Hello,
I have a setup with SD-WAN with multiple sites; on one of the sites I have two ISP connections.
To make failover possible I created an Internet SLA.
So I created this in SD-WAN -> Performance SLAs
Last week wan2, which was the active link, went down (the ISP told me they cut the fiber cable during some repairs on the street).
The problem is that the failover didn't work and I needed to move the SD-WAN VPNs manually to the wan1 link.
What did I do wrong here?
Hello @jackt,
I believe this might help you.
Kindly check if this topology matches yours and make the necessary changes accordingly for failover to happen as expected.
Have a nice day!
Hi,
Unfortunately my topology is much different from the one in the example.
The problem is that I inherited this setup and I am not sure if everything has been set correctly.
I have two HUBs that this firewall connects to. This is the main difference.
The wan2 link being down didn't switch the VPN interface to wan1, which is up.
The only setting I suspect may be the reason for it is "Update static route", which is disabled in the VPNs performance SLA. But I'm not sure.
Hello,
Have you maybe found a solution for the problem? I have the same problem of the SLA not failing over, and TAC is saying that it is normal and I need to wait for BGP to fall for it to fail over (why use Perf SLA at all then?!).
Any tip would be helpful!
Kind regards,
fista3015
Hi,
Yes, you need to enable "update static route", as it will remove the route from those interfaces whose SLA is down.
Refer to the link below for more details.
Hello,
Thanks for reply Joshi!
What do you do when you have BGP routes coming from the Hub? You can't delete them with the Update static route command.
I have another question regarding dirty sessions. So, a session is tagged dirty if we have a routing change, and that should include policy routes, right? If I have an SD-WAN rule with a Perf SLA that's doing HC towards the Hub, and the primary link goes down, shouldn't the change in the policy route cause all sessions affected by it to go dirty, flushing the interface and gateway parameters?
This is what I understood was happening from the SD-WAN 7.2 study guide. Please correct me if I am wrong!
Kind regards,
fista3015
What do you do when you have BGP routes coming from the Hub? You can't delete them with the Update static route command.
>> It will not help with BGP routing.
For your 2nd point, yes, SD-WAN rules are considered policy routes.
In this case it is not the interface going down but the link failing. If it was a static route, with the help of the perf SLA "update static route", a route change does occur.
Sorry if I am being redundant, but how is it done then when you have BGP between the Hub and Spoke? There has got to be some way, since this is the recommended config from Fortinet.
I have spun up demos on FNDN and their configuration isn't much different from mine, and I still had no success trying to replicate it. I am using SD-WAN ADVPN with BGP self-healing with route-tags for the Hub. For Spokes, I am letting SLA+Rules do its thing with snat-route-change for internet access (which works nicely).
Thanks a lot for taking your time to answer my questions!
Kind regards,
fista3015
Hi,
BGP self-healing should work.
Mind going through the article below once:
https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-self-healing-with-bgp/559415/overview
There is also "Embedded SD-WAN SLA information in ICMP probes".
Refer:-
Hello,
Thanks for quick response!
What I am having a problem with is the Spoke not redirecting sessions that are active to another interface once the primary in the SLA goes down. It actually waits for the interface to go down before it redirects them.
The Hub is working fine once it gets information about the link going offline on the Spoke location.
If push comes to shove, I am going to run the DPD parameters into the ground, but that is my last resort, especially since the demo showed sub-second failover...
Kind regards,
fista3015
Copyright 2025 Fortinet, Inc. All Rights Reserved.