Good day guys.
I have the following setup.
Let´s begin with the IPSEC tunnels first:
I´m having issues with the ECMP on the AWS TGW, what I need is just failover between the tunnels, but I want to setup the priority in which they are used under normal conditions, like in the following graph:
I want to influence the traffic (inbound and outbound) so it has the Tunnels in this order of preference:
Or
Right now, what I´m having (with ECMP disabled) is that I´m loosing traffic partially if I lose a Tunnel. If I enable ECMP, I get traffic through all the tunnels, and I do not want that.
I found the Technical Tip : Difference between asymmetric routing and auxiliary sessions., I will testing that also, but right now I´m confussed with this AWS documentation:
IF I understood correctly the AWS docs, I should use:
Meaning that I would need two sets of route maps (right?) they would identical in prefix list (my case), but they will differ regarding the Local Preference, MED and AS_Path.
My questions are:
Keep in mind that I have to leave the space for the future implementation of the Direct Connect, so, whatever I use, I have to leave it so that in case that the Direct Connect fails, the failover SHOULD be Main IPSEC, if the Main IPSEC fails too, then Secondary IPSEC.
Please, I need guidance, oh Wise People of the Community, Help. (FWI: english is my second language, that´s why I´m getting a little confused, sorry about that).
Solved! Go to Solution.
Hi, I share something about BGP over IPSec from On-prem to Cloud.
- Support that you use only one VDOM. And in each Tunnel, you have a BPP session. then
1. If you want to influence traffic from AWS back to you through the Tunnel you want, you should use BGP AS-Path. You can use ROute-map to Append more AS into the AS path list and advertise through BGP neighbor. Neighbors with less AS number in the AS Path list will be used to send traffic back to you.
2. For traffic from Fortinet to AWS , the easy way to do is Local preference.
Brs/Bill
If I understood correctly, the subnet mask should match the filter ge then? (remember, simple terms, since this is all in english)
a.b.c.d 255.224.0.0
=> Subnet mask len is 15
So, the "ge" must be greater 15.
ge and le length need to be longer than the network length. The error message says it all
FGTxxxxx1 (1) # next
Invalid prefix range -- make sure: len < ge-value <= le-valueobject check operator error, -650, discard the setting
Command fail. Return code 1
I think this is common with other routers like Cisco. Or FTNT copied this spec from Cisco.
Toshi
Ok, now I understand.
For posterity or anyone reading this. The filters (ge and or le) MUST be different than the subnet you are trying to filter.
Like Bill and Toshi said:
The ge would NOT be 20, neither le.
It has to be:
I think 19 and 20 is prohibited if the network length is /20. Otherwise the error message the system gave me is wrong. Did you test and confirm as the fact?
Toshi
That´s the thing, it did NOT give me an error. Now, there is one big thing I believe I did not point out, and it was critital to say: the firmware is 6.x.x. (I don´t recall the exact number right now). So most probably, the whole problem was due an old forgotten bug probably. and most most probably corrected in newer versions.
I know, you will ask why in 2024 we are running a 200F firewall on 6.x.x firmware... ask my management about that... I decided just to do my best with what I got / what I am allowed to do.
@FortDoog You should upgrade to a new one such as 7.0.13 or 7.2.6
I think they are better
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.