FortiGate
alif
Staff
Article Id 197595

Description

This article describes how to identify any routes marked as inactive in the routing table using the CLI command get router info routing-table database.

Scope

FortiGate.

Solution

Distance or administrative distance is a number used by routers to determine which route is preferred for a particular destination.
If there are two routes to the same destination, the one with the smaller distance is considered better and used for routing.

The routes with higher distances are inactive and not added to the routing table.
If an interface is down, or FortiGate does not have Layer 2 connectivity to a subnet, that route is also considered inactive and will not be added to the routing table.


The command get router info routing-table details does not show inactive routes and displays only the one with the lowest distance (the active one).

For example, when two static routes to the same destination subnet have different distances, the one with the lower distance is active.
The one with the higher distance is inactive.

If the conditions for installing a route in the routing table are not met, the FortiGate marks that route as inactive in the output of get router info routing-table database.


The following routes will appear as inactive:

  • A static route on an interface with a static IP address, where the route's gateway is in a different subnet than the interface's static IP address.
  • A DHCP interface whose DHCP-assigned IP address is in a different subnet than the default gateway (i.e. due to an incorrectly configured DHCP server).
  • Static routes on any interface with a failed link monitor (also known as the link health monitor / gateway detect / dead gateway detection feature).
  • A static route on an IPsec VPN tunnel interface that is down (i.e. Phase 1 is down).
  • A static route on any interface configured in a Performance SLA with a failed link.


In the example below, the default static route is marked as inactive because its default gateway (8.8.8.8) is in a different subnet than the static IP address configured for the wan1 interface (10.10.10.1).

get router info routing-table database

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S       0.0.0.0/0 [10/0] via 8.8.8.8, wan1 inactive
C    *> 3.3.3.0/24 is directly connected, internal
C    *> 10.10.10.0/24 is directly connected, wan1
C    *> 192.168.5.0/24 is directly connected, wifi


To view IPv6 routes, run the following command:

get router info6 routing-table database

Example:

HUB # get router info6 routing-table database
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, B - BGP, V - BGP VPNv6
> - selected route, * - FIB route, p - stale info
Timers: Uptime

Routing table for VRF=0
S ::/0 [10/0] via 2001:db8:3c4d:15::1a2f:1a2b, port4 inactive, 00:24:47, [1024/0]


To view the active routes, run the following command:

get router info routing-table details

Example:

HUB # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C 10.9.0.0/20 is directly connected, port1
S 10.10.10.0/24 [254/0] is a summary, Null, [1/0]
C 10.253.240.0/20 is directly connected, wqt.root


To view the route for a specific destination, run the following command:

get router info routing-table details x.x.x.x   <----- where x.x.x.x is the destination IP address.

Example:

HUB # get router info routing-table details 192.168.1.187

Routing table for VRF=0
Routing entry for 192.168.1.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port2
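As an added example (not part of this article and not Fortinet's code), the following Python script parses the IPv4 and IPv6 get router info routing-table database output shown above, lists the routes marked inactive, classifies each one against the causes listed earlier by checking whether its gateway lies inside the interface's subnet, and performs the longest-prefix, lowest-distance lookup that decides which route get router info routing-table details reports as active. The port4 address, the two 192.168.50.0/24 static routes with distances 10 and 20, and all function names are assumptions added for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One route line of `get router info routing-table database`, IPv4 or IPv6.
# Legend lines, "Routing table for VRF=0" and "Timers: Uptime" never match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9]?)\s+"     # protocol code: S, C, O, E1, ia ...
    r"(?P<flags>[*>p]*)\s*"                   # * FIB route, > selected, p stale
    r"(?P<prefix>\S+)\s+"                     # destination prefix
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+)?"
    r"(?:via\s+(?P<gateway>\S+),\s+|is directly connected,\s+)"
    r"(?P<iface>[^\s,]+)"
    r"(?P<inactive>\s+inactive)?"
)

@dataclass
class Route:
    code: str
    prefix: str
    iface: str
    gateway: Optional[str]   # None for connected routes
    distance: int            # connected routes carry no [dist/metric]; treated as 0
    metric: int
    in_fib: bool             # '*' flag
    selected: bool           # '>' flag
    inactive: bool           # trailing "inactive" marker

def parse_routing_database(output: str) -> List[Route]:
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags")
        routes.append(Route(
            code=m.group("code"), prefix=m.group("prefix"), iface=m.group("iface"),
            gateway=m.group("gateway"),
            distance=int(m.group("distance") or 0), metric=int(m.group("metric") or 0),
            in_fib="*" in flags, selected=">" in flags,
            inactive=m.group("inactive") is not None))
    return routes

def inactive_routes(routes: List[Route]) -> List[Route]:
    return [r for r in routes if r.inactive]

def explain_inactive(route: Route, iface_addrs: Dict[str, str]) -> str:
    """Classify an inactive route using the causes the article lists.
    iface_addrs maps interface name -> configured address with prefix length."""
    if route.gateway is None:
        return "no-gateway"            # nothing to compare; check the interface state
    addr = iface_addrs.get(route.iface)
    if addr is None:
        return "unknown-interface"
    if ipaddress.ip_address(route.gateway) not in ipaddress.ip_interface(addr).network:
        return "gateway-off-subnet"    # static or DHCP address not in the gateway's subnet
    # Subnet is fine: remaining causes are a failed link monitor, a down IPsec
    # phase 1 on a tunnel interface, or a failed Performance SLA link.
    return "gateway-on-link"

def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over non-inactive routes; on equal prefix length
    the lower administrative distance wins (the article's selection rule)."""
    dest = ipaddress.ip_address(destination)
    best: Optional[Tuple[Tuple[int, int], Route]] = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if r.inactive or dest not in net:
            continue
        key = (net.prefixlen, -r.distance)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None

def report(output: str, iface_addrs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    return [(r.prefix, r.iface, explain_inactive(r, iface_addrs))
            for r in inactive_routes(parse_routing_database(output))]

# IPv4 output from the article (legend abridged), plus two constructed static
# routes to the same destination with different distances (not from the article).
IPV4_DB = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       > - selected route, * - FIB route, p - stale info

S       0.0.0.0/0 [10/0] via 8.8.8.8, wan1 inactive
C    *> 3.3.3.0/24 is directly connected, internal
C    *> 10.10.10.0/24 is directly connected, wan1
C    *> 192.168.5.0/24 is directly connected, wifi
S    *> 192.168.50.0/24 [10/0] via 10.10.10.254, wan1
S       192.168.50.0/24 [20/0] via 3.3.3.254, internal
"""

# IPv6 output from the article (legend omitted).
IPV6_DB = """\
IPv6 Routing Table
Routing table for VRF=0
S ::/0 [10/0] via 2001:db8:3c4d:15::1a2f:1a2b, port4 inactive, 00:24:47, [1024/0]
"""

# wan1 is the article's address (10.10.10.1 on the connected /24); port4 is constructed.
IFACE_ADDRS = {"wan1": "10.10.10.1/24", "port4": "2001:db8:3c4d:15::1/64"}

if __name__ == "__main__":
    for db in (IPV4_DB, IPV6_DB):
        for prefix, iface, reason in report(db, IFACE_ADDRS):
            print(f"{prefix:<24} {iface:<8} {reason}")
    r = lookup(parse_routing_database(IPV4_DB), "192.168.50.9")
    print("192.168.50.9 ->", r.iface, "distance", r.distance)
```

For the article's wan1 example the script reports gateway-off-subnet, which is exactly the mismatch between 8.8.8.8 and 10.10.10.1/24 described above; for the IPv6 default route the gateway is on-link, so the remaining causes (link monitor, IPsec phase 1, Performance SLA) are what to check next. Because the default route is inactive, a lookup for an off-net address returns no route, matching what get router info routing-table details would show.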


Related document:
Routing Concepts


Related articles:

Technical Tip: FortiGate routing table conditions

Technical Tip: Routing in FortiGate (route-lookup-process)

Technical Note: Routing behavior depending on distance and priority for static routes, and Policy Ba...