Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fdsantos
Staff
Staff

Created on ‎08-30-2024 01:30 AM

Article Id 337770

Technical Tip: SD-WAN Performance SLA is showing interface failing even if the destination is reachable

Description

This article describes why the health check is showing the specific SD-WAN member down even if the destination is reachable to the member interface.
Scope

FortiGate.
Solution

Configured are two IPsec interfaces in the SD-WAN but IPSEC-2 is showing down.

 

1.jpg

 

When testing reachability from FortiGate, both interfaces can reach the destination without any issues.

 

2.jpg

 

Running a packet capture shows there is a reply on IPSEC-1.

 

3.jpg

 

However, in IPSEC-2 the reply packets are not returning to the correct interface.

 

4.jpg

 

SD-WAN health check detects the interface as ‘DOWN’ if the traffic is not returning to the correct interface even if the traffic is successful.

 

Once the traffic is returned to the correct interface, the SD-WAN health check will now detect the interface as UP.

 

5.jpg

 

6.jpg

 

7.jpg
Labels:
200
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.