Hello,
The IPsec aggregation I/F is not seen when I try to input it as an SDWAN member.
Here is my environment.
        (wan1) --- NAT router1 --- (wan2)
FG1                                        FG2
        (wan2) --- NAT router2 --- (wan2)
At FG1, two VPN tunnels, vpn1_1 and vpn1_2, are created,
and the AGGnat I/F is created as an aggregation of both.
At FG2, the situation is similar.
In VPN tunnel, the AGGnat I/F is up. However, this I/F is not seen as an SDWAN member.
How can I solve this?
Any comments are appreciated.
It looks fine.
Since it is functioning well, I think the red icon is just a cosmetic bug.
Good day @HT_JDC ,
- Could you please confirm what firmware version you are using? Or can you try using the CLI?
Hello DNB,
The version is v7.2.0.
I tried it by CLI; however, the AGGnat I/F is not seen at "set members".
Thanks in advance for everyone's reply.
Check if it is already used in some policy or in other configuration.
Hello AEK,
Thanks. That's the reason.
Hello everyone,
Now it works. Although data communication works well between the network devices behind FG1 and FG2, FG2 (NAT outside) shows a "red" sign.
Is this correct behavior?
BTW, FG1 (NAT inside) shows a "green" sign.
Any comments are appreciated.
Hello
An IPsec tunnel shows red when it is down. It becomes green once it connects.
Hello AEK,
Even after the IPsec tunnel is established, it still shows "Red".
Data communication works behind the 2 FortiGates. Except for the "Red", everything is OK.
Is it a kind of bug? (I do not know well.)
Hi HT_JDC
Is the FortiOS version the same on FG1 and FG2?
Try comparing the output below between FG1 and FG2 to see if it is just a cosmetic issue.
diagnose vpn ike gateway list name <phase1-name>
diagnose vpn tunnel list name <phase2-name> (compare "sa" value)
diagnose sys ipsec-aggregate list
Hello AEK,
Thanks.
There is a difference for "diagnose sys ipsec-aggregate list".
FG1 (NAT inside)
# diagnose sys ipsec-aggregate list AGGnat
list all ipsec bundle in AGGnat num_bun=1
------------------------------------------------------
vf=0 bundle=AGGnat algo=WRR member=2
members:
tunnel=vpn1_2 weight=1
tunnel=vpn1_1 weight=1
FG2 (NAT outside, Red sign)
# diagnose sys ipsec-aggregate list AGGnat
list all ipsec bundle in AGGnat num_bun=3
------------------------------------------------------
vf=0 bundle=vpn2_1_0 algo=SELECTED member=1
members:
tunnel=vpn2_1_0 weight=1
------------------------------------------------------
vf=0 bundle=vpn2_2_0 algo=SELECTED member=1
members:
tunnel=vpn2_2_0 weight=1
------------------------------------------------------
vf=0 bundle=AGGnat algo=WRR member=0
Is there something wrong?
Any comments are appreciated.
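An added example, not from the thread or from Fortinet: a small Python parser for the `diagnose sys ipsec-aggregate list` output pasted above that flags an aggregate with no bundled members and tunnels that ended up in their own single-member bundles, so the FG1/FG2 difference can be spotted by script. Treating a `SELECTED` single-member bundle as a tunnel that did not join the aggregate is an assumption.

```python
import re

# Outputs copied from the two FortiGates in the thread (constructed test input).
FG1_OUTPUT = """list all ipsec bundle in AGGnat num_bun=1
------------------------------------------------------
vf=0 bundle=AGGnat algo=WRR member=2
members:
tunnel=vpn1_2 weight=1
tunnel=vpn1_1 weight=1
"""

FG2_OUTPUT = """list all ipsec bundle in AGGnat num_bun=3
------------------------------------------------------
vf=0 bundle=vpn2_1_0 algo=SELECTED member=1
members:
tunnel=vpn2_1_0 weight=1
------------------------------------------------------
vf=0 bundle=vpn2_2_0 algo=SELECTED member=1
members:
tunnel=vpn2_2_0 weight=1
------------------------------------------------------
vf=0 bundle=AGGnat algo=WRR member=0
"""

BUNDLE_RE = re.compile(r"^vf=(\d+) bundle=(\S+) algo=(\S+) member=(\d+)$")
TUNNEL_RE = re.compile(r"^tunnel=(\S+) weight=(\d+)$")


def parse_aggregate_list(text):
    """Map bundle name -> {vf, algo, member, tunnels[(name, weight)]}."""
    bundles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = BUNDLE_RE.match(line)
        if m:  # header line starts a new bundle
            current = {"vf": int(m.group(1)), "algo": m.group(3),
                       "member": int(m.group(4)), "tunnels": []}
            bundles[m.group(2)] = current
            continue
        m = TUNNEL_RE.match(line)
        if m and current is not None:  # member line belongs to current bundle
            current["tunnels"].append((m.group(1), int(m.group(2))))
    return bundles


def check_aggregate(bundles, name):
    """Return human-readable findings for aggregate `name`; empty means healthy."""
    findings = []
    agg = bundles.get(name)
    if agg is None:
        return [f"{name}: bundle not present"]
    if agg["member"] == 0:
        findings.append(f"{name}: aggregate has 0 members")
    if len(agg["tunnels"]) != agg["member"]:
        findings.append(f"{name}: header member={agg['member']} but "
                        f"{len(agg['tunnels'])} tunnel lines listed")
    for other, b in bundles.items():  # assumption: stray single-member bundles
        if other != name and b["algo"] == "SELECTED" and b["member"] == 1:
            findings.append(f"{other}: tunnel in its own bundle, not in {name}")
    return findings
```

Running `check_aggregate(parse_aggregate_list(FG2_OUTPUT), "AGGnat")` reports the empty aggregate and the two stray bundles, while FG1 comes back clean.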