cannot ping or http after configuring sdwan static route

BusinessUser · ‎08-31-2023

I newly implemented sd wan.

My sdwan has only 1 WAN interface.

I remove the previous static route configured on the wan interface.

I put a new static route for the sdwan interface.

Now i cannot ping or https from the wan interface.

Why?

maulishshah · ‎09-08-2023

Hi,

Sorry for misunderstanding the question.

The Lan link is SDWAN Zone?

If yes, from the version 7.0 and above it gives you option to configure two static routes with the different SDWAN Zone.

If the LAN is not part of the SDWAN then there is no possiblity to configure the two static route.

SDWAN it self has perfromance SLA, where you can enable the feature of "update static route", if WAN failed then whatever the best route is available it will choose.

Again I am sorry if I am not understanding the question correctly.

Thanks.

Maulish Shah

View solution in original post

pgautam · ‎08-31-2023

Hi @BusinessUser

Thank you for posting your query.

SDWAN configuration does not affect the wan interface access.

Could you please confirm the routing table to check whether the configured route is available in the RIB table or not?

get router info router-table details

get router info routing-table database

If you see the route in the inactive state then check the performance sla in SDWAN whether it is up or dead.

Regards
Priyanka

- Have you found a solution? Then give your helper a "Kudos" and mark the solution

BusinessUser · ‎08-31-2023

Lost access to it. Have to go down on site.

If the static route to the wan is lost, there is supposed to be another static route to go to another part of the internal network.

But what i did previously:

Amend firewall rules and removed wan1.

configure performance sla.

Add wan1 in sd-wan-link.

Amend firewall rules and replace wan1 with sd-wan link.

Remove wan1 static route and put sd-wan-link static route.

Not sure why i cant access fw from outside now.

BusinessUser · ‎08-31-2023

I need to ask.

Can i create a static route based on physical interface and not based on sdwan interface instead?

pgautam · ‎08-31-2023

Hi @BusinessUser

If you have created the default static route using SDWAN then try to create it through the physical interface it will through the duplicate route error.

Once you have firewall access then check the SLA status and make sure it is alive.

Regards
Priyanka

- Have you found a solution? Then give your helper a "Kudos" and mark the solution

BusinessUser · ‎09-03-2023

Will do.

What is the difference if I create a static route with a wan interface vs i create a static route with sd wan link with 1 single member?

BusinessUser · ‎09-03-2023

Ha. I understand what is wrong.

I have a 0.0.0.0/0 to sdwan interface wan1.

I also have 0.0.0.0/0 to a physical lan interface.

I cannot put these 2 static routes together. Is there any way to resolve this?

pgautam · ‎09-03-2023

Hi @BusinessUser

If you configure a static route for a destination that references a zone(SDWAN zone), FortiOS does not allow you to configure a static route for the same destination that references an interface. In SDWAN these routes are known as duplicate routes.

For example, if you have configured a default route using the SDWAN zone then you can not create a static route using the physical interface it will show an error.

Please find the attached screenshot from the lab device:-

The default static route is there using the SDWAN Virtual-wan-link

When trying to create another default route using the physical interface throws the error:-

Regards
Priyanka

- Have you found a solution? Then give your helper a "Kudos" and mark the solution

BusinessUser · ‎09-04-2023

If you configure a static route for a destination that references a zone(SDWAN zone), FortiOS does not allow you to configure a static route for the same destination that references an interface. In SDWAN these routes are known as duplicate routes.

Is there any suggested solutions for this?

For default traffic I want to forward to the SD wan interface.

If the sd wan interface fails, I want to forward it to a local interface.

Christian_89 · ‎09-03-2023

If you are unable to ping or access HTTPS after configuring a new static route on the SD-WAN interface, it's essential to troubleshoot the issue step by step. Here are some common troubleshooting steps to identify and resolve the problem:

1. **Check the Static Route Configuration**:
- Verify that the static route you added on the SD-WAN interface is correctly configured. Double-check the destination network, gateway (next hop), and subnet mask.

2. **Routing Table**:
- Ensure that the new static route has been added to the routing table of the device.
- Check the routing table to confirm that the traffic is being directed to the correct next hop.

3. **Default Route**:
- Make sure that you still have a default route (0.0.0.0/0) pointing to the WAN interface. Without this route, your device may not know how to send traffic to the internet.

4. **Firewall Rules**:
- Review the firewall rules on your device. Ensure that there are no rules that might be blocking ICMP (ping) or HTTPS traffic.
- Confirm that there are rules allowing traffic from the WAN interface to the SD-WAN interface.

5. **SD-WAN Policies**:
- Check the SD-WAN policies and ensure that they are correctly configured to route traffic to the desired destinations over the appropriate interfaces.
- Verify that the SD-WAN policy for internet-bound traffic is correctly set to use the WAN interface.

6. **Physical Connection**:
- Confirm that the physical connection between the WAN interface and your internet gateway is secure and functional. Ensure that the cables are properly connected.

7. **Gateway Device Configuration**:
- If your SD-WAN device is not the edge device connecting to the internet, check the configuration of the gateway device (e.g., router or modem) connected to your WAN interface.
- Ensure that the gateway device is configured to allow traffic from your SD-WAN device.

8. **Packet Capture**:
- You can use packet capture tools or diagnostics on your SD-WAN device to trace the path of packets leaving the WAN interface and entering the SD-WAN interface. This can help pinpoint where the issue is occurring.

9. **Log Analysis**:
- Review system logs and logs related to the SD-WAN configuration. Look for any error messages or indications of issues.

10. **Rollback Configuration**:
- If you made changes to the configuration just before the issue occurred, consider rolling back to the previous configuration to see if the problem is resolved.

11. **Vendor Support**:
- If you are unable to identify and resolve the issue, consider reaching out to your device's vendor support or consulting with a network specialist who can provide assistance.

It's important to approach troubleshooting systematically and document your steps and findings to help diagnose and resolve the issue effectively. Additionally, ensure that any changes you make to the configuration are done carefully to avoid disrupting network connectivity further.