Support Forum
FortDoog
New Contributor II

AWS IPSEC on BGP routing (how to control traffic preference for each tunnel?)

Good day guys.

I have the following setup.

  • 200F with dual WAN
  • 4 tunnels to AWS (the usual IPSEC with 2 tunnels).
  • Probably, next year, hopefully, I will have AWS Direct Connect.

Let's begin with the IPSEC tunnels first:

I'm having issues with ECMP on the AWS TGW. What I need is just failover between the tunnels, but I want to set up the priority in which they are used under normal conditions, like in the following graph:

(Image: AWS issue.jpg)

I want to influence the traffic (inbound and outbound) so it has the Tunnels in this order of preference:


  1. Main_Tunnel01
  2. Main_Tunnel02
  3. Secondary_Tunnel01
  4. Secondary_Tunnel02

Or

  1. Main IPSEC
  2. Secondary IPSEC

Right now, what I'm getting (with ECMP disabled) is that I'm losing traffic partially if I lose a tunnel. If I enable ECMP, I get traffic through all the tunnels, and I do not want that.

I found the Technical Tip: Difference between asymmetric routing and auxiliary sessions. I will be testing that also, but right now I'm confused by this AWS documentation:

If I understood the AWS docs correctly, I should use:

  • Outbound traffic: Local Preference; if not, then I should use AS_Path
  • Inbound traffic: Local Preference; if not, MED; if not, then I should use AS_Path

Meaning that I would need two sets of route maps (right?). They would be identical in prefix list (my case), but they would differ regarding the Local Preference, MED and AS_Path.

My questions are:

  • Do I need to set up Local Preference, MED and AS_Path for AWS IPSEC routing influencing (all of them, meaning more route maps)?
  • Or can I use just one of them? Meaning, just two route maps, one with more influence than the other.
  • If so, which one should I use (Local Preference, MED or AS_Path)?

Keep in mind that I have to leave room for the future implementation of the Direct Connect, so whatever I use, I have to set it up so that if the Direct Connect fails, the failover SHOULD be the Main IPSEC, and if the Main IPSEC fails too, then the Secondary IPSEC.

Please, I need guidance, oh Wise People of the Community, Help. (FYI: English is my second language, that's why I'm getting a little confused, sorry about that).

"Well, hello there"
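As an added illustration (not from the thread or from Fortinet/AWS), here is a small Python model of how the BGP decision process orders the three attributes the question lists, and why LOCAL_PREF only steers the FortiGate's outbound choice while AS_PATH prepending (then MED) is what the AWS side sees. The AS numbers and the tunnel ranking are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed example: AS numbers and tunnel names are placeholders, not
# values from the thread (AWS side 64512, FortiGate side 65000 here).
AWS_AS = 64512
MY_AS = 65000
TUNNELS = ["Main_Tunnel01", "Main_Tunnel02", "Secondary_Tunnel01", "Secondary_Tunnel02"]


@dataclass
class Path:
    via: str               # tunnel the path was learned over / advertised on
    local_pref: int = 100  # LOCAL_PREF as seen by the router doing the selection
    as_path: tuple = ()    # AS_PATH, prepends included
    med: int = 0           # MULTI_EXIT_DISC


def best_path(paths):
    """Rank candidates the way the BGP decision process orders the attributes
    from the question: highest LOCAL_PREF, then shortest AS_PATH, then lowest
    MED.  Weight, origin and router-id tie-breaks are left out."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.med))


def outbound_choice(up_tunnels):
    """Outbound (FortiGate -> AWS): the route-map applied to routes learned on
    each tunnel sets LOCAL_PREF, so the first tunnel in TUNNELS that is still
    up wins.  LOCAL_PREF never leaves the AS, so it cannot steer AWS's choice."""
    pref = {t: 400 - 100 * i for i, t in enumerate(TUNNELS)}
    paths = [Path(via=t, local_pref=pref[t], as_path=(AWS_AS,)) for t in up_tunnels]
    return best_path(paths).via


def inbound_choice(up_tunnels):
    """Inbound (AWS -> FortiGate): the route-map applied to advertisements on
    tunnel i prepends MY_AS i extra times, so AWS sees the shortest AS_PATH
    over the preferred tunnel that is still up.  MED is the next tie-break."""
    prepends = {t: i for i, t in enumerate(TUNNELS)}
    paths = [Path(via=t, as_path=(MY_AS,) * (1 + prepends[t])) for t in up_tunnels]
    return best_path(paths).via


if __name__ == "__main__":
    print("outbound, all up   :", outbound_choice(TUNNELS))
    print("outbound, main down:", outbound_choice(TUNNELS[2:]))
    print("inbound, T01 down  :", inbound_choice(TUNNELS[1:]))
```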
BillH_FTNT
Staff

Hi FortDoog,
I think what you planned to do with BGP prefixes was right. However, to work with the prefix list, I believe you should change it slightly.
I think the common rule for prefix-list is "len < GE <= LE".
In your case the prefix you configured, a.b.c.d 255.224.0.0 ==> the len is 8+7 = 15 (255 uses 8 bits, 224 uses 7 bits)
==> It should be "ge 15":
1. you can do "ge 15" only,
2. or "ge 15 le 25".
(In your first case, ge 11 is an invalid one, I think)
HTH
Bill

FortDoog
New Contributor II

If I understood correctly, the subnet mask should match the filter ge then? (Remember, simple terms, since this is all in English.)

"Well, hello there"
BillH_FTNT

a.b.c.d 255.224.0.0

=> Subnet mask len is 15

So, the "ge" must be greater than 15.

Toshi_Esumi
SuperUser

ge and le length need to be longer than the network length. The error message says it all:

FGTxxxxx1 (1) # next
Invalid prefix range -- make sure: len < ge-value <= le-valueobject check operator error, -650, discard the setting
Command fail. Return code 1

I think this is common with other routers like Cisco. Or FTNT copied this spec from Cisco.

Toshi
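As an added illustration of the rule in the error message above (this is not code from the thread or from Fortinet), a small Python check of a FortiGate-style prefix-list entry: the mask length of a dotted netmask, the `len < ge-value <= le-value` validation, and which routes an entry with ge/le actually matches. The handling of an entry with only `le` set is an assumption, noted in the code.

```python
import ipaddress


def mask_len(netmask):
    """Prefix length of a dotted mask, e.g. 255.224.0.0 -> 11."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def validate_entry(netmask, ge=None, le=None):
    """Check an entry against the rule the FortiGate CLI printed:
    len < ge-value <= le-value.  Returns (ok, reason).
    Assumption (not stated on the page): with only le set, le must still
    be greater than the network length, as on Cisco-style prefix lists."""
    length = mask_len(netmask)
    if ge is not None and ge <= length:
        return False, f"ge {ge} is not greater than network length {length}"
    if le is not None:
        floor = ge if ge is not None else length
        if le < floor or le <= length or le > 32:
            return False, f"le {le} must satisfy {floor} <= le <= 32 and le > {length}"
    return True, "ok"


def matched_lengths(netmask, ge=None, le=None):
    """Route lengths an entry covers: exact match with neither keyword,
    ge..32 with ge only, len..le with le only, ge..le with both."""
    length = mask_len(netmask)
    lo = ge if ge is not None else length
    hi = le if le is not None else (32 if ge is not None else length)
    return lo, hi


def entry_matches(prefix, netmask, route, ge=None, le=None):
    """True if route (e.g. '10.16.5.0/24') lies inside prefix/netmask and
    its length falls inside the entry's ge/le range."""
    net = ipaddress.IPv4Network(f"{prefix}/{netmask}", strict=False)
    r = ipaddress.IPv4Network(route)
    lo, hi = matched_lengths(netmask, ge, le)
    return r.subnet_of(net) and lo <= r.prefixlen <= hi


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(mask_len("255.224.0.0"), validate_entry("255.224.0.0", ge=11))
    print(validate_entry("255.224.0.0", ge=15, le=25))
    print(entry_matches("10.0.0.0", "255.224.0.0", "10.16.5.0/24", ge=15, le=25))
```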

FortDoog
New Contributor II

Ok, now I understand.

For posterity or anyone reading this: the filters (ge and/or le) MUST be different from the subnet you are trying to filter.

Like Bill and Toshi said:

  • set prefix a.b.c.d /20, for example.

The ge would NOT be 20, and neither would le.

It has to be:

  • in case of ge, 19. So it will take all networks greater than 19; those will be 20, 21, and so on.
  • Or the reverse of it, in case of le, 21. It's kinda like a math equation.
"Well, hello there"
Toshi_Esumi

I think 19 and 20 are prohibited if the network length is /20. Otherwise the error message the system gave me is wrong. Did you test and confirm it as a fact?

Toshi

FortDoog

That's the thing, it did NOT give me an error. Now, there is one big thing I believe I did not point out, and it was critical to say: the firmware is 6.x.x (I don't recall the exact number right now). So most probably the whole problem was due to an old forgotten bug, most probably corrected in newer versions.

I know, you will ask why in 2024 we are running a 200F firewall on 6.x.x firmware... ask my management about that... I decided just to do my best with what I've got / what I am allowed to do.

"Well, hello there"
BillH_FTNT

@FortDoog You should upgrade to a newer one such as 7.0.13 or 7.2.6.

I think they are better.
