Hi there,
I am unable to understand why, when ISP1 goes down, traffic is not being moved via the secondary ISP2.
1. We have two ISPs - ISP1 & ISP2. When one of the ISPs goes down, traffic does not move automatically via the other ISP.
2. Once we disable the interface of the down ISP (ISP1), traffic moves via the other ISP (ISP2).
Let us know what the issue can be.
What are the initial parameters to troubleshoot it?
Thank you.
Umesh
Hello.
List of questions:
1) Do you have static IP address or DHCP/PPPoE on your ISP interfaces?
2) When you say ISP1 is down, do you mean that ISP1 is not able to route traffic but physical connection is up, correct?
3) How is your routing? Only static routing with default routes?
4) Do you have health-checks with update-static-route enabled?
For these cases, it is always good to perform a debug flow when the problem is reproduced to see if the session was re-evaluated, and also to examine the routing table before the failure and during the failure to see if the routing table acknowledged that there is some problem with the ISP.
Hi,
Try using this setting : https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Changes-and-SNAT-snat-route-...
Hello @Umesh ,
Thank you for reaching the Fortinet Support forum portal.
Can you please answer the questions below:
- What is the current firmware version you are using on the FortiGate, and what is the FortiGate firewall model?
- How did you configure the SD-WAN rules: manually, or based on SLA performance?
- Do you have a static IP address or DHCP/PPPoE on your ISP interfaces?
- When you say ISP1 is down, do you mean that ISP1 is not able to route traffic but the physical connection is up, correct?
- How is your routing? Did you configure routing based on individual static routes or via the SD-WAN interface? Only static routing with default routes?
- Do you have health checks with update-static-route enabled?
If you have not configured based on SLA, then check the rule parameters of whichever process you chose. If you want to configure an automatic process, refer to the articles below and configure based on the SLA parameter best quality.
Articles:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/723056/link-monitoring-and-failover
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/478384/performance-sla-link-monitoring
As mentioned earlier by my colleague @akristof, live traffic can give more information about the behavior.
A few logs you can consider collecting when the issue occurs:
# diagnose ip rtcache list
# get router info routing-table
# get router info kernel
# show full system sd-wan
# diagnose sys sdwan member
# diagnose sys sdwan health-check [health-check-name]
# diagnose sys sdwan service [service-id]
# diagnose sys sdwan intf-sla-log [interface-name]
# diagnose sys sdwan sla-log [health-check-name]
Best regards,
Manasa.
Hi @Umesh.
In addition to the previous replies, can you please run the following commands when the SD-WAN failover occurs:
diag debug reset
diag debug flow filter addr X.X.X.X (local IP)
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999
diagnose sys session filter src X.X.X.X (local IP)
diagnose sys session list
Regards,
Minh
Hi All,
Whenever ISP1 goes down, why is the default route not removed from the routing table by itself, in SD-WAN?
Thank you.
Hello Umesh,
Please reply with the information requested earlier so that we can confirm whether it is supposed to be switched or not. It depends on your configuration under SD-WAN rules and SD-WAN members. Any screenshots as a reference would help a lot.
Best regards,
Manasa.
For the route to be updated when ISP1 goes down, you need to configure Performance SLA as mentioned by Manasa. Have you done that?
Regards,
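
Added example, not part of any reply in this thread and not Fortinet's own configuration: a sketch of the Performance SLA health check with update-static-route that the replies ask about, written in the `config system sdwan` syntax that matches the `diagnose sys sdwan` commands above (on 6.2 the same block lives under `config system virtual-wan-link`). Interface names, gateways, probe servers and timers are constructed placeholders, and the lines starting with `#` are annotations, not CLI input.

```fortios
# Constructed placeholder values throughout: wan1/wan2, 192.0.2.1,
# 198.51.100.1, 203.0.113.10 and 203.0.113.20 are not from the thread.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
    config health-check
        # Probe a host beyond the ISP's first hop, so that an upstream
        # outage is detected even while the physical link stays up.
        edit "ISP1_probe"
            set server "203.0.113.10"
            set protocol ping
            set failtime 5
            set recoverytime 5
            # Withdraw static routes through member 1 while the probe fails.
            set update-static-route enable
            set members 1
        next
        edit "ISP2_probe"
            set server "203.0.113.20"
            set protocol ping
            set failtime 5
            set recoverytime 5
            set update-static-route enable
            set members 2
        next
    end
end
```

After unplugging the upstream side of ISP1 (link still up), `diagnose sys sdwan health-check` and `get router info routing-table`, both listed earlier in the thread, show whether the member is marked dead and its default route has been withdrawn.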