New Contributor

Help with WAN Additional IPs and Testing

Hey team,


My setup is:

FG100E on 7.0.10

wan1 - with additional IPs routed

wan2 - with additional IPs routed

static route - via gateway - priority 10

static route - via gateway - priority 20

services setup as firewall policies using Virtual IPs on just fine


Ever since this FG100E was setup, I have been suspicious of the additional IPs on actually working.

The plan would be, if wan1 goes down for an extended period of time, outbound internet is fine as the link monitor disables the route to wan1, but we would then manually change DNS to point to IPs on, matching preconfigured firewall policies.


I wanted to setup a test, to prove I can use them.

Picked one test device. Configured a Policy Route to point its traffic out of wan2. Then a Firewall Policy to NAT its outbound traffic using IP Public; "what is my IP" pages show the correct IP.

Then I configured a Firewall Policy and Virtual IP pointing to this device for port 3389 (something that I know works right now).

I can't get through.

Looking at diag sniffer and diag debug flow shows that the traffic is hitting the FGT, but gives me:


2023-03-20 16:46:22 id=20085 trace_id=1 func=init_ip_session_common line=6024 msg="allocate a new session-009ab520, tun_id="
2023-03-20 16:46:22 id=20085 trace_id=1 func=get_new_addr line=1225 msg="find DNAT: IP-, port-0(fixed port)"
2023-03-20 16:46:22 id=20085 trace_id=1 func=fw_pre_route_handler line=181 msg="VIP-, outdev-wan2"
2023-03-20 16:46:22 id=20085 trace_id=1 func=__ip_session_run_tuple line=3489 msg="DNAT>"
2023-03-20 16:46:22 id=20085 trace_id=1 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2023-03-20 16:46:22 id=20085 trace_id=1 func=ip_session_handle_no_dst line=6110 msg="trace"


And my online research tells me, it can be due to FGT not having a route back to the source.

And I don't, when checking get router info routing-table all. But I also don't for any IP in, and their traffic is working ok.


So, what should I do? Configure a route for the additional IPs to ... where?

This can't be routing to the destination, because it has one.

Or maybe this should be a question of, what is the proper/correct way to configure additional routed IPs into a FGT?
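As an added example (not code from the original post or from Fortinet), the following Python parses "diag debug flow" trace output of the shape pasted above, groups records by trace_id, and reports each trace that ended in a "reverse path check fail, drop", together with the VIP and outdev it matched beforehand. That makes it quick to confirm, from a captured trace, that a VIP session is being dropped by the reverse-path check on the interface it arrived on rather than by a policy. The sample trace is constructed with RFC 5737 documentation addresses and a hypothetical second trace; the record format is the one visible in the post.

```python
import re
from collections import defaultdict

# Constructed sample of FortiOS "diag debug flow" output (RFC 5737 documentation
# addresses, hypothetical session ids); not captured from a real device.
SAMPLE_TRACE = """\
2023-03-20 16:46:22 id=20085 trace_id=1 func=init_ip_session_common line=6024 msg="allocate a new session-009ab520, tun_id=0.0.0.0"
2023-03-20 16:46:22 id=20085 trace_id=1 func=get_new_addr line=1225 msg="find DNAT: IP-192.0.2.50, port-0(fixed port)"
2023-03-20 16:46:22 id=20085 trace_id=1 func=fw_pre_route_handler line=181 msg="VIP-192.0.2.50, outdev-wan2"
2023-03-20 16:46:22 id=20085 trace_id=1 func=__ip_session_run_tuple line=3489 msg="DNAT 203.0.113.20:3389->192.0.2.50:3389"
2023-03-20 16:46:22 id=20085 trace_id=1 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2023-03-20 16:46:22 id=20085 trace_id=1 func=ip_session_handle_no_dst line=6110 msg="trace"
2023-03-20 16:46:30 id=20085 trace_id=2 func=init_ip_session_common line=6024 msg="allocate a new session-009ab530, tun_id=0.0.0.0"
2023-03-20 16:46:30 id=20085 trace_id=2 func=fw_forward_handler line=800 msg="Allowed by Policy-12: SNAT"
"""

# One debug-flow record: timestamp, id, trace_id, func, line, quoted msg.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# The VIP match line names the VIP address and the outgoing device chosen for it.
VIP_RE = re.compile(r'VIP-(?P<vip>[\d.]+), outdev-(?P<outdev>\S+)')


def parse_trace(text):
    """Group debug-flow records by trace_id, preserving their order."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            traces[int(m['trace'])].append(m.groupdict())
    return dict(traces)


def find_rpf_drops(text):
    """Return one finding per trace that ended in a reverse-path-check drop.

    Each finding carries the function that dropped the packet and, when the
    trace matched a VIP first, the VIP address and outdev it was mapped to, so
    the reader can see which interface's return route needs checking.
    """
    findings = []
    for trace_id, records in parse_trace(text).items():
        drop = next((r for r in records if 'reverse path check fail' in r['msg']), None)
        if drop is None:
            continue
        finding = {'trace_id': trace_id, 'drop_func': drop['func'],
                   'vip': None, 'outdev': None}
        for r in records:
            vm = VIP_RE.search(r['msg'])
            if vm:
                finding['vip'] = vm['vip']
                finding['outdev'] = vm['outdev']
        findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in find_rpf_drops(SAMPLE_TRACE):
        print(f"trace {f['trace_id']}: dropped in {f['drop_func']} "
              f"after matching VIP {f['vip']} (outdev {f['outdev']})")
```

Feed it the output of `diag debug flow` (with `diag debug flow filter` narrowed to the test source, as in the post) and each reported trace points at the interface whose reverse route the FortiGate could not verify; a trace that is allowed by policy and never hits ip_route_input_slow produces no finding.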

Contributor III

I would suggest creating an SD-WAN zone w/ those 2, wan1 and wan2 and that might solve your issue.


How does an SDWAN help?


Found a solution? No. I know where SDWAN is, but am not prepared to put it into production without understanding it further.

One thing I have found but haven't tested yet is that on a WAN interface you can specify a 'Secondary IP address'. Couldn't find much online about it and its interaction with routing and the error I am getting.

Esteemed Contributor III

It generally means your link-monitor is somehow not removing the default route to wan1. Did you confirm it's not there any more when wan1 was down?
Also make sure you have the below configured:

config system global
  set snat-route-change enable  (by default it's disabled)




For my tests, I intended to design it so that no wan link needs to go down. So, no, wan1 was never down.

Esteemed Contributor III

I think if you shut down wan1 it would work, because the FGT currently seems to see wan1 as the returning path. So once wan1 is gone, it would be forced to use wan2.

But even when wan1 is up, I don't see a particular reason your test setting doesn't work.


I would try below then test again.

# diag sys session filter src <your_test_source_IP>

# diag sys session clear

then make sure:

# diag sys session list
total session 0


If it still doesn't work after this, I have no other ideas, so I would open a ticket with TAC.


