Description | This article describes behavior where the VIP does not work when configured on the secondary ISP connection. A workaround is offered. |
Scope | FortiGate. |
Solution |
In some scenarios, a VIP is configured on the secondary ISP connection and, even though the configuration is complete, debugging returns a 'reverse path check fail, drop' error.
To fix this issue:
The most important step is to check the routing table of the FortiGate by running the following command:
get router info routing-table all
A route through wan2 must be present in the active routing table. To achieve this, the routes for wan1 and wan2 should have the same administrative distance (AD) value.
Note: In failover scenarios, use the priority value to choose the best path. If both wan1 and wan2 have the same AD value and the same priority value, ECMP is performed: traffic is load-balanced across wan1 and wan2.
Note: The lower the priority value, the higher the route priority.
Refer to Technical Tip: Routing behavior depending on distance and priority for static routes and policy base... for more information regarding routing behavior based on the aforementioned variables. |
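The following is an added example, not Fortinet code: a simplified model of the feasible-path reverse path check, run over routing-table output before and after the AD values are aligned. Both routing-table samples, all IP addresses, and the function names are constructed for illustration, and the output layout is assumed to match what `get router info routing-table all` prints.

```python
import ipaddress
import re

# Constructed sample output. BEFORE: the wan2 default route has a higher AD,
# so only the wan1 default route is installed in the active routing table.
TABLE_BEFORE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.0.2.1, wan1, [1/0]
C       192.0.2.0/24 is directly connected, wan1
C       198.51.100.0/24 is directly connected, wan2
"""
# AFTER: same AD (10) on both routes; wan2 has the higher priority value (10 vs 1),
# so wan1 stays preferred while wan2 is still present in the table.
TABLE_AFTER = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.0.2.1, wan1, [1/0]
                  [10/0] via 198.51.100.1, wan2, [10/0]
C       192.0.2.0/24 is directly connected, wan1
C       198.51.100.0/24 is directly connected, wan2
"""

PREFIX = re.compile(r"^\S[^\[]*?\s(\d+\.\d+\.\d+\.\d+/\d+)\s")
NEXTHOP = re.compile(r"(?:via \S+|is directly connected), ([\w.-]+)")


def parse_routes(text):
    """Return [(network, interface)] for each active next hop, ECMP lines included."""
    routes, current = [], None
    for line in text.splitlines():
        if line[:1].strip():  # a non-indented line starts a new table entry
            m = PREFIX.match(line)
            current = ipaddress.ip_network(m.group(1)) if m else None
        hop = NEXTHOP.search(line)
        if hop and current is not None:
            routes.append((current, hop.group(1)))
    return routes


def rpf_feasible(text, src_ip, in_iface):
    """True if some active route covering src_ip points out of in_iface."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net and dev == in_iface for net, dev in parse_routes(text))


if __name__ == "__main__":
    client = "203.0.113.50"  # constructed Internet client reaching the VIP via wan2
    for name, table in (("before", TABLE_BEFORE), ("after", TABLE_AFTER)):
        print(name, "- wan2 passes reverse path check:", rpf_feasible(table, client, "wan2"))
```

In the "before" table the only route back to the client points out of wan1, which is the condition that produces the 'reverse path check fail, drop' message for traffic arriving on wan2.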