SD-WAN Backup Interface

SD-WAN working well using 2 VPN tunnels over different WAN connections. If one drops, user sessions are preserved and they don't notice any problem, as opposed to traditional failover. Even VOIP calls are not interrupted if I down one of the tunnels on the fly. So that piece is excellent.

However, the only tuning available on the group is latency, jitter, and packet loss. In general, both WAN connections are very solid, but one is much faster than the other. I added them to the SD-WAN group in order, but the SD-WAN is load balancing the traffic somehow without any consideration for speed. So the slower connection is often clearly in use, and you can see it if you grab a large file and download it and watch the download speed.

This works, and the speed isn't terrible, about 8-9Mbps. But the other connection maxes out at about 19Mbps, so I would rather use that unless it's in really bad shape.

The SD-WAN policies only allow me to measure latency, jitter, and packet loss. So I notice in the path selection profiles, there is something called a "Backup Interface". Can I use that to designate one of the interfaces as a backup interface, so it will always prefer the faster one unless it fails its probe? I cannot find any documentation on what that setting does. It WILL allow me to select one of the tunnels that is already part of the SD-WAN group, so I assume this is what I'm looking for. I could just test this on the fly but if there is documentation about that setting that anyone has found that would be helpful. Testing on the fly is difficult because the connection is always in use and I have to schedule down time, and because the traffic/speed is somewhat random. So I won't know right away if it's working, or if the SD-WAN connection just happens to be sending me over the faster tunnel at the moment.

Category: Mid Range Firewalls


  slansing

    Looks like the "Backup Interface" just tells SD-WAN which interface to use if both fail the metric tests, too much latency or jitter. So this will not address my problem. I have tested it, and since added backup interfaces to all of the SD-WAN paths.

    It looks like there is just no way to get SD-WAN to aggressively prefer the much faster path.

