- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPsec VPN, TTL and ruting when VPN is down
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPsec VPN, TTL and ruting when VPN is down
We have 5 VPN' s in Interface-mode from HQ to 5 regional offices. When one of the VPN-nodes is down for å short moment, I see that trafic for this node is trying to use the next possible path from routingtable, which normally is the default gateway (=> WAN). When the link and VPN is re-etablished, those sessions have tendense to hang according to TTL-parameter for this session. Due to increased TTL-value and aggressive polling (WhatsUp), those sessions will hang for ever.
I have therefor added a new " DENY => internal-address" -rule first in my firewallset for Internal - WAN, (I guess this should have been there initially?).
But I have had similar issues on nodes where I have allowed failover-VPNs with lower priority; also here I have seen that sessions are " hanging" on secondary VPN-route even after primary VPN is re-etablished. This result in inconsistent routing and dropped packages.
Whats is best (and failproof) praxis for this issue?
Yngve
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The recommend way is to create a black hole route for segments on the vpn.
config router static
edit 0
set dst <segment/subnet>
set blackhole enable
set distance 254
end
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks;
I wasnt aware of the Blackhole-routing function.
But what about the scenario with alternative, secondary link:
But I have had similar issues on nodes where I have allowed failover-VPNs with lower priority; also here I have seen that sessions are " hanging" on secondary VPN-route even after primary VPN is re-etablished. This result in inconsistent routing and dropped packages.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, that' s one reason to certify, I always elaborate on this issue during 301 class.
For your other scenario, one way is to have different metrics for the pri and sec vpn route. You can also use OSPF on the vpn network, if you have route based VPN' s
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For your other scenario, one way is to have different metrics for the pri and sec vpn route. You can also use OSPF on the vpn network, if you have route based VPN' sI will try to set it up with OSPF, it may be easier than I first expected. But; There are one (big?) challange here; I need to route all internet-trafic (0.0.0.0/0) from remote site via HQ due to IP-restriction on several WEB-services and -subscribtion. Today this is solved with policy based VPN in " remote" -end and interface based VPN in HQ-end. Can I use 0.0.0.0/0 (DefGW) as " Network" in OSPF and have a static route with lower metric for HQ WAN-IP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you can. Use a static metric of 200 (or so) for the static route. The OSPF route will have a metric of 110.
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank for help, but only partly succeeded. . . .
I can now see that routes are distributed but I got double of all routing entries;
- one heading for the remote VPN-interface
- one heading for the remote wan interface which is carrying the VPN-tunnel.
Seems like it try to route all trafic against the remote WAN interface instead throught the tunnel. Which is of course not allowed according fw-rules and therefor fail.
I have only the VPN-interface' s in the OSPF-conf, not OSPF-entry for any wan-interfaces. . .
What could be wrong?
FG200A (OSPF-Test) # get rou info ospf nei OSPF process 0: Neighbor ID Pri State Dead Time Address Interface 10.10.88.2 1 Init/ - 00:00:38 10.255.255.238 VPN_Internal4 10.10.88.1 1 Full/ - 00:00:33 10.255.255.242 VPN_Internal3 10.10.88.2 1 Full/Backup 00:00:33 10.255.255.250 internal4 10.10.88.1 1 Full/Backup 00:00:39 10.255.255.254 internal3 FG200A-VetInst (OSPF-Test) #Part of reply on get rou info rout all
O 10.10.88.1/32 [110/110] via 10.255.255.242, VPN_Internal3, 00:20:04
[110/110] via 10.255.255.254, internal3, 00:20:04
O 10.10.88.2/32 [110/110] via 10.255.255.238, VPN_Internal4, 00:01:58
[110/110] via 10.255.255.250, internal4, 00:01:58
Confusement (inconsistent) in the ip-structur, due to LAB-enviroment. I presume it will never occur in real life, SORRY . .
Yngve
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OSPF solved 95% of it, but I still need some additonal, static routes. I see that the static routing entry sometimes disappear from the monitor when the assigned VPN-tunnel is down. Other times, the static route are still in monitor and it try to route trafic over a VPN that is down.
Anybody who can clarify how this should work?
Y
Related Posts
- Aggregate dial-up IPsec tunnel 85 Views
- FMG: Error on installing policy package... 53 Views
- WAN Design using iBGP SD-WAN (optional... 67 Views
- ipsec vlan s2s loopback port not... 76 Views
- How can i change MTU of... 122 Views
Labels
-
FortiGate
6,905 -
FortiClient
1,364 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
435 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
278 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
120 -
FortiGuard
110 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
82 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
DNS
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiCASB
13 -
FortiDDoS
13 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
WAN optimization
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 818 | |
| 446 | |
| 440 | |
| 130 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.