FortiGate
wdeloraine_FTNT
Article Id 395694
Description This article describes the behavior when dynamic routing is used along with IPSEC load-balance on chassis-based FortiGate.
Scope FortiGate-6000 and 7000 series.
Solution

Prerequisites:

  • Dynamic routing traffic, such as OSPF, BGP, or RIP, is not load-balanced on chassis-based FortiGate.
  • This traffic is always handled by the master FPC (6000 series) or the master FPM (7000 series).

Consider the following scenario:

  • VPN1 and VPN2 are terminated on a non-master blade.
  • In this example, the VPNs are hosted on FPC4, and the master FPC is FPC1.
  • BGP peering is established over the IPsec tunnels.

dyn-routing-ipsec.png

The worker bound to each VPN can be displayed with the following command:

FG-6KF (root) # diagnose vpn ike gateway list | grep "name\|LB"
name: to-vm1-lo
IPSec LB: IKE-master esp-worker: FPC04
name: to-vm2-lo
IPSec LB: IKE-master esp-worker: FPC04

The status of the BGP peering can be displayed as well; the neighbors are listed only under slot 1, the master FPC:

FG-6KF (root) # get router info bgp summary
Slot: 1  Module SN: FPC6KFT021900120
VRF 0 BGP router identifier 192.168.2.1, local AS number 65001
Neighbor    V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.2 4      65002     236     240        2    0    0 03:25:19        4
192.168.2.2 4      65003     235     238        3    0    0 03:25:24        4
Slot: 3  Module SN: FPC6KFT021900113
Slot: 4  Module SN: FPC6KFT021900073
Slot: 5  Module SN: FPC6KFT021900075

The VPNs are established on FPC4, but the BGP peering is running on FPC1. The following debug flow output shows how a BGP packet (TCP port 179) arriving over the tunnel is handled by FPC4:

[FPC04]  id=20085 trace_id=7 func=print_pkt_detail line=6233 msg="vd-root:0 src_slot:4 received a packet(proto=6, 192.168.1.2:6092->192.168.1.1:179) from to-vm1-lo. flag [.], seq 3526966677, ack 395374808, win 11"
[FPC04]  id=20085 trace_id=7 func=resolve_ip_tuple_fast line=6337 msg="Find an existing session, id-0005d449, original direction"
[FPC04]  id=20085 trace_id=7 func=lb_fpm_localin4 line=1586 msg="forward packet to master-worker slot-1"

FPC4 forwards the BGP traffic to FPC1, where it is processed. Data traffic over the VPN stays on FPC4; only the BGP traffic is sent to FPC1. The following sniffer output for a ping through the tunnel shows the data traffic being handled entirely by FPC4:

FG-6KF (root) # diagnose sniffer packet any 'host 1.2.3.4'  4 0 l
interfaces=[any]
filters=[host 1.2.3.4]
[FPC04] 2023-10-02 04:39:32.087978 port1 in 10.1.133.126 -> 1.2.3.4: icmp: echo request
[FPC04] 2023-10-02 04:39:32.088019 to-vm2-lo out 10.1.133.126 -> 1.2.3.4: icmp: echo request
[FPC04] 2023-10-02 04:39:32.088867 to-vm2-lo in 1.2.3.4 -> 10.1.133.126: icmp: echo reply
[FPC04] 2023-10-02 04:39:32.088881 port1 out 1.2.3.4 -> 10.1.133.126: icmp: echo reply
[FPC04] 2023-10-02 04:39:33.079342 port1 in 10.1.133.126 -> 1.2.3.4: icmp: echo request
[FPC04] 2023-10-02 04:39:33.079357 to-vm2-lo out 10.1.133.126 -> 1.2.3.4: icmp: echo request
[FPC04] 2023-10-02 04:39:33.079681 to-vm2-lo in 1.2.3.4 -> 10.1.133.126: icmp: echo reply
[FPC04] 2023-10-02 04:39:33.079692 port1 out 1.2.3.4 -> 10.1.133.126: icmp: echo reply
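When verifying this behaviour on a chassis, it helps to check the debug flow and sniffer output mechanically rather than by eye. The script below is an added example, not Fortinet's code: it parses lines in the formats shown above, classifies each traced packet as dynamic-routing (BGP TCP/179, OSPF protocol 89, RIP UDP/520) or data traffic, and reports whether routing packets received on a non-master slot were handed to the master slot while data packets stayed local. The sample input is constructed: trace 7 reproduces the BGP trace from this article, trace 8 is a made-up ICMP data-plane trace for contrast, and the sniffer lines are the first four from the article. The master slot number is passed in by the operator (here 1, as in the example above).

```python
import re

# Constructed sample input modelled on the "diagnose debug flow" lines shown in the article.
# Trace 7 reproduces the BGP trace from the article; trace 8 is a constructed ICMP data trace.
SAMPLE_DEBUG_FLOW = """\
[FPC04]  id=20085 trace_id=7 func=print_pkt_detail line=6233 msg="vd-root:0 src_slot:4 received a packet(proto=6, 192.168.1.2:6092->192.168.1.1:179) from to-vm1-lo. flag [.], seq 3526966677, ack 395374808, win 11"
[FPC04]  id=20085 trace_id=7 func=resolve_ip_tuple_fast line=6337 msg="Find an existing session, id-0005d449, original direction"
[FPC04]  id=20085 trace_id=7 func=lb_fpm_localin4 line=1586 msg="forward packet to master-worker slot-1"
[FPC04]  id=20085 trace_id=8 func=print_pkt_detail line=6233 msg="vd-root:0 src_slot:4 received a packet(proto=1, 10.1.133.126:1->1.2.3.4:2048) from port1. "
[FPC04]  id=20085 trace_id=8 func=resolve_ip_tuple_fast line=6337 msg="Find an existing session, id-0005d44a, original direction"
"""

# Constructed sample sniffer output: the first four lines of the article's capture.
SAMPLE_SNIFFER = """\
[FPC04] 2023-10-02 04:39:32.087978 port1 in 10.1.133.126 -> 1.2.3.4: icmp: echo request
[FPC04] 2023-10-02 04:39:32.088019 to-vm2-lo out 10.1.133.126 -> 1.2.3.4: icmp: echo request
[FPC04] 2023-10-02 04:39:32.088867 to-vm2-lo in 1.2.3.4 -> 10.1.133.126: icmp: echo reply
[FPC04] 2023-10-02 04:39:32.088881 port1 out 1.2.3.4 -> 10.1.133.126: icmp: echo reply
"""

LINE_RE = re.compile(
    r'^\[(?P<card>FP[CM]\d+)\]\s+id=\d+\s+trace_id=(?P<trace>\d+)\s+'
    r'func=(?P<func>\w+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$'
)
PKT_RE = re.compile(
    r'src_slot:(?P<src_slot>\d+) received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+?)\.'
)
FWD_RE = re.compile(r'forward packet to master-worker slot-(?P<slot>\d+)')
SNIFFER_RE = re.compile(
    r'^\[(?P<card>FP[CM]\d+)\] \S+ \S+ (?P<intf>\S+) (?P<dir>in|out) '
    r'(?P<src>[\d.]+) -> (?P<dst>[\d.]+): '
)


def is_dynamic_routing(proto: int, sport: int, dport: int) -> bool:
    """The protocols the article says are never load-balanced:
    BGP (TCP/179), OSPF (IP protocol 89) and RIP (UDP/520)."""
    if proto == 6 and 179 in (sport, dport):
        return True
    if proto == 89:
        return True
    if proto == 17 and 520 in (sport, dport):
        return True
    return False


def parse_traces(text: str) -> dict:
    """Group debug flow lines by trace_id and extract the packet tuple, the slot that
    received the packet and, when present, the master slot it was handed to."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a debug flow line
        t = traces.setdefault(int(m["trace"]), {"card": m["card"], "forwarded_to": None})
        pkt = PKT_RE.search(m["msg"])
        if pkt:
            t.update(src_slot=int(pkt["src_slot"]), proto=int(pkt["proto"]),
                     src=pkt["src"], sport=int(pkt["sport"]),
                     dst=pkt["dst"], dport=int(pkt["dport"]), intf=pkt["intf"])
        fwd = FWD_RE.search(m["msg"])
        if fwd:
            t["forwarded_to"] = int(fwd["slot"])
    return traces


def check_placement(traces: dict, master_slot: int) -> dict:
    """Per trace: dynamic-routing packets must end up on the master slot (received there,
    or forwarded to it); data packets must stay on the slot that received them."""
    report = {}
    for tid, t in traces.items():
        if "proto" not in t:
            report[tid] = ("unknown", "no packet detail line")
            continue
        routing = is_dynamic_routing(t["proto"], t["sport"], t["dport"])
        if routing:
            ok = t["src_slot"] == master_slot or t["forwarded_to"] == master_slot
        else:
            ok = t["forwarded_to"] is None
        report[tid] = ("dynamic-routing" if routing else "data", "ok" if ok else "unexpected")
    return report


def data_path_cards(sniffer_text: str) -> dict:
    """Count sniffer lines per card, to see which blade(s) carried the data traffic."""
    counts = {}
    for line in sniffer_text.splitlines():
        m = SNIFFER_RE.match(line)
        if m:
            counts[m["card"]] = counts.get(m["card"], 0) + 1
    return counts


if __name__ == "__main__":
    traces = parse_traces(SAMPLE_DEBUG_FLOW)
    for tid, (kind, status) in check_placement(traces, master_slot=1).items():
        t = traces[tid]
        print(f"trace {tid}: {t['card']} proto={t['proto']} {t['src']}:{t['sport']}->"
              f"{t['dst']}:{t['dport']} via {t['intf']} -> {kind}: {status} "
              f"(forwarded_to={t['forwarded_to']})")
    print("data traffic seen on:", data_path_cards(SAMPLE_SNIFFER))
```

Run against a real `diagnose debug flow` capture, a "dynamic-routing" trace reported as "unexpected" means a routing protocol packet was received on a non-master slot and was not handed to the master, which is the first thing to look at when a BGP or OSPF adjacency over a load-balanced tunnel will not come up.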