RolandBaumgaertner72
New Member
July 10, 2024
Question

SD WAN Problems with 3 Internet Accesses - One is not routing out

  • 4 replies
  • 1803 views

Hi,

I have a FG60F with 7.4.4 and 3 Internet accesses with SD-WAN. I have an SD-WAN implicit rule with 40-40-20% for volume. Checking Performance SLAs, all of them seem OK, but since I have the implicit rule, I don't apply an SLA.

Now I saw that WAN1 just had like 2 sessions all the time, so I checked directly on the router and I get like 1 GB. Then I disconnected WAN2 and Internal5, which are in the SD-WAN, and I can ping from the FG but NOT from the LAN.

Sniffing the ping to 8.8.8.8 I see that traffic is not going out to the SD-WAN:

XXX-XXX # diag sniffer packet any "host 10.10.14.25" 4
interfaces=[any]
filters=[host 10.10.14.25]
0.131501 lan in 10.10.14.25.57343 -> 10.10.14.1.444: psh 3371949728 ack 4293014073
0.131567 lan out 10.10.14.1.444 -> 10.10.14.25.57343: ack 3371949814
0.142213 lan out 10.10.14.1.444 -> 10.10.14.25.57343: psh 4293014073 ack 3371949814
0.142847 lan out 10.10.14.1.444 -> 10.10.14.25.57343: psh 4293014619 ack 3371949814
0.142987 lan in 10.10.14.25.57343 -> 10.10.14.1.444: ack 4293014650


Checking routing, with only WAN1 connected I get:

XXX-XX # get router info routing-table static
Routing table for VRF=0
S 10.177.0.0/17 [254/0] is a summary, Null, [1/0]
S 192.168.0.0/24 [254/0] is a summary, Null, [1/0]

Routing table for VRF=1
S* 0.0.0.0/0 [1/0] via 192.168.168.1, wan1, [10/0]

But I can't get out to the internet from the hosts.

Connecting WAN2 and Internal5 again, I get:

XX-XXX # get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.0.1, wan2, [10/0]
[1/0] via 10.80.40.1, internal5, [10/0]
S 10.10.15.0/24 [10/0] via XXX tunnel 10.0.0.1, [1/0]
S 10.10.16.0/24 [10/0] via XX tunnel 10.0.0.4, [1/0]
S 10.177.0.0/17 [254/0] is a summary, Null, [1/0]
S 88.10.121.20/32 [10/0] via 192.168.0.1, wan2, [1/0]

Routing table for VRF=1
S* 0.0.0.0/0 [1/0] via 192.168.168.1, wan1, [10/0]

Any suggestions why I don't get out of WAN1? Again, I checked with a notebook behind the router and everything is OK, and also the FG with only WAN1 connected can ping 8.8.8.8.

Thanks,

4 replies

Quint021
Staff
July 10, 2024

Hello @RolandBaumgaertner72,

To diagnose connectivity for your LAN-to-WAN1 traffic, can you collect a debug flow for your source and destination IPs? This will show how the traffic is being processed. Please refer to the link below.

Reference: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

Kind Regards,

RolandBaumgaertner72
New Member
July 10, 2024

Hi,

Thanks, but it is not so easy to cancel access and debug with only WAN1. Routing/NAT and everything is fine; I just see a difference in the routing table. WAN2 and Internal5 are working fine and are in VRF=0, and WAN1 is in VRF=1.

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.0.1, wan2, [10/0]
[1/0] via 10.80.40.1, internal5, [10/0]
S 10.10.15.0/24 [10/0] via XXX tunnel 10.0.0.1, [1/0]
S 10.10.16.0/24 [10/0] via XX tunnel 10.0.0.4, [1/0]
S 10.177.0.0/17 [254/0] is a summary, Null, [1/0]
S 88.10.121.20/32 [10/0] via 192.168.0.1, wan2, [1/0]

Routing table for VRF=1
S* 0.0.0.0/0 [1/0] via 192.168.168.1, wan1, [10/0]

Any ideas?

RolandBaumgaertner72
New Member
July 10, 2024

OK, I found the problem. WAN1 was connected some time ago in a VLAN, and I didn't check the interface, just the routing and subnet mask. I also moved it to VRF=0 and now it works fine.

Cheers

hbac
Staff
July 10, 2024

Hi @RolandBaumgaertner72,

Why is WAN1 in VRF1? LAN and WAN1 must be in the same VRF if you want it to work.

Regards,
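The root cause in this thread is visible in the two outputs the poster collected, if you read them together: a packet entering on an interface is looked up only in the routing table of that interface's VRF, and WAN1's default route existed only in VRF=1 while "lan" (the ingress interface in the sniffer output) sits in VRF=0. The script below is an added example, not code from the thread or from Fortinet. It parses the `get router info routing-table static` output posted above, plus a constructed `show system interface` excerpt (the thread never posted one; the interface name "lan" is taken from the sniffer lines, everything else in that excerpt is assumed), and reports every default-route interface the LAN VRF cannot use, together with the CLI command to move it.

```python
"""Flag SD-WAN members whose default route lives in a VRF the LAN cannot see.

Added illustration for this thread, not Fortinet code. Inputs are the
routing table posted in the thread and a constructed `show system interface`
excerpt (assumed; the interface name "lan" comes from the sniffer output).
"""
import re
from collections import defaultdict

# Output of `get router info routing-table static` as posted in the thread
# (the operator's XX/XXX redactions are kept as they were).
ROUTING_TABLE_STATIC = """\
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.0.1, wan2, [10/0]
[1/0] via 10.80.40.1, internal5, [10/0]
S 10.10.15.0/24 [10/0] via XXX tunnel 10.0.0.1, [1/0]
S 10.10.16.0/24 [10/0] via XX tunnel 10.0.0.4, [1/0]
S 10.177.0.0/17 [254/0] is a summary, Null, [1/0]
S 88.10.121.20/32 [10/0] via 192.168.0.1, wan2, [1/0]

Routing table for VRF=1
S* 0.0.0.0/0 [1/0] via 192.168.168.1, wan1, [10/0]
"""

# Constructed `show system interface` excerpt (assumed, not from the thread).
# `show` omits settings at their default, so "lan" prints no `set vrf` line
# and is therefore in VRF 0; wan1 prints `set vrf 1`, as the thread found.
SHOW_SYSTEM_INTERFACE = """\
config system interface
    edit "lan"
        set vdom "root"
    next
    edit "wan1"
        set vdom "root"
        set vrf 1
    next
end
"""

VRF_HEADER = re.compile(r"^Routing table for VRF=(\d+)$")
DEFAULT_ROUTE = re.compile(r"^S\*\s+0\.0\.0\.0/0\b")
NEXT_HOP = re.compile(r"via\s+(\S+),\s+(\S+),")
EDIT = re.compile(r'^\s*edit\s+"([^"]+)"')
SET_VRF = re.compile(r"^\s*set\s+vrf\s+(\d+)")
NEXT = re.compile(r"^\s*next\s*$")


def default_route_members(table_text):
    """Map VRF id -> [(gateway, interface), ...] of that VRF's static default route.

    FortiOS prints ECMP next hops on continuation lines beginning with
    "[distance/metric] via ...", so collection continues until a line that is
    neither the default route nor a continuation appears.
    """
    members = defaultdict(list)
    vrf, in_default = None, False
    for raw in table_text.splitlines():
        line = raw.strip()
        header = VRF_HEADER.match(line)
        if header:
            vrf, in_default = int(header.group(1)), False
            continue
        if not line or vrf is None:
            continue
        if DEFAULT_ROUTE.match(line):
            in_default = True
        elif not line.startswith("["):
            in_default = False
        hop = NEXT_HOP.search(line) if in_default else None
        if hop:
            members[vrf].append((hop.group(1), hop.group(2)))
    return dict(members)


def interface_vrfs(config_text):
    """Map interface name -> VRF id; a stanza without `set vrf` is VRF 0."""
    vrfs, name = {}, None
    for line in config_text.splitlines():
        edit = EDIT.match(line)
        if edit:
            name = edit.group(1)
            vrfs[name] = 0
            continue
        vrf = SET_VRF.match(line)
        if vrf and name is not None:
            vrfs[name] = int(vrf.group(1))
        elif NEXT.match(line):
            name = None
    return vrfs


def audit(lan_iface, table_text, config_text):
    """One finding per default-route interface that lan_iface's VRF cannot use.

    Traffic entering on lan_iface is looked up only in that interface's VRF;
    a default route that exists solely in another VRF is invisible to it.
    """
    lan_vrf = interface_vrfs(config_text)[lan_iface]
    routes = default_route_members(table_text)
    usable = {iface for _, iface in routes.get(lan_vrf, [])}
    findings = []
    for vrf, hops in routes.items():
        for gateway, iface in hops:
            if vrf != lan_vrf and iface not in usable:
                findings.append(
                    f"{iface}: default route via {gateway} is in VRF {vrf}, "
                    f"but {lan_iface} is in VRF {lan_vrf}; move it with "
                    f"'config system interface / edit {iface} / set vrf {lan_vrf} / next / end'"
                )
    return findings


if __name__ == "__main__":
    for finding in audit("lan", ROUTING_TABLE_STATIC, SHOW_SYSTEM_INTERFACE):
        print(finding)
```

To use it on a real box, paste your own `get router info routing-table static` and `show system interface` output into the two constants. Note that plain `show` prints only non-default settings, so `set vrf 0` never appears and its absence has to be read as VRF 0 (`show full-configuration` prints every value explicitly); that is exactly why the VRF membership went unnoticed here when only routes and masks were checked.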