Testing and troubleshooting the configuration
To test the configuration attempt, start a web browsing session between the client network and the web server network. For example, from a PC on the client network browse to the IP address of a web server on the web server network, for example http://192.168.10.13. Even though this address is not on the client network, you should be able to connect to this web server over the WAN optimization tunnel.
If you can connect, the WAN Opt. Monitor widget should show the protocol that has been optimized (in this case HTTP) and the Peer Monitor widget displays the Peer information. To add the WAN Opt. Monitor and the Peer Monitor, go to Dashboard > Status > Add Widget > WAN Opt. & Cache and add WAN Opt. Monitor and Peer Monitor. See Monitoring performance for more information.
If you cannot connect, try the following to diagnose the problem:
-
Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
-
Check routing on the FortiGate units and on the client and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the client network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers. See Routing concepts for more information.
You can use get
and diagnose
commands to display information about how WAN optimization is operating.
Example output
The command output for the client-side FortiGate unit shows 10 tunnels all created by the manual WAN optimization configuration:
# diagnose wad tunnel list Tunnel: id=100 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=100 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384 Tunnel: id=99 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=99 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384 Tunnel: id=98 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=98 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384 Tunnel: id=39 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=39 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=1068 bytes_out=1104 Tunnel: id=7 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=7 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264 Tunnel: id=8 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=8 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264 Tunnel: id=5 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=5 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264 Tunnel: id=4 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=4 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264 Tunnel: id=1 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=1 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264 Tunnel: id=2 type=manual vd=0 shared=no uses=0 state=2 peer name=Server-Fgt id=2 ip=192.168.30.12 SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264 Tunnels total=10 manual=10 auto=0
The command output shows three tunnels all created by the active-passive WAN optimization configuration:
# diagnose wad tunnel list Tunnel: id=22 type=auto vd=0 shared=no uses=1 state=2 peer name=Server-Fgt id=42 ip=192.168.20.1 (best guess) SSL-secured-tunnel=no auth-grp= bytes_in=56693 bytes_out=10831 Tunnel: id=24 type=auto vd=0 shared=no uses=1 state=2 peer name=Server-Fgt id=44 ip=192.168.20.1 (best guess) SSL-secured-tunnel=no auth-grp= bytes_in=14833 bytes_out=3896 Tunnel: id=26 type=auto vd=0 shared=no uses=1 state=2 peer name=Server-Fgt id=46 ip=192.168.20.1 (best guess) SSL-secured-tunnel=no auth-grp= bytes_in=481 bytes_out=176 Tunnels total=3 manual=0 auto=3
The command output shows a tunnel created by active passive WAN optimization configuration with secure tunneling:
# diagnose wad tunnel list Tunnel: id=3 type=auto vd=0 shared=no uses=1 state=2 peer name=Server-Fgt id=49 ip=192.168.20.1 (best guess) SSL-secured-tunnel=yes auth-grp=Auth-Secure-Tunnel bytes_in=95810 bytes_out=39597 Tunnels total=1 manual=0 auto=1
Unlike manual mode, for active-passive configurations, each session will negotiate an active-passive tunnel so an open session is required the display the corresponding output above. For example, continuous data transfer such as uploading or downloading will display tunnel output in the active-passive configuration, which is in contrast to manual mode where tunnels are always open and ready to use. |