Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sparchuri
Staff
Staff

Created on ‎08-10-2025 11:41 PM

Article Id 405811

Troubleshooting Tip: Member state actions under SD-WAN

Description This article describes a possible action the FortiGate takes when it declares an SD-WAN link member down
Scope FortiGate, SD-WAN.
Solution

The example on this slide shows the status of two SD-WAN members, HUB1-VPN1 and HUB1-VPN2. The two members are alive, and therefore, the static routes that match the member gateway are assigned an active status. The result is that the static routes are installed in the routing table.

 

      

sparchuri_0-1754882936392.png

 

diagnose sys sdwan health-check status
Health Check(HUB1_HC):
Seq(3 HUB1-VPN1): state(alive), packet-loss(0.000%), latency(0.336), jitter(0.058), mos(4.404), bandwidth-up(9999996), bandwidth-dw(9999999), bandwidth-bi(19999995), sla_map=0x1
Seq(4 HUB1-VPN2): state(alive), packet-loss(0.000%), latency(0.274), jitter(0.060), mos(4.404), bandwidth-up(9999996), bandwidth-dw(9999999), bandwidth-bi(19999995), sla_map=0x1


get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 10.9.15.254, port1, [1/0]
....

....
S 192.168.111.0/24 [1/0] via HUB1-VPN1 tunnel 10.10.30.2, [1/0]
                   [1/0] via HUB1-VPN2 tunnel 10.10.40.2, [10/0]

 

If a member is determined dead, the static routes that match the member gateway become inactive. The result is that the routes are not installed in the routing table.

 

sparchuri_1-1754883126260.png

 

diagnose sys sdwan health-check status
Health Check(HUB1_HC):
Seq(3 HUB1-VPN1): state(dead), packet-loss(46.000%), sla_map=0x0
Seq(4 HUB1-VPN2): state(alive), packet-loss(0.000%), latency(0.238), jitter(0.037), mos(4.404), bandwidth-up(9999996), bandwidth-dw(9999999), bandwidth-bi(19999995), sla_map=0x1

 

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 10.9.15.254, port1, [1/0]
....

....
S 192.168.111.0/24 [1/0] via HUB1-VPN2 tunnel 10.10.40.2, [10/0]
131
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.