HeshanDeeyagaha
New Contributor II

Need Routing Help

I'm troubleshooting this connection:

Source - 10.19.19.20 (Connected subnet)
Destination - 10.15.1.1 (SD-WAN tunnel)

TXS-FW1 # get router info routing-table details 10.15.1.1
Routing table for VRF=0
Routing entry for 10.15.1.0/24
Known via "ospf", distance 110, metric 101, best
Last update 02w2d21h ago
* via SD1 tunnel 173.246.159.190
* via SD2 tunnel 173.246.159.246
TXS-FW1 #

TXS-FW1 # dia ip proute match 10.15.1.1 10.19.19.20 TXS-VMWD-NET 6 161
dst=10.15.1.1 src=10.19.19.20 smac=00:00:00:00:00:00 iif=67 protocol=6 dport=161
id=7f000002 type=SDWAN
seq-num=2 oif=61(ATT) >>>Shows it matches to SD-WAN rule 2

SD-WAN rule 2

============
TXS-FW1 # show system sdwan | grep -f Internet
config system sdwan
set status enable
config health-check
edit "Internet" ---
set server "8.8.8.8"
set members 7 8
next
end
config service
edit 2
set name "Internet" ---
set mode priority
set dst "all"
set src "all"
set health-check "Internet" ---
set priority-members 7 8
set priority-zone "virtual-wan-link"
next
end
end

But it should match this SD-WAN rule:
TXS-FW1 # show system sdwan | grep -f Toronto_Cacti
config system sdwan
set status enable
config service
edit 4
set name "Cacti" ---
set mode priority
set dst "MGMT-NET"
set src "CactiServer"
set health-check "Toronto"
set priority-members 5 6
set priority-zone "Toronto"
next
end
end

TXS-FW1 # show firewall address CactiServer
config firewall address
edit "CactiServer"
set uuid 6c9ba474-6381-51ee-1223-380a0f40d3d7
set subnet 10.19.19.20 255.255.255.255
next
end

TXS-FW1 # show firewall address MGMT-NET
config firewall address
edit "MGMT-NET"
set uuid b58cf592-24df-51ee-291e-6f4307a9dea0
set color 7
set subnet 10.15.1.0 255.255.255.0
next
end

Default Route
===========
TXS-FW1 # show router static 1
config router static
edit 1
set distance 1
set sdwan-zone "virtual-wan-link"
next
end

TXS-FW1 #
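The two rules quoted above are evaluated the way every FortiGate SD-WAN rule table is evaluated: top to bottom in table order, first match wins, and the rule ID (2, 4) only identifies the entry, it does not sort it. The added example below, which is not from the original post or from Fortinet, reproduces that first-match check over the address objects and rules shown in the thread so the reader can see which rule the 10.19.19.20 -> 10.15.1.1 flow lands on in the configured order and what changes when the specific rule sits above the catch-all. The `members_alive` flag is an assumption standing in for the health-check state of a rule's priority members (a rule whose members are all dead is skipped); neither rule restricts protocol or port, so `protocol=6 dport=161` from the `proute match` output is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Address objects exactly as shown in the thread; "all" is the implicit any-address object.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "CactiServer": ipaddress.ip_network("10.19.19.20/32"),
    "MGMT-NET": ipaddress.ip_network("10.15.1.0/24"),
}


@dataclass
class SdwanRule:
    seq: int                 # the "edit N" ID, an identifier only
    name: str
    src: str                 # firewall address object name
    dst: str                 # firewall address object name
    priority_members: tuple  # interface member IDs from "set priority-members"
    members_alive: bool = True  # assumption: at least one member passes its health-check


def rule_matches(rule: SdwanRule, src_ip: str, dst_ip: str) -> bool:
    """A rule matches when src and dst fall inside its address objects and it has a live member."""
    return (
        ipaddress.ip_address(src_ip) in ADDRESSES[rule.src]
        and ipaddress.ip_address(dst_ip) in ADDRESSES[rule.dst]
        and rule.members_alive
    )


def select_rule(rules: list, src_ip: str, dst_ip: str):
    """First-match evaluation in table order; returns the matching rule or None."""
    for rule in rules:  # iteration order == position in the SD-WAN rule table
        if rule_matches(rule, src_ip, dst_ip):
            return rule
    return None


# Rules copied from the thread, in the order the config lists them (rule 2 before rule 4).
RULES_AS_CONFIGURED = [
    SdwanRule(2, "Internet", "all", "all", (7, 8)),
    SdwanRule(4, "Cacti", "CactiServer", "MGMT-NET", (5, 6)),
]


def matched_seq(rules: list, src_ip: str, dst_ip: str):
    """Convenience wrapper returning only the seq-num, like the 'seq-num=' field of proute match."""
    rule = select_rule(rules, src_ip, dst_ip)
    return rule.seq if rule else None


def compare_orderings(src_ip: str = "10.19.19.20", dst_ip: str = "10.15.1.1"):
    """Return (seq in configured order, seq with rule 4 moved above rule 2)."""
    specific_first = [RULES_AS_CONFIGURED[1], RULES_AS_CONFIGURED[0]]
    return matched_seq(RULES_AS_CONFIGURED, src_ip, dst_ip), matched_seq(specific_first, src_ip, dst_ip)


if __name__ == "__main__":
    configured, reordered = compare_orderings()
    print(f"configured order -> seq-num={configured}")   # catch-all rule 2 wins
    print(f"rule 4 moved up  -> seq-num={reordered}")    # specific rule 4 wins
```

Running it shows the catch-all rule (src all / dst all) absorbing the flow whenever it sits above the specific rule, which is what `seq-num=2` in the `proute match` output reports; moving the specific rule above it changes the result, and if that rule's members were all dead it would be skipped and the flow would fall back to the catch-all again. On the firewall itself, `diag sys sdwan service` (suggested later in the thread) lists the rules in their evaluation order together with member health.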

bpozdena_FTNT

Hi @HeshanDeeyagaha,

Your first troubleshooting step should be collecting a packet flow debug while generating the affected traffic. Feel free to share the output here if needed.


Example:

diagnose debug enable
diagnose debug flow filter addr 10.15.1.1
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 5


Useful resources:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/54688/debugging-the-packet-flow

HTH,
Boris
akristof
Staff

Hi,


As Boris mentioned, first run debug flow, where we will see exactly which policy route and which route was selected. Then, for further analysis, we will need a few more details about the config and routing:


get router info routing-table all
diag firewall proute list
diag sys sdwan service
diag sys sdwan member


Adrian
HeshanDeeyagaha
New Contributor II

Thanks guys, I will get this on non-prod and check what you have asked for.

goro23
New Contributor

I think I have your wording confused. You say VPN traffic never hits your router (the pfsense box)? If that's the case then pfsense would just need a static route to know how to route traffic to get to the VPN network.

10.0.0.0.1 192.168.1.254
HeshanDeeyagaha

Sir, I think you are commenting on the wrong thread. No VPN, no pfSense.
