SD-WAN VPN policies on MX in One-Armed Concentrator Mode
If an MX is used in One-Armed Concentrator Mode (terminating tunnels from MPLS and Internet) and traffic is sourced from a network behind the Layer 3 device to which this MX is connected, on what basis would the Auto-VPN tunnel for that traffic be chosen?
This question arises because on the branch site there's an SD-WAN policy configured which, e.g., forces RDP/Citrix traffic to be routed only through the tunnel that uses a private MPLS as underlay (the second one is an Internet link)!
Re: SD-WAN VPN policies on MX in One-Armed Concentrator Mode
@whistleblower : An MX Security Appliance operating in one-armed concentrator mode sends and receives traffic on a single interface. This interface will always be the first Internet or WAN port on the unit. A secondary port is not supported when deployed as a VPN concentrator.
Regards, Inderdeep Singh www.thenetworkdna.com (Awarded by Cisco IT Blogs award 2020)
The summary is that the Concentrator doesn’t know which AutoVPN tunnel to use, so it initially just picks one. However, when the Spoke replies it will make its choice based on the defined rules, and then the Concentrator will switch to use whichever AutoVPN tunnel the Spoke replied on.