Hi All,
one of my customers has two branches, each one with a Fortigate 40F. Both appliances use SDWAN to balance outgoing traffic between two ISPs each has 2 ipsec tunnels pointing at the other branch and 4 ipsec tunnels pointing at their AWS instances.
The routing for th vpns was configured with static routing but I wanted to use SDWAN also for the ipsec traffic, so I crerated new SDWAN zone and members for the tunnels pointing at AWS. I followed this Technical Tip except for the fact that the tunnels were create previously so I just added them to the new sdwan zone and set a performance sla source IP via the cli.
Now the new sdwan zone works fine, I've tried knocking down the tunnels one by one and the ping sessions to AWS stayed up perfectly, on both Fortigates. Though if I look at the performance SLA's tab one fortigate shows as if only one tunnel was working, while the other shows as if none of the tunnels worked.
I'm posting a couple of screenshots:
Performance SLA's of Fortigate1
PErformance SLA's of Fortigate 2
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello dclabs,
From provided screenshots i can see that on both devices the target is 192.168.20.12, on the first FG only AWS4 seams to be UP, but on the second is down.
Is it possible to check session list for this destination IP .
You can check with sniffer as well.:
diag sys session filter dst 192.168.20.12 <---- destination IP
diagnose sys session filter proto <0-255> <---- you can filter by protocol in order to reduce the output
diag sys session list
With sniffer you can see on the both FW's how traffic is send out to remote IP
diagnose sniffer packet any "host 192.168.20.12" 4 50 l
thanks for your reply.
Unfortunately I had to remove the vpns from sdwan and configure it back to use static routing for each tunnel, because despite pings from the fortigate to 192.168.20.12 were routed correctly through the sdwan interface, all the users were being routed out to the internet when trying to reach 192.168.20.12.
Hello dclabs,
Please have a look of the KB/documentation bellow which explains how to configure static route/routes for the new SD-WAN zone.
Best regards,
Fortinet
Hi,
I guess your post is missing the link to the kb.
However, as _per my first post, I followed this guide except for the fact that the tunnels were created and established before the sdwan zone:
Hello dclabs,
My apologies , please check the links bellow :
Also is very useful this one(especially points "Configuring the SD-WAN interface " and "adding a static route" :
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/218559/configuring-the-sd-wan-interface
Best regards,
Fortinet
Thank you syordanov.
I've reviewed the docs you posted, and it looks like what I did with the configuration was right.
I created a new zone into which i inserted the tunnel interfaces as members.
I created a performance sla rule and selected the the proper source in the cli.
I created a static route with the newly created sdwan zon and I created firewall policies to allow traffic to and from the new sdwan interface.
However the firewall behavior is strange: if I ping the other side of the tunnels from the firewall cli it works perfectly, and it works throught sdwan working, infacts when I turn tunnel interfaces down it smoothly switch traffic to the remaing tunnels. Though the performance sla is not working and traffic coming from the lan is not routed to the new sdwan zone and instead is routed to the default route, which is the default sdwan zone.
Here's an update:
I'm working on just one of the two firewalls. It's got 4 IPsec tunnels to AWS (all to reach the same destination 192.168.20.12), 2 tunnels from WAN1 and 2 from WAN2 (WAN's are in their own sdwan zone and work properly).
I've followed the kb's to create a new sdwan zone for IPsecs, configured all the firewall rules and static routes accordingly, configured performance sla and set the source ip on each tunnel.
The SDWAN interface seems to be doing its job and steers between the available tunnels, though the perfomance sla seems to be monitoring only one tunnel at the time.
As you can see from the picture it looks like AWS is the only tunnels that is up, though if bring AWS3 down te sdwan rules routes the traffic onto another of the three available tunnels and the perfomance sla shows that as the only one active.
Since all 4 tunnels are actually up I expect all 4 to be monitored by performance sla, not just one. Not sure where the problem is.
Did you configure Tunnel Interface IP?
Here is an article for more information:
You may also want to try creating IP Sec tunnel within SD WAN:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...
Regards,
Varun
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1560 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.