Introduction
This document describes how to configure SD-WAN to use an Automatic Tunnel Configuration.
Overview
You can configure SD-WAN to use an Automatic Tunnel Configuration, as seen here.
This configuration allows the device(s) to connect to SWG and select the datacenter (DC) automatically. It uses these DNS records to determine the destination:
global-a.vpn.sig.umbrella.com
global-b.vpn.sig.umbrella.com
This returns the closest DC based on the Region Code. It is helpful to refer to our Datacenter Documentation to predict which resolvers you get.
In the case of a customer in Paris:
- Global A (Primary) returns: 146.112.102.8 (Paris)
- Global B (Secondary) returns: 146.112.103.8 (Prague)
This makes logical sense as Paris is closer. When a customer is located in Prague, they receive the same information as they are connecting to EU-2.
This means that despite the fact that the hypothetical customer is located in Prague, when they set up an Auto-Tunnel in SD-WAN, they have Paris as their Primary Tunnel.
For clarity, in Prague, the customer can expect the same records since they are in the same "Region Code":
- Global A (Primary) returns: 146.112.102.8 (Paris)
- Global B (Secondary) returns: 146.112.103.8 (Prague)
This can result in some confusion since it would appear that we are not routing to the most optimal Datacenter.
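A pre-deployment check for the behavior described above, as an added example that is not part of the original article or Cisco's tooling: it resolves the two auto-tunnel records and reports whether the primary lands on the DC the operator expects. The function names, the expected-DC input, and the constructed resolver are assumptions; the IP-to-DC table contains only the two addresses quoted on this page.

```python
import socket

# Auto-tunnel hostnames named on this page.
PRIMARY_HOST = "global-a.vpn.sig.umbrella.com"
SECONDARY_HOST = "global-b.vpn.sig.umbrella.com"

# Only the two addresses quoted on this page; extend from the Datacenter Documentation.
KNOWN_DCS = {"146.112.102.8": "Paris", "146.112.103.8": "Prague"}


def system_resolver(hostname):
    """Return the sorted IPv4 addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def predict_tunnels(expected_primary_dc, resolver=system_resolver):
    """Predict which DCs an automatic tunnel would use from this network.

    expected_primary_dc is the DC the operator assumes is closest (hypothetical input).
    """
    report = {}
    for role, host in (("primary", PRIMARY_HOST), ("secondary", SECONDARY_HOST)):
        addresses = resolver(host)
        if not addresses:
            raise LookupError(f"no A record returned for {host}")
        ip = addresses[0]
        report[role] = {"host": host, "ip": ip, "dc": KNOWN_DCS.get(ip, "unknown")}
    # Flag the case this page describes: the primary is not the DC the site expected.
    report["primary_matches_expectation"] = report["primary"]["dc"] == expected_primary_dc
    # Both records landing on one address would leave the tunnel pair without DC redundancy.
    report["same_dc_for_both"] = report["primary"]["ip"] == report["secondary"]["ip"]
    return report


def constructed_eu2_resolver(hostname):
    """Constructed answers: the records this page lists for Paris and Prague sites."""
    return {PRIMARY_HOST: ["146.112.102.8"], SECONDARY_HOST: ["146.112.103.8"]}[hostname]


if __name__ == "__main__":
    # Prague site: operator expects Prague, but the primary record points to Paris.
    for key, value in predict_tunnels("Prague", constructed_eu2_resolver).items():
        print(key, value)
```

Call `predict_tunnels("Prague")` without the second argument to query the local resolver from the site where the tunnel will be built.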
Remediation
It is important to stress that this is not a bug; this is functioning as designed.
There are a couple of options available:
- Upgrade to the latest version of SD-WAN which allows you to reverse the DC selection
- Use the instructions for manual tunnel configuration (V-Edge | C-Edge)
UPDATE: The latest version of vManage actually allows you to specify which DCs you want to select exactly via autotunnel.