Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiTester
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- OVERLAY NETWORK CAN NOT BE REACHED SD-WAN BGP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OVERLAY NETWORK CAN NOT BE REACHED SD-WAN BGP
Hello team
We have configured the SD-WAN network, now the FGT 70 is at brach and FGT 200F at HQ, now all Underlay Network is reached through ISP means 70F at branch can ping 200F at HQ ,but LAN network is not reached trough Overlay
what is the issue?
ALMkunwa
Solved! Go to Solution.
ALMkunwa
Labels:
- Labels:
-
SD-WAN
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Team we found the Solution ,
The solution is we were not advertise the LAN network that is why the branch did not see the network so we use Default route originate command to advertise the LAN network and it works
ALMkunwa
ALMkunwa
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Aidnet,
Thank you for reaching out. This sounds like a traffic issue. I assume the overlay interfaces are ipsec tunnels and phase1 and 2 on the tunnel is up. I assume also that phase 2 selectors have correct subnets on both ends if applicable. You will need to check routing first making sure the advertised and received subnets are showing properly in the routing table:
# get router info routing-table bgp
# get router info routing-table all
# get router info routing-table details x.x.x.x ---------- the subnet you are looking up
# get router info bgp summary -------- gives you a list of all bgp neighbors and their ip
# get router info bgp neighbors y.y.y.y advertised-routes --------- this should be the neighbor ip
# get router info bgp neighbors y.y.y.y received-routes
- If all is good on routing side then you will have to check if sdwan rules are setup correctly and the correct overlay interface is selected. You will also need to check if performance sla is used that the interfaces are showing up. This can be done from gui: "Network>SDWAN"
- If you are using any options to prefer a specific route using SDWAN that is not listed on the advertised or received routes on bgp by changing cost for example for the overlay interface while using lowest-cost strategy or using priority with manual strategy then try to match your config to the bgp active routes.
- If routing and sdwan is good then check firewall policies and make sure interfaces, source and destination and services, etc are all correct.
I recommend if the fortigates have support contract to open a support ticket as this is a complicated subject specially with the involvement of bgp routing and sdwan.
Thank you,
saleha
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as of now HQ FW 200F it can see Branch 70F LAN Network, and it can ping the LAN user IP, But The 70F Branch FW it can't see the HQ 200F LAN Networks... so LAN to LAN can't reach each other
ALMkunwa
ALMkunwa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Verify if the BGP neighbours are up
get router info bgp summary
2.Check if there is valid route to the bgp destination via the overlay
get router info routing-table details <destination ip>
Also check if the route is received via bgp peer
get router info bgp neighbor <ip address of the neighbor> received-routes
3. Check if there is a firewall policy to allow this traffic
4. Check if SDWAN rules are in the correct order and if the correct outgoing interface is selected. Also, if you are using performance SLAs make sure the SLAs are up
5.Run following debugs and upload
di de flow filter <dst ip>
di de flow filter proto 1
di de flow show function-name en
di de flow trace start 100
di de en
On CLI2
di sniffer packet any 'host <dest ip> and icmp' 4 0 l
Ping the destination
Amritpal Singh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as of now HQ FW 200F it can see Branch 70F LAN Network, and it can ping the LAN user IP, But The 70F Branch FW it can't see the HQ 200F LAN Networks... so LAN to LAN can't reach each other.
ALMkunwa
ALMkunwa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The underlay network is ok, HQ and Branch FW can ping each other.
But on the Branch FW you cannot see the LAN network from the Branch if you run get router info routing-table all.
but in the HQ if you run get router info routing-table all, you can see the LAN network.
ALMkunwa
ALMkunwa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please provide the following debugs from the 70F
get router info bgp summary -- mention the peer bgp ip
get router info routing-table details <destination lan ip>
CLI1
di de flow filter <dst ip>
di de flow filter proto 1
di de flow show function-name en
di de flow trace start 100
di de en
CLI2:di sniffer packet any 'host <dest ip> and icmp' 4 0 l
Ping the destination
Also check the firewall rules and sdwan rules
Without checking the above debugs, it is not possible to find the root cause
Amritpal Singh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the underlay network is ok, HQ and Branch FW can ping each other.
But on the Branch FW you cannot see the LAN network from the Branch if you run get router info routing-table all.
but in the HQ if you run get router info routing-table all, you can see the LAN network.
ALMkunwa
ALMkunwa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Team we found the Solution ,
The solution is we were not advertise the LAN network that is why the branch did not see the network so we use Default route originate command to advertise the LAN network and it works
ALMkunwa
ALMkunwa
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- vivaldi browser wont reach any webpage 1720 Views
- Fortigate 7.4 IKEv2 Dial-In Clients cannot... 417 Views
- Fortinet Developer Network Access 241 Views
- Dual ISP Failover with Azure VPN... 345 Views
Labels
-
FortiGate
7,515 -
FortiClient
1,478 -
5.2
801 -
FortiManager
641 -
5.4
639 -
FortiAnalyzer
488 -
6.0
416 -
FortiAP
391 -
FortiSwitch
388 -
5.6
362 -
FortiClient EMS
319 -
FortiMail
288 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
182 -
FortiNAC
140 -
SSL-VPN
132 -
6.4
128 -
IPsec
127 -
FortiGuard
122 -
FortiGateCloud
97 -
FortiCloud Products
93 -
FortiSIEM
92 -
FortiToken
80 -
Customer Service
73 -
Wireless Controller
68 -
SD-WAN
66 -
4.0MR3
64 -
FortiProxy
54 -
FortiEDR
48 -
FortiADC
48 -
FortiAuthenticator
47 -
Fortivoice
46 -
FortiDNS
43 -
Firewall policy
42 -
FortiSandbox
39 -
FortiExtender
39 -
VLAN
37 -
FortiGate v5.4
36 -
High Availability
34 -
FortiSwitch v6.4
32 -
DNS
28 -
BGP
27 -
LDAP
27 -
FortiConnect
26 -
ZTNA
26 -
FortiGate v5.2
24 -
FortiWAN
24 -
Routing
24 -
FortiConverter
23 -
Interface
23 -
SAML
22 -
Certificate
22 -
Authentication
21 -
FortiSwitch v6.2
20 -
NAT
20 -
VDOM
19 -
FortiLink
19 -
FortiPortal
18 -
RADIUS
16 -
Logging
16 -
FortiMonitor
16 -
Virtual IP
16 -
Web profile
16 -
FortiGate v5.0
15 -
SSL SSH inspection
15 -
Fortigate Cloud
14 -
FortiDDoS
14 -
SSO
14 -
Application control
14 -
Traffic shaping
13 -
FortiManager v5.0
12 -
FortiCASB
12 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SSID
10 -
Static route
10 -
WAN optimization
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
SNMP
9 -
RMA Information and Announcements
9 -
OSPF
9 -
FortiAP profile
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
Admin
8 -
Security profile
8 -
Proxy policy
8 -
Web application firewall profile
8 -
4.0
7 -
FortiCache
7 -
Automation
7 -
trunk
6 -
Packet capture
6 -
IPS signature
6 -
Antivirus profile
6 -
Traffic shaping policy
6 -
System settings
6 -
FortiCarrier
5 -
FortiDirector
5 -
DNS Filter
5 -
FortiPAM
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
Intrusion prevention
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiToken Cloud
4 -
FortiScan
4 -
Explicit proxy
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
DoS policy
4 -
Web rating
4 -
FortiInsight
3 -
FortiDB
3 -
FortiCWP
3 -
FortiHypervisor
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
Email filter profile
3 -
Fabric connector
3 -
File filter
3 -
Multicast routing
3 -
FortiAI
2 -
FortiNDR
2 -
Internet service database
2 -
Netflow
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
VoIP profile
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
Kerberos
1 -
RIP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1277 | |
| 943 | |
| 676 | |
| 441 | |
| 177 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.