tlmrichard

Redundant Link without load balancing

I thought I had things set up a year ago, but it turns out the link has to be physically disconnected to fail over. Something seems wrong with my link monitoring. After a fair amount of searching I found something, but I am not sure if it's still valid for V6.0.4, as it didn't say. I found several related posts, but some were older and I have a feeling I originally used one of those when I first set it up.

 

Here's what I found https://kb.fortinet.com/kb/documentLink.do?externalID=FD36151

 

I tried another setup a few months ago that had me use SD-WAN, but that also doesn't seem to be working.  The SD-WAN setup didn't use the command line.  During my initial setup, I remember doing something with the command line.  Maybe they are conflicting with each other?

 

I may need to factory reset and start all over.   If someone can point me to a good guide that'll be great. 

 

(connections: one is Spectrum Cable and the other is ATT Fiber)

 

Thanks!

ede_pfau

hi,

the KB article names all steps perfectly. You should be fine if you follow that.

By default - that is, without 'config sys link-monitor' - the FGT has only the link status to determine if a line/port is down. This will not suffice in 99% of the time as the next, say, modem will always be up. Unless it itself dies.

 

So, if your failover doesn't work it's probably because you are not using link monitors, or if you do, they are misconfigured.

 

SD-WAN is a new feature which tries to combine all the necessary steps into one virtual interface setup. Basically, it's the same, with link monitoring etc. Additionally, SD-WAN can monitor link quality which previously was not possible. Quality in this sense is measured by latency or jitter (fluctuation in latency).

So yes, you could go ahead with SD-WAN for the sole purpose of WAN redundancy.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
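
The difference between link status and an active probe, as an added FortiOS CLI example that is not part of the post above or the linked KB article: each link monitor pings a host beyond the modem and withdraws the static routes on that interface when the probes fail. The interface names `wan1` and `wan2`, the entry names, and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholder assumptions to replace with your own ports, ISP gateways and probe targets.

```fortios
# Added example, not from the thread. All names and addresses are placeholders.
config system link-monitor
    edit "example-wan1-probe"
        # Probe leaves through wan1 via that ISP's gateway (placeholder address).
        set srcintf "wan1"
        set gateway-ip 192.0.2.1
        # Target must sit beyond the modem, otherwise only the modem is tested.
        set server "203.0.113.10"
        set protocol ping
        # Probe every 5 seconds; 5 lost probes mark the link as down,
        # 5 answered probes bring it back.
        set interval 5
        set failtime 5
        set recoverytime 5
        # Remove static routes on wan1 while the probe is failing.
        set update-static-route enable
    next
    edit "example-wan2-probe"
        set srcintf "wan2"
        set gateway-ip 198.51.100.1
        set server "203.0.113.20"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

Running `show system link-monitor` afterwards lists the entries that are actually configured, which is also the place to look for leftovers from an earlier setup.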
tlmrichard

Oh I appreciate that sooo much!  

 

Between the 2, which would you recommend I use? If SD-WAN Method, perhaps you can link me to a good guide for setting this up? I'm obviously new to FortiOS so every little bit helps.

 

In the case that my link-monitor is misconfigured, will following the steps in the KB simply overwrite it? This would save me the hassle of having to start off fresh.

ede_pfau

I'd say go the SD-WAN way. Sure, the setup is new but it'll stick. And you get more insight into what is happening with your WANs.

If you're looking for pointers, there are 3 main sources:

- cookbook.fortinet.com

  has a lot of 'recipes' which you can just follow, for the most common tasks

  Couldn't connect to the site, though. See next source:

- docs.fortinet.com

  select your version of FortiOS (6.0), and then get either the Handbook/Admin Guide, or access the cookbook

- kb.fortinet.com

  the Knowledgebase. I'd say there is EVERYTHING in it which you'd ever desire to know about, BUT it's hard to find. >>> Fortinet, go get a Google appliance! The search spits out irrelevant scatter and omits the pearls. <<<

 

That said, have a look at

https://docs.fortinet.com...t-internet-with-sd-wan

and configure it like that. You will replace your two WAN ports with a virtual SD-WAN port, so you only need one set of policies. (Similar to using a WAN zone plus link monitors.)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
tlmrichard

Thanks! I'll work on that route.  Going the SD-WAN route, will I need to do anything in the command line to negate the original setup for the Link Monitoring?  I would like for them to switch correctly, and I have a feeling something in here is messing with the current SD WAN setup. 
