Description
This article explains reply traffic that does not match any of the configured policy routes or SD-WAN rules.
Solution
When traffic from the Internet to a LAN segment behind the FortiGate is initiated, it enters through one interface, and if there are multiple routes back to the actual source, the reply traffic may be observed leaving through a different interface than the original incoming one, even though a specific policy route or SD-WAN rule for the return traffic is configured.
From firmware 6.4.0 GA onward, reply traffic not matching the configured policy routes or SD-WAN rules is expected, due to a behavior change.
Firmware 6.2.x is not affected. Verify the configuration below on the FortiGate to mitigate this issue:
show full system settings | grep asymroute
set asymroute disable
set asymroute-icmp disable
set asymroute6 disable
set asymroute6-icmp disable
Note:
As of v7.6.5 and later, the default setting for 'asymroute-icmp' and 'asymroute6-icmp' has changed from disabled to enabled (in earlier FortiOS versions the default for these settings was disabled).
show full system settings | grep aux
set auxiliary-session disable
Use case 1.
If asymmetric routing is enabled, the reply traffic goes out of any of the configured interfaces according to the routing table, whether the auxiliary session is enabled or disabled.
The reply traffic does not need to go out of the original incoming interface, because with asymmetric routing enabled, traffic always takes the best route in both directions.
Use case 2.
If asymmetric routing is disabled, the reply traffic can be forced to go out of the original incoming interface by disabling the auxiliary session, even though there are multiple routes to reach the actual source.
Note:
In any situation, the reply traffic does not look up policy routes or SD-WAN rules in firmware 6.4.x.
The behavior of checking policy routes is retained in firmware 7.0.1, where the reply traffic looks for a policy route (proute) match.
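To audit the settings above across several units, the output of 'show full system settings' can be parsed and classified into the two use cases. The following script is an added example, not Fortinet code; the sample CLI output it contains is constructed (it mirrors the 7.6.5+ ICMP default change with the auxiliary session left enabled) and is not captured from a real device.

```python
import re

# Keys the article says to verify under 'config system settings', with the
# values that pin reply traffic to the original ingress interface (use case 2).
RECOMMENDED = {
    "asymroute": "disable",
    "asymroute-icmp": "disable",
    "asymroute6": "disable",
    "asymroute6-icmp": "disable",
    "auxiliary-session": "disable",
}

def parse_system_settings(cli_output):
    """Return {key: value} for every 'set <key> <value>' line in the output of
    'show full system settings'. Quotes are stripped; other lines are ignored."""
    settings = {}
    for line in cli_output.splitlines():
        m = re.match(r'\s*set\s+(\S+)\s+(.+?)\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def audit_return_path(cli_output):
    """Classify a unit according to the two use cases described in the article."""
    settings = parse_system_settings(cli_output)
    deviations = {k: settings.get(k, "<missing>")
                  for k, v in RECOMMENDED.items() if settings.get(k) != v}
    asymmetric = [k for k in RECOMMENDED
                  if k.startswith("asymroute") and settings.get(k) == "enable"]
    if asymmetric:
        # Use case 1: reply follows the routing table whatever auxiliary-session is.
        verdict = "use case 1: reply follows routing table"
    elif settings.get("auxiliary-session") == "enable":
        verdict = "auxiliary session enabled: reply not pinned to ingress interface"
    else:
        verdict = "use case 2: reply forced out of original ingress interface"
    return {"deviations": deviations, "asymmetric": asymmetric, "verdict": verdict}

# Constructed sample output (not from a real device): ICMP asymroute keys at
# the 7.6.5+ default of 'enable', auxiliary session left enabled.
SAMPLE_OUTPUT = """config system settings
    set asymroute disable
    set asymroute-icmp enable
    set asymroute6 disable
    set asymroute6-icmp enable
    set auxiliary-session enable
end
"""

if __name__ == "__main__":
    print(audit_return_path(SAMPLE_OUTPUT))
```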
Related document:
Controlling return path with auxiliary session
Copyright 2026 Fortinet, Inc. All Rights Reserved.