Umesh
Explorer II
September 28, 2024
Question

SDWAN (with two ISP)

  • September 28, 2024
  • 3 replies
  • 3003 views

Dear All,

I have one standalone firewall and have configured SD-WAN (ISP1 & ISP2). The problem I am facing is that if ISP1 goes down, traffic is not flowing to the other link (ISP2).

I can see that there are two routes present in the routing table of the firewall, but the route for the link that is currently down is not being removed from the routing table. What could the issue be? I have configured "update static route".

FGT_Primeary # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 192.168.50.1, port1, [1/0]
                  [1/0] via 192.168.51.1, port2, [1/0]
C       10.1.1.0/24 is directly connected, port3
C       192.168.50.0/28 is directly connected, port1
C       192.168.51.0/28 is directly connected, port2
C       192.168.145.0/24 is directly connected, port10

FGT_Primeary # config system sdwan

FGT_Primeary (sdwan) # config health-check

FGT_Primeary (health-check) # edit "Internet"

FGT_Primeary (Internet) # show
config health-check
    edit "Internet"
        set server "8.8.8.8" "8.8.4.4"
        set members 0
        config sla
            edit 1
            next
        end
    next
end

FGT_Primeary (Internet) #

My question is: if ISP1 is down, then its static route must be removed from the routing table; only the ISP2 route should remain in the routing table.

Regards,

learner


3 replies

damianhlozano
Explorer II
September 28, 2024

Hello Umesh,

I always configured SD-WAN from the GUI, so I am not familiar with this code.

However, it seems to me that you missed selecting members in the health-check; I think you should select both WANs.

While testing, make sure you have only one default route using the SD-WAN, not one route for each WAN.

Regards,

Damián

sbabu
Staff
September 28, 2024

Hi @Umesh,

I see that you have a query related to SD-WAN. In FortiGate, the route preference is first policy routes and then SD-WAN routes.

Hence you should have a default route pointing toward the SD-WAN virtual interface; this will help route traffic via the other interfaces when one link fails.

Please refer to the below article on how to configure an SD-WAN properly.
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/218559/configuring-the-sd-wan-interface

vbandha
Staff
September 28, 2024

Hello @Umesh,

For your query, make sure:

1. The static route is pointing to the SD-WAN zone:
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/626338/adding-a-static-route

2. The Performance SLA has the SD-WAN members selected and "update static route" enabled:
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/723056/link-monitoring-and-failover

Regards,

Varun
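As an added example (not configuration from any of the replies above, and not the original poster's device), the following FortiOS CLI shows how the three recommendations in this thread fit together: both WAN interfaces as SD-WAN members, the health check bound to those members with update-static-route enabled, and a single default route pointing at the SD-WAN zone instead of one static route per ISP. The interface names and gateways are taken from the routing table in the question; the zone name "virtual-wan-link", the member sequence numbers 1 and 2, the static route sequence number and the SLA thresholds are assumptions for illustration.

```fortios
config system sdwan
    set status enable
    # assumed zone name; both members are placed in it so one route can cover both ISPs
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            # ISP1: port1 with the gateway seen in the question's routing table
            set interface "port1"
            set zone "virtual-wan-link"
            set gateway 192.168.50.1
        next
        edit 2
            # ISP2: port2 with the gateway seen in the question's routing table
            set interface "port2"
            set zone "virtual-wan-link"
            set gateway 192.168.51.1
        next
    end
    config health-check
        edit "Internet"
            set server "8.8.8.8" "8.8.4.4"
            # bind the probe to both members explicitly (the question's output shows members 0)
            set members 1 2
            # withdraw the routes of a member whose probe fails, so traffic moves to the other link
            set update-static-route enable
            config sla
                edit 1
                    # assumed thresholds; tune to the real links
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 10
                next
            end
        next
    end
end

config router static
    # one default route toward the SD-WAN zone, replacing the per-ISP static routes
    edit 1
        set dst 0.0.0.0/0
        set sdwan-zone "virtual-wan-link"
    next
end
```

After applying this, "diagnose sys sdwan health-check status" shows whether each member's probes to 8.8.8.8 and 8.8.4.4 are alive, and "get router info routing-table all" should still list a single default route with both next hops while both links are up; unplugging one ISP should then drop only that member's next hop from the table once the health check marks it dead.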