|
Explanation:
ADVPN tunnel IP address should be same for the main ADVPN tunnel & Shortcut tunnels, if the IP addresses are different, then the communication to that spoke will break.
Run the command 'diag ip address list'
# diag ip address list
IP=10.254.0.85->10.254.0.85/255.255.252.0 index=36 devname=ADVPN_PRI
IP=10.254.0.79->10.254.0.49/255.255.255.255 index=89 devname=ADVPN_PRI_0
IP=10.254.0.85->10.254.0.49/255.255.255.255 index=108 devname=ADVPN_PRI_1
In the above output, the ADVPN_PRI & ADVPN_PRI_1 has 10.254.0.85, but the ADVPN_PRI_0 has 10.254.0.79.
The BGP Route shows as below:
# get router info routing-table details 10.120.130.0/18
Routing table for VRF=0
Routing entry for 10.120.130.0/18
Known via "bgp", distance 200, metric 0, best
Last update 00:06:17 ago
* 10.254.0.49, via ADVPN_PRI_0 distance 0 <<<<<<<<<<<<<<-------------- shows via 'ADVPN_PRI_0', instead it should be 'ADVPN_PRI_1'
* 10.254.0.49, via ADVPN_PRI_0 distance 0 <<<<<<<<<<<<<<-------------- shows via 'ADVPN_PRI_0', instead it should be 'ADVPN_PRI_1'
Solution:
set 'auto-discovery-shortcuts dependent' on all the spokes.
auto-discovery-shortcuts:- Control deletion of child short-cut tunnels when the parent tunnel goes down.
independent (Default) - Short-cut tunnels remain up if the parent tunnel goes down.
dependent - Short-cut tunnels are brought down if the parent tunnel goes down.
So, when the Primary tunnel goes down for some reason, comes back with a different IP assigned by mode-cfg to the Spoke Device VPN tunnel, 'dependent' option helps to delete the short-cut tunnels, when the parent tunnel goes down.
In FortiOS 7.2.0 'dependent' is the Default Option.
|
