Atul_S
Staff & Editor
Article Id 411809
Description This article describes a scenario where the SD-WAN SLA probe fails because the route bypasses the SD-WAN tunnel and is installed via the HUB-VPN interface instead, and how to troubleshoot and resolve the issue.
Scope FortiGate.
Solution

To troubleshoot the issue, follow these steps:

  1. Verify the BGP configuration on the hub and spoke devices to ensure that the route is being advertised correctly.
  2. Check the routing table on the spoke device to confirm that the route is being learned via the correct tunnel.
  3. Use the commands below to verify that the route is being advertised by the hub and received by the spoke:


get router info bgp neighbors <neighbor_ip> advertised-routes | grep <route>

get router info bgp neighbors <neighbor_ip> received-routes | grep <route>


Use the following command to verify that the route is being installed in the routing table:


get router info routing-table all | grep <route>


If the route is not being installed, check the BGP configuration to ensure that the next-hop-self option is enabled for the neighbor. To enable next-hop-self, use the following commands (replace <neighbor_ip> with the BGP neighbor's address):

config router bgp
    config neighbor
        edit <neighbor_ip>
            set next-hop-self enable
        next
    end
end


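To make step 2 concrete, here is an added Python helper (not from this article or from Fortinet) that parses routing-table output in the style of get router info routing-table all and reports, for a given prefix, whether the spoke reaches it via one of the expected SD-WAN overlay tunnels, whether it is missing (the case where next-hop-self needs checking), or whether it bypasses the overlay. The prefixes, next hops and interface names (SPOKE1-OL1, SPOKE1-OL2, HUB-VPN, wan1) in the sample are constructed, and the output format is assumed to follow the two common FortiOS layouts shown in the sample.

```python
import re

# Constructed sample output in the style of `get router info routing-table all`
# (hypothetical prefixes, next hops and tunnel names, not taken from a real device).
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0

S*      0.0.0.0/0 [10/0] via 192.0.2.1, wan1, [1/0]
C       10.10.10.0/24 is directly connected, SPOKE1-OL1
B       10.1.10.0/24 [200/0] via 10.10.10.2, SPOKE1-OL1, 00:00:12
B       10.1.20.0/24 [200/0] via 10.10.20.2 (recursive is directly connected, SPOKE1-OL2), 00:10:22
B       10.1.30.0/24 [200/0] via 172.16.0.1, HUB-VPN, 00:03:20
"""

# One routing-table entry: protocol code, prefix, [AD/metric], next hop, then the egress
# interface either as ", IFACE," or inside "(recursive is directly connected, IFACE)".
ROUTE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<nexthop>\d+(?:\.\d+){3})"
    r"(?:,\s*(?P<iface>[^,]+?)\s*(?:,|$)|\s*\(recursive[^,]*,\s*(?P<rif>[^)]+)\))"
)


def parse_routes(output):
    """Map each prefix to its installed paths (ECMP routes give several entries)."""
    routes = {}
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:  # headers and connected routes are skipped
            continue
        iface = (m.group("iface") or m.group("rif")).strip()
        routes.setdefault(m.group("prefix"), []).append(
            {"proto": m.group("proto"), "nexthop": m.group("nexthop"), "iface": iface}
        )
    return routes


def check_sla_path(output, prefix, expected_tunnels):
    """Return 'ok', 'not-installed' or 'bypass:<ifaces>' for the path the spoke uses."""
    entries = parse_routes(output).get(prefix)
    if not entries:
        return "not-installed"  # route missing: verify next-hop-self on the BGP neighbor
    unexpected = {e["iface"] for e in entries} - set(expected_tunnels)
    if not unexpected:
        return "ok"
    return "bypass:" + ",".join(sorted(unexpected))


if __name__ == "__main__":
    for p in ("10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24", "10.1.40.0/24"):
        print(p, check_sla_path(SAMPLE_ROUTING_TABLE, p, ["SPOKE1-OL1", "SPOKE1-OL2"]))
```

Paste the real command output in place of the constructed sample and list the overlay interfaces that the SLA probe is configured on as expected_tunnels.
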
These steps help to identify and resolve issues where the SD-WAN SLA probe fails because the route bypasses the tunnel.
