Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
paradoxum
New Contributor

Firewall policy switching on IPSec tunnel rebuild or WAN down/up

Hi,

Here is the scenario:

 

- I have a site-to-site IPSec tunnel between two 60D's which carry video in the tunnel

 

- I have the following policies setup on the sending unit:     1) internal to VPN (Encoder_local_LAN to Decoder_remote_LAN  ALL)     2) VPN to internal (Decoder_remote_LAN to Encoder_local_LAN  ALL)     3) ssl.root to any (user group restricted portal access)     4) internal to wan1 (ALL) - My video traffic is always supposed to use policy #1 and does when the tunnel is first established The issue I'm occasionally seeing is that on IPSec key refresh, tunnel rebuild of wan down/up policy #4 is chosen instead of #1.  When this happens the VPN tunnel appears healthy, but the video payload is being sent directly out wan1 instead of the tunnel.  I have several of these setups and some work for months without a hiccup, others will run for a few days before the issue occurs.  Disabling policy #4 immediately fixes the problem, but I need the policy for non-VPN traffic. Currently I have two 60D's at the same remote location exhibiting the same behavior, one is running fw v5.2.3b670 and the other fw v5.0b318

Has anyone seen this before?

 

I'm attaching a sanitized config of one of the remote units.

5 REPLIES 5
ede_pfau
SuperUser
SuperUser

Hi,

 

the remedy to this scenario is "blackhole routes". You can find detailed info on this topic here in the forums.

 

Basically, you define a route for the private LAN behind the remote VPN tunnel end pointing to the tunnel, and another one with less priority pointing to the waste bin/blackhole. If the VPN is down, it's route will be removed and the bh route takes over - discarding the traffic. So there won't be a session established via the WAN interface, and no data loss.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
paradoxum

Thanks for the tip, I will give it a try.

ede_pfau
SuperUser
SuperUser

Scroll down to my post here: https://forum.fortinet.com/tm.aspx?m=123360 for an explanation and a preconfigured batch cmd file for installing blackhole routes to all RFC1918 private networks.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
paradoxum

Thanks.  I've setup a blackhole route for this particular setup.  We will see how it works after a few days.

 

IP                SN                           GW                   INT                         DISTANCE      0.0.0.0         0.0.0.0                    xx.xx.xx.xx       wan1                        10 10.4.22.0     255.255.255.0                                  VegasVPN2                5 10.4.22.0     255.255.255.0                                  None (Blackhole)         7 For reference, I'm attaching your script for others.

ede_pfau
SuperUser
SuperUser

Just to be on the safe side, set the bh route's distance to the maximum allowed, 254. Regardless of how you later add any routes you could never inadvertedly make the bh route preferable to a real one.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors