ADVPN - Spoke config - redundancy
Currently running an ADVPN (BGP) with a couple dozen spokes. All the spokes are a single WAN connection. Now one of the sites wants to add a redundant WAN connection. There are two hubs at the 'hub' so if ISP 1 at the hub goes down, the spokes failover to Hub ISP 2. On the spokes, the backup hub monitors the first hub. How can I add a 3rd advpn connection from the spoke which would use spoke WAN2 if spoke WAN1 fails?
```
config vpn ipsec phase1-interface
    edit "ADVPN-PRIMARY"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw <ISP1 at HUB>
    next
    edit "ADVPN-BACKUP"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw <ISP2 at HUB>
    next
end
```
Labels: FortiGate
You will need to create two more tunnels like the one you have that use:
```
set interface "wan2"
```
(or whatever the second WAN port is). Then your policies will have four VPN overlay tunnels for SD-WAN rules.
Is SDWAN required on the spoke for this setup? I also don't want the backup connection to be in use unless the primary fails.
I just assumed you were using SD-WAN since the tunnels were named ADVPN. If you are just using routes and the fact that the tunnel is up/down to control the traffic, you don't have to, but SD-WAN will give you a lot more control and monitoring capabilities.
You can create the two new tunnels I mentioned but use the option "set monitor <primary tunnel name>". This will keep the tunnel down unless the primary tunnel specified goes down; then it will try to build the tunnel on the secondary interface. It's a slower process than if the tunnel was always up, but should accomplish the goal.
