Description | This article describes how VPN HA (failover) routing interacts with SD-WAN. |
Scope | FortiGate. |
Solution |
Background:
The user has two VPN tunnel setups with auto-negotiate enabled:
The scenarios below assume that each VPN tunnel has a static route configured over it and, at the same time, is a member of SD-WAN.
1) No health check is configured for the IPsec tunnel (SD-WAN member), with 'update-static-route enable' required:
- VPN-A goes down.
- The system detects that VPN-A is down.
- The static route over VPN-A is removed from the routing table.
- Traffic flows to VPN-B using the static route over VPN-B.
- In this scenario the failover is triggered by the static route being updated on the VPN interface, not by SD-WAN, even though the tunnel is included as an SD-WAN member.
2) A health check is configured for the IPsec tunnel (SD-WAN member), with 'update-static-route enable' required:
config system sdwan
- VPN-A goes down.
- The SD-WAN health check detects that VPN-A is down.
- Traffic is routed to VPN-B.
- In this case the failover is triggered by SD-WAN.
3) If the customer does not want SD-WAN to be involved in the failover, a link-monitor can be set up to trigger it instead:
config system link-monitor
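The two failover mechanisms contrasted above (SD-WAN health check in scenario 2, link-monitor in scenario 3), as an added example configuration that is not the article's own: the interface names VPN-A/VPN-B, the probe target 192.0.2.1 and the entry names are placeholders, and the static routes over each tunnel are assumed to exist already as described in the background.

```fortios
# Added example, not the article's configuration. "VPN-A", "VPN-B",
# the entry names and the probe target 192.0.2.1 are placeholders.

# Scenario 2: both tunnels are SD-WAN members and a health check with
# 'update-static-route enable' drives the failover. When the probe over
# VPN-A fails, SD-WAN withdraws the static route for that member and
# traffic follows the remaining static route over VPN-B.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "VPN-A"
        next
        edit 2
            set interface "VPN-B"
        next
    end
    config health-check
        edit "vpn-probe"
            set server "192.0.2.1"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set update-static-route enable
            set members 1 2
        next
    end
end

# Scenario 3: the same outcome without SD-WAN. A link-monitor probes the
# far side through VPN-A and, on failure, removes the static route on
# that interface so the static route over VPN-B takes over.
config system link-monitor
    edit "vpn-a-probe"
        set srcintf "VPN-A"
        set server "192.0.2.1"
        set protocol ping
        set interval 500
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

Verify which mechanism actually removed the route after a failover with 'get router info routing-table all' together with 'diagnose sys sdwan health-check' or 'diagnose sys link-monitor status', so the behaviour matches the scenario you intended.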
Copyright 2024 Fortinet, Inc. All Rights Reserved.