- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- WAN Link Load Balancing with DUAL WAN and IPSEC tu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN Link Load Balancing with DUAL WAN and IPSEC tunnel per WAN interface?
Hi Guys,
I've searched far and wide for an answer to my query and cannot find it anywhere! So hoping you can help.
I am configuring a new Fortigate 800D running 5.4.2. It will have dual WAN interfaces over different ISPs, so to cater for this I have configured WAN Link Load Balancing. All this is working perfectly.
The stumbling block I'm hitting is creating redundant IPSEC tunnels to the same remote IP. So scenario is:
Site 1 = two WAN connections 1.1.1.1 and 2.2.2.2
Site 2 = 1 WAN connection 3.3.3.3
I have created two IPSEC tunnels at both sites. Site 1 has one for each source WAN connection, going to the remote IP 3.3.3.3 and site 2 has 1 for each remote WAN IP, going from the same source IP 3.3.3.3.
The first IPsec tunnel comes up fine. The 2nd one doesn't and a diag debug application ike -1 shows "error 101:Network is unreachable".
Checking the routing monitor, it shows the default route is statically configured to use the wan1 connection (where the ip of the working IPSEC tunnel resides). The static route I've actually configured points to the wan-load-balance virtual interface that is created as part of WLLB.
Have I hit an incompatibility here or is there a workaround so that I can get IPSEC tunnels up to both WAN links in a WLLB config?
Labels:
- Labels:
-
5.4
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is an old post but I have the same issue - can't seem to get both WAN1 and WAN2 at site 1 to use the same IP for Site 2. Only site 1 has redundant internet - Site 2 only has 1 link.
Any info on this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi FirewallNoob. This was a while ago, our issue was the way that Wan Link Load Balancing had been configured on the Fortigate with redundant WAN connections. WLLB was configured to use the "Volume" Load Balancing Algorithm, and weighted 100 on one WAN link and 0 on another. This was done as the 2nd WAN link was intended to be used as a backup link, and only to be used in the event of an outage on WAN1. Unfortunately, setting the weight to 0 removes routes from the routing table, causing the issue described here.
Instead, we have selected the "Source IP" load balancing algorithm. Each static route now has 2x routes, one for each WAN link. The routes for the secondary wan link are configured with a priority of 100 whilst the routes for the primary link are configured with a priority of 0, meaning the fortigate uses the primary wan link unless down and WLLB does it stuff.
So in the first instance, I would check how WLLB is configured to see if its this that's causing the issue
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it. Thanks for the update!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem. Let me know how you get on, as I've had a baptism of fire with WLLB!
Related Posts
- Solution for Article 239709 not working... 117 Views
- no traffic in IPSEC vpn tunnel... 135 Views
- Implementing FGSP with OSPF ECMP based... 140 Views
- SSL VPN Country Restriction 547 Views
- Virtual IP for npm breaks my... 432 Views
Labels
-
FortiGate
6,733 -
FortiClient
1,341 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
107 -
FortiSIEM
92 -
FortiGateCloud
88 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
68 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
32 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Logging
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Web rating
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.