Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HT_JDC
New Contributor II

Created on ‎09-13-2024 03:16 AM

SDWAN: IPsec Aggregation under NAT is not seen

Hello,

 

IPsec aggregation I/F is not seen when I try to input it as SDWAN member.

Here is my environment.

       (wan1) --- NAT router1 --- (wan2)

FG1                                                     FG2

       (wan2) --- NAT router2 --- (wan2)

 

At FG1, as VPN tunnel, vpn1_1 and vpn1_2 are created

And AGGnat I/F is created as aggregation of the both.

At FG2, the situation is similar.

In VPN tunnel, AGGnat I/F is up. However, this I/F is not seen as SDWAN member.

 

How can I solve?

 

Any comments are appreciated.

 

 

Labels:
925
0 Kudos
1 Solution
AEK
SuperUser
SuperUser
In response to HT_JDC

Created on ‎09-16-2024 06:06 AM

It looks fine.

Since it is functioning well, I think the red icon is just a cosmetic bug.

AEK

View solution in original post

AEK
595
13 REPLIES 13
dbhavsar
Staff
Staff

Created on ‎09-13-2024 04:54 AM Edited on ‎09-13-2024 04:54 AM

Good day @HT_JDC ,

- Could you please confirm what firmware version you are using? Or can you try using the CLI?

DNB
651
HT_JDC
New Contributor II
In response to dbhavsar

Created on ‎09-13-2024 05:26 AM

Hello DNB,

 

The version is v7.2.0.

I tried it by CLI, however, AGGnat I/F is not seen at "set members".

 

Thanks in advance for everyone's reply.

639
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎09-13-2024 08:28 AM

Check if it is already used in some policy or in other configuration.

AEK
AEK
617
HT_JDC
New Contributor II
In response to AEK

Created on ‎09-13-2024 11:19 PM

Hello AEK,

 

Thanks. That's the reason.

579
HT_JDC
New Contributor II

Created on ‎09-13-2024 11:23 PM

Hello everyone,

 

Now it works. Although data communication works well between network device behind FG1 and FG2, FG2 (NAT outside) shows "red" sign.
キャプチャ3.PNG

Is it correct behavior?

BTW, FG1 (NAT inside) shows " green" sign.

 

Any comments are appreciated.

573
0 Kudos
AEK
SuperUser
SuperUser
In response to HT_JDC

Created on ‎09-13-2024 11:40 PM

Hello

IPsec tunnel shows reg when it is down. It becomes green once it connects.

AEK
AEK
560
HT_JDC
New Contributor II
In response to AEK

Created on ‎09-14-2024 05:53 PM

Hello AEK,

 

Even after IPsec tunnel is established, it still shows "Red".

Data communication works behind 2 fortigate. Except "Red", everything is ok.

Is it kind of bug?  (I do not know well.)

512
0 Kudos
AEK
SuperUser
SuperUser
In response to HT_JDC

Created on ‎09-15-2024 02:02 AM

Hi HT_JDC

Is FortiOS version the same on FG1 an FG2?

Try compare the below output between FG1 and FG2 to see if it is just a cosmetic issue.

diagnose vpn ike gateway list name <phase1-name>
diagnose vpn tunnel list name <phase2-name> (compare "sa" value)
diagnose sys ipsec-aggregate list

 

AEK
AEK
477
HT_JDC
New Contributor II
In response to AEK

Created on ‎09-15-2024 06:40 PM

Hello AEK,

Thanks.

There is a difference for "diagnose sys ipsec-aggregate list".

 

FG1 (NAT inside)

# diagnose sys ipsec-aggregate list AGGnat
list all ipsec bundle in AGGnat num_bun=1
------------------------------------------------------
vf=0 bundle=AGGnat algo=WRR member=2
members:
tunnel=vpn1_2 weight=1
tunnel=vpn1_1 weight=1

 

FG2 (NAT outside, Red sign)

# diagnose sys ipsec-aggregate list AGGnat
list all ipsec bundle in AGGnat num_bun=3
------------------------------------------------------
vf=0 bundle=vpn2_1_0 algo=SELECTED member=1
members:
tunnel=vpn2_1_0 weight=1
------------------------------------------------------
vf=0 bundle=vpn2_2_0 algo=SELECTED member=1
members:
tunnel=vpn2_2_0 weight=1
------------------------------------------------------
vf=0 bundle=AGGnat algo=WRR member=0

 

Are there something wrong?

Any comments are appreciated.

 

 

 

418
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.