Barracuda CloudGen Firewall

How to Configure Traffic Duplication for VPN Tunnels with SD-WAN

Traffic Duplication copies packets and sends them over the primary and secondary transport simultaneously to ensure that traffic continues uninterrupted even if one VPN transport goes down. At the other VPN endpoint, the packet stream is reassembled. Traffic Duplication should be used only for critical, real-time traffic using two transports with the same latency and bandwidth.
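
To make the mechanism concrete, here is a small simulation added to this page (it is not Barracuda code and does not claim to show how the CloudGen Firewall implements duplication internally): a sender stamps each packet with a sequence number and copies it onto both transports, and the receiver delivers each sequence number once and discards the second copy. The Transport, DuplicatingSender and DeduplicatingReceiver names and the per-transport latency model are assumptions made for illustration. The scenario with fail_primary_after shows the property stated above: when one transport goes down mid-stream, every payload is still delivered exactly once.

```python
"""Illustrative model of VPN traffic duplication over two transports.

Added example for this page; not Barracuda code. Names, the latency model
and the sample payloads are constructed for the illustration.
"""
from dataclasses import dataclass, field
import heapq


@dataclass(order=True)
class Packet:
    arrival: float                          # simulated arrival time (ms) at the remote endpoint
    seq: int                                # sequence number stamped by the sending endpoint
    transport: str = field(compare=False)   # "primary" or "secondary"
    payload: bytes = field(compare=False)


@dataclass
class Transport:
    name: str
    latency_ms: float
    up: bool = True

    def send(self, seq, payload, now):
        """Return the packet as it will arrive remotely, or None if the link is down."""
        if not self.up:
            return None
        return Packet(now + self.latency_ms, seq, self.name, payload)


class DuplicatingSender:
    def __init__(self, primary, secondary):
        self.transports = (primary, secondary)
        self.seq = 0

    def send(self, payload, now):
        """Copy one payload onto every transport that is currently up."""
        self.seq += 1
        return [p for p in (t.send(self.seq, payload, now) for t in self.transports) if p]


class DeduplicatingReceiver:
    def __init__(self):
        self.next_seq = 1       # next sequence number owed to the application
        self.pending = {}       # seq -> payload, arrived early, waiting for in-order delivery
        self.delivered = []
        self.duplicates = 0     # copies discarded because the seq was already seen

    def receive(self, pkt):
        if pkt.seq < self.next_seq or pkt.seq in self.pending:
            self.duplicates += 1
            return
        self.pending[pkt.seq] = pkt.payload
        while self.next_seq in self.pending:
            self.delivered.append(self.pending.pop(self.next_seq))
            self.next_seq += 1


def run(payloads, primary, secondary, fail_primary_after=None, interval_ms=10.0):
    """Send one payload every interval_ms; optionally take the primary down at index fail_primary_after.

    Packets are replayed to the receiver in arrival order, so unequal latencies
    produce late duplicates and the receiver must discard them.
    """
    sender = DuplicatingSender(primary, secondary)
    receiver = DeduplicatingReceiver()
    in_flight = []
    for i, payload in enumerate(payloads):
        if fail_primary_after is not None and i >= fail_primary_after:
            primary.up = False
        for pkt in sender.send(payload, i * interval_ms):
            heapq.heappush(in_flight, pkt)
    while in_flight:
        receiver.receive(heapq.heappop(in_flight))
    return receiver


if __name__ == "__main__":
    frames = [f"frame-{i}".encode() for i in range(10)]   # constructed sample stream
    both_up = run(frames, Transport("primary", 20.0), Transport("secondary", 20.0))
    print("both up:     delivered", len(both_up.delivered), "discarded copies", both_up.duplicates)
    failover = run(frames, Transport("primary", 20.0), Transport("secondary", 20.0), fail_primary_after=5)
    print("primary down: delivered", len(failover.delivered), "discarded copies", failover.duplicates)
```

Running the module prints the delivered count and the number of discarded copies for the both-up and primary-down cases; in both, all ten frames reach the application once and in order.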

Limitations

  • Not available for transports using IPv6 VPN envelopes.
  • Latency (Round Trip Time) and bandwidth must be identical for both transports.

Before You Begin

Create a multi-transport VPN tunnel between two CloudGen Firewalls.

Step 2. Create a Custom Connection Object for the SD-WAN Primary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
  4. Enter the Name.
  5. From the Translated Source IP list, select Original Source IP.
  6. To edit the SD-WAN VPN settings, click Edit/Show. The SD-WAN Settings window opens.
  7. Configure the Transport Policies:
    • Transport Selection Policy – Select Explicit Transport Selection.
    • SD-WAN Learning Policy – Select Primary.
  8. Configure the Explicit Transport Selection:
    • Primary Transport Class – Select the primary transport.
    • Primary Transport ID – Select the ID for the primary transport.
    • Secondary Transport Class – Select the secondary transport.
    • Secondary Transport ID – Select the ID for the secondary transport.
  9. From the Error Protection drop-down list, select Traffic Duplication.
  10. Click OK.
  11. Click Send Changes and Activate.

Step 3. Create a Custom Connection Object for the SD-WAN Secondary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
  4. Enter the Name.
  5. From the Translated Source IP list, select Original Source IP.
  6. To edit the SD-WAN VPN settings, click Edit/Show. The SD-WAN Settings window opens.
  7. From the SD-WAN Learning Policy drop-down list, select Secondary.
  8. Configure the Explicit Transport Selection settings.
  9. From the Error Protection drop-down list, select Traffic Duplication.
  10. Click OK.
  11. Click Send Changes and Activate.

Step 4. Modify Access Rule on the Firewall Acting as SD-WAN Primary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule matching the VPN traffic you want to duplicate:
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks.
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the SD-WAN primary created in Step 2.
  4. Click OK.
  5. Click Send Changes and Activate.

Step 5. Modify Access Rule on the Firewall Acting as SD-WAN Secondary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule matching the VPN traffic you want to duplicate:
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks.
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the SD-WAN secondary created in Step 3.
  4. Click OK.
  5. Click Send Changes and Activate.

Traffic matching these access rules is now duplicated on the primary and secondary transport. Failure of one of the transports is completely transparent, and no packet is dropped. Traffic Duplication is not visualized in the VPN tab. To test Traffic Duplication, disable one transport: if traffic fails over instantly, with no packets dropped and no delay, Traffic Duplication is working correctly.