Nivedha
Staff
Article Id 327651
Description This article describes how the latency quality criterion may affect traffic decisions when SD-WAN is used for ADVPN traffic.
Scope FortiGate v7.0.x +
Solution

The topology used in this scenario is as follows:

[Figure: Topology.PNG]

The primary IPsec tunnel is named advpn and the secondary IPsec tunnel is named advpn2.
An SD-WAN performance SLA has been configured on the Spoke, pointing towards the loopback IP on the Hub:

SDWAN config:

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "IPSec"
        next
    end
    config members
        edit 1
            set interface "port1"
            set gateway 20.0.0.254
        next
        edit 2
            set interface "port2"
            set gateway 30.0.0.254
        next
        edit 3
            set interface "advpn"
            set zone "IPSec"
        next
        edit 4
            set interface "advpn2"
            set zone "IPSec"
        next
    end
    config health-check
        edit "Google"
            set server "8.8.8.8"
            set members 1 2
            config sla
                edit 1
                next
            end
        next
        edit "IPSEC"
            set server "192.168.99.99"
            set members 3 4
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "Internal"
            set mode priority
            set dst "Private"
            set health-check "IPSEC"
            set priority-members 3 4
        next
        edit 2
            set name "Internet"
            set dst "all"
            set priority-members 1 2
        next
    end
end

Checking the performance SLA status shows the latency measured on the advpn and advpn2 interfaces:


Spoke1 # diag sys sdwan health-check
Health Check(Google):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(0.878), jitter(0.114), bandwidth-up(9999989), bandwidth-dw(9999993), bandwidth-bi(19999982) sla_map=0x1
Seq(2 port2): state(alive), packet-loss(0.000%) latency(0.808), jitter(0.103), bandwidth-up(9999997), bandwidth-dw(9999997), bandwidth-bi(19999994) sla_map=0x1
Health Check(IPSEC):
Seq(3 advpn): state(alive), packet-loss(0.000%) latency(0.660), jitter(0.195), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(4 advpn2): state(alive), packet-loss(0.000%) latency(0.523), jitter(0.168), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1

The latency for advpn is 0.660 and for advpn2 is 0.523. Because rule 1 selects its members by link quality (latency), FortiGate can select either advpn or advpn2, depending on which tunnel has the lower latency at the time.

To always send traffic out of the primary tunnel, and to use the secondary tunnel only when the primary is down, the latency SD-WAN criterion should not be used. In such cases, use the manual or lowest-cost SLA criteria (provided that the SLA is always met by all members at all times).
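As an added illustration (not part of the original article), the two variants below rewrite SD-WAN rule 1 from the configuration above so that advpn (member 3) stays preferred and advpn2 (member 4) is only used as a fallback. The member IDs, rule number and health-check name are taken from the article's configuration; the member cost values are assumed for the example.

```text
# Option A: manual mode. Members are used strictly in the listed order,
# so measured latency no longer decides between advpn and advpn2.
# advpn2 carries traffic only while the IPSEC health check marks advpn dead.
config system sdwan
    config service
        edit 1
            set name "Internal"
            set dst "Private"
            set mode manual
            set priority-members 3 4
        next
    end
end

# Option B: lowest-cost SLA mode. Both members must meet SLA 1 of the IPSEC
# health check; among members in SLA, the lowest cost wins and equal costs
# fall back to the priority-members order. advpn keeps the lower cost, so it
# is preferred as long as it stays within SLA (if it drops out of SLA even
# briefly, traffic moves to advpn2, hence the caveat above).
config system sdwan
    config members
        edit 3
            set cost 0
        next
        edit 4
            set cost 10
        next
    end
    config service
        edit 1
            set name "Internal"
            set dst "Private"
            set mode sla
            config sla
                edit "IPSEC"
                    set id 1
                next
            end
            set priority-members 3 4
        next
    end
end
```

After changing the mode, re-check the selection with diag sys sdwan health-check and diag sys sdwan service to confirm that rule 1 now lists advpn first regardless of the measured latency.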

Ensure that the SD-WAN performance SLA targets are customized according to the Internet SLA (5 ms latency and 5 ms jitter are too low as targets if the device does not have a higher-speed link).
