Hi,
This question is tied to this issue I had earlier.
Solved: Connectivity Issue Between 2 Fortigate ?! - Fortinet Community
I have the below network, the 192.168.9.181/182 is a 1Gbps physical link, and the 192.168.10.181/182 is a 10Gbps physical link. The 1Gbps physical link is for Management traffic, and the 10Gbps link is for Storage, and vMotion. Not all VLANs are shown here.
BGP is setup as below.
FW1
Routing table for VRF=0 C 10.11.30.0/24 is directly connected, VLAN30 C 10.11.40.0/24 is directly connected, VLAN40 B 10.21.30.0/24 [20/0] via 192.168.9.182 (recursive is directly connected, port1), 00:18:07, [1/0] B 10.21.40.0/24 [20/0] via 192.168.10.182 (recursive is directly connected, port2), 00:17:40, [1/0] C 192.168.9.0/24 is directly connected, port1 C 192.168.10.0/24 is directly connected, port2
FW2
Routing table for VRF=0 B 10.11.30.0/24 [20/0] via 192.168.9.181 (recursive is directly connected, port1), 00:18:47, [1/0] B 10.11.40.0/24 [20/0] via 192.168.10.181 (recursive is directly connected, port2), 00:18:15, [1/0] C 10.21.30.0/24 is directly connected, VLAN2130 C 10.21.40.0/24 is directly connected, VLAN2140 C 192.168.9.0/24 is directly connected, port1 C 192.168.10.0/24 is directly connected, port2
The initial issue was that VM behind FW1 with IP 10.11.30.200 would not ping VM with IP 10.21.40.200 behind FW2. After much reading I got to know about Symmetric and Asymmetric routing, and that this issue seems to be due to Asymmetric routing.
If I enable Asymmetric setting in Fortigate VMs can talk to each other without issues, but Fortigate says the below in the link above.
If this solves the blocked traffic issue, asymmetric routing is the cause.
However, allowing asymmetric routing is not an ideal solution because it reduces the security of the network.
For a long-term or permanent solution, it is recommended to change the routing configuration or change how the FortiGate connects to the network.
Can someone advise how to overcome this issue, what routing configuration needs to be changed, or how to setup Fortigate correctly to connect to the network to make it work without enabling asymmetric Routing.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yes, perfectly normal. Think about it this way. You might be ingress to Google via Cox, but the best route back to you from Google might be via another ISP. Symmetric paths on the internet are VERY rare in multi-homed environments https://mobdro.bio/ .
Created on 06-11-2024 03:34 AM Edited on 06-11-2024 03:34 AM
Thanks @wormenhi
I got to know of an alternate solution to this issue, BGP AS Path Prepending, I'm understanding how it works, and how it can be used..
Hi,
Based on the routing output, I assume the issue is an RPF (reverse path forwarding) failure. The IP 10.11.30.200 behind FW1 is reaching FW2 via Port2; however, for FW2, the best path to reach the source IP is via Port1. Consequently, the RPF check fails, and the packet is dropped.
There are different ways to solve this issue. Since you are using EBGP neighborship between the firewalls, one of the easiest solutions is enabling ebgp-multipath in the BGP configuration. This will help install both interfaces for the same destination (assuming that both routes are advertised over both links but only one link is selected as the best path)
config router bgp set ebgp-multipath enable
end
However this will do a load-balance of the traffic therefore traffic may flow through any interface. If you need to route traffic over spesific interface then you may need to use a PBR (assuming that you don't have SDWAN, otherwise SDWAN rules are fine).
Thanks @sanjayputhalath_FTNT
I have not configured ebgp-multipath I will need to check this, and Policy Based Routing as well..
I don't recommend PBR but do recommend SDWAN. The PBR defeats the purpose of having a routing protocol/BGP to be redundant. If the link goes down but a PBR is pointing the traffic to the down link, the traffic dies there. Never reroute to the other link even the routes are there.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.