FortiGate
Renante_Era
Staff
Article Id 332771
Description This article describes how to troubleshoot a secondary WAN connection that fails to connect to the internet.
Scope FortiGate.
Solution

The following troubleshooting steps apply when a secondary WAN connection (e.g. wan2) with a static IP address has been added on the FortiGate but the internet connection through that interface does not work.

 

  1. Confirm whether the internet connection through that specific interface is working: set the ping-options source to the wan2 interface's public IP address and ping fortinet.com.

exec ping-options source <w.x.y.z> 

 


 

exec ping fortinet.com

 

A successful ping means that the internet is working through that interface.

 


 

  2. Check the default route through the FortiGate CLI. Routes in Network -> Static Routes may not show the default route for WAN interfaces that were configured via DHCP.

 

get router info routing-table all | grep 0.0.0.0

 

The output should show that the default route of the WAN interface with the DHCP IP address has a distance of 5 and a priority of 1, while the default route of the secondary WAN interface with a static IP address has a distance of 10 and a priority of 1.

 

Interface(s)               Distance   Priority
wan1 (DHCP IP Address)     5          1
wan2 (Static IP Address)   10         1

 

The solution is to modify the distance and priority of the wan2 interface or the wan1 interface. 

To make both default routes available on the routing table, they must have the same distance.

 

To make internet traffic use wan2 as the default route and maintain wan1 as failover, use the following configuration:

 

config system interface
    edit wan1
        set distance 10
        set priority 10
    next
end

 

  • Priority preference: The lowest value is preferred for the routing table.
  • Distance preference: The lowest value is preferred for the routing table.

In summary, the ISP connection that obtained the IP address via DHCP will have a distance of 5 and a priority of 1 by default, while the ISP connection with a statically assigned IP address will have a distance of 10 and a priority of 1 by default.
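The selection rule described above (lowest distance enters the routing table, lowest priority among those routes is preferred) can be checked against saved CLI output. The following Python script is an added example, not part of the original article or Fortinet tooling; the route-line layout it parses and the sample lines (documentation addresses) are assumptions constructed to match the table above.

```python
import re

# Assumed line layout: 0.0.0.0/0 [distance/metric] via <gateway>, <interface>, [priority/weight]
ROUTE_RE = re.compile(
    r"0\.0\.0\.0/0\s+\[(?P<distance>\d+)/\d+\]\s+via\s+(?P<gateway>[\d.]+),"
    r"\s*(?P<iface>[\w.-]+),\s*\[(?P<priority>\d+)/\d+\]"
)

# Constructed samples (documentation addresses), matching the article's table.
BEFORE = """\
S  0.0.0.0/0 [5/0] via 198.51.100.1, wan1, [1/0]
S  0.0.0.0/0 [10/0] via 203.0.113.1, wan2, [1/0]
"""
# Constructed: the same routes after "set distance 10" / "set priority 10" on wan1.
AFTER = """\
S  0.0.0.0/0 [10/0] via 198.51.100.1, wan1, [10/0]
S  0.0.0.0/0 [10/0] via 203.0.113.1, wan2, [1/0]
"""

def parse_default_routes(text):
    """Return one dict per default-route line; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            routes.append({"iface": m["iface"], "gateway": m["gateway"],
                           "distance": int(m["distance"]),
                           "priority": int(m["priority"])})
    return routes

def diagnose(routes):
    """Lowest distance enters the routing table; lowest priority among those is preferred."""
    if not routes:
        return {"installed": [], "excluded": [], "preferred": []}
    best_distance = min(r["distance"] for r in routes)
    installed = [r for r in routes if r["distance"] == best_distance]
    best_priority = min(r["priority"] for r in installed)
    return {
        "installed": [r["iface"] for r in installed],
        "excluded": [r["iface"] for r in routes if r["distance"] != best_distance],
        # More than one entry here means a tie on both distance and priority.
        "preferred": [r["iface"] for r in installed if r["priority"] == best_priority],
    }

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(parse_default_routes(sample)))
```

An interface listed under "excluded" has a default route with a higher distance than the best one, which is the condition this article corrects by matching the distances.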