We manage several FortiGates that are utilizing the SD-WAN features to control failover between a primary (WAN1) and secondary (WAN2) internet connection. We have also allowed management on these interfaces, but limited the access to only our office IP.
While WAN1 is the active internet connection, we have no issues connecting to it for management or sending pings to that interface. The same goes for when WAN2 is active. However, when WAN1 is active, we cannot ping the WAN2 interface or connect to the management GUI. Again, this is also true for WAN1 if WAN2 is active.
We have tried to resolve this in several ways, including policy routes and SD-WAN rules, but no joy. The inability to ping the inactive interface is particularly frustrating for our monitoring, as WAN2 always shows down unless it becomes the active SD-WAN interface.
Any thoughts on how to resolve this?
Policy routes wouldn't apply to access to the FGT itself from outside. It's about what kind of default routes you have toward both interfaces. With SD-WAN, the common setup is to have the same default route, without any metric differences, to all member interfaces, then control outgoing traffic based on SD-WAN rules. It sounds like you did something differently so that only one side is used while the other side is just a backup.
So the first question is: do you have the default route to both circuits in your routing table? Check with "get router info routing-t all"; at the top you should have default routes like below:
fg40f-utm (root) # get router info routing-t all
<snip>
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
                  [1/0] via SFOviaCentu tunnel y.y.y.y, [1/1]
                  [1/0] via z.z.z.z, a, [1/1]
Toshi
Hi @Toshi_Esumi ,
I believe you need to refer to this KB: https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...
It will explain the routing behavior.
Hope that helps.
Created on 07-11-2024 08:32 PM Edited on 07-11-2024 08:39 PM
@Muhammad_Haiqal yes, you're right in case SD-WAN is not in the picture. But with SD-WAN, there are multiple options to make one circuit the primary (in most situations) while the other circuits are still active and workable.
In my example above, as you can see, I set weight 20 on the primary PPPoE circuit (ppp3) while the other internet options have weight 1 with the implicit/default rule, so it would load balance on a per-session basis. But mostly the primary circuit is used if the traffic doesn't match other specific rules. All three default routes have the same Priority 1, as shown in the routing table.
I was not sure what the OP's SD-WAN setting was because it was not clearly described, so I just asked about the default routes, which would be the deciding factor in why the OP can't access the FGT via the secondary circuit at the time.
Toshi
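To turn the check Toshi describes into something a monitoring script can run, here is an added example (not from the thread or from Fortinet) that parses the `get router info routing-table all` output and reports whether every SD-WAN member has an active default route at the same distance and priority; the sample output, interface names and addresses are constructed, and the bracket fields are read as the post above explains them ([distance/metric] first, [priority/weight] last).

```python
import re
from collections import namedtuple

# Constructed sample of `get router info routing-table all`, modelled on the
# snippet in the thread; addresses are documentation ranges, not a real device.
HEALTHY = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 203.0.113.1, wan1, [1/20]
                  [1/0] via 198.51.100.1, wan2, [1/1]
                  [1/0] via SFOviaCentu tunnel 192.0.2.1, [1/1]
C       203.0.113.0/24 is directly connected, wan1
"""
# Only wan1 is active here: wan2 has no default route in the forwarding table.
BROKEN = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 203.0.113.1, wan1, [1/1]
"""

# Field meaning as explained in the thread: [distance/metric] ... [priority/weight].
NEXTHOP_RE = re.compile(
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?:(?P<tun_if>\S+)\s+tunnel\s+(?P<tun_gw>\S+)|(?P<gw>\S+),\s+(?P<intf>\S+)),"
    r"\s+\[(?P<priority>\d+)/(?P<weight>\d+)\]"
)
NextHop = namedtuple("NextHop", "interface gateway distance priority weight")

def parse_default_routes(output):
    """Return every active next hop of 0.0.0.0/0, including indented continuation lines."""
    hops, in_default = [], False
    for line in output.splitlines():
        if line.startswith("S*") and "0.0.0.0/0" in line:
            in_default = True
        elif in_default and not line.lstrip().startswith("["):
            in_default = False  # another prefix starts; the default-route block is over
        m = NEXTHOP_RE.search(line) if in_default else None
        if m:
            hops.append(NextHop(m["tun_if"] or m["intf"], m["tun_gw"] or m["gw"],
                                int(m["distance"]), int(m["priority"]), int(m["weight"])))
    return hops

def check_members(output, members):
    """Flag members with no active default route, or whose distance/priority differ."""
    hops = [h for h in parse_default_routes(output) if h.interface in members]
    seen = {h.interface for h in hops}
    missing = [m for m in members if m not in seen]
    equal_cost = len({(h.distance, h.priority) for h in hops}) <= 1
    return {"missing": missing, "equal_cost": equal_cost, "ok": not missing and equal_cost}
```

A member listed under "missing" is the one whose interface IP will be unreachable from outside while the other circuit is active, so that is the output worth alerting on.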