- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- First time 60E user, need help with SDWAN, VPN ple...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First time 60E user, need help with SDWAN, VPN please
Hi there - I'm setting up the first Fortinet I'd like to use for deploying to about 30 or 40 clinics.
The clinics VPN back to a Juniper SSG firewall in the datacenter.
I am trying to setup:
Failover from WAN1 to the LTE modems (this works using SDWAN perfectly)
Fail back when service returns (this does not work if there is demand on the circuit. If I stop pinging, it will failback as programmed)
VPN tunnel to the datacenter (works but flaps, drops 5 or 10 pings out of 100) on the WAN1 interface with failover to the LTE Modem (failover of the VPN does not work. Phase 1 completes to the datacenter firewall but Phase 2 never does; doesn't even try).
VPN tunnel automatically connects and stays connected after disconnect / power cycle (This does not work - I usually have to click the "bring up" and it connects about 20 seconds after that).
The offices may or may not have NAT in front of the firewall so NAT-T is enabled.
I've attached the config file from the 60E; I removed the default settings to shorten what folks have to look at and sanitized a couple IP's and passphrases with X or x.x.x.x
I would think this would be a pretty common scenario, so if anyone has a working config please let me know. I updated it to the latest firmware since I rarely touch these after deployment unless there's a serious security issue with the firmware itself. Any help greatly appreciated; I've been trying different configurations (primarily with the routing cost and preference, but that didn't really make any difference) for about a week on and off now and just can't get it.
For the fortinet folks - really would suggest you finish the cookbook on SDWAN VPN. If I could tie the VPN tunnel to the SDWAN interface this would be 100x easier.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I assume therefore this doesn't work.
Instead what I did was setup wan1 and wwan, with policies to permit the traffic and tunnel interfaces bound to each of the physical interfaces. I setup default routes with different preferences / routing distances to prefer the WAN1 connection.
The failover isn't automatic, but if you unplug WAN1 this works, and immediately fails back when you plug the interface back in.
So I guess the SDWAN isn't quite ready for prime time yet (in the current version of 5.6 firmware anyway), which is conceivably why the cookbook hasn't been published yet I would guess.
If anyone has a better solution or can tell me how to get the interface to disable when it is not working without using SDWAN that would of course be appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is one other caveat. If the USB LTE modem loses connection at any point, the failover will no longer work. This can be worked around by rebooting the firewall. Not ideal, but failures are rare, but that should be fixed in a future firmware update IMO.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm really suprised that the failover is not detected at all. Have you tried enabling the following command in the virtual-wan-link configuration?
set fail-detect enable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regarding the VPN tunnel not coming up or not failing over correct: Please enabled DPD on idle on both VPNs, otherwise I noticed some weird behavior also on 5.4
There were same issues that the VPN stays up all the time although the tunnel is long gone - DPD on idle fixed the problem for me.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I recommend to install blackhole routes for all private IP address ranges (RFC1918) to help VPN tunnel re-establishment.
Background: in case a VPN tunnel goes down, the route to the remote network is either deleted or it might have a higher distance as the default route. Then, traffic for the remote private subnet is sent out the WAN port.
When the tunnel is renegotiated, there is already a session for this in the session table. Traffic across the VPN tunnel will only start to flow after this session is expired. Having blackhole routes in the routing table prevents sessions from being established via default route in the first place.
Attached is a batch command file with these routes; you can find the same info in the forums ("blackhole").
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Convert IPSEC interfaces to SDWAN 87 Views
- ADVPN Network Security 65 Views
- Webfilter license won't work despite having... 135 Views
- SD-WAN Rule Best quality with Packet... 100 Views
- SDWAN design question 118 Views
Labels
-
FortiGate
6,754 -
FortiClient
1,344 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
346 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
86 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.