7.2 version ADVPN on Hybrid underlay scenarios

Hello rajamanickam, 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Thanks, 

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Hello again Rajamanickam,

I found this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Policy-route-on-ADVPN-HUB-with-multiple-overlays/ta-p/225484

Can you tell me if it can help you?

Thanks!

Hello rajamanickam and thanks for your patience!

I spoke with several engineers and the best approach would be to open a ticket over a remote session so we can help you better with this issue :)

Thanks a lot for your patience and do not hesitate if you have anymore questions.

Hi Rajamanickam,

we are also in a process of implementing ADVPN on two hybrid transports. Internet SDWAN configuration completed - and now will be approaching to MPLS ADVPN - 

I also faced the same issue for the return traffic, when one of the spokes failovers to different transport. to resolve this, PBR can be utilized,  

like, if spoke1, fails over to MPLS from Internet - then you can have PBR on hub, saying, whatever traffic comes from Spoke1 MPLS-ADVPN Interface - should go out with MPLS-ADVPN interface from HUB - 

other way is to use to communities i believe -  

let me know if you already got any solution for same - 

Hi,

  This PBR is for overlay stickiness and initially few packets from spoke1 will use MPLS to form ADVPN with spoke 2 on MPLS link but later once internet ADVPN child tunnel gets flushed (since one side internet is down), traffic on spoke 1 will be shifting to internet link since your sdwan rule has internet as preferred member over MPLS.. Now traffic from Spoke 1 will internet and reach hub, hub then routes that traffic over MPLS to spoke 2 (Since spoke 2 inet is down), now spoke 2 receives this packet and since it dont have spoke 1 branch route learnt through MPLS parent tunnel (Parent tunnel will be masked since we have child tunnel already formed with MPLS), it causes RPF at spoke 2 and packet gets dropped..

Solution I could think of it to avoid RPF is to have default route for all overlay interfaces to avoid this scenario (MPLS and Inet overlay interfaces). Of course in hybrid setup there will be use cases to have central internet breakout as backup solution for local internet breakout... In this scenario you should either have a default static route to overlay zone or have default route advertised from hub through all overlay paths to spoke over BGP..

Another option when you dont want to have default route, is to change the SDWAN rule order to have MPLS to be preferred once we seen inet child tunnel gets flushed. Instead of doing this manually, automation stitch with event logs as trigger can be used to change the sdwan rule order when spoke 2 inet goes down..