Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vjoshi_FTNT
Staff
Staff

Created on ‎06-26-2015 01:58 AM Edited on ‎02-28-2025 07:26 AM By Moderator

Article Id 192526

Technical Tip: Use of Black hole route in site to site IPsec VPN scenarios

Description

 

This article explains what happens to the traffic when the VPN tunnel goes down with respect to the routing on the FortiGate.
 
Scope
 
FortiGate.


Solution

 

In this scenario, it is assumed that there is a site-to-site VPN between two FortiGates already configured and working.

There are two cases to consider:

 

  1. When the VPN tunnel is down.
  2.  When the VPN tunnel comes back up.

 

  • Usually, when the tunnel is up, the traffic between the two sites happens across the VPN tunnel.

Case 1: When the Tunnel is brought down:

 

  • Using ping to test the traffic.

On-Site A, ping is initiated from a PC:

  • The request reaches the FortiGate.
  •  On the FortiGate, route look-up is done. As the tunnel is down, the request is not sent out through the IPsec tunnel, however, the default route is chosen and sent out.
  •  ISP drops it as the remote host is a private IP.

Case 2: When the Tunnel is up:

  •  If there is a continuous ping request, it hits the same session on the FortiGate and uses the same route in the route cache.
  • Because of the initial request, there is a session created on the FortiGate, and will hold that session for a specific time (based on the session-TTL).
  • By default, the session-TTL for the ICMP is 1 minute.
  • So, if the ping request is re-initiated within this session-ttl time (1 min), the request hits the same session and will never be able to reach the actual destination.

The session can be cleared in this case or wait for the idle timeout to expire.

 

Note:

Executing the 'diagnose sys session clear' command without any filters will clear all sessions currently on the FortiGate.

Refer to this article to clear particular sessions using filters: Technical Tip: Using filters to clear sessions on a FortiGate 


The solution to avoid such a situation to occur is as follows:

  • On a working site-to-site VPN configuration, there should be already a static route created for the remote destination.
  • Now, create a black hole route on the FortiGate for the same destination network with a higher distance than the original one (by default it takes a distance '10'). It is important to note that an AD of 255 cannot be used, because 255 is a special value which means that the route should never be used. (Routes where the preference value is 255 are always discarded.)

 

Syntax for the black hole route:


config router static
    edit {sequence_number>
        set blackhole enable
        set distance 50
        set dst [destination-address_ipv4mask>
    end


This route is active when the tunnel is down. By adding this route the FortiGate is being told to drop the requests silently.

  • So, there are no sessions added on the FortiGate and hence the ping test or the actual traffic or probes should return an immediate response when the tunnel is up.

This also helps in making the network more secure because the traffic that is supposed to enter the encrypted tunnel is now not pushed to the default route (ISP) when the tunnel is down.

 
Note:
If the site-to-site VPN was configured using IPsec Wizard, the blackhole route will be created automatically with an administrative distance of 254. Due to hardware limitations, only a specific number of static routes can be created. The maximum number of static routes can be verified in this document: Maximum Values Table.
To conserve the number of available static routes, it is possible to put all remote subnets of IPsec tunnels in a single address group and create only one black hole route. Under address/address group objects, make sure 'Static route configuration' is enabled. 
 
Additionally, make sure the blackhole route distance stays at 254 (default) if it is being changed then it should have more distance than the other IPSec VPN tunnels. This case is especially true in the case of redundant tunnels, where if the distance of the primary tunnel is 10, the blackhole route is 15, and the secondary tunnel is 20. Then the failover to the secondary tunnel will not happen. Ensure the blackhole stays at a distance of more than the VPN tunnels.
 
addgroup.PNG

 

blackhole.PNG
 
Labels:
120776
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.