Anand_Narayana
Explorer
September 15, 2020
Question

SD-WAN VPN traffic takes wrong route

  • September 15, 2020
  • 2 replies
  • 3182 views

I have configured SD-WAN for the Internet links and it has been working as expected for more than a year now. I have also recently configured the VPN tunnels (named SITE-A & SITE-B) in SD-WAN and they are working as expected. However, at times, the Internet traffic takes the route via SITE-A or SITE-B. I understand this is because these 2 tunnels are also members of SD-WAN, hence it takes that route. Is there a way that I can educate the FortiGate to take the SITE-A & SITE-B routes ONLY if the traffic matches the remote site's network segment (e.g. 172.16.0.0/24 & 172.17.0.0/24) and NOT for all the Internet traffic? I also see COST in the SD-WAN, which by default for the WAN links is 0. What cost should I set for the VPN tunnel when it is a member of SD-WAN?

    2 replies

    Fullmoon
    New Member
    September 15, 2020

    Hi, would you mind sharing your FortiOS version?

    Anand_Narayana
    Explorer
    September 15, 2020

    FG-300D, v.6.4.0

    ac1
    Explorer III
    May 16, 2024

    The problem could be caused by the persistence of some sessions, so the traffic remains "stuck" with the old route.

    To avoid this problem it is possible to create a route from the LAN to the Internet interface (virtual-wan-link) where, as the destination, we insert all private networks and set deny. Sessions that pass by mistake through the virtual-wan-link interface will perforce be reset.

    This action is also useful if the VPNs are in a different SD-WAN zone from the Internet.
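The two things asked for in this thread, SD-WAN rules that steer only the remote subnets into the tunnels and ac1's deny entry for private destinations on the Internet zone, put together as one FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread. It assumes FortiOS 6.4 syntax (`config system sdwan`, which matches the poster's v6.4.0) and the default SD-WAN zone name `virtual-wan-link`; the interface names `wan1`, `wan2`, `internal` and the zone name `vpn-zone` are placeholders, and the tunnel names SITE-A / SITE-B and subnets 172.16.0.0/24 and 172.17.0.0/24 are taken from the question. What ac1 calls a route is, on a FortiGate, a firewall policy with action deny; it is written that way here. The tunnels are placed in their own SD-WAN zone so that the deny policy on `virtual-wan-link` cannot block legitimate site-to-site traffic, which is the situation ac1's last sentence describes.

```fortios
# Added example, not from the thread. Assumed: FortiOS 6.4 CLI, default zone
# "virtual-wan-link". Placeholders: wan1, wan2, internal, vpn-zone.

# 1. Address objects: the two remote LANs from the question, plus all RFC 1918
#    space for the deny policy in step 3.
config firewall address
    edit "SITE-A-LAN"
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "SITE-B-LAN"
        set subnet 172.17.0.0 255.255.255.0
    next
    edit "RFC1918-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RFC1918-172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RFC1918-192"
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "RFC1918-ALL"
        set member "RFC1918-10" "RFC1918-172" "RFC1918-192"
    next
end

# 2. SD-WAN: WAN links stay in the default zone, tunnels go to a separate zone.
#    Rules are matched top down: the tunnel rules match only their remote
#    subnet, so everything else falls through to the Internet rule, whose only
#    candidate members are the two WAN links. Member cost is left at the
#    default of 0; the thread does not settle what cost the tunnels should get.
config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
        edit 3
            set interface "SITE-A"
            set zone "vpn-zone"
        next
        edit 4
            set interface "SITE-B"
            set zone "vpn-zone"
        next
    end
    config service
        edit 1
            set name "to-SITE-A"
            set mode manual
            set dst "SITE-A-LAN"
            set priority-members 3
        next
        edit 2
            set name "to-SITE-B"
            set mode manual
            set dst "SITE-B-LAN"
            set priority-members 4
        next
        edit 3
            set name "internet"
            set mode manual
            set dst "all"
            set priority-members 1 2
        next
    end
end

# 3. ac1's suggestion: deny (and log) any LAN session that is about to leave
#    towards a private destination over the Internet zone. A session that was
#    "stuck" on a wrong path is dropped here instead of being forwarded.
#    This policy must sit above the LAN -> virtual-wan-link accept policy.
config firewall policy
    edit 0
        set name "deny-private-via-internet"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "RFC1918-ALL"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because `edit 0` appends the new policy at the bottom of the table, it has to be moved above the existing LAN-to-Internet accept policy to take effect, for example with `config firewall policy` followed by `move <new-id> before <accept-id>`. Site-to-site traffic then needs its own accept policy from `internal` to `vpn-zone` with `SITE-A-LAN` and `SITE-B-LAN` as destinations; the deny policy never sees it because it is bound to the `virtual-wan-link` zone only. After the change, a hit on the deny policy in the traffic log is the check that a session was indeed heading for a private destination over the wrong zone.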