What happens when health check IP is not reachable from SD-WAN BGW?


What happens when health check IP is not reachable from SD-WAN BGW?


WAN Health Check is enabled by default on all BGW which continuously monitors the health check IP/URL to check the reachability to the internet from each uplink.

Aruba recommends using pqm.arubanetworks.com (configured by default). BGW uses ICMP/UDP probes to monitor the connection to the health check IP. 

In case if the BGW is unable to reach the configured Health check IP/URL, it would assume that there is no internet connection and would stop using the particular WAN uplink for (underlay) client data traffic. 

However, if the configured VPNC is reachable from the same uplink, the IPSEC tunnel would still be established and overlay traffic will pass through the particular uplink inside the ipsec tunnel. 


(BGW2) #show uplink 

Uplink Manager: Enabled
Uplink Health-check: Enabled  FQDN: pqm.aruanetworks.com(Unresolved)
Uplink Load-balancing:Enabled  Mode: Round-robin  

Uplink Management Table
Uplink Type  Properties  Uplink-id     State      Gateway      Reachability  WAN Type   Speed       Weight  B/w utiln  Max b/w
-----------  ----------  ---------     -----      -------      ------------  --------   -----       ------  ---------  -------
Wired        vlan 4094   uplink1_inet  Connected  Reachble      Internet  1.000 Gbps     10   0.00%        100%
Wired        vlan 302    APN_mpls      Connected  Unreachable   MPLS      1.024 Gbps     10   0.00%        100%    


In the above uplink, Health-check IP is not reachable from mpls link (VLAN-302). This particular uplink (VLAN-302) will not be used for internet traffic for clients. 

However, as per the below example, we can see that it has formed the ipsec tunnel with the VPNC and the overlay traffic towards the VPNC/Data-Centre will still pass through the ipsec tunnel. 


show crypto ipsec sa

Tunnel     Service    SA Information
Initiator IP Responder IP       SPI(IN/OUT)           Flags      Start Time Inner IP
------------ ------------ ---------------- ----- --------------- --------     1be8d900/30b84900     UTlt      Sep 7 15:27:09 -     30a1a400/fb79c400     UTlt      Sep 7 15:27:09 -     58357d00/38b87500     UTlt      Sep 7 15:27:09 -​     2ce0fc00/6acb0c00     UTlt      Sep 7 16:31:20 -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
l = uplink load-balance t = Tunnel Service

Total IPSEC SAs: 4
Version history
Revision #:
2 of 2
Last update:
‎09-26-2019 02:07 AM
Updated by:
Labels (1)