In our FortiGate environment, both BGP and static routes are configured for the same destination. However, the system currently prefers the static route, which remains active at all times. As a result, during an IPsec tunnel failure, traffic does not automatically fail over to the BGP route. At present, we are required to manually disable the static route on both ends to allow BGP to take over. We are seeking a solution that enables automatic failover from the static route to the BGP route when the IPsec tunnel goes down.
Why not just delete the static route, which will always take precedence?
Other options would be to either do an automation stitch to delete/disable the static route when an event for the IPsec is down, or https://community.fortinet.com/t5/FortiGate/Technical-Tip-Link-Monitor-Explained/ta-p/197504
With FGTs, even if you put the same admin distance on the static route with BGP, like 20 for eBGP/200 for iBGP, it doesn't place both routes as parallel routes in the routing table. Instead, the newly introduced route wins.
You didn't explain the whole topology including both paths. But eventually the best option is to set up BGP through the primary IPsec path as well so that you can set local-preference to prefer primary IPsec path at the BGP level.
Otherwise you have to use link-monitor as @funkylicious suggests. It's quite ugly to have both static routing path and BGP routing path for the same destination when the static side is the primary.
Toshi
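The link-monitor approach referenced above, written out as an added example (not configuration posted by anyone in this thread): the tunnel interface name "tunnel3", the probed far-side address 10.1.1.1 and the timer values are assumptions and must be adjusted to the actual environment.

```fortios
# Added example, not from the thread. Assumed values: interface "tunnel3",
# probe target 10.1.1.1, timers. Apply on each FortiGate that holds a static
# route via the tunnel, since routes are withdrawn only on the local unit.
config system link-monitor
    edit "mon-tunnel3"
        set srcintf "tunnel3"           # IPsec VPN interface carrying the static route
        set server "10.1.1.1"           # far-side host that answers ICMP through the tunnel
        set protocol ping
        set interval 1000               # probe interval in milliseconds
        set failtime 5                  # consecutive lost probes before the link is marked down
        set recoverytime 5              # consecutive good probes before it is marked up again
        set update-static-route enable  # remove static routes via tunnel3 from the routing table while down
    next
end

# Verification after a tunnel outage:
#   diagnose sys link-monitor status          -> monitor state should read "die" / down
#   get router info routing-table all         -> the destination should now show as a B (BGP) route
```

Once the monitor marks the link dead, the static routes on "tunnel3" drop out of the routing table and the already-learned BGP route is installed for the same destination; when the probes succeed again the static route returns and takes precedence by its lower administrative distance.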
This is my topology. Tunnel 3 is used for the static route; Tunnel 3 is a separate tunnel for NAS server access. I need these static routes to be disabled automatically when Tunnel 3 goes down.
It doesn't show the topology of the BGP domain. Which ones are BGP neighbors?
Toshi
Or, if all routing devices are FGTs, there is no reason you can't set up BGP neighboring through all paths to have the same parallel routes in a local FGT's routing table. Then use SD-WAN rules to set path preference per type of traffic if you want to. BGP itself can only do fail-over for all types of traffic.
Toshi
Copyright 2025 Fortinet, Inc. All Rights Reserved.