Create an Error Correction Profile

Create an Error Correction profile to apply Forward Error Correction (FEC) or packet duplication for applications specified in an SD-WAN policy rule.
Forward error correction (FEC) is a method of correcting certain data transmission errors that occur over noisy communication lines, thereby improving data reliability without requiring retransmission. FEC is helpful for applications that are sensitive to packet loss or corruption, such as audio, VoIP, and video conferencing. With FEC, the receiving firewall can recover lost or corrupted packets by employing parity bits that the sending encoder embeds in an application flow. Repairing the flow avoids the need for SD-WAN data to fail over to another path or for TCP to resend packets. FEC can also help with UDP applications by recovering the lost or corrupt packets, since UDP does not retransmit packets.
SD-WAN FEC supports branch and hub firewalls acting as encoders and decoders. The FEC mechanism has the encoder add redundant bits to a bitstream, and the decoder uses that information to correct received data if necessary, before sending it to the destination.
SD-WAN also supports packet duplication as an alternative method of error correction. Packet duplication performs a complete duplication of an application session from one tunnel to a second tunnel. Packet duplication requires more resources than FEC and should be used only for critical applications that have low tolerance for dropped packets.
Modern applications that have their own embedded recovery mechanisms may not need FEC or packet duplication. Apply FEC or packet duplication only to applications that can really benefit from such a mechanism; otherwise, much additional bandwidth and CPU overhead are introduced without any benefit. Neither FEC nor packet duplication is helpful if your SD-WAN problem is congestion.
FEC and packet duplication functionality requires Panorama to run PAN-OS 10.0.2 or a later release and SD-WAN Plugin 2.0 or a later release that is compatible with the PAN-OS release. The encoder and decoder must both be running PAN-OS 10.0.2 or a later release. If one branch or hub is running an older software release than what is required, traffic with an FEC or packet duplication header is dropped at that firewall.
Beginning with PAN-OS 10.0.3, FEC and packet duplication are supported in a full mesh topology, in addition to the hub-spoke topology already supported.
Neither FEC nor packet duplication should be used on DIA links; they are only for VPN tunnel links between branches and hubs.
FEC and packet duplication are supported only for SD-WAN enabled PAN-OS firewalls. FEC and packet duplication are not supported for Prisma Access Hubs.
To configure FEC or packet duplication on the encoder (the side that initiates FEC or packet duplication), use Panorama to:
  • Create an SD-WAN Interface Profile that specifies Eligible for Error Correction Profile interface selection and apply the profile to one or more interfaces.
  • Create an Error Correction Profile to implement FEC or packet duplication.
  • Apply the Error Correction Profile to an SD-WAN policy rule and specify a single application to which the rule applies.
  • Push the configuration to encoders. (The decoder [the receiving side] requires no specific configuration for FEC or packet duplication; the mechanisms are enabled by default on the decoder as long as the encoder initiates the error correction.)
FEC and packet duplication support an MTU of 1,340 bytes. A packet larger than that will not go through the FEC or packet duplication process.
  1. Configure an SD-WAN Interface Profile, where you select Eligible for Error Correction Profile interface selection to indicate that the firewall can automatically use the interfaces (where the SD-WAN Interface Profile is applied) for error correction. Whether this option defaults to selected or not depends on the Link Type you select for the profile.
    You can have Eligible for Error Correction Profile interface selection unchecked in a profile and apply the profile to an expensive 5G LTE link, for example, so that costly error correction is never performed on that link.
  2. Configure a Physical Ethernet Interface for SD-WAN and apply the SD-WAN Interface Profile that you created to an Ethernet interface.
  3. Create an Error Correction Profile for FEC or packet duplication.
    1. Select Objects > SD-WAN Link Management > Error Correction Profile.
    2. Add an Error Correction profile and enter a descriptive Name of up to 31 alphanumeric characters; for example, EC_VOIP.
    3. Select Shared to make the Error Correction profile available to all device groups on Panorama and to the default vsys on a single-vsys hub or branch, or to vsys1 on a multi-vsys hub or branch to which you push this configuration.
      Panorama can reference a Shared Error Correction profile in the firewall configuration validation and successfully commit and push the configuration to branches and hubs. The commit fails if Panorama cannot reference an Error Correction profile.
    4. Specify the Activate when packet loss exceeds (%) setting. When packet loss exceeds this percentage, FEC or packet duplication is activated for the configured applications in the SD-WAN policy rule where this Error Correction profile is applied. Range is 1 to 99; the default is 2.
    5. Select Forward Error Correction or Packet Duplication to indicate which error correction method the firewall uses when an SD-WAN policy rule references this SD-WAN Interface Profile; the default is Forward Error Correction. If you select Packet Duplication, SD-WAN selects an interface over which to send duplicate packets. (SD-WAN selects one of the interfaces you configured with Eligible for Error Correction Profile interface selection in the prior step.)
    6. (Forward Error Correction only) Select the Packet Loss Correction Ratio: 10% (20:2), 20% (20:4), 30% (20:6), 40% (20:8), or 50% (20:10). This is the ratio of parity bits to data packets; the default is 10% (20:2). The higher the ratio of parity bits to data packets that the sending firewall (encoder) sends, the higher the probability that the receiving firewall (decoder) can repair packet loss. However, a higher ratio requires more redundancy and therefore more bandwidth overhead, which is a tradeoff for achieving error correction. The parity ratio applies to the encoding firewall's outgoing traffic. For example, if the hub firewall parity ratio is 50% and the branch firewall parity ratio is 20%, the hub firewall will receive 20% and the branch firewall will receive 50%.
    7. Specify the Recovery Duration (ms): the maximum number of milliseconds that the receiving firewall (decoder) can spend performing packet recovery on lost data packets using the parity packets it received (range is 1 to 5,000; default is 1,000). The firewall immediately sends data packets it receives to the destination. During the Recovery Duration, the decoder performs packet recovery for any lost data packets. When the recovery duration expires, all the parity packets are released. You configure the recovery duration in the Error Correction Profile for the encoder, which sends the Recovery Duration value to the decoder. A Recovery Duration setting on the decoder has no impact.
      Start by using the default Recovery Duration setting and adjust it if necessary, based on your testing with normal and intermittent brown-outs.
    8. Click OK.
  4. Configure an SD-WAN Policy Rule, reference the Error Correction Profile you created in the rule, and specify a critical application to which the rule applies.
    Specify only one application in the SD-WAN policy rule when configuring FEC or packet duplication. You should not combine multiple applications in a single policy rule for FEC or packet duplication.
  5. Commit and Commit and Push your configuration changes to the encoding firewalls (branches and hubs).
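
To put numbers on the overhead-versus-recovery tradeoff behind the Packet Loss Correction Ratio in step 3.6, the following added example (not Palo Alto Networks code) models each 20:N setting for a given loss rate. It assumes independent packet loss and an ideal erasure code that repairs a block whenever no more than N of its 20+N packets are lost; the page does not describe the actual coding scheme, and all function names are illustrative.

```python
from math import comb

DATA_PACKETS = 20                  # block size in the page's 20:N ratios
PARITY_OPTIONS = (2, 4, 6, 8, 10)  # the 10% .. 50% settings from step 3.6


def bandwidth_overhead(parity, data=DATA_PACKETS):
    """Extra packets sent per data packet, e.g. 2 on 20 -> 0.10."""
    return parity / data


def block_recovery_probability(loss, parity, data=DATA_PACKETS):
    """Probability that every data packet of a block arrives or is repaired.

    ASSUMPTION (not from the page): ideal erasure code with independent
    loss, so a block is repairable when at most `parity` of its
    data + parity packets are lost.
    """
    if not 0.0 <= loss <= 1.0:
        raise ValueError("loss must be a fraction between 0 and 1")
    n = data + parity
    return sum(comb(n, k) * loss**k * (1 - loss) ** (n - k)
               for k in range(parity + 1))


def no_fec_probability(loss, data=DATA_PACKETS):
    """Probability that all data packets of a block arrive with no FEC."""
    return (1 - loss) ** data


def smallest_parity_for(loss, target):
    """Lowest listed parity count meeting the target, or None if none does."""
    for parity in PARITY_OPTIONS:
        if block_recovery_probability(loss, parity) >= target:
            return parity
    return None


if __name__ == "__main__":
    loss = 0.05  # constructed sample: 5% random loss on the tunnel
    print(f"no FEC: {no_fec_probability(loss):.3f} of blocks intact")
    for parity in PARITY_OPTIONS:
        print(f"20:{parity:<2} overhead {bandwidth_overhead(parity):4.0%}  "
              f"blocks intact {block_recovery_probability(loss, parity):.4f}")
    print("smallest ratio for 99% at 5% loss: 20:%s"
          % smallest_parity_for(loss, 0.99))
```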
