FortiGate
jera
Staff
Article Id 423560
Description

This article indicates why a network conflict with an administratively down interface prevents FortiGate from properly routing traffic.

Scope

FortiGate.
Solution

Sample Topology:

DMZ port 1 <> FortiGate <> IPSEC Tunnel <> (Remote Subnet) 10.10.10.3 (Server)


The DMZ interface (10.10.10.1/24) and the IPSec remote network (10.10.10.3) are in the same subnet, so FortiGate will never forward traffic for 10.10.10.3 into the IPSec tunnel.


Scenario:

The DMZ interface is administratively down (down/down). The IPSec tunnel is up.


Explanation:

  • FortiGate still treats 10.10.10.0/24 as a connected subnet, not as a destination that should be routed through the IPSec tunnel.
  • FortiGate route precedence, from highest to lowest:
    • Connected Routes.
    • Static Routes.
    • Dynamic Routes.


Because 10.10.10.0/24 is (or was) a directly connected subnet, FortiGate tries to resolve 10.10.10.3 by ARP on the DMZ interface and never considers the IPSec tunnel a valid path.

This happens even when the interface is down or administratively down, because the subnet still exists in the routing table logic.


To Fix:

Use a different subnet on each side, so that no local interface subnet overlaps the remote network reached through the IPSec tunnel.
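As an added illustration (not part of this article or of FortiOS), the Python check below flags overlap between local interface subnets and IPsec phase 2 remote selectors, and a simplified lookup shows the connected subnet winning for 10.10.10.3 even though the interface is down. The interface names, tunnel names and all subnets other than the article's 10.10.10.0/24 are constructed sample data.

```python
import ipaddress

# Constructed sample data modelled on the article's topology:
# local interface addresses and IPsec phase 2 remote selectors.
INTERFACES = {
    "dmz": "10.10.10.1/24",    # administratively down, but still a connected subnet
    "lan": "192.168.1.1/24",
}
PHASE2_REMOTE = {
    "site-b": ["10.10.10.0/24"],   # overlaps the dmz subnet
    "site-c": ["172.16.5.0/24"],   # no overlap
}


def find_conflicts(interfaces, phase2_remote):
    """Return (interface, tunnel, selector) triples where a local connected
    subnet overlaps an IPsec remote selector. Traffic for such destinations
    is resolved by ARP on the connected interface, never sent into the tunnel."""
    conflicts = []
    for ifname, cidr in interfaces.items():
        local_net = ipaddress.ip_interface(cidr).network
        for tunnel, selectors in phase2_remote.items():
            for sel in selectors:
                remote_net = ipaddress.ip_network(sel, strict=False)
                if local_net.overlaps(remote_net):
                    conflicts.append((ifname, tunnel, sel))
    return conflicts


def egress_for(dst, interfaces, phase2_remote):
    """Simplified route selection following the article's precedence:
    a connected subnet wins over a tunnel selector regardless of link state."""
    addr = ipaddress.ip_address(dst)
    for ifname, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return ifname  # FortiGate ARPs here, even if the interface is down
    for tunnel, selectors in phase2_remote.items():
        if any(addr in ipaddress.ip_network(s, strict=False) for s in selectors):
            return tunnel
    return None


if __name__ == "__main__":
    for ifname, tunnel, sel in find_conflicts(INTERFACES, PHASE2_REMOTE):
        print(f"conflict: interface {ifname} overlaps tunnel {tunnel} selector {sel}")
    print("10.10.10.3 egress:", egress_for("10.10.10.3", INTERFACES, PHASE2_REMOTE))
```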