FortiGate 7.4.3 using both VM and 60F platforms.
I set up two tunnels in a zone with duplication=force outbound and de-duplication enabled inbound. On the originating side, outbound packets are duplicated on both tunnels and are de-duplicated on the receiving end. This works both ways. However, if I ping or try a TCP connection, the response packets sent from the other end are not duplicated.
I ran the Debug Flow and it clearly states in the log if it is duplicating or not, and for established sessions for "return" traffic it always picks the input interface of the session to send the data to, and does not take the extra step to duplicate to the other zone member.
Is this by design, a bug, or a configuration error? I scoured config flags to see what is related to duplication and found nothing there.
Hello there:
The duplication works only in original direction.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-duplication-in-SD-WAN/ta-p/258997
Hope that helps!
I appreciate the response, and I had read that tech tip before. I am uncertain then as to the usefulness of this feature unless one is only streaming UDP. I was hoping this feature would give us resiliency with no outage. If the receiver is randomly picking the ingress link (I suppose whichever copy arrives first) for that ping or TCP connection etc., and that link happens to get cut, then replies are lost until we recognize the tunnel is down and all sessions are on the other tunnel.
Did anyone ever figure out if it's possible to ensure return traffic is also duplicated, or at the very least returned on the same interface it was accepted on?
If we have two WANs, a session is established on WAN 1, we are duplicating over both WANs to our hub (spoke-to-hub session), and WAN 1 fails, packets will continue to flow into the hub on WAN 2 but be returned on the dead WAN 1 until DPD tears the tunnel down.
This completely defeats the purpose of duplication. What am I missing here?
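As an added illustration (not from this thread and not FortiOS code), the following Python is a deliberately simplified model of the behaviour the thread describes: the spoke duplicates forward packets onto every tunnel, the hub de-duplicates by (session, sequence) and pins the session to the tunnel the first copy arrived on, and replies leave only on that pinned tunnel until a constructed DPD threshold tears it down. Tunnel names, the session id and the DPD threshold are all assumptions.

```python
from dataclasses import dataclass, field

DPD_FAILURES = 3  # constructed: consecutive failed probes before a tunnel is torn down


@dataclass
class Hub:
    """Receiver side: de-duplicates forward packets, pins replies to the ingress tunnel."""
    seen: set = field(default_factory=set)      # (session, seq) already accepted
    pinned: dict = field(default_factory=dict)  # session -> tunnel of first arrival

    def receive(self, session, seq, tunnel):
        """Return True if this copy is accepted, False if dropped as a duplicate."""
        if (session, seq) in self.seen:
            return False
        self.seen.add((session, seq))
        self.pinned.setdefault(session, tunnel)  # "whoever arrives first" wins
        return True


def simulate(steps, session="tcp-1"):
    """steps: one {tunnel: up?} dict per time step. Returns [(forward_ok, reply_ok), ...]."""
    hub, down_count, out = Hub(), {}, []
    for seq, state in enumerate(steps):
        # Spoke duplicates packet `seq` onto every tunnel; only up tunnels deliver it.
        forward_ok = False
        for tunnel, up in state.items():
            if up and hub.receive(session, seq, tunnel):
                forward_ok = True
        # DPD on the hub: a tunnel is declared dead only after repeated failures.
        for tunnel, up in state.items():
            down_count[tunnel] = 0 if up else down_count.get(tunnel, 0) + 1
        reply_tunnel = hub.pinned.get(session)
        if reply_tunnel is not None and down_count[reply_tunnel] >= DPD_FAILURES:
            live = [t for t, up in state.items() if up]
            hub.pinned[session] = reply_tunnel = live[0] if live else None
        # The reply is NOT duplicated: it only leaves on the pinned tunnel.
        reply_ok = forward_ok and reply_tunnel is not None and state[reply_tunnel]
        out.append((forward_ok, reply_ok))
    return out


if __name__ == "__main__":
    # Constructed timeline: both tunnels up, then tunnel A is cut while B stays up.
    timeline = [{"A": True, "B": True}] * 2 + [{"A": False, "B": True}] * 5
    for step, (fwd, rep) in enumerate(simulate(timeline)):
        print(f"step {step}: forward delivered={fwd} reply delivered={rep}")
```

The output shows forward packets still arriving via B after A is cut while replies are lost for every step until the DPD threshold moves the session, which is the outage window the post above is asking about.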