FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes a scenario where the SD-WAN SLA probe fails due to the route bypassing the tunnel and going through the HUB-VPN instead, and how to troubleshoot and resolve the issue.
Scope
FortiGate.
Solution
To troubleshoot the issue, follow these steps:
Verify the BGP configuration on the hub and spoke devices to ensure that the route is being advertised correctly.
Check the routing table on the spoke device to confirm that the route is being learned via the correct tunnel.
Use the command below to verify that the route is being advertised by the hub and is being received by the spoke
get router info bgp neighbors <neighbor_ip> advertised-routes | grep <route>
get router info bgp neighbors <neighbor_ip> received-routes | grep <route>
Use the command to verify that the route is being installed in the routing table as follows:
get router info routing-table all | grep <route>
If the route is not being installed, check the BGP configuration to ensure that the next-hop-self option is enabled. To enable next-hop-self, use the commands as below:
config router bgp
config neighbor
set next-hop-self enable
These steps help to identify and resolve issues where the SD-WAN SLA probe fails because the route bypasses the tunnel.
