Ipsec over SDWAN performance SLA is showing down
Hi Experts,
I need your support, as I have configured IPsec over SD-WAN between the HQ and a branch office.
Phase 1 & Phase 2 tunnels are showing up, but the performance SLA is showing down. I have put in so much effort but had no luck. That's the reason I came here for help. Until the performance SLA comes up I will not be able to send traffic from HQ to the branch.
Head_Office_Firewall #
Head_Office_Firewall # get router info routing-table details 192.168.2.0
Routing table for VRF=0
Routing entry for 192.168.2.0/24
Known via "static", distance 220, metric 0, best
* directly connected, Null
Routing entry for 192.168.2.0/24
Known via "static", distance 1, metric 0
via H2B1_VPN1 tunnel 10.10.30.2 inactive
via H2B1_VPN2 tunnel 10.10.40.2 inactive
Head_Office_Firewall #
Head_Office_Firewall (members) # show
config members
edit 1
set interface "port1"
set gateway 10.10.10.1
next
edit 2
set interface "port2"
set gateway 10.10.20.1
next
edit 3
set interface "H2B1_VPN1"
set zone "VPN_ZONE"
set source 192.168.1.1
next
edit 4
set interface "H2B1_VPN2"
set zone "VPN_ZONE"
set source 192.168.1.1
next
end
Head_Office_Firewall (members) #
=========================================
Branch_Firewall # get router info routing-table details 192.168.1.0
Routing table for VRF=0
Routing entry for 192.168.1.0/24
Known via "static", distance 1, metric 0
via B2HO_VPN1 tunnel 10.10.10.2 inactive
via B2HO_VPN2 tunnel 10.10.20.2 inactive
Routing entry for 192.168.1.0/24
Known via "static", distance 220, metric 0, best
* directly connected, Null
Branch_Firewall #
===============================
Branch_Firewall (members) # show
config members
edit 1
set interface "port1"
set gateway 10.10.30.1
next
edit 2
set interface "port2"
set gateway 10.10.40.1
next
edit 3
set interface "B2HO_VPN1"
set zone "VPN_ZONE"
set source 192.168.2.1
next
edit 4
set interface "B2HO_VPN2"
set zone "VPN_ZONE"
set source 192.168.2.1
next
end
=======================================
Configuration files are attached with it.
Labels: FortiGate
Is 192.168.1.0/24 a local network in HQ?
Where should 192.168.2.0/24 be located? I would guess in the branch.
Are these networks permitted in the IPsec selectors, are routes correctly installed in the RIB for them, and are firewall rules in place?
The format you gave is kinda off, but I think you have routes towards them via Null?
Head_Office_Firewall # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 10.10.10.1, port1, [1/0]
*> [1/0] via 10.10.20.1, port2, [1/0]
S 0.0.0.0/0 [5/0] is directly connected, port10, [1/0]
S *> 1.1.1.0/30 [5/0] via H2B1_VPN1 tunnel 10.10.30.2, [1/0]
C *> 1.1.1.1/32 is directly connected, H2B1_VPN1
C *> 2.2.2.1/32 is directly connected, H2B1_VPN2
S *> 2.2.2.2/32 [5/0] via H2B1_VPN2 tunnel 10.10.40.2, [1/0]
C *> 10.10.10.0/27 is directly connected, port1
C *> 10.10.20.0/27 is directly connected, port2
C *> 192.168.1.0/24 is directly connected, port3
S 192.168.2.0/24 [1/0] via H2B1_VPN1 tunnel 10.10.30.2 inactive, [1/0]
[1/0] via H2B1_VPN2 tunnel 10.10.40.2 inactive, [1/0]
S *> 192.168.2.0/24 [220/0] is a summary, Null, [1/0]
C *> 192.168.11.0/24 is directly connected, port3
C *> 192.168.145.0/24 is directly connected, port10
branch====
Routing table for VRF=0
S *> 0.0.0.0/0 [1/0] via 10.10.30.1, port1, [1/0]
*> [1/0] via 10.10.40.1, port2, [1/0]
S 0.0.0.0/0 [5/0] is directly connected, port10, [1/0]
S *> 1.1.1.0/30 [5/0] via B2HO_VPN1 tunnel 10.10.10.2, [1/0]
C *> 1.1.1.2/32 is directly connected, B2HO_VPN1
S *> 2.2.2.1/32 [5/0] via B2HO_VPN2 tunnel 10.10.20.2, [1/0]
C *> 2.2.2.2/32 is directly connected, B2HO_VPN2
C *> 10.10.30.0/27 is directly connected, port1
C *> 10.10.40.0/27 is directly connected, port2
S 192.168.1.0/24 [1/0] via B2HO_VPN1 tunnel 10.10.10.2 inactive, [1/0]
[1/0] via B2HO_VPN2 tunnel 10.10.20.2 inactive, [1/0]
S *> 192.168.1.0/24 [220/0] is a summary, Null, [1/0]
C *> 192.168.2.0/24 is directly connected, port3
C *> 192.168.12.0/24 is directly connected, port3
C *> 192.168.145.0/24 is directly connected, port10
Branch_Firewall #
S 192.168.2.0/24 [1/0] via H2B1_VPN1 tunnel 10.10.30.2 inactive, [1/0]
[1/0] via H2B1_VPN2 tunnel 10.10.40.2 inactive, [1/0]
S *> 192.168.2.0/24 [220/0] is a summary, Null, [1/0]
Routes are showing inactive.
S 192.168.1.0/24 [1/0] via B2HO_VPN1 tunnel 10.10.10.2 inactive, [1/0]
[1/0] via B2HO_VPN2 tunnel 10.10.20.2 inactive, [1/0]
S *> 192.168.1.0/24 [220/0] is a summary, Null, [1/0]
Try disabling update-static-route in the SLA and let's see if it installs/marks the routes correctly; try some pings towards that destination, and afterwards enable it back.
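An added diagnostic (my own example, not code from this thread or from Fortinet): a small Python parser for the "get router info routing-table database" output pasted above. It groups entries per prefix and flags prefixes whose selected route is the Null summary while the tunnel routes for the same prefix are present but marked inactive, which is exactly the state shown for 192.168.2.0/24 at HQ. The function names parse_rib and blackholed_prefixes are my own, and the sample input is constructed from the HQ output in the thread.

```python
import re
from collections import namedtuple

# Constructed sample: the HQ "get router info routing-table database" lines quoted in the thread.
SAMPLE = """\
S *> 0.0.0.0/0 [1/0] via 10.10.10.1, port1, [1/0]
*> [1/0] via 10.10.20.1, port2, [1/0]
S 0.0.0.0/0 [5/0] is directly connected, port10, [1/0]
S *> 1.1.1.0/30 [5/0] via H2B1_VPN1 tunnel 10.10.30.2, [1/0]
C *> 192.168.1.0/24 is directly connected, port3
S 192.168.2.0/24 [1/0] via H2B1_VPN1 tunnel 10.10.30.2 inactive, [1/0]
[1/0] via H2B1_VPN2 tunnel 10.10.40.2 inactive, [1/0]
S *> 192.168.2.0/24 [220/0] is a summary, Null, [1/0]
"""

# Full entry: code letter, optional "*>" flags, prefix, optional [distance/metric], next hop.
ENTRY = re.compile(r"^([A-Z])\s+(\*?>?)\s*(\S+/\d+)\s+(?:\[(\d+)/\d+\]\s+)?(.*)$")
# ECMP continuation line: inherits prefix and code from the preceding entry.
CONT = re.compile(r"^(\*?>?)\s*\[(\d+)/\d+\]\s+(.*)$")

# selected: "*>" flag (installed in the FIB); inactive: the SLA health-check withdrew the route
Route = namedtuple("Route", "prefix code selected distance via inactive")

def parse_rib(text):
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if m := ENTRY.match(line):
            code, flags, prefix, dist, via = m.groups()
            routes.append(Route(prefix, code, "*" in flags, int(dist or 0), via, "inactive" in via))
        elif (m := CONT.match(line)) and routes:
            flags, dist, via = m.groups()
            prev = routes[-1]
            routes.append(Route(prev.prefix, prev.code, "*" in flags, int(dist), via, "inactive" in via))
    return routes

def blackholed_prefixes(routes):
    """Prefixes whose selected route is Null while their tunnel routes are present but inactive."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    findings = {}
    for prefix, entries in by_prefix.items():
        selected = [r for r in entries if r.selected]
        inactive = [r for r in entries if r.inactive]
        if inactive and selected and all("Null" in r.via for r in selected):
            # the interface name is the token right after "via" (e.g. H2B1_VPN1)
            findings[prefix] = [r.via.split()[1].rstrip(",") for r in inactive]
    return findings
```

Re-running this on a fresh dump after toggling update-static-route shows whether the tunnel routes have become active again or whether traffic to the branch is still being sent to Null.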
