Can we get an option on outbound policy to flush the connection tracking tables on apply?
It appears changing the outbound policy doesn't apply to existing established sessions/flows; at least, that appeared to be the case with a SIT tunnel on 8.1.2b01 where I'd changed a rule that should have moved that traffic to a different SpeedFusion sub-tunnel (top of outbound policy and set to Enforced).
Sometimes this also happens after a reboot if the sub-tunnel hasn't come up quickly enough (traffic appears to end up on sub-tunnel 1 with that peer).
When creating a new Enforced / Priority outbound policy rule, the affected conntracks will be cleared automatically; this should not require a manual flush.
For the checkbox "Terminate Sessions on Connection Recovery", this doesn't apply to Enforced rules, because when the connection is unavailable (either the WAN is down or the SpeedFusion connection is not connected yet), the packets will be dropped, so no new conntrack will be created for those packets. There is no need to "terminate sessions on connection recovery".
@Steve +1 for me too. I was troubleshooting changing the tunnel traffic and forcing it to tunnel 2, which worked, but then when trying to force it back by editing the same rule and setting tunnel 1, it didn't work.
It should work the same way when you modify an existing outbound policy rule (Enforce / Priority).
Could you share the exact steps to reproduce the problem? The details of outbound policy rule, and which fields are being changed, etc.
Just one thing on my mind: if your outbound policy rule is matching Source MAC Address, then it won't apply the same way, because conntrack doesn't have MAC address information, so we can't clear the related conntracks when you modify the outbound policy rule in this case.
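To make the mechanism above concrete, here is an added example (not from this thread or from Peplink's firmware) of what "clear the affected conntracks on rule change" looks like on a generic Linux router running conntrack-tools: it builds a `conntrack -D` deletion for the flows an Enforced rule selects by IP endpoint, and refuses a rule that matches on source MAC, since conntrack entries carry no MAC address. The `conntrack` binary and the match-type vocabulary (`dst`, `src`, `mac`) are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (assumption: a Linux router with conntrack-tools installed).
# build_flush_cmd MATCH_TYPE VALUE [PROTO] [DPORT]
#   MATCH_TYPE: dst  - rule matches destination IP (e.g. the tunnel server)
#               src  - rule matches source IP
#               mac  - rule matches source MAC (cannot be mapped to conntrack)
# Prints the conntrack deletion command for the flows the rule selects.
build_flush_cmd() {
    match_type=$1; value=$2; proto=$3; dport=$4
    case "$match_type" in
        dst) cmd="conntrack -D -d $value" ;;
        src) cmd="conntrack -D -s $value" ;;
        mac) # conntrack entries store L3/L4 tuples only, no MAC address,
             # so there is no way to select exactly the affected flows.
             echo "refuse: conntrack has no MAC information for $value" >&2
             return 1 ;;
        *)   echo "unknown match type: $match_type" >&2; return 2 ;;
    esac
    # Narrow the deletion to the rule's protocol / port when it specifies them.
    [ -n "$proto" ] && cmd="$cmd -p $proto"
    [ -n "$dport" ] && cmd="$cmd --dport $dport"
    printf '%s\n' "$cmd"
}

# flush_rule: run the deletion when conntrack is present, otherwise dry-run,
# so the established flows get re-evaluated against the modified rule.
flush_rule() {
    cmd=$(build_flush_cmd "$@") || return $?
    if command -v conntrack >/dev/null 2>&1; then
        $cmd
    else
        echo "dry-run: $cmd"
    fi
}
```

Deleting the entries does not drop the tunnel; the next packet simply creates a fresh conntrack entry under the current outbound policy.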
It's a SIT tunnel going over the SpeedFusion tunnel. I'd changed the Enforce rule from one sub-tunnel to another on the same peer, but the traffic didn't move.
The Enforce rule is based on the IPv4 endpoint for the v6 tunnel server. I'm wondering if it's better to move the IPv6 tunnel outside of SpeedFusion or use something other than SIT, but then I'd have to handle the bonding/failover some other way.