Description
This article describes how to add the VPN interface to the SD-WAN and how to configure the SD-WAN performance SLA for the VPN interface.
Solution
Adding the VPN interfaces to the SD-WAN is necessary to load balance the remote network traffic.
After adding the VPN interface to the SD-WAN, when a performance SLA is created for the VPN interface, the performance SLA status shows down.
However, under the IPsec monitor the VPN tunnel status shows up.
The root cause of the issue is that, for the performance SLA monitor, the FortiGate itself acts as the source device and uses the IPsec VPN outgoing (WAN) interface IP as the source address.
This source and destination pair does not match the phase 2 selectors, so the ping request is dropped by the FortiGate itself.
# dia vpn tunnel list
name=HO_port1_2 ver=1 serial=1 10.40.16.57:0->10.40.16.20:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=/0
stat: rxp=352 txp=453 rxb=42240 txb=27180
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=HO_port1_2 proto=0 sa=1 ref=2 serial=2
src: 0:172.31.192.0/255.255.240.0:0
dst: 0:172.31.128.0/255.255.240.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42225/0B replaywin=2048
seqno=1c6 esn=0 replaywin_lastseq=00000161 itn=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=e04e9478 esp=aes key=16 73cb7c9658e2b3bf3f9eddbf3e966514
ah=sha1 key=20 1c990b12c0ef9df9721f550924cc69e2ceadcbcc
enc: spi=276713b0 esp=aes key=16 83199cc34061a388045e59a157827281
ah=sha1 key=20 6ebe8070d5f7105ec4a70da6eb4e1e467a701463
dec:pkts/bytes=352/21120, enc:pkts/bytes=453/54360
------------------------------------------------------
name=HO_port2_3 ver=1 serial=2 10.40.48.57:0->10.40.48.20:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=17 ilast=0 olast=0 ad=/0
stat: rxp=343 txp=443 rxb=41160 txb=26580
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=HO_port2_3 proto=0 sa=1 ref=2 serial=2
src: 0:172.31.192.0/255.255.240.0:0
dst: 0:172.31.128.0/255.255.240.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42224/0B replaywin=2048
seqno=1bc esn=0 replaywin_lastseq=00000158 itn=0
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=e04e9479 esp=aes key=16 02b54e277607488456b277146f4d1429
ah=sha1 key=20 eaf940619730b89e85224178d7f2de33c3550e9e
enc: spi=276713b1 esp=aes key=16 9007a2942009fae3673649b9d87efe60
ah=sha1 key=20 36d1fa1945112b4baa003b6610d562608e093f07
dec:pkts/bytes=343/20580, enc:pkts/bytes=443/53160
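The selector check that drops the probe can be reproduced offline. The following Python script is an added example and is not FortiGate code or part of this article: it parses the src/dst phase 2 selector lines from tunnel-list text (a constructed sample modelled on the output above, with only the fields the check needs), then tests whether a given source/destination pair falls inside any selector pair of a tunnel. The function names (parse_selectors, matching_tunnels, sla_probe_would_pass) and the sample text are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the 'diagnose vpn tunnel list' output above.
# Only the name= line and the src:/dst: selector lines are reproduced.
SAMPLE_TUNNEL_LIST = """\
name=HO_port1_2 ver=1 serial=1 10.40.16.57:0->10.40.16.20:0
proxyid=HO_port1_2 proto=0 sa=1 ref=2 serial=2
src: 0:172.31.192.0/255.255.240.0:0
dst: 0:172.31.128.0/255.255.240.0:0
------------------------------------------------------
name=HO_port2_3 ver=1 serial=2 10.40.48.57:0->10.40.48.20:0
proxyid=HO_port2_3 proto=0 sa=1 ref=2 serial=2
src: 0:172.31.192.0/255.255.240.0:0
dst: 0:172.31.128.0/255.255.240.0:0
"""

# Matches lines such as "src: 0:172.31.192.0/255.255.240.0:0"
# (proto:address/netmask:port); only address and netmask are kept.
SELECTOR_RE = re.compile(
    r"^(src|dst):\s+\d+:(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_selectors(text):
    """Return {tunnel_name: [(src_network, dst_network), ...]}.

    Each src: line is paired with the dst: line that follows it, which is
    how the tunnel-list output presents a phase 2 selector.
    """
    tunnels = {}
    current = None
    pending_src = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            # "name=HO_port1_2 ver=1 ..." -> "HO_port1_2"
            current = line.split()[0].split("=", 1)[1]
            tunnels.setdefault(current, [])
            pending_src = None
            continue
        m = SELECTOR_RE.match(line)
        if not m or current is None:
            continue
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if m.group(1) == "src":
            pending_src = net
        elif pending_src is not None:
            tunnels[current].append((pending_src, net))
            pending_src = None
    return tunnels


def matching_tunnels(tunnels, src_ip, dst_ip):
    """Names of tunnels whose phase 2 selectors cover src_ip -> dst_ip."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return sorted(
        name
        for name, pairs in tunnels.items()
        if any(src in s_net and dst in d_net for s_net, d_net in pairs)
    )


def sla_probe_would_pass(tunnels, tunnel_name, src_ip, dst_ip):
    """True if a probe sourced from src_ip to dst_ip fits the tunnel's selectors."""
    return tunnel_name in matching_tunnels(tunnels, src_ip, dst_ip)


if __name__ == "__main__":
    sel = parse_selectors(SAMPLE_TUNNEL_LIST)
    server = "172.31.128.20"
    # WAN interface IP as source: no selector matches, the probe is dropped.
    print("WAN source:", matching_tunnels(sel, "10.40.16.57", server))
    # LAN interface IP as source: both tunnels' selectors match.
    print("LAN source:", matching_tunnels(sel, "172.31.192.57", server))
```

Run as a script and the first check returns an empty list, which is the "No matching IPsec selector" situation in the flow trace; the second returns both tunnel names, which is the state after a source IP inside the phase 2 selector is configured on the SD-WAN members.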
# dia sniffer packet any "host 172.31.128.20 and icmp" 4
interfaces=[any]
filters=[host 172.31.128.20 and icmp]
0.630359 HO_port1_2 out 10.40.16.57 -> 172.31.128.20: icmp: echo request
0.630388 HO_port2_3 out 10.40.16.57 -> 172.31.128.20: icmp: echo request
1.640399 HO_port1_2 out 10.40.16.57 -> 172.31.128.20: icmp: echo request
1.640444 HO_port2_3 out 10.40.16.57 -> 172.31.128.20: icmp: echo request
Flow filter logs show 'No matching IPsec selector, drop'.
id=20085 trace_id=3 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.40.16.57:257->172.31.128.20:2048) from local. type=8, code=0, id=257, seq=50."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-00001308, original direction"
id=20085 trace_id=3 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-HO_port1_2"
id=20085 trace_id=3 func=ipsec_common_output4 line=804 msg="No matching IPsec selector, drop" <-----
id=20085 trace_id=4 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.40.16.57:258->172.31.128.20:2048) from local. type=8, code=0, id=258, seq=33."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-0000130a, original direction"
id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-HO_port2_3"
id=20085 trace_id=4 func=ipsec_common_output4 line=804 msg="No matching IPsec selector, drop" <-----
Solution.
To overcome this issue, configure a source IP for the VPN interface in the SD-WAN settings.
Add a FortiGate local interface IP as the source IP for the VPN member in SD-WAN and make sure that it is part of the phase 2 selectors.
# config system virtual-wan-link
# config members
edit <id>
set source x.x.x.x <----- LAN interface IP.
next
end
Example.
# config system virtual-wan-link
(virtual-wan-link) # config members
(members)edit ? <----- Use question mark to get the interface ID.
seq-num <----- Sequence number (1-255).
1 port1
2 HO_port1_2
3 HO_port2_3
4 port2
(members) # edit 2
(2)set source 172.31.192.57
(2)next
(members)edit 3
(3)set source 172.31.192.57
(3)end
(virtual-wan-link)end
After configuring the source IP, FortiGate uses the same IP to ping the remote server.
# dia sniffer packet any "host 172.31.128.20 and icmp" 4
interfaces=[any]
filters=[host 172.31.128.20 and icmp]
1.679274 HO_port1_2 out 172.31.192.57 -> 172.31.128.20: icmp: echo request
1.679735 HO_port1_2 in 172.31.128.20 -> 172.31.192.57: icmp: echo reply
1.799248 HO_port2_3 out 172.31.192.57 -> 172.31.128.20: icmp: echo request
1.799707 HO_port2_3 in 172.31.128.20 -> 172.31.192.57: icmp: echo reply