Yes, auto-discovery-forwarder is there to allow forwarding of ADVPN control messages between hubs. I am not sure what you mean by the cross-tunneling concept. If you mean cross-overlay shortcuts (shortcuts between different tunnels), this works if you have the same access, e.g. internet. If you have internet and MPLS, you will have problems. But it is always better to keep shortcuts on the same overlay whenever possible and to allow cross-overlay shortcuts only when the primary overlay is not available.
SPOKE-to-SPOKE communication should happen via SPOKE1 OL3 to SPOKE2 OL2, but this is not happening.
To test the scenario, I manually brought down the OL2 tunnel, but WAN1 is still up, so it is getting a recursive route via the WAN link. To resolve this, I created a static route pointing to the OL3 tunnel. Now the routing table is updated with the correct info on SPOKE1; I also created OL2-to-OL3 and vice-versa policies on the hub device.
Now the communication happens like SPOKE1 OL3 --> HUB OL3 --> OL2 --> SPOKE2 OL2, but SPOKE2 is learning the SPOKE1 LAN subnet via the OL3 link using iBGP, so it is trying to reply via OL3. Due to this there is no reply from SPOKE2 to SPOKE1. The spoke shows the below error message.
SPOKE2 # id=65308 trace_id=1 func=print_pkt_detail line=5875 msg="vd-root:0 received a packet(proto=1, 10.101.6.1:27655->10.102.5.1:2048) tun_id=126.96.36.199 from INET_OL2. type=8, code=0, id=27655, seq=0."
id=65308 trace_id=1 func=init_ip_session_common line=6049 msg="allocate a new session-011599d0, tun_id=188.8.131.52"
id=65308 trace_id=1 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
- Verify that they have routing-table entries for all remaining overlays. Also, SPOKE1 should have a route for the OL2 subnet when its own OL2 is down. It can be a static route via OL1 and OL3 as a backup.
- On the HUB, verify that you have all routes via all available overlays.
- Check how the spokes are sending traffic. Which overlay are they selecting? If traffic is leaving via OL3, check whether the HUB is also forwarding the traffic over OL3 (you should have basic policy routes on the HUB for overlay stickiness). I would recommend enabling debug flow on all 3 devices at the same time, sending 1 ping, and you will see where the problem is.
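As an added example (not the responder's or Fortinet's own configuration), the three checks above expressed in FortiOS CLI: backup static routes on SPOKE1 for the OL2 overlay subnet, overlay-stickiness policy routes on the HUB, and a synchronized debug flow capture of a single ping. The interface names OL1/OL2/OL3 and the addresses 10.101.6.1 and 10.102.5.1 come from the thread; the OL2 overlay subnet 10.10.2.0/24 and the policy-route IDs are assumptions.

```fortios
# ---- SPOKE1: keep the OL2 overlay subnet reachable when its own OL2 is down ----
# Assumed addressing: 10.10.2.0/24 is the hub-side OL2 tunnel subnet, i.e. the BGP
# next-hop of routes learned over OL2. While OL2 is up, the connected route
# (distance 0) wins; when OL2 drops, these statics resolve the next-hop through
# OL1 (preferred, lower priority value) or OL3 instead of the raw WAN underlay.
config router static
    edit 0
        set dst 10.10.2.0 255.255.255.0
        set device "OL1"
        set distance 10
        set priority 10
    next
    edit 0
        set dst 10.10.2.0 255.255.255.0
        set device "OL3"
        set distance 10
        set priority 20
    next
end

# ---- HUB: overlay stickiness, traffic leaves on the overlay it arrived on ----
# Replaces the OL2-to-OL3 cross-overlay policies: an echo request entering on OL3
# is forwarded to SPOKE2 over OL3, which is the tunnel SPOKE2's iBGP route back
# to SPOKE1 points at, so SPOKE2's reverse-path check no longer drops it.
config router policy
    edit 1
        set input-device "OL1"
        set output-device "OL1"
    next
    edit 2
        set input-device "OL2"
        set output-device "OL2"
    next
    edit 3
        set input-device "OL3"
        set output-device "OL3"
    next
end

# ---- SPOKE1, HUB and SPOKE2 at the same time: trace one ping end to end ----
# Filter on ICMP to the SPOKE2 host so each device prints only the test packet.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter addr 10.102.5.1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# send a single ping from 10.101.6.1 to 10.102.5.1, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable

# ---- SPOKE2: confirm the return route uses the tunnel the request came in on ----
# If this points at OL3 while the request arrived from INET_OL2, the
# "reverse path check fail, drop" line in the trace is expected.
get router info routing-table details 10.101.6.1
```

Reading the three traces side by side shows which hop changes overlay: the spoke that prints the request leaving on OL3, the hub line that shows the egress tunnel, and the receiving spoke's reverse-path result. Compare the hub's egress tunnel in its trace with the `from ...` interface in SPOKE2's trace; they must be the same overlay for the reply to succeed.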