Description
This article describes the best settings to solve traffic asymmetry in specific dial-up VPN topologies.

Scope
FortiOS 7.0.1+ GA releases.

Solution
As an example, a network administrator has implemented the SD-WAN IPsec topology below (a spoke with two tunnels to the hub, one per WAN link):
In such a scenario the hub receives the spoke's traffic correctly on whichever tunnel the spoke sends it over. From the spoke's point of view, however, the replies, SD-WAN health-check replies included, arrive only over the primary VPN tunnel and never over the secondary one.

This happens because the hub's dial-up IPsec phase1 is configured with 'net-device' disabled: the hub does not bring up a separate tunnel interface per spoke tunnel, so it cannot tie a reply to the tunnel the request came in on. Even when the same spoke has several tunnels up, the hub sends the reply over the tunnel whose route has the higher priority, even if the request was received on the other tunnel, which causes the traffic asymmetry.
To solve the issue, configure a location ID in the VDOM system settings of the spoke FortiGate:

config system settings
    set location-id X.X.X.X
end

X.X.X.X is a number written in the form of an IPv4 address. It identifies the spoke to the hub, so give each spoke its own value; being a VDOM-wide setting, it applies to all of that spoke's tunnels.
Then, during a maintenance window, the tunnels on both the spoke and the hub must be flushed and the IKE service restarted with the following commands:
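The following configuration is an added illustration, not part of the original article, of where the relevant settings sit on each side: the hub's dial-up phase1 with 'net-device' disabled (the condition under which the asymmetry appears) next to the spoke's two phase1s and the location-id that corrects it. The tunnel and interface names, the hub address, the pre-shared key and the location-id value are assumed; phase2 settings and the article's tunnel-flush and IKE-restart step are not shown.

```fortios
# Hub: one dynamic (dial-up) phase1 accepts both of the spoke's tunnels.
# With net-device disabled there is no per-tunnel interface, so the hub
# needs the spoke's location-id to tell the two tunnels apart.
# Names, interface, address and key below are constructed for this example.
config vpn ipsec phase1-interface
    edit "HUB-DIALUP"
        set type dynamic
        set interface "port1"
        set net-device disable
        set psksecret "example-psk-change-me"
    next
end

# Spoke: two phase1s to the same hub address, one per WAN link.
config vpn ipsec phase1-interface
    edit "HUB-VPN1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret "example-psk-change-me"
    next
    edit "HUB-VPN2"
        set interface "wan2"
        set remote-gw 203.0.113.10
        set psksecret "example-psk-change-me"
    next
end

# Spoke: location-id is a VDOM-wide setting, so the same value is sent on
# both tunnels. Use a different value on every spoke behind the hub.
config system settings
    set location-id 10.255.0.1
end
```

Without the last stanza the hub replies over whichever of HUB-VPN1 or HUB-VPN2 currently holds the better route priority, regardless of which tunnel carried the request; with it, the hub can associate both tunnels with the same spoke and return traffic on the tunnel it arrived on.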