FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sgiannogloudis
Article Id 268459
Description: This article describes the settings that resolve traffic asymmetry in specific dial-up VPN topologies.
Scope: FortiOS 7.0.1 and later GA releases.
Solution

As an example, a network administrator has implemented the SD-WAN IPsec topology below:

[Figure: Dialup.PNG, the dial-up SD-WAN IPsec topology described below]

  • The spoke FortiGate has two internet connections; the hub has only one.
  • Each spoke FortiGate creates two dynamic tunnels, both terminating on the central hub's dial-up VPN.

In such scenarios, the hub receives the traffic correctly over the main VPN connection. From the spoke's point of view, however, health-check traffic and any other related return traffic is received only over the primary VPN tunnel.

This happens because the hub's dial-up IPsec phase1-interface is configured with 'net-device' disabled. Even when the same spoke has multiple tunnels, the hub always returns traffic over the tunnel with the more preferred route priority, even if the traffic arrived over the other tunnel, which causes the asymmetry.

To solve the issue, apply the following command in the VDOM system settings of the spoke FortiGate:

config system settings
    set location-id X.X.X.X    <-- replace X.X.X.X with a value in the form of an IPv4 address
end

Then, during a maintenance window, flush the tunnels on both the spoke and the hub and restart the IKE service with the following commands:


diagnose vpn ike gateway flush
diagnose vpn ike restart
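The complete procedure as it would be typed on the CLI, followed by the checks that confirm the result, as an added example that is not part of the original article. The location-id value, the assumption that each spoke gets its own unique value, and the verification commands are this example's additions; on a multi-VDOM unit the settings block is entered after selecting the VDOM with 'config vdom' / 'edit <vdom>'.

```fortios
# --- Spoke FortiGate ---
# Give the spoke an IKE location-id so the hub can associate both dial-up
# tunnels with the same remote peer. 10.255.0.1 is a constructed example;
# a distinct value per spoke is assumed.
config system settings
    set location-id 10.255.0.1
end

# --- Spoke AND hub, during the maintenance window ---
# Tear down existing IKE gateways and restart IKE so the tunnels are
# renegotiated with the new identity.
diagnose vpn ike gateway flush
diagnose vpn ike restart

# --- Verification ---
# Both dial-up gateways should come back up, and on the spoke the SD-WAN
# health check should now report status over both tunnel members rather
# than only the primary one.
diagnose vpn ike gateway list
diagnose sys sdwan health-check
```

If the health check still shows only one member alive after the restart, confirm that the location-id was set in the same VDOM that owns the two dial-up tunnels.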