Hi Expert,
I need your support as I have configured IPsec over SD-WAN between the HQ and a branch office.
Phase 1 and phase 2 tunnels are showing up, but the performance SLA is showing down. I have put in a lot of effort but no luck; that's the reason I came here for help. Until the performance SLA comes up I will not be able to send traffic from HQ to the branch.
Head_Office_Firewall #
Head_Office_Firewall # get router info routing-table details 192.168.2.0
Routing table for VRF=0
Routing entry for 192.168.2.0/24
Known via "static", distance 220, metric 0, best
* directly connected, Null
Routing entry for 192.168.2.0/24
Known via "static", distance 1, metric 0
via H2B1_VPN1 tunnel 10.10.30.2 inactive
via H2B1_VPN2 tunnel 10.10.40.2 inactive
Head_Office_Firewall #
Head_Office_Firewall (members) # show
config members
edit 1
set interface "port1"
set gateway 10.10.10.1
next
edit 2
set interface "port2"
set gateway 10.10.20.1
next
edit 3
set interface "H2B1_VPN1"
set zone "VPN_ZONE"
set source 192.168.1.1
next
edit 4
set interface "H2B1_VPN2"
set zone "VPN_ZONE"
set source 192.168.1.1
next
end
Head_Office_Firewall (members) #
=========================================
Branch_Firewall # get router info routing-table details 192.168.1.0
Routing table for VRF=0
Routing entry for 192.168.1.0/24
Known via "static", distance 1, metric 0
via B2HO_VPN1 tunnel 10.10.10.2 inactive
via B2HO_VPN2 tunnel 10.10.20.2 inactive
Routing entry for 192.168.1.0/24
Known via "static", distance 220, metric 0, best
* directly connected, Null
Branch_Firewall #
===============================
Branch_Firewall (members) # show
config members
edit 1
set interface "port1"
set gateway 10.10.30.1
next
edit 2
set interface "port2"
set gateway 10.10.40.1
next
edit 3
set interface "B2HO_VPN1"
set zone "VPN_ZONE"
set source 192.168.2.1
next
edit 4
set interface "B2HO_VPN2"
set zone "VPN_ZONE"
set source 192.168.2.1
next
end
=======================================
Configuration files are attached with it.
Is 192.168.1.0/24 a local network in HQ?
Where should 192.168.2.0/24 be located? I would guess in the branch.
Are these networks permitted in the IPsec selectors, are the routes for them correctly installed in the RIB, and are firewall rules in place?
The format you gave is kinda off, but I think you have routes towards them via Null?
Head_Office_Firewall # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 10.10.10.1, port1, [1/0]
*> [1/0] via 10.10.20.1, port2, [1/0]
S 0.0.0.0/0 [5/0] is directly connected, port10, [1/0]
S *> 1.1.1.0/30 [5/0] via H2B1_VPN1 tunnel 10.10.30.2, [1/0]
C *> 1.1.1.1/32 is directly connected, H2B1_VPN1
C *> 2.2.2.1/32 is directly connected, H2B1_VPN2
S *> 2.2.2.2/32 [5/0] via H2B1_VPN2 tunnel 10.10.40.2, [1/0]
C *> 10.10.10.0/27 is directly connected, port1
C *> 10.10.20.0/27 is directly connected, port2
C *> 192.168.1.0/24 is directly connected, port3
S 192.168.2.0/24 [1/0] via H2B1_VPN1 tunnel 10.10.30.2 inactive, [1/0]
[1/0] via H2B1_VPN2 tunnel 10.10.40.2 inactive, [1/0]
S *> 192.168.2.0/24 [220/0] is a summary, Null, [1/0]
C *> 192.168.11.0/24 is directly connected, port3
C *> 192.168.145.0/24 is directly connected, port10
branch====
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 10.10.30.1, port1, [1/0]
*> [1/0] via 10.10.40.1, port2, [1/0]
S 0.0.0.0/0 [5/0] is directly connected, port10, [1/0]
S *> 1.1.1.0/30 [5/0] via B2HO_VPN1 tunnel 10.10.10.2, [1/0]
C *> 1.1.1.2/32 is directly connected, B2HO_VPN1
S *> 2.2.2.1/32 [5/0] via B2HO_VPN2 tunnel 10.10.20.2, [1/0]
C *> 2.2.2.2/32 is directly connected, B2HO_VPN2
C *> 10.10.30.0/27 is directly connected, port1
C *> 10.10.40.0/27 is directly connected, port2
S 192.168.1.0/24 [1/0] via B2HO_VPN1 tunnel 10.10.10.2 inactive, [1/0]
[1/0] via B2HO_VPN2 tunnel 10.10.20.2 inactive, [1/0]
S *> 192.168.1.0/24 [220/0] is a summary, Null, [1/0]
C *> 192.168.2.0/24 is directly connected, port3
C *> 192.168.12.0/24 is directly connected, port3
C *> 192.168.145.0/24 is directly connected, port10
Branch_Firewall #
S 192.168.2.0/24 [1/0] via H2B1_VPN1 tunnel 10.10.30.2 inactive, [1/0]
[1/0] via H2B1_VPN2 tunnel 10.10.40.2 inactive, [1/0]
S *> 192.168.2.0/24 [220/0] is a summary, Null, [1/0]
Routes are showing inactive.
S 192.168.1.0/24 [1/0] via B2HO_VPN1 tunnel 10.10.10.2 inactive, [1/0]
[1/0] via B2HO_VPN2 tunnel 10.10.20.2 inactive, [1/0]
S *> 192.168.1.0/24 [220/0] is a summary, Null, [1/0]
Try disabling "update static route" in the SLA and let's see if it installs/marks the routes correctly; try some pings towards that destination, and afterwards enable it back.
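An added example, not code from the thread or from Fortinet: a small Python parser for the `get router info routing-table database` output posted above. It reports prefixes whose only selected route is the Null summary because every tunnel next hop is marked inactive, and lists the tunnel members whose Performance SLA is therefore worth checking before toggling the SLA's static-route update as suggested in the reply. The sample table is the Head_Office_Firewall output copied from the post; the function, class and field names are the example's own.

```python
"""Parse FortiOS 'get router info routing-table database' output and flag
destinations that are blackholed to Null because every tunnel next hop is
inactive (what an SD-WAN SLA does to its static routes when the health check
is down). Added example; not Fortinet code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the Head_Office_Firewall table copied from the thread.
HQ_TABLE = """\
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 10.10.10.1, port1, [1/0]
*> [1/0] via 10.10.20.1, port2, [1/0]
S 0.0.0.0/0 [5/0] is directly connected, port10, [1/0]
S *> 1.1.1.0/30 [5/0] via H2B1_VPN1 tunnel 10.10.30.2, [1/0]
C *> 1.1.1.1/32 is directly connected, H2B1_VPN1
C *> 2.2.2.1/32 is directly connected, H2B1_VPN2
S *> 2.2.2.2/32 [5/0] via H2B1_VPN2 tunnel 10.10.40.2, [1/0]
C *> 10.10.10.0/27 is directly connected, port1
C *> 10.10.20.0/27 is directly connected, port2
C *> 192.168.1.0/24 is directly connected, port3
S 192.168.2.0/24 [1/0] via H2B1_VPN1 tunnel 10.10.30.2 inactive, [1/0]
[1/0] via H2B1_VPN2 tunnel 10.10.40.2 inactive, [1/0]
S *> 192.168.2.0/24 [220/0] is a summary, Null, [1/0]
C *> 192.168.11.0/24 is directly connected, port3
C *> 192.168.145.0/24 is directly connected, port10
"""

# First line of an entry: '<code> <flags> <prefix> <rest>'; flags are '*' (FIB), '>' (selected).
ENTRY_RE = re.compile(r"^(?P<code>[A-Za-z]{1,2}\d?)\s+(?P<flags>[*>p]*)\s*"
                      r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$")
# Continuation line for an extra (ECMP) next hop: '<flags> [ad/metric] ...'.
CONT_RE = re.compile(r"^(?P<flags>[*>p]*)\s*(?P<rest>\[.*)$")
AD_RE = re.compile(r"^\[(?P<ad>\d+)/(?P<metric>\d+)\]\s*(?P<path>.*)$")


@dataclass
class NextHop:
    kind: str                 # "via", "connected" or "summary"
    gateway: Optional[str]    # tunnel peer or next-hop IP
    iface: Optional[str]      # tunnel/member name, port, or "Null"
    inactive: bool


@dataclass
class Route:
    code: str
    prefix: str
    distance: int
    metric: int
    selected: bool
    in_fib: bool
    nexthops: List[NextHop] = field(default_factory=list)


def _split_ad(rest: str):
    """Return (distance, metric, path); connected routes carry no [ad/metric]."""
    m = AD_RE.match(rest)
    return (int(m["ad"]), int(m["metric"]), m["path"]) if m else (0, 0, rest)


def _parse_path(path: str) -> NextHop:
    parts = [p.strip() for p in path.split(",")]
    head = parts[0].split()
    if head[0] == "via":
        inactive = "inactive" in head
        if "tunnel" in head:  # IPsec/SD-WAN member: 'via <tunnel> tunnel <peer>'
            return NextHop("via", head[head.index("tunnel") + 1], head[1], inactive)
        iface = parts[1] if len(parts) > 1 and not parts[1].startswith("[") else None
        return NextHop("via", head[1], iface, inactive)
    if head[:3] == ["is", "directly", "connected"]:
        return NextHop("connected", None, parts[1] if len(parts) > 1 else None, False)
    if head[:3] == ["is", "a", "summary"]:
        return NextHop("summary", None, parts[1] if len(parts) > 1 else None, False)
    raise ValueError(f"unrecognised path: {path!r}")


def parse_routing_table(text: str) -> List[Route]:
    routes: List[Route] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            ad, metric, path = _split_ad(m["rest"])
            routes.append(Route(m["code"], m["prefix"], ad, metric, ">" in m["flags"],
                                "*" in m["flags"], [_parse_path(path)]))
            continue
        m = CONT_RE.match(line)
        if m and routes:  # extra next hop belonging to the previous entry
            routes[-1].nexthops.append(_parse_path(_split_ad(m["rest"])[2]))
    return routes


def inactive_tunnel_hops(routes: List[Route]) -> Set[str]:
    """Tunnel members the routing table marks inactive, i.e. SLA candidates to check."""
    return {nh.iface for r in routes for nh in r.nexthops
            if nh.inactive and nh.gateway and nh.iface}


def blackholed_prefixes(routes: List[Route]) -> Dict[str, List[str]]:
    """Prefixes whose selected route is the Null summary while every real
    candidate next hop is inactive; maps prefix -> inactive member names."""
    by_prefix: Dict[str, List[Route]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    findings: Dict[str, List[str]] = {}
    for prefix, entries in by_prefix.items():
        is_null = lambda r: any(nh.iface == "Null" for nh in r.nexthops)
        null_selected = any(r.selected for r in entries if is_null(r))
        real_hops = [nh for r in entries if not is_null(r) for nh in r.nexthops]
        if null_selected and real_hops and all(nh.inactive for nh in real_hops):
            findings[prefix] = [nh.iface for nh in real_hops]
    return findings


if __name__ == "__main__":
    table = parse_routing_table(HQ_TABLE)
    for prefix, members in blackholed_prefixes(table).items():
        print(f"{prefix}: selected route is Null; inactive members: {', '.join(members)}")
```

Run it against the branch output in the same way and it reports 192.168.1.0/24 blackholed behind B2HO_VPN1 and B2HO_VPN2, which is exactly the symmetric condition the reply points at: the traffic is not failing inside the tunnels, it is being dropped at the Null summary route because the SLA has withdrawn both member routes.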