OS - 6.4
I am trying to understand the behavior with this setting and when it should be used.
Assuming we have multiple Internet healthchecks with this setting enabled across multiple SD WAN rules we use for steering, what would the impact be?
Based on this article it sounds like it would remove our default route, which we probably don't want.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD44679
I am probably missing something here. Any guidance would be much appreciated.
Hello,
The suggestion in this article is correct and could be applied in many cases.
Below is an example:
Internal_Network -------- FGT ---wan1--------- Internet
Internal_Network -------- FGT ---wan2--------- Internet
You have 2 WAN interfaces, wan1 and wan2 which are part of SD-WAN and have a health-check configured for SD-WAN members pinging to public servers. For example 8.8.8.8 and 1.1.1.1
The purpose of the health-check is to confirm the reachability to the Internet from the WAN interfaces or in other words to make sure that the WAN interface could route the traffic to the Internet.
So, let's say we are pinging servers 8.8.8.8 and 1.1.1.1 and we don't get any response from those servers on the wan1 interface. Then we could remove the default static route associated with the wan1 interface and route traffic to wan2, because we know that the Internet connection is not working from that interface even when the interface is up. That's the use of update-static-route.
If you don't have update-static-route enabled, then the route would still be there in the routing table even when the wan1 interface can't route traffic to the Internet. So, the traffic won't fail over from wan1 to wan2 in that case.
The route would be added back when the health-check is active or the servers start replying to the queries.
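To make the behaviour described above concrete, here is an added FortiOS 6.4 CLI example (not from the poster or from the KB article) of the pieces involved: two SD-WAN members with one default static route each, and a health-check with update-static-route enabled. The interface names, gateway addresses and SLA thresholds are assumed values for illustration.

```fortios
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1      # assumed ISP1 gateway
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1     # assumed ISP2 gateway
        next
    end
    config health-check
        edit "Internet"
            set server "8.8.8.8"         # public server probed from each member
            set members 1 2
            # enable (the default): when all probes on a member fail, the
            # static routes below that point out of that member's interface
            # are withdrawn from the routing table, so traffic follows the
            # remaining default route. They are reinstated once the probes
            # answer again.
            # disable: the route stays installed even when the member cannot
            # reach the Internet; only SD-WAN rules (SLA) steer around it.
            set update-static-route enable
            config sla
                edit 1
                    set latency-threshold 250   # assumed, ms
                    set packetloss-threshold 1  # assumed, percent
                next
            end
        next
    end
end
# One default route per ISP, same distance and priority, as in the
# per-ISP design discussed later in this thread. update-static-route
# acts on these routes (matched by device), not on the health-check itself.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
    next
end
```

Note that route withdrawal is triggered by probe failure (link dead), not by an SLA miss such as a latency spike; an out-of-SLA member keeps its route and is handled by the SD-WAN rule's SLA mode instead.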
If we apply an SLA to the SD-WAN rule (internet for WAN1 and WAN2) and WAN1 is out of SLA, even if the static route is not removed, shouldn't traffic still fail over to WAN2 since WAN1 is out of SLA? I do not see the benefit of this option. In more cases it has caused issues where WAN1 is out of SLA but is still up and functional. Routes are removed for the interface, and then it removes the default route. Now any IPsec tunnel that is associated with WAN1 no longer has a route. Even though the tunnel is up and traffic should be routing over that tunnel, it is not. Even though WAN1 might have just had a latency spike or 1% packet loss causing it to go out of SLA, now any IPsec tunnel for WAN1 is affected. This is not enough to bring down the interface, but this option will, and it has seemed to cause us more issues than it is beneficial.
The answer seems obvious, so much so I'd like to know a use case where you wouldn't want the route removed. Someone once lectured me on why you SHOULDN'T enable this - I wasn't paying close enough attention and forgot.
Related, does the answer change if you're using 2 routes (1 to wan1 and 1 to wan2) versus a single route to the SDWAN interface (as we've been doing on newer deployments)?
Created on 10-20-2022 09:52 AM Edited on 10-20-2022 09:53 AM
We deployed FortiGates to almost 30 sites. Each site had at least 2 WAN circuits. We originally had deployed them with the SD-WAN default route. We then started to wrap IPsec tunnels into SD-WAN zones. Now that default route applies to every tunnel. So potentially any route could go across a tunnel, especially if you use 0.0.0.0 for Phase 2. This was causing us way too many issues, so we went back through all of our FortiGates, removed the SD-WAN default route and just created default routes for each ISP and gave them the same cost. A lot of the material in the guides does not account for these types of issues; especially if you add IPsec tunnels to the SD-WAN zone, internet traffic will route out a tunnel. The only way we were able to keep internet traffic from heading through a tunnel was to add a higher priority to the SD-WAN members for the IPsec tunnels.
Have you also experienced problems using two different SD-WAN zones?
One dedicated for Internet and one dedicated for VPN?