Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VPN access issue via a dual ISP connected FW
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN access issue via a dual ISP connected FW
Hi All,
Hoping someone can point me in the right direction as I cannot seem to get the following setup working:
Equipment: 60D
Software: 5.6.0
Internet: Dual WAN Connectivity to 2 x different ISP's
Network Setup
The FW itself currently has two Trusted networks connected locally:
[ul]I also have a small network range defined for Remote Access Users (10.10.254.0/28) who I would like to remotely access the Security Lab (Net B) via an IPSEC VPN.
[ul]Both ISP's provide a default route though I have modified the Interface Admin Distance as follows:
[ul]I 'do not' want to run these links in a load balancing setup.
Problem Statement
I would like the remote access users to VPN in to the FW via the secondary ISP connection (ISP B) so they can access the security lab (Net B) over an ISP link which is not really utilized.
I have set a specific Policy Route for the security lab (Net B) to utilize and use the secondary ISP connection as follows:
Protocol: Any
Source Addr: Net B
Destination Addr: Any
Action: Forward Traffic
Outgoing Interface: WAN2 (ISP B)
Gateway Addr: (Next Hop)
I can see in the routing table (via the routing monitor) that a default route is installed for 'ISP A' on the basis I previously configured a better distance so Net A would use this path.
All outbound traffic from Net A does appear to correctly ollow the default route via ISP A.
All outbound traffic from Net B appears to use the policy route via ISP B (However this route is not shown in the routing monitor)
The issue I have is that no users can currently establish an IPSEC VPN via ISP B to the FW.
Running 'diagnose debug application ike -1' appears to show that new IKE sessions arrive via ISP B though all sessions try to return via ISP A.
My understanding here is that this is probably the correct behavior as the FW only has a single default route installed back via ISP A.
I have previously set both admin distances to the same value and can see both default routes in the routing table, however this caused devices within Net A to use both ISP A & ISP B.
I tried to add a separate static route back to the Remote Access User Range directly via NET B though this made no difference.
Forum Question
Is there a way to force all VPN users trying to connect via ISP B to return via the same interface instead of routing via ISP A (which prevents any IPSEC session establishment) ?
Apologies if this is long winded though wanted to provide as much info as possible as I am probably overlooking something here.
Any help or pointers greatly appreciated !
Cheers
Matt
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I meant to set static default routes toward both with different priority. I don't think you can change priority on DHCP/PPPoE injected routes.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the same cost (leave it default) on both and set a lower priority (higher number like 10) on the B side only, which should provide your desirable behaviour.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I meant to set static default routes toward both with different priority. I don't think you can change priority on DHCP/PPPoE injected routes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi,
Thanks for your reply. So your spot on that both ISP's are 'injecting' default Gateways and they don't have an option to set a higher priority.
Having said that, your suggestion does seem to work as I subsequently created a single static route pointing towards 'ISP B' and kept the distance the same as 'ISP A' (4) though set a priority of (1) on this route.
The resulting output in the routing table shows the following:
xxxxxxxx (Internet) # get router info routing-table static
S* 0.0.0.0/0 [4/0] via x.x.254.1, wan1
[4/0] via x.x.254.254, wan2, [1/0]
If I hover over the priority setting within the 'Static Route' config section then it does state that the priority of routes dynamically learned from routing protocols will always be '0'.
In the above output, the static route for 'wan1' was dynamically added to the routing table by virtue of the received gateway obtained dynamically via ISP A, so I guess this actually does have a priority of '0' though it is not displayed in the above output.
A quick check in the kernel routing table however does however show this:
tab=254 vf=1 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=x.x.254.1 dev=7(wan1)
tab=254 vf=1 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=x.x.254.254 dev=6(wan2)
So really happy this is working and a huge thanks to you !
For future reference for others , i found a really useful document here which explains how Fortinet handles routing with regards to Distance, Priority and Policy Based Routes:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD32103
The key statement for me here was:
Note : the "priority" parameter is used in situation where a static route needs to be present in order to accept incoming traffic and pass the RPF check (anti-spoofing).
Thanks again Toshi. I now have remote VPN users connecting via the secondary ISP to access dedicated equipment, whilst outbound users continue to use the primary ISP.
Matt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad it worked for you.
Labels
-
FortiGate
9,378 -
FortiClient
1,906 -
5.2
801 -
FortiManager
795 -
5.4
639 -
FortiAnalyzer
608 -
FortiSwitch
513 -
FortiAP
507 -
FortiClient EMS
471 -
6.0
416 -
5.6
362 -
FortiMail
339 -
SSL-VPN
302 -
IPsec
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
225 -
FortiNAC
222 -
5.0
196 -
FortiGuard
150 -
SD-WAN
142 -
FortiAuthenticator
132 -
6.4
128 -
Firewall policy
105 -
FortiGateCloud
104 -
FortiSIEM
102 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
82 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
Fortivoice
61 -
FortiEDR
61 -
Routing
58 -
FortiADC
57 -
ZTNA
57 -
VLAN
56 -
DNS
55 -
BGP
52 -
SAML
49 -
RADIUS
48 -
Authentication
48 -
LDAP
48 -
FortiSandbox
47 -
FortiGate-VM
46 -
FortiExtender
46 -
NAT
46 -
Certificate
44 -
SSO
43 -
FortiDNS
42 -
FortiGate v5.4
35 -
VDOM
35 -
FortiSwitch v6.4
34 -
FortiLink
34 -
Application control
34 -
Interface
33 -
FortiConnect
32 -
Logging
31 -
FortiWAN
28 -
Virtual IP
28 -
Web profile
28 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
25 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Traffic shaping
21 -
Static route
21 -
FortiSwitch v6.2
20 -
SSID
20 -
Automation
20 -
SNMP
19 -
FortiMonitor
18 -
WAN optimization
18 -
OSPF
16 -
System settings
16 -
FortiDDoS
15 -
Security profile
15 -
Web application firewall profile
15 -
FortiGate v5.0
14 -
Fortisoar
14 -
FortiCASB
14 -
API
14 -
Admin
14 -
IP address management - IPAM
14 -
IPS signature
13 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Traffic shaping policy
11 -
FortiAP profile
11 -
Intrusion prevention
11 -
FortiBridge
10 -
Explicit proxy
10 -
Port policy
10 -
Web rating
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
DNS filter
9 -
Traffic shaping profile
9 -
Fabric connector
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Users
8 -
Antivirus profile
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
DLP profile
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DoS policy
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2056 | |
| 1173 | |
| 770 | |
| 448 | |
| 341 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.