FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
adimailig
Staff & Editor
Article Id 299385
Description This article describes the effects of route priority on PING operations from the FortiGate CLI.
Scope FortiGate.
Solution

Network:
FortiGate has two WAN interfaces - Port1 and Port2.


IP=10.47.1.80->10.47.1.80/255.255.240.0 index=3 devname=port1
IP=10.47.17.80->10.47.17.80/255.255.240.0 index=4 devname=port2


  1. Static Route or SD-WAN members have the same priority.

    In this example, the priority of the route is 1 in both cases.


S* 0.0.0.0/0 [1/0] via 10.47.15.254, port1, [1/0]
                     [1/0] via 10.47.31.254, port2, [1/0]


Behavior:

A ping from the FortiGate CLI sourced from the IP address of either Port1 or Port2 works in both cases.


execute ping-options source 10.47.1.80
execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=4.0 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=3.7 ms


Packet sniffer output:

2024-02-14 08:18:26.314816 root out 10.47.1.80 -> 1.1.1.1: icmp: echo request
2024-02-14 08:18:26.314820 root in 10.47.1.80 -> 1.1.1.1: icmp: echo request
2024-02-14 08:18:26.314835 root out 1.1.1.1 -> 10.47.1.80: icmp: echo reply
2024-02-14 08:18:26.314836 root in 1.1.1.1 -> 10.47.1.80: icmp: echo reply


execute ping-options source 10.47.17.80

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=3.8 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=5.0 ms


Packet sniffer output:

2024-02-14 08:19:46.946265 root out 10.47.17.80 -> 1.1.1.1: icmp: echo request
2024-02-14 08:19:46.946268 root in 10.47.17.80 -> 1.1.1.1: icmp: echo request
2024-02-14 08:19:46.946283 root out 1.1.1.1 -> 10.47.17.80: icmp: echo reply
2024-02-14 08:19:46.946284 root in 1.1.1.1 -> 10.47.17.80: icmp: echo reply


  2. Static Route or SD-WAN members have different priorities.

In this example, Port1 has a lower priority value (1) than Port2 (10); the route with the lower priority value is preferred.
See Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Bas....


S* 0.0.0.0/0 [1/0] via 10.47.15.254, port1, [1/0]
                    [1/0] via 10.47.31.254, port2, [10/0]


Behavior:
A ping with the source IP of Port1 works.


execute ping-options source 10.47.1.80

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=6.3 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=3.7 ms


Packet sniffer output:

2024-02-14 08:21:19.478462 root out 10.47.1.80 -> 1.1.1.1: icmp: echo request
2024-02-14 08:21:19.478465 root in 10.47.1.80 -> 1.1.1.1: icmp: echo request
2024-02-14 08:21:19.478477 root out 1.1.1.1 -> 10.47.1.80: icmp: echo reply
2024-02-14 08:21:19.478479 root in 1.1.1.1 -> 10.47.1.80: icmp: echo reply


A ping with the source IP of Port2 fails because the traffic egresses on Port1 (the preferred route) instead of Port2: the sniffer shows the echo requests leaving port1 while carrying Port2's address as source, so no reply comes back.


execute ping-options source 10.47.17.80

execute ping 1.1.1.1
^CPING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

Packet sniffer output:

2024-02-14 23:09:39.835953 port1 out 10.47.17.80 -> 1.1.1.1: icmp: echo request
2024-02-14 23:09:40.836107 port1 out 10.47.17.80 -> 1.1.1.1: icmp: echo request


To make sure the ICMP traffic egresses on Port2, specify the outgoing interface in ping-options in addition to the source address.


execute ping-options source 10.47.17.80

execute ping-options interface port2

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=5.6 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=2.3 ms
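The asymmetric case above (echo requests leaving port1 with Port2's address as source) is easier to spot in sniffer output than from a silent ping. The following is an added check, not part of this article or of FortiOS: it parses sniffer lines in the format shown above and flags outbound echo requests whose egress interface is not the interface that owns the source IP. The interface table and three of the sample lines come from the article; the port2 line is constructed to show the fixed state.

```python
import ipaddress
import re

# Interface addresses from the article's interface listing.
INTERFACES = {
    "port1": ipaddress.ip_interface("10.47.1.80/255.255.240.0"),
    "port2": ipaddress.ip_interface("10.47.17.80/255.255.240.0"),
}

# Sniffer line: "<date> <time> <intf> <in|out> <src> -> <dst>: <proto text>"
SNIFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): (?P<proto>.*)$"
)

def owning_interface(ip):
    """Return the interface configured with this address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, iface in INTERFACES.items():
        if iface.ip == addr:
            return name
    return None

def check_egress(lines):
    """Compare each outbound echo request's egress interface with the owner of its source IP."""
    results = []
    for line in lines:
        m = SNIFFER_RE.match(line.strip())
        if not m or m["dir"] != "out" or "echo request" not in m["proto"]:
            continue  # skip replies, inbound copies and unparseable lines
        egress, owner = m["intf"], owning_interface(m["src"])
        if egress not in INTERFACES:
            status = "unknown-egress"  # capture did not show a port name ('root' in the article)
        elif owner is None:
            status = "foreign-source"  # source is not a FortiGate address
        elif owner == egress:
            status = "ok"
        else:
            status = "asymmetric"  # the failure mode described in the article
        results.append((m["src"], egress, owner, status))
    return results

SAMPLE_LINES = [
    # From the article: Port2-sourced requests leaving port1 (route priority wins).
    "2024-02-14 23:09:39.835953 port1 out 10.47.17.80 -> 1.1.1.1: icmp: echo request",
    "2024-02-14 23:09:40.836107 port1 out 10.47.17.80 -> 1.1.1.1: icmp: echo request",
    # Constructed: the same ping after 'execute ping-options interface port2'.
    "2024-02-14 23:10:01.000000 port2 out 10.47.17.80 -> 1.1.1.1: icmp: echo request",
    # From the article: a capture that shows 'root' instead of a port name.
    "2024-02-14 08:18:26.314816 root out 10.47.1.80 -> 1.1.1.1: icmp: echo request",
]
```

Run `check_egress` over the output of `diagnose sniffer packet any "icmp" 4` after a failed ping; an "asymmetric" result confirms the route-priority behaviour rather than an upstream filter.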