Hello
I'm having problems with local traffic generated by Fortigate and SDWAN rules. When one of the links that make up our SDWAN goes offline, I receive the following error message:
"unable to connect to fortisandbox. Either the appliance is not reachable or this fortigate is not authorized"
Then users start receiving SSL certificate error messages when they try to access a web page, or a message like this:
"Web Page Blocked
An error occurred while trying to rate the website using the webfiltering service. Web Filter Service Error no correct FortiGuard information"
I tried the following commands (available at: link ) but the problem persists:
config log fortiguard setting
set interface-select-method sdwan
end
config system fortiguard
set interface-select-method sdwan
end
I have a 60F with version 7.0.13 build 0566 (Mature)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
May be I'm misunderstanding something in your request but do you expect the traffic is still sent through PPPoE link even if it goes down?
When an interface goes down, any route through that interface is automatically removed from the routing table. That's the normal behavior, otherwise routing will not work properly. I don't think there is a way to change this behavior.
Hello,
When one of the link goes down in SDWAN, does that default route getting removed ?
You can check available default route using the following command:
# get router info routing-table details 0.0.0.0
Also, are you able to ping below FQDN when the issue occurs?
# exec ping service.fortiguard.net
# exec ping update.fortiguard.net
# exec ping guard.fortinet.net
For more details about Fortiguard server connectivity, please refer to following article:
thank you
Apparently the problem only happens when the link involved is a PPPOE link. It seems that the performance SLA cannot disable the default route of this link when it is a PPPOE interface with a fixed gateway set. I will do some more tests.
In your PPPoE interface settings, try set route distance to something higher like 30. And in your SD-WAN settings, set the same interface gateway to dynamic.
putting the PPPOE interface gateway in dynamic mode solved the problem and the route is removed from the routing table when the link goes down. However, this caused the problem reported in this post: link
Try remove those policy routes and configure SD-WAN rules instead.
same behavior that occurs with policy routes. If the PPPOE link goes down, the packets are automatically redirected to another interface, I can't force the output through the PPPOE link, not even with a static route
May be I'm misunderstanding something in your request but do you expect the traffic is still sent through PPPoE link even if it goes down?
When an interface goes down, any route through that interface is automatically removed from the routing table. That's the normal behavior, otherwise routing will not work properly. I don't think there is a way to change this behavior.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.