Hello all,
My company just bought 2 station wagons full of Fortigates with the intention of replacing existing VPN and firewall infrastructure with them.
Main site is a 310B HA pair, remote sites are either 60B HA pairs, standalone 60Bs or 50Bs. Currently running the 4.0.2 build.
We run OSPF in our network and the 310 cluster is receiving and sending OSPF routes correctly. The cluster also has 2 ISPs connected with the aim of having some redundancy with the remote sites.
For the larger sites (with the 60B clusters) we want to run OSPF over the IPSEC VPN tunnels as those sites may have other sites behind them. That's not a problem and it's working (in the lab :) ) well enough. However, when I want to use static routing to a smaller site, I can't get the route to come up on the OSPF routing table anywhere.
We've dedicated a private /24 network for the VPN tunnel endpoints.
From the core router (Cisco 3750) I can see that the route is in the database but it's not added to the routing table.
I found this Cisco tech note and from that I think that we're hitting on reason #6, that is "Forwarding Address Known via an External Route", as the OSPF database lists the gw as the remote end of the IPSEC tunnel (ie. the address of the remote end) instead of the local address which is advertised and in the OSPF routing table.
I've played with redistribute connected & redistribute static & everything else I've thought about and still no success. If I add a static route to the core router pointing to the FG cluster, traffic flows just fine. I'd just want to avoid the bother of changing static routes in the core every time a new tunnel is added or removed.
Any ideas where to go from here? I'm happy to provide more information and/or command outputs if needed.
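As an added illustration (not part of the post), here is the forwarding-address check from RFC 2328 section 16.4 that the Cisco tech note's reason #6 describes, in Python over a constructed routing table; all prefixes and addresses are placeholders, not values from the post.

```python
import ipaddress

# Constructed data: a simplified OSPF routing table as the core router might
# hold it. Route types follow RFC 2328: "intra" and "inter" are area routes,
# "external" is a Type-5 (redistributed) route. Placeholder prefixes only.
ROUTING_TABLE = [
    {"prefix": "10.10.0.0/24", "type": "intra"},      # LAN advertised natively by the FG cluster
    {"prefix": "10.200.0.0/24", "type": "external"},  # tunnel-endpoint /24 known only via redistribution
]


def lookup(routing_table, address):
    """Longest-prefix match; returns the matching route entry or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in routing_table:
        net = ipaddress.ip_network(route["prefix"])
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best["prefix"]).prefixlen):
            best = route
    return best


def external_lsa_usable(routing_table, forwarding_address):
    """RFC 2328 section 16.4, step (3): a Type-5 LSA with forwarding address
    0.0.0.0 is routed via the ASBR that originated it; a non-zero forwarding
    address must itself be reachable through an intra-area or inter-area
    route, otherwise the LSA stays in the database but is never installed."""
    if forwarding_address == "0.0.0.0":
        return True, "forwarding address 0.0.0.0: route via the advertising ASBR"
    route = lookup(routing_table, forwarding_address)
    if route is None:
        return False, "forwarding address has no route at all"
    if route["type"] in ("intra", "inter"):
        return True, f"forwarding address reachable via {route['type']}-area route"
    return False, "forwarding address known only via an external route (reason #6)"
```

Running it against a forwarding address inside the externally learned tunnel /24 returns the reason #6 verdict, which matches the symptom of a route present in the database but absent from the routing table.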