Support Forum
UnderscoresAndDashes
New Contributor III

Some SD-WAN (BGP) routes discovered on wan interface.

My issue is that if I have 2 dialup tunnels on a remote gate, each dialup connected to a separate ISP, and I lose the primary ISP that is connected to dialup tunnel 1 so that dialup tunnel 2 (separate ISP) picks up the routing, then some routes are discovered on the correct dialup interface, but others show as being discovered via the wan interface.

I am not sure what the problem is. 

See below:

[Screenshot: SDWANRouting issue.png]

This is in a test environment. The gates are on 7.2.8.

Remote Gate

config vpn ipsec phase1-interface
    edit "advpn_1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw x.x.x.x
    next
end

config vpn ipsec phase2-interface
    edit "advpn_1_p2"
        set phase1name "advpn_1"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end


config vpn ipsec phase1-interface
    edit "advpn_2"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw x.x.x.x
    next
end

config vpn ipsec phase2-interface
    edit "advpn_2_p2"
        set phase1name "advpn_2"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end


Hub Dialup config

config vpn ipsec phase1-interface
    edit "advpn_1"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set auto-discovery-receiver enable
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "advpn_1_p2"
        set phase1name "advpn_1"
        set proposal aes256-sha256
    next
end


config vpn ipsec phase1-interface
    edit "advpn_2"
        set type dynamic
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set auto-discovery-receiver enable
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "advpn_2_p2"
        set phase1name "advpn_2"
        set proposal aes256-sha256
    next
end


Thank you for any help. 

UnderscoresAndDashes
New Contributor III

I should also mention that the remote gate dialup tunnels are in an SD-WAN zone, have an SLA, and have an SD-WAN rule based on best quality. Routing works correctly regardless of which dialup is selected by the rule, unless I lose an ISP and one tunnel goes down. Then routing gets all weird.

holmes
New Contributor

Hi,


I'm sure this is because your SLA option "update static route" is enabled. I had the same problem before; I disabled it and the problem was solved.


Good luck.
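The option holmes refers to sits on the SD-WAN health-check (performance SLA), not on the tunnel. The following is an added example, not config from either poster; the health-check name "hub_sla", the probe server address and the member sequence numbers are placeholders to be matched to the dialup members of your SD-WAN zone:

```fortios
# Added example (not from the thread). "hub_sla", 10.0.0.1 and the
# member sequence numbers are placeholders.
config system sdwan
    config health-check
        edit "hub_sla"
            # probe target reachable over both dialup tunnels
            set server "10.0.0.1"
            # seq-nums of the advpn_1 / advpn_2 zone members
            set members 1 2
            # The option the reply points at. Left enabled, a member
            # failing its SLA also updates static routes that use it;
            # disabled, route selection is left to BGP over the tunnels.
            set update-static-route disable
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 2
                next
            end
        next
    end
end

# Check after failing the primary ISP: SLA state per member, and that
# the hub-side prefixes are learned via the surviving tunnel interface.
diagnose sys sdwan health-check "hub_sla"
get router info routing-table bgp
```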
