Skip to main content
Sadhi_Jayz
Sadhi_Jayz
Explorer
October 13, 2025
Question

ADVPN/SD-WAN – Forcing Return Traffic to Use the Same Tunnel

  • October 13, 2025
  • 3 replies
  • 902 views

Hello Fortinet Community,

 

I have an SD-WAN deployment where a branch site establishes two IPsec tunnels to the head office.

 

The SD-WAN rule at the branch is configured so that traffic destined for the head office uses Tunnel 1 by default, and Tunnel 2 is only preferred if Tunnel 1 is unavailable.

 

SP1.png

 

During a recent incident, we noticed that a printer management server at the head office attempted to communicate with a branch printer.

 

Screenshot Taken from Head Office FGScreenshot Taken from Head Office FG

(Printer MGMT server in Head Office - 10.128.0.220 & Printer in Branch - 10.242.89.19)  

 

In this case, the head office firewall selected Tunnel 2 as the outbound path. The branch firewall, however, responded via Tunnel 1, which caused the session to fail.

As a temporary workaround, we disabled Tunnel 2 on the branch firewall, and communication was restored. Obviously, this is not an ideal long-term solution.

 

My question is:
Is there a way to configure the branch firewall so that it returns traffic through the same tunnel it was received on?

 

Additional context:

 

  • Routing is handled using OSPF (not BGP)

 

Any advice or best practices would be greatly appreciated.

 

Thank you.

3 replies

AEK
SuperUser
AEK
SuperUser
October 13, 2025

Hi Sadhi

In case Tunnel 1 is down on site 1, then it should goes automatically down on site 2 as well, right? And then SD-WAN will send the traffic only through Tunnel 2 from both sides, right?

AEK
    Sadhi_Jayz
    Sadhi_JayzAuthor
    Explorer
    October 13, 2025

    Hi AEK,

     

    Thanks for the reply.

     

    Yes, when either IPSec1 or IPSec2 goes down at the branch, the printer and the printer management server can communicate via the remaining tunnel without any issue.

    The problem occurs when both IPSec1 and IPSec2 are up. We configured the branch firewall to prioritize IPSec1 using an SD-WAN manual rule, since it has the better underlying ISP. However, all sessions initiated from the head office to the branch are still being sent through IPSec2 from the hub (head office) firewall. Because of this, the session between the printer server and the printer does not get established. In the head office firewall logs, return bytes show as 0, and on the branch firewall there are no logs at all for this session. If I disable either IPSec tunnel at the branch, communication works as expected.

    What I need is to ensure this communication continues to work while keeping both tunnels up.

    funkylicious
    SuperUser
    funkylicious
    SuperUser
    October 13, 2025

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Usage-of-overlay-stickiness-in-multiple-overlay/ta-p/291157 

    "jack of all trades, master of none"
    AEK
    SuperUser
    AEK
    SuperUser
    October 13, 2025

    Hi Sadhi

    I understand.

    By default in FortiGate, the reply traffic is always sent back through the same interface from which the request traffic has entered. And in my understanding this should be also the case for IPsec/SD-WAN. Unless you enabled asymmetric routing or auxiliary sessions. Did you enable one of them?

    AEK
    Terms & ConditionsAccessibility statement