SD-WAN Self-Originated Traffic Broken | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Helpful ReplyHot!SD-WAN Self-Originated Traffic Broken

Author Post Essentials Only Full Version
Jamie New Member Total Posts : 8 Scores: 2 Reward points: 0 Joined: 2014/09/13 12:13:24 Status: offline 2020/11/25 21:04:19 (permalink) 6.0 0 SD-WAN Self-Originated Traffic Broken Hi, Has anyone worked through a similar problem on SD-WAN where the self-originated traffic isn't smart enough to pick the correct interface to get out ( internet ). I know this because running diagnose sniffer packet any "port 8888" 4 0 l we can see the device is trying to use the wrong port / sdwan member to talk to forticloud on port 8888. That's whats tricky with the self originated traffic when it doesn't work. In this case we have wan1, port1 and port2 as member interfaces for sd-wan. port1 and port2 are private circuits and wan1 is the internet gateway. Looking at its very obvious which interface has the internet gateway but the device wants to use every port except the correct one for the self traffic. :( All the user / client traffic is operating as it should. #1 List Solutions Only 4 Replies Related Threads
Jirka Gold Member Total Posts : 177 Scores: 7 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: SD-WAN Self-Originated Traffic Broken 2020/11/26 07:38:24 (permalink) 0 Hello, a year ago I solved the same problem with TAC. Since self-originating traffic in version 6.2.2 and higher does not pass SD WAN - https://kb.fortinet.com/k....do?externalID=FD47380 - it is necessary to change DR. But..in all KB and CB from Fortinet, it is stated that when using SD WAN, only one DR per SD WAN is required - which is obviously not always true... So if there are some IPsec tunnels in SD WAN that connect local ranges (eg HQ and BR), it is necessary to place these IP local address ranges into Static Routes and set DR to the net (WAN1 and WAN2) directly to the gateway of the upstream router. I had no other explanation from them. But the ticket says: Bug fix already available. From this I understand that it is probably a bug and will be fixed. But who knows .. Anyway, now everything seems to work correctly (I will try it in detail tomorrow). This is how my routing table looks like now (FTN support used all RFC1918 address) Jirka Attached Image(s) #2
Jirka Gold Member Total Posts : 177 Scores: 7 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: SD-WAN Self-Originated Traffic Broken 2020/11/26 12:05:23 (permalink) ☄ Helpfulby lobstercreed 2020/11/27 14:10:46 0 btw now I have found this manual, I will try to set it according to it on our box as well https://docs.fortinet.com...lf-originating-traffic #3
lobstercreed Platinum Member Total Posts : 360 Scores: 43 Reward points: 0 Joined: 2018/11/28 14:57:58 Location: Sedalia, MO Status: offline Re: SD-WAN Self-Originated Traffic Broken 2020/11/27 14:11:59 (permalink) 0 sigmasoftcz btw now I have found this manual, I will try to set it according to it on our box as well https://docs.fortinet.com...lf-originating-traffic I am just beginning to roll out SD-WAN for my branches on 6.4.3 and also discovered this. I set the interface method to SD-WAN for pretty much everything and it works the way I wanted it to. #4
Jamie New Member Total Posts : 8 Scores: 2 Reward points: 0 Joined: 2014/09/13 12:13:24 Status: offline Re: SD-WAN Self-Originated Traffic Broken 2020/11/28 14:09:39 (permalink) 5 (1) The fix for me was......... set source-ip x.x.x.x to be the wan ip you want the self traffic to orriginate from. config log fortiguard setting Create a top most sdwan rule for SOURCE [ WAN IP ] DESTINATION [ ALL ] INTERFACE [ WAN1 ] Attached Image(s) #5

Jump to:

© 2021 APG vNext Commercial Version 5.5