Static source NAT fails for outgoing through different gateways with SDWAN
Hi, SDWAN guys,
We are using a Forti400E with FortiOS v6.4.4; the Fortigate 400E HA pair has three ISP links (ISP01, ISP02 and ISP03) and uses the SD-WAN rule "Maximize Bandwidth (SLA)". The SD-WAN configuration is as below:
Forti400E_2 # get sys sdwan
status                 : enable
load-balance-mode      : source-dest-ip-based
duplication-max-num    : 3
neighbor-hold-down     : disable
neighbor-hold-down-time: 0
neighbor-hold-boot-time: 0
fail-detect            : disable
My finding is similar to the following issue (but we are using SD-WAN, the modern term :(
The Fortigate tools used:
1. sniffer
Forti400E_2 # diagnose sniffer packet any 'host 139.162.19.237' 4
interfaces=[any]
filters=[host 139.162.19.237]
...
port2 out 212.00.00.5.51646 -> 139.162.19.237.443: syn 3266995216
port4 out 212.00.00.5.51627 -> 139.162.19.237.443: syn 134275028
port15 out 212.00.00.5.51645 -> 139.162.19.237.443: syn 2660092068
port15 in 139.162.19.237.443 -> 212.00.00.5.51628: syn 453013466 ack 2660092069
...
2. session list (nothing helpful)
Forti400E_2 # diag debug disable
Forti400E_2 # diag debug flow filter addr 139.162.19.237
Forti400E_2 # diag debug flow trace start 500
Forti400E_2 # diag debug enable
3. route table (all are correct)
by "diag ip rtcache list"
by "get router info routing-table all"
..
Problem (it should be the ISP line problem, not a Fortigate SD-WAN issue :(
When I tested different ISP IPs (for outgoing NAT) via "IP pools" from "Policy & Object", some ISP lines do not let the traffic out.
My questions:
1. I would like to learn about the SDWAN algorithm in depth; any recommendations?
2. Is there any Fortigate built-in tool for inspecting this issue?
Any advice or recommendations?
Many thanks in advance
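The sniffer lines quoted in the post already contain the evidence: SYNs carrying the same source-NAT address leave on three different ports, and the only SYN-ACK in the excerpt comes back in on port15. As an added example (not part of the post and not a Fortinet tool), the parser below reads verbosity-4 sniffer output, reports which egress interfaces each NAT source address is using, and lists interfaces that sent SYNs but saw no inbound SYN-ACK. The input is the excerpt from the post; because that excerpt is elided, the SYN-ACK shown belongs to a flow whose SYN is not in it, so on a full capture the per-interface reply check is the one to read.

```python
import re
from collections import defaultdict

# Constructed sample: the "diagnose sniffer packet ... 4" lines quoted in the
# post (verbosity 4 prints interface, direction, src.port -> dst.port, flags).
SNIFFER_OUTPUT = """\
port2 out 212.00.00.5.51646 -> 139.162.19.237.443: syn 3266995216
port4 out 212.00.00.5.51627 -> 139.162.19.237.443: syn 134275028
port15 out 212.00.00.5.51645 -> 139.162.19.237.443: syn 2660092068
port15 in 139.162.19.237.443 -> 212.00.00.5.51628: syn 453013466 ack 2660092069
"""

# One packet line: "<iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags...>"
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Parse verbosity-4 sniffer lines into dicts; header and '...' lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        tokens = p.pop("flags").split()
        p["syn"] = "syn" in tokens   # "syn <seq>" alone is a client SYN
        p["ack"] = "ack" in tokens   # "syn ... ack ..." is the server's SYN-ACK
        packets.append(p)
    return packets


def egress_interfaces_by_source(packets):
    """Map each NAT source IP to the sorted list of interfaces its SYNs left on."""
    seen = defaultdict(set)
    for p in packets:
        if p["direction"] == "out" and p["syn"] and not p["ack"]:
            seen[p["src"]].add(p["iface"])
    return {src: sorted(ifaces) for src, ifaces in seen.items()}


def multi_homed_sources(packets):
    """Source IPs whose SYNs egress on more than one interface: one NAT IP, several gateways."""
    return {src: ifaces
            for src, ifaces in egress_interfaces_by_source(packets).items()
            if len(ifaces) > 1}


def interfaces_without_replies(packets):
    """Interfaces that emitted SYNs but saw no inbound SYN-ACK anywhere in the capture."""
    sent = {p["iface"] for p in packets
            if p["direction"] == "out" and p["syn"] and not p["ack"]}
    answered = {p["iface"] for p in packets
                if p["direction"] == "in" and p["syn"] and p["ack"]}
    return sorted(sent - answered)


if __name__ == "__main__":
    pkts = parse_sniffer(SNIFFER_OUTPUT)
    for src, ifaces in multi_homed_sources(pkts).items():
        print(f"{src} leaves via {', '.join(ifaces)} (one NAT IP, several ISP links)")
    print("no SYN-ACK seen on:", ", ".join(interfaces_without_replies(pkts)))
```

Run it against a longer capture (paste the sniffer output into SNIFFER_OUTPUT or read it from a file) before and after pinning the IP pool per SD-WAN member: if an interface keeps appearing in the "no SYN-ACK" list while the source address it carries belongs to another ISP, the replies are returning on that other ISP's link, which is the upstream filtering the post describes.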
