Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: SD WAN Routing Problems
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD WAN Routing Problems
Hi,
we are changing to a new FG90F cluster and we would like to use SD WAN. We have a fiber internet access we used before for the www traffic and MPLS internet access for all branch and headquarter access. The actual HA used only routing so that all internal MPLS traffic went by A and default route for internet was used by B. We want to use SD WAN also just to have an option in the future when we need more outgoing traffic for this office.
Now we wanted to use SD WAN also as failover if something happens with B and we tried the implicit rule in SD WAN rules with 99-1 for B.
We had a small window today and we wanted check before we change the cluster but we got problems accessing our MPLS network. We had a static route for all MPLS traffic but when we wanted to connect to our LDAP server we could not establish the connection. Removing internet access B and leaving olny MPLS A connected we just connected fine with the internal LDAP in our data center.
So something with static route and SD Wan seems not to work well. in 2 days we want to change the cluster and therefore I added also Policy Based Rules for all MPLS traffic. I dont know if I should use Policy based or only SD WAN rules but I dont want to have another issue with these important basic connections (to our DNS) when we switch the cluster.
Any suggestions how to be sure or best way to router MPLS traffic via SD WAN?
Thanks,
Labels:
- Labels:
-
SD-WAN
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello RolandBaumgaertner72 ,
As far as i understand, your current FortiGate 90F has to 'ISP' connections 'A' is your MPLS, 'B' is your secondary connection.
Did you run any sniffer or debug flow during the time window? What is the static route for your LDAP, can you please check the static route/routes and associated prioritities.
In FortiOS you can configure AD (Administrative distance) and Priority for the static routes. Two static routes could have the same AD but different priority, please check the KB bellow :
Regarding the policy route and SD-WAN, always FortiOS checks the policy route/routes and then if there is no match is moving to SD-WAN rules. Please check the KB bellow :
I would suggest to check first the routing table/data base :
# get router info routing-table all
# get router info routing-table database
When traffic is not working(for example you can't connect to LDAP), run a debug flow + session list to see which FW rule/SD-WAN rule steers the traffic :
#### Session list ####
diag sys session filter src XXXXX.XXXXX.XXXX.XXXX <---- source IP
diag sys session filter dst XXXXX.XXXXX.XXXX.XXXX <---- destination IP
diag sys session filter dport XXX <----
diag sys session list
#### Debug flow #####
diagnose debug reset
diagnose debug flow filter saddr XXXXXX <---- source IP
diagnose debug flow filter daddr XXXXXX <---- destination IP
diag debug flow show function-name enable
diag debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 99999
diagnose debug enable
Best regards,
Fortinet
.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
No, there was no time for debugging since the window was so small. In Static Routes the default was on top and below was the route over the MPLS Interface. I changed to smaller priority for the MPLS Routing.
Also we configured Policy Based Routing so there should be no problem when we connect to LDAP again. Strange thing was, that my client behind the firewall had ping to the LDAP, so now it is hard to guess what really happened. SD WAN seems so simple and easygoing but like in 50% of the cases setting it up it gives us problems.
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello RolandBaumgaertner72 ,
If both static default routes are with the same AD, means that they are installed . Here plays a role the 'priority' , lowest priority makes the route more preferable.
Regarding the SD-WAN , it depends if you have active monitoring -> performance SLA and both members (MPLS and ISP ) are added to it .
You can check the forwarding logs (if they are saved ) and filter for the LDAP destination of the time of the problem.
But the debug flow and session list would give us more info.
Best regards,
Fortinet
.
Labels
-
FortiGate
10,674 -
FortiClient
2,176 -
FortiManager
896 -
5.2
687 -
FortiAnalyzer
683 -
5.4
638 -
FortiSwitch
591 -
FortiClient EMS
571 -
FortiAP
563 -
IPsec
424 -
6.0
416 -
SSL-VPN
386 -
FortiMail
374 -
5.6
362 -
FortiNAC
288 -
FortiWeb
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
198 -
FortiAuthenticator
180 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiToken
114 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
87 -
FortiProxy
78 -
ZTNA
77 -
Routing
75 -
SAML
74 -
Fortivoice
73 -
VLAN
73 -
DNS
72 -
FortiEDR
70 -
BGP
70 -
Authentication
69 -
FortiADC
68 -
Certificate
66 -
RADIUS
62 -
LDAP
61 -
FortiLink
57 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
49 -
Interface
46 -
Application control
46 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
36 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
31 -
FortiGate v5.2
28 -
Traffic shaping
26 -
API
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
WAN optimization
21 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web rating
19 -
FortiSoar
18 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
FortiGate v5.0
15 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2624 | |
| 1393 | |
| 804 | |
| 671 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.