Hi there!
We have version 6.4.5 installed on our FWG100F.
I have configured dynamic routing through BGP and am using a performance SLA to our DataCenter via two paths (optical fibre and IPsec tunnel).
When the fibre (main) goes down, the secondary route "IPsec tunnel" comes up correctly, but when the main line recovers, the firewall keeps the old sessions, which go out through the wrong (standby) interface and do not work correctly.
Researching, I have read that this can be solved for NAT connections by enabling "snat-route-change", but in our case the sessions are not NATed, being internal communication. We have tested it and it works, but obviously we can't use it since it is internal communication and we always need to be able to see the origin of the communications.
Does anyone know what could be going on? I've read that others don't have the same problem with IPsec sessions and performance SLA without NAT.
I appreciate any advice!
Created on 01-10-2022 12:05 PM
Hello,
Can you confirm if you have also configured SD-WAN?
Hello! Thanks for your reply.
Yes, I'm using SD-WAN with the interface of the main circuit participating in the performance SLA.
When it goes down, the standby circuit comes up correctly, but when the main comes back up, the routes go to the main circuit while the sessions are still running through the standby interface and do not work.
I have a similar issue to yours: in my scenario I have fiber as the primary line and IPsec as backup, and both of them establish a BGP peer to advertise routes.
During failover some sessions will go down. Here are some debug outputs; common reasons are RPF check failure and no active session on the FortiGate (FG 200F, v7.2.1).
And I found this tcp-session-without-syn option in the policy. I think it may work well; I have tested it several times. Not sure if this is an elegant solution; I'm waiting for my local support to respond, just putting it here ahead of time.
Hi There,
I believe you should enable the snat-route-change feature:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-SNAT-route-change-to-update-existing...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Changes-and-SNAT-snat-route-...
Hi @ellocodelacommencal ,
This is a pretty old topic but, since it was brought to our attention again, on top of what was already shared, can you check whether "preserve session route" is set to enabled on the interface.
More info available at Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library
Hi @aahmadzada ,
Thanks, but in my environment I don't have any NAT config since our network is a flat fabric: two sites connected by the fiber leased line or IPsec, and all traffic is L3 routed without NAT.
So the problem I face here is that when BGP goes down, all sessions break and my users can feel it (which is not great for me).
And hi @aionescu, I tried the preserve-session-route option as well, but it doesn't help me.
From debug flow I can see the complaints "RPF fail" and "no session".
RPF, I think, is because the two sides' BGP convergence times are not equal, and "no session" TAC told me is because traffic arrived before the routing change, so the session was not "dirty" at that time and FGT marked this traffic "no session".
I don't know if I'm right, but I enabled TCP session without SYN and it looks good now.
I'm assuming both sides are advertising/learning the same routes to/from the other end on both circuits with eBGP. Then I would set the local preference on the primary learned routes higher than secondary. Then when the primary BGP comes back up, almost instantaneously the primary routes would take over from the backup ones.
Toshi
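The thread mentions four FortiOS knobs without showing how they are set. The following FortiOS CLI is an added example, not configuration posted by anyone in this thread, collecting them in one place: the route-map/local-preference approach from Toshi's reply, preserve-session-route from aionescu's reply, tcp-session-without-syn from the reply that reported it working, and snat-route-change noted as the NAT-only option. Interface names ("port1", "dc-ipsec"), policy id 10, neighbor 10.0.0.1 and the route-map name "LP-PRIMARY" are assumptions; replace them with your own values.

```fortios
# Added example, not configuration from any poster in this thread.
# Assumed names: "port1" (fibre), "dc-ipsec" (IPsec tunnel interface),
# policy 10 (site-to-site policy), BGP neighbor 10.0.0.1 reached over the fibre,
# route-map "LP-PRIMARY". Replace with your own values.

# 1. Prefer routes learned from the fibre neighbor so the primary path
#    wins as soon as BGP over the fibre re-establishes (Toshi's suggestion).
config router route-map
    edit "LP-PRIMARY"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end
config router bgp
    config neighbor
        edit "10.0.0.1"
            set route-map-in "LP-PRIMARY"
        next
    end
end

# 2. Keep existing sessions on the interface they were created on
#    (aionescu's suggestion; reported as not helping in this thread).
config system interface
    edit "port1"
        set preserve-session-route enable
    next
    edit "dc-ipsec"
        set preserve-session-route enable
    next
end

# 3. Accept mid-stream TCP packets without a SYN on the site-to-site policy
#    only (the option the thread reports as working). This relaxes stateful
#    inspection for that policy, so scope it to the internal site-to-site
#    traffic rather than enabling it on every policy.
config system settings
    set tcp-session-without-syn enable
end
config firewall policy
    edit 10
        set tcp-session-without-syn all
    next
end

# 4. snat-route-change only re-evaluates SNATed sessions after a route
#    change; it does nothing for the un-NATed internal traffic described here.
# config system global
#     set snat-route-change enable
# end
```

After a failback, confirm which path the sessions are using with `diagnose sys session list` (filtered with `diagnose sys session filter`) and watch for the "RPF fail" / "no session" messages with `diagnose debug flow`; if sessions still show the standby interface, the route-map change in step 1 has not taken effect on both peers.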