I have the below setup.
Spoke locations: single WAN link sites (single underlay) & dual WAN link sites (2 underlays)
Hub location: single hub with dual WAN links
Single underlay sites have 1 overlay to the hub location
Dual underlay sites have 2 overlays to the hub location
I have an ADVPN with SD-WAN setup; spoke-to-spoke communication is happening via shortcut tunnel.
In this case there are some fail-over scenarios for spoke-to-spoke communication:
Single underlay site - Overlay 1 is UP
Dual underlay site - Overlay 1 is down (WAN 1 down) but Overlay 2 is UP (WAN 2)
But communication between these sites is not happening via a criss-cross tunnel.
Question:
How can this communication (criss-cross tunnel) be achieved?
Fail-over: as per TAC, it's not possible.
I want to check whether anyone has achieved this solution or design, and if possible how it was done.
Does anyone have any idea? Need your suggestions.
Hi @KD_IFDU,
If WAN1 is down, traffic should flow through WAN2. Can you make sure that both tunnels appear in the routing table by running "get router info routing-table all".
Regards,
In the dual WAN link site (consider Branch2), WAN1 is down, due to which Overlay1 is down, and it is learning the single WAN link site's LAN subnet (consider Branch1) via Overlay2.
But on the other side, Branch1 WAN1 is UP, so Overlay1 is UP and there is no Overlay2 there; it is learning the Branch2 LAN subnet via Overlay1.
(Overlay1 via WAN1 & Overlay2 via WAN2 are built for all the sites.)
On the hub side (acting as RR in iBGP), the SD-WAN setup is done such that Overlay1 is primary for all spoke-to-spoke communication and Overlay2 is secondary.
Routing details:
Branch1: learning the Branch2 subnet via Overlay2
Branch2: learning the Branch1 subnet via Overlay1
This is how I was learning the routing information.
Please provide a network diagram if possible. If I understand correctly, Branch1 only has 1 WAN connection and one IPsec tunnel? It should have 2 tunnels, one to each WAN interface of the hub.
Regards,
Are you advertising all the overlay subnets from the hub so that recursive lookup happens for the next hop?
You should first provide the output of the BGP network. Do you see the next-hop marked as 'inaccessible'? The problem is probably already on the spoke's side. You could use BGP recursive resolution if there are aggregated subnets, or static routes that point to the overlay. A lot of posts lack the details needed to provide good answers; anyway, 'cross-overlay failures' are not explained in enough detail in Fortinet documentation either.
Anyway, in general there must be routing from the underlay2 subnet to the underlay1 subnet. Is that the case? For example, you can't have shortcuts between the internet and internal MPLS private addresses.
Are only the shortcuts not working, or are there also problems in inter-site flows?
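The recursive next-hop check that the two replies above point at, modelled as an added example (not code from the thread or from Fortinet). It shows why Branch1, which only has Overlay1, sees Branch2's LAN as 'inaccessible' when the route arrives with Branch2's Overlay2 tunnel IP as next-hop, and how advertising the Overlay2 tunnel subnet from the hub lets the next-hop resolve through Overlay1. All addresses, interface names and table entries are constructed.

```python
import ipaddress

# Constructed example addresses (not from the thread): Overlay1 tunnel subnet
# is built over WAN1, Overlay2 over WAN2. Branch1 only has Overlay1.
HUB_OVERLAY1_IP = "10.200.1.254"
BRANCH2_OVERLAY2_IP = "10.200.2.2"      # Branch2 now reachable only via its WAN2

# Branch1 routing table before any change: Branch2's LAN (192.168.2.0/24) is
# learned from the hub RR with Branch2's Overlay2 tunnel IP as next-hop, but
# Branch1 has no interface in that tunnel subnet.
BRANCH1_BEFORE = [
    {"prefix": "192.168.1.0/24", "proto": "connected", "iface": "lan"},
    {"prefix": "10.200.1.0/24", "proto": "connected", "iface": "overlay1"},
    {"prefix": "192.168.2.0/24", "proto": "bgp", "next_hop": BRANCH2_OVERLAY2_IP},
]

# Same table once the hub also advertises the Overlay2 tunnel subnet itself,
# so the next-hop can be resolved recursively through Overlay1.
BRANCH1_AFTER = BRANCH1_BEFORE + [
    {"prefix": "10.200.2.0/24", "proto": "bgp", "next_hop": HUB_OVERLAY1_IP},
]

def longest_match(table, addr):
    """Most specific route whose prefix contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in table if ip in ipaddress.ip_network(r["prefix"])]
    return max(hits, key=lambda r: int(r["prefix"].split("/")[1]), default=None)

def resolve_next_hop(table, next_hop, depth=0):
    """Resolve a BGP next-hop to an egress interface, recursing through BGP
    routes the way a recursive next-hop lookup does; None means 'inaccessible'."""
    if depth > 4:                       # guard against a next-hop loop
        return None
    route = longest_match(table, next_hop)
    if route is None:
        return None
    if route["proto"] != "bgp":         # connected or static: resolved
        return route["iface"]
    return resolve_next_hop(table, route["next_hop"], depth + 1)

def bgp_route_status(table):
    """Map every BGP prefix to its egress interface or 'inaccessible'."""
    return {r["prefix"]: resolve_next_hop(table, r["next_hop"]) or "inaccessible"
            for r in table if r["proto"] == "bgp"}

if __name__ == "__main__":
    print("before:", bgp_route_status(BRANCH1_BEFORE))
    print("after: ", bgp_route_status(BRANCH1_AFTER))
```

Resolving the next-hop only gets traffic to the hub over Overlay1; whether a criss-cross shortcut then forms still depends on the underlay reachability the last reply asks about.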