- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSEC tunnel now active when Static route on WAN c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSEC tunnel now active when Static route on WAN connection is larger than primary
60D on 6.0.9
I've run into this issue before for other clients and haven't figured it out.
When in a multi-WAN scenario:
Primary Private fiber connection: Wan2 (OSPF) Static Route with Distance of 10
Backup ISP: DMZ static route with a distance of 20
IPsec tunnel on DMZ port with Static route with a distance of 10
This IPsec tunnel will not stay active unless we change the Distance of the Backup ISP to 10?
But this puts our WAN2 and DMZ in a load-balancing scenario, and we want to keep active-passive setup.
How can we keep the backup ISP in a passive state and keep the VPN tunnel up?
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm assuming you meant "static default route" by "static route".
My first suggestion is if the IPsec peer public IP is static (not dynamic), setting /32 static route for the peer IP toward the DMZ port, so that regardless the priority/distance of the default routes to the WAN2 and the tunnel, the tunnel always comes up and stays up.
If that's not an option, the second suggestion is to set a low "priority" on the default route to DMZ (higher number of priority) to the DMZ port. It might not establish the tunnel from local end, but since it's still in the routing-table if the other side's tunnel establishment attempts would be returned to the port it came in (DMZ port).
You didn't explain how you want to utilize two default route paths; WAN2 and Tunnel when the tunnel is up. But based on your distance settings they would load-balance with ECMP logic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm assuming you meant "static default route" by "static route". My first suggestion is if the IPsec peer public IP is static (not dynamic), setting /32 static route for the peer IP toward the DMZ port, so that regardless the priority/distance of the default routes to the WAN2 and the tunnel, the tunnel always comes up and stays up.
-We're using static Ip's
If that's not an option, the second suggestion is to set a low "priority" on the default route to DMZ (higher number of priority) to the DMZ port. It might not establish the tunnel from local end, but since it's still in the routing-table if the other side's tunnel establishment attempts would be returned to the port it came in (DMZ port). You didn't explain how you want to utilize two default route paths; WAN2 and Tunnel when the tunnel is up. But based on your distance settings they would load-balance with ECMP logic.
-What we're trying to do is have:
1. Primary Internet and private network access to use WAN2 always
-At the same time that WAN2 is being used we need to have the IPsec VPN tunnel always up on the DMZ internet connection.
Currently, we have 3 static routes configured for this:
1. 0.0.0.0/0 DMZ Distance = 20
2. 0.0.0.0/0 WAN2 Distance = 10
3. public IP VPN interface on the DMZ port = Distance = 20
If the WAN2 Distance is lower than the Distance on the DMZ the VPN tunnel fails to come up.
If we change the Distance on WAN2 to be the same or higher (25) then DMZ the VPN tunnels comes up right away.
How can we keep a lower distance to prioritize traffic to use WAN2 and also keep the VPN tunnel up on the DMZ port?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hm
we got plenty of IPSec S2S Tunnels here. Each is connected to a specific lan while SD-WAN takes care for the internet traffic. Those all work fine. Even redundant routing with different prios and distances for subnets that have to be reached via tunnels works fine here.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Created on 07-14-2020 08:31 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You don't need the default route to DMZ (No.1), you just need the (No.3) /32 route to DMZ. Your symptom indicates this /32 route is not working.
Either the detination IP is wrong or GW IP is wrong (or dynamic-gateway). Take the default route out on DMZ and try pinging the destination IP. I guess is you can't even ping the IP. Is that circuit static/DHCP/PPPoE?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If routes do not have the same distance(for competing subnets) it gets removed from the route table until the primary goes down. It effectively makes DMZ(in this scenario) inactive and unable to respond back to any incoming traffic.
You need to have the same distance so both routes end up in the route table and use priority to define which is used by default.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes! I just posted this fix right before your post showed up.
Since they both have 0.0.0.0/0.0.0.0 Static routes for internet access that make sense.
Assuming we had static routes that did not overlap it would stay up with different Distances set.
Thank you, thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you all for the input.
Turns out we had to make the Distance the same on both WAN2 and DMZ (Primary and backup) connections.
After the Distance is set the same, I changed the Priority to 10 on the DMZ and left it 0 on WAN2.
This allowed the tunnel to come up on the DMZ port and all traffic is still going out WAN2 as expected.
I also updated the link monitoring to make sure it has failover detection.
Related Posts
- FortiExtender LAN Extension policy not allowing... 266 Views
- FortiGate ethernet broken with HA 723 Views
- Adding 26 locations with dual redundant... 197 Views
- 2 fortigate firewall, I need one... 225 Views
- Dual ISP Failover with Azure VPN... 159 Views
Labels
-
FortiGate
6,450 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.