Some SDWAN(BGP) routes discovered on wan interface.
My issue is that I have 2 dialup tunnels on a remote gate, each connected to a separate ISP. If I lose the primary ISP that is connected to dialup tunnel 1, and dialup tunnel 2 (separate ISP) picks up the routing, then some routes are discovered on the correct dialup interface, but others show as being discovered via the wan interface.
I am not sure what the problem is.
See below:
This is in a test environment. The gates are on 7.2.8.
Remote Gate
config vpn ipsec phase1-interface
edit "advpn_1"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha256
set add-route disable
set auto-discovery-receiver enable
set remote-gw x.x.x.x
next
end
config vpn ipsec phase2-interface
edit "advpn_1_p2"
set phase1name "advpn_1"
set proposal aes256-sha256
set auto-negotiate enable
next
end
config vpn ipsec phase1-interface
edit "advpn_2"
set interface "wan2"
set peertype any
set net-device disable
set proposal aes256-sha256
set add-route disable
set auto-discovery-receiver enable
set remote-gw x.x.x.x
next
end
config vpn ipsec phase2-interface
edit "advpn_2_p2"
set phase1name "advpn_1"
set proposal aes256-sha256
set auto-negotiate enable
next
end
Hub Dialup config
config vpn ipsec phase1-interface
edit "advpn_1"
set type dynamic
set interface "port1"
set peertype any
set net-device disable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set auto-discovery-receiver enable
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "advpn_1_p2"
set phase1name "advpn_1"
set proposal aes256-sha256
next
end
config vpn ipsec phase1-interface
edit "advpn_2"
set type dynamic
set interface "port2"
set peertype any
set net-device disable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set auto-discovery-receiver enable
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "advpn_2_p2"
set phase1name "advpn_2"
set proposal aes256-sha256
next
end
Thank you for any help.
Should also mention that the remote gate dialup tunnels are in an SDWAN zone, have an SLA and an SDWAN rule based on best quality. Routing works correctly regardless of which dialup is selected by the rule, unless I lose an ISP and one tunnel goes down. Then routing gets all weird.
Hi,
I'm sure this is because your SLA option "update static route" is enabled. I had the same problem before; I disabled it and the problem was solved.
Good luck.
