Technical Tip: Asymmetric traffic observed with IPsec over TCP in an SD-WAN dual WAN setup

Two WAN interfaces, wan1 and wan2, have been set up in SD-WAN:

wan1 IP: 10.1.1.2/30

wan2 IP: 172.16.1.2/30

SD-WAN configuration: 

config system sdwan
    set status enable
    config zone
        edit "Underlay"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "Underlay"
            set gateway 10.1.1.1
        next
        edit 2
            set interface "wan2"
            set zone "Underlay"
            set gateway 172.16.1.1
        next

This issue occurs with TCP. The tunnel configuration is shown below.

config vpn ipsec phase1-interface
    edit "Tunnel_with_wan1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set localid "wan1"
        set wizard-type static-fortigate
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set network-overlay enable
        set network-id 1
        set remote-gw 192.168.1.2
        set assign-ip disable

              set transport tcp
        set psksecret ENC xxxxxx
    next
    edit "Tunnel_with_wan2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set localid "wan2"
        set wizard-type static-fortigate
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set network-overlay enable
        set network-id 2
        set remote-gw 192.168.1.2
        set assign-ip disable

              set transport tcp
        set psksecret ENC xxxxxx
    next

During tunnel negotiation, it was observed that the SYN packets come in on one interface (wan1) while the SYN/ACK packets go out through another interface (wan2).

2025-06-23 03:05:11.766062 wan1 in 192.168.1.2.51717 -> 10.1.1.2.443: syn 164043747

2025-06-23 03:05:11.766215 wan2 out 10.1.1.2.443 -> 192.168.1.2.51717: syn 3416450666 ack 164043748
2025-06-23 03:05:12.780219 wan1 in 192.168.1.2.51717 -> 10.1.1.2.443: syn 164043747
2025-06-23 03:05:12.780281 wan2 out 10.1.1.2.443 -> 192.168.1.2.51717: syn 3416450666 ack 164043748

This behavior has been observed when using any ike-tcp-port.

The behavior has been reported in engineering case 1172040 and has been resolved in v7.4.9, v7.6.4, and v8.0.0.

The workaround in the current version is as follows:

• Create a policy route with the parent interface:

config router policy

edit 1

set src 10.1.1.2/255.255.255.254
set output-device "wan1"

next 

end

• Enable the 'ike-policy-route':

config system setting

set ike-policy-route enable

end

Related article:

Troubleshooting Tip: IKE over TCP sessions fail due to asymmetric return traffic in dual WAN environments