Hi Guys,
I've searched far and wide for an answer to my query and cannot find it anywhere! So hoping you can help.
I am configuring a new FortiGate 800D running 5.4.2. It will have dual WAN interfaces over different ISPs, so to cater for this I have configured WAN Link Load Balancing. All this is working perfectly.
The stumbling block I'm hitting is creating redundant IPsec tunnels to the same remote IP. So the scenario is:
Site 1 = two WAN connections 1.1.1.1 and 2.2.2.2
Site 2 = 1 WAN connection 3.3.3.3
I have created two IPsec tunnels at both sites. Site 1 has one for each source WAN connection, going to the remote IP 3.3.3.3, and site 2 has one for each remote WAN IP, going from the same source IP 3.3.3.3.
The first IPsec tunnel comes up fine. The 2nd one doesn't, and a "diag debug application ike -1" shows "error 101:Network is unreachable".
Checking the routing monitor, it shows the default route is statically configured to use the wan1 connection (where the IP of the working IPsec tunnel resides). The static route I've actually configured points to the wan-load-balance virtual interface that is created as part of WLLB.
Have I hit an incompatibility here, or is there a workaround so that I can get IPsec tunnels up to both WAN links in a WLLB config?
I know this is an old post but I have the same issue - can't seem to get both WAN1 and WAN2 at site 1 to use the same IP for Site 2. Only site 1 has redundant internet - Site 2 only has 1 link.
Any info on this?
Hi FirewallNoob. This was a while ago; our issue was the way that WAN Link Load Balancing had been configured on the FortiGate with redundant WAN connections. WLLB was configured to use the "Volume" load balancing algorithm, weighted 100 on one WAN link and 0 on the other. This was done as the 2nd WAN link was intended to be used as a backup link, and only to be used in the event of an outage on WAN1. Unfortunately, setting the weight to 0 removes routes from the routing table, causing the issue described here.
Instead, we have selected the "Source IP" load balancing algorithm. Each static route now has two routes, one for each WAN link. The routes for the secondary WAN link are configured with a priority of 100 whilst the routes for the primary link are configured with a priority of 0, meaning the FortiGate uses the primary WAN link unless it is down, and WLLB does its stuff.
So in the first instance, I would check how WLLB is configured to see if it's this that's causing the issue.
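An illustrative FortiOS CLI fragment showing the two WLLB configurations the reply above contrasts (the weight-0 backup member that drops routes, and the source-IP mode with member priorities). This is an added example, not configuration from the thread or from Fortinet; it assumes the 5.4-era CLI names (config system virtual-wan-link, load-balance-mode, member weight/priority, and a static route with device "virtual-wan-link"), and the gateway addresses are placeholders.

```fortios
# --- Problematic form: volume-based mode with the backup member weighted 0.
# Assumption: a weight of 0 leaves that member with no route, so a tunnel
# bound to wan2 gets "Network is unreachable" when IKE tries to send.
config system virtual-wan-link
    set status enable
    set load-balance-mode measured-volume-based   # GUI: "Volume"
    config members
        edit 1
            set interface "wan1"
            set gateway 1.1.1.254    # placeholder ISP1 gateway
            set weight 100
        next
        edit 2
            set interface "wan2"
            set gateway 2.2.2.254    # placeholder ISP2 gateway
            set weight 0             # intended as "backup"; removes its route
        next
    end
end

# --- Corrected form: source-IP mode, both members routed, primary preferred
# by priority (lower value wins) instead of by a zero weight.
config system virtual-wan-link
    set status enable
    set load-balance-mode source-ip-based          # GUI: "Source IP"
    config members
        edit 1
            set interface "wan1"
            set gateway 1.1.1.254
            set priority 0           # primary: used while wan1 is up
        next
        edit 2
            set interface "wan2"
            set gateway 2.2.2.254
            set priority 100         # secondary: route stays installed
        next
    end
end

# The single default route still points at the WLLB virtual interface;
# WLLB installs one route per member from it (two entries in the monitor).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "virtual-wan-link"
    next
end
```

After applying, "get router info routing-table all" should list a default route via each member, which is the condition the second IPsec tunnel needs.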
Got it. Thanks for the update!
No problem. Let me know how you get on, as I've had a baptism of fire with WLLB!