BWiebe
Contributor

Asymmetric Routing Issue / Question

Working with a client that has the following setup.

1) Data Centre with SonicWall Cluster.

2) Remote Office with Fortigate Cluster (in progress of being added), and a Cisco Router and ASA.

The Remote office has servers with default gateway of 10.103.202.13, which is the Cisco Router, and the ASA (which we are in progress of replacing) is at 10.103.202.44.

The Fortinet has an IP of 10.103.202.1.

There's a site-to-site tunnel between the SonicWall cluster and the Fortigate Cluster to allow transit of 10.150.9.0/24 to 10.103.202.0/24 networks. From the 10.103.202.0/24 network, there's no issues accessing the 10.150.9.0/24 network.

From the 10.150.9.0/24 network, low-level protocols, like ping, DNS, work fine, but anything TCP-heavy, does not.

I sniffed traffic and can see that the traffic has TCP retransmission issues.

The path from the Data Centre to the server is - DataCentre Server -> SonicWall -> Fortigate -> Remote Server

The return path back is - Server -> Router -> Fortigate -> SonicWall -> DataCentre Server

I found a workaround and CAN confirm that if I put route add statements on the remote servers for the 10.150.9.0/24 with a gateway of 10.103.202.1, the traffic flow works.

We had the service provider add a route to the Router to do the same thing, but that only seems to work for traffic sourced at the remote site.

The ROUTE ADD statements work, but I'd like to know if there's another option that doesn't involve hitting all the servers directly for this.

Something I've overlooked?

Thanks!
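One way to confirm the asymmetry the poster describes from a packet capture taken on the remote-office server segment, as an added example that is not part of the original post: for every TCP conversation, compare the gateway MAC that delivers packets to the server with the gateway MAC the server addresses its replies to. In the thread's topology, traffic from the data centre arrives from the FortiGate (10.103.202.1) but the server replies to its default gateway, the Cisco router (10.103.202.13); the two MACs differ and the flow is flagged. The capture lines, the MAC addresses and the port numbers below are constructed for illustration (the format is a simplified tcpdump-style summary), and the gateway-to-name mapping is an assumption.

```python
"""Flag TCP flows whose inbound and outbound packets use different LAN gateways.

Added example, not code from the forum thread. Input is a constructed, simplified
capture summary (one packet per line, as seen on the remote-office server LAN):
  <src mac> > <dst mac> <src ip>.<src port> > <dst ip>.<dst port> Flags [<flags>]
"""
import re
from collections import defaultdict

# Hypothetical gateway MACs on the remote-office LAN (constructed values).
GATEWAYS = {
    "00:09:0f:aa:bb:01": "FortiGate 10.103.202.1",
    "00:1e:f7:cc:dd:13": "Cisco router 10.103.202.13",
}

# Remote-office server subnet from the thread (10.103.202.0/24).
LOCAL_NET = "10.103.202."

LINE_RE = re.compile(
    r"(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}) "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+) "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture. Flow 1: a data-centre host (10.150.9.25) connects to a
# remote server; the SYN comes from the FortiGate but the SYN-ACK goes to the
# router, and the SYN is retransmitted. Flow 2: the server connects outbound
# after the route add, so both directions use the FortiGate.
SAMPLE_CAPTURE = """\
00:09:0f:aa:bb:01 > 00:50:56:11:22:33 10.150.9.25.51234 > 10.103.202.50.443 Flags [S]
00:50:56:11:22:33 > 00:1e:f7:cc:dd:13 10.103.202.50.443 > 10.150.9.25.51234 Flags [S.]
00:09:0f:aa:bb:01 > 00:50:56:11:22:33 10.150.9.25.51234 > 10.103.202.50.443 Flags [S]
00:50:56:11:22:33 > 00:1e:f7:cc:dd:13 10.103.202.50.443 > 10.150.9.25.51234 Flags [S.]
00:50:56:11:22:33 > 00:09:0f:aa:bb:01 10.103.202.50.40000 > 10.150.9.25.22 Flags [S]
00:09:0f:aa:bb:01 > 00:50:56:11:22:33 10.150.9.25.22 > 10.103.202.50.40000 Flags [S.]
00:50:56:11:22:33 > 00:09:0f:aa:bb:01 10.103.202.50.40000 > 10.150.9.25.22 Flags [.]
"""


def flow_key(sip, sport, dip, dport):
    """Direction-independent identifier for a TCP conversation."""
    ends = sorted([(sip, int(sport)), (dip, int(dport))])
    return f"{ends[0][0]}:{ends[0][1]} <-> {ends[1][0]}:{ends[1][1]}"


def analyze(capture_text):
    """Return, per flow, the gateways used, an asymmetry flag and the SYN count.

    A flow is asymmetric when packets delivered to the local server come from a
    different gateway MAC than the one the server sends its replies to.
    """
    flows = defaultdict(lambda: {"gateways": set(), "syn": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected summary format
        p = m.groupdict()
        key = flow_key(p["sip"], p["sport"], p["dip"], p["dport"])
        if p["dip"].startswith(LOCAL_NET):
            gw = p["smac"]  # packet delivered to the server: sender is the gateway
        elif p["sip"].startswith(LOCAL_NET):
            gw = p["dmac"]  # server's reply: destination MAC is its chosen next hop
        else:
            continue  # transit traffic between two non-local hosts: not our concern
        flows[key]["gateways"].add(gw)
        if p["flags"] == "S":
            flows[key]["syn"] += 1  # repeated SYNs hint at the retransmissions seen

    report = {}
    for key, info in flows.items():
        names = sorted(GATEWAYS.get(mac, mac) for mac in info["gateways"])
        report[key] = {
            "gateways": names,
            "asymmetric": len(names) > 1,
            "syn_packets": info["syn"],
        }
    return report


if __name__ == "__main__":
    for key, info in analyze(SAMPLE_CAPTURE).items():
        status = "ASYMMETRIC" if info["asymmetric"] else "symmetric"
        print(f"{key}: {status} via {info['gateways']} (SYNs: {info['syn_packets']})")
```

Run against a real capture, the same check applies to a tcpdump summary with link-layer headers (tcpdump -e), once the regular expression is adapted to that output and the gateway MACs are taken from the actual ARP table of the segment.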

Jeff_FTNT
Staff

<I found a workaround and CAN confirm that if I put route add statements on the remote servers for the 10.150.9.0/24 with a gateway of 10.103.202.1, the traffic flow works.>

You may try enabling "icmp-redirect" on the Cisco router, with the Cisco router's default gateway pointing to the FortiGate 10.103.202.1.

BWiebe

Sorry - need to add - we have no access to modify the Cisco devices. They are managed by a 3rd party.

Jeff_FTNT

You may try enabling NAT on the FGT IPsec policy.
