Dear All,
I have one stand-alone firewall and have configured SD-WAN (ISP1 & ISP2). The problem I am facing is that if ISP1 goes down, traffic does not fail over to the other link (ISP2).
I can see that there are two routes present in the routing table of the firewall, but the route for the link that is currently down is not being removed from the routing table. What could the issue be? I have configured "update static route".
FGT_Primeary # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.50.1, port1, [1/0]
             [1/0] via 192.168.51.1, port2, [1/0]
C 10.1.1.0/24 is directly connected, port3
C 192.168.50.0/28 is directly connected, port1
C 192.168.51.0/28 is directly connected, port2
C 192.168.145.0/24 is directly connected, port10
FGT_Primeary # config system sdwan
FGT_Primeary (sdwan) # config health-check
FGT_Primeary (health-check) # edit "Internet"
FGT_Primeary (Internet) # show
config health-check
    edit "Internet"
        set server "8.8.8.8" "8.8.4.4"
        set members 0
        config sla
            edit 1
            next
        end
    next
end
FGT_Primeary (Internet) #
My question is: if ISP1 is down, the static route must be removed from the routing table, and only the ISP2 route should remain in the routing table.
Regards,
learner
Hello Umesh,
I have always configured SD-WAN from the GUI, so I am not familiar with this code.
However, it seems to me that you missed selecting members in the health check; I think you should select both WANs.
While testing, make sure you have only one default route using the SD-WAN, not one route for each WAN.
Regards,
Damián
Hi @Umesh
I see that you have a query related to SD-WAN. In FortiGate, the route preference is policy routes first and then SD-WAN routes.
Hence you should have a default route pointing toward the SD-WAN virtual interface; this will route traffic over the other interface when one link fails.
Please refer to the below article on how to configure an SD-WAN properly.
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/218559/configuring-the-sd-wa...
Hello @Umesh
For your query make sure:
1. The static route is pointing to the SD-WAN zone:
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/626338/adding-a-static-route
2. The Performance SLA has the SD-WAN members selected and 'update static route' enabled:
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/723056/link-monitoring-and-f...
Regards,
Varun
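Putting the two points above together, here is an added example of what the corrected configuration looks like in the FortiOS CLI; it is not from any of the posters. It assumes the interfaces and gateways shown in the original routing table (port1/192.168.50.1 and port2/192.168.51.1), the default zone name "virtual-wan-link", and a FortiOS release that supports `set sdwan-zone` on static routes (7.0 or later); the health check in the question has `set members 0`, which is why no route is ever withdrawn.

```fortios
# Added example (assumed names/addresses): two ISP links as SD-WAN members,
# one health check that monitors both, and a single default route to the zone.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
            set gateway 192.168.50.1
        next
        edit 2
            set interface "port2"
            set zone "virtual-wan-link"
            set gateway 192.168.51.1
        next
    end
    config health-check
        edit "Internet"
            set server "8.8.8.8" "8.8.4.4"
            # Both members must be listed; "set members 0" monitors nothing.
            set members 1 2
            # Withdraw the member's route from the routing table when its probes fail.
            set update-static-route enable
        next
    end
end
# One default route toward the zone replaces the two per-interface default routes.
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end
# Verification: per-member probe state, then the routing table from the question.
diagnose sys sdwan health-check
get router info routing-table all
```

The existing per-port default routes (and any firewall policies bound directly to port1/port2) have to be removed or re-pointed to the zone first, because FortiOS refuses to add an interface that is still referenced elsewhere as an SD-WAN member.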
Copyright 2024 Fortinet, Inc. All Rights Reserved.