This article describes how routing changes affect existing SNAT sessions on a FortiGate.
When troubleshooting, if after a routing change (for instance, setting up a VPN with its corresponding added routes) a session for a particular communication goes via the wrong interface and/or firewall policy, the cause is probably keepalive traffic: the sessions never expire and, by default, the FortiGate does not flush the routing information for those sessions.
Solution
1. Routing Changes without Source NAT (SNAT)
After a routing change, routing information is flushed from the affected sessions where source NAT (SNAT) is not applied:
- Routing lookups are done again for the next packets.
- Route cache entries are removed.
- The RPF check is done again for the first packet in the original direction.
- The session is flagged as dirty.
Example of a session just after a routing change: the gateways in both directions change to 0.0.0.0/0 and the interfaces to 0, indicating that this information must be learned again. In addition, the dirty flag is added.
2. Routing Changes and SNAT (snat-route-change)
In sessions where SNAT is applied, the behaviour depends on the following setting (disabled by default):
config system global
    set snat-route-change [disable|enable]
end
When this setting is enabled, the routing information is flushed from the session table, just like it is when SNAT is not applied to a session.
- Troubleshooting: to flush the routing information from the session table, delete and re-add the route, or change it.
When this setting is disabled (the default), established sessions with SNAT keep using the same outbound interface after a routing change, as long as the old route is still active or until the sessions expire (even though that route is no longer the best one).
- Troubleshooting: to update the routing information, those sessions must be cleared (see the related articles below).
Related articles:
Technical Tip: Using filters to clear sessions on a FortiGate unit
Troubleshooting Tip: FortiGate session table information
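The following is an added example, not part of the original article, showing both approaches on the FortiOS CLI: checking and enabling snat-route-change, and, where the setting stays disabled, clearing only the affected SNAT sessions with a session filter. It assumes a single-VDOM unit (or the global scope); the source and destination addresses are constructed.

```fortios
# Added example (constructed addresses). Section 2: check the current value,
# then enable snat-route-change so routing info is flushed after route changes.
show full-configuration system global | grep snat-route-change
config system global
    set snat-route-change enable
end

# If the setting must stay disabled, existing SNAT sessions keep the old
# outbound interface until cleared. Clear only the affected sessions:
# reset any previous filter, narrow it, verify the match, then clear.
diagnose sys session filter clear
diagnose sys session filter src 192.0.2.10
diagnose sys session filter dst 198.51.100.20
diagnose sys session list
# Confirm that only the intended sessions are listed: clearing drops the
# matched connections, which then re-establish via the new best route.
diagnose sys session clear
diagnose sys session filter clear

# Verify the rebuilt sessions and the active routing table.
diagnose sys session list
get router info routing-table all
```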