In FortiGate forward traffic logs, the SD-WAN quality field (vwlquality) can name a different member than the destination interface field (dstintf). In the log below the session was sent out of IPSEC1 (dstintf="IPSEC1"), yet vwlquality references IPSEC2:
date=2024-09-02 time=14:40:38 id=7138854284459770175 itime="2024-09-02 14:40:38" euid=3 epid=1042 dsteuid=3 dstepid=1469 logflag=32 logver=700060366 type="traffic" subtype="forward" level="notice" action="accept" policyid=1073741844 sessionid=3707771 srcip=10.55.116.15 dstip=10.11.116.70 srcport=56219 dstport=64475 trandisp="noop" duration=80608 proto=6 sentbyte=1263487 rcvdbyte=5458 sentdelta=9660 rcvddelta=0 sentpkt=8480 rcvdpkt=21 logid=0000000020 service="tcp/64475" app="tcp/64475" appcat="unscanned" srcintfrole="undefined" dstintfrole="undefined" policytype="policy" shapingpolicyid=1073741844 eventtime=1662144038449865840 vwlid=2 poluuid="a5c9052-4933-51ec-d07e-211fe8dff" srccountry="Reserved" dstcountry="Reserved" srcintf="port2" dstintf="IPSEC1" vpntype="ipsecvpn" policyname="R_WAN_Traffic" vwlquality="Seq_num(3 IPSEC2), alive, latency: 24.989, selected" tz="-0400" vwlname="SDWAN-DATA" psrcport=61358 pdstport=135 devid="FG100FTKXXXXXXX" vd="root" dtime="2024-09-02 14:40:38" itime_t=1662144038 devname="fortinet"
When the reply traffic is received on a different interface (IPSEC2) than the interface the original traffic left on (IPSEC1), FortiGate keeps the session's original destination interface and does not update dstintf in the traffic log. This asymmetry can occur when, for example, an SD-WAN SLA change on the remote firewall causes it to select a different member for the return path. The sniffer trace below shows the reply arriving on IPSEC2:
2024-03-26 11:56:32.997585 lan2 in 10.10.9.89.59405 -> 10.23.10.111.161: udp 394
2024-03-26 11:56:32.997650 IPSEC1 out 10.10.9.89.59405 -> 10.23.10.111.161: udp 394
2024-03-26 11:56:33.009436 IPSEC2 in 10.23.10.111.161 -> 10.10.9.89.59405: udp 488   <----- Reply traffic arrived on a different interface than IPSEC1.
if=IPSEC1 family=00 type=768 index=56 mtu=1420 link=0 master=0 ref=54 state=start present fw_flags=10000000 flags=up p2p run noarp multicast
if=IPSEC2 family=00 type=768 index=57 mtu=1420 link=0 master=0 ref=47 state=start present fw_flags=10000000 flags=up p2p run noarp multicast
diag sys session list
session info: proto=6 proto_state=01 duration=747379 expire=3575 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=3 shaping_policy_id=10741844 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log npu netflow-origin netflow-reply intree
statistic(bytes/packets/allow_err): org=4279336/30272/1 reply=74937/227/1 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 1/0
orgin->sink: org pre->post, reply pre->post dev=12->56/57->12 gwy=38.111.181.254/10.55.65.5
hook=post dir=org act=noop 10.55.116.15:56914->10.11.116.70:51900(0.0.0.0:0)
hook=pre dir=reply act=noop 10.11.116.70:51900->10.55.116.15:56914(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)

The dev= field encodes the interface indexes as org_in->org_out/reply_in->reply_out. Here dev=12->56/57->12 shows the original direction leaving on index 56 (IPSEC1, per the interface list above) while the reply enters on index 57 (IPSEC2), which is the asymmetry that the traffic log's dstintf does not reflect.
Starting from v7.2.9 and v7.4.1, the new log fields 'replysrcintf' and 'replydstintf' are added to describe such asymmetric route cases:

- 'replysrcintf' is the source interface of the reply route.
- 'replydstintf' is the destination interface of the reply route.
- 'srcintf' is the source interface of the original route.
- 'dstintf' is the destination interface of the original route.
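As an added example (not part of the original article or of any Fortinet tooling), the following Python script shows how to detect the asymmetric reply path from the outputs shown above: it parses a key=value traffic log line, prefers the 'replysrcintf' field when a build emits it, falls back to comparing dstintf with the member named in vwlquality on older builds, and decodes the dev= indexes of the session list through the interface list. The sample inputs are constructed from the article's outputs; the port2 interface line (index=12) and the log line carrying 'replysrcintf'/'replydstintf' are assumptions made for the demonstration.

```python
from __future__ import annotations

import re
import shlex

# Constructed sample inputs, adapted from the outputs in the article.
LOG_PRE_REPLY_FIELDS = (
    'date=2024-09-02 time=14:40:38 type="traffic" subtype="forward" action="accept" '
    'srcip=10.55.116.15 dstip=10.11.116.70 srcintf="port2" dstintf="IPSEC1" '
    'vwlid=2 vwlname="SDWAN-DATA" '
    'vwlquality="Seq_num(3 IPSEC2), alive, latency: 24.989, selected"'
)
# Assumed: the same session logged by a build that emits the new reply fields
# (field names from the article, values constructed).
LOG_WITH_REPLY_FIELDS = LOG_PRE_REPLY_FIELDS + ' replysrcintf="IPSEC2" replydstintf="port2"'

# Interface list: IPSEC1/IPSEC2 lines from the article; port2 (index=12) is assumed
# so that the dev= indexes of the session below resolve to names.
IFACE_LIST = """\
if=port2 family=00 type=1 index=12 mtu=1500 link=0 master=0 ref=12 state=start present fw_flags=0 flags=up broadcast run multicast
if=IPSEC1 family=00 type=768 index=56 mtu=1420 link=0 master=0 ref=54 state=start present fw_flags=10000000 flags=up p2p run noarp multicast
if=IPSEC2 family=00 type=768 index=57 mtu=1420 link=0 master=0 ref=47 state=start present fw_flags=10000000 flags=up p2p run noarp multicast
"""

SESSION_LINE = "orgin->sink: org pre->post, reply pre->post dev=12->56/57->12 gwy=38.111.181.254/10.55.65.5"


def parse_kv_log(line: str) -> dict[str, str]:
    """Parse a FortiGate key=value log line; quoted values may contain spaces and commas."""
    fields: dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def sdwan_member_from_quality(vwlquality: str) -> str | None:
    """Extract the member name from 'Seq_num(<seq> <member>)' inside vwlquality."""
    match = re.search(r"Seq_num\(\d+\s+(\S+)\)", vwlquality)
    return match.group(1) if match else None


def asymmetric_reply(fields: dict[str, str]) -> dict[str, str] | None:
    """Return the original egress and reply ingress interfaces when they differ.

    Uses replysrcintf when present (v7.2.9 / v7.4.1 and later); otherwise falls
    back to the member named in vwlquality as a hint, since dstintf is not updated.
    """
    orig_out = fields.get("dstintf")
    if not orig_out:
        return None
    reply_in = fields.get("replysrcintf")
    evidence = "replysrcintf"
    if reply_in is None:
        reply_in = sdwan_member_from_quality(fields.get("vwlquality", ""))
        evidence = "vwlquality"
    if reply_in and reply_in != orig_out:
        return {"orig_out": orig_out, "reply_in": reply_in, "evidence": evidence}
    return None


def parse_iface_index(listing: str) -> dict[int, str]:
    """Map interface index -> name from 'if=<name> ... index=<n>' lines."""
    indexes: dict[int, str] = {}
    for line in listing.splitlines():
        match = re.match(r"if=(\S+)\s.*?\bindex=(\d+)", line)
        if match:
            indexes[int(match.group(2))] = match.group(1)
    return indexes


def session_paths(session_text: str, ifaces: dict[int, str]) -> dict[str, tuple[str, str]]:
    """Decode dev=<org_in>-><org_out>/<reply_in>-><reply_out> into interface names."""
    match = re.search(r"\bdev=(\d+)->(\d+)/(\d+)->(\d+)", session_text)
    if not match:
        raise ValueError("no dev= field in session output")
    org_in, org_out, rep_in, rep_out = (ifaces.get(int(i), f"index {i}") for i in match.groups())
    return {"org": (org_in, org_out), "reply": (rep_in, rep_out)}


if __name__ == "__main__":
    for label, line in (("pre-7.4.1 log", LOG_PRE_REPLY_FIELDS), ("log with reply fields", LOG_WITH_REPLY_FIELDS)):
        print(label, "->", asymmetric_reply(parse_kv_log(line)))
    ifaces = parse_iface_index(IFACE_LIST)
    print("session paths ->", session_paths(SESSION_LINE, ifaces))
```

On builds older than v7.2.9 / v7.4.1 the vwlquality comparison is only a hint that the currently selected SD-WAN member differs from the session's original egress interface; the session list (dev=) or a sniffer trace is the authoritative check, and the replysrcintf field removes the ambiguity on newer builds.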