FortiGate
amrit
Staff
Article Id 320814
Description This article describes the asymmetric routing that occurs when a backup tunnel on an ADVPN spoke uses the same tunnel ID subnet as the primary tunnel.
Scope FortiGate v7.0.x, v7.2.x, v7.4.x.
Solution

Example :

HUB (tunnel ID 10.10.10.1) ---- IPsec primary tunnel (VPN1) ---- (10.10.10.2) wan1 Spoke

HUB (tunnel ID 10.10.10.1) ---- IPsec secondary tunnel (VPN2) ---- (10.10.10.3) wan2 Spoke


In the above scenario, both the tunnels from the spoke are connected to the same dial-up VPN on the hub.

If the primary tunnel goes down, the BGP neighbor will remain up on the secondary tunnel. However, when the primary tunnel comes back, the spoke will send traffic via VPN1 while the hub will still have its best route via the secondary tunnel, because the hub cannot differentiate the two routes (both spoke tunnel IPs fall in the same tunnel ID subnet on the same dial-up interface). Due to this, asymmetric routing will be observed.


Example:

An ICMP ping from the spoke will leave via VPN1, and the reply will be received on the spoke via VPN2.


Solution:

Configuring the same tunnel ID subnet on two tunnels is not recommended, so assign a different tunnel ID subnet to each tunnel. This can be achieved in several ways, each of which creates a separate tunnel for VPN2 on the hub (or makes the spoke stop using VPN2 while VPN1 is up):


  1. Using the peer ID and local ID feature in IKEv1 (on the hub): Technical Tip: Use of PeerID and LocalID in IPsec VPN between two FortiGates
  2. Creating IPsec tunnels with network overlay IDs on the hub (only supported in IKEv2): Technical Tip: How to establish more than one IPsec tunnel with same pair of IP
  3. To avoid creating a separate VPN tunnel on the hub, use the tunnel monitor feature on the spokes: Technical Tip: IPsec VPN: Site-to-Site tunnel monitor
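The following FortiOS CLI fragment is an added example of option 2 (it is not configuration taken from this article): the hub gets a second IKEv2 dial-up phase1 named VPN2 that is distinguished by a network overlay ID and given its own tunnel ID subnet (10.10.20.0/24), and the spoke's VPN2 is moved onto that subnet. Interface names (port1, wan2), the hub WAN address 203.0.113.1, the proposal, and the PSK placeholder are assumptions chosen for the example.

```text
# --- HUB: separate dial-up tunnel for the backup path (IKEv2 + network-id) ---
config vpn ipsec phase1-interface
    edit "VPN2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set add-route disable
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2
        set proposal aes256-sha256
        set psksecret <PSK_PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "VPN2"
        set phase1name "VPN2"
    next
end
# HUB: VPN2 uses 10.10.20.0/24 as its tunnel ID subnet, not 10.10.10.0/24 (VPN1)
config system interface
    edit "VPN2"
        set ip 10.10.20.1 255.255.255.255
        set remote-ip 10.10.20.254 255.255.255.0
    next
end

# --- SPOKE: backup tunnel over wan2 must carry the same network-id ---
config vpn ipsec phase1-interface
    edit "VPN2"
        set interface "wan2"
        set ike-version 2
        set remote-gw 203.0.113.1
        set network-overlay enable
        set network-id 2
        set auto-discovery-receiver enable
        set net-device enable
        set proposal aes256-sha256
        set psksecret <PSK_PLACEHOLDER>
    next
end
# SPOKE: tunnel IP moves from 10.10.10.3 to the VPN2 subnet
config system interface
    edit "VPN2"
        set ip 10.10.20.3 255.255.255.255
        set remote-ip 10.10.20.1 255.255.255.255
    next
end
```

The hub's BGP neighbor-range must also cover 10.10.20.0/24 so that the spoke's VPN2 peering comes up on the new subnet; with the two spoke tunnel IPs now in distinct subnets on distinct hub interfaces, the hub can prefer the VPN1 path again once the primary tunnel is restored.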

