
Limitations and Precautions for Intelligent Uplink Selection

Read limitations and precautions before configuring intelligent uplink selection.

Hardware Requirements

The intelligent uplink selection function is supported by all models.

All models except USG6635E/6655E, USG6680E and USG6712E/6716E can apply health check and link quality indicators in the global route selection policy or multi-ISP PBR.

Only the USG6610E/6620E, USG6630E/6650E, USG6680E and USG6712E/6716E support the function of automatically disabling the backup interface (using the standby-interface status down command).

License Requirements

The smart DNS function is content security component license-controlled. For details about the license control scopes, see the License Control Items.

The global route selection policy, PBR, ISP link selection, DNS transparent proxy, and health check are not license-controlled.

Component Package Requirements

To use the smart DNS function, you need to load the content security component package. For details about the component package, see Dynamic Loading.

You do not need to load the component package for the global route selection policy, PBR, ISP link selection, DNS transparent proxy, and health check.

Intelligent Uplink Selection Limitations

  • The FW does not perform global intelligent uplink selection for traffic received and sent from itself.
  • Intelligent uplink selection for IPv6 traffic is not supported. When an interface receives both IPv4 and IPv6 traffic, the intelligent uplink selection module only collects statistics on and processes IPv4 traffic.
  • If overload protection is configured on an intelligent uplink selection interface and both IPv4 and IPv6 traffic exists on the interface, the intelligent uplink selection module does not collect IPv6 traffic statistics. As a result, it is possible that the overload protection function fails to take effect even if the interface has already been overloaded.
  • If traffic does not match a NAT policy and a link does not meet link quality requirements, the link is excluded from intelligent uplink selection for new traffic regardless of whether the sticky session function is enabled. The device then selects a link among those meeting link quality requirements.
  • When DNS transparent proxy and the global route selection policy or PBR-based intelligent uplink selection are used together, you are advised to select other routing modes instead of load balancing by link quality. If load balancing by link quality is selected, load balancing is based on link bandwidth.
  • PBR supports IPv6, but multi-egress PBR does not support IPv6 packet forwarding.
  • PBR can be configured for inter-virtual system forwarding, but only the root system administrator can configure packet forwarding between virtual systems based on policy-based routes. Virtual system administrators do not have this permission. They cannot run the action pbr vpn-instance vpn-instance-name command but can run the undo action pbr vpn-instance vpn-instance-name command.
  • PBR does not support forwarding IPv6 packets across virtual systems.
  • DNS transparent proxy and smart DNS do not support IPv6.

Intelligent Uplink Selection Precautions

  • PBR-based intelligent uplink selection cannot be used together with the IP spoofing attack defense or URPF function. If the IP spoofing attack defense or URPF function is enabled, the FW may discard packets.
  • In the intelligent uplink selection scenario where traffic is load balanced by link bandwidth, if the link of the outbound interface is Down, overloaded, or does not meet link quality requirements, the FW excludes the link. When the FW selects links among the remaining available links, traffic may be unevenly distributed for the established sessions.
  • The global route selection policy checks all outbound interfaces of equal-cost routes. If the outbound interface of an equal-cost route is not configured as a route selection member, the global route selection policy does not take effect.
  • Enabling the sticky session function affects intelligent uplink selection. For example:
    • When an intelligent uplink selection interface is Down, the FW deletes all sticky session entries, and all traffic matching the intelligent route selection policy is forwarded by another intelligent uplink selection interface. When the interface is Up again, only the traffic of new users may select this interface. Therefore, the volume of traffic forwarded by this interface will grow very slowly. In such cases, you may need to manually clear the sticky session table, which may cause link switchover for some users.
    • When the intelligent uplink selection mode is set to active/standby backup by link priority, once the traffic forwarded by a high-priority interface reaches the overload protection threshold or the link where the interface resides does not meet the link quality requirements, the traffic of new users will be forwarded by a low-priority interface. In this case, the low-priority interface may always have traffic.
    • When the intelligent uplink selection mode is set to active/standby backup by link priority, if the function of automatically disabling the backup interface is enabled, the sticky session function may be limited. In this case, the low-priority interface is Up only when the high-priority interface is Down or overloaded. When the high-priority interface returns to normal, the low-priority interface becomes Down. Therefore, the link for the traffic forwarded by the low-priority interface will be switched.
    • When enabling sticky load balancing, properly set the number of subnet mask bits based on the network traffic model. Otherwise, traffic is not evenly load balanced among links. For example, if source IP address-based sticky load balancing is enabled and the number of source subnet mask bits is set to 16, the flows with the source IP addresses (mask length is 16) from the same network source segment are always forwarded by the same outbound interface. If most source IP addresses of flows belong to the same network segment (namely, the mask length is 16), most flows are forwarded over the same link.
  • When the FW functions as an egress gateway and a DNS server is deployed on the enterprise intranet, the DNS transparent proxy function does not take effect, because DNS query messages are forwarded to the intranet DNS server for domain name analysis, and the FW is not used for DNS transparent proxy on these DNS query messages.
  • When the DNS transparent proxy function and intelligent uplink selection function are used together and if the health check of the DNS transparent proxy and the health check on the intelligent uplink selection interface both need to be enabled, you are advised to set the detection destination address to the DNS server address bound to the interface and set the detection protocol to DNS. This is to ensure that the two health check results are the same and the DNS proxy can always be supported when the interface link is normal, preventing service access failures caused by DNS request failures.
  • Generally, DNS transparent proxy and ISP Link Selection must be used together. DNS transparent proxy implements load balancing on DNS requests, and ISP link selection guides the packets to specific ISP links. ISP link selection ensures that users access a server through the ISP network where the server resides, preventing cross-ISP network access.
  • Smart DNS modifies DNS reply packets based on the smart DNS mapping table. The mapping table records the mapping between outbound interfaces and the substituted DNS server addresses. The substituted DNS server addresses must be public IP addresses.
  • When configuring the protocol and port for health check, ensure that the protocol and port have been enabled on the peer. Otherwise, the check will fail. If the peer is a network device, ICMP is recommended.
  • Probe packets for health check are not subject to security policies and are permitted by default. Therefore, you do not need to configure security policies.
  • After you specify the outbound interface of link health check, the outbound interface of health probe packets may be inconsistent with the inbound interface of reply packets. For the two interfaces to be the same, run the source-ip ip-address command to specify the source IP address of probe packets as the IP address of the outbound interface.
  • After configuring health check, ensure that the probe packets and response packets can be properly routed.
  • Health check supports the detection of IPv6 addresses using only the ICMPv6 protocol. In addition, the source IP address of detection packets cannot be specified and is the IPv6 address of the outbound interface by default.
  • To prevent IP-Link and health check detection packets from being discarded due to high CPU usage or an overloaded interface, the device preferentially processes detection packets of the first 10 detection items of IP-Link and health check in a non-virtual system scenario. The device processes detection packets of the excess detection items according to the normal process. However, in a virtual system scenario, the public system and virtual systems share the specification of 10 detection items whose detection packets are preferentially processed. To prevent IP-Link and health check status flapping in virtual systems, for detection packets forwarded across the public system, configure a traffic diversion table (using the firewall import-flow public or firewall ipv6 import-flow public command) in the public system to divert packets destined for the IP address in a virtual system to the corresponding virtual system. This delivers the same effect as in a non-virtual system scenario; for detection packets forwarded across a non-public virtual system, the device does not preferentially process the detection packets of the first 10 detection items but processes them according to the normal process.
  • In load balancing based on link quality, the first packet that matches the PBR rule for the first time is forwarded in equal-cost route mode because the link quality detection entry (displayed using the display priority-of-link-quality table command) has not been generated. In addition, a session entry is created. Subsequent packets that match the session entry are directly forwarded. Those subsequent packets are forwarded based on policy-based routing only after link quality detection entries are generated and the session entry created for the first packet is aged.
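A small Python simulation of the sticky load balancing precaution above (the subnet mask bits example), added here as an illustration and not taken from the device or its documentation: flows are keyed on the source address masked to the configured number of mask bits, so a /16 mask sends every host in one /16 segment over the same link. The hash-based link assignment, the interface names and the sample source addresses are assumptions constructed for this illustration.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed sample of flow source addresses: most hosts sit in 10.1.0.0/16,
# spread over eight /24 subnets, plus three hosts in other segments.
SAMPLE_SOURCES = (
    [f"10.1.{third}.{host}" for third in range(1, 9) for host in (10, 20, 30)]
    + ["10.2.0.5", "10.3.0.7", "192.168.5.9"]
)

# Hypothetical outbound interfaces taking part in load balancing.
LINKS = ["GE1/0/1", "GE1/0/2", "GE1/0/3"]


def sticky_key(src_ip: str, mask_bits: int) -> str:
    """Sticky-session key: the source address masked to mask_bits."""
    net = ipaddress.ip_network(f"{src_ip}/{mask_bits}", strict=False)
    return str(net.network_address)


def choose_link(src_ip: str, mask_bits: int, links=LINKS) -> str:
    """Pick a link from the masked key. Hashing the key is an assumption made
    for this illustration, not the device's real selection algorithm; the point
    is only that equal keys always map to the same link."""
    digest = hashlib.sha256(sticky_key(src_ip, mask_bits).encode()).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def distribution(mask_bits: int, sources=SAMPLE_SOURCES) -> dict:
    """Count how many flows land on each link for a given mask length."""
    return dict(Counter(choose_link(ip, mask_bits) for ip in sources))


def dominant_share(mask_bits: int, sources=SAMPLE_SOURCES) -> float:
    """Fraction of flows carried by the busiest link (1/len(LINKS) is ideal)."""
    counts = distribution(mask_bits, sources)
    return max(counts.values()) / len(sources)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        print(f"/{bits}: {distribution(bits)}  busiest share={dominant_share(bits):.2f}")
```

With /16 all 24 hosts in 10.1.0.0/16 share one key and therefore one link; shortening the mask to /24 or /32 produces more distinct keys and a chance of spreading the load.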
Copyright © Huawei Technologies Co., Ltd.