Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- I need help with routing on Fortigate.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need help with routing on Fortigate.
Dear all,
I have two internet links.
One of the links connects to a VPN with a partner and works perfectly, but on the second internet link, the VPN is intermittent, sometimes working and sometimes not...
WAN1 - 200.40.221.10 (VPN OK)
WAN2 - 187.23.200.38 (VPN Intermittent)
What I noticed:
When we are closing the VPN with WAN2 and I run the following traceroute:
exec traceroute-options source 187.23.200.38
exec traceroute 200.24.197.4(PARTNER)
The first hop is WAN1 and not WAN2, as if the routing were always sending through WAN1.
I have a route: 0.0.0.0/0 -> virtual-wan-link
Even though I am forcing SDWAN to use WAN2, the traceroute continues to go through WAN1.
SDWAN Rules:
VPN_PARTNER
SOURCE: PARTNER-NETWORK
DESTINATION: SERVERS
MEMBERS: WAN2
What could be happening?
Labels:
- Labels:
-
FortiGate
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unless both are NOT DHCP/PPPoE circuits (you sounded like), you have to configure separate GWs in two static default routes. Even DHCP/PPPoE where you don't need to configure static default routes, when you check your routing table, you should see two default routes. Below is mine with three default routes:
fg40f-utm (root) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via x.x.x.x, a, [1/254]
[1/0] via SFOviaCentu tunnel x.x.x.x, [1/253]
[1/0] via x.x.x.x, ppp3, [100/255]
<snip>
What do you see in your routing table? The first one is DHCP, the second is static (from "0/0 to virtual-wan-link"), and the last is PPPoE.
Toshi
Created on ‎08-28-2025 10:48 AM Edited on ‎08-28-2025 11:42 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not DHCP, the two links are dedicated:
get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 187.23.200.39, VLAN200, [1/0]
[1/0] via 200.40.221.11, VLAN201, [1/0]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks fine to me, except those .38 and .10 are GW IPs in your static default routes, not the IPs on the FGT's interfaces unless you modified the output of the command.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And those are on VLAN200 and VLAN201, not directly on wan1 and wan2.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is an aggregate, it is in a core switch links.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've corrected it, I put it wrong, the gw are actually .38 and .10 and the interfaces are .39 and .11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by "aggregate"? If they're VLANs, those are VLANs on top of physical interfaces like wan1 or LAG. And none of those physical interfaces would show in your SD-WAN member config, but VLAN interfaces should be the members.
So you're saying VPN from/to (you didn't say either site-to-site or remote access VPN) VLAN201 doesn't work? Is the IP consistently pingable from outside/over the internet? Or depending on the destinations?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, a LAG.
The links are connected to the switch and pass through the trunk to the Fortigate.
I put WAN to make it easier to understand.
VPN with vlan200 (187.23.200.39) is intermittent, as if it were asymmetrical, sometimes it works and sometimes it doesn't.
And when I do a tracert from my Fortigate to my partner's Fortigate, the result is that it goes out through the other link, vlan201 (200.40.221.11).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So those are site-to-site VPNs then. At the partner side do they have static public IPs on the interface as well? If so, you can put a /32 static route to either vlan200 or vlan201 so that it won't flip-flop.
Also in the IPsec phase1-interface config, you needed to specify the outgoing interface either vlan200 or vlan201.
Toshi
Labels
-
FortiGate
10,526 -
FortiClient
2,139 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
552 -
6.0
416 -
IPsec
413 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
73 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2559 | |
| 1356 | |
| 795 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.