Description | This article describes a case in which a website cannot be accessed after sign-in because the source IP seen by the site changes when sessions are distributed across multiple WAN interfaces. |
Scope | FortiGate v7.0 and v7.2. |
Solution |
In this case, the three WAN interfaces (WAN1, WAN2, WAN3) are configured as SD-WAN members with measured-volume-based load balancing and volume ratios of 0, 3 and 3. Volume ratios are relative weights (each link's share is its value divided by the sum of all values), so they do not need to add up to 100. Because traffic is distributed by volume, consecutive TCP sessions from the same client can leave through different WAN links and therefore reach the website from different public source IPs. The website ties the signed-in session to the source IP of the sign-in connection and rejects the later connections that arrive from another IP.
config system sdwan
Trace the packet flow by running the commands below.
Debug flow logs:
diag debug reset
Then replicate the issue to generate a log, and disable debugging once done:
diag deb dis
Output (192.168.1.100 is the client source IP, 59.127.175.225 is the website destination IP):
id=65308 trace_id=6 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 192.168.1.100:52623->59.127.175.225:80) tun_id=0.0.0.0 from lan. flag [S], seq 268208240, ack 0, win 65535"
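The complete debug flow sequence for this case, as an added example that is not part of the original article. The filter values (client 192.168.1.100, server 59.127.175.225, TCP port 80) are taken from the trace line above; the trace count of 100 is an assumption and can be raised if the sign-in involves many connections.

```fortios
# Added example, not the article's own command list.
# Clear any previous debug state.
diagnose debug reset

# Match only the affected flow so the output stays readable.
# Values assumed from the trace above.
diagnose debug flow filter saddr 192.168.1.100
diagnose debug flow filter daddr 59.127.175.225
diagnose debug flow filter dport 80

# Show the function name and the policy/route lookup for each packet.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable

# Capture up to 100 packets (assumed count) and turn debug output on.
diagnose debug flow trace start 100
diagnose debug enable

# Now replicate the issue from 192.168.1.100: open the website and sign in.

# Stop the trace, clear the filter and disable debugging once done.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

In the captured output, compare the "find a route ... via <interface>" and the SNAT lines between the sign-in connection and the connections that follow it. If the egress interface (and with it the SNAT address) differs from one session to the next, the website sees the user's source IP change after sign-in, which is the symptom described in this article.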
To keep every session from a client on the same WAN link, so that the website always sees the same source IP, change the SD-WAN load-balance mode from measured-volume-based to source-ip-based (or source-dest-ip-based). The available modes are listed below:
config system sdwan
(sdwan) # set load-balance-mode
source-ip-based       <----- Source IP load balancing. All traffic from a source IP is sent to the same interface.
weight-based          <----- Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
usage-based           <----- Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit, new traffic is sent to the next interface.
source-dest-ip-based  <----- Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
measured-volume-based <----- Volume-based load balancing. Traffic is load-balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios. |
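The problematic configuration beside the corrected one, as an added example that is not the article's own configuration. The interface names wan1, wan2 and wan3, the member IDs 1 to 3 and the placement of the volume ratios on WAN2 and WAN3 are assumptions; the article only states the ratios 0, 3 and 3 and the three member links.

```fortios
# Added example, not the article's configuration. Interface names and member IDs are assumed.

# Before: sessions are distributed by byte volume across the members, so a new TCP
# session from the same client may be sent out a different WAN link (and a different
# public source IP) than the session used for sign-in.
config system sdwan
    set status enable
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set volume-ratio 3
        next
        edit 3
            set interface "wan3"
            set volume-ratio 3
        next
    end
end

# After: all traffic from one source IP is pinned to one member, so the website
# sees a consistent source IP for the whole signed-in session. Use
# source-dest-ip-based instead if only traffic to the same destination needs to stay
# on one link while other destinations may still spread across the members.
config system sdwan
    set load-balance-mode source-ip-based
end
```

Only new sessions follow the new mode; sessions already established stay on the link they are using, so plan the change for a moment when a brief inconsistency is acceptable. With source-ip-based balancing the distribution becomes per client rather than per session: if many users sit behind a single internal NAT address, they all share one WAN link, so check the resulting link utilization after the change.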
Copyright 2024 Fortinet, Inc. All Rights Reserved.