Description
This article describes how to configure a source IP address for the Secure SDWAN Performance SLA feature.
For regular SD-WAN members which have an IP address configured, such as WAN interfaces, FortiOS will perform Performance SLA checking by using the interface’s IP address.
However, in secure SD-WAN, there are some VPN interfaces that do not have an IP address configured or there is an IP address configured but the IP address is not allowed in the IPsec Phase2 selector, then the FortiOS will encounter an issue when performing SD-WAN Performance SLA checking for these VPN interfaces.
Solution
By default, the VPN interface created in FortiOS does not have any IP address.
Besides, if the VPN interface is added to Secure SD-WAN members, then configure with Performance SLA to check the VPN tunnel status, the Performance SLA entry status is ‘down’ for the VPN interface, as below:
Therefore, set a source IP address for the VPN interface to allow FortiOS perform Performance SLA checking and validate the result, with CLI commands below:
# config system virtual-wan-link
config members
edit <ID> <<<< VPN Interface member ID
set source <IP address> <<<< Interface IP which allowed in IPSec Phase2 and Policy
end
config members
edit <ID> <<<< VPN Interface member ID
set source <IP address> <<<< Interface IP which allowed in IPSec Phase2 and Policy
end
Result:
Note: Starting from FortiOS 6.4.1, 'config system virtual-wan-link' is replaced with 'config system sdwan'.
# config system sdwan
config members
edit <ID> <<<< VPN Interface member ID
set source <IP address> <<<< Interface IP which allowed in IPSec Phase2 and Policy
end
