Overview
SDWAN can be configured to use an Automatic Tunnel Configuration.
https://docs.umbrella.com/umbrella-user-guide/docs/dd-auto-tunnel-viptela
This configuration allows the device(s) to be configured automatically to connect to SWG, and the destination is selected automatically as well. It uses the following DNS records to look up this destination.
global-a.vpn.sig.umbrella.com
global-b.vpn.sig.umbrella.com
The above will return the closest DC based on their Region Code. It is helpful to refer to our Datacenter Documentation in order to be able to predict which resolvers the customer will get.
In the case of a customer in Paris:
Global A (Primary) should return: 146.112.102.8 (Paris)
Global B (Secondary) should return: 146.112.103.8 (Prague)
This makes logical sense, as Paris is closer. A customer located in Prague will receive the same information, because they are also connecting to EU-2.
This means that despite the fact that the hypothetical customer is located in Prague, when they set up an Auto-Tunnel in SDWAN, they will have Paris as their Primary Tunnel. For clarity: in Prague, the customer should expect the same records since they are in the same "Region Code":
Global A (Primary) should return: 146.112.102.8 (Paris)
Global B (Secondary) should return: 146.112.103.8 (Prague)
This may result in some confusion since it would appear that we are not routing to the most optimal Datacenter.
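The check described above can be scripted. The following is an added example, not Cisco's own tooling: it resolves both records and reports whether the site's nearest DC came back as primary or as secondary. The `nearest_dc` parameter, the verdict strings and the two-entry IP map (built only from the addresses quoted in this article) are assumptions.

```python
import socket

# Hostnames are from the article; the IP-to-DC map holds only the two
# addresses the article quotes for the EU-2 region.
AUTO_TUNNEL_RECORDS = {
    "primary": "global-a.vpn.sig.umbrella.com",
    "secondary": "global-b.vpn.sig.umbrella.com",
}
KNOWN_DCS = {"146.112.102.8": "Paris", "146.112.103.8": "Prague"}


def system_resolver(hostname):
    """Return the sorted IPv4 addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_auto_tunnel(nearest_dc, resolver=system_resolver):
    """Resolve both records and report where the nearest DC landed.

    nearest_dc is the DC the operator expects to be closest (hypothetical
    parameter, e.g. "Prague"). resolver can be swapped for offline testing.
    """
    report = {}
    for role, hostname in AUTO_TUNNEL_RECORDS.items():
        try:
            ips = resolver(hostname)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[role] = {"hostname": hostname, "error": str(exc)}
            continue
        report[role] = {
            "hostname": hostname,
            "ips": ips,
            "dcs": [KNOWN_DCS.get(ip, "unknown") for ip in ips],
        }
    primary = report["primary"].get("dcs", [])
    secondary = report["secondary"].get("dcs", [])
    if nearest_dc in primary:
        report["verdict"] = "primary-is-nearest"
    elif nearest_dc in secondary:
        # The Prague case from the article: by design, not a bug.
        report["verdict"] = "nearest-is-secondary"
    else:
        report["verdict"] = "nearest-not-returned"
    return report
```

Run `check_auto_tunnel("Prague")` from a host at the site in question, so the answers reflect what that site's resolver actually returns.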
Remediation
It is important to stress that this is not a bug; this is functioning as designed.
There are a couple of options available:
- Upgrade to the latest version of SDWAN, which allows the customer to reverse the DC selection
- Follow the instructions for manual tunnel configuration (V-Edge | C-Edge)
UPDATE: The latest version of vManage actually allows you to specify which DCs you want to select exactly via autotunnel.