Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
SassiVeeran
Staff
Staff

Created on ‎03-28-2024 11:00 PM

Article Id 307099

Technical Tip: FortiGate SD-WAN performance SLA shows down

Description This article describes when IPSEC overlay members are added to SD-WAN and have issues with performance SLA being down.
Scope FortiGate SD-WAN SLA.
Solution

FortiGate can still ping the detect server. But the SLA is showing 'dead' for one of the members.

The IPSEC overlay member is configured with a similar source interface (Fortigate LAN interface).

 

Example:

 

FGTA:

A health check shows that ISP18 and ISP19 are alive.

 

FGTA.PNG

 

FGTB:

A health check shows ISP18 is dead and ISP19 is alive.

 

FGTB.PNG

 

Packet capture on ISP18 VPN interface shows no ICMP reply packet for probe sent by 10.250.3.172--->10.220.3.102.

 

icmp capture ISP18.PNG

 

This is due to asymmetric routing enabled in FGTA which causes icmp probe packet in/out via different interfaces. 

 

Note:

When the asymmetric route is enabled, the performance SLA will show UP at one end as per FGTA, while the other end FGTB shows as DOWN.

 

asymetric.PNG

 

To solve the issue, disable the asymmetric routing in FortiGate (FGTA).

 

config system settings
    set asymroute enable <----- Disable.
end

 

Related article:

Technical Tip: Differences between asymmetric routing and auxiliary sessions
Labels:
353
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.