Description
This article describes the case where a client (private IP 192.168.10.10) behind FortiGate-A needs to reach a host (IP 192.168.20.20) through an IPsec tunnel terminated on the FortiGate.
Only traffic to 192.168.20.20 is routed into the IPsec tunnel; all other Internet traffic leaves through the local WAN1 interface. FortiGate-A performs SNAT.
Scope
FortiGate.
Solution
By default an existing session keeps the routing decision it was created with. A SNAT session to 192.168.20.20 that was created while the tunnel was down was routed out WAN1 by the default route, and it keeps using WAN1 even after a more specific route through the tunnel appears. When 'snat-route-change' is enabled, routing information is flushed from existing SNAT sessions after a routing change, so those sessions are re-evaluated and use the new best route, which in this case is the IPsec interface. To enable 'snat-route-change', run the following commands in the CLI:
config system global
set snat-route-change enable
end
After the IPsec tunnel comes up there is a more specific route to 192.168.20.20 via the IPsec interface (192.168.0.0/16 via p1-tunnel below, compared with the 0.0.0.0/0 default via wan1), and FortiGate-A automatically corrects its existing SNAT session to use the new route:
FG81EPTK19-----7 (root) # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via 192.168.0.1, wan1
S 192.168.0.0/16 [15/0] via 200.10.10.100, p1-tunnel
FG81EPTK19-----7 (root) # diagnose sys session lis
session info: proto=17 proto_state=01 duration=4 expire=175 timeout=0 flags=00000000 sockflag=00000000 sockport=5060 av_idx=6 use=7
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=p1-kltac/ helper=20 vlan_cos=0/255
state=redir local may_dirty npu npd nlb ha_replicate inherit_sockport
statistic(bytes/packets/allow_err): org=1924/3/1 reply=1796/3/1 tuples=3
tx speed(Bps/kbps): 434/3 rx speed(Bps/kbps): 405/3
orgin->sink: org pre->post, reply pre->post dev=36->37/37->36 gwy=210.19.8.106/192.168.10.10
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.50.50:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060->192.168.50.50:65476(192.168.10.10:5060) <----- The existing session now uses the IPsec interface IP (192.168.50.50) as its SNAT address after the routing change.
hook=post dir=reply act=noop 192.168.20.20:5060->192.168.10.10:5060(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=0000191f tos=6e/6e app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x3100000
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: redir-to-av offload-denied helper
total session 1
Alternative solution:
To avoid a global change on the FortiGate, an alternative is to add a static blackhole route (historically referred to as null0) for the remote subnet with a high administrative distance. While the tunnel is up, the route via the IPsec interface has the lower distance and is preferred. When the tunnel is down, its route is withdrawn and the blackhole route takes over, so traffic to the remote subnet is dropped instead of following the default route out WAN1. No SNAT session via WAN1 is ever created for that destination, so there is nothing stale to correct when the tunnel comes up. Note that administrative distance only decides between routes to the same prefix: the blackhole route must use the same prefix as (or a less specific prefix than) the tunnel route, otherwise a more specific blackhole route wins by longest-prefix match and drops the traffic even when the tunnel is up. In the routing table above the tunnel route is 192.168.0.0/16, so either the blackhole below must also be 192.168.0.0/16 or the tunnel route must be narrowed to 192.168.20.0/24. For an example covering the above scenario in the CLI, see the following:
config router static
edit 10 <----- Any unused static route sequence number.
set dst 192.168.20.0 255.255.255.0
set distance 254
set comment "Blackhole"
set blackhole enable
set vrf 0
next
end
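The following is an added example that is not part of the original article. It shows the complete route and policy set for the alternative solution, with the tunnel route and the blackhole route on the same prefix so that administrative distance, not prefix length, decides between them, followed by the commands used to verify the result. The tunnel interface name p1-tunnel, the remote host 192.168.20.20 and the SNAT address 192.168.50.50 come from the article; the LAN interface name 'internal', the route sequence numbers, the address object name and the assumption that p1-tunnel already exists with IP 192.168.50.50 are assumptions for this example.

```fortios
# Added example, not from the original article.
# Assumed: LAN interface "internal"; tunnel interface "p1-tunnel" already
# configured with IP 192.168.50.50.

config router static
    edit 11
        set dst 192.168.20.0 255.255.255.0
        set device "p1-tunnel"
        set distance 10
        # Lower distance than the blackhole: preferred while p1-tunnel is up,
        # withdrawn automatically when the tunnel goes down.
        set comment "Remote subnet via IPsec"
    next
    edit 10
        set dst 192.168.20.0 255.255.255.0
        set distance 254
        # Same prefix as the tunnel route, higher distance: active only when the
        # tunnel route is gone, so the traffic is dropped instead of leaking out
        # WAN1 via the default route and creating a WAN1 SNAT session.
        set comment "Blackhole"
        set blackhole enable
    next
end

config firewall address
    edit "remote-host-192.168.20.20"
        set subnet 192.168.20.20 255.255.255.255
    next
end

config firewall policy
    edit 2
        set name "LAN-to-remote-host"
        set srcintf "internal"
        set dstintf "p1-tunnel"
        set srcaddr "all"
        set dstaddr "remote-host-192.168.20.20"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # SNAT to the outgoing interface address, i.e. 192.168.50.50 on p1-tunnel.
    next
end

# Verification.
# Which route is active: the p1-tunnel route while the tunnel is up,
# the blackhole entry while it is down.
get router info routing-table all
# The session to the remote host must show act=snat to 192.168.50.50,
# not to the WAN1 address.
diagnose sys session filter dst 192.168.20.20
diagnose sys session list
diagnose sys session filter clear
# If the global option from the first solution is used instead, confirm it:
show full-configuration system global | grep snat-route-change
```

With this route pair no policy change is needed when the tunnel flaps: the policy always points at p1-tunnel, and while the tunnel is down the blackhole route drops the packets before a session is ever created.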
Related article:
Troubleshooting Tip: Routing Changes and SNAT (snat-route-change)
Copyright 2025 Fortinet, Inc. All Rights Reserved.