Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mgauthier
New Contributor

Created on ‎09-22-2023 11:03 PM

VPN route prefered over L2 in OSPF

Hello,

I'm having some trouble to change my OSPF topology.

Firewall site4-fw1 is in Area 1 and everything else in Area 0.

At this time site4-fw1 prefered to used direct VPN to contact 10.10.1.0/24 on site1 (blue square).

 

Interface cost is ok. 100 for VPN and 1 for L2 link.

In OSPF database, LSA for both network is the same (metric 10)

 

Do you have any idea ? Should I tried to set a route map to force metric ?

 

chrome_425oVN4kgE.png

Labels:
1247
0 Kudos
5 REPLIES 5
hbac
Staff
Staff

Created on ‎09-23-2023 07:41 AM

Hi @mgauthier

 

Can you check the routing table by running "get router info routing-table detail 10.10.1.1" in the CLI? 

 

Regards, 

1221
0 Kudos
mgauthier
New Contributor
In response to hbac

Created on ‎10-01-2023 09:27 AM

FortiGate-VM64-KVM # get router info routing-table details 10.10.1.0

Routing table for VRF=0
Routing entry for 10.10.1.0/24
Known via "ospf", distance 110, metric 10, best
Last update 00:01:50 ago
* 100.65.0.5, via vpn1 distance 0

 

FortiGate-VM64-KVM # get router info routing-table details 10.10.1.1

Routing table for VRF=0
Routing entry for 10.10.1.0/24
Known via "ospf", distance 110, metric 10, best
Last update 00:01:56 ago
* 100.65.0.5, via vpn1 distance 0

1151
0 Kudos
hhasny
Staff
Staff

Created on ‎09-24-2023 06:15 PM

Hi,

Is the VPN route a static route?

Static route would have lower AD if compare to OSPF.

Lower AD would be preferred.

Checked the routing database table 'get router info routing-table database' and see the ADs.

 

regards

1201
0 Kudos
mgauthier
New Contributor
In response to hhasny

Created on ‎10-01-2023 09:28 AM

No, the only static route is the fake public ip for the vpn 

FortiGate-VM64-KVM # sh router static
config router static
edit 1
set dst 80.0.1.0 255.255.255.252
set gateway 80.0.4.2
set device "port2"
next
end

FortiGate-VM64-KVM

1150
0 Kudos
mgauthier
New Contributor

Created on ‎10-01-2023 10:19 AM

This lab has been done on Eve NG with :

  • FGT VM KMV 6.4.14
  • Arista Veos 4.29.4M
  • VPCs (Native)
 

You can find all config change/add below to reproduce

 

 

 

image.png

simulationwan.txt 

site1-fw1.txt 

site2-fw1.txt 

site2-sw1.txt 

site3-sw1.txt 

siite4-fw1.txt 

site5-fw1.txt 

1145
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.