Technical Tip: Return/Reply traffic is not matching policy routes in SD-WAN setup
Description
This article explains why reply traffic may not match any of the configured policy routes or SD-WAN rules.
Solution
When a session is initiated from the Internet to the LAN segment behind the FortiGate, the traffic enters through one interface, and the reply traffic may be observed leaving through a different interface than the original incoming one (if there are multiple routes to reach the actual source), even though a specific policy route or SD-WAN rule for the return traffic is configured.
From firmware 6.4.0 GA, reply traffic not matching the configured policy routes or SD-WAN rules is expected, due to a behavior change.
Firmware 6.2.x is not affected. Verify the configuration below on the FortiGate to mitigate this issue:
- Verify whether there are multiple routes pointing to the actual source, either through multiple static routes or a single route pointing to SD-WAN.
- Check whether asymmetric routing is enabled. If VDOMs are configured, check inside the respective VDOM configuration.
show full system settings | grep asymroute
set asymroute disable
set asymroute-icmp disable
set asymroute6 disable
set asymroute6-icmp disable
Note:
As of v7.6.5 and later, the default setting for 'asymroute-icmp' and 'asymroute6-icmp' has changed from disabled to enabled (in earlier FortiOS versions, the default for these settings was disabled).
- Check whether the auxiliary session is enabled or disabled. If VDOMs are configured, check inside the respective VDOM configuration.
show full system settings | grep aux
set auxiliary-session disable
Use case 1.
If asymmetric routing is enabled, the reply traffic goes out of any of the configured interfaces according to the routing table, whether the auxiliary session is enabled or disabled.
It is not necessary for the reply traffic to go out of the original incoming interface.
With asymmetric routing enabled, traffic always takes the best route in both directions.
Use case 2.
If asymmetric routing is disabled, the reply traffic can be forced out of the original incoming interface by disabling the auxiliary session, even though there are multiple routes to reach the actual source.
Note:
In any situation, the reply traffic does not search policy routes or SD-WAN rules in firmware 6.4.x.
The policy-route check is retained in firmware 7.0.1, where the reply traffic will look for a policy route (proute) match.
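The two use cases and the firmware note above can be turned into a small offline audit of saved CLI output. The following is an added example, not part of the original article or of FortiOS itself; the sample output is constructed, the per-VDOM `edit` layout and the default of `asymroute` being disabled when absent are assumptions.

```python
import re

# Constructed sample of 'show full system settings' output with two VDOMs (not from a real device).
SAMPLE = """\
config vdom
edit root
config system settings
    set asymroute disable
    set auxiliary-session enable
end
next
edit customer1
config system settings
    set asymroute disable
    set auxiliary-session disable
end
next
end
"""

def parse_settings(text):
    """Return {vdom: {key: value}} from 'set <key> <value>' lines.
    Output without a 'config vdom' block is filed under 'root'."""
    vdoms, current = {}, "root"
    for line in text.splitlines():
        m = re.match(r"\s*edit\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*set\s+(\S+)\s+(\S+)", line)
        if m:
            vdoms.setdefault(current, {})[m.group(1)] = m.group(2)
    return vdoms

def return_path(settings):
    """Apply the article's two use cases to one VDOM's system settings."""
    if settings.get("asymroute", "disable") == "enable":  # assumption: absent means disable
        return "routing-table"           # use case 1: best route, aux session irrelevant
    aux = settings.get("auxiliary-session")
    if aux is None:
        return "unknown"                 # not in the output; check the VDOM explicitly
    return "routing-table" if aux == "enable" else "original-interface"  # use case 2

def policy_routes_checked(version):
    """True if reply traffic is matched against policy routes/SD-WAN rules (per the article);
    None for versions the article does not cover."""
    v = tuple(int(p) for p in version.split("."))
    if v[:2] == (6, 2):
        return True
    if v[:2] == (6, 4):
        return False
    return True if v >= (7, 0, 1) else None

def audit(text, version):
    """Per-VDOM verdict: where the reply egresses and whether policy routes are consulted."""
    return {vdom: (return_path(s), policy_routes_checked(version))
            for vdom, s in parse_settings(text).items()}
```

Run `audit(SAMPLE, "6.4.5")` to see that only `customer1` pins the reply to the original incoming interface, and that neither VDOM consults policy routes on that firmware.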
Related document:
Controlling return path with auxiliary session
