Hi,
on Fortigate 1100e (7.4.9) we set up an SDWAN like this
We would like OpenNMS to ping a public IP (8.8.8.8) through the line of ROUTER1 and another public IP (8.8.4.4) through the line of ROUTER2. So we set up these policy routes:
| SOURCE | DESTINATION | GATEWAY |
|---|---|---|
| OPENNMS | 8.8.8.8 | ROUTER1 |
| OPENNMS | 8.8.4.4 | ROUTER2 |
In static routes we have:
0.0.0.0/0 SDWAN
In SDWAN policy we have the default (selected members by source IP)
When both interfaces WAN1 and WAN2 are up all works, but:
when both interfaces are up, traceroute shows that the routes are correct (the pings towards 8.8.8.8 choose WAN1, while the pings towards 8.8.4.4 choose WAN2)
Any ideas?
Thanks
hi,
do you do NAT on the FGT or on the routers?
diagnose firewall proute list - shows correctly what you have configured / can you post it?
Created on ‎12-05-2025 12:30 AM Edited on ‎12-05-2025 12:32 AM
NAT is on the FGT
Policy routes (gateways are masked):
id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=66(WAN1) gwy=X.Y.W.Z path_last_used=2025-12-05 09:22:33
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.8.8/255.255.255.255
hit_count=14065 rule_last_used=2025-12-05 09:22:33
id=2(0x02) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=87(WAN2) gwy=A.B.C.D path_last_used=2025-12-05 09:21:54
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.4.4/255.255.255.255
hit_count=3925 rule_last_used=2025-12-05 09:21:54
Both policies work when both interfaces are up, but if we deactivate WAN1, both pings do not work.
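An added example, not part of the original post: a small Python parser for the `diagnose firewall proute list` output pasted above, listing each rule's source, destination and outgoing interface and reporting which rules would have no path left if a given interface is down. The function names are hypothetical, and the line format is assumed to match the two rules shown in the post.

```python
import re

# Output copied from the post above (gateways were masked by the poster).
SAMPLE = """\
id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=66(WAN1) gwy=X.Y.W.Z path_last_used=2025-12-05 09:22:33
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.8.8/255.255.255.255
hit_count=14065 rule_last_used=2025-12-05 09:22:33
id=2(0x02) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=16(port4)
path(1): oif=87(WAN2) gwy=A.B.C.D path_last_used=2025-12-05 09:21:54
source wildcard(1): 10.93.233.229/255.255.255.255
destination wildcard(1): 8.8.4.4/255.255.255.255
hit_count=3925 rule_last_used=2025-12-05 09:21:54
"""

def parse_proute(text):
    """Parse proute list text into one dict per rule (format assumed as in the post)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"id=(\d+)\(", line):
            iif = re.search(r"iif=\d+\(([^)]*)\)", line)
            rules.append({"id": int(m.group(1)), "iif": iif.group(1) if iif else None,
                          "paths": [], "src": [], "dst": [], "hit_count": None})
        elif not rules:
            continue  # ignore anything before the first rule header
        elif m := re.match(r"path\(\d+\): oif=\d+\(([^)]*)\) gwy=(\S+)", line):
            rules[-1]["paths"].append((m.group(1), m.group(2)))
        elif m := re.match(r"(source|destination) wildcard\(\d+\): (.+)", line):
            key = "src" if m.group(1) == "source" else "dst"
            rules[-1][key].extend(m.group(2).split())
        elif m := re.match(r"hit_count=(\d+)", line):
            rules[-1]["hit_count"] = int(m.group(1))
    return rules

def rules_losing_all_paths(rules, down_interfaces):
    """Return ids of rules whose every outgoing interface is in down_interfaces."""
    down = set(down_interfaces)
    return [r["id"] for r in rules
            if r["paths"] and all(oif in down for oif, _ in r["paths"])]

if __name__ == "__main__":
    parsed = parse_proute(SAMPLE)
    for r in parsed:
        print(r["id"], r["iif"], r["src"], "->", r["dst"], "via", r["paths"], "hits", r["hit_count"])
    print("no path left with WAN1 down:", rules_losing_all_paths(parsed, ["WAN1"]))
```

For the posted output only rule 1 references WAN1, so the policy route for 8.8.4.4 still lists its WAN2 path when WAN1 is deactivated.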
Created on ‎12-05-2025 12:35 AM Edited on ‎12-05-2025 12:35 AM
do you have auxiliary-session enabled? if not, try enabling it and see if it solves the issue.
config system settings
    set auxiliary-session enable
end