I've seen several references throughout this site stating that enabling "allow-subnet-overlap" is VERY VERY bad and should never, ever be done.
There are times when there are good reasons for assigning two IPs to an interface (e.g. 10.0.0.1 and 10.0.0.2 to WAN1). I also know that VIPs can be used instead of secondary IPs in other instances. For the moment, let's not discuss VIPs.
I haven't been able to find a reference in any manual suggesting that this is a dreadfully bad thing. The manuals do state that asymmetric routing should only be enabled for limited troubleshooting purposes because it disables stateful inspection. This makes sense -- but what I don't understand is how enabling allow-subnet-overlap also enables asymmetric routing, as has been suggested by others within this forum.
In fact, Fortinet even specifies that it should be enabled in the KB document "How to setup IPSEC VPN on secondary IP address":
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32009&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=8688267&stateId=0%200%208690021
I've also seen posts from others where apparently Fortinet Support has advised them to enable "allow-subnet-overlap". Is the Fortinet Knowledgebase flat-out wrong? Is the information given by Support also wrong? Please, help me understand the situation. I would appreciate a detailed explanation or even a polite reference to a link or a PDF/page number with any relevant information.
Thanks!