FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nishtha_Baria
Article Id 275457
Description

This article describes how ADVPN (Auto Discovery VPN) combined with SD-WAN (Software-Defined Wide Area Networking) is a powerful solution, and provides methods for verifying and troubleshooting FortiGate ADVPN with SD-WAN.

Scope

FortiGate.

Solution

Verify the step-by-step configuration:

 

  • Check the phase1 and phase2 configuration of ADVPN:

show vpn ipsec phase1-interface   <----- Confirm auto-discovery-sender (hub) or auto-discovery-receiver (spoke) is enabled.

show vpn ipsec phase2-interface

 

  • Verify the SD-WAN configuration:

show system sdwan   <----- Members, zones, health checks and service rules (FortiOS 7.0 and later; show system virtual-wan-link on 6.4).

 

  • Monitor ADVPN and SD-WAN status:

 

diag vpn ike gateway list

diag vpn ike gateway summary

diag vpn ike gateway info <gateway-name>

 

  • Analyze SD-WAN Traffic:

 

diag sys sdwan intf-sla-log <interface>   <----- Per-member SLA history (FortiOS 7.0 and later).

diag sys sdwan sla-log <health-check-name> <member-id>   <----- Health-check probe history for one member.

 

  • Analyze SD-WAN members, health check status and sessions:

 

diag sys sdwan member
diag sys sdwan service
diag sys sdwan health-check
diag firewall proute list

 

  • Review Logs and Debug Output:

 

diag debug enable

diag debug application sdwan -1

diag debug disable

 

  • Check that ADVPN peers are connected to the network:

Make sure that the SD-WAN and ADVPN configurations are consistent across all FortiGates.

Examine the FortiGate for any firewall policies or policy routes that could be blocking or misdirecting SD-WAN or ADVPN traffic.

 

If there is a routing problem, follow the below steps to determine where the issue lies:

 

Finding and fixing incorrect route selection for traffic in ADVPN with SD-WAN requires a methodical approach using the commands below. Following these troubleshooting steps will efficiently identify and correct the improper route selection.

 

  • Inspect the traffic flow using packet capture:

 

diag sniffer packet <interface> <filter> 6 0 l

 

  • Examine Traffic Patterns:

Determine which traffic is being misrouted, and monitor the traffic flow and routing behavior. From the flow debug output, determine whether the incorrect route selection is continuous or occasional:

 

diag debug flow filter addr <Source IP | Destination IP>

diag debug flow show function-name enable

diag debug enable

diag debug flow trace start <count>   <----- Starts the trace; run diag debug disable when finished.

 

  • Verify the active routing table:

 

get router info routing-table all

 

  • Review the firewall policies and policy route policy:

 

show firewall policy <----- View the configured firewall policies.

show router policy   <----- View the configured policy route.
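As an added example (not from the original article), the following Python script correlates two of the outputs the steps above ask for, `diag sys sdwan health-check` and `get router info routing-table all`, and flags destinations whose active route points over an SD-WAN member whose health check is dead. The sample outputs are constructed and their line formats are assumed from FortiOS 7.x; adjust the regular expressions to your firmware's output.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `diag sys sdwan health-check`
# (format assumed from FortiOS 7.x, not captured from a real device).
HEALTH_CHECK_OUTPUT = """\
Health Check(hub_ping):
Seq(1 ADVPN_wan1): state(alive), packet-loss(0.000%) latency(12.310), jitter(0.420), mos(4.404), bandwidth-up(999999), bandwidth-dw(999999), sla_map=0x1
Seq(2 ADVPN_wan2): state(dead), packet-loss(100.000%) sla_map=0x0
"""

# Constructed sample in the shape of `get router info routing-table all`.
ROUTING_TABLE_OUTPUT = """\
S*      0.0.0.0/0 [1/0] via 203.0.113.1, wan1, [1/0]
C       10.1.1.0/24 is directly connected, port2
S       192.168.20.0/24 [10/0] via ADVPN_wan1 tunnel 10.10.10.1, [1/0]
S       192.168.30.0/24 [10/0] via ADVPN_wan2 tunnel 10.10.20.1, [1/0]
"""

# "Seq(<n> <member>): state(<alive|dead>)" as printed per member.
HC_RE = re.compile(r"Seq\(\d+ (?P<member>\S+)\): state\((?P<state>\w+)\)")
# Only routes that point into an IPsec tunnel interface ("via <intf> tunnel <gw>").
RT_RE = re.compile(r"^\S+\s+(?P<prefix>\S+/\d+) .*?via (?P<iface>\S+) tunnel")


def parse_member_states(text: str) -> Dict[str, str]:
    """Map SD-WAN member name -> health-check state (alive/dead)."""
    return {m["member"]: m["state"] for m in HC_RE.finditer(text)}


def parse_tunnel_routes(text: str) -> Dict[str, str]:
    """Map destination prefix -> IPsec interface used by the active route."""
    routes: Dict[str, str] = {}
    for line in text.splitlines():
        m = RT_RE.match(line)
        if m:
            routes[m["prefix"]] = m["iface"]
    return routes


def find_misrouted(health_text: str, route_text: str) -> List[str]:
    """Prefixes whose active route uses a member the health check marks dead."""
    states = parse_member_states(health_text)
    return sorted(
        prefix for prefix, iface in parse_tunnel_routes(route_text).items()
        if states.get(iface) == "dead"
    )


if __name__ == "__main__":
    for prefix in find_misrouted(HEALTH_CHECK_OUTPUT, ROUTING_TABLE_OUTPUT):
        print(f"{prefix}: active route uses a dead SD-WAN member; check sdwan service rules and policy routes")
```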

 

Related article:

Technical Tip: SD-WAN support for ADVPN