VXLAN - Reverse path check whet traffic passes DCs

Question

Hello Team,i have configured VXLAN over VPN  with MP-BGP EVPNVLANs that are part of VXLAN have VRRP enabled .VXLAN  and VRRP are working as expectedThe problem is when traffic is traversing the DCs (From the Secondary DC to the Primary DC - VRRP-wise) ,At the destination DC, the traffic is not returning as there is no routing pointing to VXLAN for the return traffic.There is BGP between DC and the network that is trying to reach the VXLAN IP, which is advertised over the IPSEC.The strange thing is that when i runed POC on FG 7.4.7 it was working. attached the config:

vasilisgogos · Accepted Answer

Solution found by myself.If presenting VXLAN as possible  destination (over bgp) it works .

vasilisgogos · Answer

DC2:edit "vlan598-strech"set vdom "DMZ"set member "VlanID598" "vxlan.598"nextendconfig system interfaceedit "naf.DMZ"set vdom "DMZ"set type tunnelset src-check disableset snmp-index 50nextedit "l2t.DMZ"set vdom "DMZ"set type tunnelset snmp-index 51nextedit "ssl.DMZ"set vdom "DMZ"set type tunnelset alias "SSL VPN interface"set snmp-index 52nextedit "DMZ-Loopback"set vdom "DMZ"set ip 172.22.0.1 255.255.255.255set allowaccess pingset type loopbackset alias "BGP_Loopback"set role lanset snmp-index 198set ip-managed-by-fortiipam disablenextedit "Vlan501- DMZ"set vdom "DMZ"set ip 172.21.1.4 255.255.255.248set allowaccess ping speed-testset type emac-vlanset role lanset snmp-index 110set ip-managed-by-fortiipam disableset interface "Vlan501"nextedit "DCI_IPSEC_DMZ"set vdom "DMZ"set type tunnelset snmp-index 121nextedit "VlanID598"set vdom "DMZ"set alias "DMZ Test VLAN"set role lanset snmp-index 122set interface "Middle-Earth"set vlanid 598nextedit "vxlan.598"set vdom "DMZ"set type vxlanset snmp-index 123set interface "DMZ-Loopback"nextedit "vlan598-strech"set vdom "DMZ"set ip 172.21.254.3 255.255.255.0set allowaccess pingset type switchset alias "DMZ Test VLAN"set device-identification enableset lldp-transmission enableset vrrp-virtual-mac enableconfig vrrpedit 1set version 3set vrgrp 509set vrip 172.21.254.1set vrdst 172.21.254.2nextendset role lanset snmp-index 124set ip-managed-by-fortiipam disablenextedit "test_vlan"set vdom "DMZ"set ip 1.2.3.1 255.255.255.252set allowaccess pingset device-identification enableset role lanset snmp-index 125set ip-managed-by-fortiipam disableset interface "Middle-Earth"set vlanid 1234nextendconfig system adminendconfig system zoneedit "DCI_VXLAN_ZONE"set interface "DCI_IPSEC_DMZ"nextedit "DMZ Test VLAN"set interface "vlan598-strech"nextendconfig system sdwanset status enableconfig zoneedit "virtual-wan-link"nextedit "DCI_ZONE"nextendconfig membersedit 1set interface "Vlan501- DMZ"set zone "DCI_ZONE"set gateway 172.21.1.3nextedit 2set interface "Vlan502-DMZ"set zone "DCI_ZONE"set gateway 172.21.1.11nextedit 3set interface "Vlan503-DMZ"set zone "DCI_ZONE"set gateway 172.21.1.19nextedit 4set interface "Vlan504-DMZ"set zone "DCI_ZONE"set gateway 172.21.1.27nextedit 5set interface "Vlan505-DMZ"set zone "DCI_ZONE"set gateway 172.21.1.35nextendconfig health-checkedit "DCI_SLA"set server "172.20.0.1"set update-static-route disableset members 1 2 3 4 5config slaedit 1set link-cost-factor latency packet-lossset latency-threshold 200set packetloss-threshold 5nextendnextendendconfig vpn ipsec phase1-interfaceedit "DCI-1_IPSEC"set interface "Vlan501- DMZ"set ike-version 2set keylife 28800set peertype anyset net-device disableset exchange-interface-ip enableset exchange-ip-addr4 172.22.0.1set aggregate-member enableset proposal aes256-sha256set dpd on-idleset dhgrp 14set remote-gw 172.21.1.3set psksecret ENC 1331uPjF3nZ3jKIsEFdFJENmnpDSskBvXpUsIhZP4gfrhK4U+qAo3R3q+oyrPxpih4RYsXZOchxfIqI6e1FhfbH62I1oE9BdGl8+5hCTLxp/6fsrUuwQ2GdFXFGxJbuqHhyOMGo2sdNhvWuoQRNOcKBH50psQW4YAJps0nqCpHJ2c9/FkBWH8N4jcoggZEutDr5bPHe/nllmMjY3dkVAnextedit "DCI-2_IPSEC"set interface "Vlan502-DMZ"set ike-version 2set keylife 28800set peertype anyset net-device disableset exchange-interface-ip enableset exchange-ip-addr4 172.22.0.1set aggregate-member enableset proposal aes256-sha256set dpd on-idleset dhgrp 14set remote-gw 172.21.1.11set psksecret ENC 1233l9O79X4UGnByd0xUuTf7Sy9p6a+Bk312NAXWuZh/JX7joAvD7258r25jORrYz9bey1YMrL7XxF3RCPRP9KedDZ56zn7qvUxSfrbK0EO6F5ubyRrvLPcJIEf6JgvKxSN8knk2Em/pEFCFzI/RqFsaoKR5caM0LzTFqoI7uYFy8cU73LnFAT8HpIGb9JMvp3MqQIcUmllmMjY3dkVAnextedit "DCI-3_IPSEC"set interface "Vlan503-DMZ"set ike-version 2set keylife 28800set peertype anyset net-device disableset exchange-interface-ip enableset exchange-ip-addr4 172.22.0.1set aggregate-member enableset proposal aes256-sha256set dpd on-idleset dhgrp 14set remote-gw 172.21.1.19set psksecret ENC 13113D+sZx1ZsdkTyYLQ13143W2+FRt13UDPf9NSneuRSFov97F2CECXS2Pt66BabUovyw6ARrRLG21v8pKxoZ0/W7Gg0NNGrT/zSg3LmpnT1d1Hi9wUo4MTBN6p0ypFCmMmMeYd124SkBpbP9/R+UNtGCqJ+6xPUx11TpNhJ4vqhgXERR1x7LC19Jn8Ye6ZqNm/3R2mrFq9jbtFlmMjY3dkVAnextedit "DCI-4_IPSEC"set interface "Vlan504-DMZ"set ike-version 2set keylife 28800set peertype anyset net-device disableset exchange-interface-ip enableset exchange-ip-addr4 172.22.0.1set aggregate-member enableset proposal aes256-sha256set dpd on-idleset dhgrp 14set remote-gw 172.21.1.27set psksecret ENC FgnPGpkWaACzKpy3+pl133rM3r/8mn269131ks72ev9roZ8AZJsMhWeQPRK53TTKD1B9DA2vK7jEkV/NtDD6Y7jVyEUJAEGWnE/MknV0XOK5NQnFf1EjHAXAgQAwebXpVoXXfvkJOmuQPjQNutZ7MJE+/3QlJfCv3SyXxKGe5GUzS0Z+y9XzrYyGGBDkaR4Xl+ogNHsvLmPFlmMjY3dkVAnextedit "DCI-5_IPSEC"set interface "Vlan505-DMZ"set ike-version 2set keylife 28800set peertype anyset net-device disableset exchange-interface-ip enableset exchange-ip-addr4 172.22.0.1set aggregate-member enableset proposal aes256-sha256set dpd on-idleset dhgrp 14set remote-gw 172.21.1.35set psksecret ENC t/zFITiL26MdMtDTeW131LepL/sMu1313UZP4/fgA6aNATZssHduDN+XQQNlWmnji7x36EmNi9B12oeJfwrsvAn3OCreFvzCB/1uvpz+IUaqCG9ilNjVvNU9qlKlzxsvNsfeA8EOLPEn+BTepraW/sr3Or7eFYiNi3YefTJCaTNgyD8VtfMQc/5uF46N1K6uHyx0j7gfheu61lmMjY3dkVAnextendconfig vpn ipsec phase2-interfaceedit "DCI-1_IPSEC.p2"set phase1name "DCI-1_IPSEC"set proposal aes256-sha256set dhgrp 14set auto-negotiate enableset keylifeseconds 3600nextedit "DCI-2_IPSEC.p2"set phase1name "DCI-2_IPSEC"set proposal aes256-sha256set dhgrp 14set auto-negotiate enableset keylifeseconds 3600nextedit "DCI-3_IPSEC.p2"set phase1name "DCI-3_IPSEC"set proposal aes256-sha256set dhgrp 14set auto-negotiate enableset keylifeseconds 3600nextedit "DCI-4_IPSEC.p2"set phase1name "DCI-4_IPSEC"set proposal aes256-sha256set dhgrp 14set auto-negotiate enableset keylifeseconds 3600nextedit "DCI-5_IPSEC.p2"set phase1name "DCI-5_IPSEC"set proposal aes256-sha256set dhgrp 14set auto-negotiate enableset keylifeseconds 3600nextendconfig system evpnedit 598set rd "598:598"set import-rt "598:598"set export-rt "598:598"set ip-local-learning enableset arp-suppression enablenextendconfig system ipsec-aggregateedit "DCI_IPSEC_DMZ"set member "DCI-1_IPSEC"set algorithm weighted-round-robinnextendconfig system vxlanedit "vxlan.598"set interface "DMZ-Loopback"set vni 598set evpn-id 598nextendconfig router prefix-listedit "advertised.vxlan.dmz.subnets"config ruleedit 1set prefix 1.2.3.0 255.255.255.252unset geunset lenextendnextendconfig router route-mapedit "deny_any"config ruleedit 1set action denyunset set-ip-prefsrcnextendnextedit "advertise.vxlan.dmz.route-map"config ruleedit 1set match-ip-address "advertised.vxlan.dmz.subnets"unset set-ip-prefsrcnextendnextendconfig router ripconfig redistribute "connected"endconfig redistribute "static"endconfig redistribute "ospf"endconfig redistribute "bgp"endconfig redistribute "isis"endendconfig router ripngconfig redistribute "connected"endconfig redistribute "static"endconfig redistribute "ospf"endconfig redistribute "bgp"endconfig redistribute "isis"endendconfig router ospfconfig redistribute "connected"endconfig redistribute "static"endconfig redistribute "rip"endconfig redistribute "bgp"endconfig redistribute "isis"endendconfig router ospf6config redistribute "connected"endconfig redistribute "static"endconfig redistribute "rip"endconfig redistribute "bgp"endconfig redistribute "isis"endendconfig router bgpset as 65000set ebgp-multipath enableset ibgp-multipath enableset network-import-check disableset additional-path enableset graceful-restart enableset additional-path-select 4config neighboredit "172.20.0.1"set ebgp-enforce-multihop enableset next-hop-self enableset next-hop-self-vpnv4 enableset soft-reconfiguration enableset soft-reconfiguration-vpnv4 enableset soft-reconfiguration-evpn enableset interface "DCI_IPSEC_DMZ"set remote-as 65000set route-map-out "advertise.vxlan.dmz.route-map"set keep-alive-timer 10set holdtime-timer 30set update-source "DMZ-Loopback"set route-reflector-client enableset route-reflector-client-evpn enablenextendconfig networkedit 60set prefix 1.2.3.0 255.255.255.252nextendconfig redistribute "connected"endconfig redistribute "rip"endconfig redistribute "ospf"endconfig redistribute "static"endconfig redistribute "isis"endconfig redistribute6 "connected"endconfig redistribute6 "rip"endconfig redistribute6 "ospf"endconfig redistribute6 "static"endconfig redistribute6 "isis"endendconfig router isisconfig redistribute "connected"endconfig redistribute "rip"endconfig redistribute "ospf"endconfig redistribute "bgp"endconfig redistribute "static"endconfig redistribute6 "connected"endconfig redistribute6 "rip"endconfig redistribute6 "ospf"endconfig redistribute6 "bgp"endconfig redistribute6 "static"endendconfig router multicastend

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded