This article explains what happens to the traffic when the VPN tunnel goes down with respect to the routing on the FortiGate.
In this scenario, it is assumed that there is a site-to-site VPN between two FortiGates already configured and working.
There are two cases to consider:
1) When the VPN tunnel is down.
2) When the VPN tunnel comes back up.
- Usually, when the tunnel is up, the traffic between the two sites happens across the VPN tunnel.
Case 1: When the Tunnel is brought down:
- Using ping to test the traffic.
On-Site A, ping is initiated from a PC.
- Request reaches the FortiGate.
- On the FortiGate, route look-up is done. As the tunnel is down, the request is not sent out through the IPsec tunnel, however the default route is chosen and sent out.
- ISP drops it as the remote host is a private IP.
Case 2: When the Tunnel is up:
- If there is a continuous ping request, it hits the same session on the FortiGate and uses the same route in the route cache.
- Because of the initial request, there is a session created on the FortiGate and will hold that session for a specific time (based on the session-TTL).
- By default, the session-TTL for the ICMP is 1 minute.
- So, if the ping request is re-initiated within this session-ttl time (1 min), the request hits the same session and will never be able to reach the actual destination.
The session can be cleared in this case or wait for the idle timeout to expire.
The solution to avoid such a situation to occur is as follows:
- On a working site-to-site VPN configuration, there should be already a static route created for the remote destination.
- Now, create a black hole route on the FortiGate for the same destination network with a higher distance than the original one (by default it takes the distance '10'). It's mandatory to note that you can't use AD of 255, because 255 is a special value which means that the route should never be used. (and always discards routes whose preference value is 255).
Syntax for the black hole route:
# config router static
set blackhole enable
set distance 50
set dst [destination-address_ipv4mask>
This route is active when the tunnel is down. By adding this route the FortiGate is being told to drop the requests silently.
- So, there are no sessions added on the FortiGate and hence the ping test or the actual traffic or probes should return an immediate response when the tunnel is up.
This also helps in making the network more secure because the traffic which is supposed to enter the encrypted tunnel is now not pushed to the default route (ISP) when the tunnel is down.