Why is BGP not coming up in SPA (Secure Private Access)?! Health check and VPN tunnel are up, but no BGP.
This is typically caused by a misconfiguration on the hub or mismatched information between the FortiSASE portal and what is configured on the hub. My example working configuration can be found below. The intent of this article is to make the SPA setup easy, quick and successful.
The first stop should be to read the official documentation. You can find links to the most important sections below.
SPA with a FortiGate (FGT) SD-WAN deployment guide:
BGP Configuration:
IPsec VPN Configuration:
Notes and an example for the initial SPA setup.
I found that mapping it out in a table was helpful for me to understand what needs to be configured on the FGT hub to match the SASE UI config. That, and having the output of an example config for ‘config router bgp’ and ‘config vpn ipsec phase1-interface’, also helped. Both sides, the SASE side and the FGT hub, need configuration that matches to have a successful turn-up. Note that the router-id network is only ‘logical’, as it is required for the SD-WAN overlay network.
Example table for SASE UI and corresponding FGT hub configuration:
| | FortiSASE UI | FGT hub |
| --- | --- | --- |
| Remote Gateway | FGT Hub Public IP | n/a (dynamic tunnel) |
| BGP Router ID Subnet | 192.168.254.0/24 | |
| BGP Peer IP | 10.125.0.253 | |
| Network Overlay ID | 0 | 0 |
| ASN | 65000 | 65000 |
| Health Check IP | 172.20.100.1 | |
| Router ID | 10.125.0.253 | |
| Local AS | 65000 | |
| Neighbor Group | SASE-SPA | |
| Neighbor Ranges | 10.125.0.0/24 | |
| Advertised BGP Network | 172.20.100.0 255.255.255.0 | |
| Logical Tunnel Interface Local IP | 10.125.0.253 | |
| Logical Tunnel Interface Remote IP | 10.125.0.254 255.255.255.0 | |
| IPsec phase1-interface DHCP Range | 10.125.0.1-10.125.0.252 255.255.255.0 | |
Example of a working config below:
SPA config example in SASE UI:
FGT hub config in UI and CLI. Please make sure to include BGP and IPsec tunnel configs via CLI:
config router bgp
    set as 65000
    set router-id 10.125.0.253
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    set additional-path-select 4
    config neighbor-group
        edit "SASE-SPA"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 65000
            set additional-path send
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.125.0.0 255.255.255.0
            set neighbor-group "SASE-SPA"
        next
    end
    config network
        edit 2
            set prefix 172.20.100.0 255.255.255.0
        next
    end
end

config vpn ipsec phase1-interface
    edit "SASE-HUB"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes128-sha256 aes256-sha256 aes256-sha1 aes128-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 0
        set ipv4-start-ip 10.125.0.1
        set ipv4-end-ip 10.125.0.252
        set ipv4-netmask 255.255.255.0
    next
end
Lastly, don’t forget to permit traffic for the health check in the firewall policy!
Useful troubleshooting commands:
get router info routing-table bgp
get router info bgp summary
get router info bgp network
exec ping <SASE remote logical tunnel IP (10.125.0.1-10.125.0.4 in the above example)>
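As an added example, not part of the original post, a small Python checker that parses the hub's FortiOS CLI text and reports the hub/UI mismatches the post blames for "tunnel up, BGP down": ASN, overlay ID, peer IP versus router-id, and whether the mode-cfg pool handed to SASE falls inside a BGP neighbor-range. The sample config and UI values are constructed from the table above; the parser and the set of checks are my assumptions, not a Fortinet tool.

```python
import ipaddress

# Constructed sample: the hub lines from this post that the checks read.
HUB_CONFIG = """config router bgp
    set as 65000
    set router-id 10.125.0.253
    config neighbor-range
        edit 1
            set prefix 10.125.0.0 255.255.255.0
        next
    end
end
config vpn ipsec phase1-interface
    edit "SASE-HUB"
        set network-id 0
        set ipv4-start-ip 10.125.0.1
        set ipv4-end-ip 10.125.0.252
    next
end"""
# Constructed sample: the matching fields from the FortiSASE UI column of the table.
SASE_UI = {"asn": 65000, "peer_ip": "10.125.0.253", "overlay_id": 0}

def parse_fortios(text):
    """Map each config/edit path (e.g. 'router bgp/neighbor-range/1') to its 'set' values."""
    stack, out = [], {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(("config ", "edit ")):
            stack.append(line.split(None, 1)[1].strip('"'))
        elif line in ("end", "next"):
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            out.setdefault("/".join(stack), {})[key] = value.strip('"')
    return out

def check_spa(cfg, ui):
    """Return mismatch descriptions; an empty list means hub and UI agree."""
    bgp, problems = cfg["router bgp"], []
    p1 = next(v for k, v in cfg.items() if k.startswith("vpn ipsec phase1-interface/"))
    # neighbor-range prefixes are 'addr mask'; ipaddress accepts the 'addr/mask' form directly
    ranges = [ipaddress.ip_network(v["prefix"].replace(" ", "/")) for k, v in cfg.items() if "/neighbor-range/" in k]
    pool = [ipaddress.ip_address(p1[k]) for k in ("ipv4-start-ip", "ipv4-end-ip")]
    if int(bgp["as"]) != ui["asn"]:
        problems.append(f"ASN: hub {bgp['as']} vs UI {ui['asn']}")
    if bgp["router-id"] != ui["peer_ip"]:
        problems.append(f"UI peer IP {ui['peer_ip']} is not the hub router-id {bgp['router-id']}")
    if int(p1["network-id"]) != ui["overlay_id"]:
        problems.append(f"overlay ID: hub {p1['network-id']} vs UI {ui['overlay_id']}")
    if not any(pool[0] in r and pool[1] in r for r in ranges):
        problems.append("mode-cfg pool handed to SASE is not inside any BGP neighbor-range")
    if pool[0] <= ipaddress.ip_address(ui["peer_ip"]) <= pool[1]:
        problems.append("hub peer IP lies inside the mode-cfg pool handed to SASE")
    return problems
```

Paste the real `show router bgp` and `show vpn ipsec phase1-interface` output into `HUB_CONFIG` and the portal values into `SASE_UI`; an empty result means the fields this post says must match do match.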