FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vjoshi_FTNT
Staff
Staff
Article Id 192526

Description

 

This article explains what happens to the traffic when the VPN tunnel goes down with respect to the routing on the FortiGate.


Solution

 

In this scenario, it is assumed that there is a site-to-site VPN between two FortiGates already configured and working.

There are two cases to consider:

 

  1. When the VPN tunnel is down.
  2.  When the VPN tunnel comes back up.

 

  • Usually, when the tunnel is up, the traffic between the two sites happens across the VPN tunnel.

Case 1: When the Tunnel is brought down:

 

  • Using ping to test the traffic.

On-Site A, ping is initiated from a PC:

  • The request reaches the FortiGate.
  •  On the FortiGate, route look-up is done. As the tunnel is down, the request is not sent out through the IPsec tunnel, however, the default route is chosen and sent out.
  •  ISP drops it as the remote host is a private IP.

Case 2: When the Tunnel is up:

  •  If there is a continuous ping request, it hits the same session on the FortiGate and uses the same route in the route cache.
  • Because of the initial request, there is a session created on the FortiGate, and will hold that session for a specific time (based on the session-TTL).
  • By default, the session-TTL for the ICMP is 1 minute.
  • So, if the ping request is re-initiated within this session-ttl time (1 min), the request hits the same session and will never be able to reach the actual destination.

The session can be cleared in this case or wait for the idle timeout to expire.

The solution to avoid such a situation to occur is as follows:

  • On a working site-to-site VPN configuration, there should be already a static route created for the remote destination.
  • Now, create a black hole route on the FortiGate for the same destination network with a higher distance than the original one (by default it takes a distance '10'). It's mandatory to note that you can't use AD of 255, because 255 is a special value which means that the route should never be used. (and always discards routes whose preference value is 255).

Syntax for the black hole route:


config router static
    edit {sequence_number>
        set blackhole enable
        set distance 50
        set dst [destination-address_ipv4mask>
    end


This route is active when the tunnel is down.
By adding this route the FortiGate is being told to drop the requests silently.

  • So, there are no sessions added on the FortiGate and hence the ping test or the actual traffic or probes should return an immediate response when the tunnel is up.

This also helps in making the network more secure because the traffic that is supposed to enter the encrypted tunnel is now not pushed to the default route (ISP) when the tunnel is down.

 
Note:
If the site-to-site VPN was configured using IPsec Wizard, the blackhole route will be created automatically with an administrative distance of 254. Due to hardware limitations, only a specific number of static routes can be created. The maximum number of static routes can be verified here.
To conserve the number of available static routes, it is possible to put all remote subnets of IPsec tunnels in a single address group and create only one black hole route. Under address/address group objects, make sure 'Static route configuration' is enabled. 
 
addgroup.PNG

 

blackhole.PNG