FortiGate
mtse
Staff
Article Id 198439
Description
In the scenario below, the client on the left (private IP 192.168.10.10) needs to reach the host on the right (IP 192.168.20.20) through an IPsec tunnel terminated on FortiGate-A (FGT-A).
Only traffic to 192.168.20.20 is routed into the IPsec tunnel; all other Internet traffic leaves through the local wan1 interface. Source NAT (SNAT) is performed by FortiGate-A in both cases, so the translated source address of a session depends on which interface the session egresses.

The global option 'snat-route-change' controls what happens to existing SNAT sessions after a routing change.
By default it is disabled: after a routing change, sessions with SNAT keep using the same outbound interface (and the same translated source address) as long as the old route is still active.
# config system global
    set snat-route-change disable
end
So when the FortiGate is first powered up, or when the WAN port is restored after a failure, FGT-A can wrongly pick its wan1 address (192.168.0.100) instead of the IPsec tunnel address (192.168.50.50) as the translated source for the SNAT session, because the default route is the only route to the destination until the IPsec tunnel comes up.
Even after the IPsec tunnel is established, connectivity to the host 192.168.20.20 stays broken: the existing session keeps its old outbound interface (wan1) and its old translated source address, so its traffic never enters the tunnel. With the option disabled, the only ways out are to wait for the session to expire or to clear it by hand (for example 'diagnose sys session filter dst 192.168.20.20' followed by 'diagnose sys session clear').

Before the IPsec tunnel is up, FGT-A reaches the host 192.168.20.20 via the default route on wan1, and the session is built with the wan1 address as its SNAT source:
FGT-A(root) # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 192.168.0.1, wan1

FG81EPTK19-----7 (root) # diagnose sys session list

session info: proto=17 proto_state=00 duration=24 expire=155 timeout=0 flags=00000000 sockflag=00000000 sockport=5060 av_idx=6 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/255
state=redir log local may_dirty npu nlb ha_replicate f00 inherit_sockport
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=36->5/5->36 gwy=192.168.0.1/0.0.0.0
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.0.100:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060->192.168.0.100:65476(192.168.10.10:5060)    (Before IPsec is up, WAN IP 192.168.0.100 is used)
hook=post dir=reply act=noop 192.168.20.20:5060->192.168.10.10:5060(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000168b tos=6e/6e app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:  redir-to-av
total session 1

Solution
When 'snat-route-change' is enabled, a routing change flushes the routing information from existing SNAT sessions, so those sessions are re-evaluated against the routing table and follow the new best route, which in this case is the IPsec interface.
# config system global
    set snat-route-change enable
end
Now, once the IPsec tunnel is up, there is a more specific route to 192.168.20.20 via the IPsec interface, and FGT-A automatically corrects its existing SNAT session to use the new route and the tunnel address:
FG81EPTK19-----7 (root) # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 192.168.0.1, wan1
S       192.168.0.0/16 [15/0] via 200.10.10.100, p1-tunnel

FG81EPTK19-----7 (root) # diagnose sys session list

session info: proto=17 proto_state=01 duration=4 expire=175 timeout=0 flags=00000000 sockflag=00000000 sockport=5060 av_idx=6 use=7
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=p1-kltac/ helper=20 vlan_cos=0/255
state=redir local may_dirty npu npd nlb ha_replicate inherit_sockport
statistic(bytes/packets/allow_err): org=1924/3/1 reply=1796/3/1 tuples=3
tx speed(Bps/kbps): 434/3 rx speed(Bps/kbps): 405/3
orgin->sink: org pre->post, reply pre->post dev=36->37/37->36 gwy=210.19.8.106/192.168.10.10
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.50.50:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060->192.168.50.50:65476(192.168.10.10:5060) (Now the SNAT session can automatically update to use the IPSEC IP for SNAT)
hook=post dir=reply act=noop 192.168.20.20:5060->192.168.10.10:5060(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=0000191f tos=6e/6e app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x3100000
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:  redir-to-av offload-denied helper
total session 1
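The two session dumps above show the symptom by hand: the translated address in the session's 'act=snat' line does not match the interface that the current best route would pick. The following Python script, added here as an example and not code from the article or from Fortinet, automates that comparison over a pasted 'diagnose sys session list' dump: it parses each session's 'act=snat' translation, does a longest-prefix match of the destination against a routing table, and flags every session whose translated source is not the address of the interface the route now selects. The routing entries and the interface-to-address map (wan1 = 192.168.0.100, p1-tunnel = 192.168.50.50) are taken from the article's outputs but are an assumption of this example; the session dumps embedded in the script are constructed, trimmed to the lines the check reads.

```python
"""Flag SNAT sessions whose translated source no longer matches the current
best route for their destination: the stale sessions that
'set snat-route-change disable' leaves behind after a routing change."""
import ipaddress
import re

# Constructed sample dumps: the two sessions from the article, trimmed to the
# lines this check reads, in the format 'diagnose sys session list' prints.
BEFORE_TUNNEL = """\
session info: proto=17 proto_state=00 duration=24 expire=155 timeout=0
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.0.100:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060->192.168.0.100:65476(192.168.10.10:5060)
serial=0000168b tos=6e/6e app_list=0 app=0 url_cat=0
total session 1
"""

AFTER_TUNNEL = """\
session info: proto=17 proto_state=01 duration=4 expire=175 timeout=0
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.50.50:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060->192.168.50.50:65476(192.168.10.10:5060)
serial=0000191f tos=6e/6e app_list=0 app=0 url_cat=0
total session 1
"""

# Routing table with and without the tunnel route (from the article's
# 'get router info routing-table all' output) and the SNAT address each
# egress interface uses. The interface-to-address mapping is an assumption
# of this example, taken from the addresses the article names.
ROUTES_TUNNEL_DOWN = [("0.0.0.0/0", "wan1")]
ROUTES_TUNNEL_UP = [("0.0.0.0/0", "wan1"), ("192.168.0.0/16", "p1-tunnel")]
SNAT_IP_BY_INTERFACE = {"wan1": "192.168.0.100", "p1-tunnel": "192.168.50.50"}

SNAT_RE = re.compile(
    r"act=snat (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\((?P<nat>[\d.]+):\d+\)"
)
SERIAL_RE = re.compile(r"^serial=(?P<serial>[0-9a-f]+)", re.M)


def parse_snat_sessions(dump):
    """Return [(serial, src, dst, nat_ip)] for every session that performs SNAT."""
    sessions = []
    # Each session block starts with 'session info:'; the chunk before the
    # first marker is empty and is skipped.
    for block in dump.split("session info:")[1:]:
        snat = SNAT_RE.search(block)
        serial = SERIAL_RE.search(block)
        if snat and serial:
            sessions.append((serial["serial"], snat["src"], snat["dst"], snat["nat"]))
    return sessions


def best_interface(dst, routes):
    """Longest-prefix match of dst against [(prefix, interface)]; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def stale_snat_sessions(dump, routes, snat_ip_by_interface):
    """Sessions whose SNAT address is not the one the current best route implies.

    Returns [(serial, dst, nat_ip, expected_ip, interface)]."""
    stale = []
    for serial, _src, dst, nat_ip in parse_snat_sessions(dump):
        iface = best_interface(dst, routes)
        expected = snat_ip_by_interface.get(iface)
        if expected is not None and nat_ip != expected:
            stale.append((serial, dst, nat_ip, expected, iface))
    return stale


if __name__ == "__main__":
    # Check both dumps against the routing table as it looks once the tunnel is up.
    for name, dump in (("before", BEFORE_TUNNEL), ("after", AFTER_TUNNEL)):
        hits = stale_snat_sessions(dump, ROUTES_TUNNEL_UP, SNAT_IP_BY_INTERFACE)
        for serial, dst, nat_ip, expected, iface in hits:
            print(f"{name}: session {serial} to {dst} SNATs as {nat_ip}, "
                  f"but the best route is now {iface} ({expected})")
        if not hits:
            print(f"{name}: no stale SNAT sessions")
```

Run it against a dump saved from the CLI together with the routing table as it stands after the change. With snat-route-change disabled, every session it reports is one that will stay broken until it expires or is cleared; with the option enabled, the report should be empty once the routing table has settled, as the second dump shows.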

Related Articles

Troubleshooting Tip: Routing Changes and SNAT (snat-route-change)
