FortiGate
hmehrok
Staff
Article Id 217280
Description

This article describes the setting that fixes the connection from a remote FortiGate to an FSSO Agent when the agent is reached over IPsec tunnels that are members of an SD-WAN zone.

Scope

FortiGate v6.2.6 to v7.2.0, except v6.4.0 and v6.4.1.

Solution

Topology:

 

FSSO_Agent---HQ_FGT---IPSEC---(SDWAN)Branch_FGT

 

Branch_FGT = Branch FortiGate

HQ_FGT = Headquarters FortiGate

 

Assume two IPsec VPN tunnels are configured between the two FortiGates, one over each ISP.

 

These two IPsec VPN interfaces are members of an SD-WAN zone on Branch_FGT, and the SD-WAN rule selects the IPsec tunnel based on Best Quality.

 

(Note: the SD-WAN rule can use any strategy the deployment requires; the fix below does not depend on it.)

 

The FSSO Agent is deployed on the HQ side. It is reachable from HQ_FGT but not from Branch_FGT.

 


 

After configuring the FSSO external connector on Branch_FGT, the connection status shows down.

 

When the agent is reached through SD-WAN, interface-select-method must be set to 'sdwan'.

By default it is set to 'auto'.

When interface-select-method is 'auto', the FortiGate's own (self-originated) FSSO traffic is sent according to the ordinary routing lookup. It does not follow the SD-WAN rules and does not go out through the SD-WAN zone, so the connection to the agent never comes up. (The third option, 'specify', pins the connector to one named interface; that works, but it loses the failover between tunnels that the SD-WAN rule provides.)

 

# config user fsso
    edit "DC1"                            << Agent Name
        set server 10.1.1.2
        set source-ip "X.X.X.X"           << IP address of the transit network
        set interface-select-method auto
    next
end

 

To fix the issue, edit the FSSO configuration from the CLI and set interface-select-method to 'sdwan'. The source-ip must be a local address of Branch_FGT that the HQ side routes back over the tunnels; otherwise the agent's replies never return through the VPN.

 

When interface-select-method is 'sdwan', the FSSO traffic goes out through the member interface chosen by the SD-WAN rule, and the connection to the agent is established.

 

# config user fsso
    edit "DC1"                            << Agent Name
        set server 10.1.1.2
        set source-ip "X.X.X.X"           << IP address of the transit network
        set interface-select-method sdwan
    next
end
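The following is an added example, not part of the original article, of a complete Branch_FGT configuration that reproduces the topology above in FortiOS 7.0+ CLI syntax: an SD-WAN zone holding the two IPsec interfaces, a health check aimed at the agent, a Best Quality (priority) rule, a static route to the agent subnet via the zone, and the FSSO connector bound to SD-WAN. The zone name HQ_VPN, the health-check name HQ_Agent, the address object HQ_LAN and the agent subnet 10.1.1.0/24 are assumptions; the tunnel names, agent name and agent address follow the article, and X.X.X.X stays a placeholder as in the article.

```fortios
# Added example (not from the original article). FortiOS 7.0+ syntax;
# zone, health-check, address and subnet names are assumptions.

config firewall address
    edit "HQ_LAN"
        set subnet 10.1.1.0 255.255.255.0     # assumed subnet of the FSSO agent
    next
end

config system sdwan
    set status enable
    config zone
        edit "HQ_VPN"                         # assumed zone holding both tunnels
        next
    end
    config members
        edit 1
            set interface "IPsec_tunnel_1"
            set zone "HQ_VPN"
        next
        edit 2
            set interface "IPsec_tunnel_2"
            set zone "HQ_VPN"
        next
    end
    config health-check
        edit "HQ_Agent"
            set server "10.1.1.2"             # probe the FSSO agent itself
            set protocol ping
            set members 1 2
        next
    end
    config service
        edit 1
            set name "FSSO_to_HQ"
            set mode priority                 # shown as "Best Quality" in the GUI
            set src "all"
            set dst "HQ_LAN"
            set health-check "HQ_Agent"
            set priority-members 1 2
        next
    end
end

# Route to the agent subnet through the zone so the rule above can steer it.
# (FortiOS 6.4 uses "set sdwan enable" here instead of "set sdwan-zone".)
config router static
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set sdwan-zone "HQ_VPN"
    next
end

# FSSO connector bound to SD-WAN so self-originated traffic follows the rule.
config user fsso
    edit "DC1"
        set server 10.1.1.2
        set source-ip X.X.X.X                 # branch address that HQ routes back over the tunnels
        set interface-select-method sdwan
    next
end
```

After applying this, 'diagnose sys sdwan service' (6.4 and later) shows which member the FSSO_to_HQ rule currently selects, and 'diagnose debug authd fsso server-status' should report the agent as connected regardless of which tunnel wins.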

 

Results: when any one member interface of the SD-WAN zone (here, an IPsec interface) goes down, the FSSO Agent stays connected over the remaining member.

 

# get vpn ipsec tunnel summary

'IPsec_tunnel_1' 192.168.1.1:0   selectors(total,up): 1/1  rx(pkt,err): 2/0  tx(pkt,err): 6686246/624

'IPsec_tunnel_2' 10.174.0.182:0  selectors(total,up): 1/0  rx(pkt,err): 0/0  tx(pkt,err): 0/1684

 

# diagnose debug authd fsso server-status

Server Name   Connection Status   Version         Address
-----------   -----------------   -------         -------
DC1           connected           FSSO 5.0.0304   10.1.50.11

 

# get vpn ipsec tunnel summary

'IPsec_tunnel_1' 192.168.1.1:0   selectors(total,up): 1/0  rx(pkt,err): 0/0  tx(pkt,err): 0/624

'IPsec_tunnel_2' 10.174.0.182:0  selectors(total,up): 1/1  rx(pkt,err): 2/0  tx(pkt,err): 987486/1684

 

# diagnose debug authd fsso server-status

Server Name   Connection Status   Version         Address
-----------   -----------------   -------         -------
DC1           connected           FSSO 5.0.0304   10.1.50.11