based on the number of satisfied health-check.
        next
    end
end
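The following Python is an added example, not code from the article or from Fortinet. It parses the member lines of the 'diagnose sys sdwan service' output reproduced above and recomputes the selection order under both sla-compare-method values, so the effect of the 7.0.9 change and of the 'number' setting can be checked against what the device printed. The model of 'order' (compare SLA targets one at a time in the order they are listed in the rule, then fall back to cfg_order) and of 'number' (count the satisfied targets, then fall back to cfg_order) is inferred from the CLI help text and the outputs on this page; it is not Fortinet's published algorithm. The member lines are copied from the article's output, and the remapping of the sla bitmap when SLA targets are reordered is an assumption of this example.

```python
import re
from dataclasses import dataclass, replace

# Member lines copied from the article's 7.0.9 output (HUB1 SLA target listed first).
SERVICE_OUTPUT_709 = """\
Members(4):
1: Seq_num(1 HUB1-ISP1), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(2 HUB1-ISP2), alive, sla(0x1), gid(0), cfg_order(2), cost(0), selected
3: Seq_num(3 HUB2-ISP1), alive, sla(0x2), gid(0), cfg_order(1), cost(0), selected
4: Seq_num(4 HUB2-ISP2), alive, sla(0x2), gid(0), cfg_order(3), cost(0), selected
"""

# Member lines copied from the article's 6.4.10 output (every member reports both SLA bits).
SERVICE_OUTPUT_6410 = """\
Members(4):
1: Seq_num(3 HUB1-ISP1), alive, sla(0x3), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(5 HUB2-ISP1), alive, sla(0x3), gid(0), cfg_order(1), cost(0), selected
3: Seq_num(4 HUB1-ISP2), alive, sla(0x3), gid(0), cfg_order(2), cost(0), selected
4: Seq_num(6 HUB2-ISP2), alive, sla(0x3), gid(0), cfg_order(3), cost(0), selected
"""

MEMBER_RE = re.compile(
    r"^\d+: Seq_num\((\d+) (\S+)\), (\w+), sla\(0x([0-9a-fA-F]+)\), "
    r"gid\(\d+\), cfg_order\((\d+)\), cost\((\d+)\)"
)


@dataclass(frozen=True)
class Member:
    seq: int
    name: str
    alive: bool
    sla_map: int    # bit i set => SLA target i (in rule order) is met
    cfg_order: int  # position in the rule's interface preference list
    cost: int


def parse_members(output: str) -> list[Member]:
    """Extract the member records from 'diagnose sys sdwan service' text."""
    members = []
    for line in output.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            seq, name, state, sla_hex, cfg, cost = m.groups()
            members.append(Member(int(seq), name, state == "alive",
                                  int(sla_hex, 16), int(cfg), int(cost)))
    return members


def rank(members: list[Member], method: str, n_sla: int) -> list[str]:
    """Return alive member names in selection order for the given sla-compare-method."""
    alive = [m for m in members if m.alive]
    if method == "order":
        # Lexicographic over SLA targets in rule order: the first target that one
        # member meets and another does not decides; ties fall back to cfg_order.
        def key(m):
            return (tuple(0 if (m.sla_map >> i) & 1 else 1 for i in range(n_sla)),
                    m.cfg_order)
    elif method == "number":
        # More satisfied targets wins; ties fall back to cfg_order.
        def key(m):
            return (-bin(m.sla_map).count("1"), m.cfg_order)
    else:
        raise ValueError(f"unknown sla-compare-method: {method}")
    return [m.name for m in sorted(alive, key=key)]


def reorder_sla_targets(members: list[Member], new_order: tuple[int, ...]) -> list[Member]:
    """Rebuild each sla bitmap as if the rule listed its SLA targets in new_order
    (new_order[new_pos] = old_pos). Assumption of this example: bit i tracks target i."""
    out = []
    for m in members:
        new_map = 0
        for new_pos, old_pos in enumerate(new_order):
            new_map |= ((m.sla_map >> old_pos) & 1) << new_pos
        out.append(replace(m, sla_map=new_map))
    return out


if __name__ == "__main__":
    m709 = parse_members(SERVICE_OUTPUT_709)
    print("7.0.9, HUB1 first, order :", rank(m709, "order", 2))
    print("7.0.9, HUB2 first, order :", rank(reorder_sla_targets(m709, (1, 0)), "order", 2))
    print("7.0.9, any order,  number:", rank(m709, "number", 2))
    print("6.4.10, order            :", rank(parse_members(SERVICE_OUTPUT_6410), "order", 2))
```

Running it reproduces the three member lists printed by the Spoke in the article: with 'order', swapping the SLA targets in the rule swaps which hub's members come first, while with 'number' every member satisfies one target and the rule's cfg_order alone decides. It also shows why 6.4.10 appeared to honour the preference list: every member carried sla(0x3), so no target could differentiate them and cfg_order was the only remaining key.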
