[email protected]
0
[email protected]

Shopping cart

Subtotal:

$0.00
View cartCheckout

NSE7_SDW-7.2 SD-WAN troubleshooting

SD-WAN troubleshooting

Detailed list of NSE7_SDW-7.2 knowledge points

SD-WAN Troubleshooting Detailed Explanation

Troubleshooting is a critical skill for maintaining the stability and reliability of an SD-WAN deployment. It involves diagnosing and resolving issues that affect network performance, traffic flow, or device functionality.

5.1 Common Issues

1. Rule Misconfiguration

  • What It Is:
    SD-WAN rules define how traffic is routed. Misconfigured rules can lead to unexpected traffic behavior, such as:
    • Traffic being routed to incorrect paths.
    • Certain applications not functioning as intended.
  • Troubleshooting Steps:
    1. Verify the rule’s matching conditions (source/destination IP, application type, services).
    2. Check the rule priority to ensure higher-priority rules are not overriding lower-priority ones.
    3. Test the rule with specific traffic to confirm proper matching.

2. SLA Violations

  • What It Is:
    SLA (Service Level Agreement) violations occur when a link fails to meet performance thresholds (e.g., latency, jitter, or packet loss).
  • Troubleshooting Steps:
    1. Monitor the SLA metrics for each link.
    2. Identify problematic links with consistent SLA breaches.
    3. Adjust path selection rules or reroute traffic to better-performing links.

3. Routing Anomalies

  • What It Is:
    Dynamic routing protocols (e.g., OSPF, BGP) may fail due to misconfigurations, causing routing loops or unreachable destinations.
  • Troubleshooting Steps:
    1. Check the status of routing neighbors (e.g., OSPF adjacency or BGP peers).
    2. Verify the routing table for missing or incorrect routes.
    3. Look for mismatched network advertisements between devices.

5.2 Diagnostic Tools

CLI Commands

  1. diag sys sdwan:

    • Purpose: View the status of SD-WAN members and rules.

    • Usage Example:

      diag sys sdwan

      Output shows the status of each WAN link, SLA metrics, and path usage.

  2. diag debug application sdwan:

    • Purpose: Analyze rule matching and traffic distribution.

    • Usage Example:

      diag debug application sdwan
diag debug enable

      Output provides real-time insights into how rules are applied to traffic.

Logs and Reports

  • Use tools like FortiAnalyzer to review historical logs and performance data:
    • Traffic Logs: Analyze traffic flow and identify bottlenecks.
    • SLA Reports: View link performance trends over time.

5.3 Troubleshooting Workflow

Step 1: Scope the Issue

  • Goal: Determine if the issue is related to SD-WAN rules, link performance, or device hardware.
  • Example:
    • If traffic is not reaching its destination, check rules first.
    • If SLA metrics are failing, focus on link performance.

Step 2: Apply Temporary Fixes

  • Goal: Quickly mitigate the impact of the issue while investigating the root cause.
  • Actions:
    • Adjust rule conditions or priorities to reroute traffic.
    • Manually switch traffic to an alternate WAN link if one is degraded.

Step 3: Analyze Root Cause

  • Goal: Identify the underlying problem to implement a permanent solution.
  • Examples:
    • Misconfigured rules: Correct the matching conditions.
    • Faulty link: Contact the ISP or replace faulty hardware.

Practical Application

Scenario 1: Simulate Link Failures

  1. Temporarily disconnect one WAN link to simulate a failure.
  2. Observe how SD-WAN reroutes traffic to the backup link.
  3. Verify that critical applications remain operational during the failover.

Scenario 2: Analyze Historical Data

  1. Use FortiAnalyzer to review logs for the past week.
  2. Identify patterns of SLA violations on specific links.
  3. Adjust SD-WAN policies to prioritize better-performing links.

Key Takeaways

  1. Common Issues:
    Troubleshooting often involves correcting rule misconfigurations, resolving SLA violations, or addressing routing anomalies.
  2. Diagnostic Tools:
    Use CLI commands for real-time analysis and tools like FortiAnalyzer for historical insights.
  3. Workflow:
    Follow a systematic approach: scope the issue, apply temporary fixes, and identify the root cause.
  4. Practical Skills:
    Simulate scenarios like link failures to practice troubleshooting and ensure the network behaves as expected under stress.

SD-WAN Troubleshooting (Additional Content)

Effective SD-WAN troubleshooting requires a structured approach, covering physical connectivity, WAN link performance, SD-WAN rule validation, VPN-related issues, and historical analytics.

1. Physical and WAN Link-Level Troubleshooting

Before diagnosing SD-WAN policy or routing issues, ensure the underlying WAN connection is stable.

1.1 Checking Interface Status

Use the following command to verify WAN interface connectivity:

get system interface
  • What to check?
    • The status of WAN interfaces (up/down).
    • The assigned IP address (ensure it is obtained from the ISP).
    • The link speed and duplex mode (mismatches can cause performance degradation).

1.2 Detecting Link Jitter and Packet Loss

Run the following commands to check WAN stability:

  • Ping test to check packet loss:

    execute ping -c 50 <ISP_Gateway_IP>

  • Traceroute test to diagnose high latency:

    execute traceroute <destination_IP>

  • Key indicators of WAN issues:

    • High packet loss (>5%) indicates ISP issues or faulty WAN links.
    • High latency spikes suggest congestion or route inefficiencies.
    • Multiple unexpected hops in traceroute may indicate routing misconfiguration.

1.3 Verifying MTU/MSS Settings

Incorrect MTU (Maximum Transmission Unit) or MSS (Maximum Segment Size) settings can cause:

  • Packet fragmentation, leading to higher retransmissions.
  • Performance degradation in VPN tunnels.

To check MTU values, use:

diagnose sys mtu

  • If MTU is mismatched, adjust it:

    config system interface
    edit "wan1"
    set mtu 1500
end

  • For VPN tunnels, consider setting MSS clamping to avoid fragmentation:

    config vpn ipsec phase1-interface
    edit "vpn1"
    set mtu-override enable
    set mtu 1350
end

2. FortiGate SD-WAN Diagnostic CLI Commands

2.1 Checking Active SD-WAN Routes

To verify how traffic is being routed through SD-WAN, use:

get router info routing-table all
  • Ensures traffic is following the intended SD-WAN path.
  • Detects missing or incorrect routes that can cause packet drops.

2.2 Checking SD-WAN Health Status

To validate WAN SLA performance metrics, run:

diagnose sys sdwan health-check
  • Displays latency, jitter, and packet loss statistics for each WAN link.
  • Ensures SD-WAN policies fail over correctly when SLA violations occur.

2.3 Verifying SD-WAN Rule Matching

To check if traffic matches the correct SD-WAN rule, use:

diagnose sys sdwan service
  • Identifies which SD-WAN rule is applied to traffic.
  • Helps detect overridden or misprioritized rules.

2.4 Debugging Traffic Flow

To trace why traffic is not following expected SD-WAN routes, use:

diagnose debug flow filter addr <destination_IP>
diagnose debug enable
diagnose debug console timestamp enable
  • Helps determine if traffic is dropped, misrouted, or NAT-ed incorrectly.
  • Useful for troubleshooting firewall rule conflicts.

3. Advanced SD-WAN Troubleshooting

3.1 SD-WAN Rule Not Applied

  • Issue: Traffic is not following the expected SD-WAN rule.

  • Possible Cause: A higher-priority rule is overriding the intended policy.

  • Solution: Run:

    diagnose sys sdwan service
    • Identify the rule priority order.
    • Adjust rule weight or priority if necessary.

3.2 SLA Failover Not Triggering

  • Issue: SD-WAN is not switching WAN links despite SLA violations.

  • Possible Cause: SLA thresholds are set too high, preventing failover.

  • Solution: Adjust SLA parameters:

    config system sdwan
    config health-check
        edit "WAN_SLA_Check"
            set latency-threshold 100
            set packetloss-threshold 5
        next
    end
end

  • Reducing the latency threshold ensures failover happens sooner.

3.3 SD-WAN Load Balancing Not Working

  • Issue: Traffic is only using one WAN link despite load balancing settings.

  • Possible Cause: ECMP (Equal-Cost Multi-Path) is not configured.

  • Solution: Verify ECMP settings:

    get router info routing-table all

    • If only one route exists, enable ECMP:

      config router setting
    set ecmp-max-paths 4
end

4. SD-WAN VPN Troubleshooting

If SD-WAN is integrated with VPN tunnels, additional debugging is required.

4.1 IPsec Tunnel Not Establishing

  • Issue: SD-WAN cannot establish an IPsec VPN tunnel.

  • Possible Causes:

    • Phase 1/2 configuration mismatch.
    • IKE negotiation failure.

  • Solution:

    • Check active VPN tunnels:

      diagnose vpn tunnel list

    • Debug IKE negotiation:

      diagnose debug application ike -1

4.2 ADVPN Dynamic Tunnels Not Establishing

  • Issue: Branch offices cannot dynamically establish ADVPN tunnels.

  • Possible Cause: Routing issues in OSPF/BGP.

  • Solution: Verify dynamic routing:

    get router info bgp summary
get router info ospf neighbor

    • Ensure OSPF/BGP is advertising correct routes.

    • Restart dynamic VPN discovery:

      diagnose vpn ike gateway

5. FortiAnalyzer for Advanced Troubleshooting

FortiAnalyzer helps troubleshoot historical SD-WAN performance issues.

5.1 Analyzing SLA Violations

To check which WAN links frequently fail SLA checks:

  • Access FortiAnalyzer SD-WAN reports.
  • Identify WAN links exceeding latency or packet loss thresholds.

5.2 Traffic Path Analysis

To trace specific sessions through SD-WAN, use:

  • Log replay feature to view past traffic flows.
  • Identify incorrect SD-WAN routing decisions.

5.3 ISP-Specific Issue Correlation

  • If multiple branch offices report frequent disconnections, compare:
    • Multiple site logs in FortiAnalyzer.
    • Identify common ISP failures across locations.

Conclusion

Key Takeaways

  1. Physical and WAN Link Troubleshooting
  • Check interface status, run ping/traceroute tests, and verify MTU settings.
  1. FortiGate SD-WAN Diagnostic Commands
  • Use diagnose sys sdwan health-check to monitor SLA performance.
  • Use diagnose sys sdwan service to verify rule matching.
  • Use diagnose debug flow filter addr <destination_IP> to trace traffic.
  1. Advanced SD-WAN Troubleshooting
  • Fix SD-WAN rules by adjusting rule priority.
  • Ensure SLA-based failover triggers correctly.
  • Enable ECMP for proper load balancing.
  1. SD-WAN VPN Troubleshooting
  • Use diagnose vpn tunnel list to check active VPN sessions.
  • Verify BGP/OSPF routing to resolve ADVPN tunnel failures.
  1. FortiAnalyzer for Deep Analysis
  • Review SLA reports to identify problematic WAN links.
  • Use log replay to analyze historical SD-WAN routing behavior.
  • Correlate logs to detect ISP-related issues.

Frequently Asked Questions

Which command on FortiGate displays the health status of SD-WAN performance SLAs and link metrics such as latency, jitter, and packet loss?

Answer:

diagnose sys sdwan health-check

Explanation:

The command diagnose sys sdwan health-check displays the real-time status of all configured SD-WAN health checks. The output shows whether each member link is alive or dead and includes performance metrics such as packet loss, latency, and jitter. These values determine whether a link meets the SLA thresholds configured in the SD-WAN rule. If the metrics exceed the thresholds, the link is marked as failing the SLA and may be excluded from traffic forwarding depending on the rule strategy. Network engineers commonly use this command when troubleshooting unexpected path selection or link failover behavior. Understanding the output helps determine if the issue lies in the physical link, the SLA thresholds, or the SD-WAN rule logic controlling path selection.

Demand Score: 92

Exam Relevance Score: 95

Which FortiGate command displays all SD-WAN members and their current status?

Answer:

diagnose sys sdwan member

Explanation:

The diagnose sys sdwan member command shows the status of each SD-WAN member interface in the virtual-wan-link zone. The output lists the interface name, gateway, priority, and weight. When weight-based load balancing is used, it also displays the session count handled by each member. This command is useful when verifying whether interfaces were successfully added to SD-WAN and whether traffic distribution is functioning as expected. During troubleshooting, administrators often run this command alongside health-check diagnostics to confirm that interfaces are operational and participating in SD-WAN load balancing or failover decisions.

Demand Score: 88

Exam Relevance Score: 90

How can you determine which SD-WAN rule is matched for a specific traffic flow during troubleshooting?

Answer:

Use diag firewall proute list and correlate it with debug flow output.

Explanation:

When troubleshooting SD-WAN rule matching, engineers commonly run a debug flow capture to observe packet processing. The debug output includes a policy route ID that indicates which SD-WAN rule was evaluated. By running diag firewall proute list, administrators can view all SD-WAN policy routes and match the route ID from the debug flow with the rule ID in the proute list. This method allows engineers to identify exactly which SD-WAN rule handled the traffic. It is particularly useful when traffic unexpectedly bypasses a rule due to route lookup order, policy routing precedence, or incorrect rule conditions such as destination, service, or interface matching.

Demand Score: 85

Exam Relevance Score: 92

Why might traffic still use an SD-WAN member even when its Performance SLA is failing?

Answer:

Because the SD-WAN rule may not be configured to enforce SLA-based selection.

Explanation:

Performance SLAs only influence path selection if the SD-WAN rule references that SLA and uses a strategy that respects SLA results, such as lowest cost (SLA) or priority with SLA filtering. If the rule is configured with a manual strategy or does not include the SLA in its configuration, the FortiGate may continue sending traffic through that link even if the SLA metrics exceed thresholds. Another possible cause is that all members fail the SLA, forcing the rule to choose a link anyway. Engineers often encounter this behavior when configuring redundant ISP circuits and expecting automatic failover without correctly associating the SLA with the rule logic.

Demand Score: 80

Exam Relevance Score: 90

Which command displays the configured SD-WAN services (rules) and their status?

Answer:

diagnose sys sdwan service

Explanation:

The command diagnose sys sdwan service lists all configured SD-WAN services (rules) and provides details such as rule IDs, strategies, and member selection logic. This command helps administrators verify whether rules are configured correctly and which members are eligible for traffic forwarding. When troubleshooting routing decisions, this output helps confirm that the rule exists, the correct strategy is configured, and the appropriate members are included. It is particularly useful when diagnosing cases where traffic unexpectedly follows the implicit rule rather than the intended SD-WAN policy.

Demand Score: 84

Exam Relevance Score: 89

What is the purpose of the update static route option in an SD-WAN Performance SLA?

Answer:

It removes the associated static route when the SLA fails.

Explanation:

The update static route option dynamically modifies the routing table based on the status of a Performance SLA. When the SLA fails, the associated static route is withdrawn from the routing table. This prevents traffic from being forwarded through that link entirely. Without this option, the route remains in the routing table, but SD-WAN rules simply avoid using that member if it fails the SLA. Engineers must use this option carefully because removing routes can affect routing convergence and troubleshooting visibility. In many designs, administrators rely on SD-WAN rule logic rather than altering the routing table directly.

Demand Score: 78

Exam Relevance Score: 88

 NSE7_SDW-7.2 Study Plan NSE7_SDW-7.2 Study Methods And Exam Tips NSE7_SDW-7.2 Training Details
NSE7_SDW-7.2 Training Course
$68$29.99
Related Products
NSE7_SDW-7.2 Training Course