Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nishtha_Baria
Staff
Staff

Created on ‎09-24-2023 09:23 PM Edited on ‎09-16-2025 04:28 AM By Moderator

Article Id 275457

Troubleshooting Tip: ADVPN with SD-WAN troubleshooting

Description

This article describes that ADVPN (Auto Discovery VPN) with SD-WAN (Software-Defined Wide Area Networking) is a powerful solution and provides methods for FortiGate ADVPN with SD-WAN.
Scope

FortiGate.
Solution

Verify the step-by-step configuration:

 

  • Check Phase1 and phase2 configuration of ADVPN:

 

show vpn ipsec phase1-interface

show vpn ipsec phase2-interface

 

  • Verify SD-WAN Configuration:

 

show system sdwan-link-interface

show system sdwan-link-load-balance

 

  • Monitor ADVPN and SD-WAN status:

 

diagnose vpn ike gateway list

diagnose vpn ike gateway summary

diagnose vpn ike gateway info <gateway-name>

 

  • Analyze SD-WAN Traffic:

 

diagnose sys sdwan link list

diagnose sys sdwan link info <link-name>

diagnose sys sdwan link-monitor status

diagnose sys sdwan link-monitor <link-name>

 

  • Analyze SD-WAN members, health check status, and sessions:

 

diagnose sys sdwan member
diagnose sys sdwan service4 | diagnose sys sdwan service6 <-- IPv4, respectively IPv6 rules.
diagnose sys sdwan health-check
diagnose sys session filter ? <----- Define a filter of the session list to not output the potentially huge session list.
diagnose sys session list

 

Note: More details on filter options may be found here: Technical Tip: Using filters to clear sessions on a FortiGate in the CLI.

 

  • Review Logs and Debug Output:

 

diagnose debug reset

diagnose debug enable

diagnose debug application sdwan -1
diagnose debug application link-monitor -1 (for real-time link monitor debugging)

diagnose debug disable

 

  • Check that ADVPN peers are connected to the network:

Make sure that the SD-WAN and ADVPN configurations are consistent across all FortiGates.

Examine the firewall for any rules or regulations that could be preventing SD-WAN or ADVPN traffic.

 

If there is a routing problem, follow the steps below to determine where the issue lies:

 

To discover and fix the problem, the erroneous route selection for traffic in ADVPN with SD-WAN requires a methodical approach utilizing commands. It will efficiently identify and fix improper route selection by using the troubleshooting procedures described in this article and the available commands.

 

  • Inspect the traffic flow using packet capture:

 

diagnose sniffer packet <interface> <filter> 6 0 l

 

  • Examine Traffic Patterns:

Determine which traffic is being misrouted. Also, monitor traffic flow and routing behavior. Visualize the policy evaluation and route selection to see more details about route changes that might appear at random:

 

diagnose debug flow filter addr <Source IP | Destination IP>

diagnose debug enable
diagnose debug flow trace start N <----- Starts capturing N packets.

 

  • Verify the active routing table:

 

get router info routing-table all

 

  • Review the firewall policies and policy route policy:

 

show firewall policy <----- View the configured firewall policies.

show router policy   <----- View the configured policy routes.

diagnose firewall proute list <-----  View the policy routes generated by SD-WAN rules.

 

Related article:

Technical Tip: SD-WAN support for ADVPN
Labels:
6338
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.