Create an Error Correction Profile
Create an Error Correction profile to apply Forward Error Correction (FEC) or packet duplication for applications specified in an SD-WAN policy rule.

Forward error correction (FEC) is a method of correcting certain data transmission errors that occur over noisy communication lines, thereby improving data reliability without requiring retransmission. FEC is helpful for applications that are sensitive to packet loss or corruption, such as audio, VoIP, and video conferencing. With FEC, the receiving firewall can recover lost or corrupted packets by employing parity bits that the sending encoder embeds in an application flow. Repairing the flow avoids the need for SD-WAN data to fail over to another path or for TCP to resend packets. FEC can also help with UDP applications by recovering the lost or corrupt packets, since UDP does not retransmit packets.

SD-WAN FEC supports branch and hub firewalls acting as encoders and decoders. The FEC mechanism has the encoder add redundant bits to a bitstream, and the decoder uses that information to correct received data if necessary, before sending it to the destination.

SD-WAN also supports packet duplication as an alternative method of error correction. Packet duplication performs a complete duplication of an application session from one tunnel to a second tunnel. Packet duplication requires more resources than FEC and should be used only for critical applications that have low tolerance for dropped packets.

Modern applications that have their own embedded recovery mechanisms may not need FEC or packet duplication. Apply FEC or packet duplication only to applications that can really benefit from such a mechanism; otherwise, much additional bandwidth and CPU overhead are introduced without any benefit. Neither FEC nor packet duplication is helpful if your SD-WAN problem is congestion.

FEC and packet duplication functionality requires Panorama to run PAN-OS 10.0.2 or a later release and SD-WAN Plugin 2.0 or a later release that is compatible with the PAN-OS release. The encoder and decoder must both be running PAN-OS 10.0.2 or a later release. If one branch or hub is running an older software release than what is required, traffic with an FEC or packet duplication header is dropped at that firewall.

Beginning with PAN-OS 10.0.3, FEC and packet duplication are supported in a full mesh topology, in addition to the hub-spoke topology already supported.

Neither FEC nor packet duplication should be used on DIA links; they are only for VPN tunnel links between branches and hubs.

FEC and packet duplication are supported only for SD-WAN enabled PAN-OS firewalls. FEC and packet duplication are not supported for Prisma Access Hubs.

To configure FEC or packet duplication on the encoder (the side that initiates FEC or packet duplication), use Panorama to:
- Create an SD-WAN Interface Profile that specifies Eligible for Error Correction Profile interface selection and apply the profile to one or more interfaces.
- Create an Error Correction Profile to implement FEC or packet duplication.
- Apply the Error Correction Profile to an SD-WAN policy rule and specify a single application to which the rule applies.
- Push the configuration to encoders. (The decoder [the receiving side] requires no specific configuration for FEC or packet duplication; the mechanisms are enabled by default on the decoder as long as the encoder initiates the error correction.)

FEC and packet duplication support an MTU of 1,340 bytes. A packet larger than that will not go through the FEC or packet duplication process.
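
A pre-push check for the prerequisites listed above, as an added example (not Palo Alto Networks code). The inventory dictionary, its keys, and the sample versions are constructed for illustration; the thresholds are the ones this page states.

```python
import re

MIN_FEC = (10, 0, 2)        # Panorama, encoder and decoder minimum (from the page)
MIN_FULL_MESH = (10, 0, 3)  # first release with full mesh support (from the page)
MIN_PLUGIN = (2, 0)         # SD-WAN plugin minimum on Panorama (from the page)
FEC_MTU = 1340              # bytes; larger packets skip error correction

def parse_version(text):
    """'10.1.3-h1' -> (10, 1, 3); '2.0.1' -> (2, 0, 1). Suffixes are ignored."""
    nums = re.match(r"\d+(?:\.\d+)*", text)
    if not nums:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(n) for n in nums.group().split("."))

def precheck(inv):
    """Return findings for a (hypothetical) inventory dict; empty list = no blocker."""
    out = []
    if parse_version(inv["panorama"]) < MIN_FEC:
        out.append("panorama: PAN-OS below 10.0.2")
    if parse_version(inv["plugin"]) < MIN_PLUGIN:
        out.append("panorama: SD-WAN plugin below 2.0")
    for fw in inv["firewalls"]:
        if fw.get("prisma_access_hub"):
            out.append(f"{fw['name']}: Prisma Access hub, not supported")
            continue
        ver = parse_version(fw["version"])
        if ver < MIN_FEC:
            # Older peers drop traffic carrying an FEC/duplication header.
            out.append(f"{fw['name']}: below 10.0.2, drops FEC/duplication traffic")
        elif inv["topology"] == "full-mesh" and ver < MIN_FULL_MESH:
            out.append(f"{fw['name']}: full mesh needs 10.0.3 or later")
    if inv["link"] == "dia":
        out.append("link: DIA, error correction is for VPN tunnel links only")
    if inv["max_packet"] > FEC_MTU:
        out.append(f"packets over {FEC_MTU} bytes bypass error correction")
    return out

# Constructed sample inventory.
SAMPLE = {
    "panorama": "10.1.6", "plugin": "2.0.1", "topology": "full-mesh",
    "link": "vpn", "max_packet": 1200,
    "firewalls": [
        {"name": "hub1", "version": "10.1.3-h1"},
        {"name": "branch1", "version": "10.0.1"},
        {"name": "branch2", "version": "10.0.2"},
    ],
}
```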

- Log in to the Panorama Web Interface.
- Configure an SD-WAN Interface Profile, where you select Eligible for Error Correction Profile interface selection to indicate that the firewall can automatically use the interfaces (where the SD-WAN Interface Profile is applied) for error correction. Whether this option defaults to selected or not depends on the Link Type you select for the profile. You can have Eligible for Error Correction Profile interface selection unchecked in a profile and apply the profile to an expensive 5G LTE link, for example, so that costly error correction is never performed on that link.
- Configure a Physical Ethernet Interface for SD-WAN and apply the SD-WAN Interface Profile that you created to an Ethernet interface.
- Create an Error Correction Profile for FEC or packet duplication.
  - Select Objects > SD-WAN Link Management > Error Correction Profile.
  - Add an Error Correction profile and enter a descriptive Name of up to 31 alphanumeric characters; for example, EC_VOIP.
  - Select Shared to make the Error Correction profile available to all device groups on Panorama and to the default vsys on a single-vsys hub or branch, or to vsys1 on a multi-vsys hub or branch to which you push this configuration.
  - Specify the Activate when packet loss exceeds (%) setting: when packet loss exceeds this percentage, FEC or packet duplication is activated for the configured applications in the SD-WAN policy rule where this Error Correction profile is applied. Range is 1 to 99; the default is 2.
  - Select Forward Error Correction or Packet Duplication to indicate which error correction method the firewall uses when an SD-WAN policy rule references this SD-WAN Interface Profile; the default is Forward Error Correction. If you select Packet Duplication, SD-WAN selects an interface over which to send duplicate packets. (SD-WAN selects one of the interfaces you configured with Eligible for Error Correction Profile interface selection in the prior step.)
  - (Forward Error Correction only) Select the Packet Loss Correction Ratio: 10% (20:2), 20% (20:4), 30% (20:6), 40% (20:8), or 50% (20:10). This is the ratio of parity bits to data packets; the default is 10% (20:2). The higher the ratio of parity bits to data packets that the sending firewall (encoder) sends, the higher the probability that the receiving firewall (decoder) can repair packet loss. However, a higher ratio requires more redundancy and therefore more bandwidth overhead, which is a tradeoff for achieving error correction. The parity ratio applies to the encoding firewall’s outgoing traffic. For example, if the hub firewall parity ratio is 50% and the branch firewall parity ratio is 20%, the hub firewall will receive 20% and the branch firewall will receive 50%.
  - Specify the Recovery Duration (ms): the maximum number of milliseconds that the receiving firewall (decoder) can spend performing packet recovery on lost data packets using the parity packets it received (range is 1 to 5,000; default is 1,000). The firewall immediately sends data packets it receives to the destination. During the Recovery Duration, the decoder performs packet recovery for any lost data packets. When the recovery duration expires, all the parity packets are released. You configure the recovery duration in the Error Correction Profile for the encoder, which sends the Recovery Duration value to the decoder. A Recovery Duration setting on the decoder has no impact. Start by using the default Recovery Duration setting and adjust it if necessary, based on your testing with normal and intermittent brown-outs.
  - Click OK.
- Configure an SD-WAN Policy Rule, reference the Error Correction Profile you created in the rule, and specify a critical application to which the rule applies. Specify only one application in the SD-WAN policy rule when configuring FEC or packet duplication. You should not combine multiple applications in a single policy rule for FEC or packet duplication.
- Commit and Commit and Push your configuration changes to the encoding firewalls (branches and hubs).
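
To make the Packet Loss Correction Ratio tradeoff concrete, here is an added sketch of an encoder and decoder using interleaved XOR parity over a 20-packet block. It is not PAN-OS code, and the page does not say which FEC algorithm PAN-OS uses; the scheme, function names, and payloads are assumptions chosen for illustration.

```python
from functools import reduce

BLOCK = 20  # data packets per block, as in the page's 20:2 ... 20:10 ratios

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode(data_pkts, parity_count):
    """Encoder: packet i joins group i % parity_count; one XOR parity per group."""
    assert len(data_pkts) == BLOCK and len({len(p) for p in data_pkts}) == 1
    return [reduce(xor_bytes, data_pkts[g::parity_count])
            for g in range(parity_count)]

def decode(received, parity_pkts):
    """Decoder: `received` holds None where a data packet was lost.

    Returns (repaired_block, indexes_still_missing). A group can repair
    exactly one loss; two losses in the same group stay lost.
    """
    m = len(parity_pkts)
    block, still_missing = list(received), []
    for g in range(m):
        idx = range(g, BLOCK, m)
        missing = [i for i in idx if block[i] is None]
        if len(missing) == 1 and parity_pkts[g] is not None:
            present = [block[i] for i in idx if block[i] is not None]
            # XOR of the parity with every surviving member yields the lost one.
            block[missing[0]] = reduce(xor_bytes, present, parity_pkts[g])
        else:
            still_missing.extend(missing)
    return block, sorted(still_missing)

def demo(parity_count, lost):
    """Send one block, drop the indexes in `lost`, and try to repair it.

    Returns (fully_repaired, unrecoverable_indexes, bandwidth_overhead).
    """
    data = [f"rtp-{i:02d}".encode() for i in range(BLOCK)]  # constructed payloads
    parity = encode(data, parity_count)
    received = [None if i in lost else p for i, p in enumerate(data)]
    repaired, unrecoverable = decode(received, parity)
    return repaired == data, unrecoverable, parity_count / BLOCK
```

With two parity packets (the 10% setting) a burst of two consecutive losses is repaired because neighbouring packets fall in different groups, while losses of packets 4 and 6 share a group and are not; the same pair is repaired at the 50% setting, at five times the overhead.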