FortiGate
Dhruvin_patel
Article Id 406864
Description This article describes the asymmetric traffic observed during IPsec over TCP (IKE over TCP) tunnel negotiation on a FortiGate whose two WAN interfaces are SD-WAN members, the releases that fix it, and the workaround for earlier releases.
Scope FortiGate.
Solution

Two WAN interfaces, wan1 and wan2, are configured as SD-WAN members of the same zone:

wan1 IP: 10.1.1.2/30 (gateway 10.1.1.1)
wan2 IP: 172.16.1.2/30 (gateway 172.16.1.1)

SD-WAN configuration:

config system sdwan
    set status enable
    config zone
        edit "Underlay"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "Underlay"
            set gateway 10.1.1.1
        next
        edit 2
            set interface "wan2"
            set zone "Underlay"
            set gateway 172.16.1.1
        next
    end
end


This issue occurs only when the tunnels use IKE over TCP (set transport tcp in the phase1 interface). One phase1 interface is bound to each WAN member; the tunnel configuration is shown below.


config vpn ipsec phase1-interface
    edit "Tunnel_with_wan1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set localid "wan1"
        set wizard-type static-fortigate
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set network-overlay enable
        set network-id 1
        set remote-gw 192.168.1.2
        set assign-ip disable
        set transport tcp
        set psksecret ENC xxxxxx
    next
    edit "Tunnel_with_wan2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set localid "wan2"
        set wizard-type static-fortigate
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set network-overlay enable
        set network-id 2
        set remote-gw 192.168.1.2
        set assign-ip disable
        set transport tcp
        set psksecret ENC xxxxxx
    next
end


During tunnel negotiation, the sniffer output (diagnose sniffer packet) shows the peer's TCP SYN to the IKE TCP port (443 in this capture) arriving on wan1, addressed to wan1's IP 10.1.1.2, while the FortiGate's SYN/ACK leaves through wan2, still sourced from 10.1.1.2. The reply is chosen by SD-WAN routing instead of being returned on the interface the SYN arrived on. Because the SYN/ACK takes a different path (and may be dropped upstream as a packet with a source address that does not belong to that link), the peer retransmits the same SYN about one second later (identical sequence number 164043747), the handshake does not complete, and IKE never starts:

2025-06-23 03:05:11.766062 wan1 in 192.168.1.2.51717 -> 10.1.1.2.443: syn 164043747
2025-06-23 03:05:11.766215 wan2 out 10.1.1.2.443 -> 192.168.1.2.51717: syn 3416450666 ack 164043748
2025-06-23 03:05:12.780219 wan1 in 192.168.1.2.51717 -> 10.1.1.2.443: syn 164043747
2025-06-23 03:05:12.780281 wan2 out 10.1.1.2.443 -> 192.168.1.2.51717: syn 3416450666 ack 164043748

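The following check is an added example and not part of the original article: a small Python script that parses diagnose sniffer packet lines in the format shown above and flags any TCP handshake whose SYN arrived on one interface while the SYN/ACK left on another, together with SYN retransmissions of the same sequence number. The embedded sample capture contains the four lines from the article plus a constructed, symmetric handshake on wan2 (IP 172.16.1.2, client port 51800) for comparison; the regex is written for the capture format above and is an assumption about any other sniffer options.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One line of FortiGate `diagnose sniffer packet` output, as in the capture above:
#   2025-06-23 03:05:11.766062 wan1 in 192.168.1.2.51717 -> 10.1.1.2.443: syn 164043747
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>.*)$"
)

# Sample capture: the four lines from the article (asymmetric wan1/wan2 handshake)
# plus a constructed, symmetric handshake on wan2 for comparison.
SAMPLE_CAPTURE = """\
2025-06-23 03:05:11.766062 wan1 in 192.168.1.2.51717 -> 10.1.1.2.443: syn 164043747
2025-06-23 03:05:11.766215 wan2 out 10.1.1.2.443 -> 192.168.1.2.51717: syn 3416450666 ack 164043748
2025-06-23 03:05:12.780219 wan1 in 192.168.1.2.51717 -> 10.1.1.2.443: syn 164043747
2025-06-23 03:05:12.780281 wan2 out 10.1.1.2.443 -> 192.168.1.2.51717: syn 3416450666 ack 164043748
2025-06-23 03:06:00.100000 wan2 in 192.168.1.2.51800 -> 172.16.1.2.443: syn 1000
2025-06-23 03:06:00.100150 wan2 out 172.16.1.2.443 -> 192.168.1.2.51800: syn 2000 ack 1001
""".splitlines()


@dataclass
class HandshakeState:
    syn_in_ifaces: set = field(default_factory=set)      # interfaces the client's SYN arrived on
    synack_out_ifaces: set = field(default_factory=set)  # interfaces our SYN/ACK left on
    syn_seqs: list = field(default_factory=list)         # SYN sequence numbers seen, in order


def parse_line(line):
    """Return the parsed fields of one sniffer line, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    words = pkt["flags"].split()
    pkt["is_syn"] = bool(words) and words[0] == "syn"
    pkt["is_synack"] = pkt["is_syn"] and "ack" in words[2:]
    pkt["seq"] = int(words[1]) if pkt["is_syn"] else None
    return pkt


def flow_key(pkt):
    """Canonical (client_ip, client_port, server_ip, server_port) for a SYN or a SYN/ACK."""
    a = (pkt["src"], int(pkt["sport"]))
    b = (pkt["dst"], int(pkt["dport"]))
    # A SYN/ACK travels server -> client, so swap the endpoints to match the SYN's key.
    return (b + a) if pkt["is_synack"] else (a + b)


def analyze(lines):
    """Flag handshakes whose SYN and SYN/ACK used different interfaces, or that had SYN retransmits."""
    flows = defaultdict(HandshakeState)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not pkt["is_syn"]:
            continue  # only the handshake packets matter for this check
        st = flows[flow_key(pkt)]
        if pkt["is_synack"] and pkt["dir"] == "out":
            st.synack_out_ifaces.add(pkt["iface"])
        elif not pkt["is_synack"] and pkt["dir"] == "in":
            st.syn_in_ifaces.add(pkt["iface"])
            st.syn_seqs.append(pkt["seq"])

    findings = []
    for (cip, cport, sip, sport), st in flows.items():
        asymmetric = bool(st.synack_out_ifaces - st.syn_in_ifaces)
        retransmits = len(st.syn_seqs) - len(set(st.syn_seqs))
        if asymmetric or retransmits:
            findings.append({
                "client": f"{cip}:{cport}",
                "server": f"{sip}:{sport}",
                "syn_in": sorted(st.syn_in_ifaces),
                "synack_out": sorted(st.synack_out_ifaces),
                "syn_retransmits": retransmits,
                "asymmetric": asymmetric,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE):
        print(f"{f['client']} -> {f['server']}: SYN in on {f['syn_in']}, "
              f"SYN/ACK out on {f['synack_out']}, {f['syn_retransmits']} SYN retransmit(s)")
```

On a live unit, capture with a filter on the peer address and the configured ike-tcp-port on all interfaces, save the output to a file, and pass its lines to analyze(); a clean result after applying the workaround below means the SYN and SYN/ACK are using the same WAN member again.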

The behavior is independent of the configured ike-tcp-port value; it reproduces with any port.

The behavior has been reported in engineering case 1172040 and is resolved in v7.4.9, v7.6.4, and v8.0.0.

Until the FortiGate is upgraded to one of those releases, use the following workaround:

  • Create a policy route that pins traffic sourced from the wan1 address to wan1, the parent interface of the tunnel:

config router policy
    edit 1
        set src 10.1.1.2/255.255.255.254
        set output-device "wan1"
    next
end

Note that the mask 255.255.255.254 as shown matches both 10.1.1.2 and 10.1.1.3; a 255.255.255.255 mask matches only the wan1 address. If the wan2 tunnel shows the same behavior, add a second entry for source 172.16.1.2 with output-device "wan2".

  • Enable ike-policy-route so that IKE honors policy routes when selecting the egress interface for its own packets:

config system settings
    set ike-policy-route enable
end

After applying both, repeat the sniffer capture and confirm that the SYN and the SYN/ACK of the IKE TCP session now use the same interface.


Related article:

Troubleshooting Tip: IKE over TCP sessions fail due to asymmetric return traffic in dual WAN environ...