So here's my conundrum. I have 3 sites all with a private fiber connection to our network provider's datacenter, where they carved off a VDOM just for us to use. We run OSPF on a vlan between the 4 sites (network provider datacenter and 3 locations). I had a failover event this weekend where the circuit failed at the main site and it started running through the secondary site.
Everything was fine except for the traffic to the firewall itself, which means nobody was able to auth to the SSL VPN at the main site because the core switch at our main site saw the /24 as a connected VLAN and didn't have any way to hit the Fortigate IP directly anymore. My thought is why can't I redistribute a /32 to the Fortigate LAN IP through OSPF to make sure that fails over automatically. But I can't find anything on that anywhere.
I did see about redistributing a loopback through OSPF, but I can't get the SSLVPN auth to originate from a loopback interface as far as I can tell. So if anyone can tell me a way to redistribute that /32 interface IP or if there's another way to get this working otherwise, I would greatly appreciate it.
You absolutely can use a loopback for the SSL-VPN. Not sure I follow how it solves all this, but I know that can be done because I do it to solve multi-homed internet connections. I use an IP from my BGP-advertised space and created a VIP to point to the loopback interface where the SSL-VPN is listening.
So let me just make sure I'm understanding your setup.
You have a VIP for a public IP, let's just say it's 22.214.171.124 pointing to a loopback interface internal like 172.16.1.1 and then your LDAP/RADIUS or other auth server sees the SSLVPN traffic and SSLVPN auth traffic originating from 172.16.1.1?
The second link was the one that I needed. It took me a couple days to get a maintenance window, but I was able to go in last night and create a loopback interface, redistribute that IP for that interface through OSPF, and then use the second link you gave me to set it as the source IP for LDAP. I was able to test it with failover and it worked like a charm.
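For anyone landing here later, this is what the procedure described in the thread looks like on the FortiOS CLI. It is an added illustration, not the poster's configuration or vendor documentation: the interface names (`lo0`, `wan1`, `port1`), the OSPF area, the LDAP object name and server address are assumptions, and the addresses 172.16.1.1 and 22.214.171.124 are the sample values used above. The loopback is advertised into OSPF as a host route with a `config network` entry for just the /32 rather than redistributing every connected prefix, so nothing else on the box leaks into the routing domain by accident.

```fortios
# 1. Loopback interface that survives any physical link failure.
#    Only the management protocols the SSL-VPN and auth flows need are allowed.
config system interface
    edit "lo0"
        set vdom "root"
        set type loopback
        set ip 172.16.1.1 255.255.255.255
        set allowaccess https
    next
end

# 2. Advertise only the loopback /32 into OSPF area 0 (assumed area).
#    The OSPF process itself is assumed to already exist for the transit VLAN.
config router ospf
    config network
        edit 10
            set prefix 172.16.1.1 255.255.255.255
            set area 0.0.0.0
        next
    end
end

# 3. Make the SSL-VPN listen on the loopback, and map the public IP to it.
config vpn ssl settings
    set source-interface "lo0"
    set source-address "all"
    set port 443
end

config firewall vip
    edit "sslvpn-vip"
        set extip 22.214.171.124
        set extintf "wan1"
        set mappedip "172.16.1.1"
    next
end

# 4. Source LDAP authentication traffic from the loopback so the auth server
#    always sees 172.16.1.1 regardless of which site the traffic egresses.
#    "ldap-dc01" and 10.10.10.10 are placeholder values.
config user ldap
    edit "ldap-dc01"
        set server "10.10.10.10"
        set source-ip 172.16.1.1
    next
end
```

Two things to check after applying this: traffic destined to a loopback interface on a Fortigate still has to be permitted by a firewall policy from the ingress interface (the WAN side for the VIP, the OSPF transit interfaces for internal access) to `lo0`, so add that policy and keep its service list limited to HTTPS; and confirm on the core switches that the /32 now shows up as an OSPF route (`show ip route ospf` on most platforms) before testing a failover, since a missing host route is exactly the symptom the original post describes.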