rmreddy
Staff
December 11, 2025

Technical Tip: Management traffic is not matching to specific interface even when route is available

Description
This article describes how management traffic flows when multiple routes are active over multiple interfaces for the destination.

Scope
FortiGate.

Solution
  • In many cases, a route is active over multiple interfaces; however, management traffic is not routed to a specific interface even though a policy route or SD-WAN rule is configured for it.
  • Management traffic does not match policy routes, SD-WAN rules, or configured policies. It is routed to an interface based only on the available kernel routes.

Example:

The 192.168.1.0/24 network route is available over multiple tunnels, i.e. spoke 1, spoke 2, and spoke 3. FortiManager has the IP address 192.168.1.4, and the requirement is that FortiManager traffic be routed to the spoke 3 tunnel.

 

  • Because routes are active over tunnels spoke 1, spoke 2, and spoke 3, the traffic is routed randomly over any of the three tunnels, even though a policy route to spoke 3 is configured.
  • To resolve this, create a static route with destination 192.168.1.4/32 and tunnel interface spoke 3, so that traffic for the FortiManager IP is always routed to tunnel interface spoke 3 while the route is active.
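
The lookup described above, modelled as an added Python example (not FortiOS code and not part of the original article): it applies longest-prefix matching, the general rule behind the /32 fix, and also shows what happens when spoke 3 is down and the host route is inactive. The interface names `spoke1`, `spoke2`, `spoke3` and the helpers `Route` and `egress_candidates` are hypothetical, and all routes are assumed to have equal distance and priority.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str      # destination prefix
    device: str   # egress interface (names here are assumptions)


def egress_candidates(routes, up_interfaces, dst_ip):
    """Return the interfaces a plain routing-table lookup may use for dst_ip.

    Policy routes and SD-WAN rules are deliberately not an input: the article
    states that management traffic does not match them.
    """
    ip = ipaddress.ip_address(dst_ip)
    # A route is active only while its interface is up.
    active = [
        (ipaddress.ip_network(r.dst), r.device)
        for r in routes
        if r.device in up_interfaces
    ]
    matching = [(net, dev) for net, dev in active if ip in net]
    if not matching:
        return set()
    # Longest prefix wins; routes tied on prefix length share the traffic.
    longest = max(net.prefixlen for net, _ in matching)
    return {dev for net, dev in matching if net.prefixlen == longest}


# Constructed sample data based on the article's example.
FMG_IP = "192.168.1.4"
TUNNEL_ROUTES = [Route("192.168.1.0/24", d) for d in ("spoke1", "spoke2", "spoke3")]
HOST_ROUTE = Route("192.168.1.4/32", "spoke3")
ALL_UP = {"spoke1", "spoke2", "spoke3"}

if __name__ == "__main__":
    print("before fix:", sorted(egress_candidates(TUNNEL_ROUTES, ALL_UP, FMG_IP)))
    print("after fix: ", sorted(egress_candidates(TUNNEL_ROUTES + [HOST_ROUTE], ALL_UP, FMG_IP)))
    print("spoke3 down:", sorted(egress_candidates(
        TUNNEL_ROUTES + [HOST_ROUTE], ALL_UP - {"spoke3"}, FMG_IP)))
```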

 

An alternative approach, beyond configuring the tunnel interface IP address, available in FortiOS 7.4.0 and later, involves setting the preferred source (see Technical Tip: Configuring preferred-source in source IP for local-out traffic) in static routes or SD-WAN members. The newly specified preferred-source address will be applied to all local-out management traffic routed through that path.

To check the debug flow, follow the instructions in Technical Tip: Debug flow tool.

To identify active and inactive routes in the firewall, follow the instructions in Technical Tip: How to identify inactive routes in the Routing Table.