Traceroute for remote address across the VPN showing the incorrect second hop. The second hop is going through the 'mgmt' 'DMZ' 'wifi-controller' interface. This happens because the VPN interface has an IP address of 0.0.0.0 so the FortiGate uses the first interface according to the ifindex number.
Does this matter or what interface should i set it too? i have multiple vlans however I use one vlan for all internal connection traffic.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
When the ipsec-virtual-interface is set to 0.0.0.0 it cannot be used in route table, thats when FGT selects the interface with the highest interface-index in the traceroute hop-count, but that entry in the table doesnot mean that the traffic is routed through that wrong interface that is displayed in the table. If you wish to see the correct vpn interface in the tracert, then you can configure the vpn-interface with an ip-address
Regards Anil Nayak
sid dawg wrote:Uhm this shouldn't be the case.This happens because the VPN interface has an IP address of 0.0.0.0 so the FortiGate uses the first interface according to the ifindex number.
Even if your interface has an 0.0.0.0/0.0.0.0 IP it shouldn't be in the routing table at all and a static route (or a dynamic route from your ISP) should override it regardless
I don't see this behavior on my FGT, and I've never 'numbered' my VPN interfaces.
Check the routing table (Routing > Monitor) for the remote network. Where does the default route point to?
Hello,
When the ipsec-virtual-interface is set to 0.0.0.0 it cannot be used in route table, thats when FGT selects the interface with the highest interface-index in the traceroute hop-count, but that entry in the table doesnot mean that the traffic is routed through that wrong interface that is displayed in the table. If you wish to see the correct vpn interface in the tracert, then you can configure the vpn-interface with an ip-address
Regards Anil Nayak
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.