Hi,
I have a FG60F with 7.4.4 and 3 Internet Accesses with a SD WAN. I have a SD WAN Implicit Rule with 40-40-20% for Volume. Checking Performance SLAs all of them seem OK but since I have the implict rule, I dont apply SLA.
Now I saw that WAN1 just had like 2 sessions all the time so I checked directly on the router and I get like 1GB. Than I disconnected WAN2 and Internal5 which are in the SD WAN and I can ping from the FG but NOT from LAN.
Sniffing the ping to 8.8.8-8 I see that traffic is not going out to SD WAN
XXX-XXX # diag sniffer packet any "host 10.10.14.25" 4
interfaces=[any]
filters=[host 10.10.14.25]
0.131501 lan in 10.10.14.25.57343 -> 10.10.14.1.444: psh 3371949728 ack 4293014073
0.131567 lan out 10.10.14.1.444 -> 10.10.14.25.57343: ack 3371949814
0.142213 lan out 10.10.14.1.444 -> 10.10.14.25.57343: psh 4293014073 ack 3371949814
0.142847 lan out 10.10.14.1.444 -> 10.10.14.25.57343: psh 4293014619 ack 3371949814
0.142987 lan in 10.10.14.25.57343 -> 10.10.14.1.444: ack 4293014650
Checking Routing I get with only WAN1 connected:
XXX-XX # get router info routing-table static
Routing table for VRF=0
S 10.177.0.0/17 [254/0] is a summary, Null, [1/0]
S 192.168.0.0/24 [254/0] is a summary, Null, [1/0]
Routing table for VRF=1
S* 0.0.0.0/0 [1/0] via 192.168.168.1, wan1, [10/0]
But I cant get out to the internet from the hosts.
Again connecting WAN2 and Internal5 I get:
XX-XXX # get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.0.1, wan2, [10/0]
[1/0] via 10.80.40.1, internal5, [10/0]
S 10.10.15.0/24 [10/0] via XXX tunnel 10.0.0.1, [1/0]
S 10.10.16.0/24 [10/0] via XX tunnel 10.0.0.4, [1/0]
S 10.177.0.0/17 [254/0] is a summary, Null, [1/0]
S 88.10.121.20/32 [10/0] via 192.168.0.1, wan2, [1/0]
Routing table for VRF=1
S* 0.0.0.0/0 [1/0] via 192.168.168.1, wan1, [10/0]
Any suggestions why i dongt get out of WAN1? Again, I checked with a notebook behind the router and everything OK and also the FG with only WAN1 connected can ping 8.8.8.8
Thanks,
Hello @RolandBaumgaertner72,
To diagnose connectivity from your LAN to WAN1 traffic, can you collect a debug flow for your source and destination IPs? This will display how the traffic is being processed. Please refer to the link below.
Reference: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Kind Regards,
Hi,
thanks but it is not so easy to cancel access and debug with only WAN1. Routing/NAT and everything is fine, I just see a difference in the routing table. WAN2 and Internal5 are working fine and are in VRF=0 and WAN1 is in VRF=1
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.0.1, wan2, [10/0]
[1/0] via 10.80.40.1, internal5, [10/0]
S 10.10.15.0/24 [10/0] via XXX tunnel 10.0.0.1, [1/0]
S 10.10.16.0/24 [10/0] via XX tunnel 10.0.0.4, [1/0]
S 10.177.0.0/17 [254/0] is a summary, Null, [1/0]
S 88.10.121.20/32 [10/0] via 192.168.0.1, wan2, [1/0]
Routing table for VRF=1
S* 0.0.0.0/0 [1/0] via 192.168.168.1, wan1, [10/0]
Any ideas?
OK I found the problem. WAN1 was connected some time ago in a VLAN and I didnt check the interface just the routing and subnet mask. I moved it also to VRF=0 and now it works fine.
Cheers
Why is WAN1 in VRF1? LAN and WAN1 must be in the same VRF if you want it to work.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.