infrasg
New Contributor

packet routing behavior - sdwan

hi all

 

When processing a packet, which of these takes priority over the routing of that packet?

 

1)      Existing session

2)      SD-WAN rules

3)      Policy routing

4)      Static routing

 

======================

 

It also seems that if a session already exists, FortiGate will always use the existing session's ingress interface to egress the return packet, without checking the routing configuration.

 

e.g.

 

t1) packet ingresses the firewall at wan1 and exits at lan1

-- new session created

t2) return packet ingresses at lan1

-- existing session found

t3) firewall will always egress at wan1 without checking any routing

 

Is this expected?

 

Thank you


Toshi_Esumi
Esteemed Contributor III

I have the same question about 1) and 2) when you change the rules, but my assumption is that 1) is the highest.

Then you can rule out routes, regardless of whether they are static or learned via a routing protocol. They are in the "underlay", and you have to have a route to the interface if you want to steer traffic toward it. So generally all SD-WAN member internet interfaces need to have a default route (in the RIB) unless you have more specific routes for a particular destination.

For the rest, I would wait for other responses.

infrasg

hi toshi

 

Do you mean an established/existing session will always take precedence over all kinds of routes?

 

### FGT-Lab2 has an SD-WAN rule that will use wan2 to send traffic

 

FGT-Lab2 # diagnose firewall proute list
list route policy info(vf=root):

id=0x7f250001 vwl_service=1(test) vwl_mbr_seq=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=8(wan2)
source(1): 0.0.0.0-255.255.255.255
destination(1): 0.0.0.0-255.255.255.255
hit_count=201196 last_used=2021-04-30 23:31:07

 

### FGT-Lab2 receives an ingress packet from wan1

### FGT-Lab2 returns the response packet via wan1 instead of wan2, despite the proute being set to wan2

 

FGT-Lab2 #
id=20085 trace_id=5932 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.100.99:52969->192.168.200.110:2048) from wan1. type=8, code=0, id=52969, seq=0."
id=20085 trace_id=5932 func=init_ip_session_common line=5810 msg="allocate a new session-02f3f565"
id=20085 trace_id=5932 func=iprope_dnat_check line=4969 msg="in-[wan1], out-[]"
id=20085 trace_id=5932 func=iprope_dnat_check line=4982 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=5932 func=vf_ip_route_input_common line=2598 msg="find a route: flag=00000000 gw-192.168.200.110 via lan"
id=20085 trace_id=5932 func=iprope_fwd_check line=751 msg="in-[wan1], out-[lan], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=5932 func=__iprope_tree_check line=559 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=5932 func=__iprope_check_one_policy line=1919 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
id=20085 trace_id=5932 func=__iprope_user_identity_check line=1726 msg="ret-matched"
id=20085 trace_id=5932 func=__iprope_check line=2163 msg="gnum-4e20, check-3f026250"
id=20085 trace_id=5932 func=__iprope_check_one_policy line=1919 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=5932 func=__iprope_check_one_policy line=1919 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=5932 func=__iprope_check_one_policy line=1919 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=5932 func=__iprope_check line=2182 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=5932 func=__iprope_check_one_policy line=2134 msg="policy-2 is matched, act-accept"
id=20085 trace_id=5932 func=iprope_fwd_auth_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=20085 trace_id=5932 func=__iprope_check line=2163 msg="gnum-100016, check-3f026250"
id=20085 trace_id=5932 func=iprope_policy_group_check line=4422 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=5932 func=fw_forward_handler line=796 msg="Allowed by Policy-2:"
id=20085 trace_id=5932 func=ipd_post_route_handler line=439 msg="out lan vwl_zone_id 0, state2 0x0, quality 0. "
id=20085 trace_id=5933 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.200.110:52969->192.168.100.99:0) from lan. type=0, code=0, id=52969, seq=0."
id=20085 trace_id=5933 func=resolve_ip_tuple_fast line=5720 msg="Find an existing session, id-02f3f565, reply direction"
id=20085 trace_id=5933 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-10.11.12.1 via wan1"
id=20085 trace_id=5933 func=npu_handle_session44 line=1142 msg="Trying to offloading session from lan to wan1, skb.npu_flag=00000000 ses.state=00000200 ses.npu_state=0x00000001"
id=20085 trace_id=5933 func=fw_forward_dirty_handler line=396 msg="state=00000200, state2=00000000, npu_state=00000001"
id=20085 trace_id=5933 func=ipd_post_route_handler line=439 msg="out wan1 vwl_zone_id 1, state2 0x0, quality 0."

 

Q1) Any idea why the firewall is not returning the response packet using wan2?

 

Q2) If the firewall always egresses the return packet via the existing session's ingress interface, what is the point of this statement that the firewall will do a route lookup for the first reply packet?

 

https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/139692/routing-concepts

"Route look-up typically occurs twice in the life of a session. Once when the first packet is sent by the originator and once more when the first reply packet is sent from the responder."

 

Thank you
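The debug flow output above can be checked mechanically rather than by eye. The following is an added example in Python, not part of the original post and not a Fortinet tool: it parses the "diagnose debug flow" entry format exactly as it appears in the pasted output (id=... trace_id=... func=... line=... msg="..."), groups entries by trace_id, records which interface each packet came in on and went out on, whether the trace allocated a new session or matched an existing one in the reply direction, and what the route lookup returned. It then pairs each reply-direction trace with the original-direction trace of the same session id and reports whether the reply left on the interface the session originally entered on. The embedded sample is constructed by cutting the thread's two traces (5932 and 5933) down to the entries the parser reads; the message patterns are assumed to match the FortiOS 6.4-era output shown in the thread and nothing else.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two traces of the ping shown in the thread, cut down to the
# entries this parser reads. A real "diagnose debug flow" capture has many more
# entries per trace_id; unmatched messages are ignored by the matchers below.
SAMPLE_FLOW = (
    'id=20085 trace_id=5932 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet'
    '(proto=1, 192.168.100.99:52969->192.168.200.110:2048) from wan1. type=8, code=0, id=52969, seq=0." '
    'id=20085 trace_id=5932 func=init_ip_session_common line=5810 msg="allocate a new session-02f3f565" '
    'id=20085 trace_id=5932 func=vf_ip_route_input_common line=2598 msg="find a route: flag=00000000 gw-192.168.200.110 via lan" '
    'id=20085 trace_id=5932 func=fw_forward_handler line=796 msg="Allowed by Policy-2:" '
    'id=20085 trace_id=5932 func=ipd_post_route_handler line=439 msg="out lan vwl_zone_id 0, state2 0x0, quality 0. " '
    'id=20085 trace_id=5933 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet'
    '(proto=1, 192.168.200.110:52969->192.168.100.99:0) from lan. type=0, code=0, id=52969, seq=0." '
    'id=20085 trace_id=5933 func=resolve_ip_tuple_fast line=5720 msg="Find an existing session, id-02f3f565, reply direction" '
    'id=20085 trace_id=5933 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-10.11.12.1 via wan1" '
    'id=20085 trace_id=5933 func=ipd_post_route_handler line=439 msg="out wan1 vwl_zone_id 1, state2 0x0, quality 0."'
)

# One debug-flow entry. Matching each entry on its own means the same regex works
# whether the capture is one entry per line or flattened onto a single line.
ENTRY = re.compile(r'id=\d+ trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')
RECV = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) from (?P<iif>\S+)\.')
NEWSESS = re.compile(r'allocate a new session-(?P<sid>[0-9a-f]+)')
EXISTING = re.compile(r'Find an existing session, id-(?P<sid>[0-9a-f]+), (?P<dir>\w+) direction')
ROUTE = re.compile(r'find a route: flag=\S+ gw-(?P<gw>\S+) via (?P<oif>\S+)')
POLICY = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
OUT = re.compile(r'^out (?P<oif>\S+) vwl_zone_id (?P<zone>\d+)')


@dataclass
class Trace:
    trace_id: str
    iif: Optional[str] = None        # interface the packet was received on
    src: Optional[str] = None
    dst: Optional[str] = None
    session: Optional[str] = None    # session id from "allocate"/"Find an existing session"
    direction: Optional[str] = None  # "original" (new session) or "reply"
    route_oif: Optional[str] = None  # interface returned by the route lookup
    gw: Optional[str] = None
    policy: Optional[str] = None     # firewall policy that allowed the packet
    oif: Optional[str] = None        # interface the packet actually left on
    vwl_zone: Optional[str] = None   # SD-WAN zone id reported by the post-route handler


def parse_flow(text: str) -> Dict[str, Trace]:
    """Group debug-flow entries by trace_id and pull out the routing-relevant fields."""
    traces: Dict[str, Trace] = {}
    for m in ENTRY.finditer(text):
        t = traces.setdefault(m["tid"], Trace(m["tid"]))
        msg = m["msg"]
        if (r := RECV.search(msg)):
            t.iif, t.src, t.dst = r["iif"], r["src"], r["dst"]
        elif (r := NEWSESS.search(msg)):
            t.session, t.direction = r["sid"], "original"
        elif (r := EXISTING.search(msg)):
            t.session, t.direction = r["sid"], r["dir"]
        elif (r := ROUTE.search(msg)):
            t.gw, t.route_oif = r["gw"], r["oif"]
        elif (r := POLICY.search(msg)):
            t.policy = r["pid"]
        elif (r := OUT.search(msg)):
            t.oif, t.vwl_zone = r["oif"], r["zone"]
    return traces


def reply_egress_check(traces: Dict[str, Trace]) -> List[dict]:
    """For each reply-direction trace, find the original-direction trace of the same
    session and report whether the reply left on the interface the session entered on."""
    originals = {t.session: t for t in traces.values() if t.direction == "original"}
    results = []
    for t in traces.values():
        if t.direction != "reply" or t.session not in originals:
            continue
        o = originals[t.session]
        results.append({
            "session": t.session,
            "original_iif": o.iif,
            "original_oif": o.oif,
            "reply_iif": t.iif,
            "reply_route_oif": t.route_oif,   # the reply still has a route lookup
            "reply_oif": t.oif,
            "egress_equals_original_ingress": t.oif == o.iif,
        })
    return results


if __name__ == "__main__":
    parsed = parse_flow(SAMPLE_FLOW)
    for tid, t in parsed.items():
        print(f"trace {tid}: in={t.iif} session={t.session} dir={t.direction} "
              f"route_via={t.route_oif} out={t.oif} vwl_zone={t.vwl_zone}")
    for r in reply_egress_check(parsed):
        print(r)
```

To use it on a real capture, save the debug flow output to a file and call parse_flow(open(path).read()); any reply-direction trace whose egress_equals_original_ingress is False is the asymmetric case the question is about. Note that the reply trace (5933) still carries a "find a route" entry, which is the second lookup the documentation quote refers to; what the parsed output makes visible is that the lookup result (wan1) and the final egress (wan1) agree with the session's original ingress, not with the proute that points at wan2.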

Toshi_Esumi
Esteemed Contributor III

I believe that, with or without SD-WAN, if the session is initiated in the out-to-in direction, the returning direction always takes the same incoming interface, because it's written in the session (diag sys session), as long as a proper route is there. Only if the session is initiated in the in-to-out direction can you control the outgoing interface using a policy route or SD-WAN rule.

infrasg

hi toshi

 

Thanks for your reply.

Just to sidetrack:

 

Do you happen to know the correct SD-WAN rule/strategy to use such that there are 2 priority groups?

e.g.

 

group #1

ipsec1

ipsec2

 

group#2

mpls1

mpls2

 

Traffic will be load-balanced across all interfaces in group #1, and if all interfaces in group #1 are down, traffic will be load-balanced across all interfaces in group #2.

 

Thank you

Toshi_Esumi
Esteemed Contributor III

It doesn't look like a simple fail-over, depending on where those VPNs and MPLS connect to, like whether everything goes to the same location or multiple locations' multiple subnets are arranged on each interface as different sets, etc. There are probably no "correct" or "incorrect" answers, and you might need to "try & adjust" for some time.

byrsa08

Hi Toshi,

Do you mean by a 'proper' route any configured route (SD-WAN, static or dynamic)? If yes, this means that if I am not initiating the traffic, I have to accept any path chosen by the initiator even if it is not my best route (i.e. 1 of 4 tunnels to the same destination)?

 

Sorry if that sounds stupid, I am still new to routing and SD-WAN :)

 

Thank you!
