cedwards
New Contributor

Issue with SDWAN, Policy Routes, and OSPF

I have a FortiGate 60F connected to 2 FPOE248 switches via FortiLink.

WAN 1 of the Fortigate connects to a router which provides connectivity to a private WAN, that is also the primary internet access. WAN2 connects to a cable modem that is intended to be a failover Internet.

Port 1 is the gateway for the location's LAN. Port 2 is the gateway for the WiFi LAN. Port 1 is a member of OSPF and is receiving a default route. A policy route in the 60F is sending traffic from Port 2 out WAN2, so as to prevent the WiFi traffic from traversing the private WAN. All traffic was functioning as intended in this configuration.

As I have done before on other 60Fs, to allow the internet traffic from Port 1 to fail over to WAN2, I set up SD-WAN with WAN1 and WAN2 as members. Manual failover was set up with WAN1 preferred. I implemented IPSLA. At this point, despite WAN1 being the preferred interface, all traffic was exiting WAN2. Both interfaces showed up in the IPSLA. Removing WAN1 from the SD-WAN fixed the issue with that Port1 traffic exiting WAN2 when WAN1 was still up, but at this point WiFi traffic stopped working. I eventually had to bypass the 60F entirely to get WiFi restored.

Has anyone had an issue with SD-WAN and default routes from OSPF? I've used SD-WAN and policy routes before with no issues. Any thoughts?

distillednetwork
Contributor III

Could you post your policy route and SD-WAN configuration? SD-WAN basically creates dynamic policy routes in the background and you could have a conflict with this.

When the issue is occurring you could run:

    diag firewall proute list

to see how the proutes are listed in the kernel
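
As an added illustration of the check suggested above (not code from the thread or from Fortinet): a small parser that reads `diag firewall proute list` output and reports every entry that matches a given flow, so a manual policy route and an SD-WAN-generated one (marked by `vwl_service`) competing for the same traffic stand out. The sample output, the interface index numbers, the `iif=0` meaning "any input interface" and the exact field layout are assumptions constructed for the example.

```python
import re
from ipaddress import IPv4Address

# Constructed sample approximating `diag firewall proute list` output (an assumption;
# real output carries more fields). Entry 1 mirrors the thread's manual policy route;
# the second entry stands in for an SD-WAN rule FortiOS installs in the background.
SAMPLE = """\
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=7 dport=1-65535 oif=9 gwy=10.1.10.1
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
id=2130706433 vwl_service=1 vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 oif=8 gwy=203.0.113.1
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
"""

def parse_proutes(text):
    """Return one dict per proute entry, in the order the kernel lists them."""
    entries = []
    for line in text.splitlines():
        if re.match(r"id=\d+", line):
            fields = dict(re.findall(r"(\w+)=(\S+)", line))
            entries.append({"id": int(fields["id"]), "iif": int(fields.get("iif", 0)),
                            "oif": int(fields.get("oif", 0)), "gwy": fields.get("gwy"),
                            "sdwan": "vwl_service" in fields, "src": [], "dst": []})
            continue
        m = re.match(r"(source|destination) wildcard\(\d+\): (.*)", line)
        if m and entries:
            key = "src" if m.group(1) == "source" else "dst"
            for spec in m.group(2).split():  # each spec is address/netmask
                addr, mask = spec.split("/")
                entries[-1][key].append((int(IPv4Address(addr)), int(IPv4Address(mask))))
    return entries

def in_wildcards(ip, wildcards):
    """True if ip falls inside any address/netmask pair (0.0.0.0/0.0.0.0 matches all)."""
    n = int(IPv4Address(ip))
    return any((n & mask) == (addr & mask) for addr, mask in wildcards)

def matching_proutes(entries, iif, src, dst):
    """Every entry a flow would match, in listed order; iif=0 is taken to mean any interface."""
    return [e for e in entries
            if e["iif"] in (0, iif) and in_wildcards(src, e["src"]) and in_wildcards(dst, e["dst"])]

if __name__ == "__main__":
    for e in matching_proutes(parse_proutes(SAMPLE), 7, "192.168.20.5", "8.8.8.8"):
        print(f"id={e['id']} sdwan={e['sdwan']} oif={e['oif']} gwy={e['gwy']}")
```

More than one hit for the WiFi flow means the two mechanisms overlap and the listed order decides; compare that against the output device you expected.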

cedwards

All the SD-WAN configuration was ripped out to get the LAN traffic working correctly.

Here is the one policy route I configured:

    # show router policy
    config router policy
        edit 1
            set input-device "internal2"
            set src "0.0.0.0/0.0.0.0"
            set dst "0.0.0.0/0.0.0.0"
            set gateway 10.1.10.1
            set output-device "wan2"
        next
    end

When I'm able to schedule an outage to implement the failover I'll run the diag command.