Conditional Backhaul (CBH) is a feature designed for Hybrid SD-WAN branch deployments that have at least one Public and one Private link.

Use case 1: Public Internet Link Failure

Whenever a Public Internet link fails on a VMware SD-WAN Edge, the tunnels to the VMware SD-WAN Gateway, to the Cloud Security Service (CSS), and the Direct breakout to the Internet cannot be established. In this scenario, the Conditional Backhaul feature, if activated, uses the connectivity over the Private links to the designated Backhaul Hubs: the SD-WAN Edge fails Internet-bound traffic over to the Private overlays toward the Hub, which provides reachability to Internet destinations.

Whenever the Public Internet link fails and Conditional Backhaul is activated, the Edge can fail over the following Internet-bound traffic types:

  1. Direct to Internet
  2. Internet via SD-WAN Gateway
  3. Cloud Security Service traffic

Under normal operations, the Public link is UP and Internet-bound traffic will flow normally either Direct or via SD-WAN Gateway as per the Business Policies configured.

When the Public Internet link goes DOWN, or the SD-WAN Overlay path goes to QUIET state (no packets received from Gateway after 7 heartbeats), the Internet-bound traffic is dynamically backhauled to the Hub.

The Business Policy configured on the Hub determines how this traffic is forwarded once it reaches the Hub. The options are:
  • Direct from Hub
  • Hub to Gateway and then breakout from the Gateway

When the Public Internet link comes back, CBH attempts to move the traffic flows back to the Public link. To prevent an unstable link from making traffic flap between the Public and Private links, CBH has a default holdoff timer of 30 seconds. Flows are failed back to the Public Internet link only after the holdoff timer expires.

Use case 2: Cloud Security Service (CSS) Link Failure

Whenever there is a CSS (Zscaler) link failure on an SD-WAN Edge while the Public Internet link is still up, the tunnels to the CSS cannot be established and the traffic destined for the CSS is black-holed. In this scenario, the Conditional Backhaul feature, if activated, allows the Business Policy to conditionally backhaul that traffic to the Hub.

Policy-based Conditional Backhaul gives the SD-WAN Edge the ability to fail over Internet-bound traffic that uses the CSS link based on the status of the CSS tunnel, irrespective of the status of the Public links.

For CSS traffic, CBH is effective only if:
  • The CSS tunnels on all segments in the VPN profile go down.
  • No secondary CSS tunnel is available. If the primary CSS tunnel goes down and a secondary CSS tunnel is configured, the Internet traffic is not conditionally backhauled; it uses the secondary CSS tunnel instead.

When the CSS tunnels are DOWN while the Public Internet link is UP, the Internet-bound traffic that uses the CSS link is dynamically backhauled to the Hub, irrespective of the status of the Public link.

When the tunnels to the CSS come back, CBH moves the traffic flows back to the CSS and the traffic is no longer conditionally backhauled.

Behavioral Characteristics of Conditional Backhaul

  • When Conditional Backhaul is activated, all Business Policy rules at the branch level are by default subject to failover through CBH. You can exclude the traffic of selected policies from Conditional Backhaul by deactivating the feature at the level of those Business Policy rules.
  • Conditional Backhaul does not affect existing flows that are already being backhauled to a Hub when the Public link(s) go down. Those flows continue to forward data through the same Hub.
  • If a branch location has backup Public links, the backup Public link takes precedence over CBH. CBH is triggered, and uses the Private link, only when both the primary and the backup Public links are inoperable.
  • If a Private link is configured as the backup link, traffic fails over to that Private link through CBH when the active Public link fails and the Private backup link becomes active.
  • For the feature to work, both the Branches and the Conditional Backhaul Hubs must have the same Private Network name assigned to their Private links. (Otherwise the Private tunnel does not come up.)
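The rules from the two use cases and the list above are easier to reason about when written as a small executable model. The following Python is an added example and not VMware code: it encodes the documented precedence (backup Public link before CBH, CSS tunnel state decided independently of the Public link, secondary CSS tunnel before CBH, 7 missed heartbeats for a QUIET overlay, the 30-second fail-back holdoff, matching Private Network names, first Hub in the list unless it lost its Gateway). The class and function names, the per-segment CSS model, and the link and hub names are assumptions made for the illustration.

```python
"""Executable model of the Conditional Backhaul (CBH) decision rules on this page.

Added example, not VMware code: it encodes the documented precedence rules so a
practitioner can check which path an Internet-bound flow takes for a given link
state. Names and the per-segment CSS model are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

HEARTBEATS_TO_QUIET = 7       # overlay goes QUIET after 7 heartbeats with no Gateway packets
DEFAULT_HOLDOFF_SECONDS = 30  # default fail-back holdoff once the Public link returns


class Path(Enum):
    PUBLIC = "Public link (Direct or via SD-WAN Gateway)"
    CSS = "Cloud Security Service tunnel"
    CBH = "Private overlay to Backhaul Hub"
    BLACKHOLE = "no usable path"


@dataclass
class Link:
    name: str
    public: bool
    up: bool = True
    missed_heartbeats: int = 0   # consecutive Gateway heartbeats missed on the overlay

    def usable(self) -> bool:
        return self.up and self.missed_heartbeats < HEARTBEATS_TO_QUIET


@dataclass
class Hub:
    name: str
    gateway_connected: bool = True


@dataclass
class CssTunnels:
    primary_up: bool
    secondary_up: Optional[bool] = None  # None = no secondary tunnel configured

    def usable(self) -> bool:
        return self.primary_up or bool(self.secondary_up)


@dataclass
class Edge:
    links: list
    hubs: list                                  # candidate Backhaul Hubs, in list order
    cbh_enabled: bool = True
    private_network_name: str = "MPLS-A"        # constructed Private Network names
    hub_private_network_name: str = "MPLS-A"
    css: dict = field(default_factory=dict)     # segment -> CssTunnels
    public_restored_at: Optional[float] = None  # time the Public link last came back

    def public_usable(self) -> bool:
        # Any usable Public link, primary or backup, takes precedence over CBH.
        return any(l.usable() for l in self.links if l.public)

    def backhaul_hub(self) -> Optional[Hub]:
        # The Private tunnel only forms when the Private Network names match and a
        # Private link is UP; the first listed Hub wins unless it lost its Gateway.
        if self.private_network_name != self.hub_private_network_name:
            return None
        if not any(l.up for l in self.links if not l.public):
            return None
        return next((h for h in self.hubs if h.gateway_connected), None)

    def css_all_down(self) -> bool:
        # Documented trigger: CSS tunnels on all segments of the profile are down.
        return bool(self.css) and not any(t.usable() for t in self.css.values())


def select_path(edge: Edge, now: float, segment: str = "Global",
                uses_css: bool = False, rule_cbh: bool = True,
                current: Optional[Path] = None) -> Path:
    """Path for one Internet-bound flow at time `now` (seconds).

    rule_cbh=False models the 'Turn off Conditional Backhaul' action on the rule;
    `current` is the path the flow is on now, needed for the fail-back holdoff.
    """
    cbh_available = edge.cbh_enabled and rule_cbh and edge.backhaul_hub() is not None

    if uses_css:
        # Use case 2: decided on CSS tunnel state, irrespective of the Public link.
        tunnels = edge.css.get(segment)
        if tunnels is not None and tunnels.usable():
            return Path.CSS  # a secondary CSS tunnel is preferred over CBH
        if edge.css_all_down() and cbh_available:
            return Path.CBH
        return Path.BLACKHOLE  # assumption: tunnels down in this segment only, or no CBH

    # Use case 1: Direct and via-Gateway traffic follows the Public link state.
    if edge.public_usable():
        if (current is Path.CBH and edge.public_restored_at is not None
                and now - edge.public_restored_at < DEFAULT_HOLDOFF_SECONDS):
            return Path.CBH  # holdoff: no fail-back during the first 30 s
        return Path.PUBLIC
    return Path.CBH if cbh_available else Path.BLACKHOLE


if __name__ == "__main__":
    # Constructed scenario: one Public and one Private link, two candidate Hubs.
    edge = Edge(links=[Link("GE1", public=True), Link("GE2", public=False)],
                hubs=[Hub("Hub-A", gateway_connected=False), Hub("Hub-B")],
                css={"Global": CssTunnels(primary_up=True)})
    print("Public UP:", select_path(edge, now=0).value)
    edge.links[0].missed_heartbeats = HEARTBEATS_TO_QUIET
    print("Overlay QUIET:", select_path(edge, now=0).value, "via", edge.backhaul_hub().name)
```

Run it directly to step through the Public-link scenario; the CSS scenario is exercised by passing `uses_css=True` and toggling `CssTunnels.primary_up` and `secondary_up`. Note that the 7-heartbeat QUIET threshold and 30-second holdoff are the documented defaults; the model does not claim how the Edge measures them internally.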

Configuring Conditional Backhaul

At the Profile level, to configure Conditional Backhaul, activate Cloud VPN and then establish the VPN connection between the Branch and the SD-WAN Hubs by performing the following steps:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles.
  2. Select a profile or click the View link in the Device column. The Device settings page for the selected profile appears.
  3. From the Segment drop-down menu, select a profile segment to configure Conditional Backhaul. By default, Global Segment [Regular] is selected.
    Note: The Conditional Backhaul feature is Segment-aware and therefore must be activated at each Segment where it is intended to work.
  4. Go to VPN Services area and activate Cloud VPN by turning the toggle button to On.
  5. Select the Enable Branch to Hubs check box.
  6. Click the Edit Hubs link. The Add Hubs window for the selected profile appears.

    From Hubs area, select the Hubs to act as Backhaul Hubs and move them to Backhaul Hubs area by using the arrows.

  7. To activate Conditional Backhaul, select the Enable Conditional BackHaul check box.
    With Conditional Backhaul activated, the SD-WAN Edge can fail over:
    • Internet-bound traffic (Direct Internet traffic, Internet via SD-WAN Gateway, and Cloud Security traffic via IPsec) to MPLS links whenever no Public Internet link is available.
    • Internet-bound CSS traffic to the Hub whenever there is a CSS (Zscaler) link failure on the SD-WAN Edge while the Public Internet link is still up.
    When activated, Conditional Backhaul applies to all Business Policies by default. To exclude selected traffic (Direct, Multi-Path, and CSS) from this behavior, deactivate Conditional Backhaul for the relevant policies by selecting the Turn off Conditional Backhaul check box in the Action area of the Configure Rule screen for each such business policy. For more information, see Configure Network Service for Business Policy Rule.

    Note:
    • Conditional Backhaul and SD-WAN Reachability can work together on the same Edge. Both support failover of Cloud-bound Gateway traffic to MPLS when the Public Internet is down on the Edge. If Conditional Backhaul is activated, there is no path to the Gateway, and there is a path to the Hub via MPLS, then both Direct and Gateway-bound traffic are subject to Conditional Backhaul. For more information about SD-WAN Reachability, see SD-WAN Service Reachability via MPLS.
    • When there are multiple candidate Hubs, Conditional Backhaul uses the first Hub in the list unless that Hub has lost connectivity to the Gateway.
  8. Click Save Changes.

Troubleshooting Conditional Backhaul

Consider Business Policy rules created at the Branch level that match specific destination IP addresses. You can check whether the constant pings to each of these destinations are active as flows on the Branch by running the List Active Flows command from the Remote Diagnostics section.

For more information, see the Remote Diagnostic Tests on Edges section in the VMware SD-WAN Troubleshooting Guide published at https://docs.vmware.com/en/VMware-SD-WAN/index.html.

If the Public link of the Branch suffers extreme packet loss or goes down, the same flows toggle to Internet Backhaul at the Branch, which is visible in the List Active Flows output.
Note: The Business Policy on the Hub determines how the Hub forwards the traffic. Because the Hub has no specific rule for these flows, they are categorized as default traffic. For this scenario, a Business Policy rule can be created at the Hub level that matches the desired IPs or subnet ranges, to define how flows from a specific Branch are handled when Conditional Backhaul becomes operational.