Troubleshooting

Some SD-WAN policy route problems and solutions are below:

Traffic between networks connected to internal ports is being routed to the WAN interface

If traffic between directly connected networks, such as networks or subnets connected to the LAN or DMZ ports, flows through the WAN interface instead of passing directly to the internal network, do as follows:

  • Check if an SD-WAN policy route has Destination networks set to Any.

    Change the setting from Any to a specific choice (example: WAN) from the list. Setting it to Any forces XG Firewall to forward internal traffic to the WAN interface as well.

  • If you want to retain the above generic policy route, create an SD-WAN policy route with a specific choice for the destination network. Place this route above the Any policy route. Policy routes are enforced in the order shown.
  • Alternatively, go to Routing > SD-WAN policy routing and view the route precedence in the box below the menu.

    Static routes include directly connected networks. To allow XG Firewall to forward internal network traffic directly, the route precedence must be static route, then SD-WAN policy route. Change the route precedence from the command-line console:

    Example: console> system route_precedence set static sdwan_policyroute vpn

Lost access to XG Firewall after creating an SD-WAN policy route

If you lost access to the web admin and SSH consoles of XG Firewall, check whether all of the following conditions apply. To regain access, change any one of these settings.

  • Route precedence set to SD-WAN policy route before static route.

    To view the route precedence, go to Routing > SD-WAN policy routing and see the box below the menu. The route precedence must be static route, then SD-WAN policy route. You can change the route precedence from the command-line console:

    Example: console> system route_precedence set static sdwan_policyroute vpn

  • Destination networks set to Any in the newly created SD-WAN policy route for a specific internal subnet. You can change the setting to a specific choice.
  • SD-WAN policy routing turned on for system-generated traffic.

    Go to the command-line console and use this command: show routing sd-wan-policy-route system-generate-traffic

    You can turn off SD-WAN policy routing for system-generated traffic.

  • SD-WAN policy routing turned on for reply packets.

    Go to the command-line console and use this command: show routing sd-wan-policy-route reply-packet

    You can turn off SD-WAN policy routing for reply packets.

If all these conditions apply, XG Firewall enforces the generic SD-WAN policy route before static routes and applies it to system-generated traffic and reply packets as well. Access to the web admin and SSH consoles is lost from the internal subnet specified in the policy route. However, access is still available from other subnets.
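The two problems above (internal traffic leaving through WAN, and admin access lost from one subnet) both come down to the order in which route lookups run and which packets the SD-WAN policy lookup is allowed to see. The following Python model is an added example written for this page; it is not Sophos code and does not reproduce XG Firewall's real lookup logic. The interface names, addresses, policy route and config fields are all constructed. It shows how each of the four conditions on its own is enough to send a packet the wrong way, and how changing any one of them restores direct forwarding.

```python
"""
Simplified model of route selection with a configurable route precedence,
SD-WAN policy routes (first match wins, in listed order) and the two toggles
for system-generated traffic and reply packets. Constructed for illustration;
it is not XG Firewall's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence

ANY = "Any"   # stands in for the "Any" choice in Destination/Source networks


@dataclass
class StaticRoute:
    network: str      # directly connected networks count as static routes
    interface: str    # constructed interface label, e.g. "LAN"


@dataclass
class PolicyRoute:
    name: str
    source: str       # source network or ANY
    destination: str  # destination network or ANY
    gateway: str      # primary gateway label, e.g. "WAN"


@dataclass
class Packet:
    src: str
    dst: str
    system_generated: bool = False  # originates from the firewall itself
    reply: bool = False             # reply packet of an existing session


@dataclass
class Config:
    route_precedence: Sequence[str]   # e.g. ("static", "sdwan_policyroute", "vpn")
    static_routes: List[StaticRoute]
    policy_routes: List[PolicyRoute]
    sdwan_for_system_traffic: bool = False
    sdwan_for_reply_packets: bool = False


def _matches(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec)


def lookup_static(cfg: Config, pkt: Packet) -> Optional[str]:
    """Longest-prefix match over static (incl. directly connected) routes."""
    best = None
    for r in cfg.static_routes:
        net = ip_network(r.network)
        if ip_address(pkt.dst) in net and (
            best is None or net.prefixlen > ip_network(best.network).prefixlen
        ):
            best = r
    return best.interface if best else None


def lookup_policy(cfg: Config, pkt: Packet) -> Optional[str]:
    """First matching SD-WAN policy route, unless the packet class is excluded."""
    if pkt.system_generated and not cfg.sdwan_for_system_traffic:
        return None
    if pkt.reply and not cfg.sdwan_for_reply_packets:
        return None
    for pr in cfg.policy_routes:
        if _matches(pr.source, pkt.src) and _matches(pr.destination, pkt.dst):
            return pr.gateway
    return None


def select_egress(cfg: Config, pkt: Packet) -> Optional[str]:
    """Run the lookups in the configured precedence order; first hit wins."""
    lookups = {"static": lookup_static, "sdwan_policyroute": lookup_policy}
    for stage in cfg.route_precedence:
        fn = lookups.get(stage)     # "vpn" is not modelled here
        if fn is None:
            continue
        egress = fn(cfg, pkt)
        if egress is not None:
            return egress
    return None


def admin_access_lost(cfg: Config, fw_ip: str, admin_ip: str) -> bool:
    """True if the firewall's reply to an admin session leaves via a gateway
    instead of the directly connected interface for that admin's subnet."""
    reply = Packet(fw_ip, admin_ip, system_generated=True, reply=True)
    return select_egress(cfg, reply) != lookup_static(cfg, reply)


def demo_config(precedence=("sdwan_policyroute", "static", "vpn"), destination=ANY,
                system_traffic=True, reply_packets=True) -> Config:
    """Constructed config; the defaults reproduce all four 'lost access' conditions."""
    return Config(
        route_precedence=precedence,
        static_routes=[StaticRoute("192.168.1.0/24", "LAN"),
                       StaticRoute("172.16.0.0/24", "DMZ"),
                       StaticRoute("10.0.0.0/24", "GUEST")],
        # policy route for one internal subnet; Destination networks = Any by default
        policy_routes=[PolicyRoute("lan-to-any", "192.168.1.0/24", destination, "WAN")],
        sdwan_for_system_traffic=system_traffic,
        sdwan_for_reply_packets=reply_packets,
    )


if __name__ == "__main__":
    broken = demo_config()
    lan_to_dmz = Packet("192.168.1.10", "172.16.0.5")
    print("LAN->DMZ, broken config:", select_egress(broken, lan_to_dmz))
    print("LAN->DMZ, static first:", select_egress(
        demo_config(precedence=("static", "sdwan_policyroute", "vpn")), lan_to_dmz))
    print("admin on 192.168.1.0/24 locked out:", admin_access_lost(broken, "192.168.1.1", "192.168.1.10"))
    print("admin on 10.0.0.0/24 locked out:", admin_access_lost(broken, "10.0.0.1", "10.0.0.10"))
```

Changing any single default in demo_config() (precedence, a specific destination network, or either toggle) makes the admin reply fall back to the directly connected interface, which is the same observation the page makes about regaining access by changing any one setting.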

An SD-WAN policy route doesn't show in the policy route table

If a migrated SD-WAN policy route or a route you created no longer appears, do as follows:

  • Check if you deleted the primary gateway specified in the route. Deleting an SD-WAN policy route's primary gateway deletes the route.
  • If it's a migrated route, check if you deleted the associated firewall rule.

    When you upgrade from 17.5 or earlier to 18.0, routing settings in firewall rules are migrated as SD-WAN policy routes. These routes remain associated with the original firewall rule. If you delete the firewall rule, the associated route is deleted.