Troubleshooting SD-WAN "Backhaul Only" / "Prioritize Local Breakout"

For background information, seeSD-WAN Connection Type - "Internet".

In Infinity Portal > Quantum SD-WAN application, create this rule in the Network view > SD-WAN Policy page and click Enforce at the top:

Name

Source

Destination

Services & Applications

Behavior

Enforcement

Backhaul bypass encryption

Security Gateway object

SD-WAN Internet

Applicable objects

Steering behavior object that is configured with one of these:

  • Local Breakout Only

  • Prioritize Local Breakout

Security Gateway object

Notes:

  • This configuration only overrides the encryption for local connections.

  • To send traffic for local connections, the Security Gateways uses the Gaia OS routing table (not the "Local Breakout" mechanism).

When in the Star VPN Community > VPN Routing page you select the option "To center, or through the center to other satellites, to internet and other VPN targets", the Security Gateway expect all traffic that originates from outside its VPN Domain to be encrypted.

To allow specific traffic to your Security Gateway from the Internet, these options are available:

  • Exclude specific ports, if applicable, in the Star VPN Community > Excluded Services page.

  • Follow sk25675.

Important - If you use SD-WAN "Overlay - VPN", then do NOT select the option "Exclude gateway's external IP addresses from the VPN Domain" in the Security Gateway object > "Network Management" section > "VPN Domain" page. This option interrupts the "Overlay - VPN" probing mechanism.

Follow these steps in SmartConsole:

  1. Configure the Network object:

    1. Open the Network object that represents your Branch LAN network.

    2. In the left panel, click the NAT page.

    3. Select Add automatic address translation rules.

    4. In the Translation method field, select Hide.

    5. Select Hide behind the gateway.

    6. In the Install on gateway field, select All (to include the Branch Gateway and the Center Gateway).

    7. Click OK.

    Best Practice - applies only to R82 and higher, and to R81.20 Jumbo Hotfix Accumulator, Take 41 or higher:

    If it is necessary for the Center Gateway to detect the original source IP address of the Branch local connections, then in the VPN Community object > Advanced page, select the option Disable NAT inside the VPN community.

  2. Configure the Access Control for the Branch Gateway:

    Allow traffic from the Branch network to the Internet.

  3. Configure the Access Control for the Center Gateway:

    Allow traffic from the Branch network to the Internet.

  4. Install the Access Control policy for the Branch Gateway.

  5. Install the Access Control policy for the Center Gateway.

If it is necessary to perform Hide NAT on the Branch Gateway when it sends traffic to the Internet (towards the Center Gateway):

  1. Configure the VPN Community object:

    1. Open the VPN Community object.

    2. On the Advanced page, clear the option Disable NAT inside the VPN community.

    3. Click OK.

  2. Configure the Access Control for the Center Gateway:

    Allow traffic from the Branch Gateway to the Internet.

  3. Configure the Branch Gateway object:

    1. Open the Branch Gateway object.

    2. In the NAT section, click the Advanced page.

    3. Select Add automatic address translation rules to hide this Gateway behind another Gateway.

    4. In the Translation method field, select Hide.

    5. Select Hide behind Gateway.

    6. In the Install on gateway field, select All (to include the Branch Gateway and the Center Gateway).

    7. Click OK.

  4. Install the Access Control policy for the Branch Gateway.

  5. Install the Access Control policy for the Center Gateway.

  1. Examine the VPN connections and their VPN tunnels - is the traffic to Infinity Portal sent encrypted?

    1. Connect to the command line on the Branch Gateway.

    2. Log in to the Expert mode.

    3. Run this command with the applicable filters:

      vpn tu conn <Source IP> <Source Port> <Destination IP> <Destination Port> <Protocol>

      Note - The minus character "-" is a wildcard "any".

      For more information, refer to the CLI Reference Guide for your version > Chapter "VPN Commands" > Section "vpn" > Section "vpn tu".

  2. If the traffic is encrypted, then investigate why does not it pass (a VPN tunnel is down? traffic is dropped? and so on).

  3. If the VPN tunnel is down, and you must make changes in the policy, then you can:

    1. Completely unload the current security policy.

    2. Make the required changes in the policy.

    3. Install the policy on the Branch Gateway.

    Steps:

    1. Connect to the command line on the Branch Gateway - either through the Console port, or through the LOM Card if installed.

    2. Log in.

    3. Disconnect all networks from the Branch Gateway, except the connection to the Internet (to Infinity Portal).

    4. Unload the current security policy:

      fw unloadlocal

      Warnings:

      • The "fw unloadlocal" command prevents all traffic from passing through the Security Gateway (Cluster Member), because it disables the IP Forwarding in the Linux kernel on the Security Gateway (Cluster Member).

      • The "fw unloadlocal" command removes all policies from the Security Gateway (Cluster Member). This means that the Security Gateway (Cluster Member) accepts all incoming connections destined to all active interfaces without any filtering or protection enabled.

      For more information, refer to the CLI Reference Guide for your version > Chapter "Security Gateway Commands" > Section "fw" > Section "fw unloadlocal".

    5. Make the required changes in the policy.

    6. Install the policy on the Branch Gateway.

    7. Examine the Access Control policy information on the Branch Gateway:

      cpstat -f policy fw

    8. Connect all networks to the Branch Gateway.