Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
NotMine
Contributor II

Created on ‎11-17-2014 12:08 AM

Default routes and WAN Load Balancing

Hello everyone,

 

Can someone explain to me why I can't add two default static routes with the destination 0.0.0.0/0.0.0.0 when there is a default route via a WAN Load Balancing "interface"?

 

For example, here's my WAN LB configuration:

 

 

Here's how the routing table looks like (please disregard the missing gateway):

 

This is how the new default route should look like:

 

 

And here's the error I get when I click OK on the previous screenshot:

 

 

This is the system info:

 

Thank you,

Slavko

NSE 7

All oppinions/statements written here are my own.

NSE 7 All oppinions/statements written here are my own.
16811
0 Kudos
2 Solutions
Dave_Hall
Honored Contributor
In response to NotMine

Created on ‎11-17-2014 06:35 AM

slavko wrote:

:) Tried that already. Won't let me. When I send the end, it prints out an error message. That's why I'm here. :)

This is odd.  What happens if you disable the load-balancing interface(s) first and/or load the config into a text editor, add the route, load it back into the fgt. 

 

I am assuming port10 is your backup link?  If it's not, I would set the dest IP/mask to the network (mask) used on that interface.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
5271
0 Kudos
Jzhang_FTNT
Staff
Staff
In response to NotMine

Created on ‎01-25-2017 11:06 AM

Wan Load Balance feature designed to load balancing outgoing traffic over its member interfaces per ECMP and load balancing algorithm. so usually a static/default required to configured over wan-load-balance/virtual-wan-link to make ECMP happened. 

If another default route allowed, may mean one more ECMP route added, FGT will face the dilemma of load balancing between Wan Load Balance member interfaces or with the one more interface.

if you just want add one more backup interface, you can put it into wan load balance with different distance or priority setting

 

I think this is the design idea.

View solution in original post

5271
0 Kudos
11 REPLIES 11
Dave_Hall
Honored Contributor

Created on ‎11-17-2014 05:11 AM

What does the routing monitor show?  Can you perform "show router static" on the CLI to see what entries are listed?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
4309
0 Kudos
NotMine
Contributor II

Created on ‎11-17-2014 05:16 AM

Sure, here it is:

 

And this is the routing table:

 

Please note that this is a test VM which I'm currently using.

NSE 7

All oppinions/statements written here are my own.

NSE 7 All oppinions/statements written here are my own.
4331
0 Kudos
Dave_Hall
Honored Contributor
In response to NotMine

Created on ‎11-17-2014 06:11 AM

Try adding the new route via the CLI; if you are able too, I would mark it down as a "bug" or glitch with the GUI or browser compatibly . 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
4321
0 Kudos
NotMine
Contributor II

Created on ‎11-17-2014 06:13 AM

:) Tried that already. Won't let me. When I send the end, it prints out an error message. That's why I'm here. :)

NSE 7

All oppinions/statements written here are my own.

NSE 7 All oppinions/statements written here are my own.
4321
0 Kudos
Dave_Hall
Honored Contributor
In response to NotMine

Created on ‎11-17-2014 06:35 AM

slavko wrote:

:) Tried that already. Won't let me. When I send the end, it prints out an error message. That's why I'm here. :)

This is odd.  What happens if you disable the load-balancing interface(s) first and/or load the config into a text editor, add the route, load it back into the fgt. 

 

I am assuming port10 is your backup link?  If it's not, I would set the dest IP/mask to the network (mask) used on that interface.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
5272
0 Kudos
Jzhang_FTNT
Staff
Staff
In response to NotMine

Created on ‎01-25-2017 11:06 AM

Wan Load Balance feature designed to load balancing outgoing traffic over its member interfaces per ECMP and load balancing algorithm. so usually a static/default required to configured over wan-load-balance/virtual-wan-link to make ECMP happened. 

If another default route allowed, may mean one more ECMP route added, FGT will face the dilemma of load balancing between Wan Load Balance member interfaces or with the one more interface.

if you just want add one more backup interface, you can put it into wan load balance with different distance or priority setting

 

I think this is the design idea.

5272
0 Kudos
Silver
New Contributor

Created on ‎06-25-2015 03:03 AM

Hi,

I got the same error me too while configured a route using device as wan- load balance. But i was already having a default route going out via another connection, while i removed the other default route then i was able to add the route with device wan load balance. But the problem i need the other default route also i have my email etc going out the this connection.

it may be a bug i don't know any solution plz

4321
0 Kudos
obfuscated
New Contributor II

Created on ‎06-26-2015 11:08 PM

 

 

I think this routing behaviour is by design.  Looking at the set up you have a bundled virtual link which you then point your default route pointed to.  As the Virtual link knows its gateways it then passes traffic to these gateways based on what kind of load balancing you apply.  You can then use link quality checking to ensure that all is healthy.

 

I think in the original post instead of 0.0.0.0 in the gateways section of the WAN Link LB you need to have the gateways of the ISP.  The default route then needs to point to 'virtual-wan-link'.  

 

This probably explains things better then me:-

 

http://cookbook.fortinet....ernet-connections-520/

 

 

Ob

 

 

 

 

4321
0 Kudos
Ali_Jassim
New Contributor III
In response to obfuscated

Created on ‎02-04-2016 04:44 AM

Hello !

[size="4"]I have same problem [&o] with Foritgate 200D OS 5.2.3 !! what is the solution ? [/size]

 

4321
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.