UDP based applications may get affected when traffic processing is disabled on the SDWAN
Article ID: CTX237920
Description
In a video conferencing tool based on IPsec (UDP), the master node is unable to see the remote nodes sitting behind the SDWAN-WanOP. This tool uses dynamic IPsec tunnels over the WAN that pass through the WanOP.
Resolution
On an SDX platform, the NetScaler component maintains the connection entries before forwarding traffic to the WanOP component. When traffic processing was abruptly disabled on the appliance, the NetScaler component kept forwarding traffic for those existing entries to the WanOP component.
For any other traffic this leads to a brief disruption, after which the end application restarts the communication. The new connection is not forwarded to the WanOP component and is bypassed at the NetScaler level (since traffic processing is disabled).
However, for the traffic that was blocked in this customer's case, the application always uses the same combination of client and server IP/port (port 500). Because of this, the NetScaler connection entry is never cleared and the traffic continues to be forwarded to the WanOP component, which blocks it since WanOP traffic processing is disabled.
Recommendation
Do not disable traffic processing: this drops accelerated connections and blocks traffic for applications that use persistent IP/port combinations.
In the rare cases where optimization must be bypassed, do it in the following steps:
1) Disable the advanced acceleration features
2) Use NetScaler ACLs to selectively bypass the traffic
For immediate relief:
Use NetScaler ACLs to bypass UDP 500 traffic.
Alternatively, bypass any other UDP port that is affected.
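The following is an added illustration, not Citrix code: a small Python model of the connection-table behaviour described in the Resolution section, replayed with constructed flows, which also shows why the ACL bypass in the Recommendation section gives immediate relief. The class and field names (ConnectionTable, bypass_acls, entries) are invented for the model and do not correspond to NetScaler internals.

```python
from dataclasses import dataclass, field

WANOP, BYPASS, DROPPED = "wanop", "bypass", "dropped"


@dataclass
class ConnectionTable:
    """Hypothetical model of the NetScaler-side connection table on an SDX."""
    processing_enabled: bool = True
    bypass_acls: set = field(default_factory=set)  # (proto, dst_port) to bypass
    entries: dict = field(default_factory=dict)    # 5-tuple -> chosen path

    def forward(self, src_ip, src_port, dst_ip, dst_port, proto="UDP"):
        # An ACL bypass is evaluated before the table lookup, so it applies
        # even to a flow that already has a stale WanOP entry.
        if (proto, dst_port) in self.bypass_acls:
            return BYPASS
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.entries:
            # New flow: accelerate only while traffic processing is enabled.
            self.entries[key] = WANOP if self.processing_enabled else BYPASS
        path = self.entries[key]
        if path == WANOP and not self.processing_enabled:
            # Stale entry: still forwarded to a WanOP that no longer processes it.
            return DROPPED
        return path


def scenario():
    """Replay the article's sequence with constructed sample flows."""
    table = ConnectionTable()
    ike = ("10.0.0.10", 500, "203.0.113.5", 500)      # fixed UDP 500/500 tuple
    app = ("10.0.0.10", 40001, "203.0.113.7", 8443)   # ephemeral source port
    results = {"ike_before": table.forward(*ike), "app_before": table.forward(*app)}
    table.processing_enabled = False                  # abrupt disable
    results["ike_after"] = table.forward(*ike)
    results["app_after"] = table.forward(*app)
    # The app restarts on a fresh source port: new entry, bypassed cleanly.
    results["app_restart"] = table.forward("10.0.0.10", 40002, "203.0.113.7", 8443)
    # IKE retries with the same 500/500 tuple and keeps hitting the stale entry.
    results["ike_retry"] = table.forward(*ike)
    # Immediate relief from the article: an ACL that bypasses UDP 500.
    table.bypass_acls.add(("UDP", 500))
    results["ike_after_acl"] = table.forward(*ike)
    return results
```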
Problem Cause
The UDP connection mapping between the NetScaler instance and the WanOP is not retained correctly when traffic processing is disabled.
Issue/Introduction
UDP-based applications may be affected when traffic processing is disabled on the SDWAN. This issue is specific to SDX-based platforms (4000/5000).