SassiVeeran
Staff
Article Id 307099
Description: This article describes a case where IPsec overlay members added to SD-WAN have a performance SLA that shows as down.
Scope: FortiGate SD-WAN SLA.
Solution:

The FortiGate can still ping the detect server, but the performance SLA shows 'dead' for one of the members.

The IPsec overlay member is configured with a similar source interface (the FortiGate LAN interface).


Example:

FGTA:

A health check shows that ISP18 and ISP19 are alive.

[Image: FGTA.PNG, health check output on FGTA]

FGTB:

A health check shows that ISP18 is dead and ISP19 is alive.

[Image: FGTB.PNG, health check output on FGTB]

A packet capture on the ISP18 VPN interface shows no ICMP reply for the probe sent from 10.250.3.172 to 10.220.3.102.

[Image: icmp capture ISP18.PNG, packet capture on the ISP18 VPN interface]

This is caused by asymmetric routing being enabled on FGTA: it lets the ICMP probe enter and leave via different interfaces, so the reply does not come back on the interface that the health check is monitoring.
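
As an added illustration (not part of this article or of any Fortinet tooling), the script below pairs ICMP echo requests with their replies in FortiGate-style sniffer output and reports, per SD-WAN member, whether the reply came back on the same interface, on a different one, or not at all. The capture lines are constructed for the example and use the article's probe addresses; the line layout is modelled on `diagnose sniffer packet` verbosity-4 output but is an assumption here, so adjust the regular expression to whatever your capture actually looks like.

```python
import re

# Constructed sample, shaped like FortiGate "diagnose sniffer packet any 'icmp' 4" output
# (<time> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>). The field
# layout is an assumption for this example; the addresses follow the article's probe
# (10.250.3.172 -> 10.220.3.102). Replies to the ISP18 probes arrive on ISP19 (the
# asymmetric case), ISP19 probes are answered on ISP19, and the ISP17 probe gets no reply.
SAMPLE_CAPTURE = """\
1.000001 ISP18 out 10.250.3.172 -> 10.220.3.102: icmp: echo request
1.020113 ISP19 in 10.220.3.102 -> 10.250.3.172: icmp: echo reply
1.500002 ISP19 out 10.250.4.172 -> 10.220.4.102: icmp: echo request
1.520220 ISP19 in 10.220.4.102 -> 10.250.4.172: icmp: echo reply
2.000003 ISP18 out 10.250.3.172 -> 10.220.3.102: icmp: echo request
2.019876 ISP19 in 10.220.3.102 -> 10.250.3.172: icmp: echo reply
3.000005 ISP17 out 10.250.5.172 -> 10.220.5.102: icmp: echo request
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


def parse_line(line):
    """Return a dict for one sniffer line, or None for lines that are not ICMP echo packets."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["ts"] = float(pkt["ts"])
    return pkt


def analyze_probes(capture_text):
    """Pair each outgoing echo request with the next incoming echo reply of the reversed
    (src, dst) pair, oldest request first, and record the interface seen on each side."""
    pending = {}  # (src, dst) of the request -> unanswered request records, oldest first
    results = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["kind"] == "request" and pkt["dir"] == "out":
            rec = {
                "src": pkt["src"], "dst": pkt["dst"], "sent_at": pkt["ts"],
                "request_iface": pkt["iface"], "reply_iface": None, "status": "no_reply",
            }
            pending.setdefault((pkt["src"], pkt["dst"]), []).append(rec)
            results.append(rec)
        elif pkt["kind"] == "reply" and pkt["dir"] == "in":
            queue = pending.get((pkt["dst"], pkt["src"]))  # a reply flips src and dst
            if queue:
                rec = queue.pop(0)
                rec["reply_iface"] = pkt["iface"]
                rec["rtt"] = round(pkt["ts"] - rec["sent_at"], 6)
                rec["status"] = ("symmetric" if pkt["iface"] == rec["request_iface"]
                                 else "asymmetric")
    return results


def summarize(results):
    """Per request interface: outcome counts plus a verdict an operator can act on.
    A reply that arrives on another member never counts for the probing member's SLA,
    so that member shows as dead even though the detect server is reachable."""
    summary = {}
    for rec in results:
        s = summary.setdefault(rec["request_iface"],
                               {"symmetric": 0, "asymmetric": 0, "no_reply": 0})
        s[rec["status"]] += 1
    for s in summary.values():
        if s["asymmetric"]:
            s["verdict"] = "asymmetric-path"  # reply returned via a different member
        elif s["no_reply"]:
            s["verdict"] = "probe-loss"       # nothing came back for this member
        else:
            s["verdict"] = "healthy"
    return summary


if __name__ == "__main__":
    for iface, s in sorted(summarize(analyze_probes(SAMPLE_CAPTURE)).items()):
        print(f"{iface}: {s}")
```

Run it over a capture taken with `any` as the interface so both the outgoing probe and the returning reply are visible; a member whose verdict is `asymmetric-path` is the one to check for asymmetric routing on the peer, whereas `probe-loss` points at ordinary reachability.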

 

Note:

When asymmetric routing is enabled, the performance SLA can show UP on one end (FGTA) while the other end (FGTB) shows DOWN.

[Image: asymetric.PNG, asymmetric routing setting]

To solve the issue, disable asymmetric routing on the FortiGate (FGTA):

config system settings
    set asymroute disable    <----- Change from 'enable' to 'disable'.
end

Related article:

Technical Tip: Differences between asymmetric routing and auxiliary sessions