Fortinet Forum
mnemonictech
New Contributor

Fortigate60D issue with secondary gateway

We have a Fortigate 60D running 6.0.9

We have two internet lines.

One is connected to 60D via WAN1

The other one is used by a Cisco router, which is in the same subnet as the 60D (the 60D has 192.168.1.10 and the Cisco has 192.168.1.1).

We can add a static route both for the 60D (the line on WAN1) and for the Cisco line with

0.0.0.0/0   gateway 85.xx.xx.xx (the static IP of the ISP's equipment)

0.0.0.0/0   gateway 192.168.1.1 (the LAN IP of the Cisco router)

but no traffic seems to get through this static route.

If we add a static route for a specific site, it does get through the Cisco router.

Any help?

Toshi_Esumi
Esteemed Contributor II

I'm assuming you're trying to do ECMP load balancing between them.

1. Check the routing table with "get router info routing-table static". Do you see two default routes with the same distance and the same priority?

2. What kind of policies do you have? It requires two policies, one for each direction.

3. If the source you're generating the internet-bound traffic from is in the same LAN subnet, it would not work well when the FGT forwards it to the Cisco, because the outgoing path is 192.168.1.x (source) -> 192.168.1.10 (FGT) -> 192.168.1.1 (Cisco), but for the return traffic the Cisco at 192.168.1.1 sends directly to the source 192.168.1.x. The FGT doesn't like that and might block the following outgoing TCP packets because it sees only one-way traffic.

You might need to set up a VLAN between the FGT and the Cisco, then assign a /30 subnet. Then you can have a proper policy toward the VLAN interface, in addition to the policy toward WAN1.

mnemonictech

We've managed to solve this issue.

We made one static route 0.0.0.0/0 with gateway 213.xxx.xxx.xxx, which is the next hop on the line connected via the Cisco router, and an extra static route saying that for the 213.xxx.xxx.xxx IP the gateway is 192.168.1.1 (the Cisco router's LAN IP).

So far it seems to be working.

mnemonictech

Well, it seems to work on some computers but not on others. But it must be a case of a misconfigured DNS server. Machines with DHCP work OK, but if they have a static IP address they can't use both external lines depending on the FortiGate's policies. The static IP PCs can access the internet only via the line on the WAN port.