Description | This article describes the asymmetric routing that occurs when a backup tunnel on an ADVPN spoke uses the same tunnel ID subnet as the primary tunnel. |
Scope | FortiGate v7.0.x, v7.2.x, v7.4.x. |
Solution |
Example:
HUB (Tunnel ID: 10.10.10.1) ---- IPsec Primary Tunnel (VPN1) ---- (10.10.10.2) wan1 Spoke
HUB (Tunnel ID: 10.10.10.1) ---- IPsec Secondary Tunnel (VPN2) ---- (10.10.10.3) wan2 Spoke
In the above scenario, both tunnels from the spoke terminate on the same dial-up VPN on the hub. If the primary tunnel goes down, the BGP neighbor remains up over the secondary tunnel. When the primary tunnel comes back, the spoke sends traffic via VPN1, but the hub still prefers the route learned over the secondary tunnel, because both spoke tunnels sit in the same tunnel ID subnet and the hub cannot differentiate the routes. As a result, asymmetric routing is observed.
Example: an ICMP ping sent from the spoke leaves via VPN1, but the reply arrives at the spoke on VPN2.
Solution: configuring the same tunnel ID subnet on two tunnels is not recommended, so assign a different tunnel ID subnet to each tunnel. This can be achieved in several ways, for example by creating a separate dial-up tunnel for VPN2 on the hub.
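The tunnel-interface addressing below is an added illustration, not configuration from the original article: it shows the overlapping layout from the example next to a corrected one in which VPN2 gets its own tunnel ID subnet. The addresses 10.10.10.x follow the example above; the 10.10.11.0/24 subnet, the .254 hub-side remote-ip values and the interface names are assumptions, and the phase1/phase2 definitions for the new hub tunnel are not shown.

```fortios
# Before: the hub exposes a single dial-up tunnel (VPN1) and both spoke tunnels land on it.
# Both spoke peers (10.10.10.2 and 10.10.10.3) fall in the same tunnel ID subnet,
# so routes learned over them cannot be told apart after a failover.
# Hub
config system interface
    edit "VPN1"                                   # dial-up tunnel interface
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0  # assumed unused address in the subnet
    next
end
# Spoke
config system interface
    edit "VPN1"                                   # primary, over wan1
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.0
    next
    edit "VPN2"                                   # secondary, over wan2: same subnet, problem
        set ip 10.10.10.3 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.0
    next
end

# After: a separate dial-up tunnel (VPN2) on the hub with its own tunnel ID subnet.
# 10.10.11.0/24 is an assumed value; any subnet distinct from VPN1's works.
# Hub
config system interface
    edit "VPN2"
        set ip 10.10.11.1 255.255.255.255
        set remote-ip 10.10.11.254 255.255.255.0  # assumed unused address in the subnet
    next
end
# Spoke
config system interface
    edit "VPN2"                                   # secondary, over wan2, now distinct
        set ip 10.10.11.3 255.255.255.255
        set remote-ip 10.10.11.1 255.255.255.0
    next
end
```

After the change, routes learned over VPN1 and VPN2 on the hub carry different tunnel IDs, so when the primary recovers the hub can prefer the path the spoke is actually using.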
Copyright 2024 Fortinet, Inc. All Rights Reserved.