Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RichyRoss
New Contributor III

Created on ‎11-18-2023 09:06 AM

SD-WAN Build Issues in Eve-NG

Hi All, 

 

Having some issues building SD-WAN in Eve-NG, or at least I think it's built correctly but traffic isn't routing, is anyone aware if there is an issue with Forti, SD-WAN and Eve?

 

I can see hit counts in the SD-WAN rules section, but I'm getting a timeout on pings from my VPC.

 

Pictures of the build below: -

 

Thanks, 
Rich

 

FW Policy.pngPorts.pngSD-WAN Rules.pngSD-WAN Zones.pngStaticRoute.png

R.Ross
R.Ross
Labels:
2497
0 Kudos
1 Solution
RichyRoss
New Contributor III
In response to hbac

Created on ‎11-20-2023 07:29 AM Edited on ‎11-20-2023 07:29 AM

Hi All, 

 

Looks like it was Eve-NG bugging out, rebuilt it the same and it's now working fine. 

 

Thanks for your help

R.Ross

View solution in original post

R.Ross
2173
0 Kudos
11 REPLIES 11
RichyRoss
New Contributor III

Created on ‎11-18-2023 09:16 AM Edited on ‎11-18-2023 09:17 AM

Oh, and pinging the LAN VPC, Gateway on WAN-ISP-A and Google

 

Pings.png

R.Ross
R.Ross
2029
0 Kudos
hbac
Staff
Staff

Created on ‎11-18-2023 09:31 AM

Hi @RichyRoss,

 

Please run debug flow to see if the traffic is being dropped. Run the following commands and try to ping from 10.0.10.2. 

 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.0.10.2
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 

2025
RichyRoss
New Contributor III
In response to hbac

Created on ‎11-18-2023 09:33 AM

Hey, 

 

Thanks for the reply, ran the debug, with the output below: -

 

DC-10 # 2023-11-18 10:32:28 id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:15875->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=15875, seq=1."
2023-11-18 10:32:28 id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00000b7c, tun_id=0.0.0.0"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_check line=5331 msg="in-[port2], out-[]"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-11-18 10:32:28 id=65308 trace_id=1 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023-11-18 10:32:29 id=65308 trace_id=1 func=rpdb_srv_match_input line=1064 msg="Match policy routing id=2131296257: to 8.8.8.8 via ifindex-5"
2023-11-18 10:32:29 id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-86.54.121.6 via port3"
2023-11-18 10:32:30 id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:16387->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16387, seq=2."

 

 

Thanks, 
Rich

R.Ross
R.Ross
2023
0 Kudos
hbac
Staff
Staff
In response to RichyRoss

Created on ‎11-18-2023 09:37 AM

@RichyRoss,

 

Based on the debug outputs, traffic is being forwarded to port3. Do you have firewall policy to allow traffic from port2 to SD-WAN?

 

Regards, 

2021
RichyRoss
New Contributor III
In response to hbac

Created on ‎11-18-2023 09:40 AM

Hey, 

 

Yeah the debug looks good, and yes I do, as below: -

 

FW Policy.png

R.Ross
R.Ross
2019
0 Kudos
hbac
Staff
Staff
In response to RichyRoss

Created on ‎11-18-2023 09:48 AM

@RichyRoss

 

Can you provide the output of this command "get router info routing-table all". 

 

Regards, 

2017
0 Kudos
RichyRoss
New Contributor III
In response to hbac

Created on ‎11-18-2023 09:57 AM

Of course, 

DC-10 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 45.16.81.6, port4, [1/0]
[1/0] via 86.54.121.6, port3, [1/0]
C 10.0.10.0/24 is directly connected, port2
C 45.16.81.0/29 is directly connected, port4
C 86.54.121.0/29 is directly connected, port3
C 192.168.197.0/24 is directly connected, port1



R.Ross
R.Ross
2013
0 Kudos
RichyRoss
New Contributor III
In response to hbac

Created on ‎11-19-2023 12:30 AM

@hbac any more ideas? I'm thinking it could be an issue with compatibility with Eve-NG maybe?

R.Ross
R.Ross
1965
0 Kudos
adimailig
Staff
Staff
In response to RichyRoss

Created on ‎11-19-2023 04:53 PM

@RichyRoss 

Good day.

Can you ping 8.8.8.8 from port3?

execute ping-option source 86.54.121.1
execute ping-option use-sdwan yes
execute ping 8.8.8.8

Firewall policy Configuration:

show firewall policy

SDWAN debug and status:

diag sys sdwan member
diag sys sdwan health-check
diag sys sdwan zone
diag sys sdwan service
diag firewall proute list


Best Regards,

Arnold Dimailig
TAC Engineer
1946
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.