SD-WAN

Has anyone managed to redistribute default route towards branch gateways? I've been able to redistribute other routes, but default route doesn't seem to be working. It is learnt from BGP and I have enabled 'default information' under BGP settings.

Well, according to TAC redistributing default route via overlay is "really bad design" and "might cause loops". Really don't understand why but it's not supported if anyone is wondering.

Aruba also removed the ability to redistribute static routes that are towards null interface for the very same reasons. It was supported before but it was just dropped in a newer software versions.

Hi,

I think it is a bad idea to redistribute default route via the overlay as you might cause a routing loop. For example, the branch gateway might consider to reach the VPNC via the overlay (as learned from the overlay) instead of going through the underlay so the tunnel can be established. This can cause tunnel flapping.

However, we still support tunneling all traffic from the branch to the VPNC without the need for a default route. What are you trying to do? Why do you need a default route via the overlay?

I can create static default routes so it does not differ from a situation where I ust redistribute the default. Loop wise, I do not see how the "loop" would happen differently in these two cases.

Our use case for this would be trigger failover if VPNC loses internet connectivity. I think there is no way to do health checks over VPN tunnels. I can create something that monitors WAN uplink but not connectivity to for example internet via VPN. We have MPLS connectivity to the VPNC so the VPN tunnel stays up even if VPNC loses connectivity.

And also I don't like the idea that Aruba decides for us what is the correct way to route networks, especially when there are no good reasons to not to allow something.

Tried opening another ticket to get a workaround, but the response is still that it might cause loops. Which is really weird as  I just can configure static route towards the IPSec tunnel and route everything over that in any case? Shouldn't that "cause loops" too?

S*    0.0.0.0/0  [50/1] ipsec map data-vpnc-00:1a:1e:00:a0:a2-asdf_inet
                 [50/1] ipsec map data-vpnc-00:1a:1e:00:a2:e9-asdf_inet

And everything works. Though this is not solved by having manual static routes as they are considered equal currently and probably causes asymmetric routing and latency as the other DC is further away from the client.

Also because Central is very limited on the amount of WAN uplinks you can configure, all the WAN uplink configuration needs to be done on the device level. So it means that also default routes need to be done on the device level and this makes the whole configuration way too complicated. If I wanted to do maintenance on VPNC 1 I would need to go over each and every BGW and change the routing priorities from there, and also VPN priorities so that routing towards the core would change.

How to tunnel all traffic from branch to vpnc without route ?

We have mc-to-vpnc-to-branchmd up and running and also tunneling traffic to corporate network but do not get the "any"-traffic (internet / public ips) tunneled to vpnc

v8.10.7 

this full tunnel discussion is relevant to gateways/VPNCs running SD-WAN feature firmware and more prevalent firmware image AOS10. that bring the new architecture of AOS 10 and SD-WAN features into one.

Please open a new discussion

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------