- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- WAN1 doesn't seem to be failing over as part of WA...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN1 doesn't seem to be failing over as part of WAN LLB
FG-100D is configured with two WANs combined via WLLB. ISP for WAN1 has been flaky lately, dropping out for 30 seconds or so occasionally. I expected traffic to be immediately routed to WAN2, but in reality I have to manually disable WAN1 in the GUI in order for this to happen. The relevant parts of the config is below. I'm trying to determine whether I have something configured incorrectly in the Fortigate, or if the misconfiguration is occurring between my ears. Thanks in advance. Eric
5.04-FW-build1064
config system interface
edit "wan1"
set vdom "root"
set ip 74.143.138.236 255.255.255.248
set allowaccess ping fgfm
set type physical
set alias "isp1"
set estimated-upstream-bandwidth 5000
set estimated-downstream-bandwidth 50000
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set mode dhcp
set distance 20
set allowaccess ping fgfm
set type physical
set alias "isp2"
set estimated-upstream-bandwidth 1800
set estimated-downstream-bandwidth 18000
set role wan
set snmp-index 7
next
end
config system virtual-wan-link
set status enable
set load-balance-mode measured-volume-based
config members
edit 1
set interface "wan1"
set gateway xxx.xxx.xxx.xxx
set volume-ratio 7
next
edit 2
set interface "wan2"
set gateway yyy.yyy.yyy.yyy
set volume-ratio 1
next
end
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For remote failure detection you need to set up a pingserver target or link monitor (which is ambiguous - a link failure is always detected, loss of network connectivity not). I understood that creating a WAN LLB will set up a link monitor as well but maybe you skipped that step.
Then, the default settings require to miss 5 pings each 3 seconds apart. You can alter these values to get a more responsive behavior, risking "link flapping". Depends on what you're willing to tolerate.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We had this issue as well, I believe you might need to configure the WAN Status Check so that it knows to update the default WAN load balance static route when packet loss is detected.
Also as a side note, we had the same issue with WAN1 dropping out for 30 seconds or so when we put in a Fortigate 100D along with our particular ISP. Their router had issues accepting Fortigate updates via port 53. Not sure if this is the same issue you're having or who your ISP is but going into System -> FortiGuard and changing the FortiGuard Filtering Port from 53 to 8888 cleared that right up.
Edit: Just realized you're running a different firmware, we're on 5.4.1. Though I'm sure some of the options I mentioned are there, just in different places.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For remote failure detection you need to set up a pingserver target or link monitor (which is ambiguous - a link failure is always detected, loss of network connectivity not). I understood that creating a WAN LLB will set up a link monitor as well but maybe you skipped that step.
Then, the default settings require to miss 5 pings each 3 seconds apart. You can alter these values to get a more responsive behavior, risking "link flapping". Depends on what you're willing to tolerate.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!. I see now what I missed. WAN Link Health is an option in the GUI as of 5.4.1, so I set it there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, without that being set it doesn't monitor at all lol
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Related Posts
- API to find device inventory -... 296 Views
- Best VPN option for backup ISP... 430 Views
- Forticonverter 319 Views
- Large config - ssh behaviour 399 Views
- IPSec tunnels from Azure Fortigate VM... 1005 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.