- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Route issue or SDWAN issue ?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Route issue or SDWAN issue ?
Hi, guys,
I have a network infrastructure:
1. Three sites: SiteA, SiteB and SiteC;
2. The Forti400E pair sits between SiteA and SiteC;
3. The Forti400E pair has individual static route table for SiteA and SiteC:
4. The Forti400E pair has a SDWAN ( Link01 (port08) and Link02 (port9) ) to SiteC.
5. The SDWAN is using Link01(port8) for primary link to access SiteC ( SDWAN is configured for this ), but the link02 (port9) has better SLA
My problem ( port9 is link02, in my test):
==========================
1. When I just opened the CLI mode, without any specified source interface :
1.1 Pingtest to siteC -- OK!!
1.2 traceroute is OK
2. When I specified an source interface,
2.1 Pintest to siteC failed
2.2 traceroute failed
3. What reason the SDWAN used link02/port9 for accessing SiteC ( not useing link01/port8 ), while specifying the source interface?
Noted: 10.10.32.65 is GW of the link01; 10.10.32.91 is GW of the link02
Test result refers to the attached captured.
Any idea or advice.
Thanks a lot
Benson LEI
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Guys,
When I captured the route..something interesting:
================================
Forti400E_2 # diag ip rtcache list
No specified source interface: ===============================
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200 0.0.0.0@0->10.131.1.23@16(port8) gwy=10.10.32.65 prefsrc=10.10.32.70 ci: ref=0 lastused=0 expire=0 err=00000000 used=0 br=0 pmtu=1500
With specified source interface : =================================
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200 10.16.1.254@0->10.131.1.23@17(port9) gwy=10.10.32.91 prefsrc=0.0.0.0 ci: ref=0 lastused=0 expire=0 err=00000000 used=0 br=0 pmtu=1500
My finding:
=======
1. When no specified source interface....route path is using SDWAN for decision making
2. When specified source interface ... route path is using static route for decision making
My guess is correct, thx ?
Thanks a lot
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately you did not wirte the ip config of the link01 and link02 interface.
Do you have corresponding policies for both links?
Is link02 in Site C Subnet?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am fairly new to Fortigate products but I have been making a lot of support calls on issues very similar to this. Fortigates have no one way of handling traffic generated on the firewall. If you have a fabric setup with SDWan I am sure you would have gone through a few of them. Some traffic seems to not be able to use SD-WAN at all and requires a manual static route while others have a setting to tell them to use the SD-WAN rules.
In this case ( I have not tried this yet myself) have you tried the "execute ping-options use-sdwan" command in conjunction with your specified interface?
Related Posts
Labels
-
FortiGate
6,413 -
FortiClient
1,279 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
407 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
238 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
61 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
43 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
37 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Routing
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
Web profile
2 -
FortiAI
2 -
Intrusion prevention
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Service
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Fortinet Engage Partner Program
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.