mateusguilherme
Explorer II
October 15, 2024
Solved

fortisandbox and SDWAN rules


Hello

 

I'm having problems with local traffic generated by Fortigate and SDWAN rules. When one of the links that make up our SDWAN goes offline, I receive the following error message:

 

"unable to connect to fortisandbox. Either the appliance is not reachable or this fortigate is not authorized"

 

Then users start receiving SSL certificate error messages when they try to access a web page, or a message like this:

 

"Web Page Blocked
An error occurred while trying to rate the website using the webfiltering service. Web Filter Service Error no correct FortiGuard information"

 

I tried the following commands (available at: link) but the problem persists:

config log fortiguard setting
    set interface-select-method sdwan
end
config system fortiguard
    set interface-select-method sdwan
end

I have a 60F with version 7.0.13 build 0566 (Mature)

Best answer by AEK

Maybe I'm misunderstanding something in your request, but do you expect the traffic to still be sent through the PPPoE link even if it goes down?

When an interface goes down, any route through that interface is automatically removed from the routing table. That's the normal behavior, otherwise routing will not work properly. I don't think there is a way to change this behavior.


asoni
Staff
October 15, 2024

Hello,

When one of the links goes down in SDWAN, does that default route get removed?

You can check available default route using the following command:

# get router info routing-table details 0.0.0.0

 

Also, are you able to ping the FQDNs below when the issue occurs?

# exec ping service.fortiguard.net

# exec ping update.fortiguard.net

# exec ping guard.fortinet.net

 

For more details about FortiGuard server connectivity, please refer to the following article:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-connect-to-FortiGuard-servers/ta-p/226149

 

thank you

 



mateusguilherme
Explorer II
October 16, 2024

Apparently the problem only happens when the link involved is a PPPoE link. It seems that the performance SLA cannot disable the default route of this link when it is a PPPoE interface with a fixed gateway set. I will do some more tests.

AEK
SuperUser
October 16, 2024

In your PPPoE interface settings, try setting the route distance to something higher, like 30. And in your SD-WAN settings, set the same interface's gateway to dynamic.

AEK
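
AEK's two suggestions above written out as FortiOS CLI, as an added example that is not part of the original thread. The interface name `wan1` and member ID `1` are placeholders, and `unset gateway` is assumed to return the member to the 0.0.0.0 default that the GUI shows as a dynamic gateway.

```fortios
# PPPoE interface: raise the distance of the route it installs
# ("wan1" is a placeholder; 30 is the value from the reply above)
config system interface
    edit "wan1"
        set mode pppoe
        set distance 30
    next
end

# SD-WAN member for the same interface: remove the fixed gateway
# (member ID 1 is a placeholder; unset is assumed to mean "dynamic")
config system sdwan
    config members
        edit 1
            set interface "wan1"
            unset gateway
        next
    end
end

# Re-check the default routes with the command from asoni's reply
get router info routing-table details 0.0.0.0
```

Run the last command once with the PPPoE link up and once with it down, then repeat the FortiGuard pings from asoni's reply to confirm that locally generated traffic follows the remaining link.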