jd653687
Visitor III
April 10, 2017
Question

Routing goes wrong


Hello All,

I have a Site-to-Site VPN, and when the VPN is not connected and we try to open a browser to open a site in the branch office we get a time-out; when the VPN is rebuilt and we try again, we still get a time-out. When debugging this on the Fortigate we see that it is looking for an already created session and reuses that session again. But this session goes out over the WAN and not the VPN. We need to clear the session so it takes the right path.

The priority for the WAN is 10 and the VPN is 5. Running a Fortigate 51E with firmware 5.4.1

Is there a way to force the connection use the VPN route and not the WAN?

And if it uses the WAN connection and the VPN is reconnected then force the VPN path?


Thanks in advance.

    1 reply

    Somashekara_Hanumant
    Staff & Editor
    April 10, 2017
    ede_pfau
    SuperUser
    April 10, 2017

    No, "policy route" totally misses the point here.


    You need to prevent the FGT from creating a session for traffic which is aimed at a VPN tunnel in the first place. The key here is "blackhole routing".

    This has been discussed quite a few times in the forums. Please see https://forum.fortinet.com/tm.aspx?m=132141 for an explanation and the remedy.
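    As an added illustration of the blackhole-route remedy the reply points to (example configuration written for this page, not taken from the thread or the linked post): a route-based (interface-mode) tunnel named `to-branch` and a branch LAN of 192.168.20.0/24 are assumed, with the tunnel route at distance 5 as in the question. While the tunnel is up its static route carries the branch traffic; when the tunnel interface goes down that route leaves the routing table and the more specific blackhole route for the same prefix takes over, so new sessions to the branch are discarded instead of matching the WAN default route and being cached.

```fortios
# Assumed names/addresses: tunnel interface "to-branch", branch LAN 192.168.20.0/24.
config router static
    # Preferred path: via the IPsec tunnel interface. Only present in the
    # routing table while the tunnel is up.
    edit 10
        set dst 192.168.20.0 255.255.255.0
        set device "to-branch"
        set distance 5
    next
    # Fallback for the same prefix: discard. Higher distance than the tunnel
    # route, so it is inactive while the tunnel is up; being a /24 it still
    # beats the 0.0.0.0/0 default route on the WAN once the tunnel route is gone.
    edit 11
        set dst 192.168.20.0 255.255.255.0
        set blackhole enable
        set distance 200
    next
end

# One-off cleanup of sessions already pinned to the WAN before the blackhole
# route existed (192.168.20.10 is an assumed branch host):
diagnose sys session filter clear
diagnose sys session filter dst 192.168.20.10
diagnose sys session clear
```

    After the change, `get router info routing-table all` should show the `192.168.20.0/24` entry flip between the tunnel route and `Null` as the tunnel goes down and comes back, which is the behaviour the reply describes.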