In a Cisco SD-WAN deployment, data traffic is blackholed due to a missing or incorrect data policy affecting service VPN traffic. What is the most likely cause?

Study for the CCNP Software-Defined Wide Area Network (SD-WAN) Exam. Master key concepts with flashcards and multiple choice questions, each complete with hints and explanations. Gear up to ace your exam!

Multiple Choice

In a Cisco SD-WAN deployment, data traffic is blackholed due to a missing or incorrect data policy affecting service VPN traffic. What is the most likely cause?

Explanation:
In Cisco SD-WAN, how data traffic is treated on the data plane is defined by data policies. Service VPN traffic needs a data policy that specifies how those packets should be matched and what should be done with them (forward, drop, NAT, etc.). If that policy is missing or misconfigured, the data plane has no proper instruction for handling service VPN traffic, so those packets aren’t forwarded correctly and effectively get blackholed. The control plane and tunnels may be up, but without a correct data policy directing service VPN traffic, the data-path treatment fails.

Other issues described are separate problems: STP root inconsistency affects Layer 2 topology and can cause forwarding loops or uplink blocking; CAPWAP fragmentation relates to wireless tunnel encapsulation; VLAN pruning affects which VLANs are carried to devices. None of these specifically explain a scenario where service VPN traffic is dropped because there’s no proper data policy guiding its forwarding.
