Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mgauthier
New Contributor

Created on ‎09-22-2023 11:03 PM

VPN route prefered over L2 in OSPF

Hello,

I'm having some trouble to change my OSPF topology.

Firewall site4-fw1 is in Area 1 and everything else in Area 0.

At this time site4-fw1 prefered to used direct VPN to contact 10.10.1.0/24 on site1 (blue square).

 

Interface cost is ok. 100 for VPN and 1 for L2 link.

In OSPF database, LSA for both network is the same (metric 10)

 

Do you have any idea ? Should I tried to set a route map to force metric ?

 

chrome_425oVN4kgE.png

Labels:
959
0 Kudos
5 REPLIES 5
hbac
Staff
Staff

Created on ‎09-23-2023 07:41 AM

Hi @mgauthier

 

Can you check the routing table by running "get router info routing-table detail 10.10.1.1" in the CLI? 

 

Regards, 

933
0 Kudos
mgauthier
New Contributor
In response to hbac

Created on ‎10-01-2023 09:27 AM

FortiGate-VM64-KVM # get router info routing-table details 10.10.1.0

Routing table for VRF=0
Routing entry for 10.10.1.0/24
Known via "ospf", distance 110, metric 10, best
Last update 00:01:50 ago
* 100.65.0.5, via vpn1 distance 0

 

FortiGate-VM64-KVM # get router info routing-table details 10.10.1.1

Routing table for VRF=0
Routing entry for 10.10.1.0/24
Known via "ospf", distance 110, metric 10, best
Last update 00:01:56 ago
* 100.65.0.5, via vpn1 distance 0

863
0 Kudos
hhasny
Staff
Staff

Created on ‎09-24-2023 06:15 PM

Hi,

Is the VPN route a static route?

Static route would have lower AD if compare to OSPF.

Lower AD would be preferred.

Checked the routing database table 'get router info routing-table database' and see the ADs.

 

regards

913
0 Kudos
mgauthier
New Contributor
In response to hhasny

Created on ‎10-01-2023 09:28 AM

No, the only static route is the fake public ip for the vpn 

FortiGate-VM64-KVM # sh router static
config router static
edit 1
set dst 80.0.1.0 255.255.255.252
set gateway 80.0.4.2
set device "port2"
next
end

FortiGate-VM64-KVM

862
0 Kudos
mgauthier
New Contributor

Created on ‎10-01-2023 10:19 AM

This lab has been done on Eve NG with :

  • FGT VM KMV 6.4.14
  • Arista Veos 4.29.4M
  • VPCs (Native)
 

You can find all config change/add below to reproduce

 

 

 

image.png

simulationwan.txt 

site1-fw1.txt 

site2-fw1.txt 

site2-sw1.txt 

site3-sw1.txt 

siite4-fw1.txt 

site5-fw1.txt 

857
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.