Article Id 268117
Description This article describes behavior where the VIP does not work when configured on the secondary ISP connection. A workaround is offered.
Scope FortiGate.

In some scenarios, a VIP is configured on the secondary ISP connection and, even after the configuration is complete, debugging returns a 'reverse path check fail, drop' error.




To fix this issue:


It is most important to check the routing table of the FortiGate by running the following command:


get router info routing-table all




wan2 must have a route in the active routing table. To achieve this, the routes through wan1 and wan2 should have the same AD (administrative distance) value.


Note: In Failover scenarios, use the priority value to choose the best path. If both wan1 and wan2 have the same AD value and the same priority value, ECMP will be performed: it will work as load balancing using wan1 and wan2.


Note: The lower the priority value, the higher the route priority.


Refer to Technical Tip: Routing behavior depending on distance and priority for static routes and policy base... for more information regarding routing behavior based on the aforementioned variables.