FortiGate
Rosalyn (Staff)
Article Id 212754
Description
This article describes how to avoid FortiGuard update failures when an SD-WAN IPsec tunnel member is selected to reach the FortiGuard servers.
Scope

By default, FortiGate randomly picks one of the SD-WAN members to connect to the FortiGuard servers. When the IPsec tunnel member is selected, the update fails.

To avoid this, set a higher priority value on the IPsec tunnel member so that it is no longer a preferred path.

Solution

Routing table and SD-WAN member configuration before the change:


FGT# get router info routing-table all
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 192.168.1.1, wan2
*> [1/0] via 12.64.91.141, wan1
*> [1/0] via 10.10.10.9, test_IPsec_tunnel

FGT# config system sdwan
FGT# config members
FGT# show full
config members
    edit 1
        set interface "wan2"
        set zone "virtual-wan-link"
        set gateway 192.168.1.1
        set source 0.0.0.0
        set gateway6 ::
        set source6 ::
        set cost 0
        set priority 0 <----- Default value is 0.
        set status enable
        set comment ''
    next
    edit 2
        set interface "wan1"
        set zone "virtual-wan-link"
        set gateway 12.64.91.141
        set source 0.0.0.0
        set gateway6 ::
        set source6 ::
        set cost 0
        set priority 0
        set status enable
        set comment ''
    next
    edit 3
        set interface "test_IPsec_tunnel"
        set zone "virtual-wan-link"
        set gateway 10.10.10.9
        set source 0.0.0.0
        set gateway6 ::
        set source6 ::
        set cost 0
        set priority 5 <----- Change the value to be bigger than 0.
        set status enable
        set comment ''
    next
end
FGT# end
FGT# end


Routing table output after the change:


FGT# get router info routing-table all
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 192.168.1.1, wan2
*> [1/0] via 12.64.91.141, wan1
*> [1/0] via 10.10.10.9, test_IPsec_tunnel, [5/0]


Note that for FortiGate routing priority, the lowest value is preferred. The tunnel route now carries priority 5 (shown as [5/0]) while wan1 and wan2 keep the default 0, so the tunnel is no longer chosen for FortiGuard traffic.
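As an added check that is not part of the original article, the following Python snippet parses `get router info routing-table all` output in the format shown above and lists the default-route members that share the lowest priority, which are the ones FortiGate may still select for FortiGuard traffic. The line format, including reading the trailing `[5/0]` suffix as priority 5 and treating a missing suffix as priority 0, is inferred from the output shown on this page rather than from FortiOS documentation.

```python
import re
from typing import Dict, List

# Constructed sample: the "after the change" routing table from the article above.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 192.168.1.1, wan2
*> [1/0] via 12.64.91.141, wan1
*> [1/0] via 10.10.10.9, test_IPsec_tunnel, [5/0]
"""

# One next-hop line: optional protocol code and prefix (first line of a route),
# then "[distance/metric] via <gateway>, <interface>" and an optional trailing
# ", [priority/x]" which the output above shows only for the non-zero priority.
NEXTHOP_RE = re.compile(
    r"^(?:(?P<proto>[A-Z])\s+)?\*>\s+(?:(?P<prefix>\S+)\s+)?"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>\S+),\s+"
    r"(?P<iface>[^,\s]+)(?:,\s+\[(?P<priority>\d+)/\d+\])?\s*$"
)

def parse_default_routes(output: str) -> List[Dict]:
    """One dict per next hop of 0.0.0.0/0: interface, gateway and priority
    (0 when no suffix is printed, matching the article's default)."""
    hops, current_prefix = [], None
    for line in output.splitlines():
        m = NEXTHOP_RE.match(line.strip())
        if not m:
            continue
        if m.group("prefix"):
            current_prefix = m.group("prefix")
        if current_prefix != "0.0.0.0/0":
            continue
        hops.append({
            "interface": m.group("iface"),
            "gateway": m.group("gateway"),
            "priority": int(m.group("priority") or 0),
        })
    return hops

def preferred_egress(hops: List[Dict]) -> List[str]:
    """Interfaces sharing the lowest priority value: the members FortiGate may
    still pick for FortiGuard traffic. A tunnel in this list is the misconfiguration."""
    if not hops:
        return []
    best = min(h["priority"] for h in hops)
    return [h["interface"] for h in hops if h["priority"] == best]

if __name__ == "__main__":
    print(preferred_egress(parse_default_routes(SAMPLE_ROUTING_TABLE)))  # ['wan2', 'wan1']
```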


For more info regarding the routing priority preference, refer to:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...
