In a data policy scenario, traffic is correctly routed via the preferred transport but is not NATed at one site. What is the most likely cause?

In SD-WAN, NAT for data traffic is applied by centralized data policy rules at the egress. Routing can send traffic over the preferred transport, but NAT happens only if a matching NAT rule exists for that site and the rule order allows it. If traffic reaches the site but isn’t NATed, the most likely cause is a missing NAT rule for that site or a misordered rule where the traffic matches a different rule that doesn’t perform NAT. Check that a site-specific NAT rule exists, that it matches the traffic correctly (source, destination, interfaces), and that the rule order ensures NAT is applied to this traffic path. The other options would impact connectivity or transport characteristics rather than the data policy NAT behavior: an OSPF neighbor issue would affect routing adjacencies, a VLAN mismatch on the WAN interface would disrupt transport tagging, and an STP failure would impact LAN switching rather than centralized NAT policy.