Carlosc
New Member
April 14, 2025
Question

SD WAN Issue routing

Hello

I've configured an SDWAN with three different ISPs, but outgoing traffic always goes out the same interface. Download traffic, on the other hand, comes in through any of the interfaces.
On checking, I've seen that if I send internet requests from my ISP2, they go out through ISP1 (pinging from the FortiGate itself).

I have disabled asymroute and auxiliary-sessions. But they still go out through my ISP1. It uses NAT from ISP2 and ISP3 to exit through ISP1, which causes packet loss.
My static routes 0.0.0.0/0 point to the SDWAN interface, not to the members.

If I check the SDWAN monitor, my ISP2 and ISP3 interfaces have some download traffic, but the outbound traffic is very low. Meanwhile, my ISP1 interface is saturated with outbound traffic.

The Forti version I'm using is 7.4.7 with Central NAT enabled.
In my Central NAT rule, I have my local and outgoing interfaces, the three interfaces that make up the SDWAN, and three IP pools assigned to the corresponding interfaces.

If anyone could guide me, I would appreciate it.
Thank you very much.

1 reply

atakannatak
Explorer
April 14, 2025

Hi @Carlosc ,
You're running into a typical SD-WAN egress path selection issue on FortiGate, especially in a multi-ISP setup with Central NAT and IP Pools. Here's an explanation of how to fix it:
  1. SD-WAN Service Rules: Create and apply service rules for 0.0.0.0/0 traffic using appropriate load balancing methods (e.g., volume-based, session-based, or SLA-based). Ensure that outbound internet traffic is handled according to defined performance or cost-based criteria. This helps optimize traffic distribution across available WAN links based on the defined strategy (such as latency, jitter, or bandwidth thresholds).
  2. Central NAT Matching: Verify that each defined IP Pool in Central NAT is correctly associated with its respective outgoing interface. This ensures that NAT is applied properly for traffic exiting different WAN links. Incorrect IP pool-to-interface mapping may result in failed connections or mismatched NAT policies.
  3. Interface Priority & SLA: Configure health checks (e.g., ping, HTTP, DNS) for each interface and assign priority levels to member interfaces within SD-WAN service rules. This ensures that SD-WAN intelligently selects the best-performing interface based on real-time link health and user-defined priority, maintaining application availability and performance.
  4. Routing Table & Monitoring: Confirm that traffic is routed according to SD-WAN rules rather than default static routes or fallbacks. Use tools like the FortiGate Forwarding Table (get router info routing-table all) or SD-WAN Monitor to validate that the intended paths are being used, and not bypassed due to misconfiguration.
BR.
If my answer provided a solution for you, please mark the reply as the solution so that others can find it easily when searching for similar scenarios.
CCIE #68781

Carlosc (Author)
New Member
April 14, 2025

I'm checking the points you mentioned.

These are my routes:
S* 0.0.0.0/0 [1/0] via 77.225.xxx.xx, Vodafone_300mb, [1/0]
              [1/0] via 188.87.xxx.xxx, Vodafone_600mb, [1/0]
              [1/0] via 192.168.0.1, Movistar_100mb, [1/0]

For the Movistar_100mb interface, I have created a source NAT rule in Central NAT using an associated IP pool.
For the other two interfaces, I have outbound Central NAT rules that use the interface IPs.
All are separate, one rule per interface.

My SDWAN configuration is as follows:

config service
    edit 1
        set name "internet_cadit"
        set load-balance enable
        set mode sla
        set dst "all"
        set src "users_lan" "fondos_lan" "server_lan" "outsourcing_lan" "monitoring_lan" "ubscont_lan" "sslvpn_subnet_int"
        config sla
            edit "ping_dns_google"
                set id 1
            next
        end
        set priority-zone "internet_sdwan"
    next
end

My SDWAN routes are:

0.0.0.0/0 1 192.168.0.1 20 (movistar_100mb)
0.0.0.0/0 1 77.225.xxx.xxx 21 (vodafone_300mb)
0.0.0.0/0 1 188.87.xxx.xxx 34 (Vodafone_600mb)

But all traffic goes out through the Movistar_100mb interface. The other interfaces have download traffic, but no outgoing traffic.

I'm very confused. I've followed the manual to the letter, but I can't find the key.

Thank you very much.
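To tie atakannatak's steps and the rule Carlosc posted into one consistent configuration, here is an added FortiOS CLI example (it is not from either poster): it defines the three members inside the zone, the health check that the rule references, and the SLA rule itself. Interface, zone, rule and health-check names are taken from the thread; the Vodafone gateway addresses, the probe server and the SLA thresholds are placeholders and assumptions, and the syntax assumes the config system sdwan tree of FortiOS 7.4.

```fortios
config system sdwan
    config zone
        edit "internet_sdwan"
        next
    end
    config members
        edit 1
            set interface "Movistar_100mb"
            set zone "internet_sdwan"
            set gateway 192.168.0.1
        next
        edit 2
            set interface "Vodafone_300mb"
            set zone "internet_sdwan"
            set gateway 77.225.0.1
        next
        edit 3
            set interface "Vodafone_600mb"
            set zone "internet_sdwan"
            set gateway 188.87.0.1
        next
    end
    config health-check
        edit "ping_dns_google"
            set server "8.8.8.8"
            set members 1 2 3
            config sla
                edit 1
                    set latency-threshold 250
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "internet_cadit"
            set mode sla
            set load-balance enable
            set src "users_lan"
            set dst "all"
            config sla
                edit "ping_dns_google"
                    set id 1
                next
            end
            set priority-zone "internet_sdwan"
        next
    end
end
```

SD-WAN rules steer traffic passing through the FortiGate, so test from a host behind the rule rather than with a ping sourced from the unit itself, and read `diagnose sys sdwan service` and `diagnose sys sdwan health-check` to see which members currently meet the SLA and are eligible for the rule.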