Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pginete
Staff
Staff

Created on ‎06-12-2023 01:12 AM Edited on ‎01-06-2026 12:59 AM By Community Manager

Article Id 259836

Troubleshooting Tip: ICMP reply from Hub to Spoke is asymmetric for Performance SLA

Description

This article describes how to fix the asymmetric ICMP reply from the Hub to the Spoke.
Scope FortiGate.
Solution

The setup is a Dial-up IPsec VPN Hub and Spoke. Both are in SD-WAN and use static routes.

 

hub asymmetric network diagram.JPG 

The Hub has only one VPN tunnel that connects to multiple spokes that have multiple VPN tunnels each going to the same LAN network.

 

When using Performance SLA, the Hub ICMP reply is forwarded to the wrong Spokes VPN tunnel, which is asymmetric.

 

Spoke1 # diagnose sniffer packet any "host 10.249.2.102 and icmp" 4 0 l

Using Original Sniffing Mode

interfaces=[any]

filters=[host 10.249.2.102 and icmp]

1.153896 VPN1 out 10.99.3.54 -> 10.249.2.102: icmp: echo request

1.154027 VPN2 out 10.99.3.54 -> 10.249.2.102: icmp: echo request

1.155771 VPN1 in 10.249.2.102-> 10.99.3.54: icmp: echo reply

1.156438 VPN1 in 10.249.2.102-> 10.99.3.54: icmp: echo reply

 

Solution:

Step 1: Configure location-id on Spokes.

 

Purpose of location-id:

  • Introduced in FortiOS v7.0 per VDOM.
  • Groups all tunnels connected to the same Phase-1 interface with the same location-id.
  • Ensures symmetric replies by picking the original incoming tunnel for outgoing traffic from the group, rather than relying on the routing lookup.

 

Configuration Example:

 

config system settings
    set location-id <spoke-identifier-ip>
end

 

Notes:

  • A dummy IP can be used, but it is recommended to use a Spoke interface IP for clarity.
  • Must be configured per VDOM.

 

Step 2: Flush IKE on Hub and Spokes.

 

diagnose vpn ike gateway flush
diagnose vpn ike restart

 

This ensures the new location-id is applied and tunnels are re-initialized.

 

Step 3: Verify Symmetric ICMP Reply.

After applying the location-id, ICMP replies are sent via the same tunnel that received the request:

 

Spoke1 # diagnose sniffer packet any "host 10.249.2.102 and icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.249.2.102 and icmp]

1.153896 VPN1 out 10.99.3.54 -> 10.249.2.102: icmp: echo request
1.154027 VPN2 out 10.99.3.54 -> 10.249.2.102: icmp: echo request
1.155771 VPN1 in 10.249.2.102 -> 10.99.3.54: icmp: echo reply
1.156438 VPN2 in 10.249.2.102 -> 10.99.3.54: icmp: echo reply

 

Example HUB tunnel info:

 

name=HUB1_0 ver=1 serial=8 172.16.10.254:500 -> 172.16.10.1:500 tun_id=172.16.10.1 dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1

 

  • remote_location matches the Spoke location-id.
  • All tunnels with the same Phase-1 interface and location-id are grouped.
  • Ensures ICMP and other Performance SLA traffic remain symmetric.
1530
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.