Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
MichaelTorres
Staff
Staff

Created on ‎07-21-2025 12:08 AM

Article Id 402144

Troubleshooting Tip: SLAs SD-WAN VPN health checks not working in a redundant HUB and Spoke Topology

Description

This article describes a behavior where users deploy an SD-WAN VPN redundant HUB and Spoke topology, but the Health checks are not working, although the user is using the correct destination addresses.
Scope SD-WAN VPN Redundant HUB and Spoke topology.
Solution

Users may deploy a topology with redundant VPN tunnels from Spokes to HUBs:

 

image.png

 

Both VPNs in the Spoke are using SD-WAN SLA Healthchecks, and the destination configured is the IP 192.168.24.1 on the HUB's side. However SLA of VPN1 is working, butthe  SLA of VPN2 is not working.

 

From the HUB side, the HUB is answering the pings from SLA VPN2 using VPN1. This is not the default behavior, as HUB should answer through the same VPN interface the ping is coming

 

Solution:

On the HUB side, validate if the feature asymmetric route feature is enabled and disable it: Technical Tip: How the FortiGate behaves when asymmetric routing is enabled 


config system settings
    set asymroute disable
end
end

 

This will force FortiGate HUB to always answer the health check through the same VPN incoming interface.
221
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.