rajamanickam
Contributor

ADVPN and SDWAN rules

Hi,

I was going through many Fortinet documents but couldn't find which SD-WAN rule strategy works for ADVPN traffic. If an ADVPN shortcut is established, the SD-WAN rule automatically adds the shortcut tunnel as a sub-interface of the parent tunnel. In an SD-WAN rule, if I have two different overlay paths (parent tunnels) and I need to always use the best path, then I can't go with the Manual option; I have to select Best Quality based on latency to pick the best overlay path. Now the problem is, if I select Best Quality then for some reason (like hub and spoke in the same city), my SLA towards the hub through the static parent tunnel will always be lower, and the SLA towards the shortcut tunnel will always have higher latency, so it might not be selected at all (since we are using the DC loopback IP as the health-check server). How to handle this situation? Or, for ADVPN to work, is the Manual strategy the only way in version 6.4? Have any of you faced this issue?

 

Regards

Raja

vtsonev
Staff

Hello Raja,

 

As far as I understand, you experience an issue when using ADVPN + SD-WAN on FortiOS 6.4.x: when the quality of the shortcut tunnel is worse than that of the parent tunnel, SD-WAN doesn't use the shortcut to forward the traffic between the spokes?

 

The behavior you describe is actually expected when you use "best quality" as the strategy for the SD-WAN rule. The logic for Best Quality rules is "measure quality before using the shortcut". Traffic moves to the shortcut only after the SLA is measured, and only if the shortcut has better SLA metrics than the other interfaces (its parent, other shortcuts, other parents).

 

I would recommend using "mode sla (lowest cost)". The logic for Lowest Cost rules is "use the shortcut before measuring quality". Traffic moves to the shortcut right after its creation; the SLA is measured only afterwards (~10 seconds later). Setting "hold-down-time" allows you to delay the failback from the least-preferred interface to the most-preferred interface.

 

Please try to change the mode of the SD-WAN rules:

 

config system sdwan
    config service
        edit 1
            set name "example"
            set mode sla    <--- change the strategy here
        next
    end
end

 

Link for reference:

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/342836/lowest-cost-sla-strat...

 

If you experience any further issues, please share parts of your configuration, like the output of:

config system sdwan
    config service
        show
    end
end

 

diagnose sys sdwan service X    <- replace X with the ID of the SD-WAN rule that should match your traffic

 

 

Best regards,

Vasil

Fortinet Technical Team Lead
NSE 1-4,7 Certified
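A fuller version of the rule Vasil describes, as an added example that is not part of the original post or of Fortinet's documentation. It puts both overlay parent tunnels into one SD-WAN rule with the lowest-cost (SLA) strategy and a hold-down time, so a freshly formed ADVPN shortcut is used before its SLA has been measured and failback to the parent is delayed rather than immediate. The interface names (HUB1-VPN1, HUB1-VPN2), the address objects (LOCAL-LAN, SPOKE-LANS), the health-check server address and all SLA thresholds are placeholders; the FortiOS 6.4 `config system sdwan` syntax is used, and the `#` lines are annotations, not configuration.

```text
# Added example: SD-WAN rule with the lowest-cost (SLA) strategy for ADVPN overlays.
# Interface names, address objects, the health-check server IP and thresholds are
# placeholders; adjust them to the real topology. FortiOS 6.4 syntax.
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        # Both parent (hub) tunnels. ADVPN shortcuts are handled as child
        # interfaces of whichever parent they were formed from.
        edit 1
            set interface "HUB1-VPN1"
            set zone "overlay"
        next
        edit 2
            set interface "HUB1-VPN2"
            set zone "overlay"
        next
    end
    config health-check
        # Probes the DC loopback through both parents; the shortcut is probed
        # separately once it exists.
        edit "DC-LOOPBACK"
            set server "10.255.0.1"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        edit 1
            set name "spoke-to-spoke"
            # "sla" = lowest cost: a newly formed shortcut carries traffic before
            # its SLA is measured, unlike "priority" (best quality).
            set mode sla
            set src "LOCAL-LAN"
            set dst "SPOKE-LANS"
            # Seconds to wait before failing back from a lower-priority member once
            # the preferred one meets the SLA again; avoids parent/shortcut flapping.
            set hold-down-time 60
            config sla
                edit "DC-LOOPBACK"
                    set id 1
                next
            end
            # Order is the preference when several members meet the SLA target.
            set priority-members 1 2
            # FortiOS 7.0+ only (not available in 6.4, so not set here):
            #   set tie-break fib-best-match
            # prefers the member that holds the most specific route to the destination.
        next
    end
end
```

Verify with `diagnose sys sdwan service 1` after a shortcut has formed: the shortcut child interface should appear in the member list and be selected as long as it meets the SLA, regardless of whether the parent's latency to the DC loopback is lower.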
rajamanickam

Hi Vasil,

 

I configured the Manual method with one interface and could see ADVPN working. I have created another redundant rule for the other interface, so that if the first rule fails due to an inactive interface, this rule can be picked.

I couldn't test lowest cost. But as per your logic, even if it is lowest cost, traffic from the child tunnel may shift to the parent tunnel after the hold-down time, since the parent tunnel always has the better latency to the DC server (the SLA from spoke 1 to spoke 2 through the child tunnel may be higher, since the probe traffic goes from spoke 1 to spoke 2 to the DC).

So is Manual mode the only one advised for ADVPN to work?

 

Regards

Raja

akristof

Hello,

 

Let me answer this. Manual mode is not the only SD-WAN rule that will work correctly with ADVPN. A Manual rule, however, will always prefer the shortcut interface over the parent interface. Even an SLA SD-WAN rule will work because, as I said, even if the parent interface has the best SLA, to be able to use the selected interface you need to have a valid route via that interface in the routing table. If a shortcut is formed, iBGP will make sure that the destination subnet is reachable via the shortcut (if you don't have a default route via the parent ADVPN interface). Because of that, the lookup will fail and it will use the next available interface in the SD-WAN rule:

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/985659/advpn-and-shortcut-pa...

Also, in 7.0 a new option for SD-WAN rules was added to make the decision based on the best FIB match:

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/584915/override-quality-comp...

Adrian
akristof
Staff

Hi,

 

Let me just add that Maximize Bandwidth and some Best Quality metrics are not supported with ADVPN.

And to add something to your original question: this is expected with an SLA SD-WAN rule, because even if the overlay towards the hub is selected, in the normal scenario, when the shortcut is established, the parent tunnel's route is replaced in the routing table by the shortcut. So even if the parent tunnel is selected, there shouldn't be a valid route via it in the routing table, and as a result the shortcut tunnel will be selected. But this may vary if you have a default route via the ADVPN tunnels.

Adrian
rajamanickam
Contributor

Thank you Vasil and Adrian. This really helps. Sorry, I was busy with a few other issues. Let me go through this in my lab and come back here.
