Support Forum
veechee
New Contributor

Dual WAN: system link-monitor vs. system virtual-wan-link for monitoring interface health

We have two Internet links and want to have health monitoring to fail over from one to the other if there is an outage. What is the difference between these two functions in FOS 5.6?

  • config system link-monitor
  • config system virtual-wan-link -> config health-check


    We are not using any of the SD-WAN features at present, as we have some functionality on parts of the network that is not suitable for it (e.g., IP Pools, policy-based routes). In this case, which should we use?


    Also, would using the SD-WAN health-check with no SD-WAN functionality otherwise enabled be likely to cause any odd behaviour?


    veechee
    New Contributor

    So I decided on going this route. I will note that the CLI documentation for FOS 5.6 is not accurate on how to set the servers.

    # link-monitor on both WAN interfaces; several probe targets are given
    # as separate quoted values on the one "set server" line
    config system link-monitor
        edit "wan2"
            set srcintf "wan2"
            set server "4.2.2.6" "8.8.4.4" "9.9.9.10"
            set gateway-ip <gatewayIP>
            set timeout 2
            set update-cascade-interface disable
        next
        edit "wan1"
            set srcintf "wan1"
            set server "4.2.2.6" "8.8.4.4" "9.9.9.10"
            set gateway-ip <gatewayIP>
            set timeout 2
            set update-cascade-interface disable
        next
    end

    sw2090
    Honored Contributor

    Well, I guess the link monitor will only monitor the health of your WAN but probably will not do any failover.

    If you want failover use WLLB.

    I do that like this:


    - configure several WAN Interfaces
    - create a virtual-wan-link over them with load balancing (i.e. WLLB)
    - set some WLLB Connectivity check rules to monitor the WANs.


    The Connectivity Checks will make the load balancer know when there is an outage. It then automatically does "failover" by just using the working WANs until the other one(s) are back up again.


    This works fine here...

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
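
The three steps above (WAN members, a virtual-wan-link with load balancing, a connectivity check), written out as a FortiOS 5.6-style CLI configuration. This is an added example, not sw2090's own configuration or Fortinet documentation: the gateway addresses 203.0.113.1 and 198.51.100.1 are documentation-range placeholders, the probe target is the Google resolver mentioned later in the thread, the member weights are arbitrary, and the "virtual-wan-link" route device name and the two diagnose commands at the end are assumed from the 5.6-era CLI and should be checked against the CLI reference for the exact build in use.

```fortios
# Added example (not the poster's or Fortinet's config): WLLB / SD-WAN in FOS 5.6 style.
# Placeholders: 203.0.113.1 = wan1 gateway, 198.51.100.1 = wan2 gateway (assumed).
config system virtual-wan-link
    set status enable
    # weight-based: traffic is shared in proportion to member weight
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            set weight 10
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
            # a small weight keeps wan2 mostly idle; as the thread notes,
            # it cannot be fully excluded by weight alone
            set weight 1
        next
    end
    # health-check: ping 8.8.8.8 from both members every 5 s; a member is
    # marked dead after 3 consecutive failures and alive after 5 successes
    config health-check
        edit "internet-ping"
            set server "8.8.8.8"
            set protocol ping
            set interval 5
            set failtime 3
            set recoverytime 5
            # withdraw the dead member's route so nothing is sent over it
            set update-static-route enable
            set members 1 2
        next
    end
end

# One default route over the virtual-wan-link object replaces the
# per-interface default routes (device name assumed for this release).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "virtual-wan-link"
    next
end

# Checks to run from the CLI afterwards (assumed command names):
# diagnose sys virtual-wan-link health-check
# diagnose sys virtual-wan-link member
```

The point of `update-static-route enable` on the health-check is the question raised later in the thread: without it, the check only reports a member as down; with it, the route via that member is removed from the routing table, so the load balancer stops sending new sessions across the failed link.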

    ecsupport

    Just an FYI, having deployed both: it's not possible to do a primary/failover config with WLLB, as *both* must be active at least partially (can't do a weight of 0 for one link). For many of our branch sites, we'll have a coax primary and a DSL or T1 backup, which we don't want to use unless the primary goes down, so for that we just do ECMP (equal cost multipath) with 2 static routes, same distance but different priority, and link-monitor to yank the primary if it goes down. Typically ping Google quad8 & OpenDNS.


    WLLB has some nicer features like jitter- & latency-based rules, as well as all the SD-WAN stuff, but again that's more for balancing load between circuits, rather than the scenario above.
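
The primary/backup arrangement ecsupport describes (two default routes with the same distance and different priority, plus link-monitor pulling the primary when its probes fail), as an added FortiOS 5.6-style example. This is not ecsupport's or Fortinet's configuration: the gateway addresses 203.0.113.1 (wan1) and 198.51.100.1 (wan2) are documentation-range placeholders, the probe targets are the Google and OpenDNS resolvers named above, the timers are illustrative, and the diagnose command at the end is assumed from the 5.6-era CLI.

```fortios
# Added example (not the poster's or Fortinet's config): ECMP routes + link-monitor.
# Placeholders: 203.0.113.1 = wan1 gateway, 198.51.100.1 = wan2 gateway (assumed).

# Two default routes with the SAME distance, so both stay in the routing table
# (ECMP). The lower priority value wins while both are present, so wan2 only
# carries traffic once the wan1 route has been withdrawn.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# link-monitor probes the primary out of wan1 every 5 s. After 5 consecutive
# failures (about 25 s) the wan1 routes are removed; after 5 consecutive
# successes they are restored. update-static-route is what performs the
# failover; without it the monitor only reports state.
config system link-monitor
    edit "wan1-probe"
        set srcintf "wan1"
        set server "8.8.8.8" "208.67.222.222"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
        set update-cascade-interface disable
        set update-static-route enable
    next
    # monitoring the backup as well means a dead backup is also taken out of
    # the table rather than silently black-holing traffic after a failover
    edit "wan2-probe"
        set srcintf "wan2"
        set server "8.8.8.8" "208.67.222.222"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
        set update-cascade-interface disable
        set update-static-route enable
    next
end

# Checks to run from the CLI afterwards:
# get router info routing-table all       (both 0.0.0.0/0 routes listed while healthy)
# diagnose sys link-monitor status         (assumed command name; shows probe state)
```

Two practical caveats when testing this: probing more than one target means the link is only declared down when all of them fail, which avoids a false failover because one resolver blocked ICMP; and the failtime/interval product sets how long traffic is black-holed before the route is pulled, so pick it against how quickly the business needs the cut-over rather than leaving the defaults.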

    sw2090
    Honored Contributor

    @ecsupport: yeah, thanks for the info. Might be so, but I use WLLB, hence I do also need load balancing over the WANs.

    Meanwhile I am not sure if the WLLB health test does work as intended. It does correctly detect when a WAN is down, but I am not sure whether the WLLB uses this info to not route anything over that WAN as long as it is down.


    Also I found that deactivating a WAN in WLLB (not the interface itself!) creates an SNMP trap for this WAN being down even though the interface is still up and running.

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
