Troubleshooting Tip: SD-WAN SLA Probe Fails Due to...

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 411809

Description

This article describes a scenario where the SD-WAN SLA probe fails due to the route bypassing the tunnel and going through the HUB-VPN instead, and how to troubleshoot and resolve the issue.

Scope

FortiGate.

Solution

To troubleshoot the issue, follow these steps:

Verify the BGP configuration on the hub and spoke devices to ensure that the route is being advertised correctly.
Check the routing table on the spoke device to confirm that the route is being learned via the correct tunnel.
Use the command below to verify that the route is being advertised by the hub and is being received by the spoke

get router info bgp neighbors <neighbor_ip> advertised-routes | grep <route>

get router info bgp neighbors <neighbor_ip> received-routes | grep <route>

Use the command to verify that the route is being installed in the routing table as follows:

get router info routing-table all | grep <route>

If the route is not being installed, check the BGP configuration to ensure that the next-hop-self option is enabled. To enable next-hop-self, use the commands as below:

config router bgp

config neighbor

set next-hop-self enable

These steps help to identify and resolve issues where the SD-WAN SLA probe fails because the route bypasses the tunnel.

171

Contributors

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Troubleshooting Tip: SD-WAN SLA Probe Fails Due to Route Bypassing Tunnel

You are leaving our website