dclabs
New Contributor

IPsec VPN and SD-WAN performance SLA issue

Hi All,


One of my customers has two branches, each one with a FortiGate 40F. Both appliances use SD-WAN to balance outgoing traffic between two ISPs; each one has 2 IPsec tunnels pointing at the other branch and 4 IPsec tunnels pointing at their AWS instances.

The routing for the VPNs was configured with static routing, but I wanted to use SD-WAN also for the IPsec traffic, so I created a new SD-WAN zone and members for the tunnels pointing at AWS. I followed this Technical Tip, except for the fact that the tunnels were created previously, so I just added them to the new SD-WAN zone and set a performance SLA source IP via the CLI.


Now the new SD-WAN zone works fine: I've tried knocking down the tunnels one by one and the ping sessions to AWS stayed up perfectly, on both FortiGates. Though if I look at the Performance SLAs tab, one FortiGate shows as if only one tunnel was working, while the other shows as if none of the tunnels worked.


I'm posting a couple of screenshots:


Performance SLAs of FortiGate 1

Screenshot 2023-10-30 at 07.57.15.png

Performance SLAs of FortiGate 2

Screenshot 2023-10-30 at 07.56.46.png

syordanov
Staff

Hello dclabs,


From the provided screenshots I can see that on both devices the target is 192.168.20.12; on the first FG only AWS4 seems to be UP, but on the second it is down.

Is it possible to check the session list for this destination IP?

You can check with the sniffer as well:


diag sys session filter dst 192.168.20.12 <---- destination IP

diagnose sys session filter proto <0-255> <---- you can filter by protocol in order to reduce the output

diag sys session list


With the sniffer you can see on both FWs how traffic is sent out to the remote IP:


diagnose sniffer packet any "host 192.168.20.12" 4 50 l

dclabs

Thanks for your reply.

Unfortunately I had to remove the VPNs from SD-WAN and configure them back to use static routing for each tunnel, because although pings from the FortiGate to 192.168.20.12 were routed correctly through the SD-WAN interface, all the users were being routed out to the internet when trying to reach 192.168.20.12.

syordanov

Hello dclabs,


Please have a look at the KB/documentation below, which explains how to configure a static route/routes for the new SD-WAN zone.


Best regards,


Fortinet

dclabs

Hi,

I guess your post is missing the link to the KB.


However, as per my first post, I followed this guide except for the fact that the tunnels were created and established before the SD-WAN zone:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

syordanov
Staff

Hello dclabs,


My apologies, please check the links below:


https://docs.fortinet.com/document/fortigate/7.0.0/new-features/270527/specify-an-sd-wan-zone-in-sta...

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/270527/specify-an-sd-wan-zon...


This one is also very useful (especially the points "Configuring the SD-WAN interface" and "Adding a static route"):


https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/218559/configuring-the-sd-wan-interface

 

Best regards,

Fortinet

dclabs

Thank you syordanov.

I've reviewed the docs you posted, and it looks like what I did with the configuration was right.

I created a new zone into which I inserted the tunnel interfaces as members.

I created a performance SLA rule and selected the proper source in the CLI.

I created a static route with the newly created SD-WAN zone, and I created firewall policies to allow traffic to and from the new SD-WAN interface.


However, the firewall behavior is strange: if I ping the other side of the tunnels from the firewall CLI it works perfectly, and it works through SD-WAN; in fact, when I turn tunnel interfaces down it smoothly switches traffic to the remaining tunnels. Though the performance SLA is not working, and traffic coming from the LAN is not routed to the new SD-WAN zone and instead is routed to the default route, which is the default SD-WAN zone.

dclabs
New Contributor

Here's an update:


I'm working on just one of the two firewalls. It's got 4 IPsec tunnels to AWS (all to reach the same destination, 192.168.20.12), 2 tunnels from WAN1 and 2 from WAN2 (the WANs are in their own SD-WAN zone and work properly).

I've followed the KBs to create a new SD-WAN zone for the IPsecs, configured all the firewall rules and static routes accordingly, configured the performance SLA and set the source IP on each tunnel.

The SD-WAN interface seems to be doing its job and steers between the available tunnels, though the performance SLA seems to be monitoring only one tunnel at a time.


Screenshot 2023-12-03 at 12.27.10.png

As you can see from the picture, it looks like AWS is the only tunnel that is up, though if I bring AWS3 down the SD-WAN rules route the traffic onto another of the three available tunnels, and the performance SLA shows that one as the only one active.

Since all 4 tunnels are actually up, I expect all 4 to be monitored by the performance SLA, not just one. Not sure where the problem is.
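For readers following the steps listed in this thread (zone, tunnel members with a probe source address, performance SLA, static route via the zone), here is the CLI shape of that configuration on FortiOS 7.x. This is an added illustration written for this page; it is not dclabs's configuration, not taken from the linked Fortinet documents, and the interface names AWS1-AWS4, the member IDs, the 10.255.x.x tunnel-side addresses and the address objects LAN-subnet and AWS-subnet are assumed placeholders. What it shows that the thread only describes is how the pieces reference each other: every tunnel member carries its own `source`, the single health check names all four members, the SD-WAN rule steers by that health check's SLA, and the static route points at the zone rather than at any one tunnel.

```fortios
# Added example configuration (FortiOS 7.x syntax assumed; names and addresses are placeholders)
config system sdwan
    set status enable
    # 1. A dedicated zone for the tunnels; zones must exist before members reference them
    config zone
        edit "aws-zone"
        next
    end
    # 2. One member per IPsec interface. The tunnel interface normally has no address,
    #    so each member gets an explicit probe source; without it the health check
    #    has nothing to send from on that member.
    config members
        edit 11
            set interface "AWS1"
            set zone "aws-zone"
            set source 10.255.1.1
        next
        edit 12
            set interface "AWS2"
            set zone "aws-zone"
            set source 10.255.2.1
        next
        edit 13
            set interface "AWS3"
            set zone "aws-zone"
            set source 10.255.3.1
        next
        edit 14
            set interface "AWS4"
            set zone "aws-zone"
            set source 10.255.4.1
        next
    end
    # 3. One health check that explicitly lists all four members, so all four are probed
    config health-check
        edit "aws-sla"
            set server "192.168.20.12"
            set members 11 12 13 14
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # 4. The steering rule for LAN -> AWS traffic, selecting among members that meet SLA 1
    config service
        edit 1
            set name "lan-to-aws"
            set mode sla
            set src "LAN-subnet"
            set dst "AWS-subnet"
            config sla
                edit "aws-sla"
                    set id 1
                next
            end
            set priority-members 11 12 13 14
        next
    end
end
# 5. The route for the AWS prefix points at the zone, not at an individual tunnel,
#    so the SD-WAN rule (not the static route) decides which tunnel is used.
config router static
    edit 20
        set dst 192.168.20.0 255.255.255.0
        set sdwan-zone "aws-zone"
    next
end
```

Two checks go with this. First, the health-check `set members` list is worth comparing against the member IDs actually assigned to the zone: a member that is in the zone but not in that list is used for steering yet never probed, which looks in the GUI exactly like a tunnel that is "not monitored". Second, on 7.0 and later, `diagnose sys sdwan health-check status` (an assumed-available command on those releases) prints every member the health check is probing with its packet loss, latency and SLA pass/fail state, which is the CLI counterpart of the Performance SLA tab and the quickest way to see whether the missing tunnels are absent from the check or merely failing it.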
