Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RolandBaumgaertner72
Contributor

Problems accesing more and more URLs because of SD WAN

Hi,

 

we have a FG100F cluster and are using 3 x WANs to balance our traffic with SD WAN. This configuration is like at least 4 years old and it worked fine but now we get more and more user problems accessing different URLs (e.g ariba.com from SAP) and at the end we have to put more and more adresses in another SD WAN Rule to access only with WAN A. We have now like 10 URLs como exception and I am worried that we are getting more and more.

 

Is there any way to change or adapt the SD Wan for this problems?

 

Thanks!

14 REPLIES 14
jbeesley
New Contributor II

We need more information to resolve this issue.

 

Can you confirm it is SD-WAN that is causing this issue?

Do you have any logs to show that it is SD-WAN that is the problem?

What error message do the users get when going to a problematic site? A block page? If so what kind?

Are you able to replicate this issue by removing the SD-WAN rule for one site?

RolandBaumgaertner72

Yes, with the adress in a SD WAN Rule to only use Wan Interface A the problem was solved. 

 

The access before was just terminated and we found this information from the URL:

Why was my session terminated for security reasons? (ariba.com)

 

Thanks 

jbeesley

So what was the result of a debug flow when the traffic for that site is steered towards interface B or C? Was there a block page or did the page just not load?

How do you know it is not the ISP or an upstream device?

RolandBaumgaertner72

no,  we got a block page. We tried later with different SD WAN Rules over WAN A and WAN B but than it was solved.

jbeesley

Can you run a debug flow and a web filter debug and paste the output here. We need to understand whether it is SD-WAN (which is just policy routes underneath), or something like web filter that is blocking it.

 

To run the debug flow:

diag debug flow filter daddr <resolved-ip-address-of-site>

diag debug flow filter saddr <ip-of-host-you-are-testing-from>

diag debug flow trace start 100

diag debug enable

 

To stop the debug:

diag debug disable

 

To run the web filter debug:

diagnose debug urlfilter src-addr <source-ip>
diagnose debug application urlfilter -1
diagnose debug enable

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-WEB-filtering-rating-problems-when-u...

gfleming

It's literally spelled out in the error message of that URL you posted. Did you read it?

 

"Ariba had to terminate your current session for security reasons because we have identified a discrepancy in your current IP address from the IP address used in previous requests. Please return to the Ariba Login page and log in again to reset your session credentials. "

 

If you're load balancing across 3  WAN links the error message from Ariba makes perfect sense.

 

You need to either create rules that pick only one WAN interface and fails over when SLAs fail or link is down.

 

Or you can tune it so that sessions remain sticky to the same source IP. Try changing the strategy from round robin to source-dest-ip-based or something else.

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/708464/maximize-bandwidth-sl...

Cheers,
Graham
RolandBaumgaertner72

Hi,

 

I checked with anothe FG, updated to 7.,2.4 to get the option source-dest-ip-base. Now in SW WAN in my implicit rule (at the bottom of all rules) I chose now Source-Destination IP. I am not sure where I can find this option in the other rules or dows it automatically apply for them?

SDWanRules.PNG

Thanks

ihaidar

Hi Roland,

 

The Source- Destination Strategy will allow the traffic which is sent from a specific source IP to a specific destination IP to be sent to the same interface.

If you want to create an SD-WAN Rule which will override the implicit rule. You can create a manual strategy and you can assign specific source addresses and destination address to go out from specific WAN Interface. Always configure SD-WAN Rules as most specific at the begining. It will hit those rules first, any traffic that doesnt match those rules will hit the strategy of implicit policy.

In your case, as I can see from the attached screenshot, you have SD-WAN Rules with Source and destination all with criteria packet loss.
This will overide the implicit rule strategy. Traffic will reach internet based on the best WAN interface with less packet loss.
To override this, you can create Source IP ( Your Subnet) and destination IP ( ariba.com), and choose manual strategy and choose specific Interface preference.
As another option, you can delete any SD-WAN rule configured as ALL To ALL. So the traffic hit the implicit rule.

 

Best Regards,
Issa Haidar

Issa Haidar
gfleming

You will only see the option source-dest, etc in SD-WAN rules that are using the "Maximize Bandwidth" strategy. In your case it's likely that is only on the implicit rule.

Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors