van_sta
New Contributor III

Vpn drops with starlink

Hello: I have a Fortinet 60F, I changed the wan1 connection to Starlink, addressing mode dhcp and static route with dhcp too. If I enable wan1, the PCs can have internet with Starlink and with the other connection but the VPN drops, I have to disable wan1 for the VPN to work. I don't know if I have something else to configure or if the VPN is configured incorrectly, I have virtual IPs that point to one connection or another, I don't know if it is that, I attached one with the Starlink connection.

We use forticlient for vpn connection.
I hope you can guide me to solve these problems.
Greetings

Attachments: interfaces.png, virtualip.png, static route.png

johnathan
Staff

What distance is the static route for the non-Starlink WAN? They should probably be the same if you intend traffic to go over both links at once. 

"Never trust a computer you can't throw out a window."
van_sta
New Contributor III

Thanks Johnathan for your answer. I attach image.

Attachments: static route wan2.png, static route starlink.png, static route starlink2.png, static routes.png

Toshi_Esumi
SuperUser

I don't think the VIP is affecting the behavior you're seeing. But that VIP is only for VNC/RDP access at TCP 10221. If you have doubts, you can remove it for now. But the VIP might not work well with Starlink since the IP is not static, assigned by the Starlink's router.

For the VPN drop issue, it's up to the other wan (wan2) interface's settings. Depending on your intended usage of both wan connections (load balance with VPN on wan2 only, or all outgoing is for wan1 while VPN coming in wan2, etc.) you need to set (or manipulate) your two default routes intentionally.
If you check the routing table ("get router info routing-table all" in CLI) you would understand why those VPNs are dropped. Likely the default route to wan2 is not there.

 

Toshi

van_sta
New Contributor III

Thanks for responding. We do not do load balancing, when necessary we change the connection by hand. What I do need is for the VPN to go out even through wan2 if it is not possible through both (wan1 and wan2, this would be ideal) and it worked until we changed to starlink. I attach the result of the command you suggested.

 

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.x/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal

Toshi_Esumi

As suspected, you lost the default route toward wan2. That's why VPN dropped obviously.

Is wan2 IP static? Then do you have a static default route to wan2 configured?
Static routes' default distance is 10, while DHCP introduced default route (from wan1) has distance 5. That's why it lost the wan2 default route, if that's the case.

You can either change "distance" of wan1 to 10 "set distance 10", or set 5 as the distance of the static default route to wan2 "set distance 5". 
Either case, you have to set a higher priority on the default route, like 10, than the wan1 default route (priority 1).
So that both default routes would be in the routing table. Then your site-to-site VPN would come up.

 

Toshi

 

van_sta
New Contributor III

Toshi, I am attaching screenshots of how the static routes are.
If I understand correctly, the only thing I have to change is the distance on the interface from wan1 to 10?

Attachments: static route starlink.png, static route starlink2.png, static routes.png, static route wan2.png

Toshi_Esumi

If you set the wan1 distance to 10, both default routes (DHCP one to wan1 and static one to wan2) would be the same in the routing table.
But you're showing "Advanced options: priority 2". I'm not sure what it would do, did you have it from the beginning? Your routing table is showing 1.
In any case, you need to set Priority on the static default route to wan2 to something like 10. Not 1.

 

Toshi

Toshi_Esumi

No. That first screen shot is for the default route. Not interface. You need to change the distance of the interface wan1.
You might need to use CLI to change that.

config system interface
  edit wan1
    set distance 10
  next
end

 

Toshi

van_sta
New Contributor III

Toshi, Yes, I did that, it seems to work now.

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.x.x5, wan2, [1/0]
[10/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.224/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal

Thank you for your help.
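
The routing-table check suggested in this thread, as an added example that is not part of the original posts: a Python parser for the `get router info routing-table all` output that lists the installed default routes and reports any WAN interface without one. The function names are hypothetical, and reading the trailing `[1/0]` as priority/weight is an assumption based on the thread's remark that the routing table shows priority 1.

```python
import re

# "[distance/metric] via <gateway>, <interface>[, [priority/weight]]" as it
# appears in the thread's "get router info routing-table all" output.
# Reading the trailing bracket as priority/weight is an assumption.
ROUTE_RE = re.compile(
    r"\[(\d+)/\d+\]\s+via\s+(\S+),\s+(\S+?)(?:,\s+\[(\d+)/\d+\])?\s*$")

def default_routes(output):
    """Return (interface, gateway, distance, priority) per installed default route."""
    routes, in_default = [], False
    for raw in output.splitlines():
        line = raw.strip()
        fields = line.split()
        if not line.startswith("["):
            # New table entry: the second column is the prefix. Lines that
            # start with "[" are extra next hops of the previous entry.
            in_default = len(fields) > 1 and fields[1] == "0.0.0.0/0"
        m = ROUTE_RE.search(line)
        if in_default and m:
            dist, gw, iface, prio = m.groups()
            routes.append((iface, gw, int(dist), int(prio or 0)))
    return routes

def wans_without_default(output, wan_ifaces):
    """WAN interfaces with no default route, so replies cannot leave through them."""
    have = {r[0] for r in default_routes(output)}
    return [i for i in wan_ifaces if i not in have]

# Route lines copied from the two outputs posted in the thread (addresses
# were redacted by the poster).
BEFORE = """\
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.x/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
"""
AFTER = """\
S* 0.0.0.0/0 [10/0] via x.x.x.x5, wan2, [1/0]
[10/0] via 192.168.1.1, wan1, [1/0]
C x.x.x.224/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, default_routes(text),
              wans_without_default(text, ["wan1", "wan2"]))
```
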
