RichyRoss
New Contributor III

SD-WAN Build Issues in Eve-NG

Hi All, 

 

Having some issues building SD-WAN in Eve-NG, or at least I think it's built correctly but traffic isn't routing, is anyone aware if there is an issue with Forti, SD-WAN and Eve?

 

I can see hit counts in the SD-WAN rules section, but I'm getting a timeout on pings from my VPC.

 

Pictures of the build below: -

 

Thanks, 
Rich

 

[Attached screenshots: FW Policy.png, Ports.png, SD-WAN Rules.png, SD-WAN Zones.png, StaticRoute.png]

R.Ross
1 Solution
RichyRoss
New Contributor III

Hi All, 

 

Looks like it was Eve-NG bugging out, rebuilt it the same and it's now working fine. 

 

Thanks for your help

R.Ross

11 REPLIES
RichyRoss
New Contributor III

Oh, and pinging the LAN VPC, Gateway on WAN-ISP-A and Google

 

[Attached screenshot: Pings.png]

R.Ross
hbac
Staff

Hi @RichyRoss,

 

Please run debug flow to see if the traffic is being dropped. Run the following commands and try to ping from 10.0.10.2. 

 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.0.10.2
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 

RichyRoss
New Contributor III

Hey, 

 

Thanks for the reply, ran the debug, with the output below: -

 

DC-10 # 2023-11-18 10:32:28 id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:15875->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=15875, seq=1."
2023-11-18 10:32:28 id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00000b7c, tun_id=0.0.0.0"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_check line=5331 msg="in-[port2], out-[]"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023-11-18 10:32:29 id=65308 trace_id=1 func=rpdb_srv_match_input line=1064 msg="Match policy routing id=2131296257: to 8.8.8.8 via ifindex-5"
2023-11-18 10:32:29 id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-86.54.121.6 via port3"
2023-11-18 10:32:30 id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:16387->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16387, seq=2."

 

 

Thanks, 
Rich

R.Ross
hbac

@RichyRoss,

 

Based on the debug outputs, traffic is being forwarded to port3. Do you have a firewall policy to allow traffic from port2 to SD-WAN?

 

Regards, 
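
An added example, not part of the original posts: a short Python parser that groups the debug flow lines by trace_id and extracts the ingress interface, the matched policy route and the chosen gateway, which is how the output above is read. The function name summarize and the stage patterns are assumptions built only from the lines pasted in this thread; the sample input is an excerpt of that paste.

```python
import re

# Excerpt of the debug flow output posted in this thread (pasted verbatim).
SAMPLE = '''\
DC-10 # 2023-11-18 10:32:28 id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:15875->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=15875, seq=1."
2023-11-18 10:32:28 id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00000b7c, tun_id=0.0.0.0"
2023-11-18 10:32:29 id=65308 trace_id=1 func=rpdb_srv_match_input line=1064 msg="Match policy routing id=2131296257: to 8.8.8.8 via ifindex-5"
2023-11-18 10:32:29 id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-86.54.121.6 via port3"
2023-11-18 10:32:30 id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:16387->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16387, seq=2."
'''

LINE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
# One pattern per trace stage seen in the thread's output; other stages are ignored.
STAGES = {
    "print_pkt_detail": re.compile(
        r"proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\).* from (?P<in_if>\w+)\."),
    "rpdb_srv_match_input": re.compile(r"policy routing id=(?P<proute_id>\d+):"),
    "vf_ip_route_input_common": re.compile(r"gw-(?P<gateway>[\d.]+) via (?P<out_if>\w+)"),
}

def summarize(text):
    """Group debug flow lines by trace_id and extract ingress, policy route and egress."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # prompt echoes, blank lines, unrelated console output
        trace_id, func, msg = int(m.group(1)), m.group(2), m.group(3)
        info = traces.setdefault(trace_id, {"funcs": []})
        info["funcs"].append(func)
        stage = STAGES.get(func)
        hit = stage.search(msg) if stage else None
        if hit:
            info.update(hit.groupdict())
    for info in traces.values():
        # False means no route lookup line was captured for this trace.
        info["route_found"] = "out_if" in info
    return traces

if __name__ == "__main__":
    for tid, info in summarize(SAMPLE).items():
        print(tid, info.get("in_if"), "->", info.get("out_if"), "gw", info.get("gateway"),
              "proute", info.get("proute_id"), "route_found", info["route_found"])
```
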

RichyRoss
New Contributor III

Hey, 

 

Yeah the debug looks good, and yes I do, as below: -

 

[Attached screenshot: FW Policy.png]

R.Ross
hbac

@RichyRoss

 

Can you provide the output of this command: "get router info routing-table all"?

 

Regards, 

RichyRoss
New Contributor III

Of course, 

DC-10 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 45.16.81.6, port4, [1/0]
[1/0] via 86.54.121.6, port3, [1/0]
C 10.0.10.0/24 is directly connected, port2
C 45.16.81.0/29 is directly connected, port4
C 86.54.121.0/29 is directly connected, port3
C 192.168.197.0/24 is directly connected, port1



R.Ross
RichyRoss
New Contributor III

@hbac any more ideas? I'm thinking it could be an issue with compatibility with Eve-NG maybe?

R.Ross
adimailig

@RichyRoss 

Good day.

Can you ping 8.8.8.8 from port3?

execute ping-option source 86.54.121.1
execute ping-option use-sdwan yes
execute ping 8.8.8.8

Firewall policy Configuration:

show firewall policy

SDWAN debug and status:

diag sys sdwan member
diag sys sdwan health-check
diag sys sdwan zone
diag sys sdwan service
diag firewall proute list


Best Regards,

Arnold Dimailig
TAC Engineer