pmeet
Staff
Article Id 268117
Description This article describes behavior where the VIP does not work when configured on the secondary ISP connection. A workaround is offered.
Scope FortiGate.
Solution

There are scenarios where a VIP is configured on the secondary ISP and, even after the configuration is complete, debugging returns a 'reverse path check fail, drop' error.

To fix this issue:

First, check the routing table of the FortiGate by running the following command:

get router info routing-table all

wan2 must be present in the active routing table. To achieve this, both wan1 and wan2 should have the same AD (administrative distance) value.

Note: In failover scenarios, use the priority value to choose the best path. If both wan1 and wan2 have the same AD value and the same priority value, ECMP is performed and traffic is load balanced across wan1 and wan2.

Note: The lower the priority value, the higher the route priority.

Refer to Technical Tip: Routing behavior depending on distance and priority for static routes and policy base... for more information regarding routing behavior based on the aforementioned variables.
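
A static-route sketch of the fix described above, added here as an example and not taken from the original article. The interface names wan1 and wan2 follow the article; the route IDs, gateway addresses, and distance/priority numbers are constructed placeholders, and the lines starting with # are annotations rather than commands.

```text
# Before (constructed values): wan2 has a higher administrative distance,
# so only the wan1 default route is installed in the active routing table.
# Traffic arriving on wan2 for the VIP fails the reverse path check.
config router static
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end

# After (constructed values): same distance on both routes, so both are
# installed in the active routing table. The lower priority value keeps
# wan1 as the preferred path (failover), while wan2 stays active and
# traffic arriving on wan2 passes the reverse path check.
config router static
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end
```

After the change, the output of get router info routing-table all should list a default route through both wan1 and wan2.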
