Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: ADVPN - Dual WAN connectivity on spokes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ADVPN - Dual WAN connectivity on spokes
Hi all,
This is my first post on these forums, so hello to everybody :)
I'm going to start by asking a question i don't expect many people to be able to answer but i hope somebody who is familiar with BGP and ADVPN can crack this one. I have labbed up the below scenario and its working great. Hub/spoke topology with direct spoke to spoke connectivity on demand.
http://cookbook.fortinet.com/configuring-advpn-in-fortios-5-4-dynamic-hub-and-spoke-vpns/
I have got abit more adventurous and added a secondary WAN connection to each firewall and added a second round of ADVPN config/VPN's to establish tunnels over the new WAN connection in a bid to achieve ADVPN redundancy should the primary VPN's fail.
The interesting bit is that it does work (kind of) - If i shut the VPN's down on the hub it works, both spokes will speak to the hub via the second VPN tunnel and agree new spoke to spoke connectivity over the secondary connection. However it does not work if i shut the VPN tunnel down on the spokes themselves, i seem to get a recursive lookup error.
This is the BGP table showing routes for spoke to spoke flow with both VPN's up.
OFFICE-FG-ADVPN-IBGP # get router info routing-table bgp B 10.1.1.0/24 [200/0] via 172.16.1.1, ADVPN, 00:00:01 B 10.2.2.0/24 [200/0] via 172.16.1.2, ADVPN_0, 00:00:01
After i shut the primary WAN VPN down on the hub, it fails over to use the secondary
OFFICE-FG-ADVPN-IBGP # get router info routing-table bgp B 10.1.1.0/24 [200/0] via 172.16.2.1, ADVPN-MPLS, 00:01:42 B 10.2.2.0/24 [200/0] via 172.16.2.2, ADVPN-MPLS_0, 00:00:01
And this is the issue when all VPN's are up o nthe hub and i shut down a VPN on one of the spokes.
OFFICE-FG-ADVPN-IBGP # get router info routing-table bgp B 10.1.1.0/24 [200/0] via 172.16.2.1, ADVPN-MPLS, 00:00:17 B 10.2.2.0/24 [200/0] via 172.16.1.2 (recursive is directly connected, unknown), 00:00:16
The issue looks to be because the route for 10.2.2.0/24 (other spoke) is been learned from the hub but with the next hop (172.16.1.2) that is routed over the same VPN tunnel i just shutdown. So there is no way it can use 172.16.1.2 as a next hop as there is a static route saying route 172.16.1.0/24 over the VPN interface which is down. (this route is required according to the above article)
"This is an important special step for the spokes as they need a summary route that identifies all tunnel IP used over your topology to point towards the ADVPN interface. In our example, we use 10.10.10.0/24 (if our network planning expects less than 255 sites). Be sure to adequately plan this IP range as it needs to be hardcoded in the spokes."
I have logged this with TAC support but doubt they will help me with this. Does anyone know who to fix my issue?
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mattmans
I was wondering how you ever made out with this. We have about 20 sites around the country that are connected via traditional IPSEC, and I'd like to investigate ADVPN for the full-mesh functionality. All locations have dual-WAN, so we'd want the ability for each office to be able to connect to another office using any combination of wan1 & wan2:
wan1 to wan1
wan1 to wan2
wan2 to wan1
wan2 to wan2
I'm not finding any good documentation on this, and don't have access to any good lab setup at this time to experiment. So, if you ever got your setup completely working, please share any details.
Thanks
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would it be possible to just set a monitor on the secondary ADVPN to monitor the primary on the Spoke?
config vpn ipsec phase1-interface
edit Secondary_ADVPN
set monitor Primary_ADVPN
Could it be that easy for redundancy on the spokes?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone found a fix for this yet on FortiOS 6.0.4? I have tried the static routes, blackhole enable, and setting the secondary ADVPN interface to monitor the primary - nothing seems to work when failing WAN1 on the spoke side.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Pdxwolf,
Well we didn't. Even with support and other experts we were not able to build a proper working solution.
We discarded the ADVPN concept and are using plain redundant VPN tunnels now which work like a charm.
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same issue and managed to resolve it.
in short, this was as a result of the remote-gateway IP subnet. on one of my Spoke I configured 10.10.10.1/32 as my remote-gateway instead of 10.10.10.1/24. Check on the below route line, instead of it specifying the next hope to that network it is saying unknown and then referencing it to my default-gateway (Public !B 10.12.2.0/24 [200/0] via 10.254.0.12, unknown (recursive via 196.181.154.225), 00:39:11
and one thing you need to make sure is that when you check your routing table you should be able to see your hub and spoke network as connect route pointing to your ADVPN main interface.
!C 10.254.0.14/32 is directly connected, ADVPN_P1 you need to ensure that your subnet accommodate all the IP range of your other spokes including the Hub. which makes sense if you restudy the concept of recursive route. This means that the router is receiving routes but it does not know how to get to the host/network. I hope the post will bring some clarity and fixes. Thanks.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- ADVPN Tunnel Packet Loss Issues 202 Views
- BGP Flapping / Carrier issue 477 Views
- FortiManager unset mode config for dynamic... 404 Views
- How to achieve zero packet loss... 489 Views
- What FortiOS Event Logs should i... 1341 Views
Labels
-
FortiGate
8,399 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
539 -
FortiSwitch
455 -
FortiAP
451 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
181 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiGateCloud
100 -
FortiSIEM
99 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1640 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.