Hi, guys,
I am currently using Fortigate 400E with FortiOS v7.0.3, with the SDWAN configuration of 3 internet lines.
I tried to test the destination IP with traceroute/pingtest as the following test cases:
SDWAN configuration:
1. service rule = Maximized
2. SDWAN Mode(load-balance hash-mode=round-robin)
3. load-balance-mode : source-dest-ip-based
4. duplication-max-num : 3
Firewall policy "local-in-policy":
Forti400e01 (local-in-policy) # show
config firewall local-in-policy
end
My traceroute test (ping test is similar)
Case 1 --- Traceroute test by using dedicated internet line
==========================================
Forti400e01 # exec traceroute-options device port3
Forti400e01 # exec traceroute 91.240.118.105
Forti400e01 # exec traceroute-options device port4
Forti400e01 # exec traceroute 91.240.118.105
Forti400e01 # exec traceroute-options device port5
Forti400e01 # exec traceroute 91.240.118.105
Case 2 --- Traceroute test by using SDWAN rule
=============================================
Forti400e01 # exec traceroute-options source 100.100.100.10
Forti400e01 # exec traceroute-options use-sdwan yes
Forti400e01 # exec traceroute 91.240.118.105
Forti400e01 # exec traceroute-options source 222.222.222.22
Forti400e01 # exec traceroute-options use-sdwan yes
Forti400e01 # exec traceroute 91.240.118.105
Forti400e01 # exec traceroute-options source 111.111.111.11
Forti400e01 # exec traceroute-options use-sdwan yes
Forti400e01 # exec traceroute 91.240.118.105
Case 3 -- Traceroute test by using Source IP
==============================================
Forti400e01 # exec traceroute-options source 100.100.100.10
Forti400e01 # exec traceroute 91.240.118.105
Forti400e01 # exec traceroute-options source 222.222.222.22
Forti400e01 # exec traceroute 91.240.118.105
Forti400e01 # exec traceroute-options source 111.111.111.11
Forti400e01 # exec traceroute 91.240.118.105
Test results:
==========
For case 1, every 'traceroute' completes perfectly;
For case 3, most 'traceroute' runs complete (around 1 or 2 failures in 10 runs);
For case 2, most 'traceroute' runs cannot be performed (failure about 70% of the time).
The cause is found in the Route Cache (Forti400e01 # diag ip rtcache list):
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
100.100.100.10@0->91.240.118.105@11(port4) gwy=222.222.222.2 prefsrc=0.0.0.0
ci: ref=0 lastused=41 expire=0 err=00000000 used=12 br=0 pmtu=1500
What is the reason the test always goes to the wrong gateway (from port3 --> port4)?
Any issue with my test? Any suggestion/recommendation?
With many thanks
Benson
Hi,
What is the purpose of the test, or what are you aiming for? Do you expect traffic sourced with the source IP of isp1 and sent out through isp2 to be routed back to the isp2 interface by isp2 and the other upstreams in the path towards 91.240.118.105?
best regards,
Jin
Thanks for your reply. My queries/questions/concerns:
1. What is the reason that, when I do a traceroute with source IP = isp1, the traffic goes through the wrong and not-working gateway/isp2 (and not through isp1)? By what condition/standard/configuration/policy/route does the FortiGate make this decision?
2. Can I change these conditions/standards/configuration/policies/routes?
Thanks a lot
Benson
Hi Benson,
During test 2 and test 3, were any changes made to the routing table or config, or were both tests done with the same configuration? Was there a route in the route table for destination 91.240.118.105 during either the test 2 or test 3 case?
Best regards,
Jin
Created on 10-12-2022 02:36 AM Edited on 10-12-2022 02:44 AM
Hi, Jin,
Same configuration for all tests; and the default route 0.0.0.0 0.0.0.0 for all internet lines is as below:
Forti400e01 # get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 100.100.100.1, port3
[1/0] via 222.222.222.2, port4
[1/0] via 111.111.111.1, port5
Forti400e01 # diag sys sdwan service
.....
.....
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance hash-mode=round-robin)
Members(3):
1: Seq_num(1 port3), alive, sla(0x1), gid(2), num of pass(1), selected
2: Seq_num(2 port4), alive, sla(0x1), gid(2), num of pass(1), selected
3: Seq_num(3 port5), alive, sla(0x1), gid(2), num of pass(1), selected
Src address(1):
0.0.0.0-255.255.255.255
Dst address(1):
0.0.0.0-255.255.255.255
....
Forti400e01 #
Thanks
Benson
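To spot this kind of source/egress mismatch across a whole route cache rather than by eye, here is an added example (not from this thread or from Fortinet) that parses `diag ip rtcache list` output and flags entries whose source address does not belong to the subnet of the egress interface. The interface subnets are an assumption (/24s derived from the static-route gateways quoted above), and the second cache entry in the sample is constructed.

```python
import ipaddress
import re

# Constructed sample: the rtcache entry quoted in the thread, plus a second
# constructed entry whose egress interface does match its source address.
SAMPLE_RTCACHE = """\
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
100.100.100.10@0->91.240.118.105@11(port4) gwy=222.222.222.2 prefsrc=0.0.0.0
ci: ref=0 lastused=41 expire=0 err=00000000 used=12 br=0 pmtu=1500
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
111.111.111.11@0->91.240.118.105@12(port5) gwy=111.111.111.1 prefsrc=0.0.0.0
ci: ref=0 lastused=3 expire=0 err=00000000 used=2 br=0 pmtu=1500
"""

# Assumed WAN addressing: /24 masks inferred from the static-route gateways.
WAN_NETS = {
    "port3": ipaddress.ip_network("100.100.100.0/24"),
    "port4": ipaddress.ip_network("222.222.222.0/24"),
    "port5": ipaddress.ip_network("111.111.111.0/24"),
}

# Matches the "src@idx->dst@idx(dev) gwy=..." line of each cache entry.
ENTRY_RE = re.compile(
    r"^(?P<src>[\d.]+)@\d+->(?P<dst>[\d.]+)@\d+\((?P<dev>\w+)\)\s+gwy=(?P<gwy>[\d.]+)"
)


def parse_rtcache(text):
    """Return one dict per src->dst line found in rtcache output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_asymmetric(entries, wan_nets):
    """Return entries whose source IP is not inside the egress interface's subnet,
    annotated with the interface that subnet-wise owns the source address."""
    bad = []
    for e in entries:
        src = ipaddress.ip_address(e["src"])
        net = wan_nets.get(e["dev"])
        if net is not None and src not in net:
            owner = [d for d, n in wan_nets.items() if src in n]
            bad.append({**e, "expected_dev": owner[0] if owner else None})
    return bad


if __name__ == "__main__":
    for e in find_asymmetric(parse_rtcache(SAMPLE_RTCACHE), WAN_NETS):
        print(f"{e['src']}->{e['dst']} leaves via {e['dev']} (gwy {e['gwy']}) "
              f"but the source address belongs to {e['expected_dev']}")
```

Run against real output, it reports the entry from the thread (source on port3, egress port4) and stays silent on entries where source and egress agree.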
Hi Jin,
Traceroute and ping test failures are found with the SDWAN configuration of 3 internet lines;
This problem seems not to be found with the SDWAN configuration of 2 internet lines;
I shall verify this problem (by upgrading the FortiOS to v7.2.2).
Thanks so much for your kind input in advance.
Hello,
The difference between your Test 1 and Test 3 cases is the source. In the first case, you are specifying the source interface. So basically, you are "skipping" the whole routing lookup; there is just a check whether a route to the destination via that interface exists, to get the gateway. And then the source IP is taken from the outgoing interface.
In test case scenario 3, you are specifying the source IP address. Without the use of SD-WAN, FortiOS will do a standard routing lookup. The only difference is that it will select the outgoing route based on the ldb-algorithm, and it will use the IP you already specified for the hash (not sure what you mean by SDWAN mode round-robin and load-balance mode source-dest-ip).
And that's it. Do not expect that if you specify source-ip traffic will leave via interface that has this IP address.
I am not sure if it clarifies anything, but if you have any questions, let me know.
Created on 10-12-2022 08:51 PM Edited on 10-13-2022 12:45 AM
Hi, guys,
Thanks so much for your inputs.
Based on your document:
SD-WAN Architecture for Enterprise | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library
Once configured, SD-WAN takes the responsibility of intelligent traffic steering. But how does it interact with the traditional routing subsystem?
The following main rules apply by default:
The best route to the destination must point to any SD-WAN Member—not necessarily the one selected to forward the traffic. This check allows you to easily fit SD-WAN functionality into your existing network topology without disrupting services that are not supposed to be handled by SD-WAN. For example, you may have an out-of-band management network or a group of sites that have not (yet) migrated to SD-WAN. If the best route to the destination does not point to your SD-WAN bundle, the traffic will be handled by conventional routing.
On one of our Fortigates with an SDWAN of 2 internet lines, there is no problem with the traceroute tests (case 1, case 2, case 3).
But the traceroute test fails in both case 2 and case 3 with an SDWAN of 3 internet lines (SDWAN issue for 3 lines?).
P.S. The above traceroute test results apply to all SDWAN service-rule cases (lowest cost (SLA), Maximize Bandwidth (SLA), ...).
Created on 10-17-2022 11:39 PM Edited on 10-18-2022 03:08 AM
Hi, guys,
May I know what the item "Device: auto" means in the output of the following commands?
Forti400e_1 # exec traceroute-options source 111.111.111.11
Forti400e_1 # exec traceroute-options view-settings
Traceroute Options:
Number of probes per hop: 3
Source Address: 111.111.111.11
Device: auto
Use SD-WAN: no
Thanks a lot