Alexander McMillen asked

I wasn't sent to the closest SASE datacenter?

When connecting to the FortiSASE service, I seem to be getting directed to a datacenter which isn't the closest one provisioned to my geographic location. What would cause this behavior?


1 Answer

Alexander McMillen answered

FortiSASE utilizes Anycast GeoDNS hostnames, which are provisioned on a per-customer basis, to direct users to the closest available datacenter(s) provisioned in their instance. These are referred to within the FortiSASE GUI as a “Turbo Hostname”.

As of the time of this writing, you can find the instance Turbo Hostname referenced in multiple sections of the FortiSASE GUI including under the following sections:

  • Configuration -> VPN User SSO (Base URL)
  • Configuration -> SWG User SSO (Base URL)
  • System -> SWG Configuration (Global)

The Turbo Hostname will attempt to direct you to the “closest” datacenter based on the specific City, State, or Country you’re located in.

To ensure the most precise direction of traffic, we recommend utilizing a Resolving Name Server which implements the EDNS Client Subnet (ECS) extension. This extension will attempt to forward the specific Source IP or /24 Subnet originating the DNS lookup back to the Authoritative DNS server for a “more specific” answer, rather than using the default answer in cache.

Most traffic direction issues we observe are the result of using a DNS server which does not support this extension, and users being directed to Resolving Name Servers which aren’t physically near their users. This results in poor performance, even outside of the FortiSASE use case (CDNs), as traffic would be directed to servers which aren’t geographically near the user.

If you are sporadically ending up in different datacenters from the same physical location, it’s also possible that your system’s defined Resolving Name Servers are geolocating to different locations.

If you are using a DNS provider which supports the EDNS Client Subnet extension, and require a State or Country-level override, please open a ticket with FortiCare including the troubleshooting steps below. The FortiSASE Ops team can override these values on a per-customer basis as needed on occasion.

Troubleshooting DNS Lookups

For all steps below, you first need to be disconnected from FortiSASE VPN.

  • Determine the IP address of the Resolving Nameserver
    1. Simple: Run “nslookup whoami.akamai.com”
      • The IP returned for this lookup is the Resolving Nameserver’s public IP.
    2. Advanced (Mac/Linux): Run this command in a terminal:
      • for i in {1..10}; do dig +short resolver-identity.cloudfront.net; sleep 11; done;
        • If your system has multiple defined nameservers, or you’re using an Anycast service, the lookup may come from multiple source IPs. This output will provide you with an assortment of IPs being used to troubleshoot.
    3. Look up the Geolocation of the IP address returned in public sources (FortiGuard, Maxmind, etc.). If the results aren’t near your physical location, this could be why you’re being directed to the wrong datacenter.
  • Determine if your Resolving Name Server supports EDNS Client Subnet for increased accuracy
    1. On Linux or macOS, use dig:
    2. On Windows, use nslookup:
    3. Review the first TXT record returned in the Answer section of the output. The first TXT value is the IP address of the DNS resolver. If there isn’t a second TXT record returned, the DNS resolver doesn’t support EDNS Client Subnet.
      • If EDNS Client Subnet isn’t supported, the Geolocation of the IP address of the Resolving Name Server will be used in the traffic direction process. This may be less precise than your physical location, depending on how close you are to your Resolving Name Server.
  • Determine what PoP you will be routed to based on your configured Resolving Name Server. Requires the Turbo Hostname from the FortiSASE GUI as outlined above.
    1. Disconnect from the FortiSASE VPN.
    2. Based on the IP address returned for the lookup, you can find the associated datacenter (same IP or /24) on the FortiSASE Egress IP page (https://docs.fortinet.com/document/fortisase/22.3.10/administration-guide/751044/appendix-a-ingress-and-egress-ip-addresses)

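As an added illustration (not part of the original answer), a small POSIX shell script that applies the checks in the troubleshooting steps above offline: it parses a dig TXT answer to pull out the resolving name server's public IP and decide whether a second TXT record (the EDNS Client Subnet echo) is present, and compares a Turbo Hostname lookup result against an egress IP using the same-/24 rule. The sample dig output, the record name passed to check_live, and all addresses are constructed assumptions, not values from FortiSASE.

```shell
#!/bin/sh
# Constructed sample of `dig TXT <record>` output from an ECS-aware resolver:
# first TXT value = resolver public IP, second TXT value = the client subnet
# it forwarded. The record name and addresses are assumptions, not real data.
ECS_SAMPLE=';; ANSWER SECTION:
ecs-check.example. 60 IN TXT "203.0.113.10"
ecs-check.example. 60 IN TXT "edns0-client-subnet 198.51.100.0/24"

;; Query time: 20 msec'

# Same query against a resolver without ECS: only one TXT record comes back.
NO_ECS_SAMPLE=';; ANSWER SECTION:
ecs-check.example. 60 IN TXT "203.0.113.10"

;; Query time: 20 msec'

# Print the quoted TXT values from the ANSWER SECTION, one per line.
answer_txt_values() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;;/                 { inans = 0 }
        inans && $4 == "TXT" {
            line = $0
            sub(/^[^"]*"/, "", line)   # strip up to the opening quote
            sub(/"[^"]*$/, "", line)   # strip the closing quote onward
            print line
        }'
}

# The first TXT value is the resolving name server's public IP.
resolver_ip() {
    answer_txt_values "$1" | sed -n '1p'
}

# "supported" when a second TXT record is present, else "unsupported".
ecs_status() {
    n=$(answer_txt_values "$1" | wc -l | tr -d ' ')
    if [ "$n" -ge 2 ]; then echo supported; else echo unsupported; fi
}

# Live variant: run dig against an ECS test record name supplied by the caller
# (the answer above does not name one, so it is left as an argument).
check_live() {
    ecs_status "$(dig TXT "$1")"
}

# Egress IP page rule from the answer: a match is the same IP or the same /24.
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}
```

Run the parser on real output with `ecs_status "$(dig TXT <record>)"` while disconnected from the VPN, as the answer requires for every step.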

jrcarlucci commented:

Hi Andrew -- good explanation and it makes sense from GeoDNS/ECS, but where does Anycast come into play?
