Q:
What happens when health check IP is not reachable from SD-WAN BGW?
WAN Health Check is enabled by default on all BGWs. It continuously monitors the health check IP/URL to check reachability to the internet from each uplink.
Aruba recommends using pqm.arubanetworks.com (configured by default). The BGW uses ICMP/UDP probes to monitor the connection to the health check IP.
If the BGW is unable to reach the configured health check IP/URL, it assumes that there is no internet connection and stops using that particular WAN uplink for (underlay) client data traffic.
However, if the configured VPNC is reachable from the same uplink, the IPsec tunnel is still established and overlay traffic passes through that uplink inside the IPsec tunnel.
(BGW2) #show uplink

Uplink Manager: Enabled
Uplink Health-check: Enabled
FQDN: pqm.aruanetworks.com(Unresolved)
Uplink Load-balancing:Enabled
Mode: Round-robin

Uplink Management Table
-----------------------
Uplink Type  Properties  Uplink-id     State      Gateway      Reachability  WAN Type  Speed       Weight  B/w utiln  Max b/w
-----------  ----------  ---------     -----      -------      ------------  --------  -----       ------  ---------  -------
Wired        vlan 4094   uplink1_inet  Connected  10.23.199.1  Reachble      Internet  1.000 Gbps  10      0.00%      100%
Wired        vlan 302    APN_mpls      Connected  14.79.43.13  Unreachable   MPLS      1.024 Gbps  10      0.00%      100%
In the above output, the health check IP is not reachable from the MPLS link (VLAN 302). This particular uplink (VLAN 302) will not be used for client internet traffic.
However, the example below shows that the BGW has still formed the IPsec tunnel with the VPNC, so overlay traffic towards the VPNC/data centre still passes through the IPsec tunnel.
show crypto ipsec sa

Tunnel Service SA Information
-----------------------------------
Initiator IP  Responder IP  SPI(IN/OUT)        Flags  Start Time       Inner IP
------------  ------------  ----------------   -----  ---------------  --------
14.79.43.14   21.15.10.11   1be8d900/30b84900  UTlt   Sep 7 15:27:09   -
10.23.199.13  10.110.0.17   30a1a400/fb79c400  UTlt   Sep 7 15:27:09   -
10.23.199.13  21.15.10.11   58357d00/38b87500  UTlt   Sep 7 15:27:09   -
14.79.43.14   10.110.0.17   2ce0fc00/6acb0c00  UTlt   Sep 7 16:31:20   -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
       l = uplink load-balance t = Tunnel Service

Total IPSEC SAs: 4
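A monitoring check for the behaviour described above, as an added example (not Aruba's code): it parses the data rows of `show uplink` and `show crypto ipsec sa` and labels each uplink by whether it carries underlay internet traffic, overlay tunnel traffic, or both. The sample rows are copied from the outputs on this page; the function name, the role labels, and the rule that ties an SA's initiator IP to an uplink through a /24 around the uplink gateway are assumptions.

```python
import ipaddress
import re

# Data rows copied from the two command outputs on this page.
UPLINK_ROWS = """\
Wired vlan 4094 uplink1_inet Connected 10.23.199.1 Reachble Internet 1.000 Gbps 10 0.00% 100%
Wired vlan 302 APN_mpls Connected 14.79.43.13 Unreachable MPLS 1.024 Gbps 10 0.00% 100%
"""
SA_ROWS = """\
14.79.43.14 21.15.10.11 1be8d900/30b84900 UTlt Sep 7 15:27:09 -
10.23.199.13 10.110.0.17 30a1a400/fb79c400 UTlt Sep 7 15:27:09 -
10.23.199.13 21.15.10.11 58357d00/38b87500 UTlt Sep 7 15:27:09 -
14.79.43.14 10.110.0.17 2ce0fc00/6acb0c00 UTlt Sep 7 16:31:20 -
"""

IP = r"\d+\.\d+\.\d+\.\d+"
UPLINK_RE = re.compile(
    rf"^\S+\s+vlan\s+\d+\s+(?P<id>\S+)\s+(?P<state>\S+)\s+(?P<gw>{IP})\s+(?P<reach>\S+)",
    re.M)
SA_RE = re.compile(
    rf"^(?P<init>{IP})\s+(?P<resp>{IP})\s+[0-9a-f]+/[0-9a-f]+\s+(?P<flags>\S+)", re.M)


def classify_uplinks(uplink_text, sa_text, prefix_len=24):
    """Map uplink-id -> (role, responder IPs). prefix_len is an assumption: an SA
    is tied to an uplink when its initiator IP falls in the gateway's subnet."""
    sas = [m.groupdict() for m in SA_RE.finditer(sa_text)]
    result = {}
    for m in UPLINK_RE.finditer(uplink_text):
        net = ipaddress.ip_network(f"{m['gw']}/{prefix_len}", strict=False)
        # Only tunnel-service SAs (lowercase 't' flag) count as overlay tunnels.
        peers = sorted({s["resp"] for s in sas
                        if "t" in s["flags"] and ipaddress.ip_address(s["init"]) in net})
        # Prefix match: the sample output spells the healthy state "Reachble".
        underlay = m["state"] == "Connected" and m["reach"].lower().startswith("reach")
        if underlay:
            role = "underlay+overlay" if peers else "underlay-only"
        else:
            role = "overlay-only" if peers else "unusable"
        result[m["id"]] = (role, peers)
    return result


if __name__ == "__main__":
    for uplink, (role, peers) in classify_uplinks(UPLINK_ROWS, SA_ROWS).items():
        print(f"{uplink:14} {role:17} tunnels to: {', '.join(peers) or 'none'}")
```

An uplink reported as `overlay-only` is the case this article describes: the health check fails, yet tunnel traffic to the VPNC still uses the link.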
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.