FortiGate
aionescu
Staff
Article Id 231373
Description This article explains the change in behavior regarding dial-up tunnel interfaces configured as SD-WAN interface members.
Scope FortiGate, FortiOS v7.0.8, v7.2.1.
Solution

The following configuration is assumed:

 

  • An SD-WAN zone has as a member a dynamic (dial-up) IPsec tunnel configured with 'set net-device disable'.
  • A health-check is configured to monitor the reachability of a server over that tunnel.
  • A static route exists over the tunnel, and the health-check has 'set update-static-route enable'.

 

If the monitored server becomes unreachable over that particular tunnel, the static route is not removed from the routing table.

 

This is expected behavior for dynamic tunnels configured with 'set net-device disable'.
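The configuration described above, written out as an added example (it is not the configuration from the original article). The tunnel name HQ-ADVPN is taken from the CLI output in the article; the WAN interface, IP addresses, zone name, health-check name, route entry number and pre-shared key are assumptions chosen for illustration.

```fortios
# Added example: hub-side dial-up tunnel as an SD-WAN member (FortiOS 7.0/7.2 syntax).
# Assumed values: wan1, 10.10.10.0/24 overlay, 192.168.100.0/24 behind the spokes.
config vpn ipsec phase1-interface
    edit "HQ-ADVPN"
        set type dynamic                 # dial-up: spokes connect to the hub
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable           # single tunnel interface for all dial-up peers
        set proposal aes256-sha256
        set psksecret REPLACE-WITH-PSK   # placeholder, not a real secret
    next
end
config vpn ipsec phase2-interface
    edit "HQ-ADVPN"
        set phase1name "HQ-ADVPN"
        set proposal aes256-sha256
    next
end
config system interface
    edit "HQ-ADVPN"
        set ip 10.10.10.254 255.255.255.255
        set remote-ip 10.10.10.253 255.255.255.0
    next
end
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "HQ-ADVPN"     # the dial-up tunnel is the SD-WAN member
            set zone "overlay"
        next
    end
    config health-check
        edit "branch-server"
            set server "192.168.100.10"  # monitored server reached through the tunnel
            set update-static-route enable
            set members 1
        next
    end
end
config router static
    edit 10
        set dst 192.168.100.0 255.255.255.0
        set device "HQ-ADVPN"            # static route over the tunnel
    next
end
```

With this configuration, stop the monitored server from answering and compare 'diagnose sys sdwan health-check status' (member 1 shows dead) with 'get router info routing-table static': the 192.168.100.0/24 route via HQ-ADVPN stays in the table, which is the behaviour the article describes for 'set net-device disable'.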

 

The workaround would be to configure the tunnel with 'set net-device enable'.

 

This is not recommended, and as of FortiOS v7.0.8 and v7.2.1 a check has been introduced: an IPsec tunnel configured with 'set net-device enable' can no longer be added as a member of an SD-WAN zone.

 

When attempting to enable net-device on an IPsec interface that is already part of an SD-WAN zone, the following error is displayed: 'This interface is used by vwl'.

 

HQ-FW # config vpn ipsec phase1-interface

HQ-FW (phase1-interface) # edit HQ-ADVPN

HQ-FW (HQ-ADVPN) # set net-device enable

This interface is used by vwl.
node_check_object fail! for net-device enable

value parse error before 'enable'
Command fail. Return code -23

HQ-FW (HQ-ADVPN) #

 

This means that the IPsec tunnel interface is referenced by the virtual WAN link (vwl), i.e. the SD-WAN configuration. To enable net-device on the IPsec tunnel interface, all SD-WAN references to it must first be removed: its SD-WAN zone membership, any SD-WAN rules that use it, and any performance SLAs (health-checks) that list it as a member.