Policy Route Not Taking Effect
2025/10/29 · about 2 minutes
Symptom
The policy route is configured as follows.

config router policy
    edit 1
        set input-device "lan"
        set src "192.168.100.77/255.255.255.255"
        set dst "223.5.5.5/255.255.255.255"
        set gateway 10.10.12.1
        set output-device "wan1"
    next
end

In practice this policy route does not take effect. Listing the policy routes with diagnose firewall proute list shows this entry carrying a disable marker, even though the policy route is not disabled anywhere in its configuration.
Cause
The most likely cause is a link-monitor (or an SD-WAN health check) on the same interface. In the default configuration update-policy-route is enabled, so when the link-monitor's check state goes from UP to DOWN, FortiOS disables every policy route whose output interface is the monitored interface.

config system link-monitor
    edit "test"
        set srcintf "wan1"
        set server "10.10.12.1"
        set update-cascade-interface enable    // enabled by default
        set update-static-route enable         // enabled by default
        set update-policy-route enable         // enabled by default
    next
end

Here the link-monitor status is DOWN (state: dead, 100% packet loss to the peer), which is exactly what put the policy routes on that output interface into the disabled state.

FW1_FGT101F # diagnose sys link-monitor status
Link Monitor: test, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Wed Apr 24 16:19:13 2024
Source interface: wan1 (7)
VRF: 0
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
  Peer: 10.10.12.1(10.10.12.1)
        Source IP(10.10.12.2)
        Route: 10.10.12.2->10.10.12.1/32, gwy(10.10.12.2)
        protocol: ping, state: dead
                Packet lost: 100.000% MOS: 4.350
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(1/5)
                Packet sent: 1231, received: 287, Sequence(sent/rcvd/exp): 1232/475/476
Solution
Disable update-policy-route in the link-monitor.

config system link-monitor
    edit "test"
        set update-policy-route disable
    next
end

Listing the policy routes on that output interface again, the disable marker is gone and traffic matches the policy route correctly (hit_count is incrementing).

FW1_FGT101F # diagnose firewall proute list
list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=48(lan) dport=0-65535
path(1) oif=7(wan1) gwy=10.10.12.1
source wildcard(1): 192.168.100.77/255.255.255.255
destination wildcard(1): 223.5.5.5/255.255.255.255
hit_count=1 last_used=2024-04-24 16:32:24

Be aware of what this change trades away: with update-policy-route disabled, the policy route stays active even while the link-monitor reports the gateway dead, so matching traffic is sent to 10.10.12.1 regardless of whether the probe succeeds. The monitor above was reporting 100% loss to that peer; if the gateway is genuinely unreachable, the traffic is now black-holed instead of being rerouted. Before relying on this setting, confirm that the probe target (set server) is something that actually answers ping on that path, or accept that this policy route will no longer fail over automatically.
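The cause and the fix above both come down to correlating two diagnose outputs: a policy route whose output interface is the source interface of a dead link-monitor. The following Python script is an added example for this article, not FortiOS code: it parses the text that diagnose firewall proute list and diagnose sys link-monitor status print and reports which policy routes a dead monitor would have disabled via update-policy-route. The embedded captures are the article's own output plus one constructed wan2 policy route and one constructed "test2" monitor (both marked) so that the script also shows the negative case; the capture on the page was taken after the fix, so the disable marker itself is not present and the root cause is derived from the monitor state instead.

```python
#!/usr/bin/env python3
"""Correlate FortiGate policy-route and link-monitor diagnostics.

Added example for this article (not FortiOS code). It only parses the
text the two diagnose commands print; the samples below are the article's
output plus one constructed wan2 route and one constructed wan2 monitor.
"""
import re
from dataclasses import dataclass, field

# `diagnose firewall proute list`: article entry (id=1) + constructed id=2.
PROUTE_SAMPLE = """\
list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=48(lan) dport=0-65535
path(1) oif=7(wan1) gwy=10.10.12.1
source wildcard(1): 192.168.100.77/255.255.255.255
destination wildcard(1): 223.5.5.5/255.255.255.255
hit_count=1 last_used=2024-04-24 16:32:24

id=2(0x02) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=48(lan) dport=0-65535
path(1) oif=8(wan2) gwy=10.10.13.1
source wildcard(1): 192.168.100.78/255.255.255.255
destination wildcard(1): 223.5.5.5/255.255.255.255
hit_count=0 last_used=2024-04-24 16:32:24
"""

# `diagnose sys link-monitor status`: article monitor "test" (dead) +
# constructed monitor "test2" on wan2 (alive).
LINKMON_SAMPLE = """\
Link Monitor: test, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Wed Apr 24 16:19:13 2024
Source interface: wan1 (7)
VRF: 0
Interval: 500 ms
  Peer: 10.10.12.1(10.10.12.1)
        Source IP(10.10.12.2)
        protocol: ping, state: dead
                Packet lost: 100.000% MOS: 4.350
Link Monitor: test2, Status: alive, Server num(1), HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Wed Apr 24 16:19:13 2024
Source interface: wan2 (8)
VRF: 0
  Peer: 10.10.13.1(10.10.13.1)
        protocol: ping, state: alive
                Packet lost: 0.000%
"""


@dataclass
class PolicyRoute:
    id: int
    flags: int
    iif: str
    oif: str = ""
    gateway: str = ""
    hit_count: int = 0


@dataclass
class LinkMonitor:
    name: str
    status: str
    srcintf: str = ""
    peers: dict = field(default_factory=dict)  # peer IP -> probe state


def parse_proute(text):
    """Parse policy-route entries; each entry starts with an 'id=' line."""
    routes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"id=(\d+)\(.*?flags=(0x[0-9a-fA-F]+).*?iif=\d+\(([^)]+)\)", line)
        if m:
            cur = PolicyRoute(int(m.group(1)), int(m.group(2), 16), m.group(3))
            routes.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"oif=\d+\(([^)]+)\)\s+gwy=(\S+)", line)
        if m:
            cur.oif, cur.gateway = m.group(1), m.group(2)
        m = re.match(r"hit_count=(\d+)", line)
        if m:
            cur.hit_count = int(m.group(1))
    return routes


def parse_link_monitor(text):
    """Parse link-monitor blocks: name/status, source interface, peer states."""
    mons, cur, peer = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Link Monitor: ([^,]+), Status: (\w+)", line)
        if m:
            cur, peer = LinkMonitor(m.group(1), m.group(2)), None
            mons.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"Source interface: (\S+)", line)
        if m:
            cur.srcintf = m.group(1)
        m = re.match(r"Peer: ([^(\s]+)\(", line)
        if m:
            peer = m.group(1)
        m = re.match(r"protocol: \w+, state: (\w+)", line)
        if m and peer:
            cur.peers[peer] = m.group(1)
    return mons


def correlate(routes, monitors):
    """(route id, monitor name) for routes whose oif has a dead link-monitor.

    With update-policy-route enabled (the default) these are the routes
    FortiOS disables, which is the symptom described in the article.
    """
    dead = {m.srcintf: m.name for m in monitors if m.status == "dead"}
    return [(r.id, dead[r.oif]) for r in routes if r.oif in dead]


if __name__ == "__main__":
    for rid, mon in correlate(parse_proute(PROUTE_SAMPLE), parse_link_monitor(LINKMON_SAMPLE)):
        print(f"policy route {rid}: disabled by dead link-monitor '{mon}' "
              f"(update-policy-route); check the probe target before disabling it")
```

Run it against saved copies of the two command outputs to get a list of policy routes that a dead monitor has pulled out of service; route 2 on wan2 is deliberately not reported, because its monitor is alive. The flags field is parsed but not interpreted, since the page does not document the bit that encodes the disable marker.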