Create an Error Correction Profile
Create an Error Correction profile to apply Forward Error Correction (FEC) or packet duplication for applications specified in an SD-WAN policy rule.
Forward error correction (FEC) is a method of correcting certain data transmission errors that occur over noisy communication lines, thereby improving data reliability without requiring retransmission. FEC is helpful for applications that are sensitive to packet loss or corruption, such as audio, VoIP, and video conferencing. With FEC, the receiving firewall can recover lost or corrupted packets by employing parity bits that the sending encoder embeds in an application flow. Repairing the flow avoids the need for SD-WAN data to fail over to another path or for TCP to resend packets. FEC can also help with UDP applications by recovering the lost or corrupt packets, since UDP does not retransmit packets.
SD-WAN FEC supports branch and hub firewalls acting as encoders and decoders. The FEC mechanism has the encoder add redundant bits to a bitstream, and the decoder uses that information to correct received data if necessary, before sending it to the destination.
SD-WAN also supports packet duplication as an alternative method of error correction. Packet duplication performs a complete duplication of an application session from one tunnel to a second tunnel. Packet duplication requires more resources than FEC and should be used only for critical applications that have low tolerance for dropped packets.
Modern applications that have their own embedded recovery mechanisms may not need FEC or packet duplication. Apply FEC or packet duplication only to applications that can really benefit from such a mechanism; otherwise, much additional bandwidth and CPU overhead are introduced without any benefit. Neither FEC nor packet duplication is helpful if your SD-WAN problem is congestion.
FEC and packet duplication functionality require Panorama to run PAN-OS 10.0.2 or a later release and SD-WAN Plugin 2.0 or a later release that is compatible with the PAN-OS release. The encoder and decoder must both be running PAN-OS 10.0.2 or a later release. If one branch or hub is running an older software release than what is required, traffic with an FEC or packet duplication header is dropped at that firewall.
Beginning with PAN-OS 10.0.3, FEC and packet duplication are supported in a full mesh topology, in addition to the hub-spoke topology already supported.
Neither FEC nor packet duplication should be used on DIA links; they are only for VPN tunnel links between branches and hubs.
FEC and packet duplication are supported only for SD-WAN enabled PAN-OS firewalls. FEC and packet duplication are not supported for Prisma Access Hubs.
To configure FEC or packet duplication on the encoder (the side that initiates FEC or packet duplication), use Panorama to:
- Create an SD-WAN Interface Profile that specifies Eligible for Error Correction Profile interface selection and apply the profile to one or more interfaces.
- Create an Error Correction Profile to implement FEC or packet duplication.
- Apply the Error Correction Profile to an SD-WAN policy rule and specify a single application to which the rule applies.
- Push the configuration to encoders. (The decoder [the receiving side] requires no specific configuration for FEC or packet duplication; the mechanisms are enabled by default on the decoder as long as the encoder initiates the error correction.)
FEC and packet duplication support an MTU of 1,340 bytes. A packet larger than that will not go through the FEC or packet duplication process.
- Configure an SD-WAN Interface Profile, where you select Eligible for Error Correction Profile interface selection to indicate that the firewall can automatically use the interfaces (where the SD-WAN Interface Profile is applied) for error correction. Whether this option defaults to selected or not depends on the Link Type you select for the profile. You can have Eligible for Error Correction Profile interface selection unchecked in a profile and apply the profile to an expensive 5G LTE link, for example, so that costly error correction is never performed on that link.
- Configure a Physical Ethernet Interface for SD-WAN and apply the SD-WAN Interface Profile that you created to an Ethernet interface.
- Create an Error Correction Profile for FEC or packet duplication.
  - Select Objects > SD-WAN Link Management > Error Correction Profile.
  - Add an Error Correction profile and enter a descriptive Name of up to 31 alphanumeric characters; for example, EC_VOIP.
  - Select Shared to make the Error Correction profile available to all device groups on Panorama and to the default vsys on a single-vsys hub or branch, or to vsys1 on a multi-vsys hub or branch to which you push this configuration.
  - Specify the Activate when packet loss exceeds (%) setting. When packet loss exceeds this percentage, FEC or packet duplication is activated for the configured applications in the SD-WAN policy rule where this Error Correction profile is applied. Range is 1 to 99; the default is 2.
  - Select Forward Error Correction or Packet Duplication to indicate which error correction method the firewall uses when an SD-WAN policy rule references this SD-WAN Interface Profile; the default is Forward Error Correction. If you select Packet Duplication, SD-WAN selects an interface over which to send duplicate packets. (SD-WAN selects one of the interfaces you configured with Eligible for Error Correction Profile interface selection in the prior step.)
  - (Forward Error Correction only) Select the Packet Loss Correction Ratio: 10% (20:2), 20% (20:4), 30% (20:6), 40% (20:8), or 50% (20:10). This is the ratio of parity bits to data packets; the default is 10% (20:2). The higher the ratio of parity bits to data packets that the sending firewall (encoder) sends, the higher the probability that the receiving firewall (decoder) can repair packet loss. However, a higher ratio requires more redundancy and therefore more bandwidth overhead, which is a tradeoff for achieving error correction. The parity ratio applies to the encoding firewall's outgoing traffic. For example, if the hub firewall parity ratio is 50% and the branch firewall parity ratio is 20%, the hub firewall will receive 20% and the branch firewall will receive 50%.
  - Specify the Recovery Duration (ms). This is the maximum number of milliseconds that the receiving firewall (decoder) can spend performing packet recovery on lost data packets using the parity packets it received (range is 1 to 5,000; default is 1,000). The firewall immediately sends data packets it receives to the destination. During the Recovery Duration, the decoder performs packet recovery for any lost data packets. When the recovery duration expires, all the parity packets are released. You configure the recovery duration in the Error Correction Profile for the encoder, which sends the Recovery Duration value to the decoder. A Recovery Duration setting on the decoder has no impact. Start by using the default Recovery Duration setting and adjust it if necessary, based on your testing with normal and intermittent brown-outs.
- Configure an SD-WAN Policy Rule, reference the Error Correction Profile you created in the rule, and specify a critical application to which the rule applies. Specify only one application in the SD-WAN policy rule when configuring FEC or packet duplication. You should not combine multiple applications in a single policy rule for FEC or packet duplication.
- Commit and Commit and Push your configuration changes to the encoding firewalls (branches and hubs).
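A pre-push check of a planned Error Correction profile against the limits stated on this page (value ranges, one application per rule, no DIA links, the 1,340-byte limit, and minimum PAN-OS releases). This is an added example, not Palo Alto Networks code; the dictionary field names and the sample inventory are hypothetical and do not correspond to a Panorama or PAN-OS API.

```python
import re

FEC_RATIOS_PCT = {10, 20, 30, 40, 50}   # 20:2 through 20:10 on this page
MAX_EC_PACKET_BYTES = 1340              # larger packets skip FEC/duplication
MIN_PANOS = {"hub-spoke": (10, 0, 2), "full-mesh": (10, 0, 3)}

def parse_panos(version):
    """'10.0.2-h1' -> (10, 0, 2); any hotfix suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part) for part in m.groups())

def preflight(profile, rule, devices, topology="hub-spoke"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not 1 <= len(profile["name"]) <= 31:
        findings.append("profile name must be 1 to 31 characters")
    if not 1 <= profile["activate_loss_pct"] <= 99:
        findings.append("activation threshold must be 1 to 99 percent")
    if not 1 <= profile["recovery_ms"] <= 5000:
        findings.append("recovery duration must be 1 to 5000 ms")
    if profile["method"] == "fec":
        if profile["ratio_pct"] not in FEC_RATIOS_PCT:
            findings.append("FEC ratio must be 10, 20, 30, 40 or 50 percent")
    elif profile["method"] != "packet-duplication":
        findings.append(f"unknown method {profile['method']!r}")
    if len(rule["applications"]) != 1:
        findings.append("rule must name exactly one application")
    if rule.get("max_packet_bytes", 0) > MAX_EC_PACKET_BYTES:
        findings.append("packets over 1340 bytes bypass error correction")
    for link in rule["ec_links"]:
        if link["type"] == "dia":
            findings.append(f"{link['name']}: error correction should not be used on DIA links")
    required = MIN_PANOS[topology]
    for name, version in devices.items():
        if parse_panos(version) < required:
            findings.append(f"{name}: PAN-OS {version} is below the required "
                            + ".".join(map(str, required)))
    return findings

# Constructed sample input, not taken from a real deployment.
PROFILE = {"name": "EC_VOIP", "method": "fec", "ratio_pct": 20,
           "activate_loss_pct": 2, "recovery_ms": 1000}
RULE = {"applications": ["sip", "rtp"], "max_packet_bytes": 1400,
        "ec_links": [{"name": "tunnel.901", "type": "vpn"},
                     {"name": "ethernet1/4", "type": "dia"}]}
DEVICES = {"hub-1": "10.0.4", "branch-7": "10.0.1-h2", "branch-9": "10.0.2"}

if __name__ == "__main__":
    for finding in preflight(PROFILE, RULE, DEVICES):
        print("FINDING:", finding)
```

The device check matters most before a push: per this page, a firewall below the required release drops traffic that carries an FEC or packet duplication header.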