ADVPN - Dual WAN connectivity on spokes
Hi all,
This is my first post on these forums, so hello to everybody :)
I'm going to start by asking a question I don't expect many people to be able to answer, but I hope somebody who is familiar with BGP and ADVPN can crack this one. I have labbed up the below scenario and it's working great. Hub/spoke topology with direct spoke-to-spoke connectivity on demand.
http://cookbook.fortinet.com/configuring-advpn-in-fortios-5-4-dynamic-hub-and-spoke-vpns/
I have got a bit more adventurous and added a secondary WAN connection to each firewall, and added a second round of ADVPN config/VPNs to establish tunnels over the new WAN connection in a bid to achieve ADVPN redundancy should the primary VPNs fail.
The interesting bit is that it does work (kind of). If I shut the VPNs down on the hub it works: both spokes will speak to the hub via the second VPN tunnel and agree new spoke-to-spoke connectivity over the secondary connection. However, it does not work if I shut the VPN tunnel down on the spokes themselves; I seem to get a recursive lookup error.
This is the BGP table showing routes for the spoke-to-spoke flow with both VPNs up.
OFFICE-FG-ADVPN-IBGP # get router info routing-table bgp
B       10.1.1.0/24 [200/0] via 172.16.1.1, ADVPN, 00:00:01
B       10.2.2.0/24 [200/0] via 172.16.1.2, ADVPN_0, 00:00:01
After I shut the primary WAN VPN down on the hub, it fails over to use the secondary:
OFFICE-FG-ADVPN-IBGP # get router info routing-table bgp
B       10.1.1.0/24 [200/0] via 172.16.2.1, ADVPN-MPLS, 00:01:42
B       10.2.2.0/24 [200/0] via 172.16.2.2, ADVPN-MPLS_0, 00:00:01
And this is the issue when all VPNs are up on the hub and I shut down a VPN on one of the spokes.
OFFICE-FG-ADVPN-IBGP # get router info routing-table bgp
B       10.1.1.0/24 [200/0] via 172.16.2.1, ADVPN-MPLS, 00:00:17
B       10.2.2.0/24 [200/0] via 172.16.1.2 (recursive is directly connected, unknown), 00:00:16
The issue looks to be that the route for 10.2.2.0/24 (the other spoke) is being learned from the hub but with a next hop (172.16.1.2) that is routed over the same VPN tunnel I just shut down. So there is no way it can use 172.16.1.2 as a next hop, as there is a static route saying route 172.16.1.0/24 over the VPN interface, which is down. (This route is required according to the above article.)
"This is an important special step for the spokes as they need a summary route that identifies all tunnel IP used over your topology to point towards the ADVPN interface. In our example, we use 10.10.10.0/24 (if our network planning expects less than 255 sites). Be sure to adequately plan this IP range as it needs to be hardcoded in the spokes."
I have logged this with TAC support but doubt they will help me with this. Does anyone know how to fix my issue?
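An added example, not part of the original post or of Fortinet's cookbook: a small Python model of the recursive next-hop lookup described in the post. It reproduces the three routing-table states shown above by longest-prefix-matching each iBGP next hop against the spoke's non-BGP routes and checking whether the matched interface is up. The interface names and tunnel IPs are taken from the post's output; the assumption that an ADVPN shortcut installs a /32 host route for the peer's tunnel IP, and the hub reflecting the other spoke's route with its original next hop, are modelling assumptions, not verified FortiOS behaviour.

```python
import ipaddress

# Constructed model of the spoke's route resolution (assumptions, not device config).
# Summary static routes the cookbook requires on each spoke, one per WAN.
STATIC_ROUTES = [
    ("172.16.1.0/24", "ADVPN"),        # primary-WAN tunnel IP range
    ("172.16.2.0/24", "ADVPN-MPLS"),   # secondary-WAN tunnel IP range
]


def resolve_next_hop(next_hop, routes, iface_up):
    """Longest-prefix-match next_hop against the non-BGP routes.

    Returns the egress interface, or None when there is no match or the best
    match points at an interface that is down (what FortiOS prints as
    'recursive is directly connected, unknown')."""
    addr = ipaddress.ip_address(next_hop)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None or not iface_up.get(best[1], False):
        return None
    return best[1]


def bgp_table(bgp_routes, shortcut_routes, iface_up):
    """Map each iBGP prefix to the interface its next hop resolves to."""
    routes = STATIC_ROUTES + shortcut_routes
    return {p: resolve_next_hop(nh, routes, iface_up) for p, nh in bgp_routes.items()}


def scenario_all_up():
    # Both WANs up; a shortcut (ADVPN_0) to the other spoke exists over the
    # primary. Assumed here: the shortcut installs a host route for the peer's
    # tunnel IP, which is more specific than the /24 summary.
    iface_up = {"ADVPN": True, "ADVPN_0": True, "ADVPN-MPLS": True}
    shortcuts = [("172.16.1.2/32", "ADVPN_0")]
    bgp = {"10.1.1.0/24": "172.16.1.1", "10.2.2.0/24": "172.16.1.2"}
    return bgp_table(bgp, shortcuts, iface_up)


def scenario_hub_shuts_primary():
    # Hub drops its primary tunnel: every peer re-establishes over the
    # secondary, so the hub advertises both prefixes with secondary-range next
    # hops and the new shortcut (ADVPN-MPLS_0) forms over the secondary.
    iface_up = {"ADVPN": False, "ADVPN_0": False,
                "ADVPN-MPLS": True, "ADVPN-MPLS_0": True}
    shortcuts = [("172.16.2.2/32", "ADVPN-MPLS_0")]
    bgp = {"10.1.1.0/24": "172.16.2.1", "10.2.2.0/24": "172.16.2.2"}
    return bgp_table(bgp, shortcuts, iface_up)


def scenario_spoke_shuts_own_primary():
    # Only this spoke drops its primary tunnel. The hub still reaches the other
    # spoke over the primary and (assumed) reflects that route with its original
    # iBGP next hop 172.16.1.2. On this spoke that next hop only matches the
    # summary route via ADVPN, which is now down, so the route is unresolved.
    iface_up = {"ADVPN": False, "ADVPN_0": False, "ADVPN-MPLS": True}
    bgp = {"10.1.1.0/24": "172.16.2.1", "10.2.2.0/24": "172.16.1.2"}
    return bgp_table(bgp, [], iface_up)


if __name__ == "__main__":
    for name, fn in [("all up", scenario_all_up),
                     ("hub shuts primary", scenario_hub_shuts_primary),
                     ("spoke shuts own primary", scenario_spoke_shuts_own_primary)]:
        print(f"--- {name} ---")
        for prefix, iface in fn().items():
            print(f"B {prefix} via {iface or '(recursive lookup failed)'}")
```

Running it prints the same resolution outcome as the three `get router info routing-table bgp` outputs in the post: the third scenario is the only one where a next hop falls into a summary route whose interface is down, and the only difference from the second scenario is that the hub's own routes still carry the primary-range next hop.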
