Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiTester
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN and dual WAN / default routes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 09-13-2007 03:27 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN and dual WAN / default routes
I' ve got a problem with my SSL VPN connections...
I' m running a Fortigate 500A, with two WAN links (T1, DSL) and one internal network link.
SSL VPN worked fine until I added the 2nd WAN link, and added a 2nd default route to allow web load sharing between it and the pre-existing T1.
Both static routes are:
0.0.0.0/0.0.0.0 > T1 router IP
0.0.0.0/0.0.0.0 > DSL router IP
After tweaking route order and priority, I was able to get web traffic to prefer the DSL route as I wanted, without having to use any policy routes.
But why is this breaking the return traffic to my SSL VPN tunnel clients? They can connect via the browser interface, but then are dropped within 30 secs, with no traffic ever received back from the firewall. Obviously, it' s being routed out the wrong gateway (DSL).
Any ideas?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After tweaking route order and priority, I was able to get web traffic to prefer the DSL route as I wanted, without having to use any policy routes. But why is this breaking the return traffic to my SSL VPN tunnel clients? They can connect via the browser interface, but then are dropped within 30 secs, with no traffic ever received back from the firewall. Obviously, it' s being routed out the wrong gateway (DSL). Any ideas?" Re-tweak" again to ensure that: . T1 priority static route parameter is greater (lower value) than dsl, to ensure SSLVPN going to and back through T1 . use policy routes to route webtraffic throughout DSL Protocol = 6 (TCP) Incoming IF = internal Source = as required Destination= as required Destination Ports = 80 Force traffic to ->DSL iface You' ll need policies routes to manage traffic in a dual-wan scenario.
regards
/ Abel
regards
/ Abel
Not applicable
Created on 09-14-2007 07:40 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
" Re-tweak" again to ensure that: . T1 priority static route parameter is greater (lower value) than dsl, to ensure SSLVPN going to and back through T1There is my problem...I HAVE given route priority to the DSL gateway, which is what is re-routing return VPN traffic. Can I assume then ALL return traffic (ie FTP server or web server traffic) will return down the highest priority (lower value) gateway as well?
. use policy routes to route webtraffic throughout DSL Protocol = 6 (TCP) Incoming IF = internal Source = as required Destination= as required Destination Ports = 80 Force traffic to ->DSL ifaceI was leaving the ' Protocol' field blank, but was using dest port ' 80' to try and redirect web traffic to the DSL gateway, but for some reason it interferes with my users (10.1.1.0) routing correctly to my VOIP server / subnet (10.2.1.0) , which is defined as static route on the Fortigate.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is my problem...I HAVE given route priority to the DSL gateway, which is what is re-routing return VPN traffic.The important thing here is distinguish between the two wans with the priority parameter and establish the VPNSSL choosing the one with higher priority (lower value), dsl or T1 ( you choose).
Can I assume then ALL return traffic (ie FTP server or web server traffic) will return down the highest priority (lower value) gateway as well?only if you don' t set route policies to manage that traffic
I was leaving the ' Protocol' field blank,Don' t; work with 6 for TCP traffic, 17 for UDP traffic ans so on.
but for some reason it interferes with my users (10.1.1.0) routing correctly to my VOIP server / subnet (10.2.1.0) , which is defined as static route on the Fortigate.In my experience, policies routes supersedes static routes settings. Define a specific new policy route for that VOIP device and re-try Hope it helps.
regards
/ Abel
regards
/ Abel
Not applicable
Created on 09-14-2007 08:53 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The important thing here is distinguish between the two wans with the priority parameter and establish the VPNSSL choosing the one with higher priority (lower value), dsl or T1 ( you choose).I cleared out all static routes, and recreated them in the CLI. The T1 was the default route (" edit1" ), and the DSL was secondary (" edit2" ). I did not apply ' priority' because the edit order seems to accomplish the same thing---therefore I am now doubly confused about the function of the ' priority' parameter. Then, I created two policy routes: Protocol 6 internal interface internal subnet dest IP anywhere dest port 80 to 80 force to DSL gateway Protocol 6 internal interface internal subnet dest IP anywhere dest port 443 to 443 force to DSL gateway ...to route all http and https traffic to the DSL gateway. It works. Somehow, my 10.2.1.0 VOIP subnet routing issues seem to have vanished. Perhaps it was leaving the protocol field blank on my initial web traffic policy routes which was rerouting EVERYTHING out the DSL gateway? Thanks very much for your help Abel---your insight gave me the confidence boost I needed to know I was going about this the more-or-less correct way. Still, I' d like a better understanding of the use of setting static route ' priority' .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cleared out all static routes, and recreated them in the CLI. The T1 was the default route (" edit1" ), and the DSL was secondary (" edit2" ). I did not apply ' priority' because the edit order seems to accomplish the same thing---therefore I am now doubly confused about the function of the ' priority' parameter.extracted from Release Notes pdf fortios 3.0 version: " Prior to FortiOS v3.00 MR1, if two equal cost static routes to a destination were configured, the FortiGate made a routing decision based on the sequence number - the order in which they were entered in the CLI or Web UI. FortiOS v3.00 MR1 removes this restriction by adding a priority argument to static routes. The priority argument now is responsible for breaking a tie between two equal cost routes - the lower the priority the higher the preference"
Still, I' d like a better understanding of the use of setting static route ' priority' .check also this forum thread, there' s a good paragraph from TAC' s guy named Stephane: http://support.fortinet.com/forum/tm.asp?m=31599&appid=&p=&mpage=1&key=&language=single&tmode=&smode=&s=#31670
regards
/ Abel
regards
/ Abel
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Should I create two default routes (0.0.0.0/0.0.0.0)... 208 Views
- FortiWeb Routes Issue 235 Views
- Default route in case of Zscaler... 369 Views
- FortiEms 7.2.4 build 0983 - MacOs... 313 Views
- Fortigate Firewall BGP received routes not... 787 Views
Labels
-
FortiGate
7,513 -
FortiClient
1,477 -
5.2
801 -
FortiManager
641 -
5.4
639 -
FortiAnalyzer
488 -
6.0
416 -
FortiAP
391 -
FortiSwitch
388 -
5.6
362 -
FortiClient EMS
319 -
FortiMail
288 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
182 -
FortiNAC
139 -
SSL-VPN
131 -
6.4
128 -
IPsec
127 -
FortiGuard
122 -
FortiGateCloud
97 -
FortiCloud Products
93 -
FortiSIEM
91 -
FortiToken
80 -
Customer Service
73 -
Wireless Controller
68 -
SD-WAN
66 -
4.0MR3
64 -
FortiProxy
54 -
FortiEDR
48 -
FortiADC
48 -
FortiAuthenticator
47 -
Fortivoice
46 -
FortiDNS
43 -
Firewall policy
41 -
FortiSandbox
39 -
FortiExtender
39 -
VLAN
37 -
FortiGate v5.4
36 -
High Availability
34 -
FortiSwitch v6.4
32 -
DNS
28 -
BGP
27 -
LDAP
27 -
FortiConnect
26 -
ZTNA
26 -
FortiGate v5.2
24 -
FortiWAN
24 -
Routing
24 -
FortiConverter
23 -
Interface
23 -
SAML
22 -
Certificate
22 -
Authentication
21 -
FortiSwitch v6.2
20 -
NAT
20 -
VDOM
19 -
FortiLink
19 -
FortiPortal
18 -
RADIUS
16 -
Logging
16 -
FortiMonitor
16 -
Virtual IP
16 -
Web profile
16 -
FortiGate v5.0
15 -
SSL SSH inspection
15 -
Fortigate Cloud
14 -
FortiDDoS
14 -
SSO
14 -
Application control
14 -
Traffic shaping
13 -
FortiManager v5.0
12 -
FortiCASB
12 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SSID
10 -
Static route
10 -
WAN optimization
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
SNMP
9 -
RMA Information and Announcements
9 -
OSPF
9 -
FortiAP profile
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
Admin
8 -
Security profile
8 -
Proxy policy
8 -
Web application firewall profile
8 -
4.0
7 -
FortiCache
7 -
Automation
7 -
trunk
6 -
IPS signature
6 -
Antivirus profile
6 -
Traffic shaping policy
6 -
System settings
6 -
FortiCarrier
5 -
FortiDirector
5 -
DNS Filter
5 -
Packet capture
5 -
FortiPAM
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
Intrusion prevention
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiToken Cloud
4 -
FortiScan
4 -
Explicit proxy
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
DoS policy
4 -
Web rating
4 -
FortiInsight
3 -
FortiDB
3 -
FortiCWP
3 -
FortiHypervisor
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
Email filter profile
3 -
Fabric connector
3 -
File filter
3 -
Multicast routing
3 -
FortiAI
2 -
FortiNDR
2 -
Internet service database
2 -
Netflow
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
VoIP profile
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
Kerberos
1 -
RIP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1277 | |
| 943 | |
| 676 | |
| 441 | |
| 177 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.