Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gipsy
New Contributor

Created on ‎04-18-2019 01:11 PM

WAN Redundant - Link-Monitor not right working?

Hello,

it's my first post. 

 

We have implemented with our Fortigate 60E WAN redundant.

The primary ISP is fiber and the secondary is LTE.

 

All traffic should go through the WAN1 interface.

 

In general, failover works from WAN1 to WAN2 or WAN2 to WAN1.

 

Now I have something strange observed:

In Germany, an automatic reconnect is performed every 24 hours. Unfortunately, this can not be avoided.

 

If the reconnect takes place or I perform it manually, then the WAN1 is for max. 3 seconds unreachable. After 3 seconds, it runs again and stable.

After 15 minutes, the failover to WAN2 is done and the traffic goes over it. (WAN1 works 100%) Then after 3 minutes, switch back to WAN1.

 

If I disable WAN2 before the i performed a manual reconnect, then the above behavior does not happen.

 

BUT:

If I activate WAN2 after 20 minutes, then it takes a few minutes and it will again fail over to WAN2. After 3 minutes back to WAN1.

 

Although my link monitor has the values ​​failtime 15 minutes and recoverytime 3 minutes, but the question is:

Why is the failover performed when WAN1 is gone for only 3 seconds after a reconnect and is then permanently stable?

 

Is my link monitor configured correctly?

 

config system link-monitor edit "Check" set srcintf "wan1" set server "8.8.8.8" set interval 60 set failtime 15 set recoverytime 3 set update-cascade-interface disable next end

 

Regards

Gipsy

3925
0 Kudos
3 REPLIES 3
BryanS
New Contributor

Created on ‎04-18-2019 02:58 PM

I suspect the route is updating.

 

Set failtime is only available 1-10 I thought.  Change to 10.

 

set update-static-route disable

 

 

I didn't set anything for failtime, only interval and mine works as expected.

1886
0 Kudos
Gipsy
New Contributor
In response to BryanS

Created on ‎04-19-2019 12:59 AM

Hello BryanS,

thank for your quick reply.

 

If i didn't set failtime and i have a interval of 60, then the failover to WAN2 will be performed if the WAN1 is down "since 60 seconds". Right?

 

If i disable the option "update-static-route", then i must create two static routes for wan1 and wan2 correct (0.0.0.0)?

Or is the option working with the setting that i have now (without static routes for 0.0.0.0)?

 

Regards

Gipsy

1886
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Gipsy

Created on ‎04-19-2019 08:49 AM

If you don't have static routes and don't (nothing to be removed) let link-monitor to remove them, I don't think link-monitor has any active role to fail over. It wouldn't shut down the wan1 even pinging fails because otherwise it can't detect the circuit's recovery.

I would observe those two default routes in the routing-table while they're transitioning to understand how they're faling-over and failing-back. But it's better overriding them with two static default routes with proper distances/priorities (you can disable taking a default route via DHCP/PPPoE), and control the fail-over with link-monitor.

 

By the way, the answer to your first question is below. The default value is 5.

xxx-fg1 (NAME1) # set failtime ? failtime    Enter an integer value from <1> to <10> (default = <5>).

1886
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.