Hot!Traffic takes wrong route - cache?

Author
sw2090
Expert Member
  • Total Posts : 790
  • Scores: 58
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
2020/08/26 01:54:40 (permalink)
0

Traffic takes wrong route - cache?

I have the following constellation:
 
FGT 100E on site that has two ipsec tunnels to HQ.
It has two static routes for HQ Net over the tunnels with different prio (for Failover).
Also there is some vlan interfaces for special purposes on Site.
I now have a device in one vlan that wants to talk to a server at HQ.
It has all neccessary policies and routes on both sides. Just on the 100E on Site the order of the policies had been worong.
Due to that the internet policy for the vlan matched first and the policy to the server at HQ so never matched. Correct so far.
I changed the order of the policies so the other one can match first.
I also deleted every session of the device.
Thus flow debug shows me that the traffic still matches the wrong policy and gets routet to the internet instead to HQ.

Due to static routing the FGT should know it has to route traffic to HQ over the tunnel with lowest prio  first and higher prio second. It does that perfect except for that one device.
Is the routing cached somewhere idependent from sessions?
 
#1

4 Replies Related Threads

    lobstercreed
    Platinum Member
    • Total Posts : 320
    • Scores: 37
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: Traffic takes wrong route - cache? 2020/08/26 07:39:32 (permalink)
    0
    Hey Sebastian,
     
    Forgive me if I'm stating the obvious, but it seems like you had a routing problem and tried to solve it with firewall policy (unless you meant routing policy), which of course does not work but would explain the continued wrong behavior.
     
    "Due to that the internet policy for the vlan matched first and the policy to the server at HQ so never matched. Correct so far.
    I changed the order of the policies so the other one can match first."
     
    Routing comes before policy decisions in the firewall so the order of policies that have different egress interfaces doesn't matter in the first place.
     
    Now, how to solve the routing problem is the question, but we'd need more info to try to help with that.
     
    - Daniel
    #2
    sw2090
    Expert Member
    • Total Posts : 790
    • Scores: 58
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: Traffic takes wrong route - cache? 2020/08/26 08:11:33 (permalink)
    0
    Daniel,
     
    usually I just create the policies to allow the traffic to flow. 
    Routing is (except from WAN Interfaces) static here anyways.
     
    And yes routing comes before policies. That's the point where it goes wrong way because due to whatever reason my FGT prefers to select the default route for that traffic even though there is static routes.
     
    So lets say the device is 10.1.2.3 in 10.1.2.0/24.
    The Server at HQ is 192.168.23.23/32.
    FGT is 10.1.2.254 in the device subnet.
     
    Then there is two ipsec tunnels to HQ.
    For both there is a static route:
     
    192.168.23.0/24 via tunnel1 prio 10, distance 10
    192.168.23.0/24 via tunnel2 prio 20, distiance 20
    (this is for failover and will switch to tunnel2 when tunnel1 is gone)
     
    Also there is three default routes:
     
    0.0.0.0/0.0.0.0 via wan1 with prio 1 and gw of wan1
    0.0.0.0/0.0.0.0 via wan2 with prio 1 and gw of wan2
    0.0.0.0/0.0.0.0 via wan3 with prio 1 and gw of wan3
    Those are automatically created by SD-WAN and I cannot change them due to that.
    SD-WAN handles which one of them to use when :)
     
    Given this the FGT should select the route via tunnel1 (or tunnel2 if tunnel1 is gone) if there is traffic that wants to go to 192.168.23.0/24. 
     
    Now I have traffic coming from 10.1.2.3 via the corresponding vlan interface and going to 192.168.23.23.
    Why does the FGT select one of the default routes for this (an in consequence then only match the internet policy).
    Usually Subnets the FGT knows either by interface (connected route) or static route come before the default route as in any other network device too.
     
    I also openend a TAC Ticket on that as I have no more idea.
    If you want me to provide more info let me know :)
     
     
    #3
    Benoit_Rech_FTNT
    Bronze Member
    • Total Posts : 37
    • Scores: 5
    • Reward points: 0
    • Joined: 2013/06/04 02:38:46
    • Location: Sophia Antipolis (France)
    • Status: offline
    Re: Traffic takes wrong route - cache? 2020/09/13 23:53:01 (permalink)
    0
    Hello Sebastian,
    When the default route was used instead of the most specific routes, are you sure that your VPN tunnels where up ? If this is not the case, then you can use "blackhole" routes with higher distance than the VPN to prevent the traffic to go through the default route when the VPN is not up.
     
    Moreover, they are three commands to troubleshoot the routing on the FortiGate:
    * get router info routing-table all (see the routing table, with IPSec, dynamic protocols, ...)
    * get router info kernel (or diag ip route list) are the two commands to show the kernel routing table. 
    * diagnose ip rtcache list (display the route cache).

    If you need more help, please share the output of the three commands.
    Best regards,
    Benoit
    #4
    sw2090
    Expert Member
    • Total Posts : 790
    • Scores: 58
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: Traffic takes wrong route - cache? 2020/09/25 00:58:51 (permalink)
    0
    This was solved meanwhile. It was no fault of the FortiGate...it was due to other network missconfig that was not on the FGT ;)
     
    So to say a "fatal adiministrator error" or a OSI Layer 8 Problem ;D
    #5
    Jump to:
    © 2020 APG vNext Commercial Version 5.5