Issue with VXLAN traffic passing through the firewall


L3 Networker

Hi Team, 


We have an SDWAN box placed behind the firewall, and the SD_WAN box needs to communicate with the controllers, which are located on the internet.


The topology is given below:

SD_WAN Box<--->F/W LAN interface<--->F/W ISP interface <--> Internet <---->Controllers.


The SD_WAN Box is trying to establish VXLAN connectivity to the Controllers located on the internet.


In the traffic logs and the session browser we could see that the traffic flow between the SD_WAN Box and the VXLAN is being allowed by the firewall, and the application is being correctly identified as "VXLAN".


We had configured only source NAT on the firewall, but we could see in the log that the destination port is being translated to 511 from 4789.



Why is the firewall translating the destination port even though DNAT is not configured?



Cyber Elite


Have you run a test nat-policy-match against the traffic to verify that it's actually hitting the NAT policy that you expect? If the firewall is modifying the port, it sounds like you're hitting a DIPP entry that you might not be expecting.
