Hi All,
Having some issues building SD-WAN in Eve-NG, or at least I think it's built correctly but traffic isn't routing, is anyone aware if there is an issue with Forti, SD-WAN and Eve?
I can see hit counts in the SD-WAN rules section, but I'm getting a timeout on pings from my VPC.
Pictures of the build below: -
Thanks,
Rich
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 11-20-2023 07:29 AM Edited on 11-20-2023 07:29 AM
Hi All,
Looks like it was Eve-NG bugging out, rebuilt it the same and it's now working fine.
Thanks for your help
Oh, and pinging the LAN VPC, Gateway on WAN-ISP-A and Google
Hi @RichyRoss,
Please run debug flow to see if the traffic is being dropped. Run the following commands and try to ping from 10.0.10.2.
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.0.10.2
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,
Hey,
Thanks for the reply, ran the debug, with the output below: -
DC-10 # 2023-11-18 10:32:28 id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:15875->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=15875, seq=1."
2023-11-18 10:32:28 id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00000b7c, tun_id=0.0.0.0"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_check line=5331 msg="in-[port2], out-[]"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023-11-18 10:32:29 id=65308 trace_id=1 func=rpdb_srv_match_input line=1064 msg="Match policy routing id=2131296257: to 8.8.8.8 via ifindex-5"
2023-11-18 10:32:29 id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-86.54.121.6 via port3"
2023-11-18 10:32:30 id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:16387->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16387, seq=2."
Thanks,
Rich
Based on the debug outputs, traffic is being forwarded to port3. Do you have firewall policy to allow traffic from port2 to SD-WAN?
Regards,
Hey,
Yeah the debug looks good, and yes I do, as below: -
Of course,
DC-10 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 45.16.81.6, port4, [1/0]
[1/0] via 86.54.121.6, port3, [1/0]
C 10.0.10.0/24 is directly connected, port2
C 45.16.81.0/29 is directly connected, port4
C 86.54.121.0/29 is directly connected, port3
C 192.168.197.0/24 is directly connected, port1
@hbac any more ideas? I'm thinking it could be an issue with compatibility with Eve-NG maybe?
@RichyRoss
Good day.
Can you ping 8.8.8.8 from port3?
execute ping-option source 86.54.121.1
execute ping-option use-sdwan yes
execute ping 8.8.8.8
Firewall policy Configuration:
show firewall policy
SDWAN debug and status:
diag sys sdwan member
diag sys sdwan health-check
diag sys sdwan zone
diag sys sdwan service
diag firewall proute list
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1502 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.