Created on 07-23-2024 11:08 PM
Edited on 09-26-2025 05:02 AM
By preetisingh
Description: This article describes how the latency quality criterion can affect SD-WAN steering decisions when SD-WAN is used to select the tunnel for ADVPN traffic.
Scope: FortiGate v7.0.x and later.
Solution:
The topology used in this scenario is as follows: the Spoke has two IPsec tunnels to the Hub, both configured as SD-WAN members. The primary tunnel is named advpn and the secondary tunnel is named advpn2. An SD-WAN Performance SLA (health check) is configured on the Spoke that probes the loopback IP address of the Hub through both tunnels:
SD-WAN configuration on the Spoke:
config system sdwan
Checking the Performance SLA status shows the latency currently measured on each member, advpn and advpn2:
The latency measured for advpn is 0.660 ms and for advpn2 is 0.523 ms. If the SD-WAN rule selects the member on latency, the FortiGate will pick whichever tunnel currently reports the lower value, so it may select either advpn or advpn2. Because these values change with every probe, traffic can move between the two tunnels at any time, which is not the desired behaviour in an ADVPN setup: the shortcut tunnels are built on the tunnel the traffic is using, so flapping between advpn and advpn2 is disruptive.
To keep traffic on the primary tunnel at all times, and use the secondary tunnel only when the primary is down, do not use the latency (best quality) criterion in the SD-WAN rule. Use the manual mode instead, or the lowest-cost (SLA) mode. With lowest-cost mode the members are used in the configured priority order only as long as they meet the SLA, so this option is suitable only if the SLA is always met by all members at all times; a member that breaches its SLA is no longer preferred even if it is first in the list.
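As an added example, and not configuration taken from the original article, the following FortiOS 7.0 CLI fragment shows the three rule styles discussed above side by side: a best-quality rule steering on measured latency (the behaviour to avoid for ADVPN), a manual rule that keeps traffic on advpn while it is alive, and a lowest-cost (SLA) rule that honours the member order while the SLA is met. The Hub loopback address 10.255.255.1, the health-check name HUB, the member IDs and the SLA thresholds are assumptions; the member interface names advpn and advpn2 are those of the article.

```text
config system sdwan
    set status enable
    config members
        edit 1
            set interface "advpn"          # primary tunnel
        next
        edit 2
            set interface "advpn2"         # secondary tunnel
        next
    end
    config health-check
        edit "HUB"
            set server "10.255.255.1"      # Hub loopback (assumed address)
            set members 1 2
            config sla
                edit 1
                    # Generous thresholds: the SLA should pass on both tunnels
                    # in normal conditions, so that SLA mode does not fail over
                    # on small fluctuations.
                    set link-cost-factor latency packet-loss
                    set latency-threshold 250
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        # NOT RECOMMENDED for ADVPN: best quality on latency. The tunnel that
        # currently reports the lower latency wins, so a difference such as
        # 0.660 ms versus 0.523 ms is enough to move the traffic.
        edit 1
            set name "ADVPN-best-latency"
            set mode priority
            set src "all"
            set dst "all"
            set health-check "HUB"
            set link-cost-factor latency
            set priority-members 1 2
        next
        # RECOMMENDED: manual. advpn carries the traffic while it is alive;
        # advpn2 is used only when advpn is down. Measured latency is ignored.
        edit 2
            set name "ADVPN-manual"
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 1 2
        next
        # ALTERNATIVE: lowest cost (SLA). Members are used in priority-members
        # order as long as they meet SLA 1 of health check "HUB". If advpn
        # breaches the SLA, traffic moves to advpn2 until advpn meets it again.
        edit 3
            set name "ADVPN-sla"
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "HUB"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

The three rules are listed together only for comparison: they all match src "all" and dst "all", and SD-WAN rules are evaluated top down, so in a real deployment keep exactly one of them (rule 2 or rule 3) and delete the others. Strip the explanatory comment lines before pasting into the CLI. After applying the configuration, confirm the steering decision on the Spoke with `diagnose sys sdwan service` and the measured SLA values with `diagnose sys sdwan health-check`.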
Copyright 2025 Fortinet, Inc. All Rights Reserved.