Troubleshoot unintended policy rollback

Resolve problems when policy installation results in a rollback to the previously installed policy version.

Problem description: The policy installation reports that the Management Server can contact the engines and installs the new policy successfully. However, the policy installation results in a rollback to the previously installed policy version.

Reason: The rollback is a safety mechanism that prevents changing the engines’ policy in ways that cut the connectivity between the engines and the Management Server. After each policy installation, the engine contacts the Secure SD-WAN Manager using its new configuration and automatically reverts its policy if the contact does not succeed within a time-out period.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Make sure the policy and the configuration changes that you have made do not prevent communications between the Management Server and the engine.
    1. Check the IPv4 Access Rules and NAT rules (as applicable). You can also validate the policy to see if there are issues in it that prevent the policy installation. The rule search is useful for finding the first rule that matches the connections.
    2. Check the Routing. You can use the Route Query tool to check where the packets will be routed after a policy installation.
    3. Check the Locations and Contact Addresses of the Secure SD-WAN Manager components, which are required if NAT is applied to these system communications.
  2. The rollback occurs after a timeout set in the engine element’s advanced properties. If you are sure that there are no configuration or policy design issues, you can increase the timeout to allow for longer delays in contact. Increasing the timeout can help if the timeout is caused by poor network reliability or delays caused by processing a policy that is very large considering the engine’s available resources.