This article describes the behavior of the SD-WAN rules configured in manual mode when the performance SLA for the interface is failing.
If all health-check is indicating that an interface is dead, even if it is used in manual mode, this SD-WAN rule will be void.
# config system sdwan set status enable config zone edit "virtual-wan-link" next end # config members edit 1 set interface "port9" set gateway 10.109.31.254 next end # config health-check edit "sla" set server "184.108.40.206" set update-static-route disable set members 1 next end # config service edit 1 set name "rule" set dst "220.127.116.11/32" set priority-members 1 next end end
When the SLA is failing the interface is marked as dead.
FortiGate-1000D # di sys sdwan health-check Health Check(sla): Seq(1 port9): state(dead), packet-loss(45.000%) sla_map=0x0
The rule is disabled:
FortiGate-1000D # diagnose sys sdwan service Service(1): Address Mode(IPV4) flags=0x200 Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual) Service disabled caused by no outgoing path. <----- Members(1): 1: Seq_num(1 port9), dead Dst address(1): 18.104.22.168-22.214.171.124
To avoid this behavior in case the configured SLA is used in a different rule and to have the manual rule to be matched, it is possible to configure an SLA which will monitor different servers and will still be up.
This behavior can cause issues when there are multiple rules and in some of them, SLA is configured.
But it is also necessary to have rules in manual mode which need to be always matched. Example: in order to tag the traffic.