Policy route not taking effect

Symptom

  1. The policy route is configured as follows.

    config router policy
        edit 1
            set input-device "lan"
            set src "192.168.100.77/255.255.255.255"
            set dst "223.5.5.5/255.255.255.255"
            set gateway 10.10.12.1
            set output-device "wan1"
        next
    end
    
  2. In practice the policy route is not applied. Listing the policy routes (diagnose firewall proute list) shows a disable flag on this entry, even though nothing in its configuration disables it.

    [image: output of diagnose firewall proute list showing the disable flag on policy route 1]

Cause

  1. This is most likely caused by a link-monitor (or SD-WAN health check) whose update-policy-route option is enabled, which is the default. When the monitor's state changes from UP to DOWN, FortiOS disables every policy route whose output-device is the monitored interface.

    config system link-monitor
        edit "test"
            set srcintf "wan1"
            set server "10.10.12.1"
            set update-cascade-interface enable    // enabled by default //
            set update-static-route enable    // enabled by default //
            set update-policy-route enable    // enabled by default //
        next
    end
    
  2. The link-monitor status is dead, so the policy routes on its source interface (wan1) have been set to disable.

    FW1_FGT101F # diagnose sys link-monitor status 
    
    Link Monitor: test, Status: dead, Server num(1), HA state: local(dead), shared(dead)
    Flags=0x9 init log_downgateway, Create time: Wed Apr 24 16:19:13 2024
    Source interface: wan1 (7)
    VRF: 0
    Interval: 500 ms
    Service-detect: disable
    Diffservcode: 000000
    Class-ID: 0
      Peer: 10.10.12.1(10.10.12.1) 
            Source IP(10.10.12.2)
            Route: 10.10.12.2->10.10.12.1/32, gwy(10.10.12.2)
            protocol: ping, state: dead
                    Packet lost: 100.000%
                    MOS: 4.350
                    Number of out-of-sequence packets: 0
                    Recovery times(0/5) Fail Times(1/5)
                    Packet sent: 1231, received: 287, Sequence(sent/rcvd/exp): 1232/475/476
    

Solution

  1. Disable update-policy-route on the link-monitor. Be aware of the trade-off: with this option off, the policy route stays active even when wan1 is genuinely down, so if the link is supposed to be up, also find out why the monitor's ping to 10.10.12.1 fails (the status output above shows 100% packet loss).

    config system link-monitor
        edit "test"
            set update-policy-route disable
        next
    end
    
  2. List the policy routes again: the disable flag on the wan1 entry is gone and traffic matches the route as expected (hit_count is now incrementing).

    FW1_FGT101F # diagnose firewall proute list
    list route policy info(vf=root):
    
    id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=48(lan) dport=0-65535 path(1) oif=7(wan1) gwy=10.10.12.1 
    source wildcard(1): 192.168.100.77/255.255.255.255 
    destination wildcard(1): 223.5.5.5/255.255.255.255 
    hit_count=1 last_used=2024-04-24 16:32:24
    
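The check below is an added example, not part of this Fortinet TAC page and not a FortiOS tool: it applies the rule the page describes to a config backup and to the output of `diagnose sys link-monitor status`, and reports which policy routes a dead link-monitor will have disabled, so the cause can be found without reading the proute list by hand. The sample config and status text are constructed for the example (they extend the page's case with a second WAN whose monitor already has the option off); the function names, the generic config parser and the generated remediation CLI are this example's own assumptions.

```python
"""Added example: find FortiOS policy routes that a dead link-monitor disables.

Rule applied (from the KB page): a link-monitor with update-policy-route
enabled (the default, so an absent line counts as enabled) whose status is
dead disables every policy route whose output-device is the monitor's srcintf.
"""
import re
from typing import Dict, List

# Constructed sample config backup for this example (not a real device).
SAMPLE_CONFIG = """\
config router policy
    edit 1
        set input-device "lan"
        set src "192.168.100.77/255.255.255.255"
        set dst "223.5.5.5/255.255.255.255"
        set gateway 10.10.12.1
        set output-device "wan1"
    next
    edit 2
        set input-device "lan"
        set src "192.168.100.0/255.255.255.0"
        set gateway 10.10.13.1
        set output-device "wan2"
    next
end
config system link-monitor
    edit "test"
        set srcintf "wan1"
        set server "10.10.12.1"
    next
    edit "test2"
        set srcintf "wan2"
        set server "10.10.13.1"
        set update-policy-route disable
    next
end
"""

# Constructed excerpt of `diagnose sys link-monitor status` for this example.
SAMPLE_STATUS = """\
Link Monitor: test, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Source interface: wan1 (7)
Link Monitor: test2, Status: dead, Server num(1), HA state: local(dead), shared(dead)
Source interface: wan2 (8)
"""


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {section: {entry: {key: value}}} for top-level config sections.

    A stack of open `config` sections keeps nested sub-tables from being
    mistaken for top-level entries; only top-level sections are returned.
    """
    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    stack: List[str] = []
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif line.startswith("edit ") and len(stack) == 1:
            name = line[len("edit "):].strip().strip('"')
            entry = sections[stack[0]].setdefault(name, {})
        elif line.startswith("set ") and len(stack) == 1 and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next" and len(stack) == 1:
            entry = None
        elif line == "end" and stack:
            stack.pop()
    return sections


def parse_link_monitor_status(text: str) -> Dict[str, str]:
    """Map link-monitor name -> status word ('alive'/'dead') from the CLI output."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^Link Monitor: ([^,]+), Status: (\w+)", text, re.M)}


def disabled_policy_routes(config_text: str, status_text: str) -> Dict[str, List[str]]:
    """Return {policy-route id: [monitors that disable it]}."""
    cfg = parse_fortios(config_text)
    status = parse_link_monitor_status(status_text)
    dead_ifaces: Dict[str, List[str]] = {}
    for name, lm in cfg.get("system link-monitor", {}).items():
        if lm.get("update-policy-route", "enable") != "enable":
            continue  # option off: a dead monitor leaves policy routes alone
        if status.get(name) != "dead":
            continue
        dead_ifaces.setdefault(lm.get("srcintf", ""), []).append(name)
    return {rid: dead_ifaces[pr["output-device"]]
            for rid, pr in cfg.get("router policy", {}).items()
            if pr.get("output-device") in dead_ifaces}


def remediation_cli(monitors: List[str]) -> str:
    """Generate the CLI from the Solution section for the affected monitors."""
    lines = ["config system link-monitor"]
    for name in monitors:
        lines += [f'    edit "{name}"', "        set update-policy-route disable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = disabled_policy_routes(SAMPLE_CONFIG, SAMPLE_STATUS)
    for rid, monitors in hits.items():
        print(f"policy route {rid} disabled by dead link-monitor(s): {', '.join(monitors)}")
    affected = sorted({m for ms in hits.values() for m in ms})
    if affected:
        print(remediation_cli(affected))
```

Run against a real `show full-configuration` backup and the status output, the script names the monitors to change; it flags only route 1 in the sample, because the wan2 monitor already has update-policy-route disabled. Generating the CLI rather than applying it keeps the decision with the operator, who should first confirm the link is really up.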

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-04-24 16:33:40
