FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppatel
Staff
Article Id 193411

Description
This article describes how to manually delete a route from the FortiOS kernel routing table. On some occasions a route present in the kernel must be removed by hand.

In this example, 10.8.8.0/24 was previously learned via BGP and is now superseded by the entry installed by the 'add-route' feature of IPsec dial-up (prio=100 on remote-dc-vpn), so the kernel holds two entries for the same prefix and the BGP entry via internal-dc is the one to remove:

 

get router info kernel | grep 10.8.8.0
tab=254 vf=7 scope=0 type=1 proto=11 prio=100 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=30033(remote-dc-vpn)
tab=254 vf=7 scope=0 type=1 proto=18 prio=268435456 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=10.9.8.7 dev=87(internal-dc)


Solution

 

To delete the route, use the following command:

diagnose ip route delete <interface name> <IP address> <subnet mask> <gateway> <distance> <priority> <vf number; not mandatory>

Example:

 

diagnose ip route delete internal-dc 10.8.8.0 255.255.255.0 10.9.8.7 20 268435456

 

The 'get router info kernel' output does not show the distance value. Check the distance in the routing table with the 'get router info routing-table all' command. The vf value in the kernel output (vf=7 above) is the optional last argument of the delete command.

 

Below are the default administrative distance values in FortiOS.

 

  • Directly connected   0
  • Static routes       10
  • EBGP routes         20
  • OSPF routes        110
  • RIP routes         120
  • IBGP routes        200

 

In the case of SSL VPN, the client source IPs are added directly to the kernel and do not appear in 'get router info routing-table all', so their distance cannot be looked up there.

SSL VPN source IP routes are directly connected routes, so a distance value of 0 must be used when forcibly deleting an SSL VPN source IP route from the FortiOS kernel. Without the distance value, the command fails.
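The procedure above (read the kernel entry, look up the distance in the routing table, assemble the delete command, and use distance 0 for SSL VPN client routes) as an added Python example. This is not Fortinet's code and FortiOS does not run Python; it is a helper for an operator who collects the CLI output over SSH and wants the delete command generated without transcription errors. The kernel line layout is taken from the article's output; the routing-table line layout (code, prefix, [distance/metric], via gateway, interface), the ssl.root host route and the routing-table text are assumed sample data constructed for illustration.

```python
"""Build a FortiOS 'diagnose ip route delete' command from collected CLI output.

Added example, not Fortinet's code. Kernel line format follows the article's
'get router info kernel' output; the routing-table line format and all sample
text below are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Kernel route line as printed by 'get router info kernel' (layout from the article).
KERNEL_RE = re.compile(
    r"tab=(?P<tab>\d+)\s+vf=(?P<vf>\d+)\s+scope=\d+\s+type=\d+\s+proto=(?P<proto>\d+)\s+"
    r"prio=(?P<prio>\d+)\s+\S+->(?P<dst>[\d.]+)/(?P<plen>\d+)\s+pref=[\d.]+\s+"
    r"gwy=(?P<gwy>[\d.]+)\s+dev=\d+\((?P<dev>[^)]+)\)"
)
# Routing-table line such as "B   10.8.8.0/24 [20/0] via 10.9.8.7, internal-dc, 00:10:22"
# (assumed layout of 'get router info routing-table all'; distance is the first bracketed number).
RT_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<dst>[\d.]+)/(?P<plen>\d+)\s+\[(?P<dist>\d+)/\d+\]\s+"
    r"via\s+(?P<gwy>[\d.]+),\s*(?P<dev>[\w.-]+)"
)


@dataclass(frozen=True)
class KernelRoute:
    vf: int
    proto: int
    prio: int
    dst: str
    plen: int
    gwy: str
    dev: str


def parse_kernel_routes(output: str) -> list[KernelRoute]:
    """Parse every kernel route line; lines that do not match the layout are ignored."""
    routes = []
    for line in output.splitlines():
        m = KERNEL_RE.search(line)
        if m:
            routes.append(KernelRoute(int(m["vf"]), int(m["proto"]), int(m["prio"]),
                                      m["dst"], int(m["plen"]), m["gwy"], m["dev"]))
    return routes


def prefix_len_to_mask(plen: int) -> str:
    """/24 -> 255.255.255.0; the delete command takes a dotted subnet mask, not a prefix length."""
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length {plen}")
    bits = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return ".".join(str((bits >> s) & 0xFF) for s in (24, 16, 8, 0))


def distance_for(route: KernelRoute, rt_output: str) -> int:
    """Recover the administrative distance that the kernel output omits.

    Exact match on destination, gateway and interface in the routing table.
    SSL VPN client routes (interface ssl.<vdom>) never appear there and are
    connected routes, so they get distance 0 as the article states. Any other
    entry that is missing raises, so the operator verifies by hand rather than
    guessing a distance that would make the delete command fail.
    """
    for line in rt_output.splitlines():
        m = RT_RE.match(line.strip())
        if (m and m["dst"] == route.dst and int(m["plen"]) == route.plen
                and m["gwy"] == route.gwy and m["dev"] == route.dev):
            return int(m["dist"])
    if route.dev.startswith("ssl."):
        return 0
    raise LookupError(f"{route.dst}/{route.plen} via {route.gwy} on {route.dev} not in routing table")


def delete_command(route: KernelRoute, distance: int, with_vf: bool = False) -> str:
    """Render: diagnose ip route delete <intf> <dst> <mask> <gw> <distance> <priority> [<vf>]."""
    cmd = (f"diagnose ip route delete {route.dev} {route.dst} "
           f"{prefix_len_to_mask(route.plen)} {route.gwy} {distance} {route.prio}")
    return f"{cmd} {route.vf}" if with_vf else cmd


def commands_for_prefix(kernel_output: str, rt_output: str, dst: str, plen: int, dev: str) -> list[str]:
    """One delete command per kernel entry for dst/plen on the given interface."""
    return [delete_command(r, distance_for(r, rt_output))
            for r in parse_kernel_routes(kernel_output)
            if r.dst == dst and r.plen == plen and r.dev == dev]


# Constructed sample output. The two 10.8.8.0/24 lines are the article's; the
# ssl.root host route and the routing-table text are assumed for illustration.
KERNEL_SAMPLE = """\
tab=254 vf=7 scope=0 type=1 proto=11 prio=100 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=30033(remote-dc-vpn)
tab=254 vf=7 scope=0 type=1 proto=18 prio=268435456 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=10.9.8.7 dev=87(internal-dc)
tab=254 vf=7 scope=0 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.212.134.200/32 pref=0.0.0.0 gwy=0.0.0.0 dev=22(ssl.root)
"""
ROUTING_TABLE_SAMPLE = """\
B       10.8.8.0/24 [20/0] via 10.9.8.7, internal-dc, 00:10:22
C       10.9.8.0/24 is directly connected, internal-dc
"""

if __name__ == "__main__":
    # Reproduces the article's command for the BGP entry via internal-dc.
    for cmd in commands_for_prefix(KERNEL_SAMPLE, ROUTING_TABLE_SAMPLE, "10.8.8.0", 24, "internal-dc"):
        print(cmd)
```

Run it against the article's sample and it prints exactly the command from the Solution section. Asking for the remote-dc-vpn entry instead raises LookupError, because the constructed routing-table text has no line for it; that is deliberate, since a wrong distance makes the delete fail and the operator should read the distance off the real routing table rather than have the script assume one.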