SD-WAN Self-Originated Traffic Broken

Author: Jamie, 2020/11/25 21:04:19 (6.0)

Hi,

Has anyone worked through a similar problem on SD-WAN where the self-originated traffic isn't smart enough to pick the correct interface to get out (internet)?

I know this because running

    diagnose sniffer packet any "port 8888" 4 0 l

we can see the device is trying to use the wrong port / SD-WAN member to talk to FortiCloud on port 8888. That's what's tricky with the self-originated traffic when it doesn't work.

In this case we have wan1, port1 and port2 as member interfaces for SD-WAN. port1 and port2 are private circuits and wan1 is the internet gateway. Looking at it, it's very obvious which interface has the internet gateway, but the device wants to use every port except the correct one for the self traffic. :( All the user / client traffic is operating as it should.
Jirka (Czech Republic), 2020/11/26 07:38:24
Hello,

a year ago I solved the same problem with TAC.
Since self-originating traffic in version 6.2.2 and higher does not pass SD-WAN - https://kb.fortinet.com/k....do?externalID=FD47380 - it is necessary to change the DR.
But... in all KB and CB from Fortinet, it is stated that when using SD-WAN, only one DR per SD-WAN is required - which is obviously not always true...

So if there are some IPsec tunnels in SD-WAN that connect local ranges (e.g. HQ and BR), it is necessary to place these local IP address ranges into Static Routes and set the DR to the net (WAN1 and WAN2) directly to the gateway of the upstream router.
I had no other explanation from them. But the ticket says: Bug fix already available. From this I understand that it is probably a bug and will be fixed. But who knows...

Anyway, now everything seems to work correctly (I will try it in detail tomorrow).
This is how my routing table looks now (FTN support used all RFC1918 addresses).

Jirka

Attached Image(s)
Jirka, 2020/11/26 12:05:23 (marked helpful by lobstercreed, 2020/11/27 14:10:46)
BTW, now I have found this manual; I will try to set it according to it on our box as well.

https://docs.fortinet.com...lf-originating-traffic
lobstercreed (Sedalia, MO), 2020/11/27 14:11:59
sigmasoftcz wrote:
    BTW, now I have found this manual; I will try to set it according to it on our box as well.
    https://docs.fortinet.com...lf-originating-traffic

I am just beginning to roll out SD-WAN for my branches on 6.4.3 and also discovered this. I set the interface method to SD-WAN for pretty much everything and it works the way I wanted it to.
Jamie, 2020/11/28 14:09:39
The fix for me was:

Set source-ip x.x.x.x to be the WAN IP you want the self traffic to originate from:

    config log fortiguard setting
        set source-ip x.x.x.x
    end

Create a top-most SD-WAN rule for SOURCE [WAN IP] DESTINATION [ALL] INTERFACE [WAN1].

Attached Image(s)
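The fix described in the last reply, written out as a FortiOS CLI fragment; this is an added illustration, not configuration posted in the thread or published by Fortinet. It assumes FortiOS 6.4 `config system sdwan` syntax, wan1 as SD-WAN member seq-num 1, the placeholder WAN address 203.0.113.10 and a constructed address-object name.

```fortios
# Added example (not from the thread). Placeholder WAN IP: 203.0.113.10
# Assumes FortiOS 6.4 "config system sdwan" syntax; older 6.0/6.2 builds
# keep SD-WAN under "config system virtual-wan-link" instead.

# 1. Pin the FortiGuard/FortiCloud logging source to the wan1 address, so the
#    self-originated session is built with that source IP.
config log fortiguard setting
    set source-ip 203.0.113.10
end

# 2. Address object matching only the wan1 IP (constructed name).
config firewall address
    edit "fgt-wan1-ip"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 3. SD-WAN rule: SOURCE [WAN IP] DESTINATION [all] INTERFACE [wan1].
#    Rules are evaluated top-down; if other rules already exist, place this
#    one first with "move <id> before <first-rule-id>" inside "config service".
config system sdwan
    config service
        edit 1
            set name "self-originated-via-wan1"
            set mode manual
            set src "fgt-wan1-ip"
            set dst "all"
            set priority-members 1
        next
    end
end

# 4. Verify with the sniffer from the opening post: port 8888 traffic should
#    now leave on wan1 with source 203.0.113.10.
# diagnose sniffer packet any "port 8888" 4 0 l
```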