- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SD-Wan failover and failback
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-Wan failover and failback
I'm playing in Eve-NG, trying to get SD-WAN setup. I've got everything configured but something doesn't seem to be correct.
I've got (within eve-ng) an 8.8.8.8 that I'm pinging as my performance SLA. I've got some NETem devices between my FortiGate FFVMEV (v7.0.13) and the router at 8.8.8.8. I've WAN1 and WAN2 both set up. Using NETem I've set a 10ms (each way) delay on WAN2, so WAN1 should be the preferred route.
I go to Network - SD-WAN - SD-Wan Rules and I see that per my SD-Wan rule, WAN1 is the current route. I ping from a device behind the FortiGate to 8.8.8.8 and traffic heads out WAN1. Now I introduce some latency into WAN1. I see in my SD-WAN, SD-WAN Rules that now my preferred route is WAN2, but my ping continues to go through WAN1 unless I forcefully clear the session in the FortiGate. If I take away the latency in WAN1, again I see per the SD-WAN rules that WAN1 is the preferred route, but the ping continues to go out WAN2, unless I again forcefully clear the session in the FortiGate. Alternatively if I stop the ping, wait for about a minute for the session to timeout in the FortiGate, then I don't have to forcefully clear the session in the FortiGate.
If I manually kill a link in the eve-ng network from the fortigate to the 8.8.8.8 router, after a few missed pings, the connection fails over to WAN2 and I see in the SD-WAN rules that WAN2 is now my preferred route. If I bring the link back online in the eve-ng network, I in the SD-WAN rules that WAN1 is now my preferred route again, but again, unless I forcefully kill the session traffic continues to go out WAN2.
It seems like unless that session clears, the SD-WAN rule isn't having any effect on traffic. Is this correct? It seems like if I've popped my SLA, the fortigate should be switching the traffic to the best route but it only seems to do this after the session has expired.
Labels:
- Labels:
-
FortiGate
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can follow the attached link. The issue has been highlighted here.
You can enable snat route change for the session to choose the best path.
config system global
set snat-route-change enable
HTH
Kind Regards,
Bijay Prakash Ghising
Ghising
Ghising
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, I found that and tried that, same result.
Created on 01-24-2024 01:43 PM Edited on 01-24-2024 01:44 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have the preserve session route enabled on the interface?
Otherwise, it is expected to carry on with the newly switched ISP link.
Also, can you share the SD-WAN rule(CLI and GUI) that the traffic is passing through? How did you configure it?
Ghising
Ghising
Created on 01-24-2024 01:47 PM Edited on 01-24-2024 01:48 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configured it via the GUI. I don't know the CLI very well.
Created on 01-24-2024 02:13 PM Edited on 01-24-2024 07:55 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you confirm in the GUI that the SD-Rule hit count is increasing? As of now, all we can check is whether the traffic passing through the expected rule or not.
Kind Regards,
Bijay Prakash Ghising
Ghising
Ghising
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it's increasing and as I stated, if I let the session clear (either naturally or force the session to clear) the traffic flows out the correct interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It took me a bit to find preserve session route, assuming that's on the WAN interface and not somewhere within the SD-WAN configuration, it is disabled.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this is interesting. While I tried the
config system global
set snat-route-change enable
and it didn't work, I thought "what if somehow, the command just wasn't taking effect". So I enabled the command, then rebooted the FortiGate. Now things work as expected! Very unusual to have to reboot a FrotiGate to get it to work right. Odd as heck!
Related Posts
- choose between multiple ISP 166 Views
- IkeV2 IPSEC-crash during HA failover after... 278 Views
- Sdwan manual mode 471 Views
- IPsec VPN Multi VDOM - Remote... 1169 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.