anderson_yee
Staff
Article Id 337774
Description

This article describes why an SD-WAN health check shows a specific SD-WAN member as down even though the destination is reachable through the member interface.

Scope

FortiGate.

Solution

Two IPsec interfaces are configured as members in the SD-WAN, but IPSEC-2 is showing as down.

When reachability is tested from the FortiGate, both interfaces can reach the destination without any issues.

A packet capture shows that the reply is received on IPSEC-1.

However, for IPSEC-2 the reply packets are not returning on the correct interface.

The SD-WAN health check marks the interface as ‘DOWN’ if the traffic does not return on the correct interface, even if the traffic itself is successful.

Once the traffic returns on the correct interface, the SD-WAN health check detects the interface as UP.
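
The return-path condition described above can be checked offline from a saved capture. The following is an added example, not part of the original article: it pairs each ICMP echo request leaving a member with the interface its reply arrives on. The sample lines are constructed, and the line layout (relative timestamp, interface, direction, addresses, modeled on `diagnose sniffer packet any 'icmp' 4` output) and the function name `classify_return_paths` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of sniffer verbosity-4 output;
# addresses and timings are made up for illustration.
SAMPLE = """\
1.000100 IPSEC-1 out 10.10.1.1 -> 10.20.0.10: icmp: echo request
1.000300 IPSEC-2 out 10.10.2.1 -> 10.20.0.10: icmp: echo request
1.004200 IPSEC-1 in 10.20.0.10 -> 10.10.1.1: icmp: echo reply
1.004900 IPSEC-1 in 10.20.0.10 -> 10.10.2.1: icmp: echo reply
"""

# Assumed layout: <relative time> <interface> <in|out> <src> -> <dst>: icmp: echo <kind>
LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>[^:\s]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def classify_return_paths(capture: str) -> dict:
    """Map each probing interface to 'symmetric', 'asymmetric via X' or 'no reply'."""
    pending = defaultdict(list)  # (probe src, probe dst) -> egress interfaces awaiting a reply
    result = {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip non-ICMP or malformed lines
        iface, src, dst = m["iface"], m["src"], m["dst"]
        if m["dir"] == "out" and m["kind"] == "request":
            pending[(src, dst)].append(iface)
            result.setdefault(iface, "no reply")
        elif m["dir"] == "in" and m["kind"] == "reply":
            waiting = pending.get((dst, src))  # a reply reverses src and dst
            if not waiting:
                continue  # reply to a probe that was not captured
            egress = waiting.pop(0)
            verdict = "symmetric" if iface == egress else f"asymmetric via {iface}"
            # One off-path reply is enough to explain a DOWN member, so keep it.
            if not result[egress].startswith("asymmetric"):
                result[egress] = verdict
    return result

if __name__ == "__main__":
    for member, verdict in classify_return_paths(SAMPLE).items():
        print(f"{member}: {verdict}")
```

A member reported as `asymmetric via ...` matches the case in this article: the destination answers, but the reply comes back on a different interface than the one the probe left on.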

 
