This article describes the behavior of SD-WAN health checks when an FQDN is used as the Health Check Server. FortiGate will use the last known IP address when there is no response to the DNS request.
FortiGate.
Working Scenario:
DNS request to aws.amazon.com is responsive. Health checks will be performed on different IP addresses.
FGT-SDW-1 # diag test app dnsproxy 7
worker idx: 0
vfid=0, name=aws.amazon.com, ttl=60:28:1768
3.167.152.123 (ttl=60) 3.167.152.101 (ttl=60) 3.167.152.8 (ttl=60) 3.167.152.24 (ttl=60)
......
diag sniffer packet any 'port 80' 4 0 l
2024-09-30 16:37:59.648041 port1 out 198.18.11.1.8743 -> 3.167.152.123.80: syn 3067972178
2024-09-30 16:37:59.648126 port2 out 198.18.12.1.7663 -> 3.167.152.123.80: syn 593412131
2024-09-30 16:37:59.668411 port2 in 3.167.152.123.80 -> 198.18.12.1.7663: syn 4255893897 ack 593412132
2024-09-30 16:37:59.668446 port2 out 198.18.12.1.7663 -> 3.167.152.123.80: ack 4255893898
2024-09-30 16:37:59.668472 port1 in 3.167.152.123.80 -> 198.18.11.1.8743: syn 2756940580 ack 3067972179
2024-09-30 16:37:59.668482 port1 out 198.18.11.1.8743 -> 3.167.152.123.80: ack 2756940581
......
2024-09-30 16:39:00.798868 port1 out 198.18.11.1.8743 -> 3.167.152.123.80: fin 3067983215 ack 2756975549
2024-09-30 16:39:00.799299 port2 out 198.18.12.1.7663 -> 3.167.152.123.80: fin 593423168 ack 4255928866
2024-09-30 16:39:00.818867 port1 in 3.167.152.123.80 -> 198.18.11.1.8743: fin 2756975549 ack 3067983216
2024-09-30 16:39:00.818887 port1 out 198.18.11.1.8743 -> 3.167.152.123.80: ack 2756975550
2024-09-30 16:39:00.819557 port2 in 3.167.152.123.80 -> 198.18.12.1.7663: fin 4255928866 ack 593423169
2024-09-30 16:39:00.819569 port2 out 198.18.12.1.7663 -> 3.167.152.123.80: ack 4255928867
2024-09-30 16:39:01.670275 port1 out 198.18.11.1.10173 -> 3.167.152.24.80: syn 425549820
2024-09-30 16:39:01.670359 port2 out 198.18.12.1.1101 -> 3.167.152.24.80: syn 3414364338
2024-09-30 16:39:01.690594 port2 in 3.167.152.24.80 -> 198.18.12.1.1101: syn 3296354204 ack 3414364339
2024-09-30 16:39:01.690632 port2 out 198.18.12.1.1101 -> 3.167.152.24.80: ack 3296354205
2024-09-30 16:39:01.690657 port1 in 3.167.152.24.80 -> 198.18.11.1.10173: syn 4027361611 ack 425549821
2024-09-30 16:39:01.690667 port1 out 198.18.11.1.10173 -> 3.167.152.24.80: ack 4027361612
......
2024-09-30 16:40:02.861252 port2 out 198.18.12.1.1101 -> 3.167.152.24.80: fin 3414375375 ack 3296389173
2024-09-30 16:40:02.861588 port1 out 198.18.11.1.10173 -> 3.167.152.24.80: fin 425560857 ack 4027396580
2024-09-30 16:40:02.881607 port2 in 3.167.152.24.80 -> 198.18.12.1.1101: fin 3296389173 ack 3414375376
2024-09-30 16:40:02.881630 port2 out 198.18.12.1.1101 -> 3.167.152.24.80: ack 3296389174
2024-09-30 16:40:02.881655 port1 in 3.167.152.24.80 -> 198.18.11.1.10173: fin 4027396580 ack 425560858
2024-09-30 16:40:02.881664 port1 out 198.18.11.1.10173 -> 3.167.152.24.80: ack 4027396581
2024-09-30 16:40:03.683659 port1 out 198.18.11.1.12253 -> 3.167.152.8.80: syn 235742470
2024-09-30 16:40:03.683765 port2 out 198.18.12.1.6703 -> 3.167.152.8.80: syn 141435095
2024-09-30 16:40:03.704095 port2 in 3.167.152.8.80 -> 198.18.12.1.6703: syn 3202595203 ack 141435096
2024-09-30 16:40:03.704151 port2 out 198.18.12.1.6703 -> 3.167.152.8.80: ack 3202595204
2024-09-30 16:40:03.704224 port2 out 198.18.12.1.6703 -> 3.167.152.8.80: psh 141435096 ack 3202595204
2024-09-30 16:40:03.704289 port1 in 3.167.152.8.80 -> 198.18.11.1.12253: syn 2265124089 ack 235742471
2024-09-30 16:40:03.704304 port1 out 198.18.11.1.12253 -> 3.167.152.8.80: ack 2265124090
......
2024-09-30 16:41:04.881058 port1 out 198.18.11.1.12253 -> 3.167.152.8.80: fin 235753507 ack 2265159058
2024-09-30 16:41:04.881406 port2 out 198.18.12.1.6703 -> 3.167.152.8.80: fin 141446132 ack 3202630172
2024-09-30 16:41:04.900919 port1 in 3.167.152.8.80 -> 198.18.11.1.12253: fin 2265159058 ack 235753508
2024-09-30 16:41:04.900941 port1 out 198.18.11.1.12253 -> 3.167.152.8.80: ack 2265159059
2024-09-30 16:41:04.901958 port2 in 3.167.152.8.80 -> 198.18.12.1.6703: fin 3202630172 ack 141446133
2024-09-30 16:41:04.901970 port2 out 198.18.12.1.6703 -> 3.167.152.8.80: ack 3202630173
Non-Working Scenario:
DNS request to aws.amazon.com is not responsive. The health check will be performed on the last known IP address.
FGT-SDW-1 # diag test app dnsproxy 7
worker idx: 0
FGT-SDW-1 # diag sniffer packet any 'port 80' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 80]
2024-10-08 16:29:59.598627 port1 out 198.18.11.1.10599 -> 3.167.152.123.80: psh 872733841 ack 3103035009
2024-10-08 16:29:59.598678 port2 out 198.18.12.1.5045 -> 3.167.152.123.80: psh 2382546416 ack 4088071357
2024-10-08 16:29:59.621821 port2 in 3.167.152.123.80 -> 198.18.12.1.5045: psh 4088071357 ack 2382546594
2024-10-08 16:29:59.621862 port2 out 198.18.12.1.5045 -> 3.167.152.123.80: ack 4088071921
2024-10-08 16:29:59.621914 port1 in 3.167.152.123.80 -> 198.18.11.1.10599: psh 3103035009 ack 872734019
2024-10-08 16:29:59.621924 port1 out 198.18.11.1.10599 -> 3.167.152.123.80: ack 3103035573
......
2024-10-08 16:35:09.688257 port1 out 198.18.11.1.10599 -> 3.167.152.123.80: psh 872789021 ack 3103209849
2024-10-08 16:35:09.688303 port2 out 198.18.12.1.5045 -> 3.167.152.123.80: psh 2382601596 ack 4088246197
2024-10-08 16:35:09.711784 port2 in 3.167.152.123.80 -> 198.18.12.1.5045: psh 4088246197 ack 2382601774
2024-10-08 16:35:09.711804 port2 out 198.18.12.1.5045 -> 3.167.152.123.80: ack 4088246761
2024-10-08 16:35:09.711827 port1 in 3.167.152.123.80 -> 198.18.11.1.10599: psh 3103209849 ack 872789199
2024-10-08 16:35:09.711835 port1 out 198.18.11.1.10599 -> 3.167.152.123.80: ack 3103210413
......
There is a chance that the last known IP address is no longer responsive, in which case the health check SYNs receive no reply:
FGT-SDW-1 # diag sniffer packet any 'port 80' 4 0 l
2024-10-08 16:44:15.935713 port2 out 198.18.12.1.2887 -> 3.167.152.123.80: syn 1598248510
2024-10-08 16:44:17.827273 port1 out 198.18.11.1.2289 -> 3.167.152.123.80: syn 4042613475
2024-10-08 16:44:17.827372 port2 out 198.18.12.1.5521 -> 3.167.152.123.80: syn 1214229871
2024-10-08 16:44:18.895644 port2 out 198.18.12.1.5521 -> 3.167.152.123.80: syn 1214229871
2024-10-08 16:44:18.895677 port1 out 198.18.11.1.2289 -> 3.167.152.123.80: syn 4042613475
2024-10-08 16:44:20.975661 port1 out 198.18.11.1.2289 -> 3.167.152.123.80: syn 4042613475
2024-10-08 16:44:20.975698 port2 out 198.18.12.1.5521 -> 3.167.152.123.80: syn 1214229871
2024-10-08 16:44:22.832656 port1 out 198.18.11.1.6947 -> 3.167.152.123.80: syn 2021660359
2024-10-08 16:44:22.832729 port2 out 198.18.12.1.4867 -> 3.167.152.123.80: syn 2455052647
2024-10-08 16:44:23.855656 port2 out 198.18.12.1.4867 -> 3.167.152.123.80: syn 2455052647
2024-10-08 16:44:23.855695 port1 out 198.18.11.1.6947 -> 3.167.152.123.80: syn 2021660359
2024-10-08 16:44:25.935654 port1 out 198.18.11.1.6947 -> 3.167.152.123.80: syn 2021660359
2024-10-08 16:44:25.935694 port2 out 198.18.12.1.4867 -> 3.167.152.123.80: syn 2455052647
2024-10-08 16:44:27.835845 port1 out 198.18.11.1.8015 -> 3.167.152.123.80: syn 4010393970
2024-10-08 16:44:27.836040 port2 out 198.18.12.1.6647 -> 3.167.152.123.80: syn 761146524
2024-10-08 16:44:28.895647 port2 out 198.18.12.1.6647 -> 3.167.152.123.80: syn 761146524
2024-10-08 16:44:28.895681 port1 out 198.18.11.1.8015 -> 3.167.152.123.80: syn 4010393970
2024-10-08 16:44:30.975656 port1 out 198.18.11.1.8015 -> 3.167.152.123.80: syn 4010393970
2024-10-08 16:44:30.975692 port2 out 198.18.12.1.6647 -> 3.167.152.123.80: syn 761146524
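Added example (not part of the Fortinet article): a Python parser for sniffer output in the format shown above that counts, per server IP, SYNs sent versus SYN-ACKs received, to tell a health check that rotates across resolved addresses from one stuck on an unanswered last known address. The function names and result labels are assumptions of this example; the sample lines are excerpted from the captures above.

```python
import re
from collections import defaultdict

# Matches "diag sniffer packet ... 4 0 l" lines in the format shown in the article.
LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"(?P<flag>\w+) \d+(?P<ack> ack \d+)?"
)

# Excerpted from the working-scenario capture above.
WORKING = """
2024-09-30 16:37:59.648041 port1 out 198.18.11.1.8743 -> 3.167.152.123.80: syn 3067972178
2024-09-30 16:37:59.648126 port2 out 198.18.12.1.7663 -> 3.167.152.123.80: syn 593412131
2024-09-30 16:37:59.668411 port2 in 3.167.152.123.80 -> 198.18.12.1.7663: syn 4255893897 ack 593412132
2024-09-30 16:37:59.668472 port1 in 3.167.152.123.80 -> 198.18.11.1.8743: syn 2756940580 ack 3067972179
2024-09-30 16:39:01.670359 port2 out 198.18.12.1.1101 -> 3.167.152.24.80: syn 3414364338
2024-09-30 16:39:01.690594 port2 in 3.167.152.24.80 -> 198.18.12.1.1101: syn 3296354204 ack 3414364339
"""

# Excerpted from the last capture above (last known IP not responding).
STALE = """
2024-10-08 16:44:17.827273 port1 out 198.18.11.1.2289 -> 3.167.152.123.80: syn 4042613475
2024-10-08 16:44:17.827372 port2 out 198.18.12.1.5521 -> 3.167.152.123.80: syn 1214229871
2024-10-08 16:44:18.895644 port2 out 198.18.12.1.5521 -> 3.167.152.123.80: syn 1214229871
2024-10-08 16:44:18.895677 port1 out 198.18.11.1.2289 -> 3.167.152.123.80: syn 4042613475
"""

def summarize(capture):
    """Per server IP: SYNs sent (retransmits included) and SYN-ACKs received."""
    stats = defaultdict(lambda: {"syn_out": 0, "synack_in": 0})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["flag"] != "syn":
            continue  # skip prompts, "......" separators and non-SYN packets
        if m["dir"] == "out" and not m["ack"]:
            stats[m["dst"]]["syn_out"] += 1
        elif m["dir"] == "in" and m["ack"]:
            stats[m["src"]]["synack_in"] += 1
    return dict(stats)

def classify(capture):
    """Label a capture window; the labels are this example's own, not FortiOS terms."""
    stats = summarize(capture)
    probed = [ip for ip, s in stats.items() if s["syn_out"]]
    if not probed:
        return "no-new-probes"
    if len(probed) > 1:
        return "rotating"  # health check moved across resolved IPs
    # A single IP is normal inside one DNS TTL; unanswered SYNs are the warning sign.
    return "single-ip-unanswered" if stats[probed[0]]["synack_in"] == 0 else "single-ip-answered"
```

A "single-ip-unanswered" result is worth cross-checking against `diag test app dnsproxy 7` to see whether the FQDN still has a cached entry.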