Description
This article describes an issue with SD-WAN link failover when the specific server has a Virtual IP address (VIP) enabled. |
Scope
FortiGate. |
Solution
In this scenario, an internal web server has an external VIP whose external interface is set to 'any', and the server has a problem sending outbound traffic once an SD-WAN link failover is triggered.

# config firewall vip
    edit "VIP"
        set extip 10.47.18.100
        set mappedip "10.10.10.100"
        set extintf "any"    <-----
    next
end
Before link failover, the WAN1 interface is selected as the outgoing interface when accessing the external website www.example.com, and the server's outgoing traffic works.

# diag ip proute match 93.184.216.34 10.10.10.100 port3 6 443
dst=93.184.216.34 src=10.10.10.100 smac=00:00:00:00:00:00 iif=17 protocol=6 dport=443
id=7f000003 type=SDWAN seq-num=3 oif=7(wan1)

# diag sniffer packet any 'host 93.184.216.34' 4 0 l
interfaces=[any]
filters=[host 93.184.216.34]
52.774144 port3 in 10.10.10.100 -> 93.184.216.34: icmp: echo request
52.774221 wan1 out 10.47.18.100 -> 93.184.216.34: icmp: echo request
52.964093 wan1 in 93.184.216.34 -> 10.47.18.100: icmp: echo reply
After link failover, SD-WAN failover itself works: the WAN2 interface is now selected as the outgoing interface. However, the server starts encountering issues accessing external websites.

# diag ip proute match 93.184.216.34 10.10.10.100 port3 6 443
dst=93.184.216.34 src=10.10.10.100 smac=00:00:00:00:00:00 iif=17 protocol=6 dport=443
id=7f000003 type=SDWAN seq-num=3 oif=8(wan2)

# diag sniffer packet any 'host 93.184.216.34' 4
interfaces=[any]
filters=[host 93.184.216.34]
4.361605 port3 in 10.10.10.100 -> 93.184.216.34: icmp: echo request
4.361695 wan2 out 10.47.18.100 -> 93.184.216.34: icmp: echo request
The packet sniffer output shows that the firewall still uses the VIP external IP that belongs to WAN1 (10.47.18.100) as the source address while sending the traffic out through the WAN2 interface. As a result, the outgoing connection fails: no ICMP echo reply comes back.
By default, a static (one-to-one) NAT VIP applies to both incoming and outgoing connections, so the server's outbound traffic is source-translated to the VIP external IP. Because the VIP is configured with the external interface 'any', this translation applies on both WAN interfaces, including WAN2 after failover.
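The mismatch above can be spotted mechanically in a sniffer capture. The following is an added example, not Fortinet code: it parses verbose-level-4 `diag sniffer packet` lines in the format shown above and reports outbound packets whose source address is not the address expected on the egress interface, plus outbound ICMP echo requests that never received a reply. The capture text is the article's two captures concatenated; the address assigned to wan2 in `WAN_ADDRESSES` is a constructed placeholder, since the article does not state it.

```python
"""Check FortiGate 'diag sniffer packet' output for a VIP source-address mismatch after SD-WAN failover.

Added example, not Fortinet code. It parses the verbose-level-4 sniffer lines
shown in the article and reports (a) outbound packets whose source address is
not the address expected on the egress interface and (b) outbound ICMP echo
requests that never received a reply on the same interface.
"""
import re

# Constructed sample: the article's before- and after-failover captures, concatenated.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 93.184.216.34]
52.774144 port3 in 10.10.10.100 -> 93.184.216.34: icmp: echo request
52.774221 wan1 out 10.47.18.100 -> 93.184.216.34: icmp: echo request
52.964093 wan1 in 93.184.216.34 -> 10.47.18.100: icmp: echo reply
4.361605 port3 in 10.10.10.100 -> 93.184.216.34: icmp: echo request
4.361695 wan2 out 10.47.18.100 -> 93.184.216.34: icmp: echo request
"""

# Assumed address plan. wan1's address (the VIP extip) is from the article;
# wan2's address is a constructed placeholder, not a value from the article.
WAN_ADDRESSES = {"wan1": "10.47.18.100", "wan2": "10.47.19.1"}

# Matches "<ts> <if> <in|out> <src>[.<port>] -> <dst>[.<port>]: <info>"; TCP/UDP lines
# carry ".port" suffixes, ICMP lines do not, so the port groups are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<info>.*)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; header lines (interfaces=, filters=) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def find_wrong_source(packets, wan_addresses):
    """Outbound packets on a WAN interface whose source is not that interface's own address.

    After failover the article's capture shows wan1's VIP address leaving via wan2; that is
    the signature this check looks for. Returns (timestamp, interface, actual, expected).
    """
    findings = []
    for p in packets:
        expected = wan_addresses.get(p["ifname"])
        if p["direction"] == "out" and expected and p["src"] != expected:
            findings.append((p["ts"], p["ifname"], p["src"], expected))
    return findings


def unanswered_echo_requests(packets):
    """Outbound ICMP echo requests with no matching inbound echo reply on the same interface."""
    requests = []
    replies = set()
    for p in packets:
        if p["direction"] == "out" and p["info"] == "icmp: echo request":
            requests.append((p["ifname"], p["src"], p["dst"]))
        elif p["direction"] == "in" and p["info"] == "icmp: echo reply":
            # Store the reply keyed from the requester's point of view (our address, their address).
            replies.add((p["ifname"], p["dst"], p["src"]))
    return [key for key in requests if key not in replies]


if __name__ == "__main__":
    pkts = parse_sniffer(SNIFFER_OUTPUT)
    for ts, ifname, src, expected in find_wrong_source(pkts, WAN_ADDRESSES):
        print(f"{ts}: {ifname} sent a packet sourced from {src}, expected {expected}")
    for ifname, src, dst in unanswered_echo_requests(pkts):
        print(f"no echo reply on {ifname} for {src} -> {dst}")
```

Run against the sample, the script flags the single wan2 packet sourced from 10.47.18.100 and reports that its echo request got no reply, while the pre-failover wan1 exchange passes both checks.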
Workaround:
Configure VIP with a specified external interface.
# config firewall vip
    edit "VIP"
        set extip 10.47.18.100
        set mappedip "10.10.10.100"
        set extintf "WAN1"
    next
end
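To find every VIP on a device that still has the problematic setting, the configuration text can be audited directly. The following is an added example, not Fortinet code: it parses the `config firewall vip` CLI form used in this article, flags one-to-one VIPs whose external interface is 'any', and renders the workaround stanza with the interface pinned. The sample configuration is constructed, the lowercase interface name `wan1` follows the sniffer output above rather than the workaround's spelling, and the assumptions that an unset `extintf` defaults to 'any' and that port-forwarding VIPs are not applied to the server's outbound connections are the example's, not statements from the article.

```python
"""Audit FortiOS 'config firewall vip' text for VIPs bound to the 'any' external interface.

Added example, not Fortinet code. It parses the CLI form used in the article
(config / edit / set / next / end), flags static-NAT VIPs whose extintf is
"any", and emits the corrected stanza with the external interface pinned to
the WAN interface that owns the extip. The sample configuration is constructed.
"""
import shlex

SAMPLE_CONFIG = """\
config firewall vip
    edit "VIP"
        set extip 10.47.18.100
        set mappedip "10.10.10.100"
        set extintf "any"
    next
    edit "VIP-PINNED"
        set extip 10.47.18.101
        set mappedip "10.10.10.101"
        set extintf "wan1"
    next
    edit "VIP-PORTFWD"
        set extip 10.47.18.102
        set mappedip "10.10.10.102"
        set extintf "any"
        set portforward enable
        set extport 443
        set mappedport 8443
    next
end
"""


def parse_vips(config_text):
    """Return {vip_name: {setting: value}} for every edit block inside 'config firewall vip'."""
    vips, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)  # strips the quotes FortiOS puts around values
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "vip"]:
            in_section = True
        elif not in_section:
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            vips[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            vips[current][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_section = False
    return vips


def find_risky_vips(vips):
    """Names of one-to-one VIPs that will SNAT the server's outbound traffic on every interface.

    Assumptions (the example's, not the article's): extintf defaults to "any" when unset, and a
    port-forwarding VIP is not applied to the server's outbound connections.
    """
    risky = []
    for name, s in vips.items():
        if s.get("extintf", "any").lower() == "any" and s.get("portforward", "disable") != "enable":
            risky.append(name)
    return risky


def pinned_stanza(name, settings, interface):
    """Render the article's workaround: the same VIP with extintf set to a specific interface."""
    fixed = dict(settings, extintf=interface)
    ordered = ["extip", "mappedip", "extintf"] + [k for k in fixed if k not in ("extip", "mappedip", "extintf")]
    lines = [f'    edit "{name}"']
    lines += [f'        set {key} "{fixed[key]}"' for key in ordered if key in fixed]
    lines.append("    next")
    return "\n".join(lines)


def audit(config_text, wan_interface="wan1"):
    """Map each risky VIP name to its corrected stanza."""
    vips = parse_vips(config_text)
    return {name: pinned_stanza(name, vips[name], wan_interface) for name in find_risky_vips(vips)}


if __name__ == "__main__":
    for name, stanza in audit(SAMPLE_CONFIG).items():
        print(f"VIP '{name}' uses extintf any; suggested replacement:\n{stanza}\n")
```

Feed it the output of `show firewall vip` from the device; only "VIP" is reported for the sample, because "VIP-PINNED" already names an interface and "VIP-PORTFWD" is excluded under the port-forwarding assumption.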
Copyright 2023 Fortinet, Inc. All Rights Reserved.