Created on 11-28-2017 08:59 AM Edited on 09-28-2023 11:54 PM By Jean-Philippe_P
Description
On some occasions a route that is held in the FortiOS kernel routing table has to be deleted manually. This article shows how to do that.
In the example below, 10.8.8.0/24 was previously learned via BGP (the kernel entry via interface internal-dc with gateway 10.9.8.7). The same prefix is now also injected by the 'add-route' feature of IPsec dial-up (the entry on the tunnel interface remote-dc-vpn with prio=100), and that entry is the one that should be used, so the stale entry must be removed from the kernel.
get route info kernel | grep 10.8.8.0
tab=254 vf=7 scope=0 type=1 proto=11 prio=100 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=30033(remote-dc-vpn)
tab=254 vf=7 scope=0 type=1 proto=18 prio=268435456 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=10.9.8.7 dev=87(internal-dc)
Solution
To delete the route, use the following command: diagnose ip route delete <interface name> <IP address> <subnet mask> <gateway> <distance> <priority> [<vf number>]. The vf (VRF) number is optional; every other value must match the kernel entry exactly (interface name as shown in parentheses after dev=, destination and mask, gateway and the prio= value), otherwise the kernel will not find the route.
Example:
diagnose ip route delete internal-dc 10.8.8.0 255.255.255.0 10.9.8.7 20 268435456
The 'get route info kernel' output shows the priority (prio=) but not the administrative distance.
Check the distance of the route with the 'get router info routing-table all' command. If the entry is no longer listed there, use the default distance of the protocol that installed it (the example above uses 20, the eBGP default).
The default administrative distances in FortiOS are: Connected 0, Static 10, eBGP 20, OSPF 110, IS-IS 115, RIP 120, iBGP 200.
In the case of SSL VPN, the client source IPs are added directly to the kernel as host routes and are not visible in the routing table ('get router info routing-table all').
SSL VPN source IPs are directly connected routes, so a distance value of 0 must be used when forcibly deleting an SSL VPN source IP route from the FortiOS kernel. Without the distance value, the command will fail.
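The following helper is an added example and is not Fortinet code. It parses lines in the shape of the 'get route info kernel' output shown above, converts the prefix length into the dotted subnet mask the delete command expects, and builds the 'diagnose ip route delete' command for the stale entry, with the administrative distance supplied by the operator (it is not in the kernel output). It also covers the SSL VPN host-route case with distance 0. The SSL VPN sample line, the interface name ssl.root and the proto value on it are constructed for illustration; the regular expression assumes the field order shown in the article.

```python
import re
import ipaddress

# Constructed sample in the shape of 'get route info kernel | grep 10.8.8.0'
# (first two lines as in the article; the third is a constructed SSL VPN host route).
SAMPLE = """\
tab=254 vf=7 scope=0 type=1 proto=11 prio=100 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=30033(remote-dc-vpn)
tab=254 vf=7 scope=0 type=1 proto=18 prio=268435456 0.0.0.0/0.0.0.0/0->10.8.8.0/24 pref=0.0.0.0 gwy=10.9.8.7 dev=87(internal-dc)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.212.134.200/32 pref=0.0.0.0 gwy=0.0.0.0 dev=22(ssl.root)
"""

# Field order assumed from the article's output; dev=<index>(<name>) gives the interface name.
LINE_RE = re.compile(
    r"tab=(?P<tab>\d+)\s+vf=(?P<vf>\d+)\s+scope=\d+\s+type=\d+\s+proto=(?P<proto>\d+)\s+"
    r"prio=(?P<prio>\d+)\s+\S+->(?P<dst>[\d.]+)/(?P<plen>\d+)\s+pref=\S+\s+"
    r"gwy=(?P<gwy>[\d.]+)\s+dev=\d+\((?P<dev>[^)]+)\)"
)


def parse_kernel_routes(text):
    """Parse kernel route lines into dicts; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        # strict=False so a host route or a prefix with host bits still yields a mask.
        net = ipaddress.IPv4Network(f"{d['dst']}/{d['plen']}", strict=False)
        routes.append({
            "vf": int(d["vf"]),
            "proto": int(d["proto"]),
            "prio": int(d["prio"]),
            "dst": d["dst"],
            "mask": str(net.netmask),
            "gwy": d["gwy"],
            "dev": d["dev"],
        })
    return routes


def select_stale(routes, dst, keep_dev):
    """Return the kernel entries for dst that are NOT on keep_dev (the ones to delete)."""
    return [r for r in routes if r["dst"] == dst and r["dev"] != keep_dev]


def delete_command(route, distance, with_vf=False):
    """Build 'diagnose ip route delete <dev> <dst> <mask> <gw> <distance> <priority> [vf]'.

    distance is taken from 'get router info routing-table all' or the protocol
    default; use 0 for a directly connected route such as an SSL VPN source IP.
    """
    if not 0 <= distance <= 255:
        raise ValueError("administrative distance must be in 0..255")
    parts = ["diagnose", "ip", "route", "delete", route["dev"], route["dst"],
             route["mask"], route["gwy"], str(distance), str(route["prio"])]
    if with_vf:
        parts.append(str(route["vf"]))
    return " ".join(parts)


def ssl_vpn_delete_command(route):
    """SSL VPN source IPs are directly connected host routes: distance must be 0."""
    return delete_command(route, 0)


if __name__ == "__main__":
    routes = parse_kernel_routes(SAMPLE)
    for r in select_stale(routes, "10.8.8.0", keep_dev="remote-dc-vpn"):
        print(delete_command(r, distance=20))          # stale BGP entry, eBGP default distance
    for r in routes:
        if r["dev"] == "ssl.root":
            print(ssl_vpn_delete_command(r))           # SSL VPN host route, distance 0
```

Run it as a script to print the commands; paste them into the FortiGate CLI only after confirming each value against the live 'get route info kernel' output, since the kernel matches the entry on every field.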
Copyright 2024 Fortinet, Inc. All Rights Reserved.