Citrix SDWAN: Local internet breakout traffic is always sent via the Secondary link even though the Primary link is up.

Article ID: CTX297032

Description

Customer has two WAN links bound to Internet Services. One link is Primary and the other is Secondary.

The internet traffic always goes via the Secondary WAN link even though the Primary link is UP.

Due to this, when the Secondary link goes down, internet access is lost for all users.

Resolution

On MCN > Configuration co-ordinator > Select Sites > Select respective Branch Site > Interface groups > Virtual interfaces > Select the Primary WAN link > Select Firewall Zone as Untrusted_Internet_Zone > Save the changes > Stage and Activate the configuration.

Problem Cause

Configuration issue: the Primary WAN link was configured as TRUSTED rather than UNTRUSTED, so no Outbound NAT rule was created for the Primary WAN link. Hence the internet traffic was always NAT'ed with the Secondary WAN link IP address.
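The behaviour described above can be checked mechanically. The following is an added example, not Citrix code and not taken from this article: it models the rule the article states (only a WAN link whose virtual interface is in the UNTRUSTED zone gets a dynamic outbound NAT rule, and only links with such a rule can carry breakout traffic, Primary preferred) and audits a constructed link table for the misconfiguration. The WanLink structure, the function names and the trusted zone name "Default_LAN_Zone" are assumptions made for this example.

```python
"""Constructed model (not Citrix code) of the internet breakout link selection
described in the article. Link records, zone names other than
Untrusted_Internet_Zone, and function names are assumptions for this example."""
from dataclasses import dataclass
from typing import List, Optional

UNTRUSTED_ZONE = "Untrusted_Internet_Zone"  # zone name used in the article


@dataclass
class WanLink:
    name: str
    role: str          # "primary" or "secondary" for the Internet Service
    zone: str          # firewall zone of the link's virtual interface
    up: bool = True    # link state


def outbound_nat_links(links: List[WanLink]) -> List[WanLink]:
    """Links that receive a dynamic outbound NAT rule: only UNTRUSTED ones
    (the article's stated cause: a TRUSTED link gets no NAT rule)."""
    return [l for l in links if l.zone == UNTRUSTED_ZONE]


def breakout_link(links: List[WanLink]) -> Optional[str]:
    """Name of the link that carries internet breakout, or None if no usable
    link exists. Primary is preferred over Secondary, but a link without an
    outbound NAT rule is never a candidate, whatever its state."""
    candidates = [l for l in outbound_nat_links(links) if l.up]
    for role in ("primary", "secondary"):
        for l in candidates:
            if l.role == role:
                return l.name
    return None


def audit(links: List[WanLink]) -> List[str]:
    """Findings for links bound to the Internet Service that can never carry
    breakout traffic because their zone is trusted."""
    return [
        f"{l.name}: zone '{l.zone}' is trusted, no outbound NAT rule, "
        f"breakout will never use this link"
        for l in links if l.zone != UNTRUSTED_ZONE
    ]


def set_zone(links: List[WanLink], name: str, zone: str) -> None:
    """Apply the article's fix: move a link's virtual interface to a zone."""
    for l in links:
        if l.name == name:
            l.zone = zone


if __name__ == "__main__":
    # Constructed example matching the article: Primary wrongly in a trusted zone.
    links = [
        WanLink("Primary", "primary", "Default_LAN_Zone"),   # misconfigured
        WanLink("Secondary", "secondary", UNTRUSTED_ZONE),
    ]
    print("breakout via:", breakout_link(links))          # Secondary
    for finding in audit(links):
        print("AUDIT:", finding)
    links[1].up = False
    print("secondary down, breakout via:", breakout_link(links))  # None
    links[1].up = True
    set_zone(links, "Primary", UNTRUSTED_ZONE)             # the article's fix
    print("after fix, breakout via:", breakout_link(links))       # Primary
```

Running the script walks through the article's three states: Primary ignored while Secondary is up, total loss of breakout when Secondary goes down, and Primary carrying traffic once its zone is changed to Untrusted_Internet_Zone.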

Please refer to the document below:

https://docs.citrix.com/en-us/citrix-sd-wan/10-2/use-cases-sd-wan-virtual-routing/best-practices.html

Refer to the following statement from that document:

> Allow the Internet to be defined as UNTRUSTED interfaces which automatically create a dynamic NAT for breakout and source NAT the connection so the response comes back to SD-WAN.