Branch behind CGNAT & SDWAN overlay

Hi community,

I've noticed that sometimes an SD-WAN branch behind a NAT device can connect to another SD-WAN branch behind a NAT device, but sometimes it cannot. If one SD-WAN branch has a public IP, then it can connect to any SD-WAN branch.

Can you please explain why this behaviour can happen and how I can troubleshoot or fix SD-WAN connectivity between two branches that are both behind NAT devices?

Thank you!

Comments

Hi fun4net,

I suspect that the difference in behaviour between those branches comes from the fact that some of them are behind NAT devices with Endpoint-Independent Mapping (EIM), and some behind NAT devices with Endpoint-Dependent Mapping (EDM). To ensure that SD-WAN branches behind NAT can establish a tunnel with each other, it is suggested to have both of them behind NAT with EIM enabled. In certain scenarios, having one branch behind NAT with EIM and the other behind NAT with EDM may also work. Having both branches behind NAT with EDM will cause a problem.

Endpoint-Independent Mapping (EIM) is a characteristic of Carrier-Grade NAT (CGNAT) behaviour that determines how the NAT device manages external ports in relation to internal (private) source IP addresses and ports.

When EIM is enabled, the NAT device assigns the same external port for all connections originating from the same internal source IP and port, regardless of the external destination. This creates a consistent mapping between the internal and external endpoints.

You can check SD-WAN tunnel establishment details using the VOS CLI command:

show orgs org <ORG_NAME> sd-wan detail <REMOTE_BRANCH_NAME>

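The following toy model is added here to illustrate the EIM/EDM point made in the comment above; it is not Versa code and not part of the original thread. Every IP address, port and branch name in it is made up. It models a NAT as a mapping policy (EIM or EDM) plus an inbound filtering policy (endpoint-independent, i.e. full cone, or address-and-port-dependent, which is the usual CGNAT default); the filtering policy is an assumption added to the model, since the comment only talks about mapping. Each branch first sends to a controller, which records the public address:port it observed, and both branches then try to reach each other at the address the controller recorded, the way an SD-WAN controller advertises peer addresses.

```python
"""Toy model of UDP hole punching between two SD-WAN branches behind NAT.
Added illustration for this thread, not Versa code; all addresses are constructed."""
import itertools

CONTROLLER = ("198.51.100.1", 4790)  # constructed controller address


class Nat:
    """mapping: 'EIM' or 'EDM'; filtering: 'EIF' (full cone) or 'APDF'
    (address-and-port-dependent, assumed here as the common CGNAT default)."""

    def __init__(self, public_ip, mapping, filtering="APDF", first_port=40000):
        self.public_ip, self.mapping, self.filtering = public_ip, mapping, filtering
        self._ports = itertools.count(first_port)
        self._table = {}  # mapping key -> external port
        self._sent = {}   # external port -> set of remote (ip, port) already contacted

    def outbound(self, src, dst):
        """Translate an outbound packet; return the external (ip, port) the remote sees."""
        key = src if self.mapping == "EIM" else (src, dst)  # EDM: a new port per destination
        if key not in self._table:
            self._table[key] = next(self._ports)
        port = self._table[key]
        self._sent.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound_allowed(self, port, remote):
        """Would an inbound packet from `remote` to external `port` be forwarded?"""
        if port not in self._sent:
            return False  # no mapping exists for that port
        if self.filtering == "EIF":
            return True   # full cone: anyone may use the hole
        return remote in self._sent[port]  # APDF: only remotes this mapping already sent to


class Branch:
    def __init__(self, name, private, public_ip, nat=None):
        self.name, self.private, self.public_ip, self.nat = name, private, public_ip, nat
        self.peer_addr = None  # where this branch currently believes the peer is

    def send(self, dst):
        """Return the source (ip, port) a receiver observes for a packet to dst."""
        if self.nat is None:  # branch owns the public IP, no translation
            return (self.public_ip, self.private[1])
        return self.nat.outbound(self.private, dst)

    def accepts(self, dst, remote):
        """Does a packet from `remote` addressed to `dst` reach the private host?"""
        if self.nat is None:
            return dst == (self.public_ip, self.private[1])
        return dst[0] == self.nat.public_ip and self.nat.inbound_allowed(dst[1], remote)


def deliver(sender, receiver, dst):
    """One packet from sender towards dst; on arrival the receiver learns the real source."""
    observed = sender.send(dst)
    if receiver.accepts(dst, observed):
        receiver.peer_addr = observed
        return True
    return False


def hole_punch(a, b, rounds=3):
    """Register both branches with the controller, then let them punch for a few rounds."""
    a.peer_addr = b.send(CONTROLLER)  # controller tells A the address it saw from B
    b.peer_addr = a.send(CONTROLLER)  # and tells B what it saw from A
    for _ in range(rounds):
        ok_ab = deliver(a, b, a.peer_addr)
        ok_ba = deliver(b, a, b.peer_addr)
        if ok_ab and ok_ba:
            return True
    return False


def make_branch(name, private_ip, public_ip, nat_spec):
    """nat_spec is None (branch has the public IP itself) or (mapping, filtering)."""
    nat = None if nat_spec is None else Nat(public_ip, *nat_spec)
    return Branch(name, (private_ip, 4790), public_ip, nat)


def try_pair(nat_a, nat_b):
    """Build two fresh branches and report whether the overlay tunnel would come up."""
    a = make_branch("A", "10.0.0.2", "203.0.113.10", nat_a)
    b = make_branch("B", "10.0.1.2", "203.0.113.20", nat_b)
    return hole_punch(a, b)


if __name__ == "__main__":
    cases = {
        "EIM+APDF  vs EIM+APDF": (("EIM", "APDF"), ("EIM", "APDF")),
        "EDM+APDF  vs EIM+EIF ": (("EDM", "APDF"), ("EIM", "EIF")),
        "EDM+APDF  vs EIM+APDF": (("EDM", "APDF"), ("EIM", "APDF")),
        "EDM+APDF  vs EDM+APDF": (("EDM", "APDF"), ("EDM", "APDF")),
        "public IP vs EDM+APDF": (None, ("EDM", "APDF")),
    }
    for label, (na, nb) in cases.items():
        print(f"{label}: {'tunnel up' if try_pair(na, nb) else 'FAILED'}")
```

Running it reproduces the comment's three claims: two EIM NATs always converge (the second round succeeds once both sides have sent once), two EDM NATs never do (each side keeps sending to a port the other NAT only opened towards the controller), and EIM plus EDM works only when the EIM side also has endpoint-independent filtering, which is the "certain scenarios" qualifier. A branch with its own public IP reaches an EDM peer because it can simply reply to whatever source port the EDM NAT chose.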