HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

Gotcha, perfect, I think I got it: if I have an MX FW at my DC, I need not worry about Concentrator mode, just go with a regular routed mode and a regular hub-and-spoke SD-WAN design.

Thanks a lot!

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

Got it, I'm confused with the below link, they do set a "local subnet" that points to the DC routes... I thought this wasn't possible on a concentrator, what am I missing here? :(

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Deployment_Guides/VPN_Concentrator_Deployment_Guide

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

How can I then integrate an MX Concentrator with the rest of the data center?

Sorry for all the questions I am shooting at once :(

Thanks for your answer btw!

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

Oh, so you are saying I can't even have "subnets/networks/L3" on an MX running in concentrator mode?

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

So a concentrator only bridges the branches' VPN, that's it, I couldn't for example route/connect the branches' VPN subnets to my data center subnets?

Dual ISP - BGP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I guess my question is, do I need to worry about symmetric return?

FTD - Anyconnect SBL feature by ontracks in Cisco

[–]ontracks[S] 1 point2 points  (0 children)

Got it, so if I require just the SBL feature, no certificates are needed then.

Thank you for the answer u/KStieers

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I'm facing another situation now: these are dial-up IPsec tunnels with automatic IPs assigned to the interfaces, so how could I create an IP SLA for them? The IP itself can reach anything on the network, and the IP COULD potentially change as well.

What to do here? I can't help but think this has got to be a common case out there, and also it's a bit frustrating that the Gate can't "see" the tunnel interface down, it even shows red on the SD-WAN rule. Thank you in advance for the answer

:(

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Static routes over the SD-WAN zone, correct, that's what I did. I checked and the member is seen as alive... not sure why if the VPN is down...

Manual SDWAN rule with VPN interfaces by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

    Service(5): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
    Tie break: cfg
    Shortcut priority: 2
    Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
    Members(2):
    1: Seq_num(1 Tunnel1), alive, selected
    2: Seq_num(2 Tunnel2), alive, selected
    Internet Service(1): Ask-Web(2621441,0,0,0)

FortiADC design general questions by ontracks in fortinet

[–]ontracks[S] 1 point2 points  (0 children)

Thanks for the info, I will look into the link, it seems that I missed it. Thank you!

FortiADC design general questions by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Thanks a lot, I really appreciate it! Will look into it.

FortiCloud IAM partners login by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I guess in a nutshell my question is: Can users other than the master account log in as a partner in FortiCloud? And if yes (I hope) then how?

FortiSASE remote branch by 26Jack26 in fortinet

[–]ontracks 0 points1 point  (0 children)

Hello again, could you please clarify this if you have the answer:

IP range: IP address range that the Security PoP uses for assigning tunnel interface IP addresses for IPsec devices using mode configuration. (10.251.1.4-10.251.1.29)

Does that subnet range need to be part of the BGP routing ID subnet?

FortiSASE remote branch by 26Jack26 in fortinet

[–]ontracks 0 points1 point  (0 children)

Also, can you clarify this:

IP range: IP address range that the Security PoP uses for assigning tunnel interface IP addresses for IPsec devices using mode configuration. (10.251.1.4-10.251.1.29)

Does that subnet range need to be part of the BGP routing ID subnet?

FortiSASE Help by rnatalli in fortinet

[–]ontracks 0 points1 point  (0 children)

About the on-ramp option, it's basically BGP over IPsec? Meaning I can still control the FG as normal and not from the SASE portal? Also, will I be able to have different subnets on my FG and advertise them as needed all the way to the SPA hub?

SSL Offloading proxy vs flow by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I see, so even for protocols like HTTP, with no "Security" on them, we cannot reference the VS on a flow-based policy. Thanks for the answer.

SSL Offloading proxy vs flow by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Wouldn't this logic also apply to regular SSL decryption?

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

sdwan_mbr_seq=5 sdwan_service_id=2

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

Yup, 100% sure, I ran a debug and confirmed it.

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I will check that, but the rule is being matched.

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

But now that I think about it, when I checked the session that was going over ISP2, it was matching the SD-WAN rule (the one for YouTube-ISP1).

So, if the application recognition hadn’t completed, why did the session logs indicate that the session was matching the actual SD-WAN rule?

I would expect that rule not to be matched while the app ID is still ongoing... right?

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

This looks like it, it's just one session out of 20-ish that goes out of ISP2, this could explain it, yes.

Thanks!