Hello team,
We have configured the SD-WAN network. The FGT 70F is at the branch and the FGT 200F at HQ. The underlay network is reachable through the ISP, meaning the 70F at the branch can ping the 200F at HQ, but the LAN network is not reachable through the overlay.
What is the issue?
Hello team, we found the solution.
The solution is that we were not advertising the LAN network, which is why the branch did not see the network. So we used the default route originate command to advertise the LAN network, and it works.
Hi Aidnet,
Thank you for reaching out. This sounds like a traffic issue. I assume the overlay interfaces are IPsec tunnels and that phase 1 and phase 2 on the tunnel are up. I also assume that the phase 2 selectors have the correct subnets on both ends, if applicable. You will need to check routing first, making sure the advertised and received subnets are showing properly in the routing table:
# get router info routing-table bgp
# get router info routing-table all
# get router info routing-table details x.x.x.x ---------- x.x.x.x is the subnet you are looking up
# get router info bgp summary -------- gives you a list of all BGP neighbors and their IPs
# get router info bgp neighbors y.y.y.y advertised-routes --------- y.y.y.y is the neighbor IP
# get router info bgp neighbors y.y.y.y received-routes
- If all is good on the routing side, then you will have to check whether the SD-WAN rules are set up correctly and the correct overlay interface is selected. If performance SLA is used, you will also need to check that the interfaces are showing up. This can be done from the GUI: "Network > SD-WAN".
- If you are using any SD-WAN option to prefer a specific route that is not listed in the advertised or received routes on BGP (for example by changing the cost of the overlay interface while using the lowest-cost strategy, or by using priority with the manual strategy), then try to match your config to the BGP active routes.
- If routing and SD-WAN are good, then check the firewall policies and make sure the interfaces, source and destination, services, etc. are all correct.
If the FortiGates have a support contract, I recommend opening a support ticket, as this is a complicated subject, especially with the involvement of BGP routing and SD-WAN.
Thank you,
saleha
As of now the HQ FW 200F can see the branch 70F LAN network and can ping the LAN user IP, but the 70F branch FW can't see the HQ 200F LAN networks, so LAN to LAN can't reach each other.
1. Verify if the BGP neighbours are up
get router info bgp summary
2. Check if there is a valid route to the BGP destination via the overlay
get router info routing-table details <destination ip>
Also check if the route is received via bgp peer
get router info bgp neighbor <ip address of the neighbor> received-routes
3. Check if there is a firewall policy to allow this traffic
4. Check if the SD-WAN rules are in the correct order and if the correct outgoing interface is selected. Also, if you are using performance SLAs, make sure the SLAs are up
5. Run the following debugs and upload the output
di de flow filter <dst ip>
di de flow filter proto 1
di de flow show function-name en
di de flow trace start 100
di de en
On CLI2
di sniffer packet any 'host <dest ip> and icmp' 4 0 l
Ping the destination
The underlay network is OK; HQ and branch FW can ping each other.
But on the branch FW you cannot see the LAN network from the branch if you run get router info routing-table all,
whereas in the HQ, if you run get router info routing-table all, you can see the LAN network.
Please provide the following debugs from the 70F:
get router info bgp summary -- and mention the peer BGP IP
get router info routing-table details <destination lan ip>
CLI1
di de flow filter <dst ip>
di de flow filter proto 1
di de flow show function-name en
di de flow trace start 100
di de en
CLI2: di sniffer packet any 'host <dest ip> and icmp' 4 0 l
Ping the destination
Also check the firewall rules and SD-WAN rules.
Without checking the above debugs, it is not possible to find the root cause.
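The routing checks that saleha's reply and the two step-by-step replies above ask for (is the BGP neighbour Established, is it sending prefixes, does the routing table hold a route for the remote LAN, and does that route leave via the overlay tunnel) can be scripted against pasted CLI output. The following is an added example, not code from this thread or from Fortinet: it parses the text of get router info bgp summary and get router info routing-table all and reports why a remote LAN is unreachable over the overlay. The sample outputs are constructed to resemble the FortiOS format rather than captured from a device, and the tunnel name HQ-VPN1, AS 65000 and all addresses are assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class BgpNeighbor:
    ip: str
    remote_as: int
    state: str              # "Established", or the state word FortiOS prints (Idle, Active, ...)
    prefixes_received: int

@dataclass
class Route:
    protocol: str           # FortiOS route code: B = BGP, S = static, C = connected
    prefix: str
    next_hop: str           # empty for connected routes
    interface: str

# Neighbour row of "get router info bgp summary":
#   Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3})\s+4\s+(?P<asn>\d+)(?:\s+\d+){5}\s+\S+\s+(?P<state>\S+)$"
)
# Route rows of "get router info routing-table all" (BGP with recursive next hop,
# static "via x.x.x.x, port", and "is directly connected, port" shapes are handled).
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\*?\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nh>\d+(?:\.\d+){3})|is directly connected)"
)
IFACE_RE = re.compile(r"(?:directly connected|via \d+(?:\.\d+){3}),\s*(?P<iface>[A-Za-z][\w.-]*)")

def parse_bgp_summary(text):
    """Return the neighbour rows of a 'get router info bgp summary' dump."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue
        state = m.group("state")
        # Once Established, FortiOS prints the received-prefix count in State/PfxRcd.
        if state.isdigit():
            neighbors.append(BgpNeighbor(m.group("ip"), int(m.group("asn")), "Established", int(state)))
        else:
            neighbors.append(BgpNeighbor(m.group("ip"), int(m.group("asn")), state, 0))
    return neighbors

def parse_routing_table(text):
    """Return the route rows of a 'get router info routing-table all' dump."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        im = IFACE_RE.search(line)
        routes.append(Route(m.group("proto"), m.group("prefix"), m.group("nh") or "",
                            im.group("iface") if im else ""))
    return routes

def best_route(routes, destination):
    """Longest-prefix match for destination (address or prefix); None if unrouted."""
    target = ip_network(destination, strict=False)
    candidates = [r for r in routes if ip_network(r.prefix).supernet_of(target)]
    return max(candidates, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

def triage(bgp_summary, routing_table, remote_lan, overlay_interfaces):
    """Return (ok, findings): ok only when the best route to remote_lan uses an overlay interface."""
    findings = []
    neighbors = parse_bgp_summary(bgp_summary)
    if not neighbors:
        findings.append("no BGP neighbours in summary: check config router bgp and the tunnel")
    for n in neighbors:
        if n.state != "Established":
            findings.append(f"neighbour {n.ip} (AS {n.remote_as}) is {n.state}, not Established")
        elif n.prefixes_received == 0:
            findings.append(f"neighbour {n.ip} is Established but sent 0 prefixes: peer advertises nothing")
    route = best_route(parse_routing_table(routing_table), remote_lan)
    if route is None:
        findings.append(f"no route to {remote_lan}")
    elif route.interface not in overlay_interfaces:
        findings.append(f"{remote_lan} matches {route.prefix} ({route.protocol}) via {route.interface}, "
                        "which is not an overlay interface")
    return (route is not None and route.interface in overlay_interfaces), findings

# Constructed sample output modelled on the FortiOS format, not captured from a device;
# tunnel name HQ-VPN1, AS 65000 and all addresses are assumptions.
BRANCH_BGP_BROKEN = """\
BGP router identifier 10.10.10.2, local AS number 65000
Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4      65000     210     215        3    0    0 01:45:12        0
"""
BRANCH_RT_BROKEN = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
S*      0.0.0.0/0 [10/0] via 198.51.100.1, port1
C       10.10.10.0/24 is directly connected, HQ-VPN1
C       192.168.10.0/24 is directly connected, port2
"""
# After HQ advertises its LAN: the peer sends one prefix and a BGP route appears via the tunnel.
BRANCH_BGP_FIXED = re.sub(r"(01:45:12)\s+0$", r"\g<1>        1", BRANCH_BGP_BROKEN, flags=re.M)
BRANCH_RT_FIXED = BRANCH_RT_BROKEN + "B       10.20.0.0/24 [200/0] via 10.10.10.1 (recursive is directly connected, HQ-VPN1), 00:03:11\n"
```

Running triage(BRANCH_BGP_BROKEN, BRANCH_RT_BROKEN, "10.20.0.0/24", {"HQ-VPN1"}) reproduces the situation in this thread: the session is Established but the peer sends no prefixes, so the HQ LAN falls to the default route on port1 instead of the tunnel. With the FIXED samples, where HQ advertises its LAN, the same call returns ok with no findings. The regexes are written for the constructed row shapes shown in the comments; a real dump with other route forms (ECMP, VRF headers) may need the patterns extended.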
Copyright 2024 Fortinet, Inc. All Rights Reserved.