Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fwilliams
Staff & Editor
Staff & Editor

Created on ‎12-17-2023 09:21 PM

Article Id 289733

Troubleshooting Tip: How to resolve 'Service disabled caused by no destination' SD-WAN rule issue

Description

This article explains how to resolve the issue with the SD-WAN rule that utilizes a 'dynamic destination ' but not functioning because of no destination error.  When this issue happens, the output of 'diagnose system sdwan service xxx', will return the rule disabled due to 'no destination'.
Scope FortiGate.
Solution

SD-WAN rules are technically a policy route, that expects certain parameters to be provided for it to function; among those parameters is the destination address (the network to have the policy route).

There are times or environments where using a static destination is either not efficient or it’s just not possible, this is where using a dynamic destination for the SD-WAN rule shines.

 

SD-WAN rule can use BGP learn routes to feed the destination portion of the rule, dynamically.

The example in this article showed the same set of routes/prefixes learned over two BGP paths (VPN-1 and VPN-2), SD-WAN is then configured (with dynamic destination provided by BGP) to choose which path to route traffic over based on performance SLA.

When the primary tunnel meets the SLA, SD-WAN routes traffic over VPN-1. However, when the primary tunnel failed SLA, SD-WAN failed to route traffic over VPN-2, and during troubleshooting, the SD-WAN rule showed that service-disabled is caused by no destination.

 

vpn_a1.JPG

 

The reason why BGP did not supply route/prefix to SD-WAN rule 200 (in this example) was that local preference was configured on the ROUTE-MAP attached to the BGP neighbor in the inward direction.

This made BGP set a local preference of 100 for routes received over VPN-1 and a local preference of 90 for routes received over VPN-2, and it eventually installed only the routes/prefixes over VPN_1 in the routing table. 

 

Note that the BGP peering is still up since VPN-1 is not down, it only failed SLA (a condition called brown out), and as such BGP still installed routes learned over VPN-1 as the best (due to higher local pref).

Therefore, there is no installed BGP route to pass to SD-WAN rule 200, since only routes with route-tag 90 can be passed to SD-WAN rule 200, and the ones installed in the routing table are of route-tag 100.

 

vpn_a2.JPG

 

vpn_a3.JPG

 

To fix this issue, configure either equal local preference in the route-map attached in the inward direction or just unset the route-map (default), so BGP routes will be installed over both links or paths, as shown below.

The secondary link will start working when or whenever the primary link fails SLA.

 

vpn_a4.JPG

 

vpn_a5.JPG
6774
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.