SD-WAN issue
Hi,
I have 2 connections for internet; port1 and port2 are connected to ISPs for the internet connection.
Let's say
ISP 1: 191.X.1.0/24
ISP 2: 191.X.2.0/24
Interface IPs:
port1 191.X.1.2/24
port2 191.X.2.2/24
I have created IP pools like below:
isp1
192.168.2.0 - SNAT 191.X.1.100
192.168.3.0 - SNAT 191.X.1.101
isp2
192.168.2.0 - SNAT 191.X.2.100
192.168.3.0 - SNAT 191.X.2.101
Now the problem is that at random intervals the traffic stops. But it works if I change the IP pool to the outgoing interface IP.
It was working; this happened recently.
One thing I noticed in the log: it chooses the destination port1 instead of port2 when the problem happens, but the SD-WAN rule is correct, it shows port2.
(In the SD-WAN rule I have only one interface assigned, which is ISP2.)
Source
-----------------------------------
Source 192.168.2.10
Source NAT IP 191.X.2.100
Destination
-----------------------
Destination 8.8.8.8
port1 -------------> it is supposed to be port2
other
---------------
Policy Name test1
SD-WAN Quality Seq_num(2 port2), alive, selected (here showing correct port )
SD-WAN Rule Name sdwan_rule9------------------- (matching sdwan rule )
sd-wan rule
------------------------------------------
edit 9
set name "sdwan_rule9"
set dst "all"
set src "192.168.2.10"
set priority-members 2 (Only ISP 2 assigned )
next
ippool ------------
edit "ISP2-100"
set startip 191.X.2.100
set endip 191.X.2.100
set arp-reply disable
set associated-interface "port2"
set comments "191.X.2.100"
next
policy
-------------------
set name "test1"
set srcintf "LAN"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "192.168.2.10"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set nat enable
set ippool enable
set poolname "ISP2-100"
Please help
Labels: FortiGate
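The symptom in the log above (SNAT address taken from the port2 pool while the session egresses on port1) can be flagged automatically. Added example, not code from the thread or from Fortinet: a Python script that correlates FortiOS-style key=value traffic-log lines against each IP pool's associated interface. The pool names, the addresses (the thread's 191.X written as 191.0 as a placeholder), the sample log lines and the log field names (srcip, dstip, dstintf, transip, policyname, vwlname) are assumed.

```python
import ipaddress
import re

# Constructed: the thread's IP pools and their associated interfaces.
# "191.X" in the thread is written here as 191.0 (placeholder second octet).
IPPOOLS = {
    "ISP1-100": {"startip": "191.0.1.100", "endip": "191.0.1.100", "associated-interface": "port1"},
    "ISP2-100": {"startip": "191.0.2.100", "endip": "191.0.2.100", "associated-interface": "port2"},
}

# Constructed sample traffic-log lines in FortiOS-style key=value form; the field
# names are assumed and do not come from the post. Line 3 is the bad case from
# the thread; line 4 uses the interface IP (no pool), so it is not compared.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 srcip=192.168.2.10 dstip=8.8.8.8 dstintf="port2" transip=191.0.2.100 policyname="test1" vwlname="sdwan_rule9"
date=2024-01-01 time=10:00:02 srcip=192.168.3.10 dstip=1.1.1.1 dstintf="port1" transip=191.0.1.100 policyname="test2" vwlname="sdwan_rule8"
date=2024-01-01 time=10:05:17 srcip=192.168.2.10 dstip=8.8.8.8 dstintf="port1" transip=191.0.2.100 policyname="test1" vwlname="sdwan_rule9"
date=2024-01-01 time=10:05:18 srcip=192.168.2.11 dstip=8.8.8.8 dstintf="port2" transip=191.0.2.2 policyname="test3" vwlname="sdwan_rule9"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def pool_for_ip(ip, pools=IPPOOLS):
    """Return the name of the IP pool whose startip-endip range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, pool in pools.items():
        if ipaddress.ip_address(pool["startip"]) <= addr <= ipaddress.ip_address(pool["endip"]):
            return name
    return None

def find_snat_egress_mismatches(log_text, pools=IPPOOLS):
    """Return records whose SNAT address belongs to a pool but whose egress
    interface (dstintf) is not that pool's associated interface."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        pool = pool_for_ip(rec["transip"], pools) if "transip" in rec else None
        if pool is None:
            continue  # not SNATed from a known pool (e.g. interface IP): nothing to compare
        expected = pools[pool]["associated-interface"]
        if rec.get("dstintf") != expected:
            findings.append({"time": rec.get("time"), "srcip": rec.get("srcip"),
                             "transip": rec["transip"], "pool": pool,
                             "dstintf": rec.get("dstintf"), "expected_intf": expected})
    return findings

if __name__ == "__main__":
    for finding in find_snat_egress_mismatches(SAMPLE_LOGS):
        print(finding)
```

On a real box the same check can be fed from exported traffic logs; a hit means a session left through an interface other than the one the pool is tied to, which is exactly the state the thread describes.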
Hi Sims
- Which FortiOS version?
- What do you see in performance SLA when the issue appears?
- When you say "But it works if I change Ippool to outgoing interface ip", does it simply mean that this is the correct SNAT instead of 191.x.2.100?
7.2
Here the performance SLA is manual; there is a significant alert with the SD-WAN member dead or alive.
When I say "But it works if I change Ippool to outgoing interface ip", I mean it uses 191.X.2.2/24 for SNAT instead of 191.X.2.100.
Thanks
If it's not already enabled, you should enable this.
config system global
set snat-route-change enable
end