Support Forum
tobezero
New Contributor

SD-WAN route problem after adding MPLS: only the FG240 cannot ping 8.8.8.8, but the inside LAN can

Dear All,

I need help and advice.

I implemented SD-WAN on two existing FortiGates, one for HO and one for Branch.

HO has 3 ISP WAN interfaces and 2 MPLS WAN interfaces.

Branch has 1 ISP WAN interface and 2 MPLS WAN interfaces.

All interfaces on both sites can already talk to each other from inside the LAN.

I already set performance SLAs on each FortiGate:

1. SLA for Internet that pings 8.8.8.8 only from the 3 ISP WAN interfaces (with static route update enabled).

2. SLA for MPLS that pings from the HO subnet to the Branch subnet only from the 2 MPLS WAN interfaces.

Both FortiGates have the same config (vice versa).

The problem is only on the HO FortiGate (the Branch FortiGate is OK, no problem at all):

- With only the 3 ISP WAN interfaces, the HO FortiGate can ping 8.8.8.8 from the CLI (OK) and can ping FortiGuard (OK). From inside the LAN it is OK. The Web Filter service is OK.

- The PROBLEM begins when I add the 2 MPLS WAN interfaces (we also tested with only 1 MPLS WAN interface). The HO FortiGate cannot ping 8.8.8.8 from the CLI (FAIL) and cannot ping FortiGuard (FAIL).

- BUT from inside the LAN it is OK: it can ping 8.8.8.8 and FortiGuard, and a traceroute to 8.8.8.8 goes only through the ISP WAN interfaces.

Checking, I found:

- A traceroute from the HO FortiGate CLI to 8.8.8.8 is routed to the other side (Branch), with a ROUTING LOOP between the MPLS gateways of HO and Branch.

- In the route monitor, ALL interfaces in the SD-WAN route to 0.0.0.0/0.0.0.0. That includes the MPLS WAN interfaces routing to 0.0.0.0/0.0.0.0, even though we did not put the MPLS interfaces into the performance SLA for Internet (ping 8.8.8.8); it automatically puts both MPLS WAN interfaces first in the sequence, even though we added them later than the ISP WAN interfaces.

We then set the performance SLA on the HO FortiGate to:

1. SLA for Internet that pings 8.8.8.8 from the 3 ISP WAN interfaces and the 2 MPLS WAN interfaces (with static route update enabled).

- In the performance SLA monitor the result is: 3 ISP WAN interfaces UP (OK), 2 MPLS interfaces DOWN.

Checking again, the same thing still happens:

- A traceroute from the HO FortiGate CLI to 8.8.8.8 is routed to the other side (Branch), with a ROUTING LOOP between the MPLS gateways of HO and Branch.

- In the route monitor, ALL interfaces in the SD-WAN route to 0.0.0.0/0.0.0.0.

With this problem, our HO FortiGate cannot get Web Filter running, even though the service is still active. BUT the internal LAN can do everything as we configured: it can reach the Internet and go to the Branch site.

We checked the Branch FortiGate, which has the same config (vice versa), and there is no problem at all:

The Branch FortiGate can ping 8.8.8.8 from the CLI (OK) and can ping FortiGuard (OK). From inside the LAN it is OK.

And from inside the Branch LAN we can ping inside the HO LAN.

Please help us; we need Web Filter running well for security purposes, because we have already put in a lot of rules with Web Filter.
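Added example, not from the post above (which has no replies) and not a confirmed fix for it: the FortiOS configuration I would compare against when a FortiGate's self-originated traffic (CLI ping, FortiGuard/Web Filter rating lookups) takes a different path than LAN traffic. It assumes FortiOS 6.4 or later, where `config system sdwan` supports zones and a static route can be bound to one zone with `set sdwan-zone`, so the default route never gains the MPLS members as next hops while the branch subnet still rides the MPLS zone. Interface names (wan1-wan3, mpls1, mpls2), member indexes, gateway addresses, and the branch subnet 10.20.0.0/16 are constructed placeholders; on releases before 6.4 (`config system virtual-wan-link`) the zone-scoped route is not available and this layout does not apply.

```fortios
# Added example (not the poster's config). Assumes FortiOS 6.4+.
# Interface names, member IDs, gateways and subnets are placeholders.
config system sdwan
    set status enable
    config zone
        edit "internet"
        next
        edit "mpls"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "internet"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "internet"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "wan3"
            set zone "internet"
            set gateway 192.0.2.1
        next
        edit 4
            set interface "mpls1"
            set zone "mpls"
            set gateway 10.255.1.1
        next
        edit 5
            set interface "mpls2"
            set zone "mpls"
            set gateway 10.255.2.1
        next
    end
    config health-check
        # Internet SLA only checks the ISP members, as in the post.
        edit "Internet"
            set server "8.8.8.8"
            set update-static-route enable
            set members 1 2 3
        next
        # MPLS SLA probes a host in the branch subnet over the MPLS members.
        edit "MPLS"
            set server "10.20.0.1"
            set update-static-route enable
            set members 4 5
        next
    end
end
# The default route is bound to the internet zone only, so the MPLS
# members can never be installed as 0.0.0.0/0 next hops. The branch
# subnet gets its own route over the mpls zone.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "internet"
    next
    edit 2
        set dst 10.20.0.0 255.255.0.0
        set sdwan-zone "mpls"
    next
end
# Checks after applying: SLA state per member, the installed routing
# table (0.0.0.0/0 should list only wan1-wan3), and a test from the
# FortiGate itself, since that is the path FortiGuard lookups take.
diagnose sys sdwan health-check
get router info routing-table all
execute ping 8.8.8.8
execute traceroute 8.8.8.8
```

The point of the comparison is the last three commands: `get router info routing-table all` shows which members actually sit under 0.0.0.0/0, and a CLI `execute traceroute 8.8.8.8` exercises self-originated traffic the same way a Web Filter rating lookup does, so a loop there reproduces the symptom the post describes even when LAN clients are unaffected.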