SDWAN: Validation Error: At most 9 occurrences are allowed for interface/member

Created On 09/08/22 03:43 AM - Last Modified 01/26/23 07:22 AM


Symptom


  •  The Panorama commit succeeds, but the push to the firewalls fails with the following error:
Autogenerated SDWAN configuration
Validation Error:
At most 9 occurrences are allowed for interface/member
network -> interface -> sdwan -> units -> sdwan.903 -> interface is invalid
Commit failed
NOTE: most likely, the above will be encountered from the hub, although there is a slight chance that it may occur at the spoke.


Environment


  • Panorama version 10.1.6 
  • SD-WAN plugin version 2.2
  • Firewalls in a hub and spoke topology
  • PAN-OS version 10.1.6


Cause


Several topology combinations can lead to this error; the topology provided below is one of them.
To understand how the error is generated, we need to take into account three contributing factors:

The first is the provisioned link types. As per the documentation:

"
(ADSL/DSL, Cable modem, Ethernet, Fiber, LTE/3G/4G/5G, MPLS, Microwave/Radio, Satellite, WiFi, or Other). The firewall can support any CPE device that terminates and hands off as an Ethernet connection to the firewall; for example, WiFi access points, LTE modems, laser/microwave CPEs all can terminate with an Ethernet handoff.

Private, point-to-point link types (MPLS, satellite, microwave, and Other) will form tunnels with only the same link type; for example, MPLS-to-MPLS and satellite-to-satellite. Tunnels will not be created between an MPLS link and an Ethernet link, for example.
"

The second is the number of links added per link type.

The third is that if there are point-to-point link types (MPLS, satellite, microwave, and Other) at the hub site, the SD-WAN plugin adds the ethernet interface to the sdwan interface (please refer to screenshots in 1.a.iv and 1.c.iv, where you can see the added ethernet interface in addition to the standard IPSEC tunnel interfaces).

[Figure: topology diagram, 8-11.png]

With the above topology, the Hub and Branch_1 have four and two interfaces with the ethernet link type, respectively; each interface will form a tunnel to all interfaces on the remote side having the same link type. Hence we'll have eight IPSEC tunnels over the ethernet link type (4 x 2 = 8).

In addition to the above, one tunnel will be formed for the MPLS link type, and one ethernet interface assigned with the MPLS link type will also be included in the sdwan interface, making a total of ten interfaces. This exceeds the limit of nine members, hence the error.
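The counting rule above can be checked before pushing from Panorama. The following is an added example, not code from the article or from the SD-WAN plugin; the function names are hypothetical. It assumes that tunnels form only between interfaces of the same link type, as described above, and that one ethernet member is added per hub interface carrying a point-to-point link type.

```python
from collections import Counter

# Limit quoted in the validation error for interface/member.
MAX_MEMBERS = 9
# Private, point-to-point link types named in the quoted documentation.
PRIVATE_LINK_TYPES = {"MPLS", "Satellite", "Microwave/Radio", "Other"}


def hub_sdwan_members(hub_links, branch_links):
    """Count members of the hub's sdwan interface toward one branch.

    Each argument is a list with one link-type string per SD-WAN interface.
    Returns (tunnels, added_ethernet, total).
    """
    hub, branch = Counter(hub_links), Counter(branch_links)
    tunnels = added_ethernet = 0
    for link_type, hub_count in hub.items():
        # Every hub interface pairs with every branch interface of the same type.
        tunnels += hub_count * branch[link_type]
        # Assumption: one ethernet member is added per hub interface that
        # carries a private, point-to-point link type.
        if link_type in PRIVATE_LINK_TYPES:
            added_ethernet += hub_count
    return tunnels, added_ethernet, tunnels + added_ethernet


def branches_over_limit(hub_links, branches):
    """Return {branch_name: total} for branches whose count exceeds MAX_MEMBERS."""
    over = {}
    for name, links in branches.items():
        total = hub_sdwan_members(hub_links, links)[2]
        if total > MAX_MEMBERS:
            over[name] = total
    return over


if __name__ == "__main__":
    # Constructed inventory; Branch_1 matches the article's topology,
    # Branch_2 is a hypothetical smaller site.
    hub = ["Ethernet"] * 4 + ["MPLS"]
    branches = {
        "Branch_1": ["Ethernet"] * 2 + ["MPLS"],  # 8 + 1 tunnels, 1 ethernet
        "Branch_2": ["Ethernet"] + ["MPLS"],      # 4 + 1 tunnels, 1 ethernet
    }
    for name, total in branches_over_limit(hub, branches).items():
        print(f"{name}: {total} members, limit is {MAX_MEMBERS}")
```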


 


Resolution


  1. Link Types; we'll be exploring at least three different combinations to address the error.
    1. Ethernet link type only
        8-1.png
      1. Hub's interface configuration
        8-2.png
      2. Hub's IPSEC tunnels towards Branch_1
        8-3.png
      3. Hub's sdwan interface mapping to the IPSEC VPN with no ethernet interface
        8-4.png
      4. Branch_1's interface configuration
        8-5.png
      5. Branch_1's IPSEC tunnels towards the Hub
        8-6.png
      6. Branch_1's sdwan interface mapping to the IPSEC VPN
        8-7.png
    2. Ethernet and MPLS link types
        8-21.png
      1. Hub's config from Panorama
        8-22.png
      2. Hub's interface configuration
        8-23.png
      3. Hub's IPSEC tunnels towards Branch_1
        8-23b.png
      4. Hub's sdwan interface mapping to the IPSEC VPN and ethernet
        8-24.png
      5. Branch_1's interface configuration
        8-25.png
      6. Branch_1's IPSEC tunnels towards the Hub
        8-26.png
      7. Branch_1's sdwan interface mapping to the IPSEC VPN
        8-27.png
    3. Ethernet, MPLS, Microwave and Satellite link types
        8-31.png
      1. Hub's config from Panorama
        8-32.png
      2. Hub's interface configuration
        8-33.png
      3. Hub's IPSEC VPN tunnels towards Branch_1
        8-34.png
      4. Hub's sdwan interface mapping to the IPSEC VPN and ethernet
        8-35.png
      5. Branch_1's interface configuration
        8-36.png
      6. Branch_1's IPSEC tunnels towards the Hub
        8-37.png
      7. Branch_1's sdwan interface mapping to the IPSEC VPN
        8-38.png
  2. Multi hubs; if the previous solutions are insufficient, you can configure up to four hubs to which the branches can connect, enabling you to quadruple your interface mappings.

    Using the last screen, which had only a single hub, as a reference: highlighted below is the branch's sdwan interface to the four hubs.
        8-41.png


Additional Information


How to configure SDWAN: Basic connection
How to troubleshoot SD-WAN link down

