Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aruns
Staff
Staff

Created on ‎06-29-2022 08:26 AM Edited on ‎12-09-2024 10:44 AM By Moderator

Article Id 216255

Technical Tip: ADVPN shortcut tunnels has multiple IPs which breaks the communication between spokes

Description

This article describes the reason why sometimes ADVPN shortcut tunnels will be up, but communication fails between them.
Scope ADVPN with Mode-cfg + BGP Routing.
Solution

Explanation:

 

ADVPN tunnel IP address should be same for the main ADVPN tunnel & Shortcut tunnels, if the IP addresses are different, then the communication to that spoke will break.

 

Run the command 'diag ip address list'

 

# diag ip address list

 

IP=10.254.0.85->10.254.0.85/255.255.252.0 index=36 devname=ADVPN_PRI

IP=10.254.0.79->10.254.0.49/255.255.255.255 index=89 devname=ADVPN_PRI_0

IP=10.254.0.85->10.254.0.49/255.255.255.255 index=108 devname=ADVPN_PRI_1

 

In the above output, the ADVPN_PRI & ADVPN_PRI_1 has 10.254.0.85, but the ADVPN_PRI_0 has 10.254.0.79.

 

The BGP Route shows as below:

 

# get router info routing-table details 10.120.130.0/18

 

Routing table for VRF=0

Routing entry for 10.120.130.0/18

  Known via "bgp", distance 200, metric 0, best

  Last update 00:06:17 ago

  * 10.254.0.49, via ADVPN_PRI_0 distance 0 <<<<<<<<<<<<<<-------------- shows via 'ADVPN_PRI_0', instead it should be 'ADVPN_PRI_1'

  * 10.254.0.49, via ADVPN_PRI_0 distance 0 <<<<<<<<<<<<<<-------------- shows via 'ADVPN_PRI_0', instead it should be 'ADVPN_PRI_1'

 

Solution:

 

set 'auto-discovery-shortcuts dependent' on all the spokes.

 

auto-discovery-shortcuts:- Control deletion of child short-cut tunnels when the parent tunnel goes down.

 

independent (Default) - Short-cut tunnels remain up if the parent tunnel goes down.

dependent - Short-cut tunnels are brought down if the parent tunnel goes down.

 

So, when the Primary tunnel goes down for some reason, comes back with a different IP assigned by mode-cfg to the Spoke Device VPN tunnel, 'dependent' option helps to delete the short-cut tunnels, when the parent tunnel goes down.

 

In FortiOS 7.2.0 'dependent' is the Default Option.

 

Note:

As of FortiOS 7.0.8 and 7.2.0, 'auto-discovery-shortcuts independent' cannot be set on an IPsec tunnel when 'set mode-config enable' is also set. This is because mode-config uses the hub FortiGate to assign dynamic IP addresses to spoke FortiGates. If a spoke were to receive a different tunnel overlay IP address from the hub FortiGate after reconnecting to the hub, then any existing shortcut tunnels would break.
8944
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.