Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sadhi_Jayz
New Contributor III

ADVPN/SD-WAN – Forcing Return Traffic to Use the Same Tunnel

Hello Fortinet Community,

 

I have an SD-WAN deployment where a branch site establishes two IPsec tunnels to the head office.

 

The SD-WAN rule at the branch is configured so that traffic destined for the head office uses Tunnel 1 by default, and Tunnel 2 is only preferred if Tunnel 1 is unavailable.

 


 

During a recent incident, we noticed that a printer management server at the head office attempted to communicate with a branch printer.

 

Screenshot taken from Head Office FG

(Printer MGMT server in Head Office - 10.128.0.220 & Printer in Branch - 10.242.89.19)  

 

In this case, the head office firewall selected Tunnel 2 as the outbound path. The branch firewall, however, responded via Tunnel 1, which caused the session to fail.

As a temporary workaround, we disabled Tunnel 2 on the branch firewall, and communication was restored. Obviously, this is not an ideal long-term solution.

 

My question is:
Is there a way to configure the branch firewall so that it returns traffic through the same tunnel it was received on?

 

Additional context:

 

  • Routing is handled using OSPF (not BGP)

 

Any advice or best practices would be greatly appreciated.

 

Thank you.

AEK
SuperUser

Hi Sadhi

In case Tunnel 1 is down on site 1, then it should automatically go down on site 2 as well, right? And then SD-WAN will send the traffic only through Tunnel 2 from both sides, right?

AEK
Sadhi_Jayz
New Contributor III

Hi AEK,

 

Thanks for the reply.

 

Yes, when either IPSec1 or IPSec2 goes down at the branch, the printer and the printer management server can communicate via the remaining tunnel without any issue.

The problem occurs when both IPSec1 and IPSec2 are up. We configured the branch firewall to prioritize IPSec1 using an SD-WAN manual rule, since it has the better underlying ISP. However, all sessions initiated from the head office to the branch are still being sent through IPSec2 from the hub (head office) firewall. Because of this, the session between the printer server and the printer does not get established. In the head office firewall logs, return bytes show as 0, and on the branch firewall there are no logs at all for this session. If I disable either IPSec tunnel at the branch, communication works as expected.

What I need is to ensure this communication continues to work while keeping both tunnels up.

funkylicious
SuperUser

AEK
SuperUser

Hi Sadhi

I understand.

By default in FortiGate, the reply traffic is always sent back through the same interface on which the request traffic entered. And in my understanding this should also be the case for IPsec/SD-WAN. Unless you enabled asymmetric routing or auxiliary sessions. Did you enable one of them?

AEK
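As an added illustration that is not part of the thread, the branch-side FortiOS CLI checks that AEK's question points at: confirm the two settings are still at their defaults, then observe the printer session and the capture while the head office initiates it. It assumes FortiOS 7.x syntax and reuses the addresses from the original post.

```fortios
# Branch FortiGate, FortiOS 7.x CLI (lines after '#' are annotations, not commands)

# 1. Reply traffic follows the ingress interface only while both of these
#    are 'disable' (the default); asymroute or auxiliary-session would change that.
show full-configuration system settings | grep asymroute
show full-configuration system settings | grep auxiliary-session

# 2. Look for the printer session while the head office initiates it.
#    The original post reports no log for it on the branch; if no session
#    appears here either, the request is not being accepted over IPSec2.
diagnose sys session filter clear
diagnose sys session filter src 10.128.0.220
diagnose sys session filter dst 10.242.89.19
diagnose sys session list
#    In the output, 'dev=' lists the ingress->egress interface indexes for the
#    original and reply directions; for a healthy session they name one tunnel.

# 3. Capture on all interfaces with verbosity 4, which prints the interface
#    name per packet, to see where the request enters and the reply leaves.
diagnose sniffer packet any "host 10.128.0.220 and host 10.242.89.19" 4 20 l

# 4. Check which SD-WAN member the branch rule selects towards the head office
#    and what OSPF has learned over each tunnel.
diagnose sys sdwan service
get router info routing-table ospf
```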